CNT 125 Campus - Risk Management Lab Completed

The CNT 125 Campus - Risk Management Lab focuses on teaching students how to implement and manage a network using routers and switches while applying ethical hacking techniques. Students will learn subnet planning, physical connectivity, switch and router configuration, and network testing. The lab emphasizes hands-on experience with tools like Nmap and Wireshark, and requires adherence to the college's Acceptable Use Policy.


CNT 125 Campus - Risk Management Lab
Created by: Mr. D. Brown

Course Learning Outcomes:


Upon successful completion of the course, the student shall be able to:
●​ Implement a working network utilizing routers and switches
●​ Demonstrate configuration and use of remote access technologies
●​ Identify the risks associated with protocols
●​ Demonstrate the use of network assessment tools to test for vulnerabilities
●​ Implement and test security measures in the network equipment

Part 0 - Special Lab Note


This lab is special in that you will be utilizing some tools that will require you to use some ethical hacking techniques to
learn about these technologies. REMINDER: these are being utilized for educational purposes only – you still need to
adhere to the college AUP.
​ Open a browser and navigate to a web source, like Wikipedia, and locate a definition of “White Hat Hacker”.

​ For the lab today are you a white hat or black hat hacker? ________________________________

Part 0 - Lab Prep - Complete BEFORE Arriving at the Lab Room


#1 - Read Through the Lab (Print a copy of the lab if you wish to have a hard copy)
#2 - View Network Map !!!!
#3 - Take note that you will be providing the IP Addresses and Ports used for the network map
#4 - Take Notes on what is being completed in the lab
#5 - Watch the Lab Podcasts (There will not be time in the lab room to do so)

Part 0 - Lab Prep - Complete WHEN Arriving at the Lab Room


#1 - Download a copy of the Lab to your Lab PC
#2 - Get out your lab notes for completing the lab
#3 - Check Lab PC to make sure ONLY Npcap is installed along with NMAP and Wireshark
●​ Windows button
●​ Type .. Applications to open Apps and Features
●​ Select the Programs and Features on the right side
●​ Scroll through and look for nmap and npcap and Wireshark
○​ If you see Winpcap in addition to … nmap and npcap and Wireshark, please check with
Mr. Brown - an uninstall may be necessary to have these apps work correctly

Part 1: Subnet Planning
ACME Adhesive Company® needs their network subnetted to help organize the network. Their network is
using the 160.60.0.0 network. You will need to assist them with the additional subnetting they need to complete
their network configuration. A map of their network is located in the enclosed material. Please view that map to
understand the construction of their network.

1.​ View the map contained in this lab. This company needs ______ subnets.
2.​ The network # for the network is: 160.60.0.0​

Bit Count | SNM – Dotted Decimal | # Bits Borrowed | # of SN Created (2^# of Borrowed Bits) | # of Addresses/SN (2^# of Remaining Bits) | # of Usable (2^# of Remaining Bits – 2)
1/8 | 255.255.192.0 | 2 | 2^2=4 sn | 2^14=16384 | 16382

(Note: Use as much of this chart as needed to get the subnets necessary for the Lab)

SN # | Usable host range | SN BA
0.0 | 160.60.0.1 - 160.60.63.254 | 63.255
64.0 | 160.60.64.1 - 160.60.127.254 | 127.255
128.0 | 160.60.128.1 - 160.60.191.254 | 191.255
192.0 | 160.60.192.1 - 160.60.255.254 | 255.255

3.​ Now take the subnets that you have planned and apply them to the network map (next page) so you have
a plan on how to connect and configure their network.

Network Map (address labels as entered on the map)

Subnet 160.60.64.0
● FA0/1 - IP Address: 160.60.64.1, Subnet Mask: 255.255.192.0
● Gi0/1 - IP Address: 160.60.64.2, Subnet Mask: 255.255.192.0

Subnet 160.60.0.0
● IP Address: 160.60.0.1, Subnet Mask: 255.255.192.0
● IP Address: 160.60.0.2, Subnet Mask: 255.255.192.0, Default Gateway: 160.60.0.1
● IP Address: 160.60.0.10, Subnet Mask: 255.255.192.0, Default Gateway: 160.60.0.1

Subnet 160.60.128.0
● IP Address: 160.60.128.1, Subnet Mask: 255.255.192.0
● IP Address: 160.60.128.2, Subnet Mask: 255.255.192.0, Default Gateway: 160.60.128.1
● IP Address: 160.60.128.10, Subnet Mask: 255.255.192.0, Default Gateway: 160.60.128.1

FastEthernet 0/1
Connected Port: FastEthernet 0/1
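
The subnet chart and the map addresses above can be cross-checked with a short script before anything is typed into a device. This is an added example, not part of the original lab; the function names are hypothetical, and the borrowed-bit count (2) and the addresses come from the chart and map. The wildcard column is the inverse mask that the OSPF network statements later in the lab ask for.

```python
import ipaddress


def subnet_chart(network, borrowed_bits):
    """Return one row per subnet created by borrowing host bits from `network`."""
    rows = []
    for sn in ipaddress.ip_network(network).subnets(prefixlen_diff=borrowed_bits):
        rows.append({
            "subnet": str(sn.network_address),
            "mask": str(sn.netmask),
            "wildcard": str(sn.hostmask),          # inverse mask for OSPF
            "first_host": str(sn.network_address + 1),
            "last_host": str(sn.broadcast_address - 1),
            "broadcast": str(sn.broadcast_address),
            "usable": sn.num_addresses - 2,
        })
    return rows


def check_node(ip, mask, gateway=None):
    """Return a list of problems with one address label from the map."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    if iface.ip == net.network_address:
        problems.append(f"{ip} is the subnet number of {net}, not a host address")
    if iface.ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"gateway {gateway} is outside {net}; {ip} cannot reach it")
        elif gw == iface.ip:
            problems.append(f"{ip} is configured as its own gateway")
    return problems


# Address labels taken from the network map: (ip, mask, default gateway).
MAP_NODES = [
    ("160.60.0.2", "255.255.192.0", "160.60.0.1"),
    ("160.60.0.10", "255.255.192.0", "160.60.0.1"),
    ("160.60.128.2", "255.255.192.0", "160.60.128.1"),
    ("160.60.128.10", "255.255.192.0", "160.60.128.1"),
]

if __name__ == "__main__":
    for row in subnet_chart("160.60.0.0/16", 2):
        print(row)
    for ip, mask, gw in MAP_NODES:
        print(ip, check_node(ip, mask, gw) or "ok")
    # Constructed typo: a right-side PC pointed at the left-side gateway.
    print(check_node("160.60.128.10", "255.255.192.0", "160.60.0.1"))
```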

Part 2 – Physical Connectivity
Layer 1 Connectivity
Use the map as a guide – connect your network together as it is being shown.
● Pay attention to the port #'s being used on devices
● Pay attention to the cables being used
○ Reminder - between unlike devices = straight through
○ Reminder - between like devices = crossover
● PCs can be connected to any switch port for this lab

Part 3 – Switch Configuration


Use your Lab Notes or Notes from Previous Lab to assist with this portion if necessary.

Console Into Switch
● Using Terminal Emulation Program (putty) on PC Console into the Switch
● Use your Lab Notes or look at previous labs for configuration help

Cisco Switch - Switch Name
● Configure the Hostname on the Switch
● Use the Network Map as a Guide for Hostname
○ Hostnames become really important when working with remote access!
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the hostname entered is not correct … repeat the command with the correct name

Cisco Switch - Assigning an IP Address
● Configure an IP Address on the Switch on Interface VLAN 1 for remote access and management purposes
● Use the Network Map as a Guide for the IP Address to use
● Make sure to “Turn the IP Address On” after assigning the IP Address
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the IP & SNM entered is not correct … repeat the command with the correct IP & SNM - this will “overwrite” the incorrect IP & SNM and fix the error.

Cisco Switch - Configuring Banner Message
● Configure a Banner Message (MOTD - Message of the Day) that will be displayed when a remote connection is established.
switch# config t
switch(config)# banner motd $_____________$
● The symbol at the beginning and end denote that “between” is the message of the day
● Use the device hostname in the banner message
● Example: banner motd $Welcome to the Bottom Switch$

Cisco Switch - Assigning Default Gateway
● Switch should be configured with default gateway if switch will be managed remotely from networks not directly connected
● default gateway is first Layer 3 device (router) on the same management VLAN
● switch will forward IP packets with destination IP addresses outside local network to the default gateway
switch# config t
switch(config)# ip default-gateway 160.60.___.____
● Use Default Gateway IP Address noted on Map for each switch


Cisco Switch - View Config
● Use the command to show your current running configuration
● Check carefully for any errors - make any necessary corrections
● Use your Lab Notes or look at previous labs for configuration help

Cisco Switch - Save Config
● Use the command to copy your current running configuration in RAM to the startup configuration in NVRAM
● Use your Lab Notes or look at previous labs for configuration help

Repeat Above Steps for the other switch in the network

Part 4 – Basic Router Configuration


For this portion of the lab we will configure the basics on the router - hostname and interface addresses.

Cisco Router - Console Into Router
● Using Terminal Emulation Program (putty) on PC Console into the Router
● Use your Lab Notes or look at previous labs for configuration help
● NOTE: You can move the blue console cable to another console port and continue to use the same/active PUTTY connection created !!!

Cisco Router - Router Name
● Configure the Hostname on the Router
● Use the Network Map as a Guide for Hostname
○ Hostnames become really important when working with remote access!
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the hostname entered is not correct … repeat the command with the correct name

Cisco Router - Configuring Banner Message
● Configure a Banner Message (MOTD - Message of the Day) that will be displayed when a remote connection is established.
router# config t
router(config)# banner motd $_____________$
● The symbol at the beginning and end denote that “between” is the message of the day
● Use the device hostname in the banner message
● Example: banner motd $Welcome to the 2811 Router$

Repeat Above Steps for the other Router in the network
NOTE: You can move the blue console cable to the other router console port and continue to use the same/active PUTTY connection created !!!


Cisco 2811 Router - Interface IP Address Configuration

Cisco Router - 2811 Model: LAN Interface IP Address (The LAN Port Connected to Switch)
● Use the Network Map as a Guide for the Port to configure
● Select the LAN Interface (port connected to Switch)
● Use the Network Map as a Guide for IP Address to configure
● Configure the IP Address and Subnet Mask
● Make sure to “Turn the Port On” after configuring the IP
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the IP & SNM entered is not correct … repeat the command with the correct IP & SNM - this will “overwrite” the incorrect IP & SNM and fix the error.

Cisco Router - 2811 Model: WAN Interface IP Address (The WAN Port connected to other router)
● Use the Network Map as a Guide for the Port to configure
● Select the WAN Interface (port connected to other Router)
● Use the Network Map as a Guide for IP Address to configure
● Configure the IP Address and Subnet Mask
● Make sure to “Turn the Port On” after configuring the IP
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the IP & SNM entered is not correct … repeat the command with the correct IP & SNM - this will “overwrite” the incorrect IP & SNM and fix the error.

Cisco 4221 Router - Interface IP Address Configuration

Cisco Router - 4221 Model: LAN Interface IP Address (The LAN Port Connected to Switch)
● Use the Network Map as a Guide for the Port to configure
● Select the LAN Interface (port connected to Switch)
● Use the Network Map as a Guide for IP Address to configure
● Configure the IP Address and Subnet Mask
● Make sure to “Turn the Port On” after configuring the IP
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the IP & SNM entered is not correct … repeat the command with the correct IP & SNM - this will “overwrite” the incorrect IP & SNM and fix the error.

Cisco Router - 4221 Model: WAN Interface IP Address (The WAN Port connected to other router)
● Use the Network Map as a Guide for the Port to configure
● Select the WAN Interface (port connected to other Router)
● Use the Network Map as a Guide for IP Address to configure
● Configure the IP Address and Subnet Mask
● Make sure to “Turn the Port On” after configuring the IP
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if the IP & SNM entered is not correct … repeat the command with the correct IP & SNM - this will “overwrite” the incorrect IP & SNM and fix the error.


Configuring OSPF Routing Protocol

Cisco Router - OSPF Routing Protocol Enabled
● Use the Network Map as a Guide for the Networks (Subnets) to configure
● Configure the OSPF routing protocol
● Configure the Networks (subnets) that will participate in OSPF Routing making sure to use the Inverse Mask for each Network (Subnet)
● Use your Lab Notes or look at previous labs for configuration help
● Troubleshooting Tip … if there is an error in the Network entered … repeat the entire command (copy & paste can help) with “No” at the beginning of the command and that will remove the wrong entry … Then … Re-enter the correct network

Complete the OSPF Configuration for BOTH Routers

Viewing & Saving the Running Router Configuration


Cisco Router - View your Configuration
● Use the command to show your current running configuration
● Check carefully for any errors - make any necessary corrections
● Use your Lab Notes or look at previous labs for configuration help

Cisco Router - Save your Configuration
● Use the command to copy your current running configuration in RAM to the startup configuration in NVRAM
● Use your Lab Notes or look at previous labs for configuration help

Complete for BOTH Routers

Viewing & Troubleshooting the Network


Cisco Router - Check Link Lights
After completing configuration … On BOTH routers … router ports should be functioning. Check the link lights next to the ports you configured and verify that they are ON

If the router & switch ports being used have link lights … excellent … continue on

If the router & switch ports being used DO NOT have link lights … Use the Troubleshooting Tips Shown At the end of the lab to help with connectivity.

Workstation Configuration & Testing


Workstation Configuration
● Connect the client computers into the network as shown
○ Follow the map for where the clients are to be connected
● Change the IP Settings to match what is shown on the map
○ Follow the map for details on IP, SNM and DFG
○ CHECK FOR TYPOS !!!
● Verify the change has occurred at a command prompt
● Complete for all Client PCs


Workstation - Testing of LAN
On each PC perform the following tests:
● ping IP address of default gateway - should be successful

If these PING tests were successful … excellent … continue on

If these PING tests were not successful … Use the Troubleshooting Tips Shown At the end of the lab to help with connectivity.

Workstation - Testing of WAN
On each PC perform the following tests:
● ping IP address of node on other switch
● use tracert to trace path to node on other switch

If these PING tests were successful … excellent … continue on

If these PING tests were not successful … Use the Troubleshooting Tips Shown At the end of the lab to help with connectivity.

Viewing & Troubleshooting the Routing Table


Cisco Router - Viewing OSPF Routing Tables
● Use the command to show your current routing table
● Make sure all Networks (Subnets) appear in the Routing Table
● Use your Lab Notes or look at previous labs for configuration help

If All Networks are in the routing table … excellent … continue on

If All Networks are NOT in the routing table … Use the Troubleshooting Tips Shown At the end of the lab to help with connectivity.

Gathering Proof of OSPF Routing Table


Cisco Router - Gather Proof of OSPF Routing Table
If All Networks are in the routing table … excellent … continue on
● Open Notepad … or … Text Editor on your PC
● Create a file to gather results from this lab and save the file as risk-routing-table.txt (NOTE: Make sure you have the .txt file extension - D2L does not like files with no file extension and will not let them be loaded for submission)
● In Putty Copy results of the show ip route command
● In Notepad Paste the results of the show ip route command
● Save Notepad file to desktop with name risk-routing-table.txt
● Save this Notepad file for submission to D2L

5 - Configuring Enable Password, Local User Account & Telnet Access for Switches
When configuring remote access, some security will be needed on the device. This security will include a password to be able to enter Enable mode on the device along with a user account that will be needed to be able to connect to the device remotely.

Configuring a Password for Enable Mode

Cisco Switch - Create Password for Enable Mode
Console in to your Switch
switch(config)# enable secret class
● Sets the enable password to class and then encrypts the password
● CHECK FOR TYPOS … BEFORE … Hitting Enter !!!
● Exercise caution when setting passwords - you can lock yourself out of the device if not careful - CHECK FOR TYPOS !!!
● Troubleshooting Tip … if there is an error in the password entered … correct that now by re-entering the command with the correct password

Creating a Local User Account

Cisco Switch - Create Local User Account
switch(config)# username _______ password _________
● creates a local account for Telnet access
● use your first name for username
● use password as password
● Troubleshooting Tip … if there is an error in the account entered … correct that now by re-entering the command with the correct info

Enabling Telnet Access

Cisco Switch - Enable Telnet Access (Switch does not support SSH, so we will use Telnet)
switch(config)# line vty 0 15
● Selects the “virtual terminals” for configuration
● The “virtual terminals” are used for remote connections
switch(config-line)# transport input telnet
● enabling access via telnet on these “virtual terminals”
switch(config-line)# login local
● indicates that the locally stored user account that we created previously should be the one that is used when a remote connection is initiated
switch(config-line)# exit

Cisco Switch - View your Configuration
● Use the command to show your current running configuration
● Check carefully for any errors - make any necessary corrections
● Use your Lab Notes or look at previous labs for configuration help

Cisco Switch - Save your Configuration
● Use the command to copy your current running configuration in RAM to the startup configuration in NVRAM
● Use your Lab Notes or look at previous labs for configuration help

Complete for BOTH Switches

6 - Configuring Enable Password, Local User Account & SSH Access for Routers
When configuring remote access, some security will be needed on the device. This security will include a password to be able to enter Enable mode on the device along with a user account that will be needed to be able to connect to the device remotely.

Configuring a Password for Enable Mode

Cisco Router - Create Password for Enable Mode
router(config)# enable secret class
● Sets the enable password to class and then encrypts the password
● CHECK FOR TYPOS … BEFORE … Hitting Enter !!!
● Exercise caution when setting passwords - you can lock yourself out of the device if not careful - CHECK FOR TYPOS !!!
● Troubleshooting Tip … if there is an error in the password entered … correct that now by re-entering the command with the correct password

Creating a Local User Account

Cisco Router - Create Local User Account
router(config)# username ______ password _______
● creates a local account for SSH access
● use your first name for username
● use password as password
● Troubleshooting Tip … if there is an error in the account entered … correct that now by re-entering the command with the correct info

Creating an Encryption Key for SSH to use

Cisco Router - Create an Encryption Key to use for SSH Connection
router(config)# ip domain name ___cnt.org___
● sets the domain name, which is needed for creation of key
router(config)# crypto key generate rsa
● if asked to replace key indicate …. yes
● enter a key size of …. 1024
● this generates an encryption key that SSH will use to encrypt the remote connection
router(config)#

Enabling SSH Access on Router

Cisco Router - Enable Remote Access via SSH
router(config)# line vty 0 15
● Selects the “virtual terminals” for configuration
● The “virtual terminals” are used for remote connections
router(config-line)# transport input ssh
● enabling access via SSH on these “virtual terminals”
router(config-line)# login local
● indicates that the locally stored user account that we created previously should be the one that is used when a remote connection is initiated
router(config-line)# exit

Cisco Router - View your Configuration
● Use the command to show your current running configuration
● Check carefully for any errors - make any necessary corrections
● Use your Lab Notes or look at previous labs for configuration help

Cisco Router - Save your Configuration
● Use the command to copy your current running configuration in RAM to the startup configuration in NVRAM
● Use your Lab Notes or look at previous labs for configuration help
Complete for BOTH Routers
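
One way to review a saved running configuration for the remote-access settings made in sections 5 and 6. This is an added example, not part of the original lab or of any Cisco tool; the sample configurations, hostnames, username and hash strings are constructed, and the finding codes are hypothetical.

```python
import re

# Constructed samples modelled on the commands entered in sections 5 and 6.
SWITCH_CFG = """\
hostname BottomSwitch
enable secret 5 $1$CONSTRUCTED$HASH
username alex password 0 password
interface Vlan1
 ip address 160.60.0.2 255.255.192.0
ip default-gateway 160.60.0.1
line vty 0 15
 login local
 transport input telnet
"""

ROUTER_CFG = """\
hostname Router2811
enable secret 5 $1$CONSTRUCTED$HASH
username alex password 0 password
ip domain name cnt.org
line vty 0 15
 login local
 transport input ssh
"""

# Constructed "after" version of the router config with the findings addressed.
HARDENED_CFG = """\
hostname Router2811
enable secret 9 $9$CONSTRUCTED$HASH
username alex secret 9 $9$CONSTRUCTED$HASH
ip domain name cnt.org
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
"""


def parse_blocks(config):
    """Group an IOS config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)      # indented: belongs to last parent
        else:
            blocks.append((line, []))
    return blocks


def audit(config):
    """Return (code, message) findings for remote-access weaknesses."""
    findings = []
    ssh_on_vty = False
    blocks = parse_blocks(config)
    for parent, children in blocks:
        user = re.match(r"username (\S+) password\b", parent)
        if user:
            findings.append(("USER_PASSWORD",
                f"user {user.group(1)}: 'password' is stored as type 0 (clear text) "
                "or type 7 (reversible); use 'username ... secret'"))
        if re.match(r"enable password\b", parent):
            findings.append(("ENABLE_PASSWORD",
                "'enable password' is not hashed; use 'enable secret'"))
        if parent.startswith("line vty"):
            transport = None
            for child in children:
                if child.startswith("transport input"):
                    transport = child.split()[2:]
            if transport is None:
                findings.append(("VTY_TRANSPORT_UNSET",
                    f"{parent}: no 'transport input'; set it explicitly"))
            else:
                if "telnet" in transport or "all" in transport:
                    findings.append(("VTY_TELNET",
                        f"{parent}: Telnet allowed, logins and 'show run' "
                        "output cross the network in clear text"))
                if "ssh" in transport or "all" in transport:
                    ssh_on_vty = True
            if "login local" not in children:
                findings.append(("VTY_LOGIN",
                    f"{parent}: 'login local' missing, local accounts not enforced"))
    if ssh_on_vty and not any(p == "ip ssh version 2" for p, _ in blocks):
        findings.append(("SSH_VERSION_UNPINNED",
            "no 'ip ssh version 2'; older IOS releases then also accept SSHv1"))
    return findings


def codes(config):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit(config)]


if __name__ == "__main__":
    for name, cfg in (("switch", SWITCH_CFG), ("router", ROUTER_CFG),
                      ("hardened", HARDENED_CFG)):
        print(name, audit(cfg) or "no findings")
```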

7 - Configure Client Computer Remote Access via RDP


The network is up & running with connectivity throughout the network. We have enabled remote access to the Switches via Telnet and routers via SSH. We are now going to configure Remote Access via RDP (Remote Desktop Protocol) to a Client PC (the client PC that is noted on the network map).

Windows Client - Enable Remote Access via RDP (Windows client noted on map as having RDP Enabled. We are enabling this PC to be accessed via RDP)
On Windows Client Noted as having RDP Enabled
● Open the control panel
○ Click Windows Icon and start typing Control Panel
● Locate and Click on system & security settings
● Under the System section - click allow remote access
● Under Remote Desktop section – click the Allow Remote Connections to this computer
● click apply
● click ok
This PC has been enabled for remote access via RDP. We will test the connection later.

8 – Use a Client Computer to Remote Access into a Switch via Telnet
Now that the network is up and running and has remote access enabled for the switches, routers and a client PC …. let's do some remote connections. Again, remember, this allows work, repairs, troubleshooting on remote devices in a network.

Remote Access into Cisco Switch via Telnet (Do this from Windows PC#1 on the Left Side of the Map)
On your Windows PC#1 on the Left Side of the Map … we will use Putty to Telnet into a Cisco Switch
● Locate Windows PC#1
● Close any open Putty Sessions
● Open a New Putty
● Select the Connection Type: Telnet
● Input the IP Address of a Switch in your network: 160.60.___.____
● Click Open
● When prompted for username - input the username (this will be your first name) of the local account created on this switch
● When prompted for password - input the password of the local account created - password
● Use the enable command
● When prompted for password - input the password configured for Enable Access: class
● Take note of the Prompt name that is displayed. You are using a “client PC” to remotely connect into a switch for admin work !!! This connection is using the NIC and connecting through the network to the switch. So the PC could be in one city and the network device could be in another city!
● Type the show run command to view the switch configuration
● Close out the Putty session
● Feel Free to Try the Other Switch in the Network

9 – Examine Protocol Traffic from Remote Access into Switch via Telnet
Now that the network is up and running and has remote access enabled for the switches, routers and a client PC …. let's examine the protocol traffic generated by remote connections of Telnet.

Remote Access into Cisco Switch via Telnet (Do this from Windows PC#1 on the Left Side of the Map)
On your Windows PC#1 on the Left Side of the Map … we will use Putty to Telnet into a Cisco Switch
● Locate Windows PC#1
● Close any open Putty Sessions
● Open a new Wireshark session
● Select your NIC
● Start a session to capture the Telnet connection to the cisco Switch on your network
● Open a New Putty
● Select the Connection Type: Telnet
● Input the IP Address of a Switch: 160.60.___.____
● Click Open
● When prompted for username - input the username (this will be your first name) of the local account created on this switch
● When prompted for password - input the password of the local account created - password
● Use the enable command
● When prompted for password - input the password configured for Enable Access: class
● Type the show run command to view the switch configuration and use the space bar to view all of the configuration.
● Stop the Wireshark session
● Close the Putty Session

View the Telnet Session Captured in Wireshark
● In wireshark apply a filter for Telnet (Hint: use telnet for filter )
● examine the Telnet packets captured
○ examine the source and destination IP Addresses
○ examine the source and destination Port #’s
○ open a Telnet Packet & view data contained in the Telnet Portion of the Packet
○ Scroll through some more Telnet packets & view the data contained in the Telnet Portion of the Packet
○ Is the Data Encrypted?
● close any open Telnet packets

Save the Telnet packets captured
● In wireshark select the file option and export specified packets
● Browse to the desktop of this PC
● Name the file a name of telnet-wireshark
● select the .pcapng file type option (should be the first option)
● make sure the All Packets button is selected
● make sure the Displayed button is selected
● click save to save this file for submission to D2L
● Close Wireshark when you are done


10 – Use a Client Computer to Remote Access into a Router via SSH


Now that the network is up and running and has remote access enabled for the switches, routers and a client PC …. let's do some remote connections. Again, remember, this allows work, repairs, troubleshooting on remote devices in a network.

Remote Access into Cisco Router via SSH (Do this from Windows PC#1 on the Left Side of the Map)
On your Windows PC#1 … we will use Putty to SSH into Cisco Router
● Locate Windows PC#1
● Close any open Putty Sessions
● Open a New Putty
● Select the Connection Type: SSH
● Input the IP Address of a Router: 160.60.__.__
● Click Open
● When prompted to accept an Encryption Key select Yes
● When prompted for username - input the username (this will be your first name) of the local account created on this router
● When prompted for password - input the password of the local account created - password
● Use the enable command
● When prompted for password - input the password configured for Enable Access: class
● Take note of the Router Prompt name that is displayed. You are using a “client PC” to remotely connect into a router for admin work !!! This connection is using the NIC and connecting through the network to the router “at the other site”. This PC could be in one city and the network device could be in another.
● Type the show run command to view the router configuration
● Close out the Putty session
● Feel Free to Try the Other Router in the Network

11 – Examine Protocol Traffic from Remote Access into Router via SSH
Now that the network is up and running and has remote access enabled for the switches, routers and a client PC …. let's examine the protocol traffic generated by remote connections of SSH.

Remote Access into Cisco 4221 Router via SSH (Do this from Windows PC#1 on the Left Side of the Map)
On your Windows PC#1 … SSH with Putty into Cisco Router
● Locate Windows PC#1
● Close any open Putty Sessions
● Open a new Wireshark session
● Select your NIC
● Start a session to capture the SSH connection to a cisco router
● Open a New Putty session
● Select the Connection Type: SSH
● Input the IP Address of a Router: 160.60.__.__
● Click Open
● When prompted for username - input the username (your name)
● When prompted for password - input the password (password)
● Use the enable command
● When prompted for password - input Enable password: class
● Use show run and space bar to view router configuration
● Stop the Wireshark session
● Close the Putty Session

View the SSH Session Captured in Wireshark
● In wireshark apply a filter for SSH (Hint: use ssh for filter )
● examine the SSH packets captured
○ view the first few SSH packets - what is occurring between client and router?
○ view the next batch of SSH packets (after the key exchanges) - what type of Data is now being exchanged?
○ open an SSH packet that is encrypted
○ examine the source and destination IP Addresses
○ examine the source and destination Port #’s
○ open the header fields of the SSH packet
○ view the data portion of the SSH packet
○ Is the Data Encrypted?
● close any open SSH packets

Save the SSH packets captured
● In wireshark select the file option and export specified packets
● Browse to the desktop of this PC
● Name the file a name of ssh-wireshark
● select the .pcapng file type option (should be the first option)
● make sure the All Packets button is selected
● make sure the Displayed button is selected
● click save to save this file for submission to D2L
●​ Close Wireshark when you are done
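
The "Is the Data Encrypted?" question in sections 9 and 11 can also be answered from the payload bytes themselves. This is an added example, not part of the original lab; the byte strings are constructed stand-ins for a reassembled Telnet session, an SSH identification string and encrypted SSH packet bodies, and the thresholds and function names are assumptions.

```python
import hashlib
import math
from collections import Counter

IAC, SB, SE = 255, 250, 240            # Telnet command bytes (RFC 854)
NEGOTIATION = {251, 252, 253, 254}     # WILL, WONT, DO, DONT


def strip_telnet_commands(data):
    """Drop Telnet IAC command sequences and keep only the user data."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                       # command truncated at end of segment
        elif data[i + 1] == IAC:
            out.append(IAC)             # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif data[i + 1] in NEGOTIATION:
            i += 3                      # IAC <verb> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        else:
            i += 2                      # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def shannon_entropy(data):
    """Empirical entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data):
    """Share of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify(payload, telnet=False):
    """Label a payload 'cleartext', 'encrypted-looking' or 'undetermined'."""
    data = strip_telnet_commands(payload) if telnet else payload
    ratio = printable_ratio(data)
    if data and ratio >= 0.95:
        return "cleartext"
    # Entropy is only meaningful on a few hundred bytes or more.
    if len(data) >= 256 and shannon_entropy(data) >= 6.5 and ratio < 0.6:
        return "encrypted-looking"
    return "undetermined"


# Constructed Telnet stream: option negotiation, then banner, login and config.
TELNET_STREAM = (
    bytes([IAC, 251, 1, IAC, 251, 3, IAC, SB, 24, 1, IAC, SE])
    + b"Welcome to the Bottom Switch\r\n\r\nUsername: alex\r\nPassword: \r\n"
    + b"BottomSwitch>enable\r\nPassword: \r\nBottomSwitch#show run\r\n"
    + b"username alex password 0 password\r\n"
)
# Constructed SSH identification string (sent before any encryption starts).
SSH_BANNER = b"SSH-2.0-Cisco-1.25\r\n"
# Deterministic high-entropy bytes standing in for encrypted SSH packet bodies.
SSH_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    print("telnet:", classify(TELNET_STREAM, telnet=True))
    print("ssh banner:", classify(SSH_BANNER))
    print("ssh after key exchange:", classify(SSH_ENCRYPTED))
```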

12 – Examine Protocol Traffic from Remote Access into Workstation via RDP
Now that the network is up and running and has remote access enabled for a workstation …. let's examine the protocol traffic generated by remote connections of RDP.

Remote Access into Windows PC#2 via RDP (You will use PC#1 on the left side of the map to do a Remote Connection via RDP to PC#2 on the right side of the map)
Remote Access into Windows Client via RDP
● Make sure Both Windows PC’s are “awake”
● Locate Windows PC#1 on the left side of the map
● Open Wireshark
● Select your NIC
● Start a session to capture the RDP connection to the windows client
● Open remote desktop connection
○ click windows icon and type remote desktop connection
● Input IP address for Windows Client #2 on Right Side: 160.60.__.__
● Click connect
● Input the student account
○ Username: cnt-student
○ Password: cntclass
● Accept the certificate
● Watch BOTH PCs when this is completed
● You should now be controlling this client machine - Work with it for a few minutes
● Close the Remote Desktop Session using the X on the top menu bar
● Stop the Wireshark session

View the RDP Session Captured in Wireshark
● In wireshark input a filter to see the RDP connection between PCs
○ input rdpudp filter in wireshark
● Examine Packets being shown - Examine the Source & Destination IP Addresses !!!
● examine one of the packets captured
○ examine the source and destination IP Addresses
○ examine the source and destination Port #’s
○ What is source port # and destination port # in the UDP Header
● close any open packets

Save the RDP packets captured
● In wireshark select the file option and export specified packets
● Browse to the desktop of this PC
● Name the file a name of rdp-wireshark
● select the .pcapng file type option (should be the first option)
● make sure the All Packets button is selected
● make sure the Displayed button is selected
● click save to save this file for submission to D2L
● Close Wireshark when you are done

13 – Examine Network Devices with Network Mapping Utility - NMAP


In this portion of the lab we are going to examine some network devices with a network mapping utility, Nmap,
to look at the device from the “network point of view” and see if the device has any open ports.

Device Assessment (Security Audit with Nmap) - Port Scan of Network Device
● Launch nmap
● Run a scan of your Router – it will take a few seconds
   ○ Target: _____IP Address of Cisco 2811 Router____
   ○ Profile: intense scan
● This will take a few minutes, so be patient - it is “probing the Device” to learn what it can about the unit
● After the scan completes, view the tabs to see what the scan discovered – pay attention to the Nmap Output and Ports tabs
   ○ What ports are noted as “open”? _____________
   ○ Do these make sense? _______________

Device Assessment (Security Audit with Nmap) - Gather Proof of Device Security Assessment
While you have the Nmap results, save these for submission to D2L:
● Open a new notepad file
   ○ click windows icon
   ○ type notepad and launch application
● In Nmap highlight all of the scan results under the Nmap Output tab and copy the scan results (use enter or right-click copy)
● In Notepad Paste the scan results
● Save Notepad file to desktop with name router-nmap-scan.txt
● Click save
● Find file on desktop, open with a text editor and view results
● Save the scan results for submission to D2L.
● Close your Nmap scan after your results are saved

Feel free to complete a few more Nmap scans of devices in your network:
● Repeat the Nmap scan on one of the switches
● Repeat the Nmap scan on the PC that has RDP enabled
(You do not need to save these results)
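
One way to work through the “Do these make sense?” question from saved scan text, as an added example that is not part of the original lab: this Python script reads Nmap output like the router-nmap-scan.txt file and compares the open ports with the services that were meant to be enabled. The sample output, the 192.0.2.1 address, the EXPECTED set and the CLEARTEXT list are assumptions constructed for illustration.

```python
import re

# Constructed Nmap output for illustration; 192.0.2.1 is a documentation address.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.1
Host is up (0.0020s latency).
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     Cisco SSH 1.25 (protocol 2.0)
23/tcp  open     telnet  Cisco router telnetd
80/tcp  open     http    Cisco IOS http config
443/tcp filtered https
"""

# Assumption: the remote access services the admin deliberately enabled.
EXPECTED = {(22, "tcp"), (23, "tcp")}
# Assumption: service names treated as carrying logins or data unencrypted.
CLEARTEXT = {"telnet", "http", "ftp"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def open_services(scan_text):
    """Return {(port, protocol): service} for ports whose state is exactly open."""
    found = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def compare(scan_text, expected=EXPECTED):
    """Sort the open ports into the three things an auditor has to explain."""
    found = open_services(scan_text)
    return {
        "unexpected": sorted(p for p in found if p not in expected),
        "missing": sorted(p for p in expected if p not in found),
        "cleartext": sorted(p for p, svc in found.items() if svc in CLEARTEXT),
    }


if __name__ == "__main__":
    for category, ports in compare(SAMPLE_SCAN).items():
        print(category, ports)
```

An “unexpected” port is a service nobody chose to turn on, and a “cleartext” port is one whose traffic would be readable in a capture.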

14 – Implement Security Practices on Switches


Previously we have implemented some Security Best Practices on our Network Devices by configuring
passwords for Admin Mode (enable mode password).
In this portion of the lab we are going to implement some security best practices on our network switches and
then test their operation. The 2 techniques we are going to implement are:
●​ 1 - Shut off some unused switch ports
○​ Ports 11 - 24 will be shut off so they cannot be used until an admin enables the ports
●​ 2 - Implement port security on a range of switch ports
○​ Ports 1 - 5 will have port security implemented so only 1 MAC address is allowed on the port
○​ Ports 6 - 10 will be left on for testing purposes

Shutting off Unused Switch Ports


Turn off unused Switch Ports
(This will turn off switch ports so they cannot be used until an Admin enables the port)
switch(config)# interface range fa0/11 - 24
● This selects the range of switch ports to be configured
switch(config-if-range)# shutdown
switch(config-if-range)# exit
switch(config)# exit

Cisco Switch - View your Configuration
● Use the command to show your current running configuration
● Check carefully for any errors - make any necessary corrections
● Use your Lab Notes or look at previous labs for configuration help

Cisco Switch - Save your Configuration
● Use the command to copy your current running configuration in RAM to the startup configuration in NVRAM
● Use your Lab Notes or look at previous labs for configuration help

Complete for BOTH Switches

Testing the Unused Switch Ports


Connect PC into Switch Ports that have been Turned Off

Connect the PCs into a switch port that has been Turned Off
● Plug both PCs into a port in the 11 - 24 range
Observe the Switch Ports as the PC is plugged in
● What do you observe? __________________________

Connect the PCs into a switch port that is still enabled
● Plug the PCs into a port in the 6 - 10 range
Observe the Switch Ports as the PC is plugged in
● What do you observe? __________________________

Shutting off unused switch ports can prevent unauthorized users from accessing resources on your network.
(Think about a visitor plugging into a network jack in the hallway/lobby of a building - if the switch port
associated with that network jack is “turned off” that visitor has no access to network resources.)

Implementing Port Security on the Switch


Configure Port Security on the Switch
(This will put limits on the switch port so that multiple MAC Addresses cannot occur on a set of switch ports)

NOTE: Make sure your PCs are plugged into a port in the 6 - 10 range before proceeding.

switch(config)# interface range fa0/1 - 5
● This selects the first 5 switch ports to be configured
switch(config-if-range)# switchport mode access
● This sets the port mode to access as opposed to “trunk”
switch(config-if-range)# switchport port-security
● This enables port security on these ports
switch(config-if-range)# switchport port-security maximum 1
● This sets the port to have a MAX of 1 MAC address associated
switch(config-if-range)# switchport port-security mac-address sticky
● This holds the first MAC learned on that port in the MAC table
switch(config-if-range)# switchport port-security violation shutdown
● This will shut down the port & send an alert if more than 1 MAC Address is connected to the port
switch(config-if-range)# exit
switch(config)# exit

View Your Current Running Configuration
switch# show run
● this will show the currently running configuration
● Note port security settings under the first 5 ports

View the Port Security Settings on Switch
switch# show port-security
● this will show the current port security on your switch
● NOTE: Observe the port #’s listed
● NOTE: Observe the “1” under the Count Column

View the Port Security Settings on a Specific Port
switch# show port-security interface fa0/5
● this will show the current port security settings on a specific port
● NOTE: Observe the settings and MAC

Cisco Switch - Save your Configuration
● Use the command to copy your current running configuration in RAM to the startup configuration in NVRAM
● Use your Lab Notes or look at previous labs for configuration help

Complete for BOTH Switches

Testing Port Security on the Switch


Switch Console
Console into the Switch with Putty. Keep this window viewable for the next steps.

PC Connections to Switches
Move the PC patch cables from their current switchport into Port 5 on the switch and let the ports settle.

Generate some Traffic Between the PCs
Issue a PING between the 2 workstations to generate some traffic so the switches can learn the MAC Addresses of the devices attached.

View the Config on the Switch
switch# show run
● this will show the current config on your switch
● NOTE: Observe the port #’s listed with Port Security
● NOTE: Observe the MAC Address shown on Port 5

View the Port Security Settings on Switch
switch# show port-security
● this will show the current port security on your switch
● NOTE: Observe the port #’s listed
● NOTE: Observe the “1” under the MAX Mac Count Column for all Ports
● NOTE: Observe the “1” under the Current Addr Count Column for Port 5

View the Port Security Settings on a Specific Port
switch# show port-security interface fa0/5
● this will show the current port security settings on a specific port
● NOTE: Observe the settings and MAC
   ○ Port Security, Violation Mode, Max MAC Address, Total MAC Address, Sticky MAC Address, Last Source Address, Violation Count

Linux VM (Create a MAC Address issue on Switch Port)
Start Linux VM (or CNT 120 Linux VM) and watch the messages displayed in Putty.
This will ADD a second MAC address to the switch port - it violates the security setting on the port
● What is being displayed? ______________________________
● What is happening? _____________________________

Switch - Observe Link Lights
Switch Port Link Light for Port #5
● What is the status? ______________________________
● Why is it acting this way? ___________________

Switch Console - View the Port Security Settings
Using Putty Console Window
switch# show run
● this will show the current config on the switch
● NOTE: Observe the MAC Address listed for port 5

Switch Console - View the Port Security Settings on Switch
Using Putty Console Window
switch# show port-security
● this will show the current port security on your switch
● NOTE: Observe the port #’s listed
● NOTE: Observe the “1” under the MAX Mac Count Column for all Ports
● NOTE: Observe the “1” under the Current Addr Count Column for Port 5
● NOTE: Observe the “1” under the Security Violation Count Column for Port 5

Switch Console - View the Port Security Settings on a Specific Port
Using Putty Console Window
switch# show port-security interface fa0/5
● NOTE: Observe the settings and MAC
● NOTE: Observe the Violation Count
● NOTE: Observe the following
   ○ Port Security, Violation Mode, Max MAC Address, Total MAC Address, Sticky MAC Address, Last Source Address, Violation Count

Switch Console - View Status of Shutdown Port
Using Putty Console Window
switch# show interface fa0/5
● NOTE: Observe the status under the first line of the output - up or down status
● NOTE: Observe the Disabled Message on the first line

Implementing Port Security on switch ports can prevent unauthorized users from accessing resources on your
network by either spoofing MAC addresses or connecting additional devices (like a hub or switch) to gain
access to the network. (Think about a visitor plugging a hub or switch into an outlet in an employee
office/location and then connecting their laptop/device into that new hub or switch. When our network switch
senses an additional MAC address on that port, it will shut the port down.)
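
To check a saved switch configuration (such as risk-top-sw-config.txt) against both practices in this section, ports 11 - 24 shut off and port security on ports 1 - 5, here is an added Python example that is not part of the original lab. The sample config and its MAC address are constructed; the script treats a missing maximum or violation line as the IOS default (maximum 1, violation shutdown), because show run does not list default values.

```python
import re

# Constructed excerpt of a saved 2960 "show run" (the MAC address is made up).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
!
"""

def parse_interfaces(config):
    """Map each interface name to the commands indented beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = header.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def port_security_problems(cmds):
    """Check one port against the settings the lab applies to ports 1 - 5."""
    # IOS omits defaults from show run: no line means maximum 1, violation shutdown.
    maximum, violation = 1, "shutdown"
    for cmd in cmds:
        m = re.fullmatch(r"switchport port-security (maximum|violation) (\S+)", cmd)
        if m and m.group(1) == "maximum":
            maximum = int(m.group(2))
        elif m:
            violation = m.group(2)
    checks = [
        ("switchport mode access" in cmds, "not in access mode"),
        ("switchport port-security" in cmds, "port security not enabled"),
        (maximum == 1, f"maximum is {maximum}, expected 1"),
        (violation == "shutdown", f"violation mode is {violation}"),
        ("switchport port-security mac-address sticky" in cmds, "sticky learning is off"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit(config):
    """Return (port, problem) pairs for the two switch practices in the lab."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        m = re.fullmatch(r"FastEthernet0/(\d+)", name)
        port = int(m.group(1)) if m else 0  # 0: not a FastEthernet port, skip
        if 11 <= port <= 24 and "shutdown" not in cmds:
            findings.append((port, "unused port is not shut down"))
        if 1 <= port <= 5:
            findings += [(port, p) for p in port_security_problems(cmds)]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Port 3 in the sample is the case that is easy to miss by eye: it is in access mode but `switchport port-security` was never entered, so none of the limits apply to it.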

15 – Gather Proof of Network Configuration


You are now going to gather your network configurations from this lab for submission to D2L.

Cisco Router Configurations - Gather Proof of Router Configuration

● Open Notepad … or … Text Editor on your PC
● Connect Console Cable to 2811 router
● At the router# prompt issue the show run command
   ○ this displays the current running configuration
   ○ use the SPACE BAR multiple times to make sure the whole config is being displayed
● In Putty Copy the results of the show run command
● In Notepad Paste the results of the show run command
● Save Notepad file to desktop with name risk-2811-config.txt

● Open Notepad … or … Text Editor on your PC
● Connect Console Cable to 4221 router
● At the router# prompt issue the show run command
   ○ this displays the current running configuration
   ○ use the SPACE BAR multiple times to make sure the whole config is being displayed
● In Putty Copy the results of the show run command
● In Notepad Paste the results of the show run command
● Save Notepad file to desktop with name risk-4221-config.txt

Cisco Switch Configurations - Gather Proof of Switch Configurations

● Open Notepad … or … Text Editor on your PC
● Connect Console Cable to Top_Switch
● At the switch# prompt issue the show run command
   ○ this displays the current running configuration
   ○ use the SPACE BAR multiple times to make sure the whole config is being displayed
● In Putty Copy the results of the show run command
● In Notepad Paste the results of the show run command
● Save Notepad file to desktop with name risk-top-sw-config.txt

● Open Notepad … or … Text Editor on your PC
● Connect Console Cable to Bottom_Switch
● At the switch# prompt issue the show run command
   ○ this displays the current running configuration
   ○ use the SPACE BAR multiple times to make sure the whole config is being displayed
● In Putty Copy the results of the show run command
● In Notepad Paste the results of the show run command
● Save Notepad file to desktop with name risk-bot-sw-config.txt

Make sure you have the following before cleaning up your network devices:
●​ risk-routing-table.txt - routing table as result of show ip route command
●​ telnet-wireshark.pcapng - wireshark capture of telnet session
●​ ssh-wireshark.pcapng - wireshark capture of SSH session
●​ rdp-wireshark.pcapng - wireshark capture of RDP session
●​ router-nmap-scan.txt - nmap scan of router
●​ risk-2811-config.txt - 2811 router configuration
●​ risk-4221-config.txt - 4221 router configuration
●​ risk-top-sw-config.txt - 2960 top switch configuration
●​ risk-bot-sw-config.txt - 2960 bottom switch configuration

16 – Lab Clean-Up
You are now going to clear off the device configuration and clean up your lab station.

Cisco Switches - Erase Configuration
● Connect the console cable to each switch and complete the following
switch> enable
switch# erase startup-config (or …. erase start )
(This erases the contents of NVRAM on the switch – when the switch reboots or powers down it will have no configuration in memory, so on next boot it will load a blank switch)

Cisco Routers - Delete Encryption Key and Erase Configuration
● Connect the console cable back to each router and complete the following
router> enable
router# config t
router(config)# crypto key zeroize rsa
● Accept with “Y” for Yes
● This is deleting the RSA encryption key created during config
router(config)# exit
router# erase startup-config (or …. erase start )
(This erases the contents of NVRAM on the router – when the router reboots or powers down it will have no configuration in memory, so on next boot it will load a blank router.)

Network Clean Up
● Disconnect patch cables and return to rack at side of room
● Shut down routers and switches
● Return console cables to lab equipment rack

Linux VM
Power down the Linux VM
● Click the Linux Mint Logo
● Click the Power Button
● Select the option for Shutdown

Windows PC#2 - RDP Enabled Workstation Clean Up
Locate PC#2, on which RDP was enabled
● Open the control panel
   ○ Click Windows Icon and start typing Control Panel
● Locate system & security settings
● Click Allow Remote Access
● Click don't allow remote connections
● Click apply
● Click ok
● Return PC patch cables to normal “Internet Connection”
● Set the TCP/IP Settings to be “Dynamic” and receive an IP Address from a DHCP Server
● Apply these changes
● Verify with command prompt

Windows PC#1 - Workstation Clean Up
Locate PC#1
● Return PC patch cables to normal “Internet Connection”
● Set the TCP/IP Settings to be “Dynamic” and receive an IP Address from a DHCP Server
● Apply these changes
● Verify with command prompt

17 – Lab Submission
You are now going to submit the files gathered during the lab to D2L.

Lab Submission to D2L
● Open Notepad … or … Text Editor on your PC
● Create a file to gather results from this lab and save the file as risk-lab-questions.txt (NOTE: Make sure you have the .txt file extension - D2L does not like files with no file extension and will not let them be loaded for submission)
● Answer the following questions in this notepad file using complete sentences:

1. What TCP port # does Telnet use?
2. What is the problem with telnet?
3. What TCP port # does SSH use?
4. Why is SSH preferred?
5. What TCP port # does RDP use?
6. Is RDP “safe” to use?
7. What security best practice did we do on the router & switch?
8. What security practices did we specifically implement on the switches? (Hint: there were 2 that were not mentioned in the answer to the last question - they are unique to the switches!)
9. What is an AUP?
10. What is a Password Policy?

Save the updated notepad file - risk-lab-questions.txt

Gather the files you created


1.​ risk-routing-table.txt - 5 pts
2.​ telnet-wireshark.pcapng - 5 pts
3.​ ssh-wireshark.pcapng - 5 pts
4.​ rdp-wireshark.pcapng - 5 pts
5.​ router-nmap-scan.txt - 5 pts
6.​ risk-2811-config.txt - 5 pts
7.​ risk-4221-config.txt - 5 pts
8.​ risk-top-sw-config.txt - 5 pts
9.​ risk-bot-sw-config.txt - 5 pts
10.​risk-lab-questions.txt - 10 pts

Submit these files to the dropbox on D2L for this lab.

Troubleshooting Tips

Check Link Lights and Link Lights are not “ON” for a Port (Cisco Router or Switch)

Check these items on Router(s) …
1. Check the cables are connected to correct ports
   a. disconnect/remove wrong connections
   b. re-connect with correct cable and into correct port(s)
      i. remember - between like devices = crossover cable
      ii. remember - between unlike devices = straight through cable
   c. Be 1,000,000 % Sure
2. Make sure the “ports are turned on” and you see “blinky link lights”
   a. Issue a show run and look at ports - look under port configuration to make sure the word shutdown does not appear (this indicates port is turned off)
   b. If the word shutdown does appear under the port you are configuring - issue no shutdown command for that router port
      i. configure terminal
      ii. interface ___
      iii. no shutdown

If … after trying these troubleshooting tips, you still do not see link lights on for the
ports you configured … now Ask for Help

If your PC CANNOT PING on your LAN to default gateway

Check these items on your PC …
1. Check the cables are connected to correct ports - be 100% sure !
2. Make sure that IP, SNM and DFG are correct - Check for Typos and then Verify at a command prompt …. ipconfig
3. Make sure this IP Address does not conflict with other devices in the network - correct the necessary IP Address if it does
4. Make sure extra NICs (wireless for example) are turned off on the PC
5. Try to PING the default Gateway
   a. If it Works - Excellent
   b. If it does not Work … Continue …

Check these items on your Router(s) …
1. Check the items listed in the troubleshooting section for checking Link Lights
2. Issue a show run and view the IP Address & SNM set on each port
   a. refer back to troubleshooting tips to change IP & SNM that are not correct
   b. You may need to remove an IP Address that was assigned to a wrong port - this will require the use of the no command
      i. configure terminal
      ii. interface ___
      iii. no ip address
   c. re-enter the correct IP & SNM for this port and issue a no shutdown

Try the PING Test again

If … after trying these troubleshooting tips, these PING tests for the PC were not
successful … now Ask for Help

Troubleshooting Tips (Continued)

If your PC CANNOT PING to device across WAN link (to PC in another network)

Check these items on your PC … and the Other PC in the Network as well
1. Check the cables are connected to correct ports - be 100% sure !
2. Make sure that IP, SNM and DFG are correct - Check for Typos and then Verify at a command prompt …. ipconfig
3. Make sure this IP Address does not conflict with other devices in the network - correct the necessary IP Address if it does
4. Make sure extra NICs (wireless for example) are turned off on the PC
5. Try to PING the other PC …
   a. If it Works - Excellent
   b. If it does not Work … Continue …

Check these items on Router(s) … you will most likely need to check BOTH (ALL)
1. Check the items listed in the troubleshooting section for checking Link Lights
2. Issue a show run and view the IP Address & SNM set on each port
   a. refer back to troubleshooting tips to change IP & SNM that are not correct
   b. You may need to remove an IP Address that was assigned to a wrong port - this will require the use of the no command
      i. configure terminal
      ii. interface ___
      iii. no ip address
   c. re-enter the correct IP & SNM for this port and issue a no shutdown
3. Issue a show run and make sure all Networks (Subnets) are listed with the Routing Protocol Configuration
   a. Make sure the Network or Subnet # is correct (and inverse mask)
   b. You may need to ADD a network/subnet to the Routing Protocol Config - go back to the appropriate Routing Protocol Configuration section of the Lab and ADD the missing network/subnet
   c. You may need to REMOVE a network/subnet from the Routing Protocol Config - go back to the appropriate Routing Protocol Configuration section of the Lab to help
      i. copy the incorrect line of routing protocol config
      ii. start the routing protocol configuration (go back into that mode)
      iii. type the no command and then paste in the incorrect line and hit enter - this will remove the incorrect line of config

Try the PING Test again

If … after trying these troubleshooting tips, these PING tests for the PC were not
successful … now Ask for Help

Troubleshooting Tips (Continued)

If you need to reset your port after having a Port-Security Violation that shuts down the port

When you are working with Port Security - if you have a port that shuts down due to a MAC
Address violation, you can reset the port to bring it back online using the following
sequence.

Remove the device(s) from the port causing the Violation and then issue the following
commands at the Switch Console Connection:

2960_Top_Sw(config)# interface ______
2960_Top_Sw(config-if)# no switchport port-security
2960_Top_Sw(config-if)# shutdown

let the port shut down

2960_Top_Sw(config-if)# no shutdown
2960_Top_Sw(config-if)# switchport port-security

let the port come back online
