ECE4112 Internetwork Security
  Final Lab: Secure Web Surfing and hardening your Windows Operating System
References:
[1] http://ddanchev.blogspot.com/
[2] http://opdb.berlios.de/download/
[3] http://www.antiphishing.org/phishin...
Answer Sheet:

Section I

Q.1.1.1 What is Phishing?
Ans:


Q.1.1.2 How does Phishing work and spread?
Ans:


Q.1.3 Do you see any notification of a phishing site? If so, explain.
Ans:


Q.1.3.2 How can we defend ourselves against such sites that rely on typo errors?
(You will have to google for this)...

Q 1.1.2 Why is there a need for a backup? Why don't we directly delete applications
from the registry?


Section 1.2 - Client-server and remote backup

Q1.3.2 How is this tool better than other registry tools (Appendix B and C, or other
tools on the web)?


Section 2: Record Cleaner

General Questions

Q.1. How long did it take you to complete this lab? Was it an appropriate length
lab?


Q.2. What corre...
Transcript of "Secure Web Surfing and Hardening Windows Report"

ECE4112 Internetwork Security
Final Lab: Secure Web Surfing and hardening your Windows Operating System

Group Number: _________
Member Names: ___________________ _______________________
Date Assigned: mm/dd/yyyy
Date Due: mm/dd/yyyy
Last Edited: 6/16/2010
Authors: Varun Shah, Nikunj Nemani

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the provided Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.

Goal: This lab is designed to enable you to surf the web more securely and to learn ways to harden your Windows operating system.

Summary: This lab will introduce you to the threats that exist during web surfing and the ways you can protect against these threats. In the later sections you will see different ways to harden your Windows operating system.

Prelab Questions: None

Requirements:
1. A Windows XP/Vista machine with internet access.
2. IE 7 browser
3. Opera browser
4. Mozilla Firefox browser
5. sregkey10.exe (backup software)
6. VembuStroreGrid.exe (client-server and remote backup software)
7. registryfix.exe (software to clean the registry)
8. recentcleaner.exe (software to clean the list of recently accessed files)
9. ptlanmon-setup.exe (software for LAN monitoring)

Lab Scenario: The lab scenario is as explained below for all the sections.

Section I: Secure Web Surfing
In this section we will learn about the various threats that exist in the real world when surfing the internet or downloading files from it. Considering the huge number of security software products that are made and released every day, we can conclude that the internet is not a safe place, and it is not safe because of the various threats it poses. Some of these threats will be presented in this lab.

A few common ways in which users infect their PCs via the internet are:
1. Browser exploits
2. Email attachments
3. Downloading files from the internet

We will have a look at each of them in detail. Apart from the cross-site scripting attacks learnt in Lab 9, these are some of the other attacks that exist in the real world.

Browser exploits are run on a machine when it is connected to the internet. We will see some of the exploits that exist and some of their fixes. The browser exploits have been further divided into the following types:
1.1 Phishing
1.2 Using IFrames as an exploit
1.3 Typosquatting
1.4 JavaScript with DOM access

Section 1.1 - Phishing

Q.1.1.1 What is Phishing?
Ans:

Q.1.1.2 How does Phishing work and spread?
Ans:

There are various sites on the internet that maintain a database of the sites that phish for data. The main aim of these phishing sites is to set up fake login pages for various websites that hold user information. Thus the aim of the phishing sites is to obtain sensitive information about users of the legitimate sites that the hackers are imitating. By phishing, the hackers are trying to steal your identity and, most of the time, much more than that: your financial information.

Some of the sites where phishing site databases are stored are as follows:
[1] http://opdb.berlios.de/
[2] http://www.phishtank.com/phish_archive.php?page=2
[3] http://ddanchev.blogspot.com/
We will now install a few web browsers and see what happens when you visit such sites with and without phishing filters.

Obtain the folder containing Mozilla Firefox, Opera and Microsoft's IE 7 from the NAS. Install the Mozilla Firefox web browser by double-clicking the Mozilla Firefox installation setup and keeping all the default values. Once installed, it will add an icon on the desktop if that setting was selected during installation.

We have taken a few sites from the phishing site databases mentioned above:
1. http://deinz.pochta.ru/ved/
2. http://www.dollarsbomb.com/join_now.ph
3. http://62.159.207.82:84/www.oregoncommunitycu.org/survey/s2.html
4. http://dl2nym.dyndns.org/update/index.html

These sites have been verified as phishing sites by phishtank.com. For simplicity, let us use only the last link in our example. Type the URL in the Mozilla browser.

Q.1.3 Do you see any notification of a phishing site? If so, explain.
Ans:

You should see something like this:
Firefox does not have a built-in phishing filter, and hence we need to install one in order to protect your browser from these phishing websites. Obtain the FirePhish software from the NAS and copy the file to your local Windows XP / Vista machine. Once done, install the software; it is basically just an add-on. Restart Firefox once this is done. You will see that a toolbar has been added to your browser window, as follows:
Now type the link http://dl2nym.dyndns.org/update/index.html back into the browser and press Enter.

Q.1.1.4 Do you see anything now? What can you conclude from this?
Ans:

Screenshot 1: Take a screenshot of this and submit it with your lab.

Now obtain the Opera web browser from the NAS and install it keeping the default settings. This version of Opera is supposed to have a built-in phishing filter. Once installed, run the web browser, enter the same link that we used for the Mozilla web browser and check for any warnings.

Q.1.1.5 Do you see any warnings? If so, take a screenshot of this and submit it with your lab.

Although the Opera browser has a built-in phishing filter, it does not show a popup or warn the user against accessing the site. It does, however, notify you in the taskbar below that something is wrong. On clicking it and selecting the option to check whether the site is vulnerable, we see a popup window stating that it might be a phishing site.

Screenshot 2: Take a screenshot of this and submit it with your lab.

Now obtain the IE 7 web browser from the site http://www.microsoft.com/windows/downloads/ie/getitnow.mspx or from the NAS. IE 7 is supposed to have a built-in phishing filter. We check this by going to the site we visited in the previous part of this lab.

Q.1.1.6 Do you see any warnings?

Although IE 7 has a built-in phishing filter, it does not show a popup on detecting such a site; instead it just puts a notification in the taskbar which, when double-clicked, checks whether the site is a phishing site and, if so, prevents the user from accessing it. Double-click the sign in the taskbar and see whether what you see on the screen changes.

Screenshot 3: Take a screenshot of this warning by IE 7 and submit it with your lab.

Q.1.1.7 Compare the anti-phishing functionality of the three browsers.

Section 1.2 – IFrames as an exploit

IFrames (inline frames) are a technique that allows us to embed an HTML document within the main HTML document. Generally, frames are used in a page to divide the contents of a website; inline frames, however, are generally used to insert content from one website into another, such as an advertisement. Though a good and useful feature, it is being used by hackers to extract sensitive information from users.

Q.1.2.1 Explain how IFrames can be used by hackers to extract information from users.

Real-world examples of IFrames being used as an exploit can be seen by clicking on the links shown below:
1. Epilepsie France - epilepsie-france.org
2. Iran Art News - iranartnews.com
3. Le Bowling en France - bowling-france.fr
4. The Hong Kong Physiotherapists Union - hkpu.org
5. The Wireless LAN Community - wlan.org

Section 1.3 - Typosquatting

Typosquatting is nothing but URL hijacking by hackers. It is possible that we make typing errors while typing in URLs for different websites. There are certain common typing errors that can occur while typing in the names of certain websites, for example www.myspacce.com instead of www.myspace.com. The first one is actually a hijacked URL.
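The checks that a phishing filter or a typo-aware browser would apply to the Section 1.1 URLs and to www.myspacce.com are short enough to write out; the following Python is an added example, not part of the lab or of any of the browsers discussed. The allowlist of known domains, the blocklist (seeded with the Section 1.1 URLs) and the dynamic-DNS suffix list are constructed for this example; subdomains of a known brand are not specially handled.

```python
"""Added example, not part of the lab: flag suspicious URLs the way a
browser-side phishing / typosquatting check might, standard library only."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains the user legitimately visits.
KNOWN_DOMAINS = {"myspace.com", "google.com", "oregoncommunitycu.org"}

# Constructed blocklist standing in for a PhishTank-style feed; the hosts are
# those of the URLs listed in Section 1.1 of the lab.
BLOCKLIST = {"deinz.pochta.ru", "www.dollarsbomb.com", "62.159.207.82",
             "dl2nym.dyndns.org"}

# Dynamic-DNS parents often used by short-lived phishing hosts (constructed).
DYNDNS_SUFFIXES = ("dyndns.org",)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 means a one-keystroke typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Drop a leading 'www.' so www.myspacce.com is compared with myspace.com."""
    return host[4:] if host.startswith("www.") else host


def inspect_url(url: str) -> list:
    """Return warning codes for url; an empty list means nothing was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    if host in BLOCKLIST:
        warnings.append("blocklisted")

    try:                      # a bare IP address instead of a name
        ipaddress.ip_address(host)
        warnings.append("ip_host")
    except ValueError:
        pass

    if parts.port not in (None, 80, 443):
        warnings.append("nonstandard_port")

    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        warnings.append("dynamic_dns_host")

    base = registrable(host)
    path = parts.path.lower()
    for known in KNOWN_DOMAINS:
        # A known brand buried in the path of some other host
        # (.../www.oregoncommunitycu.org/survey/...) is classic bait.
        if known in path:
            warnings.append(f"brand_in_path:{known}")
        # A host one edit away from a known brand, but not equal to it.
        if base != known and edit_distance(base, known) == 1:
            warnings.append(f"lookalike_of:{known}")
    return warnings
```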
Q.1.3.1 Go to the two websites above and see the difference. Also find another pair of websites with typo errors. (You will have to google for this.)

Hence, there is a possibility that hackers also own / hijack websites that are typo errors of the websites of banks, and they may dupe customers into filling in their credentials on the site with the typo error.

Q.1.3.2 How can we defend ourselves against such sites that rely on typo errors? (You will have to google for this.)

Q.1.3.3 Type www.gooogle.com and see what happens. Explain.

Section 1.4 – JavaScript DOM Access

JavaScript can be written which has complete control over the DOM (Document Object Model) and is capable of modifying anything it wants on a website. Using such JavaScript it is possible for a user to change the news articles shown on a site and to change absolutely anything else. Apart from causing such disruptions, JavaScript can also be written to execute when clicked, or simply when the page is opened, and steal a user's cookies. Thus there are two kinds of threats:
1. Direct Cookie: a JavaScript that executes when a user clicks a link and steals the user's cookies. This can be very detrimental if a user is accessing his bank account and simultaneously opens such a link. Once the cookies are stolen it is possible for a hacker to simulate the session from elsewhere.
2. HTML Injection: here the user is not even required to click on a link. The code can be sent in an email or placed on a website, and if the user just opens the email or visits the website the code executes and the user's cookies are stolen.

Q.1.4.1 How can we protect ourselves from such attacks?

Section 1.5 – Email Attachments

With hundreds of computers joining botnet armies every day, it is very easy for a hacker to send out spam emails. Apart from sending advertisements, spam emails are now being used for even more harmful purposes.
Hackers now send spam emails to users by spoofing the email IDs of the banks that the users bank with. The email then contains a link that looks like the URL of the bank. However, it is masqueraded, and the user is actually directed to a phishing site imitating the bank. The email says that the user needs to log in and change or
check his credentials, and if the user does so it is possible for the hacker to gain access to the user's login details. Have a look at the sample email sent by hackers and note the places one should look at in order to determine whether the email has come from a bank or was sent by a hacker.

Q.1.5.1 Based on the sample shown above, what must be checked to determine whether the email is from a legitimate bank or from a hacker? (Hint: compare the emails shown below and above.)

Given below is a sample of an email that is actually sent from a bank to a customer.
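The two sample emails are screenshots that did not survive in this transcript; the following Python is an added example, not part of the lab, that applies the checks Sections 1.4 and 1.5 describe to a constructed message: a link whose visible text names one host while its href leads to another, active content that would run as soon as the mail is rendered (the HTML injection case of Section 1.4), and a bounce (Return-Path) domain that does not match the From domain. The message and its .invalid domains are constructed placeholders, not real sites.

```python
"""Added example, not part of the lab: scan a raw e-mail for masqueraded
links, active content and a From / Return-Path domain mismatch."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a spoofed "bank" message (all domains are placeholders).
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mailer-example.invalid>
From: Example Bank <alerts@examplebank.invalid>
To: customer@example.invalid
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please log in to confirm your details:</p>
<a href="http://login-examplebank.invalid/update/index.html">https://www.examplebank.invalid/login</a>
<img src="x" onerror="/* would run when the image fails to load */">
<script>/* would run as soon as the mail is rendered */</script>
</body></html>
"""

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class BodyScanner(HTMLParser):
    """Collects (href, visible text) for every anchor and notes active content."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, visible text) per <a>
        self.active = []     # descriptions of script-capable content
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href", ""), []
        if tag in ACTIVE_TAGS:
            self.active.append(f"<{tag}>")
        for name in attrs:
            if name.startswith("on"):          # onload, onerror, onclick, ...
                self.active.append(f"<{tag} {name}>")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased host of a URL, or the domain part of an address header."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].strip("<> ").lower()
    return (urlsplit(value).hostname or "").lower()


def scan_email(raw: bytes) -> dict:
    """Return the findings a reader should check before trusting the mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    scanner = BodyScanner()
    scanner.feed(body.get_content() if body is not None else "")

    from_host = host_of(str(msg.get("From", "")))
    bounce_host = host_of(str(msg.get("Return-Path", "")))
    # Visible text that looks like a URL but points somewhere else.
    masqueraded = [(href, text) for href, text in scanner.links
                   if "://" in text and host_of(text) != host_of(href)]
    return {
        "from_host": from_host,
        "return_path_mismatch": bool(bounce_host) and bounce_host != from_host,
        "masqueraded_links": masqueraded,
        "active_content": scanner.active,
    }
```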
Section 1.6 – Downloading files from the internet

We often download files / applications from the internet and most often do not care where we download the software from. However, with the increase in cyber crime, we need to be vigilant as to where we download software from. It is advisable not to download a file from a site we do not have adequate knowledge of. Files that are present as attachments in emails from an unknown source should also not be downloaded.

In response, hackers have become smarter and have now started making fake security software. These fake security products are actually viruses or Trojans masked as security software. It is also possible for the hackers to install rootkits on your machine and gain permanent access to it. Some examples of fake security software sites are as follows:
1. www.antivirusfiable.com
2. www.antivirusmagique.com

Hence, one should be careful when downloading files from the internet. One must first check what kind of site it is before downloading anything from it.

Section II: Hardening your Windows Operating System

Section 1: Working with the Windows Registry

INTRODUCTION

Windows 9x/ME, Windows CE and Windows NT/2000/XP/2003/Vista store configuration data in the registry. It is a central repository for configuration data that is stored in a hierarchical manner. The system, users, applications and hardware in Windows make use of the registry to store their configuration, and it is constantly accessed for reference during their operation. The registry was introduced to replace most of the text-based configuration files used in Windows 3.x and MS-DOS, such as .ini files, autoexec.bat and config.sys. Due to the vast amount of information stored in the Windows registry, the registry can be an excellent source of potential evidential data. For instance, the Windows registry contains information on user accounts, typed URLs, network shares, and Run command history.
REGISTRY STRUCTURE

Figure 1: Windows Registry Logical View

Figure 1 shows the Windows registry logical view from Registry Editor (the Windows default registry editor). Each folder in the left key pane is a registry key. The right pane shows the key's values. "Subkey" is used to show the relationship between a key and the keys nested below it. "Branch" refers to a key and all its subkeys. Windows uses symbolic links (similar to a file system's shortcuts) to link a key to a different path, which allows the same key and its values to appear at two different paths.

The registry is split into a number of logical sections called hives. The registry is divided into two parts:
1. Keys - the keys all begin with HKEY and they are on the left of the window.
2. Values - they are the actual values inside the registry folders, and they are on the right side of the window.

The details of all the keys and their descriptions are given in Appendix A.

Section 1.1 Creating the Backup before Cleaning the Registry

We know that the registry is very important for any system. A lot of problems occur only because some invalid entries are in the registry. Every piece of software, every executable, absolutely everything has an entry in the registry. Hence it becomes all the more risky to play with the registry. If some important entries get deleted from the registry we could end up losing our entire application. Hence it is highly recommended that we take a backup of our registry. This can be done manually, but with software it becomes very easy. RegKey Backup is software that takes a backup of the registry.

Step 1: Copy the file regkey10.exe from the NAS and store it in your XP virtual machine. The software can also be obtained from the internet: http://www.softplatz.com/Soft/Utilities/Backup/3258.exe

Step 2: Install the software and run it. Once it is properly installed it will show the entire registry. Now select a particular application from any one of the registry keys. Choose it from HKEY_CURRENT_USER to see the changes effectively. Go to Software, select a particular piece of software and click Backup. On the right half of the window you will see the name of the software in the My Backups list.

Step 3: Go to the main registry by typing regedit at the command prompt. The registry is displayed; select the same software that you backed up. Right-click and press Delete.
Now check in the registry that there is no entry for that software any more.

Step 4: Now go to the RegKey window. Select the software from the My Backups list and click Restore. We see that the software is placed back where it was.

Screenshot 4: Take a screenshot of the application when it is back in the registry.

Hence we see that we have learned to successfully back up the registry. This will help us save our system in case we happen to delete an application that was important to us.

Q.1.1.1 I have an application which I had installed, but it made my system slow, so I deleted it; still the performance does not change. Why?

Q 1.1.2 Why is there a need for a backup? Why don't we directly delete applications from the registry?

Section 1.2 - Client-server and remote backup
Vembu StoreGrid is flexible, packaged data backup software that works with our existing hardware. It can provide intranet, client-server and remote backups. Its unique 'trusted 2P mode' can help leverage free space lying around the network to provide a backup solution for all users in a small network. After the first backup only changes in the files are backed up, which optimizes bandwidth and storage utilization.

Step 1: Copy the file VembuStroreGrid.exe from the NAS onto your XP virtual machine. Install the software by accepting the default settings. The software can also be obtained from the internet: http://www.softplatz.com/Soft/Utilities/Backup/26921.exe

Step 2: During installation select the client-server architecture. Once it is installed and we run it, we see that a web browser comes up asking for a connection ID and password. Enter the default, admin. We see that the HTTP connection is on port 6060.

Step 3: Select a file from the ones listed as the file to be backed up.
Step 4: Add the selected file to the backup list and also enter a password to make it protected.

Screenshot 5: Take a screenshot of the file successfully added to the backup list.

Q 1.2.1 What is the advantage of this backup over other forms of backup?

Section 1.3 Cleaning the Registry with backup

Every Microsoft Windows operating system has a registry. Your system registry holds a wealth of information about your computer, which is why we constantly hear from users that after using their PC for a short length of time, it no longer works the way it used to. This is due in part to invalid entries in your system registry, which might exist because of software you are no longer using or software that was not properly removed. By removing these invalid entries, you can significantly increase the performance of your PC.

Registryfix is software that scans for invalid entries. Registryfix will scan for errors related to ActiveX controls, DLL issues, Windows Explorer errors, Windows Installer issues, Internet Explorer errors, Iexplore and System32 errors, runtime errors, Outlook and Outlook Express errors, EXE errors, Svchost errors and a wide variety of other system issues.

Step 1: Copy the file registryfix.exe from the NAS and install it on your XP virtual machine. The software can also be obtained from the internet: http://www.registryfix.com/

Step 2: Once the software is installed, press the Scan button. If everything has gone well until now, you will see the scan in progress, and the screen will appear something like this. Once the scan is complete, Registryfix will give details of the errors it found and the location of those invalid files.
When you click Continue it will take you to the following screen, which gives you the details of the errors found.
Step 3: Select the particular file you want to delete, or select all to delete all the invalid entries found by the software.

Step 4: After you have deleted the entries, you may find out that some files were useful to you. You can go to the Back option on the main screen. Here you can select the time at which you deleted them, and it will list all the files that were deleted. Press Restore to return all the files to their respective positions.

Screenshot 6: Take a screenshot of a particular application after restoring it.

Q1.3.1 How can this tool be useful in hardening your system?

Q1.3.2 How is this tool better than other registry tools (Appendix B and C, or other tools on the web)?

Section 2: Record Cleaner

We know that a lot of the time we worry that a hacker has accessed a file we closed recently. We forget the fact that when we close a particular file, an entry is made in the log of recent files. Recent files is a record that maintains all the files and applications that were recently accessed. Hence, to protect a file from being accessed or stolen, apart from closing it we should also remove it from the lists of recent records.
Doing that manually for each file becomes very tedious. Instead we use software called Recent Cleaner.

Step 1: Copy the file recentcleaner.exe from the NAS to your XP virtual machine. Install the file and run it. The software can also be obtained from the internet: http://www.findprotected.com/solutions/recent-files/download.htm

The screen should look like this. We see that we are able to see all the files, in their different formats. It also lists the applications accessed on the system recently, as shown in the figure above.

Step 2: You can select the file that you want to delete, or all files from a particular application.

Step 3: Once you press Clear Selected Items, the selected files will be deleted from the database. We also have the option of deleting an entire group by clicking the Clear All or Clear Group button. We can also generate a report by clicking Generate Report.

Screenshot 7: Take a screenshot of the generated report.
Q2.1 Once the recent files get deleted, suppose I wanted to keep a few files in the recent record for fast access; in this case how would I recover the lost files?

Section 3: LAN Monitoring

Karen's LAN Monitor starts by displaying important information about every network adapter on your computer. These details include the adapter's speed, IP addresses, DHCP lease information, and more. Next, the program shows all current connections between your computer and others on the local network and on the Internet. You'll see the name and IP address of the remote computer, and the type of connection (HTTP, POP3, FTP, etc.) that's being made. The LAN Monitor also displays real-time traffic statistics, including bytes sent and received, transmission errors, and network connection load factors.

Step 1: Copy the file ptlanmon-setup.exe from the NAS to your XP virtual machine. The software can also be obtained from the internet: http://www.karenware.com/powertools/ptlanmon.asp

Step 2: In the Adapters tab, select the network adapter which has to be monitored. Once an adapter is selected, all the information about the adapter is displayed. In our lab we will select the Ethernet interface. If everything has gone well we will see a screen like the one in the figure below.
Step 3: Select the Connections tab to see the various connections to our system. When we check the "display remote computer names" checkbox at the top left, we will see:
Step 4: Now we can select any of the other tabs to see their respective statistics. For example, if we select the Traffic tab, we can see the traffic flowing.

Q3.1. How is this tool useful in our lab?

Q3.2. How can a hacker defend himself against this tool?
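The Connections tab described above lists each remote host and the type of connection (HTTP, POP3, FTP); the same view can be reconstructed from the text output of netstat, which is what the following added Python example does (it is not part of the lab or of Karen's LAN Monitor). The netstat output is constructed in the Windows XP layout; port 6060 is the StoreGrid web interface from Section 1.2, and the expected-listener set passed to review() is an assumption about what this lab machine should be offering.

```python
"""Added example, not part of the lab: parse Windows 'netstat -an' output into
connection records, label each by service, and flag unexpected listeners."""
import re

# Constructed 'netstat -an' output in the Windows XP layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6060           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      64.233.169.99:80       ESTABLISHED
  TCP    192.168.1.10:1061      10.0.0.5:110           ESTABLISHED
  TCP    192.168.1.10:1070      203.0.113.7:6060       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Port-to-service names; HTTP, POP3 and FTP are the types the lab mentions,
# 6060 is the StoreGrid web interface from Section 1.2.
PORT_NAMES = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 135: "RPC",
              137: "NetBIOS", 443: "HTTPS", 445: "SMB", 6060: "StoreGrid"}

# Proto, local addr:port, foreign addr:port, optional state (absent for UDP).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)")


def parse_netstat(text: str) -> list:
    """One dict per connection line; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({
            "proto": proto,
            "local": laddr, "lport": None if lport == "*" else int(lport),
            "remote": raddr, "rport": None if rport == "*" else int(rport),
            "state": state,   # empty string for UDP, which is connectionless
        })
    return conns


def service_of(conn: dict) -> str:
    """Name the service: the local port for listeners, the remote port otherwise."""
    listener = conn["state"] == "LISTENING" or conn["proto"] == "UDP"
    port = conn["lport"] if listener else conn["rport"]
    return PORT_NAMES.get(port, f"port {port}")


def review(conns: list, expected_listeners: set):
    """Return (established connections as (remote host, service),
    sorted TCP listening ports that are not in expected_listeners)."""
    established = [(c["remote"], service_of(c))
                   for c in conns if c["state"] == "ESTABLISHED"]
    unexpected = sorted(c["lport"] for c in conns
                        if c["state"] == "LISTENING"
                        and c["lport"] not in expected_listeners)
    return established, unexpected
```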
Appendix A: Structure of Windows Registry

A hive is a logical file system within a flat file.
Keys = directories.
Values = files.

There are 5 root keys (i.e. starting points) in the Windows registry. Table 1 shows the root keys and the abbreviations normally used.

Table 1: Root keys of the Windows registry
Name                  Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC

1. HKEY_CLASSES_ROOT

HKCR contains two types of per-user settings: file associations, and class registration for Component Object Model (COM) objects. File associations describe the file types and the associated programs that open and edit them. HKCR consumes most of the space in the registry (Russinovich, 1997). Windows merges two keys, HKLM\SOFTWARE\Classes (containing default file associations and class registration) and HKCU\Software\Classes (containing per-user file associations and class registration), to obtain HKCR. In fact, HKCU\Software\Classes is a link to HKU\SID_Classes. By merging the two keys, programs can register per-computer and per-user file associations and program classes.

•   Stores information about registered applications, such as associations from file extensions and OLE object class IDs
•   Software configuration information from the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key
2. HKEY_CURRENT_USER

•   It shows profile information about the currently logged-on user.
•   The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations.
3. HKEY_LOCAL_MACHINE

•   It stores information about local system hardware, device drivers, services, and machine-specific application data.
•   Information about system hardware drivers and services is located under the SYSTEM subkey, whilst the SOFTWARE subkey contains software and Windows settings.
4. HKEY_USERS

•   It contains pre-logon default user profile information and the HKEY_CURRENT_USER key.
•   The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations.
5. HKEY_CURRENT_CONFIG

•   Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.
•   It also contains hardware information from the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys.
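The backup / delete / restore cycle of Sections 1.1 and 1.3 works on exactly the key-and-value structure laid out in this appendix; the following Python is an added example, not part of the lab or of the RegKey Backup and Registryfix tools, that parses the text format regedit writes when a key is exported (a .reg file) and compares a backup export with a later one to show what a restore would put back. Both exports, the ExampleApp key and its values are constructed placeholders; the root-key abbreviations come from Table 1 above.

```python
"""Added example, not part of the lab: parse .reg exports and compute what a
restore from a backup export would recreate after a registry cleanup."""

# Root-key abbreviations from Table 1 in Appendix A. regedit itself writes
# the long names, but hand-written .reg files and tools often use the short ones.
ROOT_ABBREVIATIONS = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Constructed backup export of one application's branch, taken before cleanup.
BACKUP_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
@="ExampleApp"
"InstallDir"="C:\\Program Files\\ExampleApp"
"Version"=dword:00000003

[HKEY_CURRENT_USER\Software\ExampleApp\Recent]
"File0"="C:\\Documents and Settings\\lab\\notes.txt"
"""

# Constructed export of the same branch after a registry cleaner ran:
# the Recent subkey and the Version value are gone.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
@="ExampleApp"
"InstallDir"="C:\\Program Files\\ExampleApp"
"""


def expand_root(key_path: str) -> str:
    """Normalise HKLM\\... to HKEY_LOCAL_MACHINE\\... so paths compare equal."""
    root, sep, rest = key_path.partition("\\")
    return ROOT_ABBREVIATIONS.get(root.upper(), root) + sep + rest


def decode_value(raw: str):
    """Decode quoted strings and dword: values; other encodings stay raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; '@' names the key's default value.

    A header of the form [-HKEY_...] means 'delete this key' and carries no
    values, so it is skipped rather than recorded as a key."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if line.startswith("[-"):
                current = None
                continue
            current = expand_root(line[1:-1])
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(raw)
    return keys


def restore_plan(backup: dict, after: dict):
    """What a restore from the backup would recreate: keys missing entirely,
    and values missing from keys that still exist."""
    missing_keys = sorted(k for k in backup if k not in after)
    missing_values = {}
    for key, values in backup.items():
        if key in after:
            gone = {n: v for n, v in values.items() if n not in after[key]}
            if gone:
                missing_values[key] = gone
    return missing_keys, missing_values
```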
Appendix B: RegCure software to clean the registry

Another tool for registry cleanups.

The system can slow down dramatically due to an overloaded file system and registry, temporary files, old file residues and pending uninstalls. Hence the system has to be maintained, cleaning the file system to ensure that the computer runs at a good speed. RegCure is one such piece of software that does this. It cleans the remnants left behind in the registry. You can enable and disable applications in the Manage Startup list with a few simple clicks.

Step 1: Copy the file RegCure_Setup_15_RW.exe from the NAS and install it in your virtual XP machine. It is also available on the internet: http://pctuneuptips.com/recommends/clean/?u=1&gclid=COXz5q7znJACFUtyOAodCUMX7Q

Step 2: Once it is installed, press the Scan button to look for error files. After the scan is complete it will display the results.

Step 3: A description and the location of the errors can also be obtained by clicking Next.

Step 4: We can then click Fix Errors to clean the registry.
This software also has good features like Backup, Manage Startup and Results. All these features are useful for managing the registry better. Also, to fix the errors we will have to register, which will involve some cost.

Appendix C: Efficient and selective way of cleaning the registry

We have seen that scanning the registry takes a lot of time, because it scans all the entries in the entire Windows system. It may be a waste of time to search the entire registry if we know the possible location where the invalid entry could be. Hence we need a more efficient tool that is able to scan at the selected location. AntiSpywarebot is one such tool.

Step 1: Copy the file setupxv.exe from the NAS and install it on your XP virtual machine. The software can also be obtained from the internet: http://www.antispywarebot.com/?hop=mypctools

Step 2: After it is installed the screen will appear like this. We see that we are provided with scanning options; take a look at each option. A very important and good feature of this software is the scanning location. When we click Scanning Location, we get something like this:
Step 3: Select the particular location to start scanning. When you click Scan, you will see that the scanning has started. After the scanning is complete, a complete list of all the errors is displayed.
Step 4: We can see the location of each error and select the errors we want to delete. Another good feature of this software is that it maintains an ignore list of the errors we did not select to delete.

The drawback of this tool is that it does not have a backup option. Hence, in case we happen to delete a file which was important, we will not be able to retrieve it. Also, to fix the errors we will have to register, which will involve some cost.

Appendix D: Everyday auto backup

Manually taking a backup every time a change is made gets tedious. Hence we need an automated mechanism that takes the backup automatically. Also, in case the file at the specified location is attacked and damaged, we still have a backup.

Compare & Backup is easy-to-use and powerful backup software for directory synchronization. It allows you to compare the source with the destination before backup. Then you will know which files need to be backed up, which files need to be restored, and which files need to be deleted.

Step 1: Copy the file cb_setup.exe from the NAS to your XP virtual machine. The software is also available on the internet: http://www.backupsoft.net/index.html

Step 2: Now select the destination and source folders under one project. What this does is compare the contents of the source and the destination. From the results we can see which files to delete and which ones to back up or restore. If everything has gone well the screen should look like the one in the figure below.
Step 3: We can specify an automatic backup by adding another project. We will be asked to enter the source folder of which we need to take the backup and the destination folder where all the files have to be stored. We can also select the times at which we need the backup.
Accordingly, backups will be created at the specified times in the destination folder. Hence we have seen that this tool is really very useful. It does not just blindly copy; it also does a compare so that any changes are detected. It is an automated process and hence easy to use.
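As an added example (not part of the original lab, and not the Compare & Backup tool's own code), the compare-before-copy idea in Python: each file is hashed so that a damaged or tampered copy in the destination shows up as needing backup, a file present only in the destination is flagged for a restore-or-delete decision, and only the flagged files are copied. The source and destination folders and their contents are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

def _sha256(path):
    # Hash file contents; a changed hash means the copy is stale or tampered.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _tree(root):
    """Map each relative file path under root to the SHA-256 of its contents."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return out

def compare_dirs(source, destination):
    """Classify files before copying anything: 'backup' = new or changed in source;
    'orphan' = only in destination (restore if source was damaged, else delete);
    'same' = identical content in both, nothing to do."""
    src, dst = _tree(source), _tree(destination)
    return {"backup": sorted(p for p, h in src.items() if dst.get(p) != h),
            "orphan": sorted(p for p in dst if p not in src),
            "same": sorted(p for p, h in src.items() if dst.get(p) == h)}

def run_backup(source, destination):
    """Copy only the files the compare step flagged; returns what was copied."""
    todo = compare_dirs(source, destination)["backup"]
    for rel in todo:
        target = os.path.join(destination, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(source, rel), target)
    return todo

def demo():
    """Constructed sample trees: compare, back up, then compare again."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    os.makedirs(src); os.makedirs(dst)
    for d, name, data in [(src, "a.txt", b"same"), (dst, "a.txt", b"same"),
                          (src, "b.txt", b"new"), (src, "c.txt", b"edited"),
                          (dst, "c.txt", b"original"), (dst, "d.txt", b"orphan")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    before = compare_dirs(src, dst)
    copied = run_backup(src, dst)
    return before, copied, compare_dirs(src, dst)
```

Scheduling `run_backup` from Task Scheduler at the chosen times gives the same effect as the tool's timed project.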
Tools:
[1] Mozilla Firefox Browser with Firephish add-on
[2] Opera and IE 7 Browsers
[3] Registry Fix Software
[4] Reg Back Up Software
[5] Vembu StoreGrid Software
[6] Recent Cleaner Software
[7] LAN Monitor Software
Answer Sheet:

Section I

Q.1.1.1 What is Phishing?
Ans:

Q.1.1.2 How does Phishing work and spread?
Ans:

Q.1.1.3 Do you see any notification of a phishing site? If so, explain.
Ans:

Q.1.1.4 Do you see anything now? What can you conclude from this?
Ans:

Q.1.1.5 Do you see any warnings? If so, take a screenshot of this and submit it with your lab.

Q.1.1.6 Do you see any warnings?
Ans:

Q.1.1.7 Compare the antiphishing functionality of the three browsers.
Ans:

Q.1.2.1 Explain how IFrames can be used by hackers to extract information from users.
Ans:

Q.1.3.1 Go to the two websites above and see the difference. Also find another pair of websites with typo errors. (You will have to google for this.)
Ans:

Q.1.3.2 How can we defend ourselves against such sites that rely on typo errors? (You will have to google for this.)
Ans:

Q.1.3.3 Type www.gooogle.com and see what happens. Explain.
Ans:

Q.1.4.1 How can we prevent ourselves from such attacks?

Q.1.5.1 Based on the sample shown above, what all must be checked to ensure whether the email is from a legitimate bank or a hacker? (Hint: compare the emails shown below and above.)
Ans:

Section II

Section 1: Working with Windows Registry

Section 1.1 - Back up Registry

Screenshot #4: Take a screenshot of the registry highlighting the application when it is restored back.

Q 1.1.1 I have an application which I had installed, but it made my system slow, so I deleted it; still the performance does not change. Why?
Q 1.1.2 Why is there a need for backup? Why don't we directly delete applications from the registry?

Section 1.2 - Client-Server and remote backup

Screenshot #5: Take a screenshot of the file successfully added to the backup list and submit it with your answer sheet.

Q 1.2.1 What is the advantage of this backup over other forms of backup?

Section 1.3 - Cleaning the registry with backup

Screenshot #6: Take a screenshot of any one of the applications after it is deleted and after it is restored back at the same location.

Q 1.3.1 How can this tool be useful in hardening your system?
Q 1.3.2 How is this tool better than other registry tools (Appendix B and C or other tools on the web)?

Section 2: Record Cleaner

Screenshot #7: Take a screenshot of the generated report and attach it to your answer sheet.

Q 2.1 Once the recent files get deleted, suppose I wanted to keep a few files in the recent record for fast access; in this case how would I recover the lost files?

Section 3: LAN Monitoring

Q 3.1 How is this tool useful in our lab?

Q 3.2 How can a hacker defend himself against this tool?
General Questions

Q.1. How long did it take you to complete this lab? Was it an appropriate length lab?

Q.2. What corrections and/or improvements do you suggest for this lab? Please be very specific, and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the title "Lab Addition", your addition subject title, and must start with a paragraph explaining at a high level what new concept may be learned by adding this to the existing laboratory assignment. After this introductory paragraph, add the details of your lab addition.

Turn-in checklist

You need to turn in:
Answer sheet.
7 screenshots.
Any corrections or additions to the lab.