Hands-On Information Security Lab Manual, Fourth Edition

Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, Ph.D., CISM, CISSP
Andrew Green, MSIS

Australia • Brazil • Mexico • Singapore • United Kingdom • United States

Copyright 2014 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
This is an electronic version of the print textbook. Due to electronic rights restrictions,
some third party content may be suppressed. Editorial review has deemed that any suppressed
content does not materially affect the overall learning experience. The publisher reserves the right
to remove content from this title at any time if subsequent rights restrictions require it. For
valuable information on pricing, previous editions, changes to current editions, and alternate
formats, please visit www.cengage.com/highered to search by ISBN#, author, title, or keyword for
materials in your areas of interest.

Hands-on Information Security Lab Manual, Fourth Edition
Michael Whitman, Herbert Mattord, Andrew Green

Vice President, General Manager: Dawn Gerrain
Product Manager: Nick Lombardi
Senior Director, Development: Marah Bellegarde
Senior Content Developer: Michelle Ruelos Cannistraci
Product Assistant: Scott Finger
Senior Market Development Manager: Eric La Scola
Marketing Coordinator: Elizabeth Murphy
Production Director: Wendy Troeger
Production Manager: Andrew Crouth
Content Project Manager: Will Tubbert / Allyson Bozeth
Art Director: GEX
Cover image: © istock/Thinkstock

© 2014 Course Technology, Cengage Learning (2011, 2006)
WCN: 02-200-203

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706
For permission to use material from this text or product, submit all requests online at cengage.com/permissions
Further permissions questions can be emailed to [email protected]

ISBN-13: 978-1-285-16757-2
ISBN-10: 1-285-16757-0

Course Technology
20 Channel Center Street
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit www.cengage.com

Purchase any of our products at your local college store or at our preferred online store www.cengagebrain.com
Visit our corporate website at www.cengage.com

Printed in the United States of America
1 2 3 4 5 6 7 17 16 15 14 13

Table of Contents

Chapter 1: Information Security Process Flows 1
Flow 1.1 Firewalls 2
Flow 1.2 Remote Access Protection 2
Flow 1.3 Access Controls 3
Flow 1.4 Vulnerability Assessment 4
Flow 1.5 Penetration Testing 5
Flow 1.6 Forensics and Anti-Forensics 6
Flow 1.7 Client Security 7
Flow 1.8 Perimeter Defense 8
Flow 1.9 Server Security 9
Flow 1.10 Intrusion Detection 10
Flow 1.11 Network Security 11
Flow 1.12 Cyber Defense 13
References 14

Chapter 2: Background and Theory for Lab Exercises 15

2.1 Footprinting 16
2.2 Scanning and Enumeration 20
2.3 OS Processes and Services 23
2.4 Vulnerability Identification and Research 24
2.5 Vulnerability Validation 26
2.6 Systems Remediation and Hardening 26
2.7 Web Browser Security and Configuration 27
2.8 Data Management 28
2.9 Data Backup and Recovery 29
2.10 Access Controls 29
2.11 Host-Based Intrusion Detection 31
2.12 Log Security 32
2.13 Privacy and Anti-forensics 34
2.14 Software Firewalls 34
2.15 Linksys Firewall Routers and Access Points 35
2.16 Network Intrusion Detection 36
2.17 Network Traffic Analysis 37
2.18 Virtual Private Networks and Remote Access 38
2.19 Digital Certificates 39
2.20 Password Circumvention 40
2.21 Antivirus Defense 41
2.22 Bot Management and Defense 41

Chapter 3: Windows Labs 43

Lab 3.0 Using VMware 44
Lab 3.1 Footprinting 51
Lab 3.2 Scanning and Enumeration 77
Lab 3.3 Windows OS Processes and Services 85
Lab 3.4 Vulnerability Identification and Research 95
Lab 3.5 Vulnerability Validation 107
Lab 3.6 System Remediation and Hardening 115
Lab 3.7 Windows Web Browser Security and Configuration 139
Lab 3.8 Data Management 155
Lab 3.9 Windows Data Backup and Recovery 167
Lab 3.10 Windows Access Controls 177
Lab 3.11 Windows Host Intrusion Detection 195
Lab 3.12 Windows Log Security Issues 205

Lab 3.13 Windows Privacy and Anti-Forensics Issues 217
Lab 3.14 Software Firewalls 229
Lab 3.15 Linksys Firewall Routers and Access Points 241
Lab 3.16 Network Intrusion Detection Systems 263
Lab 3.17 Network Traffic Analysis 265
Lab 3.18 Virtual Private Networks and Remote Access 281
Lab 3.19 Digital Certificates 293
Lab 3.20 Password Circumvention 301
Lab 3.21 Antivirus 309
Lab 3.22 Malware Prevention and Detection 317

Chapter 4: Linux Labs 329

Lab 4.0 Using VMware 330
Lab 4.1 Footprinting  339
Lab 4.2 Scanning and Enumeration 351
Lab 4.3 OS Processes and Services 361
Lab 4.4 Vulnerability Identification and Research 371
Lab 4.5 Vulnerability Validation 379
Lab 4.6 System Remediation and Hardening 387
Lab 4.7 Web Browser Security 395
Lab 4.8 Data Management 401
Lab 4.9 Data Backup, Restore, and Recovery in Linux 407
Lab 4.10 Access Controls in Linux 417
Lab 4.11 Host Intrusion Detection in Linux 429
Lab 4.12 Log and Security in Linux 435
Lab 4.13 Linux Privacy and Anti-Forensics Issues 441
Lab 4.14 Software Firewalls 445
Lab 4.15 Linksys Firewall Routers and Access Points 455
Lab 4.16 Network Intrusion Detection Systems 457
Lab 4.17 Network Traffic Analysis 465
Lab 4.18 Virtual Private Networks and Remote Access 477
Lab 4.19 Digital Certificates  483
Lab 4.20 Password Circumvention in Linux 495
Lab 4.21 Antivirus in Linux 505
Lab 4.22 Malware Prevention and Detection 513

INDEX 517

Introduction
The need for information security education is self-evident to many educators. Education is one of the recognized strategies to combat the threats facing information security. The Hands-On Information Security Lab Manual, Fourth Edition seeks to assist in this effort by providing information security instructors with detailed, hands-on exercises in information security management and practice. It is designed to accompany and complement any existing trade or academic press text, and it is best used when accompanied by the Cengage Learning books Principles of Information Security, Fourth Edition and Management of Information Security, Fourth Edition. It contains sufficient exercises to make it a suitable resource for an introductory, technical, or managerial security course.

Intended Audience
This lab manual is targeted toward students exploring information security topics who come from an information systems and/or business background. Those with strong experience in computing technologies, such as computer science or information technology, may find that the approach taken in this manual is limited in how deeply it delves into the technology. These exercises are presented as an introduction to the topics rather than as a deep exploration. The scope of the manual ranges from simple introductory exercises, similar to those found in data communications or networking courses, to more focused information security–specific exercises. A White Hat Agreement is placed at the end of the Introduction to delineate the ethical and moral responsibilities of the information security student, in order to help them avoid activities that could be misconstrued as criminal or as violating ethical standards.

Chapter Descriptions
Chapter 1, Information Security Process Flows, enables course instructors to choose which lab elements are useful to students in a particular course. The flow of labs selected by the instructor can complement the learning outcomes for a variety of courses.
Chapter 2, Background and Theory for Lab Exercises, presents the background of the networking protocols, specific tools, and key issues. While not required for completion of the lab exercises, these sections can provide added understanding and broader context.
Chapter 3, Windows Labs, is made up of the lab exercises that use the Windows operating system.
Chapter 4, Linux Labs, is made up of the lab exercises that use the Linux operating system.

Features
➤➤ Lab exercise flow sequences shown in Chapter 1 can be used to create themed exercises and to illustrate common activities performed by information security personnel in the course of their duties.
➤➤ Background and theory are linked to the lab exercises and are covered in Chapter 2. Content includes information about network protocols, specific tools, and/or information security strategies.
➤➤ A list of Materials Required in each lab includes software and hardware necessary to complete the exercise, and an Estimated Completion Time is included for each exercise.

➤➤ A set of detailed procedures with sample output screen shots accompanies each lab.
➤➤ There are occasional questions within the lab requiring students to seek and record information about their sessions. Each lab ends with a Student Response Form for students to use and to submit their findings for assessment.
➤➤ Most labs are available for both Windows and Linux operating systems, although there are some instances where one or the other is omitted. This gives the instructor greater flexibility in selecting a platform on which to conduct the exercises, as well as the option to have the students perform the same exercise in multiple OS settings.

How to Use the Lab Manual

This manual is presented using a menu approach, allowing instructors to choose what strategy they wish to take in the instruction of their students, and then select the platform(s) they wish to use. For almost all exercises, there are both Microsoft Windows and Linux versions.
To use this manual, identify the information security task or responsibility you wish to instruct (or learn). Look up the associated “flow” in Chapter 1, and identify the requisite lab exercise components. Chapter 2 provides background on each individual lab exercise, regardless of platform. Chapter 3 provides the exercise(s) in Windows, and Chapter 4 provides the exercises in Linux. By tearing out flow sheets and individual lab exercises, students can create custom instructional sets that are easier to work with in the lab. We hope you find this new format to be better suited to the instruction of information security in the lab.

What’s New to This Edition?

The Hands-On Information Security Lab Manual, Fourth Edition has been revised to operate with the Windows 7 and Fedora Linux operating systems. You might notice that many of the individual tools remain the same, but the versions of specific tools have been brought up to date.

Instructor Companion Site

In order to assist the instructor in the setup and conduct of these lab exercises, detailed instructions are provided online via www.cengage.com/login. These instructions provide specific requirements for the conduct of each exercise, lab, or case, along with the needed resources and target systems.

“White Hat” Oath

We enclose a sample Ethics Statement that instructors can require students to agree to. It states that the students will not use the information learned to perform unauthorized examinations of systems and information, both inside and outside the university. This oath is based on a number of sources, including the ACM Code of Ethics.

Lab Requirements
General Hardware and Software Requirements
➤➤ Microsoft Windows 7 (or another operating system version as specified by the lab instructor) with a Web browser—Microsoft’s Internet Explorer or Mozilla’s Firefox
➤➤ Microsoft Windows 2008 Server Standard Edition SP 2
➤➤ Fedora 17 Linux with KDE 4.0, with a functional Web browser and an active Internet connection

Special Requirements

Lab 3.5
➤➤ A target system with the Windows XP operating system that has not been patched, or has only been patched to SP1

Lab 3.15
➤➤ A computer running Microsoft Windows with IIS configured as a Web server (Note: You may also simply connect the network segment to the Internet and use an existing Web server(s) to complete the exercise.)
➤➤ A Web browser such as Internet Explorer or Firefox
➤➤ A Linksys Firewall Router—The first lab uses a WRT54G version 8 Linksys; there are several models available, and most will be similar to this device.
➤➤ A Linksys Wireless Access Point—The second lab uses a WAP54G; there are several models available, and most will be similar to this device. It is possible to use the device from the first exercise for the second, but you will need to modify some of the exercise steps to accomplish this.

Lab 3.19
➤➤ Microsoft Windows 2008 Server R2 configured as specified in the lab setup guide

Downloadable Software Required

Lab 3.1
➤➤ Sam Spade version 1.14 for Windows from Blighty Design

Lab 3.2
➤➤ Advanced Port Scanner 1.3 for Windows from Radmin (http://www.radmin.com/download/utilities.php)
➤➤ NMap 6.0 or later version for Windows (http://nmap.org/download.html)

Lab 3.3
➤➤ Microsoft Windows Defender (www.microsoft.com)
➤➤ Autoruns for Windows (http://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx)

Lab 3.4
➤➤ Microsoft Baseline Security Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=7558)
➤➤ Nessus 5.0.1 for Microsoft Windows (http://www.nessus.org/products/nessus/select-your-operating-system)

Lab 3.5
➤➤ Metasploit framework v4.3

Lab 3.6
➤➤ Microsoft Security Compliance Manager from Microsoft Download Center (http://technet.microsoft.com/en-us/library/cc677002.aspx)
➤➤ .NET Framework 4 from Microsoft Download Center (http://www.microsoft.com/en-us/download/details.aspx?id=17851)

Lab 3.7
➤➤ Internet Explorer 9
➤➤ Mozilla Firefox 13

Lab 3.9
➤➤ SyncToy 2.1 (http://www.microsoft.com/en-us/download/details.aspx?id=15155)

Lab 3.10
➤➤ TrueCrypt v 7.1a (http://www.truecrypt.org/downloads.php)

Lab 3.11
➤➤ MD5summer v 1.2.0.5 (http://sourceforge.net/projects/md5summer/)
➤➤ FileVerifier++ v 0.6.3.5 (http://sourceforge.net/projects/fileverifier)

Lab 3.12
➤➤ Clearlog.exe (http://www.ntsecurity.nu/toolbox/clearlogs/)

Lab 3.13
➤➤ Internet Explorer 9
➤➤ Firefox Version 17
➤➤ CCleaner v 3.24 (www.piriform.com/ccleaner/download)
➤➤ Clean Disk Security v 8.1 (www.diskcleaners.com/clndisk.html)
➤➤ DBAN available (http://dban.sourceforge.net/)

Lab 3.14
➤➤ ZoneAlarm Basic 2012 (free version from download.cnet.com)

Lab 3.17
➤➤ WinPcap v. 4.1.2 (www.winpcap.org)
➤➤ Windows TCP Dump (WinDump) (www.winpcap.org)
➤➤ Wireshark for Windows 1.8 (www.wireshark.org)

Lab 3.18
➤➤ A Configured Windows 2008 VPN Server

Lab 3.20
➤➤ PWDump7 (http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista)
➤➤ Offline NT Password & Registry Editor (http://www.pogostick.net/~pnh/ntpasswd)

Lab 3.21
➤➤ ClamWin Free 0.97.5 or later edition (www.clamwin.com)
➤➤ AVG Free Antivirus 2013 (free.avg.com)

Lab 3.22
➤➤ Spybot—Search & Destroy (http://www.safer-networking.org/en/download/index.html)
➤➤ Malwarebytes—current version from http://www.malwarebytes.org
➤➤ Adblock Plus from Firefox extensions (downloaded and installed as part of the exercise)

Lab 4.2
➤➤ The thc-amap package built from source.

Lab 4.4
➤➤ Nessus 5

Lab 4.5
➤➤ Metasploit v4.3.0
➤➤ TightVNC

Lab 4.6
➤➤ Apache from the yum repositories
➤➤ Postfix from the yum repositories
➤➤ Bind from the yum repositories
➤➤ Bastille Linux from the yum repositories
➤➤ perl-curses
➤➤ perl-cursesui

Lab 4.9
➤➤ rdiff-backup from the yum repository
➤➤ Access to a secondary Ext2 formatted file system
➤➤ Midnight Commander from the yum repository

Lab 4.10
➤➤ Truecrypt (http://www.truecrypt.org/downloads.php)

Lab 4.11
➤➤ Installation of integrit 4.1

Lab 4.13
➤➤ Wipe from the yum repositories

Lab 4.16
➤➤ libpcap-devel from the yum repository
➤➤ Snort v 2.9.4 (www.snort.org)
➤➤ Snort ruleset (www.snort.org)
➤➤ Alternative solution—Security Onion ISO (20120125)

Lab 4.17
➤➤ Wireshark and Wireshark-gnome from yum repositories

Lab 4.19
➤➤ Apache Web server with the mod_ssl module—if not already installed, use the yum tool to install it

Lab 4.20
➤➤ John the Ripper version 1.7.9

Lab 4.21
➤➤ ClamAV

Lab 4.22
➤➤ chkrootkit from the yum repository

Author Biographies
Michael Whitman, Ph.D., CISM, CISSP is a Professor of Information Security in the Information Systems Department, Coles College of Business at Kennesaw State University, Kennesaw, Georgia, where he is also the Director of the Coles Center for Information Security Education (infosec.kennesaw.edu). He and Herbert Mattord are the authors of Principles of Information Security; Principles of Incident Response and Disaster Recovery; Readings and Cases in the Management of Information Security; Readings & Cases in Information Security: Law & Ethics; Guide to Firewalls and VPNs; Guide to Network Security; Roadmap to the Management of Information Security; and Hands-On Information Security Lab Manual, all from Cengage Learning. Dr. Whitman is an active researcher in information security, fair and responsible use policies, ethical computing, and information systems research methods. He currently teaches graduate and undergraduate courses in information security. He has published articles in the top journals in his field, including Information Systems Research, Communications of the ACM, Information and Management, Journal of International Business Studies, and Journal of Computer Information Systems. He is an active member of the Information Systems Security Association, the Association for Computing Machinery, ISACA, (ISC)2, and the Association for Information Systems. His home institution has been recognized by the Department of Homeland Security and the National Security Agency as a National Center of Academic Excellence in Information Assurance Education three times. This text is also part of his institution’s Information Assurance Courseware Evaluation certification.
Herbert Mattord, Ph.D., CISM, CISSP completed 24 years of IT industry experience as an application developer, database administrator, project manager, and information security practitioner before joining the faculty at Kennesaw State University, where he is an Associate Professor of Information Security and Assurance and the Coordinator of the Bachelor of Science in Information Security and Assurance program, the first program of its kind in the Southeast. Dr. Mattord currently teaches graduate and undergraduate courses in Information Security and Information Systems. He and Michael Whitman are the authors of Management of Information Security, 4th Ed.; Readings and Cases in the Management of Information Security; The Hands-On Information Security Lab Manual, 4th Ed.; Principles of Incident Response and Disaster Recovery, 2nd Ed.; and The Guide to Firewalls and Network Security, 2nd Ed., all from Course Technology.
Dr. Mattord is an active researcher and author in Information Security Management and related topics. He currently teaches graduate and undergraduate courses in Information Security. Dr. Mattord has several information security textbooks currently in print: Management of Information Security, 4th Ed.; Readings and Cases in the Management of Information Security, Volumes I and II; The Hands-On Information Security Lab Manual, 4th Ed.; Principles of Incident Response and Disaster Recovery, 2nd Ed.; The Guide to Network Security; and The Guide to Firewalls and Network Security, 3rd Ed., all from Cengage/Course Technology. He has published articles in the Information Resources Management Journal, Journal of Information Security Education, the Journal of Executive Education, and the International Journal of Interdisciplinary Telecommunications and Networking. Dr. Mattord is a member of the Information Systems Security Association, the Information Systems Auditing and Control Association, and the Association for Information Systems.
During his career as an IT practitioner, Dr. Mattord was an adjunct professor at Kennesaw State University, Southern Polytechnic State University in Marietta, Georgia, Austin Community College in Austin, Texas, and Texas State University: San Marcos. He was formerly the Manager of Corporate Information Technology Security at Georgia-Pacific Corporation, where much of the practical knowledge found in this and other textbooks was acquired.
Andrew Green, MSIS is a Lecturer of Information Security and Assurance in the Information Systems Department, located in the Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia. Green has over a decade of experience in information security. Prior to entering academia full time, Green worked as an information security consultant, focusing primarily on the needs of small and medium-sized businesses. Prior to that, Green worked in the health care IT field, where he developed and supported transcription interfaces for medical facilities throughout the United States. Green is also pursuing his Ph.D. at Nova Southeastern University, where he is studying information systems with a concentration in information security. Green is also a coauthor on a number of academic textbooks on various information security–related topics, published by Cengage Learning.

Acknowledgments and Thanks

The authors would like to thank the following individuals for their assistance in making this lab manual a reality.
➤➤ From Mike Whitman: To my loving family for their unwavering support during the writing of this work. Thanks to all others who have had a hand in this effort.
➤➤ From Herb Mattord: I would not be able to make the commitment of the time it takes to write without the support of my family. Thanks for your understanding.
➤➤ From Andy Green: For my cousin, Dana Lempesis. Thank you for always being there for me, even when I didn’t deserve it.
➤➤ All the students in the Information Security and Assurance degree program courses at Kennesaw State University for their assistance in testing, debugging, and suffering through the various draft versions of the manual.
➤➤ Special thanks to Daniel Center, an undergraduate student at Kennesaw State University who contributed much to the draft and preparation of the exercises in this manual.

Copyright 2014 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

The White Hat Oath


White Hat Agreement
and Code of Ethics
This is a working document that provides further guidelines for the course exercise. If you have questions
about any of these guidelines, please contact one of the course instructors. When in doubt, the
default action should be to ask the instructors.
1) The goal of the project is to search for technical means of discovering information about
others with whom you share a computer system. As such, nontechnical means of discovering
information are disallowed (e.g., following someone home at night to find out where they live).
2) ANY data that is stored outside of the course accounts can be used only if it has been explicitly
and intentionally published (e.g., on a Web page), or if it is in a publicly available directory
(e.g., /etc, /usr ).
3) Gleaning information about individuals from anyone outside of the course is disallowed.
4) Impersonation (e.g., forgery of electronic mail) is disallowed.
5) If you discover a way to gain access to any account other than your own (including root), do
NOT access that account, but immediately inform the course instructors of the vulnerability. If
you have inadvertently already gained access to the account, IMMEDIATELY exit the account
and inform the course instructors.
6) All explorations should be targeted specifically to the assigned course accounts. ANY tool that
indiscriminately explores noncourse accounts for vulnerabilities is specifically disallowed.
7) Using the Web to find exploration tools and methods is allowed. In your reports, provide full
attribution to the source of the tool or method.
8) If in doubt at all about whether a given activity falls within the letter or spirit of the course
exercise, discuss the activity with the instructors BEFORE exploring the approach further.
9) You can participate in the course exercise only if you are registered for a grade in the class.
ANY violation of the course guidelines may result in disciplinary or legal action.
10) Any academic misconduct or action during the course of the class may result in disciplinary measures.


White Hat Agreement


State University
As part of this course, you may be exposed to systems, tools, and techniques related to information
security. With proper use, these components allow a security or network administrator to better understand
the vulnerabilities and security precautions in effect. Misused, intentionally or accidentally, these
components can result in breaches of security, damage to data, or other undesirable results.
Since these lab experiments will be carried out in part on a public network that is used by people for real
work, you must agree to the following before you can participate. If you are unwilling to sign this form,
then you cannot participate in the lab exercises.

Student agreement form:


I agree to:
–– only examine the special course accounts for privacy vulnerabilities (if applicable)
–– report any security vulnerabilities discovered to the course instructors immediately, and not
disclose them to anyone else
–– maintain the confidentiality of any private information I learn through the course exercise
–– actively use my course account with the understanding that its contents and actions may be
discovered by others
–– hold harmless the course instructors and my University for any consequences of this course
–– abide by the computing policies of my University and by all laws governing use of computer
resources on campus
I agree to NOT:
–– attempt to gain root access or any other increase in privilege on any University workstation
–– disclose any private information that I discover as a direct or indirect result of this course
exercise
–– take actions that will modify or deny access to any data or service not owned by me
–– attempt to perform any actions or use utilities presented in the laboratory outside the confines
and structure of the labs
–– utilize any security vulnerabilities beyond the target accounts in the course or beyond the
­duration of the course exercise
–– pursue any legal action against the course instructors or the University for consequences
­related to this course
Moreover, I consent for my course accounts and systems to be examined for security and privacy
vulnerabilities by other students in the course, with the understanding that this may result in information
about me being disclosed (if applicable).
This agreement has been explained to me to my satisfaction. I agree to abide by the conditions of the
Code of Ethics and of the White Hat Agreement.

Signed:     Date:


Printed name:
E-mail address:

Chapter One

Information Security
Process Flows
Using the Information Security Process Flows
This chapter provides an introduction to the use of the Hands-On
Information Security Laboratory Exercises Manual, by using a series of
Information Security Process Flows to illustrate common activities
performed by Information Security (InfoSec) personnel in the course
of their duties. Many duties performed by an InfoSec professional
are managerial in nature, such as those involving policy, plans, projects,
programs, personnel, and practices. Some are technical in nature, involving
information security and information system technologies. It is the latter
that is the subject of this lab manual.
As you will notice, the flows, and thus the corresponding lists of applicable
exercises, increase in length and complexity as you move through the chapter.
This is intentional, as the represented tasks become more complex and
more difficult. The list of tasks presented is in no way intended to be
exhaustive or comprehensive. There are many more aspects of the flows
illustrated than can be presented in this text. The exercises selected are
representative of components of these processes, and focus on tasks that
can be performed in a laboratory environment with accessible tools.
Note the numbers in the flows illustrated in Figures 1-1 through 1-12
represent the lab exercises from Chapters 3 and 4, respectively. For
example, Lab 3.14/4.14 Software Firewalls refers to the Windows
Lab 3.14 in Chapter 3 and a similar Linux Lab in Chapter 4 denoted as
Lab 4.14.


Flow 1.1 Firewalls


Flow 1.1, shown in Figure 1-1, provides an overview experience with firewalls, network routers,
and wireless access points, which are all related technologies. The exercises associated with this flow focus on
consumer-grade or Small Office/Home Office (SOHO) technologies. Commercial-grade
appliances are much more complex, and of course more expensive.
Flow 1.1 begins with an examination of software firewalls, either incorporated into popular operating systems
or available as third-party software. The process flow continues with an examination of low-grade
hardware firewalls and wireless access points. Many of the firewalls presented are primarily developed as
network routers or Internet connection devices, but have some firewall capabilities.

What Is a Firewall?
In general, a firewall is anything—hardware, software, or a combination of the two—that can filter the
transmission of packets of digital information as they attempt to pass through an interface between
networks.
Firewalls perform two basic security functions:
➤➤ Packet filtering—Determining whether to allow or deny the passage of packets of digital
information, based on established security policy rules (typically source and destination address,
protocol, and port). Rules are evaluated in order, and anything no rule allows should be denied.
➤➤ Application proxy—Providing network services to users while shielding individual host
computers. This is done by breaking the IP flow (i.e., the traffic into and out of the network):
the proxy terminates the client's connection and opens a separate connection of its own to the
destination, so no packet travels end to end without being inspected.
Firewalls can be complex, but if you thoroughly understand each of these two functions, you'll be able
to choose the right firewall and configure it to protect a computer or network.1

Figure 1-1 Flow 1.1: Firewalls
➤➤ Lab 3.14/4.14 Software Firewalls
➤➤ Lab 3.15/4.15 Hardware Firewalls and WAPs
Copyright © 2014 Cengage Learning®
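The packet-filtering function described above, as an added example that is not part of the lab manual: an ordered rule list evaluated first-match-wins against a packet's addresses, protocol and port, with everything unmatched denied. The network (192.168.1.0/24), the router address, the management host and the policy itself are hypothetical; the example also shows why rule order matters, which the text only states.

```python
"""Added example (not from the lab manual): a minimal stateless packet filter.
Rules are checked in order, the first match decides, and a packet that matches
no rule is denied, which is the safe default for a firewall."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR, default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
        return src_ok and dst_ok


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided) or ("deny", None)
    when no rule matched."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Hypothetical SOHO policy: LAN is 192.168.1.0/24, router is 192.168.1.1,
# 192.168.1.10 is an SSH host exposed to the Internet.
LAN = "192.168.1.0/24"
POLICY = [
    Rule("deny", src=LAN, dst="192.168.1.1", proto="tcp", dport=23),   # no telnet to the router
    Rule("allow", src=LAN, dst="192.168.1.1", proto="tcp"),            # other router management
    Rule("allow", src=LAN, proto="tcp", dport=443),                    # HTTPS out
    Rule("allow", src=LAN, proto="tcp", dport=80),                     # HTTP out
    Rule("allow", src=LAN, proto="udp", dport=53),                     # DNS out
    Rule("allow", dst="192.168.1.10", proto="tcp", dport=22),          # inbound SSH to one host
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.20", "192.168.1.1", "tcp", 23),
                Packet("203.0.113.5", "192.168.1.20", "tcp", 3389)):
        print(pkt, "->", filter_packet(POLICY, pkt))
```

Swap the first two rules and the telnet deny never fires, because the broader management allow now matches first; that is the ordering mistake to look for when you review a rule set in the lab.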

Flow 1.2 Remote Access Protection


Flow 1.2, shown in Figure 1-2, provides an overview experience with remote access technologies and
the management of end-user access through these devices. This process flow includes firewalls, network
routers, and wireless access points, as described in Flow 1.1. It adds virtual private
networks and remote access technologies, an overview of log security issues, and an introduction to
access control privileges.
A virtual private network (VPN) is a private and secure network connection between systems that
uses the data communication capability of an unsecured and public network. By combining the use
of encryption, secure tunneling protocols, and sound security practices across the networks involved,
VPNs are widely viewed as a secure, cost-effective way to allow individuals and organizations to
connect to remote networks and systems.
Remote access in the context of these exercises is the management of user accounts required for the
user to access systems from outside the traditional network environment. This includes dial-up and/or
high-speed Internet-based access.


Figure 1-2 Flow 1.2: Remote Access Protection
➤➤ Lab 3.10/4.10 Access Controls
➤➤ Lab 3.12/4.12 Log Security Issues
➤➤ Lab 3.14/4.14 Software Firewalls
➤➤ Lab 3.15/4.15 Hardware Firewalls and WAPs
➤➤ Lab 3.18/4.18 Virtual Private Nets and Remote Access

Flow 1.3 Access Controls


Flow 1.3, shown in Figure 1-3, extends the work of Flow 1.2—Remote Access—adding levels of
complexity in the examination and use of access controls.
Access controls encompass four processes:
➤➤ Identification—obtaining the claimed identity of the entity requesting access to a logical or physical area
➤➤ Authentication—confirming that claimed identity, for example by verifying a password or token
➤➤ Authorization—determining which actions that entity can perform in that physical or logical area
➤➤ Accountability—documenting the activities of the authorized individual and systems, so that each
action can later be traced back to the authenticated identity
Access controls specifically address the admission of users into a trusted area of the organization. These areas
can include information systems, physically restricted areas such as computer rooms, and even the
organization in its entirety. Access controls usually consist of a combination of policies, programs, and technologies.2

Figure 1-3 Flow 1.3: Access Controls
➤➤ Lab 3.10/4.10 Access Controls
➤➤ Lab 3.12/4.12 Log Security Issues
➤➤ Lab 3.14/4.14 Software Firewalls
➤➤ Lab 3.15/4.15 Hardware Firewalls and WAPs
➤➤ Lab 3.18/4.18 Virtual Private Nets and Remote Access
➤➤ Lab 3.11/4.11 Host Intrusion Detection Systems
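The four access-control processes listed under Flow 1.3, carried through in code as an added example that is not part of the lab manual. The user store, passwords and the role-to-permission map are constructed for the example; the password verification uses PBKDF2 from the Python standard library and compares digests in constant time, and the audit list is the accountability record the text describes.

```python
"""Added example (not from the lab manual): identification, authentication,
authorization and accountability against an in-memory user store."""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

ITERATIONS = 100_000          # PBKDF2 work factor (hypothetical tuning value)


def make_record(password: str, roles: Set[str]) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "roles": roles}


# Constructed user store and role -> permission map (hypothetical accounts)
USERS: Dict[str, dict] = {
    "alice": make_record("correct horse battery staple", {"admin"}),
    "bob": make_record("bob-password-2014", {"operator"}),
}
PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read_logs", "change_firewall_rules", "create_user"},
    "operator": {"read_logs"},
}
# Accountability: every step of every request is appended here
AUDIT: List[Tuple[str, str, str, str]] = []   # (user, step, detail, outcome)


def identify(username: str) -> str:
    """Identification: accept and record the claimed identity. Whether the
    user exists is deliberately not revealed here, so a caller cannot
    enumerate valid account names from this step."""
    AUDIT.append((username, "identification", "claimed", "recorded"))
    return username


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim. A dummy record keeps the cost the
    same for unknown users, so timing does not leak account existence."""
    rec = USERS.get(username, {"salt": b"\x00" * 16, "hash": b"\x00" * 32})
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    ok = hmac.compare_digest(digest, rec["hash"]) and username in USERS
    AUDIT.append((username, "authentication", "password", "ok" if ok else "failed"))
    return ok


def authorize(username: str, action: str) -> bool:
    """Authorization: is this authenticated identity permitted the action?"""
    roles = USERS.get(username, {}).get("roles", set())
    ok = any(action in PERMISSIONS.get(r, set()) for r in roles)
    AUDIT.append((username, "authorization", action, "granted" if ok else "denied"))
    return ok


def request_access(username: str, password: str, action: str) -> bool:
    """Run the four processes in order; the AUDIT trail is the accountability."""
    claimed = identify(username)
    if not authenticate(claimed, password):
        return False
    return authorize(claimed, action)


if __name__ == "__main__":
    print(request_access("bob", "bob-password-2014", "change_firewall_rules"))
    for entry in AUDIT:
        print(entry)
```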


Flow 1.4 Vulnerability Assessment


Flow 1.4, shown in Figure 1-4, represents the most common task associated with information security:
the examination of a computer server or client to determine if a known vulnerability or weakness exists
that could be exploited by an attacker. Vulnerability assessment entails examining all publicly available
information that would be accessible to an attacker, as well as examining all network resources that could
be involved in an attack. Once the vulnerabilities are found, they are remediated: removed, resolved, or
addressed with mitigating controls.
The primary goal of vulnerability assessment and remediation is to identify specific, documented
vulnerabilities and remediate them in a timely fashion. This is accomplished by:
➤➤ Using documented vulnerability assessment procedures to collect intelligence about networks
(internal and public-facing), platforms (servers, desktops, and process control), dial-in
modems, and wireless network systems safely
➤➤ Documenting background information and providing tested remediation procedures for the
reported vulnerabilities
➤➤ Tracking vulnerabilities from when they are identified until they are remediated or the risk
of loss has been accepted by an authorized member of management
➤➤ Communicating vulnerability information including an estimate of the risk and detailed
remediation plans to the owners of the vulnerable systems
➤➤ Reporting on the status of vulnerabilities that have been identified
➤➤ Ensuring that the proper level of management is involved in the decision to accept the risk
of loss associated with unrepaired vulnerabilities.3

Figure 1-4 Flow 1.4: Vulnerability Assessment
➤➤ Lab 3.1/4.1 Footprinting
➤➤ Lab 3.2/4.2 Scanning and Enumeration
➤➤ Lab 3.3/4.3 OS Processes and Services
➤➤ Lab 3.4/4.4 Vulnerability Identification and Research
➤➤ Lab 3.6/4.6 System Remediation and Hardening
➤➤ Lab 3.7/4.7 Web Browser Security
➤➤ Lab 3.12/4.12 Log Security Issues


Flow 1.5 Penetration Testing


Flow 1.5, shown in Figure 1-5, extends the tasks associated with vulnerability assessment, allowing the
information security professional to be more invasive, attempting to confirm any weaknesses identified
in a particular information system by actually exploiting the system itself, with authorization, of course.
One method of finding faults is to use the vulnerability assessment processes to find the physical
and logical vulnerabilities present in both information security and related nonsecurity systems. This
assessment is most often accomplished with penetration testing. Penetration testing is the simulation
or execution of specific and controlled attacks by security personnel to compromise or disrupt their
own systems by exploiting documented vulnerabilities. Penetration testing is commonly performed on
network connections from outside the organization, that is, from the typical attacker's position. The
information security personnel who perform penetration testing are often consultants or outsourced
contractors, and are commonly referred to as pen testers, tiger teams, or red teams. What these people
are called is less important than what they do. Unfortunately, such labels make some information security
administrators hesitant to hire outside consultants to conduct penetration tests. Information
security administrators who have not looked at their systems through the eyes of an attacker are failing
to maintain readiness. The best procedures and tools to use in penetration testing and other vulnerability
assessments are the procedures and tools of the criminal community. An additional important part of this
process is documenting the intelligence gathered during penetration testing and then using it to make
sure the vulnerabilities that allowed the penetration to succeed are repaired promptly.4

Figure 1-5 Flow 1.5: Penetration Testing
➤➤ Lab 3.1/4.1 Footprinting
➤➤ Lab 3.2/4.2 Scanning and Enumeration
➤➤ Lab 3.3/4.3 OS Processes and Services
➤➤ Lab 3.4/4.4 Vulnerability Identification and Research
➤➤ Lab 3.5/4.5 Vulnerability Validation
➤➤ Lab 3.6/4.6 System Remediation and Hardening
➤➤ Lab 3.7/4.7 Web Browser Security
➤➤ Lab 3.12/4.12 Log Security Issues


Flow 1.6 Forensics and Anti-Forensics


Flow 1.6, shown in Figure 1-6, represents the tasks associated with the preservation, identification,
extraction, documentation, and interpretation of computer media for evidentiary and/or root cause
analysis, as well as an understanding of the steps that individuals who do not want this material found
will take to prevent its discovery.
Whether due to a character flaw, a need for vengeance, curiosity, or some other reason, an employee,
contractor, or outsider may attack a physical or information asset. When the asset attacked is in the
purview of the chief information security officer (CISO), that executive is expected to understand how
policies and laws require the matter to be managed. In order to protect the organization, and to possibly
assist law enforcement in the conduct of an investigation, the CISO must act to document what happened
and how. The investigation of what happened and how is digital forensics.
Forensics is the coherent application of methodical investigatory techniques to present evidence of crimes
in a court or courtlike setting. Not all events involve crimes; some involve natural events, accidents,
or system malfunctions. Forensics allows investigators to determine what happened by examining the
results of an event. It also allows them to determine how it happened by examining activities, individual
actions, physical evidence, and testimony related to the event.
Like traditional forensics, digital forensics follows clear, well-defined methodologies, but still tends to be
as much art as science. This means the natural curiosity and personal skill of the investigator play a key
role in discovering potential evidentiary material. Evidentiary material (EM), also known as an item of
potential evidentiary value, is any information that could potentially support the organization's legal or
policy-based case against a suspect. Because EM may have to survive legal challenge, its integrity must be
preserved from the moment of acquisition: the original is protected from modification, working copies are
verified against it, and every hand it passes through is recorded.
Digital forensics investigators use a variety of tools to support their work, which you will use in the
lab exercises associated with this flow. However, the tools and methods used by attackers can be equally sophisticated.
Digital forensics can be used for two key purposes:
1. To investigate allegations of digital malfeasance
2. To perform root cause analysis5

Figure 1-6 Flow 1.6: Forensics & Anti-Forensics
➤➤ Lab 3.7/4.7 Web Browser Security
➤➤ Lab 3.8/4.8 Data Management
➤➤ Lab 3.9/4.9 Data Backup and Recovery
➤➤ Lab 3.12/4.12 Log Security Issues
➤➤ Lab 3.17/4.17 Network Traffic Analysis
➤➤ Lab 3.20/4.20 Password Circumvention and Mgmt
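The preservation step of Flow 1.6, as an added example that is not part of the lab manual: evidence is hashed at acquisition, a chain-of-custody record is kept, and every working copy is re-hashed before analysis so that tampering or a bad copy is detected and logged rather than silently analyzed. The "disk image" here is a constructed byte string; on a real case you would hash the image file acquired through a write blocker.

```python
"""Added example (not from the lab manual): evidence integrity and chain of
custody for a piece of evidentiary material, using SHA-256."""
import hashlib
from datetime import datetime
from typing import Dict, List


def sha256_of(data: bytes, chunk: int = 4096) -> str:
    """Hash in chunks, the way a multi-gigabyte image file would be hashed."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


class EvidenceRecord:
    def __init__(self, item_id: str, description: str, data: bytes,
                 examiner: str, when: datetime):
        self.item_id = item_id
        self.description = description
        # Fixed at acquisition and never updated; this is what later copies
        # and any opposing expert will be compared against.
        self.acquisition_hash = sha256_of(data)
        self.custody: List[Dict[str, str]] = []
        self.transfer("acquired", examiner, when)

    def transfer(self, action: str, person: str, when: datetime) -> None:
        """Append one chain-of-custody entry; entries are never removed."""
        self.custody.append({"action": action, "person": person,
                             "time": when.isoformat()})

    def verify(self, data: bytes, examiner: str, when: datetime) -> bool:
        """Re-hash a working copy before analysis. A mismatch means the copy
        is not evidentiary grade; the failure is logged, not hidden."""
        ok = sha256_of(data) == self.acquisition_hash
        self.transfer("verified" if ok else "INTEGRITY FAILURE", examiner, when)
        return ok


# Constructed stand-in for an acquired disk image (hypothetical content)
ORIGINAL_IMAGE = (b"MBR\x00" + b"\x00" * 500
                  + b"important.doc deleted 2014-03-01" + b"\x00" * 4000)

if __name__ == "__main__":
    rec = EvidenceRecord("E-001", "laptop HDD image", ORIGINAL_IMAGE,
                         "examiner1", datetime(2014, 3, 2, 9, 0))
    print(rec.acquisition_hash)
    print(rec.verify(ORIGINAL_IMAGE, "examiner2", datetime(2014, 3, 3, 10, 0)))
```

The anti-forensics side of the flow is the mirror image: an attacker who can alter the original before it is hashed, or who can replace both the copy and the recorded hash, defeats this control, which is why the original is write-protected and the hash is recorded outside the system under examination.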


Flow 1.7 Client Security


Flow 1.7, shown in Figure 1-7, represents the tasks associated with the assessment, protection, and audit
of client systems. They include examining system processes and services, browser protection, system
logs, passwords, and antivirus and malware prevention, among others.
End users have a much higher probability of compromise than most organizational servers: they have
less training and preparation, are generally considered lower priorities for protection, and have less
staff dedicated to their security. The most important piece of protecting client systems is a program
called Security Education, Training and Awareness, or SETA, that teaches the end users how to care
for their own systems.
SETA programs enhance general education and training programs by focusing on information
security. For example, if an organization finds that many employees are using e-mail attachments in
an unsafe manner, then e-mail users must be trained or retrained. As a matter of good practice, all
systems development life cycles include user training during both the implementation and maintenance
phases. Information security projects are no different; they require initial training programs as systems
are deployed and occasional retraining as needs arise.
A SETA program consists of three elements: security education, security training, and security awareness.
An organization may not be able or willing to undertake the development of all of these components
in-house, and may outsource them to local educational institutions. The purpose of SETA is to enhance
security in three ways:
➤➤ By building in-depth knowledge, as needed, to design, implement, or operate security
programs for organizations and systems
➤➤ By developing skills and knowledge so that computer users can perform their jobs while using
IT systems more securely
➤➤ By improving awareness of the need to protect system resources6,7
SETA programs cover end-user education, but technical controls are still needed to protect the
systems.


Figure 1-7 Flow 1.7: Client Security
➤➤ Lab 3.3/4.3 OS Processes and Services
➤➤ Lab 3.6/4.6 System Remediation and Hardening
➤➤ Lab 3.7/4.7 Web Browser Security
➤➤ Lab 3.8/4.8 Data Management
➤➤ Lab 3.9/4.9 Data Backup and Recovery
➤➤ Lab 3.12/4.12 Log Security Issues
➤➤ Lab 3.14/4.14 Software Firewalls
➤➤ Lab 3.20/4.20 Password Circumvention and Mgmt
➤➤ Lab 3.21/4.21 Antivirus Defense
➤➤ Lab 3.22/4.22 Malware Defense

Flow 1.8 Perimeter Defense


Flow 1.8, shown in Figure 1-8, represents the tasks associated with the protection of the organization’s
perimeter—that invisible boundary between the organization’s information assets, known as the trusted
network, and the external environment, known as the untrusted network. Most organizations refer to
their gateway router connecting the organization to the Internet as their perimeter, although it may also
include dial-up connections and leased lines. The exercises included in this process flow include access
controls and logs associated with perimeter devices, hardware and software firewalls, intrusion detection,
and network monitoring tasks.
A perimeter is a boundary between two zones of trust. For example, an organization’s internal network
is more trusted than the Internet, and it is common to install a firewall at this boundary to inspect and
control the traffic that flows across it.8


Figure 1-8 Flow 1.8: Perimeter Defense
➤➤ Lab 3.10/4.10 Access Controls
➤➤ Lab 3.12/4.12 Log Security Issues
➤➤ Lab 3.14/4.14 Software Firewalls
➤➤ Lab 3.15/4.15 Hardware Firewalls and WAPs
➤➤ Lab 3.11/4.11 Host Intrusion Detection Systems
➤➤ Lab 3.18/4.18 Virtual Private Nets and Remote Access
➤➤ Lab 3.17/4.17 Network Traffic Analysis
➤➤ Lab 3.16/4.16 Network Intrusion Detection Systems
➤➤ Lab 3.2/4.2 Scanning and Enumeration
➤➤ Lab 3.3/4.3 OS Processes and Services
➤➤ Lab 3.4/4.4 Vulnerability Identification and Research

Flow 1.9 Server Security


Flow 1.9, shown in Figure 1-9, represents the tasks associated with the assessment, protection, and audit
of server systems. Information servers are the backbone of most modern organizations. They provide
the services necessary to sustain business operations, and facilitate business communications. The tasks
expand on those of Flow 1.8, adding tasks associated with scanning systems services and functions not
normally associated with clients. There are also tasks associated with data management and backups,
along with intrusion detection systems.


Figure 1-9 Flow 1.9: Server Security
➤➤ Lab 3.2/4.2 Scanning and Enumeration
➤➤ Lab 3.3/4.3 OS Processes and Services
➤➤ Lab 3.4/4.4 Vulnerability Identification and Research
➤➤ Lab 3.6/4.6 System Remediation and Hardening
➤➤ Lab 3.7/4.7 Web Browser Security
➤➤ Lab 3.8/4.8 Data Management
➤➤ Lab 3.9/4.9 Data Backup and Recovery
➤➤ Lab 3.10/4.10 Access Controls
➤➤ Lab 3.11/4.11 Host Intrusion Detection Systems
➤➤ Lab 3.12/4.12 Log Security Issues
➤➤ Lab 3.20/4.20 Password Circumvention and Mgmt
➤➤ Lab 3.21/4.21 Antivirus Defense
➤➤ Lab 3.22/4.22 Malware Defense

Flow 1.10 Intrusion Detection


Flow 1.10, shown in Figure 1-10, represents the tasks associated with the detection and identification of
intrusions in organizational networks and systems.
An intrusion occurs when an attacker attempts to gain entry to, or disrupt the normal operations of,
an information system, almost always with the intent to do harm. Even when such attacks are automated
or self-propagating, as with worms, viruses, and distributed denial-of-service attacks, they are almost always
instigated by an individual whose purpose is to harm an organization. Often, the differences among
intrusion types lie with the attacker: some intruders don't care which organizations they harm and
prefer to remain anonymous, while others crave notoriety. In recent years the term extrusion has begun
to be used to describe the release of sensitive data from organizations. The detection and prevention of
data extrusion is one of the control objectives of a modern information security system.
Intrusion detection consists of procedures and systems that identify system intrusions. Intrusion reaction
encompasses the actions an organization takes when an intrusion is detected. Intrusion prevention
consists of activities that deter an intrusion. Some important intrusion prevention activities are writing
and implementing good enterprise information security policy, planning and performing effective
information security programs, installing and testing technology-based information security counter-
measures (such as firewalls and intrusion detection and prevention systems), and conducting and measuring
the effectiveness of employee training and awareness activities. Detection and reaction together seek to
limit the loss from an intrusion and return operations to a normal state as rapidly as
possible. Intrusion correction activities finalize the restoration of operations to a normal state, and seek
to identify the source and method of the intrusion in order to ensure that the same type of attack cannot
occur again.9

Copyright 2014 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
[Figure 1-10: flow diagram of the labs that make up Flow 1.10, listed here in lab order]
Lab 3.2/4.2 Scanning and Enumeration
Lab 3.3/4.3 OS Processes and Services
Lab 3.7/4.7 Web Browser Security
Lab 3.10/4.10 Access Controls
Lab 3.11/4.11 Host Intrusion Detection Systems
Lab 3.12/4.12 Log Security Issues
Lab 3.13/4.13 Anti-Forensics
Lab 3.14/4.14 Software Firewalls
Lab 3.15/4.15 Hardware Firewalls and WAPs
Lab 3.16/4.16 Network Intrusion Detection Systems
Lab 3.17/4.17 Network Traffic Analysis
Lab 3.18/4.18 Virtual Private Nets and Remote Access
Lab 3.20/4.20 Password Circumvention and Mgmt
Lab 3.21/4.21 Antivirus Defense
Lab 3.22/4.22 Malware Defense

Figure 1-10 Flow 1.10: Intrusion Detection

Copyright © 2014 Cengage Learning®

Flow 1.11 Network Security


Flow 1.11, shown in Figure 1-11, represents the tasks associated with the examination, protection, and audit of network-attached systems. The tasks combine those of previous flows, but focus on network resources, rather than all resources in the organization. Information security professionals assigned as network security administrators are responsible for perimeter defense activities, intrusion detection systems, and network attached servers and services.
To computer users, the network is a transparent entity. A user logs on to his or her workstation and uses a variety of tools to communicate with other users and other computer systems. He or she expects e-mail, instant messaging, and Web browsing to work. After all, if the data is there in a timely fashion, who cares how it got there?

Network administrators care. Networks provide the blood flow for the computing environment and must be managed efficiently around the clock. Networks are typically composed of hundreds or even thousands of miles of data arteries and veins. Each network component is designed to ensure that information continues to flow efficiently to all consumers. The burden of maintaining this vital IT resource is left to the network administrators.


Attackers also care—those miscreants who seek to use computers and networks for unintended, unauthorized, and often illegal purposes. By design, the increasing complexity of network communication speeds up and increases the amount of data users can share. However, by mastering the complexity of network protocols, attackers can also subvert network devices and communications for malicious purposes. Security professionals must recognize this fact and help network administrators keep this vital arterial system protected.10

[Figure 1-11: flow diagram of the labs that make up Flow 1.11, listed here in lab order]
Lab 3.1/4.1 Footprinting
Lab 3.2/4.2 Scanning and Enumeration
Lab 3.3/4.3 OS Processes and Services
Lab 3.4/4.4 Vulnerability Identification and Research
Lab 3.5/4.5 Vulnerability Validation
Lab 3.6/4.6 System Remediation and Hardening
Lab 3.7/4.7 Web Browser Security
Lab 3.10/4.10 Access Controls
Lab 3.12/4.12 Log Security Issues
Lab 3.14/4.14 Software Firewalls
Lab 3.15/4.15 Hardware Firewalls and WAPs
Lab 3.16/4.16 Network Intrusion Detection Systems
Lab 3.17/4.17 Network Traffic Analysis
Lab 3.18/4.18 Virtual Private Nets and Remote Access
Lab 3.19/4.19 Digital Certificates
Lab 3.20/4.20 Password Circumvention and Mgmt
Lab 3.21/4.21 Antivirus Defense
Lab 3.22/4.22 Malware Defense

Figure 1-11 Flow 1.11: Network Security

Copyright © 2014 Cengage Learning®

Flow 1.12 Cyber Defense


Flow 1.12, shown in Figure 1-12, represents the culmination of all tasks presented in this laboratory exercise manual. It is, for purposes of this text, the comprehensive assessment and protection of all organizational information assets through the use of all available and appropriate technologies. Students completing all assignments provided in this manual will have a basic grasp on the range and depth of technical responsibilities of the modern information security professional.

[Figure 1-12: flow diagram of the labs that make up Flow 1.12, which is every lab in the manual, listed here in lab order]
Lab 3.1/4.1 Footprinting
Lab 3.2/4.2 Scanning and Enumeration
Lab 3.3/4.3 OS Processes and Services
Lab 3.4/4.4 Vulnerability Identification and Research
Lab 3.5/4.5 Vulnerability Validation
Lab 3.6/4.6 System Remediation and Hardening
Lab 3.7/4.7 Web Browser Security
Lab 3.8/4.8 Data Management
Lab 3.9/4.9 Data Backup and Recovery
Lab 3.10/4.10 Access Controls
Lab 3.11/4.11 Host Intrusion Detection Systems
Lab 3.12/4.12 Log Security Issues
Lab 3.13/4.13 Anti-Forensics
Lab 3.14/4.14 Software Firewalls
Lab 3.15/4.15 Hardware Firewalls and WAPs
Lab 3.16/4.16 Network Intrusion Detection Systems
Lab 3.17/4.17 Network Traffic Analysis
Lab 3.18/4.18 Virtual Private Nets and Remote Access
Lab 3.19/4.19 Digital Certificates
Lab 3.20/4.20 Password Circumvention and Mgmt
Lab 3.21/4.21 Antivirus Defense
Lab 3.22/4.22 Malware Defense

Figure 1-12 Flow 1.12: Cyber Defense

Copyright © 2014 Cengage Learning®


References
1 Whitman, M., Mattord, H., & Green, A. Guide to Firewalls & VPNs, 3rd edition, © 2012 Course Technology.
2 Whitman, M., Mattord, H., & Green, A. Guide to Firewalls & VPNs, 3rd edition, © 2012 Course Technology.
3 Whitman, M. & Mattord, H. Principles of Information Security, 3rd edition, © 2009 Course Technology.
4 Whitman, M. & Mattord, H. Principles of Information Security, 3rd edition, © 2009 Course Technology.
5 Whitman, M. & Mattord, H. Principles of Information Security, 3rd edition, © 2009 Course Technology.
6 National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
7 Whitman, M. & Mattord, H. Management of Information Security, 2nd edition, © 2008 Course Technology.
8 Whitman, M., Mattord, H., & Green, A. Guide to Firewalls & VPNs, 3rd edition, © 2012 Course Technology.
9 Whitman, M., Mattord, H., Austin, R. & Holden, G. Guide to Firewalls and Network Security with Intrusion Detection and VPNs, 2nd edition, © 2009 Course Technology.
10 Whitman, M., Mattord, H., Mackey, D. & Green, A. Guide to Network Security, © 2012 Course Technology.

Chapter 2

Background and Theory for Lab Exercises
Introduction
This chapter presents the theory and background materials that support the lab exercises presented in this manual. Here you will be exposed to the background concepts that you should have before heading to the lab (whether physically or virtually) to perform the step-by-step instructions that make up the rest of this manual. Chapter 3 is made up of the lab exercises for Windows platforms and Chapter 4 contains the lab exercises for Linux systems.

Why Have Lab Exercises?


There is no substitute for experience. Employers tell the faculty at colleges and universities around the world that they would like to hire students who can demonstrate experience with the technological tools of their trade. In the information security area, this can sometimes pose extra challenges. After all, you cannot simply allow students to use the local networks as a sandbox for some of the tools we need them to learn how to use. That brings us to the networking laboratory. This is a place where students can try out tools and skills in an environment with less risk to the local network, and students do not have as great a concern for accidentally damaging systems with unintended consequences.


2.1 Footprinting
Introduction
When an attacker wants to compromise a targeted system, they will usually use a methodological approach to gather information and then launch their attack. The initial stage of information gathering is footprinting, attempting to find out the extent of the target’s network presence, or footprint. Once that network presence is defined, the attacker will then move on to attempting to characterize the full scope and depth of the devices visible to them on the target’s network. This step is often called fingerprinting, but also goes by many other names such as scanning and enumeration or simply port scanning. Once the network devices reachable by the attacker are documented, the effort moves on to identify weaknesses or vulnerabilities in the systems that might allow the attacker to directly or indirectly accomplish the attack they have in mind. The attacker then moves in to compromise systems, steal information or perform other illegal acts as they intended from the start. Most will then make at least some attempt to cover their tracks as they leave their victim’s systems. Some attackers will leave “back door” programs running to allow them to return later to steal more information or to use the systems in attacking other targets. Some will simply crash the systems they just attacked to hide the facts about their activities.
Where attackers engage in these steps looking for weaknesses to exploit, defenders must understand the processes the attackers use. This will allow them to better defend the networks and systems they are supposed to be protecting. You are expected to know enough about how attackers do their dirty work to be better able to design, build, and maintain networks and systems that are effective in defending themselves from attack.
The first of the attack process steps to be examined is footprinting. This is the process of collecting information about an organization, its networks, its address ranges, and the people who use them. Footprinting is usually completed via readily available electronic resources. It is important for security administrators to know exactly what an individual can find on the Internet regarding their organizations. The information an organization maintains about itself should be properly organized, professionally presented, and as secure as possible to defeat any social engineering and other attempts at compromise by attackers. This is sort of like looking in the mirror before an important meeting to be sure your hair is properly groomed. Footprinting includes both researching information from printed resources as well as gathering facts that can be collected from online resources and through social engineering efforts.

Web Reconnaissance
Web reconnaissance is a simple but effective method of collecting rudimentary information about an organization. All Web browsers have the ability to display source code, allowing users to not only view the Web pages in their intended format, but also to look for hidden information. The kinds of information gathered during the footprinting of an organization’s networks and systems commonly include the names of Web personnel, the names of additional servers, locations of script bins, and so on.
Performing Web reconnaissance is straightforward. Individuals wanting to explore an organization
open a Web browser or utility and view the source HTML code behind a Web page. Web pages can
also be downloaded for offline viewing, dissecting, or duplicating. This allows someone time to design
and put up a spoof site or plan an attempt to compromise the Web server to load their own version
of the site’s Web pages. Some utilities, including some Web authoring tools like Dreamweaver from
Macromedia and Sam Spade from Blighty Design, enable a more detailed analysis of the components
of a Web page.
Web reconnaissance is one of the most basic and simple methods of collecting information on an organization. It generally provides only limited information, but occasionally it can uncover a valuable clue about the organization and its systems. Web reconnaissance can be used to identify the name of an organization’s Webmaster or other member of the technical staff, either of which is helpful in executing a social engineering ploy. Web reconnaissance is also a good way to identify the domain names of related Web servers, which can then be used to identify additional IP addresses for further reconnaissance activities.


Some of the labs in this area use installed applications, and others make use of command-line utilities or access tools using a Web browser. Your instructors may prefer that the students use one or another or both of these options and they will let you know if you need to install a program and provide you with those instructions if needed.
An organization should scrutinize its own Web sites to ensure that no vital organizational information is exposed. E-mail addresses should not contain any part of an employee’s name. For example, the Webmaster’s address should be listed as [email protected] not [email protected]. Additionally, an organization should use page redirection and server address aliases in its Web pages instead of simply listing page references and specific addresses for servers. This will prevent possible attackers from perusing the pages and gleaning additional information about the organization’s network and server infrastructure.

As an alternative, an organization can outsource their Web server hosting services, and either locate all their Web pages on the host’s servers or use page redirection from the host’s servers to specific content directories. With domain name registration, the customers are none the wiser and a DNS query for the company’s Web site resolves to the Web host’s Web server rather than a server on the company’s network. When this method is used, no information about the company’s network is revealed.
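The following Python script is an added example, not code from the lab manual or from any of its lab exercises: it performs the self-audit just described on a saved copy of a page's HTML source, reporting personal-name e-mail addresses, the names of other servers, script directories, and HTML comments (which never render in the browser but are plainly visible in the source). The page it scans (SAMPLE_HTML) and the list of role-based mailboxes are constructed for the example, using the reserved example.com domain.

```python
"""Self-audit of a Web page's HTML source for footprinting clues.

Added example, not from the lab manual: looks through page source for the
details the text says an organization should not expose (personal-name e-mail
addresses, names of additional servers, script directories, and HTML comments).
SAMPLE_HTML is a constructed page using the reserved example.com domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for a saved copy of the organization's own page.
SAMPLE_HTML = """<html><head><title>Example Corp</title>
<!-- TODO: ask jsmith to move this to intranet2.example.com before launch -->
<script src="https://static-01.example.com/cgi-bin/menu.js"></script>
</head><body>
<p>Contact <a href="mailto:john.smith@example.com">John Smith</a> or
<a href="mailto:webmaster@example.com">the webmaster</a>.</p>
<a href="http://db-backup.example.com/admin/">Reports</a>
<form action="/cgi-bin/login.pl" method="post"></form>
</body></html>"""

# Role-based mailboxes are what the text recommends in place of employee names.
ROLE_MAILBOXES = {"webmaster", "postmaster", "hostmaster", "info", "support", "abuse", "security"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\.[a-z]{2,}\b")
SCRIPT_SUFFIXES = (".pl", ".cgi", ".php", ".asp", ".aspx", ".jsp")


class ReconAuditParser(HTMLParser):
    """Collects server names, script directories and comments from HTML source."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.script_dirs = set()
        self.comments = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src", "action") or not value or value.startswith("mailto:"):
                continue
            parsed = urlparse(value)
            if parsed.hostname:
                self.hosts.add(parsed.hostname.lower())
            # A cgi-bin path or a server-side script extension reveals where scripts live.
            if "/cgi-bin/" in parsed.path or parsed.path.endswith(SCRIPT_SUFFIXES):
                self.script_dirs.add(parsed.path.rsplit("/", 1)[0] + "/")

    def handle_comment(self, data):
        # Comments never render in the browser but are visible in the source.
        self.comments.append(data.strip())


def audit_page(html):
    """Return the findings a security administrator would review for a page."""
    parser = ReconAuditParser()
    parser.feed(html)
    emails = set(EMAIL_RE.findall(html))
    personal = sorted(e for e in emails if e.split("@", 1)[0].lower() not in ROLE_MAILBOXES)
    comment_hosts = {h.lower() for c in parser.comments for h in HOST_RE.findall(c)}
    return {
        "personal_emails": personal,
        "hosts": sorted(parser.hosts | comment_hosts),
        "script_dirs": sorted(parser.script_dirs),
        "comments": parser.comments,
    }


if __name__ == "__main__":
    for finding, value in audit_page(SAMPLE_HTML).items():
        print(f"{finding}: {value}")
```

Run against a real page saved to disk, each finding is something to check against policy: a personal mailbox should become a role address, a server name in a link or comment should be replaced by an alias or redirection as the text recommends, and a leftover developer comment should simply be removed.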

WHOIS
WHOIS is a service common to Windows and Linux that allows you to look up people’s names on a remote server. Whenever you need to find out more about a domain name, such as its IP address, who the administrative contact is, or other information, you can use the WHOIS utility to determine points of contact (POCs), domain owners, and name servers. Many servers respond to TCP queries on port 43 in a manner roughly analogous to the DDN NIC WHOIS service described in RFC 954. You can locate information about this Internet Request for Comment along with most others at http://www.rfc-archive.org. Some sites provide this directory service via the finger protocol or accept queries by electronic mail for directory information. WHOIS was created to provide individuals and organizations with a free lookup utility to find out if the domain name they wanted to register was already in use.

Unfortunately, WHOIS can also be used by a potential attacker to gather information about a domain, identify owners of addresses, and collect other information that can be used in social engineering attacks. Social engineering is the use of tidbits of information to trick employees in an organization into providing an attacker with valuable information on systems configuration, usernames, passwords, and a variety of other information that could assist him or her in accessing protected information.
There are five specific WHOIS queries used to obtain information. Some can be performed together, and others must be performed independently:
➤➤ Registrar queries—Used for querying specific Internet registrars, such as InterNIC (we recommend you visit ICANN at http://www.icann.org/registrar-reports/accredited-list.html to access a listing of certified registrars). If a WHOIS query reveals the name of a registrar, going to that specific registrar and repeating the query might reveal additional information on the target.
➤➤ Organizational queries—In addition to providing the name of the registrar, a WHOIS query should provide basic information on the organization that owns the domain name. This may also provide information on the points of contact (see below).
➤➤ Domain queries—Domain information is the primary result of a WHOIS query. Through a process called “inverse mapping,” a WHOIS query can also provide domain information for a known IP address.
➤➤ Network queries—The Internet versions of WHOIS (registrar Web sites such as www.internic.net) provide only rudimentary information, but the Linux/UNIX version and the Sam Spade utility provide much more detailed information by cross-referencing directories, such as the initial and owning registrar’s directories. This can actually result in detailed information on the entire range of addresses owned by an organization, especially in an inverse mapping exercise.
➤➤ Point of contact queries—The final pieces of information gleaned in a query are the names, addresses, and phone numbers of points of contacts, which are vital for a social engineering attack.


WHOIS searches databases to find the name of network and system administrators, RFC authors, system and network points of contact, and other individuals who are registered in various databases. WHOIS may be accessed by using Telnet to connect to an appropriate WHOIS server and logging in as whois (no password is required). The most common Internet name server is located at the Internet Network Information Center (InterNIC) at rs.internic.net. This specific database only contains Internet domains, IP network numbers, and domain points of contact. Policies governing the InterNIC database are described in RFC 1400. Many software packages contain a WHOIS client that automatically establishes the Telnet connection to a default name server database, although users can usually specify any name server database they want. While most UNIX/Linux builds contain utilities such as WHOIS, all Windows-based builds use utilities designed by third parties.

Windows users can also use third-party software to obtain the same functionality. In addition to the InterNIC utility, this text uses the freeware utility Sam Spade.
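As an added example (not part of the lab manual, which uses the InterNIC site and Sam Spade for this), the Python script below performs the WHOIS exchange itself: one query line ending in CRLF over TCP port 43, then read until the server closes the connection, which is how RFC 3912 (the successor to the RFC 954 service mentioned above) specifies the protocol. Because a real registrar would require network access, the script runs against a constructed in-process mock server whose records are invented (example.com and 192.0.2.0/24 are reserved for documentation); contact_exposure() then lists the point-of-contact fields such a reply gives away, which is exactly what an administrator should review for their own domain.

```python
"""A WHOIS exchange on TCP port 43 (RFC 3912, which replaced RFC 954).

Added example, not from the lab manual: whois_query() sends one query line
terminated by CRLF and reads until the server closes the connection, which is
the whole protocol. To run offline it talks to a constructed in-process mock
server whose records are invented; example.com and 192.0.2.0/24 are reserved
for documentation.
"""
import socket
import threading

# Constructed records standing in for a registrar's database.
MOCK_RECORDS = {
    "example.com": (
        "Domain Name: EXAMPLE.COM\r\n"
        "Registrar: Example Registrar, Inc.\r\n"
        "Name Server: NS1.EXAMPLE.COM\r\n"
        "Name Server: NS2.EXAMPLE.COM\r\n"
        "Admin Name: Jane Doe\r\n"
        "Admin Phone: +1.5555550100\r\n"
        "Admin Email: jane.doe@example.com\r\n"
    ),
    "192.0.2.1": (
        "NetRange: 192.0.2.0 - 192.0.2.255\r\n"
        "OrgName: Example Corp\r\n"
        "OrgTechEmail: noc@example.com\r\n"
    ),
}


def whois_query(server, query, port=43, timeout=5.0):
    """Send one query and return the server's complete text reply."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")   # the query is one line ending in CRLF
        chunks = []
        while True:                                     # end of reply is signalled by close
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; a repeated key becomes a list."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in fields:
            fields[key] = (fields[key] if isinstance(fields[key], list) else [fields[key]]) + [value]
        else:
            fields[key] = value
    return fields


def contact_exposure(fields):
    """The point-of-contact details a social engineer would harvest from a reply."""
    return {k: v for k, v in fields.items()
            if k.endswith(("Name", "Phone", "Email")) and not k.startswith(("Domain", "Net", "Registrar"))}


def start_mock_whois_server():
    """Serve MOCK_RECORDS on an ephemeral localhost port; the caller closes the returned socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            with conn:
                query = b""
                while not query.endswith(b"\r\n"):
                    part = conn.recv(1024)
                    if not part:
                        break
                    query += part
                key = query.decode("ascii", errors="replace").strip().lower()
                conn.sendall(MOCK_RECORDS.get(key, f"No match for {key}\r\n").encode("ascii"))
            # leaving the 'with' closes conn, which is how the server ends its reply

    threading.Thread(target=serve, daemon=True).start()
    return listener


if __name__ == "__main__":
    listener = start_mock_whois_server()
    reply = whois_query("127.0.0.1", "example.com", port=listener.getsockname()[1])
    print(contact_exposure(parse_whois(reply)))
    listener.close()
```

Pointing whois_query() at a real WHOIS server instead of the mock is only a change of host and port; the reply format, however, varies from registrar to registrar, so parse_whois() is deliberately generic and keeps unknown keys rather than assuming a fixed schema.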

The Domain Name System


The Domain Name System (DNS) is a hierarchical and distributed data management tool used by the Internet to share the association between human-centric domain names and the IP addresses used by hosts on the Internet to communicate. DNS allows the lookup of a fully qualified domain name (FQDN) to return the associated IP address and can also be used for reverse lookup of IP addresses to associate them with domain names. The typical use of DNS will utilize a series of local and remote DNS servers using a sequence of lookup steps to perform these lookups or reverse lookups.
A complete discussion of the Domain Name System is extremely complex and thus beyond the scope
of this lab manual. For a more detailed discussion refer to RFCs 1034 (Domain Names—Concepts And
Facilities) and 1035 (Domain Names—Implementation and Specification).
One aspect that should be addressed here is the DNS zone transfer. A zone transfer is a request, usually from a secondary master name server to a primary master name server, which allows the secondary master to update its DNS database. Unless this process is restricted, it can provide a very detailed set of information about an organization’s network to virtually anyone with the ability and desire to access it.
The standard method to conduct a DNS query uses nslookup, a UNIX-based utility created by Andrew Cherenson to query Internet domain name servers. There is an equivalent program available for Windows. Its primary use is identifying IP addresses corresponding to entered domain names and identifying domain names corresponding to entered IP addresses. DNS makes use of a defined set of record types. The DNS record types are as follows:
➤➤ A – address record: Returns a 32-bit IPv4 address, most commonly used to map hostnames to
an IP address of the host
➤➤ AAAA – address record: Returns a 128-bit IPv6 address, most commonly used to map
hostnames to an IP address of the host
➤➤ DHCID – DHCP identifier: Used in conjunction with the FQDN option to DHCP
➤➤ DNSKEY – DNS Key record: The key record used in DNSSEC. Uses the same format as the
KEY record.
➤➤ DS – Delegation signer: The record used to identify the DNSSEC signing key of a delegated
zone
➤➤ IPSECKEY – IPSEC Key: Key record that can be used with IPSEC
➤➤ KEY – Key record: Was used for DNSSEC, but DNSSEC now uses DNSKEY
➤➤ LOC – Location record: Specifies a geographical location associated with a domain name


➤➤ MX – mail exchange record: Maps a domain name to a list of message transfer agents for that
domain
➤➤ NS – name server record: Delegates a DNS zone to use the given authoritative name servers
➤➤ NSEC – Next-Secure record: Part of DNSSEC—used to prove a name does not exist
➤➤ NSEC3 – NSEC record: An extension to DNSSEC that allows proof of nonexistence for a
name without permitting zonewalking
➤➤ SOA – start of authority record: Specifies authoritative information about a DNS zone
➤➤ SRV – Service locator: Generalized service location record
➤➤ TXT – Text record: Originally intended for arbitrary human-readable text in a DNS record; now more often carries machine-readable data
Other types of information (ANY, AXFR, MB, MD, MF, and NULL) are described in RFC 1035.

DNS Zone Transfer


DNS zone transfer is an advanced query on a name server asking it for all information it contains about a queried domain name. This only works if the name server is authoritative or responsible for that domain. DNS zone transfers border on improper use of the Internet and as such should be performed with caution. Zone transfers are an easy way for an attacker to engage in reconnaissance, since a zone transfer delivers a complete record for the queried domain name. As a result, many name servers disable zone transfers, or restrict them to trusted IP addresses that are authorized to request a zone transfer from the DNS server in question.
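The Python code below is an added example, not from the lab manual, that shows how the record types listed above are represented in the DNS wire format defined in RFC 1035: it builds a query, and parses a response containing A, AAAA, NS, MX and TXT records, including the compression pointers that let a response refer back to a name given earlier in the message. The response bytes are constructed for the reserved name example.com rather than captured from a server. The zone transfer discussed in this section is, on the wire, simply a query for type AXFR (code 252) carried over TCP, and that code is in the type table here for reference; the example does not send one.

```python
"""DNS wire format (RFC 1035): build a query and parse a response.

Added example, not from the lab manual. The response bytes are constructed
for the reserved name example.com; nothing here touches the network.
"""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "AXFR": 252, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query with recursion desired: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer: 14-bit offset of an earlier name
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_rdata(rtype, data, start, rdlength):
    """Interpret RDATA for the record types listed in the text; others come back as hex."""
    rdata = data[start:start + rdlength]
    if rtype == QTYPE["A"]:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == QTYPE["AAAA"]:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype == QTYPE["NS"]:
        return read_name(data, start)[0]
    if rtype == QTYPE["MX"]:  # 16-bit preference, then the exchange name
        return struct.unpack("!H", rdata[:2])[0], read_name(data, start + 2)[0]
    if rtype == QTYPE["TXT"]:  # one or more <length><text> character-strings
        strings, pos = [], 0
        while pos < rdlength:
            strings.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii"))
            pos += 1 + rdata[pos]
        return strings
    return rdata.hex()


def parse_message(data):
    """Return (header, questions, answers); authority and additional sections are not decoded."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        qtype = struct.unpack("!HH", data[offset:offset + 4])[0]
        offset += 4
        questions.append((name, TYPE_NAME.get(qtype, qtype)))
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, TYPE_NAME.get(rtype, rtype), ttl, parse_rdata(rtype, data, offset, rdlength)))
        offset += rdlength
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF}, questions, answers


def build_sample_response():
    """Constructed reply to 'ANY example.com'; every owner name is a pointer to the question name."""
    name_ptr = b"\xC0\x0C"  # offset 12: where the question name starts

    def rr(rtype, rdata, ttl=3600):
        return name_ptr + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata

    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0)  # QR, RD, RA set; five answers
    msg += encode_name("example.com") + struct.pack("!HH", QTYPE["ANY"], 1)
    msg += rr("A", socket.inet_pton(socket.AF_INET, "192.0.2.10"))
    msg += rr("AAAA", socket.inet_pton(socket.AF_INET6, "2001:db8::10"))
    msg += rr("NS", b"\x03ns1" + name_ptr)                           # ns1.example.com
    msg += rr("MX", struct.pack("!H", 10) + b"\x04mail" + name_ptr)  # 10 mail.example.com
    msg += rr("TXT", b"\x0bv=spf1 -all")                             # one 11-byte string
    return msg
```

Sending build_query() over UDP port 53 and feeding the reply to parse_message() is all nslookup does for a simple lookup; the parser is also a convenient way to see why a single response can name several additional hosts (here the name server and mail exchanger) that were not asked about directly.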

Network Reconnaissance
Network reconnaissance is a broad description for a set of activities designed to map out the size and
scope of a network using Internet utilities. This includes the number and addresses of available servers,
border routers, and the like. Two of the most common utilities used are ping and traceroute. Each of
these utilities is demonstrated in some of the lab exercises in this manual.

Ping
Ping is a utility that will generate one or a series of TCP/IP packets and send them to a specified computer address. It is also known as Packet InterNet Groper and many claim it may be named on the basis of the word used by submariners for the sound of a returning sonar pulse. Ping is implemented in almost all operating systems and network devices that use TCP/IP. It is used to determine if a specific address on the Internet is responsive. It does this by creating and sending Internet Control Message Protocol (ICMP) echo requests and subsequently waiting for a response. Ping operates at the lowest level of the network model and may be useful to verify the responsiveness of a host. Ping will elicit a response from a remote host (if the network architecture of the destination network allows it). It can sometimes respond even when higher-level services are unavailable.

Ping is a useful tool in determining whether a target machine is available on the network. It often works across the Internet and provides information on the number of bytes transmitted and received from the destination and the amount of time it took to send and receive the ping packets.

According to RFC 1574, the ping utility must be able to provide the round-trip time of each packet sent, plus the average, minimum, and maximum round-trip time over several ping packets. When an error packet is received by the node, the ping utility must report the error code to the user.


Traceroute
Traceroute is a common TCP/IP utility that provides the user with specific information on the path a packet takes from the sender to the destination. It provides not only the distance the packet travels, but the network and DNS addresses of each intermediary node or router. Traceroute provides an in-depth understanding of a network’s configuration and assists administrators in debugging troublesome configurations. Unfortunately, it also provides details of a network’s configuration that a network administrator may not want disclosed.

Traceroute works by sending out an IP packet with a time to live (TTL) of 1. The first router/gateway encountered responds with an ICMP error message indicating that the packet cannot be forwarded because the TTL has expired. The packet is then retransmitted with a TTL of 2, to which the second hop router responds similarly. This process goes on until the destination is reached. This allows the utility to document the source of each ICMP error message and thus trace the route between the sender and the receiver.

The advantage of this approach is that all network devices in use today have the ability to send TTL exceeded messages. No special programming is required. On the downside, a large number of overhead packets are generated.

Lab Exercises
Lab 3.1A will use the Windows command-line tools nslookup, ping, and traceroute to perform simple network data retrieval. Lab 4.1A will use similar tools on a Linux platform. The retrieval of public information from the Internet will be shown in Lab 3.1B and the use of a convenient tool called Sam Spade will be demonstrated in Lab 3.1C.
Lab exercises in Chapter 3 are:
➤➤ 3.1A Network Reconnaissance Using Command Line
➤➤ 3.1B Web Reconnaissance Using a Web Browser
➤➤ 3.1C Web Reconnaissance Using Sam Spade
Lab exercises in Chapter 4 are:
➤➤ 4.1A Network Reconnaissance with Linux Command Line
➤➤ 4.1B Web Reconnaissance Using a Web Browser

2.2 Scanning and Enumeration


Once the network territory of the organization of interest is known, attackers will begin collecting data from the network using a process known as scanning and enumeration. Scanning is the process of collecting information about computers by either listening to network traffic or sending traffic and observing what traffic returns as a result. Once a specific network host has been identified, enumeration is the process of identifying what resources are available to exploit. These methods work in conjunction with each other. You first scan the network to determine what assets or targets are on the network, and then you enumerate each target by determining which of its resources are available. From the defender’s perspective, without knowing which computers and resources are vulnerable, it is impossible to protect those resources from attack. The manual includes a number of exercises that will show you how to determine exactly what computers are making resources available on the network and what vulnerabilities exist.

Scanning utilities are tools used to identify what computers are active on a network, as well as what ports and services are active on the computers, what function or role the machines may be fulfilling, and so on. These tools can be very specific as to what sort of computer, protocol, or resource they are scanning for, or they can be very generic. It is helpful to understand what sort of environment exists within your network so you can use the best tool for the job. The more specific the scanner is, the more likely it will give you detailed information that is useful later. However, it is also recommended that you keep a very generic, broad-based scanner in your toolbox as well. This will help locate and identify rogue nodes on the network of which you—as the administrator of the system—might not be aware. Many of the scanning tools available today are capable of providing both simple/generic and detailed/advanced functionality.
Stack fingerprinting is used to identify the operating systems on remote machines using common
network protocols, many of which have already been discussed in previous lab exercises. The term “stack
fingerprinting” refers to the TCP/IP stack on a host system. There are other ways of determining the
OS of a remote machine that do not involve stack fingerprinting at all, but rely on poorly managed or
configured systems. Generally, there are two types of stack fingerprinting: active and passive. You will be
working with active stack fingerprinting for some of the lab exercises offered in this manual because it
is much easier and less time consuming. With active stack fingerprinting, you are using a tool to probe
systems on the network and gather any information returned from those systems. The tool evaluates
the information and makes a determination as to the possible OS running on those systems. Passive
stack fingerprinting involves silently monitoring network traffic between other machines and trying to
determine the OS on those machines by the traffic patterns.
Enumeration is the process of identifying the resources on a particular network node that are available
for network access. Typically, each resource is accessed through a particular port of the protocol that
is being used on the network. The port number can be anything that both the client and the server
computers agree on in order to allow access to the resource. Enumeration tools move through the range
of possible ports and try to determine as much information as possible about the resource that is being
offered at that port address.
Enumeration tools allow the network security administrator to determine what resources are being
made available on the network. Most of these will be expected, as they are required for doing business.
However, some resources might be available (and therefore vulnerable) on the network without knowledge
or planning by the IT staff. Some of these rogue resources are made available by default with current
operating systems. Also, employees who do not understand that they are placing their system and
the network as a whole at risk can inadvertently make resources available that compromise the network’s
integrity.
Using scanner software is relatively straightforward. Once you know either the range of addresses of
the network environment or the protocol you want to scan, this information is entered in the software
tool. The tool then polls the network. The software sends active traffic to all nodes on the network. Any
computer on the network that is offering services or utilizing that protocol will respond to the poll with
some specific information that can then be gathered and analyzed.

The TCP/IP Family of Protocols


In order to understand scanning and enumeration, some degree of network knowledge is required. It is
assumed that students using this manual will have been exposed to networking concepts and to TCP/IP in
particular. One Internet protocol, ICMP, is primarily used by networked operating systems to send error
messages. These messages allow servers to communicate with each other, enabling them to report errors
and ensure that network paths are maintained. One feature of the protocol allows it to be used to send
echo requests and their replies. When the ICMP request is broadcast, any listening hosts transmit an
ICMP reply. However, it is a common practice for administrators to block ICMP requests at the firewall
or gateway router.
UDP scans are used to detect UDP ports open on a target device. UDP packets don’t use flags that are
set to identify listening ports—they operate in a slightly different manner. A UDP packet contains only
three headers: a data-link header, an IP header, and the UDP header. The UDP header contains the target
port number, which is changed during the scan in order to reach all ports on the target device. If the
target isn’t listening for traffic on that UDP port, it replies with an ICMP “Destination Unreachable”
packet. The UDP ports that are active do nothing, thus marking those port numbers as active for the user.
The TCP/IP Handshake is a sequence of TCP packets that work together to establish a persistent
connection between networked computers. To establish such a connection, a client attempts to connect
with a server, using a three-way (or three-step) handshake:
1. A request to open is initiated by the first host (the client) sending a SYN packet to the second
host (the server).
2. In response, the server replies with a SYN-ACK packet.
3. Finally the client sends an ACK back to the server to finalize the connection.
At this point, both the client and server have received an acknowledgment of the connection. The TCP
packets described in this process are further defined as the following:
➤➤ TCP SYN—Used to open a connection between a client and a server. First the client sends
the server a TCP packet with the SYN flag set. The server responds to this with a packet
having both SYN and ACK flags set, acknowledging the SYN. The client then replies with
an ACK of its own, completing the connection.
➤➤ TCP FIN—Similar to TCP SYN. Normally, a TCP packet with the FIN flag set is sent
to a client when the server is ready to terminate the connection. The client responds with
an ACK which acknowledges the disconnect. This only closes half of the connection as the
client still must indicate to the server that it has transmitted all data and is ready to disconnect.
This is referred to as the “half-close.”
➤➤ TCP NULL—A packet with none of the RST (reset), FIN, SYN, or ACK flags set. If the
ports of the target are closed, the target responds with a TCP RST packet. If the ports are
open, the target sends no reply, effectively noting that port number as an open port to the user.
➤➤ TCP ACK—A TCP packet with the ACK flag set. Scans of the TCP ACK type are used
to identify Web sites that are active, which are normally set not to respond to ICMP pings.
Active Web sites respond to the TCP ACK with a TCP RST, giving the user confirmation
of the status of a site.
➤➤ TCP Connect—The “three-way handshake” process described under TCP SYN above.
When one system sends a packet with the SYN flag set, the target device responds with SYN
and ACK flags set, and the initiator completes the connection with a packet containing a set
ACK flag.
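As an added, defender-side example that is not part of the lab manual, the following Python classifies individual probe packets by the flag patterns listed above (NULL, SYN, FIN, ACK), infers a UDP sweep from the ICMP “Destination Unreachable” replies described under the TCP/IP family of protocols, and reports any source that hits many ports on one host. The packet records, addresses and the port threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Simplified packet summary (constructed for this example)."""
    proto: str                       # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: int                       # ICMP: port taken from the quoted UDP header
    flags: frozenset = frozenset()   # TCP flag names set on this packet
    icmp: tuple = ()                 # (type, code) for ICMP packets


def tcp_probe_kind(flags):
    """Map a lone TCP packet's flag set to the scan type it matches:
    no flags at all -> NULL, only SYN -> SYN, only FIN -> FIN, only ACK -> ACK.
    Anything else (SYN-ACK replies, data segments) is not treated as a probe."""
    f = frozenset(flags)
    if not f:
        return "NULL"
    if f == {"SYN"}:
        return "SYN"
    if f == {"FIN"}:
        return "FIN"
    if f == {"ACK"}:
        return "ACK"
    return None


def detect_scans(packets, min_ports=5):
    """Return {(scanner, target, kind): sorted ports} for every sender whose
    probes of one kind touched at least min_ports distinct ports on one host.

    UDP sweeps are inferred from the target's replies: closed UDP ports answer
    with ICMP type 3 / code 3 (Destination Unreachable, Port Unreachable) and
    open ones stay silent, so a burst of such replies marks the scanner."""
    hits = defaultdict(set)
    for p in packets:
        if p.proto == "tcp":
            kind = tcp_probe_kind(p.flags)
            if kind is not None:
                hits[(p.src, p.dst, kind)].add(p.dport)
        elif p.proto == "icmp" and p.icmp == (3, 3):
            # the reply flows target -> scanner, so swap to name the scanner first
            hits[(p.dst, p.src, "UDP")].add(p.dport)
    return {key: sorted(ports) for key, ports in hits.items() if len(ports) >= min_ports}


# Constructed addresses for the sample traffic below (not real hosts)
SCANNER, TARGET, CLIENT = "10.0.0.5", "10.0.0.20", "10.0.0.9"


def sample_traffic():
    """Constructed capture: a NULL sweep, a SYN sweep, a UDP sweep answered by
    port-unreachable messages, and one legitimate three-way handshake."""
    pkts = [Packet("tcp", SCANNER, TARGET, port) for port in range(20, 31)]
    pkts += [Packet("tcp", SCANNER, TARGET, port, frozenset({"SYN"})) for port in range(1, 101)]
    pkts += [Packet("icmp", TARGET, SCANNER, port, icmp=(3, 3))
             for port in (53, 67, 69, 123, 161, 514)]
    pkts += [
        Packet("tcp", CLIENT, TARGET, 80, frozenset({"SYN"})),
        Packet("tcp", TARGET, CLIENT, 51000, frozenset({"SYN", "ACK"})),
        Packet("tcp", CLIENT, TARGET, 80, frozenset({"ACK"})),
    ]
    return pkts


if __name__ == "__main__":
    for (src, dst, kind), ports in detect_scans(sample_traffic()).items():
        print(f"{kind} scan from {src} against {dst}: {len(ports)} ports "
              f"({ports[0]}-{ports[-1]})")
```

The legitimate client’s single SYN and ACK to port 80 stay below the threshold, which is what separates a normal handshake from a sweep.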
Many times systems professionals will put systems into productive use without making sure they are
properly configured. These types of faults can sometimes be discovered using simple instructions typed
into the Windows command line. This activity will be performed in Lab 3.2A.
Basic port scanning is a very simple process that takes a range of TCP/IP addresses and a range of TCP
and/or UDP ports and tries to determine which ports are active at which addresses. The various tools
that can be used to perform this activity provide automated controls that use a variety of mechanisms to
make the connections.
For defending against basic enumeration, only one basic principle applies: do not run any unnecessary
services. To repeat, do not run any unnecessary services! Please, don’t run any unnecessary services. Got the
point? Good. This is the most basic building block of a good defense in information security. It applies
to Windows machines the same as Linux, or Unix, or AS400 systems. If there is not a clear business need
for having a port open or a service running—don’t let it run. Disable it.

Lab Exercises
Lab 3.2A will use the Windows command-line tools net and nbtstat to perform simple network
attachment tricks. Lab 4.2A will use similar tools on a Linux platform. Labs 3.2B and 4.2B will use the
free Advanced Port Scanner for Windows and THC-Amap applications, respectively, to do simple port
scanning. Labs 3.2C and 4.2C will use the NMap application to actively scan and enumerate systems.
Lab exercises in Chapter 3 are:
➤➤ 3.2A Scanning and Enumeration for Windows Command Line
➤➤ 3.2B Port Scanning with Advanced Port Scanner for Windows
➤➤ 3.2C Active Stack Fingerprinting Using NMap
Lab exercises in Chapter 4 are:
➤➤ 4.2A Generic Enumeration with Command Line
➤➤ 4.2B Scanning with THC-Amap
➤➤ 4.2C Active Stack Fingerprinting and Enumeration with NMap

2.3 OS Processes and Services


Computer users often monitor the performance of their systems. Sometimes this is to determine if
system resources are low or to see what is causing a performance bottleneck. It is also very useful for
security professionals to know what is expected to be on a system and what an unexpected element of
a system is.
Many of the things that a good network security administrator can do to protect the network and the
systems on the network are plain common sense. The manufacturers of the operating system and of most
programs that operate in a network environment provide patches, updates, and hot fixes that secure their
software. Some companies are more visible with these patches than others, and some provide convenient
utilities that help you identify weaknesses and harden the OS.
System resources can be consumed by specific programs or by services running on the system.
If a system has been compromised, it is necessary that the person assessing the situation be able to
determine which processes are currently running on the system legitimately, along with being able
to assess which communications sockets are open by each process. In some cases it is not possible to
identify the attacking program or person until all of the legitimate programs and processes have been
accounted for.

Lab Exercises
Labs 3.3A and 4.3A will show the user how to determine which processes are running and how much of
the system’s resources are being consumed by each process for Windows and Linux systems, respectively.
Windows users will drill into the subject with an exploration of several tools for getting more information
and more convenient access to information in Labs 3.3B to 3.3E. Linux users will examine the
powerful features of the lsof command in Lab 4.3B.
Lab exercises in Chapter 3 are:
➤➤ 3.3A OS Processes and Services Functional Assessment
➤➤ 3.3B Functional Services Assessment
➤➤ 3.3C OS Services Management Using MSConfig
➤➤ 3.3D OS Services Management using Performance Information and Tools
➤➤ 3.3E OS Services Management Using Autoruns
Lab exercises in Chapter 4 are:
➤➤ 4.3A Active OS Process and Service Assessment with ps
➤➤ 4.3B Intermediate OS Process and Service Assessment with top
➤➤ 4.3C Active OS Processes and Service Assessment with lsof
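As an added example that is not from the manual, the following Python reads the column layout of lsof -i -P -n (a constructed sample is embedded), keeps only the sockets that accept traffic, and compares them with a baseline of the services expected on the host, so that listeners nobody has accounted for stand out. The baseline, process names, PIDs and ports are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout printed by `lsof -i -P -n`
# (process names, PIDs and ports are invented for this example)
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  18341      0t0  TCP *:22 (LISTEN)
sshd      812   root    4u  IPv6  18343      0t0  TCP *:22 (LISTEN)
apache2  1203   root    4u  IPv6  21990      0t0  TCP *:80 (LISTEN)
cupsd     610   root    7u  IPv4  15002      0t0  TCP 127.0.0.1:631 (LISTEN)
chronyd   540 chrony    5u  IPv4  14001      0t0  UDP 127.0.0.1:323
sshd     4402   root    3u  IPv4  44011      0t0  TCP 10.0.0.20:22->10.0.0.9:51234 (ESTABLISHED)
nc       4410    bob    3u  IPv4  44120      0t0  TCP *:4444 (LISTEN)
python3  4500    bob    3u  IPv4  44500      0t0  TCP *:8080 (LISTEN)
"""

# Assumed baseline of (command, protocol, port) triples that belong on this host
BASELINE = {
    ("sshd", "TCP", 22),
    ("apache2", "TCP", 80),
    ("cupsd", "TCP", 631),
    ("chronyd", "UDP", 323),
}


@dataclass(frozen=True)
class Socket:
    command: str
    pid: int
    user: str
    proto: str   # 'TCP' or 'UDP' (the NODE column)
    addr: str    # local address, '*' means all interfaces
    port: int
    state: str   # 'LISTEN', 'ESTABLISHED', ... or '' for UDP


# NAME column: local addr:port, optional ->peer, optional (STATE)
_NAME_RE = re.compile(r"^(\S+?):(\d+)(?:->\S+)?(?: \((\w+)\))?$")


def parse_lsof(text):
    """Parse lsof -i -P -n output into Socket records, skipping the header and
    any line that does not carry a numeric local port."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)   # NAME may contain spaces, so cap the split
        if len(parts) < 9:
            continue
        m = _NAME_RE.match(parts[8])
        if not m:
            continue
        addr, port, state = m.groups()
        sockets.append(Socket(parts[0], int(parts[1]), parts[2], parts[7],
                              addr, int(port), state or ""))
    return sockets


def listening(sockets):
    """Sockets that accept traffic: TCP in LISTEN state plus every bound UDP
    socket (UDP has no connection state to filter on)."""
    return [s for s in sockets
            if (s.proto == "TCP" and s.state == "LISTEN") or s.proto == "UDP"]


def unexpected_listeners(sockets, baseline):
    """Listening sockets whose (command, proto, port) is not in the baseline,
    i.e. services nobody has accounted for, sorted by port then PID."""
    return sorted((s for s in listening(sockets)
                   if (s.command, s.proto, s.port) not in baseline),
                  key=lambda s: (s.port, s.pid))


if __name__ == "__main__":
    for s in unexpected_listeners(parse_lsof(SAMPLE_LSOF), BASELINE):
        print(f"unexpected listener: {s.command} (pid {s.pid}, user {s.user}) "
              f"on {s.proto}/{s.port} bound to {s.addr}")
```

Established connections are deliberately left out of the comparison; the question here is which processes are offering a service, not who is currently connected.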

2.4 Vulnerability Identification and Research


One of the finer distinctions in information security is the one made between a vulnerability and a threat.
A vulnerability is a potential security flaw that exists in some defined system. Examples would be buffer
overflows in code, built-in vendor accounts that are enabled by default, and so on. Vulnerabilities such
as these can be exploited in some way by attackers. Threats are the broader sources from which attacks
might come. Losses from theft or natural disasters are examples of potential threats.
What does this mean? A security or systems administrator may have 20 machines in his or her enterprise
running Microsoft Windows Server 2003. If a buffer overflow vulnerability is announced in the code of
this operating system, the systems administrator should be concerned. What if this can only be exploited
from a remote network connection and the machines are all in a lab environment without networking?
They have a vulnerability, and that is understood. What is the likelihood of a threat to these systems?
Fairly slim.
This manual approaches the topic of vulnerability assessment with a narrow focus on a few techniques
to identify and validate a specific range of vulnerabilities for Windows and Linux operating systems.
There are many different types of vulnerabilities and quite a few of them are not discussed here; many
vulnerabilities are related to complex and intricate relationships between and among the many parts of
an information system used in a production environment. These are outside the scope of this manual.
Keep in mind that experts in this field will spend many years acquiring and honing their skills in detecting
and validating vulnerabilities. Your assignment is to begin to understand what they are looking for.
Along the way to finding vulnerabilities, a number of simple remediation and prevention methods
will be discussed. At a granular level, there are many steps you can take to prevent attacks on machines
running Windows and Linux. In a later unit you will examine the process of “hardening” the operating
system, removing unnecessary services and accounts, and making small changes here and there, such as
adjusting password usage parameters and using the software patch process.

Windows Servers
Windows Server 2008 and 2012 have had major improvements over the previous server-level operating
systems that had been produced by Microsoft.
Among the features that are available in Windows Server 2008 is a robust public key infrastructure,
allowing organizations to manage certificates and keys much more easily than in the past. This operating
system also incorporates a built-in firewall that was introduced with Windows XP, and the ability to
encrypt offline files easily. With regard to networking, new Windows domain policies are available
that allow the network or systems administrator to lock down software, achieve much more granular
user-level control, and centrally monitor wireless access points and connections.
Windows Server 2012 saw further improvements with improved server group management features,
continued improvement in virtualization capabilities, improvements in the way virtual disk management
is performed, and more choices in the roles that can be fulfilled with Server Core.

Linux
“Got root?” This is both an amusing attacker-related bumper sticker and T-shirt slogan and the question all
Linux attackers ask themselves when an attempted attack is successfully completed. Linux has advanced
significantly as a commercial server since its inception in the early 1990s by Linus Torvalds. Most of you
may be familiar with Linux, but in case you are not, Linux is an open source operating system. Open
source software is open to code review and addition by any developer who wants to contribute to the
project. There are benefits and drawbacks to this approach, as there are with any approach, but people
seem to be a bit more fanatical when it comes to proselytizing open source operating systems built
around UNIX, including different flavors of BSD and Linux.
Linux backers will tell you that the primary benefit to open source software is the extensive debugging
that is undertaken by community-minded developers. Linux detractors argue the opposite: anyone
can create a security flaw for Linux, because they can just open up the code and look in, and that you
get what you pay for. It is the opinion of many, however, that Linux is certainly as stable, robust, and secure
as most commercial operating systems. Many large companies have adopted Linux in some fashion,
including IBM, Hewlett-Packard, Sun Microsystems, and so on.
Before you get into any detail regarding local aspects of Linux security, one thing should be emphasized.
Never underestimate the importance of physical security! Everything else about to be discussed is
irrelevant if an attacker has physical access to the machine. Consider an example. Linux users have the
option of running the OS at different run levels. For brevity, suffice it to say that the standard run level
without a GUI is run level 3, and the X-Windows system operates at run level 5. Have you ever booted
Windows into safe mode? This is a simplified, watered-down version of the OS that does not necessarily
support network access, and is often used for troubleshooting purposes. In Linux, this is called single-user
mode, or run level 1. Linux machines are often dual booted between operating systems. When you
boot the machine, you are presented with some sort of bootloader program, typically LILO or GRUB
on a Linux system. If you are presented with a LILO screen, enter Linux single-user mode at the prompt
(press Ctrl+X first if a graphical LILO screen is presented). This automatically enters you into a root
prompt! Using the passwd command, you could change the root user password and then reboot to a
higher run level. Compromising a system does not get any easier than this.

Vulnerability Scanning with Nessus


The Nessus Project is an open source vulnerability scanner that is comprised of a server installation in
either a Windows or Linux environment, along with a Web server which allows any system with a Web
browser to be used as a client. The server actually performs the scans, and can be configured to include
one of many loadable modules or plug-ins written in a specialized scripting language called Nessus
Attack Scripting Language (NASL). For individual penetration testing, you need to execute a single
NASL script at a target to test for vulnerabilities.
Nessus differs from many security scanners in that it can fully penetrate systems to perform a full test.
The user can select various plug-ins that test for specific vulnerabilities, or he or she can run a scan that is
intrusive (overall) or nonintrusive. An attacker skilled in using Nessus may learn more about your system
in a few hours than you know yourself. The information gleaned from a scan can then be used to exploit
the system. You should be aware that Nessus is a very powerful tool and can be quite intrusive and even
cause systems to crash or become unstable. Make sure you have explicit permission to use Nessus to scan
the computer systems used as targets for your scans. The authors do not recommend your use of this tool
outside of a lab setting unless it is used under supervision of an experienced vulnerability analyst.
Nessus is one of the most powerful and adaptive vulnerability scanners available to security professionals
today. Very few tools exist that are more capable in conducting penetration tests and vulnerability scans,
both internal and external. The best part? It’s free! Nessus is an open source product originally created
and maintained by a man named Renaud Deraison, but is now maintained by Tenable Security. Tenable
continues to offer the application freely, but with limitations on personal versus professional usage. A
custom scripting language called NASL is used to write the plug-ins that Nessus uses to test machines.
The best defense in protecting against remote vulnerabilities is to “plug the leaks.” By identifying and
disabling all unnecessary services and ports, you can decrease the chances of an intrusion enormously.
For services that are considered to be mission critical, make sure that all the software is up to date and
that any security patches have been applied. Because Linux is an open source OS, most software developers
who create applications for Linux possess a community-oriented mindset; this, in turn, typically
leads to security patches being published very quickly whenever a vulnerability in a Linux application
is disclosed.
For any systems administrator or security administrator, being “in touch” with your servers is very
important. What this means is checking log files religiously, running simple commands such as ps and
netstat to see what is running on your system, and periodically testing the machine’s defenses for chinks
in its armor with vulnerability scanners or similar tools.

Lab Exercises
Lab 3.4A will use a tool called Microsoft Baseline Security Analyzer (MBSA) that Microsoft provides
for finding systems vulnerabilities. Two sections of exercises will expose you to a product suite called
Nessus that is considered by many to be the industry standard for finding systems vulnerabilities for all
types of systems. You will run your Nessus searches from a Windows system using Lab 3.4B or from a
Linux system accessing a Nessus server using Lab 4.4A.
Practitioners who use tools like Nessus say that finding vulnerabilities is pretty easy; verifying and
classifying them is the hard part. The exercises in Labs 3.4C and 4.4B will help you begin to understand
how vulnerabilities are validated and then how the research process can help come up with remediation
options to fix the vulnerabilities that are real threats to system security.
Lab exercises in Chapter 3 are:
➤➤ 3.4A Vulnerability Identification with MBSA
➤➤ 3.4B Vulnerability Identification with Nessus
➤➤ 3.4C Vulnerability Research with CVE and Bugtraq
Lab exercises in Chapter 4 are:
➤➤ 4.4A Vulnerability Investigation Using Nessus
➤➤ 4.4B Vulnerability Research with CVE and Bugtraq

2.5 Vulnerability Validation


When a network or a system has been scanned to identify potential vulnerabilities, that is not in itself
proof that the system is in fact vulnerable to exploits that use the suspected vulnerability. Many times
a suspected vulnerability may have been patched or controlled in a way that is not detectable to the
vulnerability scanning tool used. It then becomes necessary to validate the vulnerability in question.
There are tools that can assist in this process, but they must be used by a skilled and experienced human
operator in order to prove that the vulnerability does in fact exist.

Lab Exercises
Lab 4.5 provides a tutorial using the Metasploit Framework tool.
Lab exercises in Chapter 3 are:
➤➤ 3.5A Penetration Testing with Metasploit
Lab exercises in Chapter 4 are:
➤➤ 4.5A Penetration Testing with Metasploit

2.6 Systems Remediation and Hardening


After systems have been assessed for vulnerabilities and the vulnerabilities are known to be valid, the use
of both common hardening techniques and specific vulnerability remediation will make those systems
less vulnerable to attack. While this section does not offer an exhaustive list, and systems reconfigured
with only the techniques discussed here should not be considered secure, these steps are a useful way
to begin the process of system hardening. Most hardening techniques simply rely on denying or limiting
access to services and functionality that is not currently being used. This is a process known to many
as Attack Surface Reduction (ASR). The “attack surface” is the portion of a system’s functionality that
is available to unauthenticated users. The size of the attack surface and the system’s capabilities available
to unauthenticated users must be carefully minimized. In general, the fewer the number of running
services, the smaller the chance that one of them will be vulnerable to attack.
Throughout the last several years, Microsoft’s Web server software, Internet Information Services (IIS), has
been beset by security problems. Although the software is functional, easy to use, and very robust, severe
coding errors and a default configuration that was woefully insecure have led to IIS having a reputation
as the “poster child” for insecure software.
When properly configured and secured, however, IIS can be considerably less risky to use; considering
the ease of implementation and low learning curve associated with IIS, this is an attractive option
for many organizations already running a Windows network infrastructure. To assist users in properly
configuring the software, Microsoft published a free application called the IIS Lockdown Tool.
At the time of this writing, the Apache Web server is the most popular Web server in use on the Internet.
The price can’t be beat (free), and the software is extremely robust and stable, with a wealth of options
that can be configured. In some of the lab exercises offered in this manual, you will start with a default
installation of Apache 2 on your system, and take steps to add a password-protected directory, as well as
improve the overall security of the service.
It is important to note that Apache has an enormous number of possible configuration options that can
be set. Only a very small subset of Apache’s options will be set in the Apache-related lab exercises.

Lab Exercises
Lab 3.6A will use the Windows secedit tool to reset Windows security settings to default. Lab 4.6A will
describe editing configuration files for various Internet-facing services. Lab 3.6B will examine and use
the various Windows tools available to secure the OS. Lab 3.6C will describe various methods to harden
Windows Server 2008.
Lab exercises in Chapter 3 are:
➤➤ 3.6A Windows Security Default Reset
➤➤ 3.6B Windows 7 OS Security Configurations
➤➤ 3.6C Windows Server 2008 OS Hardening
The exercises in Chapter 4 are:
➤➤ 4.6A Internet Server Configuration and Security

2.7 Web Browser Security and Configuration


The use of the Internet and the World Wide Web (WWW) has grown exponentially in recent years
and has become a central component of most organizations’ IT strategy. Many software companies
have modeled their applications around the same model, with distributed clients accessing centralized
applications through a Web browser client.
Whenever a technology becomes widespread and is used to handle important information that has
value, attackers will work on ways to compromise those systems. The WWW is no exception and there
are many types of Web-based attacks being executed today. Some of these include:
➤➤ Cross-site scripting (XSS)—Usually occurring via concealed code in Web site links, forms,
and so on, XSS allows an attacker to gather data from a Web user for malicious purposes.
➤➤ Information theft—Through techniques such as phishing, malicious attackers can
masquerade as legitimate Web sites or applications and harvest user data.
➤➤ Session hijacking—Small text files called cookies are placed on a user’s machine when
visiting many Web sites in order to maintain information about the user or site for future
visits. These can be manipulated for malicious purposes including privacy violations and
the actual hijack of a user’s browser session, where an attacker uses information stored in
customized cookies to mislead a user in some way.
The most popular Web browser today is Microsoft Internet Explorer (IE). This software has been plagued
with security problems such as buffer overflows, remotely exploitable vulnerabilities, and so forth.
Many Web-based sites and applications are configured to work specifically with IE, however. For this
reason, many people choose to patch the software and live with the security problems. Knowing how to
properly configure some of the security settings available in Internet Explorer can drastically reduce the
potential threat of compromise.
Internet Explorer has a number of simple settings that can be configured to increase its overall security
posture. Security Zones enable users to define sites that are known to be safe, as well as those known to
be unsafe. It is simple to also define sites here that are based on a user’s local network or intranet, as well
as generalized Internet (or external) sites.
Other settings that can be configured include the acceptable encryption level, how cookies are used
and/or stored, a content rating system called Content Advisor, and other miscellaneous settings.
Flash and JavaScript have given rise to beautiful and functional Web applications. They have improved the
experience users enjoy at Web sites and moved many everyday functions from the desktop to the
browser. However, as a trade-off they have also made the Web a very dangerous place. In 2007, approximately
80% of documented vulnerabilities were related to XSS or cross-site scripting. In 2013, the OWASP
Top 10 Project listed cross-site scripting as the third most frequently used method of compromise via
Web sites, behind only injection and broken authentication/session management. Often the authors of
affected Web sites are not even aware that their sites are damaging their users’ computers. Steps must be
taken to harden our Web browsers and put us in control of the code that runs in them.
The Firefox Web browser has enjoyed increased usage in recent times, due to better security
implementation than Internet Explorer and much more rigid adherence to Internet standards. It also
offers a number of interesting and convenient features such as tabbed browsing and native support for
disabling pop-ups. By default, many Linux distributions ship with Firefox as the default Web browser.

Lab Exercises
Lab 3.7A will describe how to harden Internet Explorer. Labs 3.7B and 4.7A will describe how to
harden Firefox on a Windows and Linux system, respectively.
Lab exercises in Chapter 3 are:
➤➤ 3.7A Web Browser Security and Configuration—Internet Explorer
➤➤ 3.7B Web Browser Security and Configuration—Firefox
Lab exercises in Chapter 4 are:
➤➤ 4.7A Securing the Configuration of Firefox

2.8 Data Management


Current generation operating systems use elements known as file systems to manage the data being
stored on rotating magnetic media. This has the effect of making data management tasks both easier to
accomplish and more resistant to errors than was commonly found on computer file systems of just one
or two OS generations ago.

Lab Exercises
Labs 3.8A and 4.8A will use the chkdsk and fsck tools on Windows and Linux systems, respectively, to
scan disks for errors and correct them if possible. Lab 3.8B will use the chkntfs tool to disable auto-
matic checking of New Technology File System (NTFS) volumes at boot on Windows systems. Lab 4.8B will
describe how to view the fstab file to discover the types of file systems mounted on a Linux system.
Lab 3.8C will use the Disk Defragmenter tool to defragment Windows files. Lab 3.8D will use the Computer
Management tool to create a new partition on a Windows system.

Copyright 2014 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Lab exercises in Chapter 3 are:


➤➤ 3.8A Windows Drive Management Using ChkDisk
➤➤ 3.8B Windows Drive Management Using chkntfs
➤➤ 3.8C Windows Drive Management Using Disk Defragmenter
➤➤ 3.8D Windows Drive Management Using Disk Management
Lab exercises in Chapter 4 are:
➤➤ 4.8A Drive Management in Linux
➤➤ 4.8B Exploring File Systems in Linux

2.9 Data Backup and Recovery


Protection of information assets is the primary goal of a security professional. In this section we
discuss a few options to ensure that your organization will have access to the information it spends its
resources on. No matter how secure your system is, backup and recovery processes should be regularly
exercised. While it should be your goal never to need to undelete a file, it is an important process to
know in case it is your only option.

Lab Exercises
Lab 3.9A will use the Backup and Restore tool to back up data on a Windows system. Lab 4.9A will use
the rdiff-backup tool to back up individual files and folders on a Linux system. Lab 3.9B will use the
SyncToy tool to do real-time backup on a Windows system. Lab 4.9B will use the dd tool to back up an
entire disk image on a Linux system. Lab 3.9C will use the Backup and Restore tool to restore backed-up
data on a Windows system. Lab 4.9C will use the Midnight Commander tool to restore deleted files on
a Linux system.
Lab exercises in Chapter 3 are:
➤➤ 3.9A Windows Data Backup and Recovery
➤➤ 3.9B Data Backup and Recovery Using SyncToy
➤➤ 3.9C Data Backup and Recovery with the Windows Recovery Options
Lab exercises in Chapter 4 are:
➤➤ 4.9A Data Backup and Restore using Linux Command-Line Tools
➤➤ 4.9B Data Backup and Recovery of Drive Images
➤➤ 4.9C Recovering Deleted Files
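The backup-and-recovery rehearsal the section above calls for, written as an added example rather than code from the lab manual: a dd image is taken of a source, checksummed against the original, restored to a fresh target and checksummed again, and a deliberately corrupted image is shown to fail the check. It assumes GNU coreutils (dd with status=none, sha256sum, mktemp) and uses a constructed file of random bytes in place of a real block device, which would need root to read.

```shell
#!/bin/sh
# Added example (not from the lab manual): image a disk stand-in with dd and
# prove the image can actually be restored by comparing SHA-256 digests.
# Assumes GNU coreutils on a Linux host; a real device would be e.g. /dev/sdb.
set -eu

# Print only the hex SHA-256 digest of a file.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy the source device or file block-for-block into an image file.
# 64 KiB blocks keep this quick on a small file; a real disk would use bs=4M.
make_image() {
    dd if="$1" of="$2" bs=64k status=none
    sync
}

# Return 0 when the two paths have identical contents, 1 otherwise.
verify_image() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# Write an image back to a target. This is the recovery step that must be
# exercised regularly; a backup that has never been restored is untested.
restore_image() {
    dd if="$1" of="$2" bs=64k status=none
    sync
}

# Run the rehearsal inside a scratch directory given as $1.
_rehearse_in() {
    work=$1
    # Constructed "disk": 1 MiB of random bytes standing in for a device.
    head -c 1048576 /dev/urandom > "$work/disk.bin"

    make_image "$work/disk.bin" "$work/disk.img"
    verify_image "$work/disk.bin" "$work/disk.img" \
        || { echo "image does not match source" >&2; return 1; }

    restore_image "$work/disk.img" "$work/restored.bin"
    verify_image "$work/disk.bin" "$work/restored.bin" \
        || { echo "restored data does not match source" >&2; return 1; }

    # Flip one byte at offset 4096 of the image; the check must now fail,
    # otherwise the verification step is worthless.
    printf 'X' | dd of="$work/disk.img" bs=1 seek=4096 conv=notrunc status=none
    if verify_image "$work/disk.bin" "$work/disk.img"; then
        echo "corrupted image went undetected" >&2
        return 1
    fi
    echo "backup/restore verified"
}

# Full backup-then-recovery rehearsal; returns 0 only if every step passed.
# The scratch directory is removed whether or not the rehearsal succeeded.
rehearse_backup() {
    work=$(mktemp -d)
    status=0
    _rehearse_in "$work" || status=$?
    rm -rf "$work"
    return "$status"
}

rehearse_backup
```

On a real system the same verify_image check should be run against the image after it has been moved to its storage location, since corruption in transit or on the backup medium is exactly what the rehearsal is meant to catch.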

2.10 Access Controls


Properly configuring the features of the file system, the Web browser, and the CA on Windows systems
is important for overall system security, as many new exploits take advantage of weaknesses and inherent
insecurity in the default configuration of these elements.
In earlier versions of Microsoft Windows, the standard file systems were known as FAT and FAT32
("FAT" stands for file allocation table). The FAT file system is really a holdover from the MS-DOS
operating systems that existed prior to Windows, with the FAT32 system simply supporting smaller
cluster sizes and larger volumes than FAT. All FAT file systems have inherent problems related to security,
as well as to volume and disk sizes. With the advent of the Windows NT operating system, Microsoft created
NTFS (New Technology File System). In addition to supporting much larger volumes and file sizes,
NTFS significantly enhanced fault tolerance and security for the Windows family of operating systems.

the clay, and told them to strip up their trousers, get into the trough,
and tread the clay by turns with their bare feet, while he sat on the
door-stone to smoke his pipe.
The boys entered upon the work with great good-will; but the longer
they tramped, the stiffer the clay grew as it absorbed the water, and
the harder the work became. In the course of fifteen minutes they
asked,—
"Isn't it trod enough, Uncle Seth?"
"Not yet."
They then wanted to put more water to it, but Mr. Seth would not
permit that. The clay grew more dense: and the boys began, one
after another, to get out of the trough. They suddenly recollected
that they were wanted at home, till at the end of a half-hour only
Will Redmond, Archie Crawford, and Sammy were left. Mr. Seth then
looked at it, rubbed it between his fingers, and told Sammy to let it
lie till supper-time, then give it another treading, and he would tell
him what to do next.
When the time came, Sammy could not get a single boy to help him.
Their interest in pottery had evaporated. They had the cattle to drive
up, chores to do, and plenty of occupation. Not so, however, with
Sammy: his enthusiasm lay deeper. He got into the trough, and trod
as long as he could see, till his legs ached, and he perceived that the
clay became much tougher and finer. Just as he was about to go, he
saw Uncle Seth coming from the mill, and they went home together.
When Uncle Seth came the next morning to look at the clay, he said,—
"You see, my lad, we always do every thing with a better heart when
we understand the reason for doing it."
He then took a piece of clay, placed it on the table, and cut it in
halves with a knife, and made Sammy notice that there were a good
many little holes and bubbles in it, and some little hard lumps, and
sometimes he picked out a little gravel-stone.
"If," said he, "these air-bubbles are not removed, when the ware is
put into the kiln, that air will expand with the heat, and burst the
clay; if there are stones, they will crumble; if there are sticks they
will make steam, swell, and cause a flaw. The potters work their clay
more than a woman does her dough: it is a great deal more work to
prepare the clay than it is to do all the rest. After they have worked
their clay, they let it lay in a heap to settle together, and break the
bubbles, and close the holes: sometimes they dig it a whole year
beforehand, and let it lie and ripen, as they call it."
"I don't care how hard I work, if I can only make a real good pot."
"That's a manly principle. You know how hard we all worked to build
the mill; and see what a blessing it is. Every thing, my lad, comes
from labor: it's the root and foundation of every thing worth having.
The Indians won't work, and see what a miserable life they lead."
Mr. Seth now made some of the clay into large lumps, and, taking up
one, slapped it down on the table with all his force three or four
times, and then kneaded it, and made Sammy take notice that when
he kneaded it he folded the dough back on itself so as to keep the
grain in one direction; and then cut it in halves, and Sammy saw
that the air-bubbles were closed up.
He told Sammy, if he just stuck together several lumps, just as an
eave-swallow does to make her nest, and made a dish out of it, that
when it came to dry it would be full of seams, a seam for every
lump. He then gave him a mallet, and told him when he was tired
with slapping he could pound it with the mallet.
"Why couldn't I put it in Mr. Cuthbert's hominy-block that is right
here before the door, and pound it same as we used to the corn? I
could get the boys to help, and pound up a lot."
"That would be just the best thing that ever was; and get them to
help you all you can the first going-off, while it is a new thing, for
they'll get sick of that sooner than they did treading the clay in the
trough."
Sammy found it was just as Mr. Seth said: the boys thought it was
nice fun at first; but they soon became tired, and one after another
found their folks wanted them, or they had something to do at
home. In vain Sammy begged them to stay; but, no, they could not.
"You'll want me to go 'long with you some time, and then I won't
go," said Sammy, and began to cry.
Soon Mr. Seth came along with some tools in his hand, with which
he had been working at the mill.
"What's the matter, Sammy?"
"The boys have all gone off, and won't help me; and I can't lift the
pestle. I wanted to pound all what was in the trough, and they ain't
pounded more'n half of it."
"Don't cry, lad: I'm going to the house, and I'll send Scip to help
you."
He felt so bad to have all his mates leave him, that he could not
recover himself immediately; and Scip (with whom Sammy was a
great favorite) found him in tears.
"What de matter wid my leetle Sammy?" cried Scip, taking the lad in
his arms, and wiping off his tears.
"The boys won't help me,—Archie won't, nor Will; and I can't lift the
pestle."
"Nebber mind dem. Scip help you much you want: you tell Scip what
you want."
Scip was a powerful fellow; and, though he had always avoided the
hominy-block before the mill was built, he now stripped himself to
the work, and soon pounded what remained of the clay that had
been trod in the trough, then carried it into the house. Sam cut it up
into lumps with a tomahawk; and Scip would take them up, and slap
them down on the table with a force that filled up the pores of the
clay, and made it compact.
Sammy hugged Scip, and told him he never would scare him again,
would give him half of all the maple-sugar he got, make him an
earthen mug to drink out of, and give him a lot of his hens' eggs.
It is not probable that Sammy would have obtained much help from
his companions, except for two reasons; one, that they could not
have a very good time without him, and also that he (by his
influence with Uncle Seth, and through him with Israel Blanchard)
could obtain the company of Scip on their expeditions.
Thus it was for their interest to help Sammy, in order that they might
have him and Scip to go with them. Sammy knew this, and made
the most of it while they were disposed to make the least of it, and
help him as little as would answer the purpose.
Sammy found that this clay was a very different material from any
he had used before: it was fine, tough, and did not stick to his hands
in the least; and with a mallet he could flat it out into broad sheets,
and roll it with a rolling-pin as his mother did her pie-crust.
As Mr. Seth became interested in Sammy's work, he recollected
many things that at first did not occur to him, and told Sam that the
potters put handles on their wares after they were partly dried; that
they rolled out a piece of clay of the right shape, and then stuck it
on with a little "slip" (that is, clay and water of the consistency of
thick cream), smoothed it with a wet sponge; and after the wares
were baked it would not show, but all look alike, and that a rag
would do as well as a sponge. Mr. Seth had offered to make moulds
of wood for him to mould his vessels on, but Sammy resolved to do
it himself; and, as he knew that the quality of the clay would
improve by lying, took time to think over the matter, and collected a
number of hard-shelled pumpkins, gourds, and squashes, which
suited his fancy in shape, boiled them, and scraped out the inside
with a spoon instead of waiting for the meat to rot, or trusting to the
wood-ants.
He wanted to make a bean-pot for Mrs. Stewart, and especially for
Mrs. Blanchard, because Uncle Seth would eat of the beans in that,
and, in respect to it, wished to do his best.
He could not brook the thought of making a pot, that was, in truth,
to be a present to Uncle Seth in acknowledgment of favors received,
and at the same time ask him to make the mould to form it on. The
boy likewise felt, as every one does who has accomplished any
thing, that he now had a character to sustain.
This is the operation of right and wrong notions and doings with a
boy. When he has done one or two good things, he naturally feels
anxious to do more, and maintain and add to the reputation he has
obtained.
On the other hand, when he has done several bad things, and feels
that he has lost character, he grows reckless: it becomes up-hill work
to get back, and he finally gets discouraged. Thus it happens to him
as the Scriptures declare: "For he that hath, to him shall be given;
and he that hath not, from him shall be taken even that which he
hath."
CHAPTER XVII.
SELF-RELIANCE.
The boys wanted Sammy to go hunting with bows and arrows, as
they were not allowed any more powder for gunning at present; but
he recollected how they had disappointed him in respect to the
hominy-block, and went to the mill, hoping something might drop
from Uncle Seth that would aid his thought.
The good man having constructed the crane and screw with which
to lift the upper millstone, and swing it off the spindle, was
deliberating upon the method in which he should make a bail by
which the screw was to be attached to the stone. He knew that
among the trees that grew on the banks of the stream or among the
bowlders on the hillside, where roots of trees were turned from their
natural course by various obstructions, it was not difficult to find a
root or branch that would form the upper part or crown of the bail;
and then, by cutting a mortise in each end, he could attach two
strong straight pieces of wood to drop over the edge, and be
fastened to it by wooden pins, thus forming a kind of wooden chain
similar to the brake on the driving-wheel of the wind-shaft.
He knew if such a root or branch was found, it would be a rough
affair, not a true curve, would probably be crooked, at least one
way; and that it was not at all probable that one would be found
large enough to hew to a square edge, and that here and there
portions of bark would need to be left on. Should he make the crown
from a large, slightly sweeping stick, it would be necessary to cut
the wood so much across the grain, there would not be sufficient
strength.
Mr. Seth was sitting flat on the floor, with his back to the wall,
chewing a chip. Sammy, who also had a burden on his mind, seated
himself at a little distance, waiting patiently for a proper opportunity
to speak.
At length Mr. Seth began to talk to himself: "I know what I'll do. I
won't get a natural crook; 'twill be rough, crooked, full of bunches,
and won't come to the stone as it should. It will look just like cart
and sled tongues that I have seen people make out of a crotched
tree; and I always despise 'em. I won't make it in pieces either. I'll
take a tough piece of wood, and bend it to exactly the shape I want;
then I can finish it up smooth. Of course it won't be quite as strong
as a natural crook, but I'll make it larger."
"O Uncle Seth! how can you bend such a great piece of wood?"
"Ha! you there, my little potter? You can do any thing, my lad, if you
only have pluck and patience."
"Then," thought Sammy, "I can find some better way to make pots,
if I have pluck and patience."
"Sammy, have you got your rifle with you?"
"No, sir. They don't let the boys have powder and bullets now."
"Well, I'm going home to get the oxen to haul a walnut-butt: run
down to your house, and ask Harry and the other boys to go into the
woods with me. Israel'll go too. And tell Harry to bring his broad-
axe: I want him to help me."
After hauling home a walnut-butt twenty feet in length, Mr. Seth
rolled it upon blocks, and began to hew the bail from the large end
of it; hewing the wood to a proud edge, and leaving a much greater
quantity of wood in the middle, where the screw was going through,
than at the ends.
Israel Blanchard and Harry began to make a form on which to bend
this great piece of timber by treenailing logs together, and hewing
them in the form of half the millstone the bail was to lift, or rather a
little more than half, as room must not only be left for the stone to
turn easily in the bail, but also for the head of the screw between
the bail and the stone, and also at the ends, as the holes for the
pins that attached it to the stone could not be very near the end, but
space must be left to admit treenails to prevent splitting.
On the sides of this form they fastened strong uprights opposite
each other, at proper distances, and strong yokes to slip over the
ends of them, and fastened by pins through the uprights, that could
be put on and taken off at pleasure; and made a number of large
wedges to drive under the yokes.
It was now sundown; and Sammy, who had been much more
interested in watching the work than he would have been in hunting,
went home to milk, and reflect upon the matter nearest his heart,
having enjoyed some little opportunity to converse about it with
Uncle Seth.
Sammy did not like the pumpkins and gourds as forms to mould his
dishes on; neither did he like a mould of wood, or a basket. He knew
the basket would leave the outside rough.
He sat down in the yard to milk his cow, and began; but became so
absorbed in thought, that the cow put her foot in the pail all
unnoticed by Sammy, who kept on milking mechanically.
"Why, Samuel Sumerford! are you out of your senses? Don't you see
that cow has got her foot in the pail? What in the world can you be
thinking of? Now go give that milk to the hogs, and get a clean pail.
—I declare, I don't know what has got into that child: he was always
tearing round, couldn't live without half a dozen boys round him,
always complaining that he couldn't have no good times, till
sometimes, betwixt him and that little sarpent of a Tony, I was afraid
I should go distracted; and now he goes right down to the Cuthbert
house the moment he gets his breakfast, or up to the mill with Mr.
Seth; and there he stays. He don't seem to care about company, nor
about his hens, nor any play. I don't believe he's taken a bow and
arrow nor a gun in his hand this ten days; and seems all the time in
a study."
"I'm sure, mother, I should think you'd be glad of it," said Enoch:
"you couldn't take any peace of your life for him; at any rate, all the
rest of us are glad."
"So am I, Enoch; but it seems so kind of unnatural!"
If the cow did put her foot in the pail, and if while it was there
Sammy was leaning his head against her, he got an idea that after
sleeping on he resolved to carry out in practice. But scarcely had he
despatched his breakfast when several boys made their appearance
with bows and arrows, and wanted him to go with them on a
ramble.
"Can't go."
"What's the reason?" asked Stiefel.
"Don't want to."
"If you don't go with us never, we won't help you tread clay."
"I'll go some time: don't want to go to-day."
The boys went off; and Mrs. Sumerford said, "Sam, what made you
so short with the boys? I know they didn't like it. If you wanted to
work with your clay, why didn't you tell 'em that was the reason you
didn't want to go to-day? then they would have gone down to the
Cuthbert house with you."
"I knew they would, marm; and that was just the reason I didn't tell
'em. I didn't want 'em down there: I wanted to be alone to contrive
something. Mother, if you was going to draw a piece of linen into the
loom, and study out a new figure that you never wove before, would
you want all the neighbors in, gabbing?"
"No, I'm sure I shouldn't."
Sammy went to his workshop; and his mother began to wash the
breakfast-dishes, saying, "Well, these are new times: I shouldn't
think I'd been talking with Sam Sumerford."
The first thing Sammy did was to gather up all the pumpkins,
gourds, and squashes he had been at so much pains to select and
dig out, and throw them on the woodpile: he had brought with him
a piece of ash board (a remnant that was left when Harry made a
drum, and had given him), also a large piece of thick, smooth birch-
bark pressed flat as a board, and Harry's large compasses. He sat
down at the table, and began to talk to himself:—
"I heard my brother say, and tell Jim Blanchard, he didn't want to
eat other people's cold victuals, but he liked best to build his own
campfire. I don't want to eat anybody's cold victuals neither. I'll
make my own moulds: I won't ask Uncle Seth to make 'em. If I can't
make 'em, I won't try to be a potter."
Sammy had found that the bean-pot he had made for his mother
was about the right size, but the shape did not suit: he knew that
everybody who looked at it would see that it was just the shape of a
pumpkin. To use his own expression, it was too "pottle-bellied;" and
the mouth was not large enough to admit a piece of pork the right
size. The cover of this pot dropped inside the rim of the pot; and, as
nearly all the settlers baked their beans in a hole under the hearth, it
was not so good a form for keeping out the ashes, as to have the
cover shut over the rim, with a flange on the inside of it.
With the compasses he struck out a circle on the table, the exact
size of the bottom of his mother's bean-pot, of which he had the
measure, and, boring a hole in the centre, stuck up a round, straight
willow stick considerably longer than the height of the original
vessel. Around this stick and in this circle he built up a mass of clay
as high as the stick, and much larger in circumference than the old
pot.
His object in putting the stick in the centre of his circle was to obtain
a guide, a plumb-line centre from which to work.
"When they build a haystack," said he, "they always set a pole in the
middle, and then they get all sides alike."
Having thus provided plenty of material to go and come upon, he
ran home, and got his mother's pot, and placed it on the table
beside his pile of clay; then with the compasses marked on a piece
of bark the size he intended to have the mouth of his pot, and cut it
out, levelled the top of the clay, and, making a hole exactly in the
centre of the bark, slipped it over the upright rod and downward till
it rested upon the surface of the clay; and put some flat stones upon
it to keep it in place.
He now had the centre of the top and bottom, and by measuring
found the centre of the side, and marked it in four places; and with
those guides began with his scalping-knife to slice off the clay, form
the sides and swell and taper of the vessel, and by placing a rule
across the mouth obtained another guide, till he thus formed a
model to suit his eye. Sometimes he took off a little too much in one
place, and made a hollow: then he filled it with clay and cut again,
until he felt that he could make no further improvement.
It was of much better proportions than the original, which was
manifest as they sat side by side: still the capacity of the vessel
represented by the mould was about the same. If it was a little
deeper, and had a larger mouth, it was less bulging in the middle,
tapering gradually each way.
Sammy cleaned up the table, and was walking round it, viewing his
pot from different standpoints, once in a while making some trifling
alteration, or smoothing the surface with a wet rag, when he was
greatly surprised by the entrance of his mother.
"O mother! did you come to see me work?"
"Not altogether, my dear. Nat Cuthbert said there was a pair of wool-
cards in the chamber, that he would lend me. Run up, and look for
them."
Sammy soon returned with the cards, when his mother said,—
"Had you rather be down here alone, than at play with the boys?"
"Yes, marm: I'm having a nice time."
"What made you throw all those punkins, squashes, and gourds
away, my son, after you had taken so much pains to boil and scrape
the inside out?"
"'Cause they wasn't the right shape. They had their bigness all in
one place. The punkins had their bigness all in the middle, the
squashes and gourds at the bottom. They wasn't good moulds,
marm."
"Wasn't the moulds the Lord made good enough for you to work
from?"
"The Lord don't make bean-pots, mother; he only makes squashes
and punkins and such like: if he did, he'd make 'em right, 'cause he
makes the beans, flowers, and every thing right. Marm, there's both
pots: now which do you think is the best shape? Truly now, marm."
"Well, Sammy, I think this last is the best shape, and it has a larger
mouth to take in a good piece of pork. Come, you'd better go home
with me. It's only about an hour till dinner-time."
"Has the mill been going this morning?"
"Most all the forenoon, but the wind is nearly gone now."
"Then Uncle Seth hasn't touched his bail; but he'll work on it this
afternoon, and I'll see him."
He now made a profile just the shape of the outside of his pot, from
the thin piece of ash-board, then set it off an inch from the edge,
and cut the other side to correspond: thus the inside of the profile
gave the outside of the mould, and the outside of the profile the
inside of the vessel to be made. He then placed the great compasses
each side on the middle of the mould, and by that measure cut out
another birch-bark pattern: thus he had the measure of the diameter
in three places, bottom, middle, and top. After putting the profile
and pieces of bark carefully away, he tore down his mould, flung the
clay in with the rest, laid away the stick for future use, and ran home
to dinner.
He had worked out all his plans in his head and in part with his
hands, knew he could do it, and felt easy; could go to the mill now.
But to have gone in the morning, and left that idea undeveloped—he
would not have done it to see Uncle Seth make a dozen bails.
When he came near the mill he met Uncle Seth, Israel Blanchard, Mr.
Holdness, Cal, and his brother Harry, who had been to dinner with
Israel, coming to help Mr. Seth bend the bail that he blocked out in
the stick the day before, and had not meddled with since: there
having sprung up a "mill-wind," he had been occupied in grinding.
Thus Sammy was in season.
A fire was made in the block-house, and water heated. The part of
the tree on which the bail was made being covered with straw, hot
water was poured on it till it was thoroughly steamed: then all those
strong men lifted the whole stick, and put the finished end on the
mould between two uprights, put a yoke over, and Uncle Seth drove
a wedge between the yoke and the bail, bringing it snug to the
mould, and gave the word, "Lower away." They now gradually let
down the heavy unhewn end of the stick that was in the air, the
great leverage bringing it down easily, for the bail was as limber as a
rag. Slowly the heavy timber came down, Uncle Seth meanwhile
driving wedges under the yokes, and Sammy pouring hot water on
the portions designated by the former, till the end of the stick struck
the ground.