Assignment 3

Due date: December 3, 11.59pm. No late penalty on assignments submitted by Dec 5, 11.59pm.

Submission Format: UTM Submit system.

Systems Security

  1. [2 Marks] (RH7.2) You now want to add intrusion detection to your hardened server. Do this by using tripwire to create an initial database for your hardened system. Next run tripwire to check the systems integrity (producing twreport1). Finally, touch a few important system files and then rerun tripwire (producing twreport2). Submit twreport1 and twreport2. Tripwire password is "passphrase".

  2. [3 Marks] (RH7.2) Run john the ripper on the system and determine if there are any bad passwords. Describe how you force a good password policy on users of this system. Describe how you limit users resources on this system. Decide on a good password and resources policy and implement it. Submit all relevant files.

  3. [2 Marks] (Windows) Use Cain and Abel on the system and determine if there are any bad passwords. Implement a good password policy. Submit all relevant files, screenshots, etc.

  4. [5 Marks] (RH7.2) For this part of the assignment, you will harden the lab image using bastille linux. Your goal will be to use this system as a http and smtp server. You will also allow ssh access to this system, but only from the local network.

    Run bastille --assess to determine the systems score using the default weightings. Now run bastille and harden your VM. After running bastille and executing the resulting script (and following their advice) rerun bastille --assess and determine your systems score. Make sure that you are still providing the required services.

    For your report, describe how you configured your system so that it was hardened and at the same time, it provides the required services. Submit /etc/Bastille/config as well as the TODO file and the final assessment (after hardening). Include any additional steps you took as a result of question 1.

Network Security

  1. [5 Marks] (Backtrack) Use nmap or zenmap to perform a network footprinting exercise on the private (192.168.0.*) network. Report all services and versions running all systems inside the network.

  2. [10 Marks] For this assignment you will be making extensive use of supplied virtual machines. Find the following VM's: DSL, FC4, Ubuntu804, RH7.2, Windows XP Professional Base, and Backtrack5. Please let me know ASAP if you have any problem running these. You will setup the following network: ------------------------------------------------------------------------------------------------- Private Side: VMNET8, 192.168.0.0/255.255.255.0 Ubuntu: 192.168.0.100 Serving web and mail to the private network sudo bash for root Backtrack5: IP (dhcp) root/toor Windows XP Pro: 192.168.0.70 csc347/password DSL: 192.168.0.80 (To put this on the private network, you will need to switch to VMNET8) Administrators machine sudo su for root Setup networking by DSL > Setup > Net Setup > netcardconf. Make the firewall the default gateway. Make sure you choose the correct side of the firewall depending on where you put this on the network. FC4 Firewall/Gateway: eth1: 192.168.0.10 eth0: 10.10.10.10 root/password see /etc/sysconfig/myFirewall.bash Public Side: VMNET1, 10.10.10.0/255.255.255.0 RH72: 10.10.10.111 (configure this yourself) (see /etc/sysconfig/network-scripts/ifcfg-eth0 and reboot) hacker/password root/password DSL: 10.10.10.130 (you can switch the IP of this machine manually) DSL: 10.10.10.131 DSL: 10.10.10.132 (CEO) Configure your FC4 firewall using IP tables (see the lecture notes for my example firewall scripts).
    1. The 10.10.10.* network is the public network. The 192.168.0.* is the private network.
    2. Configure your firewall so that external http, https and smtp traffic can get to your web/mail server (the Ubuntu box).
    3. The web/mail server will also need to connect out on port 555 to relay email (the RH72 machine should be running a mail server for testing). You may have to sign in as root, change the port (/etc/mail/sendmail.cf) start the service on the RH7.2 machine (/etc/init.d/sendmail start).
    4. Allow 192.168.0.80 to ssh and ftp into the firewall. No other access into the firewall is permitted.
    5. Allow 10.10.10.130,131 (outside the local network) to ftp and ssh into the web/mail server by using ports 3344 and 3345 respectively on the external side of the firewall. This is the only external ftp and ssh access allowed into the web/mail server.
    6. The CEO has a windows box inside the private network (192.168.0.70). The CEO (with fixed IP 10.10.10.132) would like to have remote desktop access to his desktop on port 7784. Configure your firewall so that this is the case. The CEO's windows machine should have RDP restricted so that only their external machine can connect (discuss what should be done to make sure this is the case). See this document on how the change the RDP port on Windows XP.
    7. All machines inside the private network have their default route set to 192.168.0.10. All external machines know nothing about the internal network. Their default route can be set to 10.10.10.99 (a non-real machine).
    8. Finally, imagine that the only routable IP is 10.10.10.10. All internal machines should share this IP for internet traffic.

    Submit your firewall script annotated so that it is clear which parts of your script accomplish which parts of this question.


  3. [10.5 Marks] You work in KGB as a digital security expert. Your boss gave you a network capture pcap file (evidence02.pcap) and asked you to investigate it. In particular, he suspects that one of the employees communicated with an agent from some other US-based spy organization. He thinks they arranged a meeting at which his employee might try to sell classified information. In order to prevent this, he wants to find out everything about this employee, the US spy organization, the agent, the location and details of their meeting point. Prepare answers to the following questions for your report. Document how you discovered the answers from the evidence file.
    1. What is the source IP of the email sender (0.5 point)?
    2. What is the computer ID of the email sender (0.5 point)?
    3. Who is the sender of the email (0.5 point)?
    4. What username does the sender of the email use to log into the mail system (1 point)?
    5. What is the sender's email (0.5 point)?
    6. Do you find any vulnerabilities in the mail system (1 point)?
    7. What organization was the email sent to (0.5 point)?
    8. What encoding scheme does the mail system for coding usernames/passwords use (0.5 point)?
    9. What is the email password (1 point)?
    10. Who was an email sent to (0.5 point)?
    11. What is the NAME of the attachment sent (0.5 point)?
    12. What is the person instructed to bring with him (0.5 point)?
    13. What is the MD5sum of the attachment sent (1 point)?
    14. In what CITY is their meeting point (1 point)?
    15. What is the MD5sum of the image embedded in the document (1 point)?

  4. [10 Marks] Backtrack VM has scapy networking library installed. Knowing that the firewall passes traffic to a destination port 555 out of web/mail server (Ubuntu host), your goal (as an attacker) to write 2 scripts that send a the message "Private network is hacked" from Backtrack VM appearing as they are coming from the Ubuntu host. That is, script1 will be run on a backtrack setup in the private network. Script2 will be run on a different copy of backtrack in the public network. Script1 should construct fake packets with the message encoded appearing as they are coming from the Ubuntu host. Script2 should listen for these fake packets and print out the message. Submit the scripts and document how to use them.
    1. BONUS 1: To prevent the administrators from noticing this secret message, encrypt/decrypt the message using any encryption algorithm (2 points).
    2. BONUS 2: Extend the functionality to support sending any file (4 points).


Q and A Section:
  1. Note the update in the last question.
  2. Q: "What tools do I need to use for Network Security Q2?" A: You just need to use iptables on the FC4.
  3. Q: "What is the TODO file for the Bastille question?" A: The TODO file must include any additional steps which you think are required to complete to harder the OS.
  4. Q: "Which RH VM should I use?" A: Please use RH72LabImage_2013_2.rar. Also, use Ubuntu804Server_ftp.rar and FC4_ftp.2013.tar.gz. You need ftp server for the firewall question. Sue installed vsftpd on those machines. You will need to add a user for testing (google any how-to).