Netseclab

Spring 2009 NETSEC LAB (V3.4)

Introduction

The purpose of this lab is twofold: to harden an install of Ubuntu 7.04 Desktop (Linux) and to compromise other computers on the lab network. Points will be assigned according to the level of compromise achieved on other boxes. A report will be required on Wednesday, April 16th for a grade, and a bonus will be given for a high score during the competition. There will be two in-lab competitions: April 6th and 8th. On each date, all teams will be given one hour concurrently to attempt to compromise the other computers, including the other teams.

Network Setup


Hard Drive and Machine Access

Each team captain will receive a hard drive in class, on which the team will have to install Ubuntu 7.04 Desktop (Linux) running the services prescribed below. Each team will be assigned an IP address. You can plug the hard drive into any unused Dell Dimension 370 system in KACB 2446. You will need a hard drive lock key for it to work. The hard drive has a serial ATA interface and may not work with many older systems. You may take the hard drives home to install patches or whatnot. All teams and victims should be configured to use the 192.168.100.0/24 network.

User Accounts

A user account called “hacker” should be created on each team box. Each team must pass the login information of that account to the TA and its password should not be changed throughout the competition. This account is used to test the services with the traffic generator, thus accurate login information is vital. Each team member should have their own logins into the system as well.

Services

During the competition, each server should have all 6 services listed in the table below available. Each service must be on the default port listed and must allow a valid login from any computer on the network. This will be tested by traffic generating scripts from random source IPs. These services should be maintained throughout the duration of the competition. SMTP should not relay, but should deliver email from anywhere to users on the box.
Service        Port
ssh            22
telnet         23
smtp           25
https          443
mysql          3306
phpMyAdmin     /pma
XMPP/Jabber    5222
MultiCastZoo   446

MySQL does not have to be available via the network, but the contents should be accessible via the webpage interface, phpMyAdmin.
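The traffic generator logs in from random source IPs, so a service that is down or bound only to loopback costs points. The following script is an added example (not part of the lab handout) that reads the output of `ss -ltn` (or `netstat -ltn`) and reports required ports from the table above that have no listener, or that are reachable only from 127.0.0.1; MySQL is exempt from the loopback check because the lab only requires it through phpMyAdmin, and phpMyAdmin itself is a path on the https server. The sample listing at the bottom is constructed.

```shell
#!/bin/sh
# Required service:port pairs from the lab table (phpMyAdmin is covered by https).
REQUIRED="ssh:22 telnet:23 smtp:25 https:443 mysql:3306 xmpp:5222 multicastzoo:446"

# listeners: stdin is `ss -ltn` / `netstat -ltn` output; prints "port address"
# for every row whose 4th field (Local Address:Port) ends in :digits.
listeners() {
    awk 'match($4, /:[0-9]+$/) { print substr($4, RSTART + 1), substr($4, 1, RSTART - 1) }'
}

# check_services: reads a listener listing on stdin, prints one line per problem
# (MISSING or LOCAL-ONLY) and returns 0 only when every required service is fine.
check_services() {
    found=$(listeners)
    rc=0
    for entry in $REQUIRED; do
        name=${entry%%:*}; port=${entry##*:}
        addrs=$(printf '%s\n' "$found" | awk -v p="$port" '$1 == p { print $2 }')
        if [ -z "$addrs" ]; then
            echo "MISSING $name (tcp/$port)"; rc=1
        elif [ "$name" != mysql ] && ! printf '%s\n' "$addrs" | grep -qvE '^(127\.|\[::1\]|::1)'; then
            # every listener on this port is loopback-only: the traffic
            # generator on other IPs cannot log in, so the service counts as down
            echo "LOCAL-ONLY $name (tcp/$port) bound to $addrs"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in `ss -ltn` format: telnet is not running and https is
# bound to loopback only; everything else is fine (mysql on loopback is allowed).
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*
LISTEN 0      128    127.0.0.1:443       0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:5222           [::]:*
LISTEN 0      128    *:446               *:*'

# On a real box run: ss -ltn | check_services
printf '%s\n' "$SAMPLE" | check_services || echo "fix the above before the competition"
```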

Goals

Points are assigned by the level of compromise each team is able to perform to the network. Do note that efficiency and creativity are given bonuses (but it’s impossible to outline them here). We want people to think up and implement new ways of exploiting machines and will reward such efforts in any way we can.
The target goals and points provided for each in this competition are as follows:
Mapping the network (2 pts. per ip)
Mapping services (20 pts. per box)
OS detection (10 pts. per victim box)
Gaining user access to a victim box (30 pts.)
Gaining user access to a team box (50 pts.)
Gaining root access to a victim box and retrieving the shadow hash file (150 pts.)
Gaining root access to a team box and retrieving the shadow hash file (250 pts.)
Time bonus: Additional points given for time to complete all of the above goals according to the time table below.
Not having services up during competition (-150 pts.)
Your box becomes compromised (-300 pts.)
Below are bonuses you can receive outside of the competition:
Super bonus: successfully cracking a password (100 pts. per password). You can continue to crack passwords up until the turn-in deadline.

Time Frame (min)   Bonus
0~5                200
5~10               150
10~15              100
15~20              50
20~30              25

Rules

In an attempt to keep the competition clean yet creative, a few simple rules should be observed.
Attackers should not change victims’ passwords unless needed for a compromise, and then it should be reset back to the original password.
No denial of service attacks against any host on the network; rate-throttle your nmaps (no -T4).
Services on the team and victim boxes should remain up and active throughout the competition. Services should not be turned off by the defender or the attacker (unless momentarily necessary for a compromise or defense). The service should still be available for legitimate use.
Absolutely no deleting of logs. They are precious as gold when writing the report.
No ARP poisoning this year; we'll use a hub. Since we have ten teams we cannot support all teams doing ARP poisoning.

Competition Days

Here is what to do and expect on the competition days:
The operator and the representative for each competing team should be present by 09:05 am.
Hopefully, by 09:10 we should have all the boxes up, and the referees will verify your setup and fix any problems.
At this point we will start the show and allow the attacking teams to start their scripts.
Each attacking team’s representative should be giving the announcer constant updates.
When an exploit is successful, the representative should alert a referee immediately so that it can be recorded.
The competition will end at 09:50-ish, or when the network fries.
The teams are then expected to stop all their attacks, clean up, and save their logs.

The Report

The report is the main portion of the project (and the part that results in the grade). The reports are informal and do not need polishing. We basically want to know how you hardened your box, what scripts you developed or used for attacking, what references (people, websites, books, independent research, etc.) you used to learn about the exploits, and a description of the effectiveness of your defense and offence during the lab. Please form your paper like this (but if you have a better format, please feel free to use it):
Introduction (specify the purpose of the lab)
Hardening Techniques
Attacking Techniques
Technique Analysis
Conclusion
Game Point Justifications
Team Member Contributions
References to web sites, books, articles, etc.
In the report’s technique analysis, you should give justifications for the points you earned in the lab. You should discuss how you found an exploit, how you used it, and some proof that the exploit worked like the shadow password file or a screenshot (please learn to take screenshots and to use the script command). Try to give us reasons to assign as much partial credit as we can. If something didn’t work, please give us your best guess why it didn’t work. We want to learn from your experiences.

What To Turn In

The reports are due Wednesday, April 15, because we don’t want you to do too much work on them. PDF or text format is preferred. (If you need extra time, please ask.)
The reports are to be sent via email (to Dr. Copeland and all four coordinators) and should not have any large sections of source code or log files or anything else that would belong in an appendix.
Do not add the appendix to the report but rather describe the contents of the tarball (containing your appendix) that I will describe later.
Your hard drive is due in class on Wednesday, April 15.
In the root home directory of the hard drive (/root), create a gzipped tarball called netsec-09Spring-teamname.tar.gz, where teamname is your team name (e.g. netsec-09Spring-Gators.tar.gz).
The tarball should have a README file describing the contents of the tarball (this should be about the same as the "appendix" that you will add to the report).
The tarball should contain files of interest to the lab including log files, exploit source code (no binaries please), tcpdump files, and anything that you’d like to reference from your report for proof.
Please reset your root password to ‘rootme’ to make our lives easier.

Document Revision History

* original (3/24/2009) at http://chrislee.dhs.org/projects/netseclab/lab_description.html

Date     | Version | Author | Notes
11/18/03 | 1.0     | Chris  | Initial Version
11/19/03 | 2.0     | Chris  | Major rehash of System Setup and Reports section.
11/19/03 | 2.1     | Julian | Suggested über bonus, minor corrections.
11/19/03 | 2.2     | Chris  | Changed schedule to have team numbers instead of order and a better description of the competition setup.
11/21/03 | 2.3     | Chris  | Added penalty for getting hacked. Changed CGI to custom-written echo server.
11/23/03 | 2.4     | Chris  | Removed erroneous port from nfs port. Extended competition time to 1 hour.
12/03/03 | 2.5     | Chris  | Added report specifications, hard drive turn-in instructions, and many other things. Created Spring version of the lab.
10/29/04 | 2.6     | Chris  | Changed to four groups. All groups attack on both days. Some prose clarifications.
11/07/04 | 2.7     | Chris  | Changed rules for unpreinstalled boxes.
11/06/05 | 2.8     | Chris  | Updated for Fall 2005
11/22/05 | 2.9     | Chris  | Removed NFS and added MySQL
11/19/06 | 3.0     | Chris  | Updated OS to FC3, dates, and webapp
03/27/08 | 3.2     | Chris  | Updated OS to CentOS 5.1, dates, and services for Spring 2009
03/24/09 | 3.4     | JAC    | Updated OS to Ubuntu, dates, and services for Spring 2009
04/27/09 | 3.4     | Selcuk | Moved the NetSecLab web under the new CSC web