TECH 581 W Computer Network Operations: Laboratory 7, Team 2

Abstract

Penetration testing has been the point of this course. Performing a live penetration test against a production network from time to time can result in the discovery of security holes. Those security holes discovered during a penetration test might allow an attacker to gain unauthorized access to an organization's data and use that data for their own purposes. Any exposure of sensitive corporate information could cost an organization a large sum of money, or the ability to do business at all through loss of reputation or legal action. For that reason penetration testers and security consultants make “the big bucks.” However, in order to become a successful security practitioner we need to start somewhere.

In lab seven, we will be building on the results of all previous labs. With that in mind, the point of lab seven is threefold: first, to secure a target machine against attack; second, to actually attack an adversary's machine; and third, to gather and report forensic data after a successful attack.

Literature Review

Breaking Blue: Automated Red Teaming Using Evolvable Simulations by Stephen Upton, Sarah Johnson, and Mary McDonald

In this article the authors talk about automated red teaming. The military defense community has used the red teaming technique with great success. The authors talk about automating this process using evolutionary algorithms and agent-based simulations. The system runs millions of simulations through which it learns to thwart, evade, or exploit gaps in the blue team's defenses. The authors developed a test scenario with evolutionary algorithms. They used a simple mutation operator and tournament selection and ran the algorithm for 25 generations, resulting in only 100,000 runs. According to the authors this was a sufficient volume of data.

Cyberattacks: A lab-Based Introduction to Computer Security by Amanda M. Holland-Minkley

This article is about how the department of Information Technology Leadership at a liberal arts college answered the need to teach information security to entry-level and non-technology students. The department created a new course called Cyberattacks, which would attract several types of students. According to the author, the class has been a success both times it was offered. Several students have continued taking classes within the department and some have even changed majors. The author goes into detail about the setup of the laboratory and the labs the students do throughout the course.

Defense Against the Dark Arts by Mark Bailey, Clark Coleman, Jack Davidson

This article is similar to the previous article, Cyberattacks: a computer science department is struggling to keep enrollment up. According to the article, enrollment in their computer science department was decreasing and they were looking for a way to reconnect with students. Their solution, similar to the previous article, was to show students techniques for defending against viruses. They too gave the class an attractive name, Defense Against the Dark Arts. After this, the department also saw an improvement in attendance. Both classes that were offered were filled with students. The authors reported that the two classes were a success with students.

Protocol Preventing Blackbox Tests of Mobile Agents by Fritz Hohl and Kurt Rothermel

In this article the authors talk about developing a protocol to prevent blackbox tests against mobile agents. The protocol proposed “uses registries, i.e. services on other, trusted nodes” (p.1). The input data can also be hashed to be used as “some kind of challenge which ensures enough freshness of messages between an agent and a registry”. From the point of view of the attacker, the agent's “input and output of the blackbox can be observed by the attacker, and it is possible to execute the agent” (p.2). The authors define the blackbox characteristics of mobile agents that can be protected. The authors mention that executing the testing techniques several times with different input parameters can be done sequentially or in parallel.

Investigating Sophisticated Security Breaches by Eoghan Casey

In this article the author talks about how investigating cyber crimes requires “out-of-the-box forensic” (p.49). The author goes on to talk about how computer security professionals and digital investigators should and can work together. When an investigation is underway, a team of information security professionals should be doing the digital investigating. The team should have a wide range of skills such as “information security, digital forensics, penetration testing, reverse engineering, programming, and behavioral profiling” (p.50). Investigations are often quickly paced and can cross several law enforcement jurisdictions.

Methods

There were four main parts to the completion of lab seven. First, we created a penetration-hardened target machine. Because our target machine was Windows Server 2003, we secured it using the NIST security checklist for Windows Server 2003. We specifically applied the patch settings specified by NIST and updated the system to the latest patch level. We changed the administrator account name to “youwillnevergetin” and the password to “M@ryh@d@little”. We turned up all of the security logging provided by Windows Server 2003. We disabled all settings and services related to NetBIOS, the computer browser, and the remote registry. Finally, we enabled the Windows firewall with only one exception: remote desktop protocol (RDP) on port 55581 instead of the typical 3389. However, accessing our system via RDP required more than just connecting on the correct port; the firewall rule also only allowed access from a specific IP address. To obtain RDP access to our machine, one would first need to RDP to the machine with the IP address specified in the firewall rule, and then start another RDP session from it to our target machine on the port specified.

We also enabled Wireshark on one of our Windows XP machines with a capture filter of our target machine's IP address to observe possible attacks. We performed these steps to ensure that our attacking team, team one, would not be able to penetrate our target machine. This was done using virtual machines running on VMware Workstation inside Citrix Presentation Server on the subnet 205.215.116.0/24. We then emailed our adversary (team one) our target machine's IP address of 205.215.116.52. The window during which we had to protect the machine was from 7/22/2009 5pm until 7/25/2009 11pm, all times in Central Daylight Time.
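The hardening above relies on two firewall controls, the moved RDP port and the source-address restriction, and on logging. The following Python script is an added example, not the team's own tooling or part of the original report: it reads a Windows Firewall log in the pfirewall.log layout (a `#Fields:` header followed by space-separated columns), flags inbound attempts on the closed NetBIOS/SMB ports and on the default RDP port, and flags any attempt on port 55581 that does not come from the allow-listed jump host. The target address 205.215.116.52 and port 55581 are taken from the report; the jump host address 205.215.116.10 is assumed, since the report does not give it, and the log lines are constructed sample data.

```python
"""Review a Windows Firewall log for activity aimed at a hardened host.

Added example for this report, not the team's own tooling. Assumes the
pfirewall.log layout written by Windows Firewall (a "#Fields:" header
naming space-separated columns). The target address and RDP port come
from the report; the allow-listed jump host address is assumed, and the
log lines below are constructed sample data.
"""
from collections import Counter

TARGET_IP = "205.215.116.52"               # team two's target machine (from the report)
RDP_PORT = 55581                            # non-default RDP port (from the report)
ALLOWED_RDP_SOURCES = {"205.215.116.10"}    # assumed jump host; the report does not name it
WATCHED_PORTS = {                           # ports the hardening checklist closed or moved
    3389: "default RDP port",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}

# Constructed sample log: one host probing the closed ports and the custom
# RDP port, followed by a legitimate RDP session from the jump host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-07-23 14:02:11 DROP TCP 205.215.116.41 205.215.116.52 3021 3389 48 S 1094 0 65535 - - - RECEIVE
2009-07-23 14:02:12 DROP TCP 205.215.116.41 205.215.116.52 3022 445 48 S 1095 0 65535 - - - RECEIVE
2009-07-23 14:02:12 DROP TCP 205.215.116.41 205.215.116.52 3023 139 48 S 1096 0 65535 - - - RECEIVE
2009-07-23 14:02:13 DROP UDP 205.215.116.41 205.215.116.52 137 137 78 - - - - - - - RECEIVE
2009-07-23 14:05:40 DROP TCP 205.215.116.41 205.215.116.52 3030 55581 48 S 1097 0 65535 - - - RECEIVE
2009-07-23 15:10:02 OPEN-INBOUND TCP 205.215.116.10 205.215.116.52 1443 55581 - - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Turn log text into a list of dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, ...)
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misattribute columns
        records.append(dict(zip(fields, values)))
    return records


def review_firewall_log(text, target_ip=TARGET_IP, rdp_port=RDP_PORT,
                        allowed_sources=ALLOWED_RDP_SOURCES):
    """Return (timestamp, source, dst_port, description) for each suspicious inbound record."""
    findings = []
    for rec in parse_firewall_log(text):
        if rec.get("dst-ip") != target_ip or rec.get("path") != "RECEIVE":
            continue  # only inbound traffic to the protected host
        try:
            dst_port = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue  # ICMP and similar records carry "-" as the port
        src = rec["src-ip"]
        when = f"{rec['date']} {rec['time']}"
        if dst_port == rdp_port and src not in allowed_sources:
            # The source-address restriction is the control doing the work here;
            # the port change alone does not stop a scanner that has found 55581.
            findings.append((when, src, dst_port,
                             f"RDP attempt from non-allow-listed source ({rec['action']})"))
        elif dst_port in WATCHED_PORTS:
            findings.append((when, src, dst_port,
                             f"{WATCHED_PORTS[dst_port]} probe ({rec['action']})"))
    return findings


def summarize_by_source(findings):
    """Count findings per source address, so repeat scanners stand out."""
    return Counter(src for _, src, _, _ in findings)


if __name__ == "__main__":
    hits = review_firewall_log(SAMPLE_LOG)
    for when, src, port, what in hits:
        print(f"{when}  {src} -> {port:<5}  {what}")
    print("by source:", dict(summarize_by_source(hits)))
```

Run it directly to print the findings for the sample log, or pass the contents of a real pfirewall.log to `review_firewall_log`. Keeping the two rule classes separate makes the log show which control is doing the work: a DROP on 55581 from an unknown source is the address restriction holding, while hits on 137/139/445 confirm those services are closed at the firewall as the checklist intends.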

The second part of the lab was to create an exploit plan against our chosen target machine. Team three was chosen for us, by the professor, as our primary adversary. Fully knowing the extent to which team three would go to protect their systems, a plan was formed. That plan was actually very simple; our exploit plan for team three was based on layer eight of the OSI reference model. Due to the nature of our exploit plan, I am forbidden from discussing it in any further detail. This was performed outside of the VMware / Citrix environment and on 7/22/2009. The third part of the lab was to actually attack our adversary. Based on our exploit plan, we first set a packet capture in motion with a filter of team three's IP address (205.215.11.36). We were able to gain access to team three's systems on the first attempt, using our layer eight exploit. We attempted to place the required file detailing our successful exploit on the root of team three's C: drive, but failed. In an attempt to scare team three, we placed an empty text file with our team name on the desktop of the user whose account we broke into their systems with, and later deleted it. This was achieved on 7/23/2009, multiple times, on team three's target virtual machine. This task was performed as part of our exploit plan, per the direction of the lab design. Once we had completed our plan against team three, we discovered that team one had lax security measures in place on their target machine, and we exploited it. There was no plan in place, as we did not intend to do so at the beginning. However, on 7/24/2009, we successfully placed the required text file at the root of team one's target C: drive. This was accomplished using Metasploit, and was performed because team one was our attacking team.

The fourth and final part of the lab was a forensic analysis of our target system. Three items existed: a declaration of “no joy” by team one, the lack of a text file at the root of our C: drive from any team, and the captured packets for our target machine. Based on these three items, all of which came out after the attack window closed, on 7/26/2009 at 12pm CDT, we determined that we did not need to perform a forensic analysis.

Findings

We were not able to completely exploit team three's target machine because they changed the access rights on the root of their C: drive from the default to read-only for the user we gained access with. We found that team three attempted to obfuscate their chosen operating system by installing SSH on Windows XP SP3 and naming the user who had access to SSH “not_root.” We discovered that the administrator account was renamed to “the_big_one.” We found that, based on the lab, there was no requirement either to attack only our chosen team or to refrain from ganging up on any team. With that in mind, team five and team two were able to exploit team one's target machine on the first attempt using Metasploit and the MS04_007 killbill and MS04_011 lsass exploits. This was accomplished after an NMAP scan revealed the default open ports of 137, 139, and 445 on team one's target machine. We received team one's target IP address of 205.215.116.50 from team five. The exploit was achieved on 7/24/2009. We also found that the packet capture placed on team three's machine provided next to no information, but the one we placed on our target machine was useful in determining the lack of a successful attack. We did not find any text file on the root of the C: drive detailing a successful attack by any team, including team one. This meant that we did not need to perform a forensic analysis, as we were successful in defending our target machine from attack.
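The finding that an NMAP scan showed 137, 139 and 445 open on team one's target is exactly what a hardening baseline should catch before an adversary does. The following Python script is an added example, not the team's own tooling: it parses nmap's grepable (`-oG`) output, in which each `Host:` line carries `Ports:` entries of the form `port/state/protocol/owner/service/rpcinfo/version/`, and audits every host against the checklist (NetBIOS and SMB ports closed, RDP not on 3389) and a per-host baseline of what it is allowed to expose. The addresses come from the report; the scan lines are constructed to match what the report describes, and 135/msrpc is added as a constructed example of a port that is merely off-baseline rather than forbidden.

```python
"""Audit nmap grepable output against a host-hardening baseline.

Added example for this report, not the team's own tooling. Assumes the
"-oG" grepable format nmap writes ("Host: <ip> ()<TAB>Ports: <entries>"),
where each entry is port/state/protocol/owner/service/rpcinfo/version/.
The two addresses come from the report; the scan lines are constructed
to match what the report describes (137, 139 and 445 open on team one's
target, only the custom RDP port reachable on team two's).
"""
import re

# Port entry as written by nmap -oG: seven slash-terminated fields.
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Ports the Windows hardening checklist expects to be closed on any member host.
CHECKLIST_CLOSED = {
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    3389: "default RDP port",
}

# What each hardened host is expected to expose, per the report.
BASELINE = {
    "205.215.116.52": {(55581, "tcp")},   # team two's target: custom RDP port only
}

# Constructed sample scan output in nmap's grepable layout.
SAMPLE_SCAN = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 205.215.116.50 ()\tStatus: Up",
    "Host: 205.215.116.50 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 137/open/udp//netbios-ns///\tIgnored State: closed (996)",
    "Host: 205.215.116.52 ()\tStatus: Up",
    "Host: 205.215.116.52 ()\tPorts: 55581/open/tcp//unknown///\tIgnored State: filtered (999)",
    "# Nmap done (constructed sample)",
])


def parse_grepable(text):
    """Map each scanned host to its open ports as (port, protocol, service) tuples."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, [])   # a host with only a Status line is still recorded
        start = line.find("Ports:")
        if start < 0:
            continue
        section = line[start + len("Ports:"):]
        end = section.find("Ignored State:")
        if end >= 0:
            section = section[:end]
        for entry in section.split(","):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue  # tolerate trailing whitespace or partial entries
            port, state, proto, _owner, service = m.group(1, 2, 3, 4, 5)
            if state == "open":
                hosts[ip].append((int(port), proto, service))
    return hosts


def audit_host(ip, open_ports, baseline=BASELINE):
    """Return one finding string per exposed port that the checklist or baseline rejects."""
    expected = baseline.get(ip, set())
    findings = []
    for port, proto, service in sorted(open_ports):
        if port in CHECKLIST_CLOSED:
            findings.append(f"{port}/{proto}: {CHECKLIST_CLOSED[port]} reachable; "
                            "checklist says disable the service and block the port")
        elif (port, proto) not in expected:
            findings.append(f"{port}/{proto} ({service or 'unknown'}): not in the host's baseline")
    return findings


def audit_scan(text, baseline=BASELINE):
    """Audit every host in a grepable scan; only hosts with findings are returned."""
    report = {}
    for ip, ports in parse_grepable(text).items():
        findings = audit_host(ip, ports, baseline)
        if findings:
            report[ip] = findings
    return report


if __name__ == "__main__":
    for ip, findings in audit_scan(SAMPLE_SCAN).items():
        print(ip)
        for finding in findings:
            print("  -", finding)
```

Replace `SAMPLE_SCAN` with the contents of an `-oG` file from a scan of your own hosts; `audit_scan` returns only the hosts that need attention, which is the list a defending team would want before the attack window opens.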

Issues

We had two issues with the lab. First, on 7/24/2009 we cried foul against team three. When they discovered the attack we performed against them and shut down their system for one hour, they changed their account passwords during that offline hour. This was a clear violation of the rules of the lab. However, the professor's judgment on the incident resulted in no sanctions against team three. Team two takes issue with this because the point of the lab, in team two's opinion, is to show both how penetration testing works and how digital forensics factors in by monitoring and documenting suspicious activity. By changing their passwords and taking the system offline, team three defeated that purpose. A MUCH more intelligent thing to do would have been to turn up all manner of logging BEFORE the exercise began, not to change account passwords. If team three had done this, team two would never have known, they would not have scared off their attacker, we would not be here now, and their results would be that much more interesting. As the professor always states, failure is an option. In information security it is not a question of if we get attacked, but when, and what we do then. In real life, contacting the authorities (aka the professor) would result in your systems being taken offline until the investigation was complete. That renders you unable to conduct business, and therefore out of a job. While that is a valid course of action, I question team three's choice to run away rather than deal with the problem.

Second, the IP address provided by team one to team five was 205.215.116.50, which when attacked was a Windows machine with the root of the machine being C:. However, team one is reporting no files found in /root/. This presents an issue in that they either sent out the wrong IP address, they did not disable DHCP, or they placed a “root” directory on C: (C:\root) and indeed there is no file there. If any of the above are true

Conclusions

Performing a penetration test against an adversary can be a very rewarding, if not scary, process. The thrill of actually breaking the security measures put in place, in a capture-the-flag style approach, can be an extreme high. However, once you realize that what you achieved happens every day and can cost the company you work for its ability to do business, coming off that high is a traumatic experience. Using the tools and techniques presented to us in this course to perform a live penetration test on lab systems was a really amazing conclusion to the course. By realizing that layer eight is more than just an idea, but a very real and exploitable layer of the OSI model, we truly realize that people are the weakest link. By enacting a good employee training program and combining it with a progressive technological and policy-based approach to information security, we can rest a little easier knowing that we've applied the concepts in this course to real-life stakes, and have done so successfully.

Works Cited

Bailey, M., Coleman, C., & Davidson, J. (2008). Defense Against the Dark Arts (pp. 315-319).

Casey, E. (2006). Investigating Sophisticated Security Breaches (pp. 48-55).

Hohl, F., & Rothermel, K. (1999). A Protocol Preventing Blackbox Tests of Mobile Agents (pp. 1-12).

Holland-Minkley, A. (2006). Cyberattacks: A Lab-Based Introduction to Computer Security (pp. 39-45).

Johnson, S., McDonald, M., & Upton, S. (2004). Breaking Blue: Automated Red Teaming Using Evolvable Simulations. GECCO (pp. 1-3).

10 comments for “TECH 581 W Computer Network Operations: Laboratory 7, Team 2”

  1. dkender
    July 30, 2009 at 12:51 pm

    Team 2 begins with a discussion of the importance of penetration testing. They state that lab 7 builds on the results of all previous labs. They state that the objectives of lab 7 are three-fold. The first is to secure a target network. The second is to attack an adversary’s machine. The third is to gather and report forensic data of the successful attack.

    Team 2 continues with a literature review of the readings that had been assigned in conjunction with this lab. In their review of the article “Defense Against the Dark Arts” team 2 includes the sentence “According to the article enrollment in there computer science department was at a decrease and they were looking at a way to reconnect with students”. I believe in this context they should have used “their” instead of “there”. Team 2 provides a good, brief description of each article. However, they don’t compare the articles to each other and don’t relate the articles in any way to this laboratory assignment.

    Team 2 begins their methods section by discussing the system that they set up to be attacked. They describe the system as a Windows Server 2003 and used the NIST security checklist to harden it. They do not provide any mention in their references section concerning the NIST document that they used. They changed the default port of Windows Remote Desktop 55521 to help to hide it. They also enabled Windows Firewall and set packet filtering on port 55521 to only allow connections from a specific IP address. Although they did a very good job of hardening their system, they do not provide a reference to the security document that they used to secure it. One might have to question whether all of these methods that they used are contained within that security document (as required by the lab assignment).

    Team 2 then discusses their exploit plan. They state that they were assigned to attack Team 3. The only explanation of the methodology that they provide is that it fell within layer 8 of the OSI reference model and outside the VMware/Citrix environment. They state that “Due to the nature of our exploit plan, I am forbidden from discussing in any further detail”. Team 2 failed to meet the lab objectives as stated in the assignment, “exploit team must provide a detailed explanation exactly how they accomplished/failed to exploit the target system”. Certainly their unwillingness to disclose details of their exploit methods constitutes a failure to accomplish a portion of the laboratory assignment. This also raises questions about whether their methods were unethical, or even illegal. Their admission that their exploit was conducted outside the Citrix environment is a direct violation of a lab 7 directive; to use lab networks only. It is interesting that they state that they placed an empty text file within the file system of Team 3’s machine in an effort to “scare” Team 3. Since one of the objectives of the lab is that attackers must hide their tracks, I would have to wonder why they felt that it was necessary to draw attention to their breach of the system by attempting to “scare” the other team. Team 2 did not conduct any forensics analysis because they stated their system was not breached.

    In their issues section, Team 2 complains that Team 3 changed their password which prevented them from further access to the system. The lab assignment was unclear concerning the purpose of the 1-hour shutdown time, and therefore Team 3 misunderstood. In a real world scenario a system administrator who detected unauthorized access to a user account would disable that account or change the access credentials. A question exists though. If Team 2 had conducted a legitimate exploit, why then didn’t they repeat the steps to recover the new user name and password? We cannot answer this question since Team 2 is unwilling to reveal their exploit method.

    Overall, Team 2 did not fulfill the requirements of this laboratory assignment. Aside from the spelling and grammatical errors contained in their lab report, Team 2 does not provide the attack method used against their assigned target (as required by the laboratory assignment). Nor do they provide a reference to the NIST documentation that they claim to have used to secure their system. This leaves someone wishing to challenge their method of securing their system with little choice but to attempt to search for the document themselves. Although their literature review contains a good overview of each article, they failed to relate them to each other or our current laboratory assignment. It seems that with Team 2’s win-at-all-costs attitude they have forgotten that this is a class and that certain requirements must be met.

  2. jeikenbe
    July 30, 2009 at 4:36 pm

    This group’s abstract starts off by explaining the concept of penetration testing and why it is important. This explanation is not the type of information that should have gone in this abstract. This lab is dealing with anti-forensics. This abstract did not include any explanation of anti-forensics. The group should have tied this lab into the rest of the labs by showing how anti-forensics can be used to detect attacks and prevent further security breaches. The rest of the abstract explains the steps involved in this lab. The literature review was not written very well. The group lists each article and gives a brief summary of the article and nothing else. The literature reviews seemed like they were rushed. They did not tie the articles into the current lab or the whole course, they did not tie each article to each other, they did not explain the methodology or research involved in the article, and there were no errors or omissions suggested in this literature review. This literature review was not a review, but a summary of each article. The group’s methodology starts off with a confusing first few sentences. The group states that they are using a NIST document for a Windows Server 2003 machine, but do not declare what the system that they are trying to harden was. This only leads to the guess that a Windows Server 2003 operating system was used. This also leads to another problem. According to the rules of the lab only the following systems could be used: Windows XP, Windows Vista, Ubuntu, and Fedora 8. The group used a Windows Server 2003 system to harden and that was not on the list. The group then goes on to explain how they hardened their system using the NIST document. They also explain how they opened a remote connection port for the professor to access, but they included a lot of restrictions to this port to make it more secure. They also explain that they used a separate system to monitor their hardened system using Wireshark.

    The team also could have monitored the network traffic against their system by watching the firewall logs. This would have exposed any scans of their system. In the next part of the methodology the group discusses their plan to exploit team 3’s target computer. They state that they used an extended OSI layer 8 attack, but do not explain the actual attack. They then explain that they tried to use the layer 8 attack, but failed to place the exploit file on the C: drive. They then explain that they placed an empty file, with the team’s name on it, on the desktop of the target computer in an attempt to scare team 3. This is confusing, because if they are able to place a file on the desktop of the target system, why do they not have access to the C: drive? They then found later that the target computer did have vulnerabilities in it and they were able to exploit the system and place the exploit file in the root drive. Another statement that did not make any sense was the statement about how the exploit was done using Metasploit, and was performed because team one was our attacking team. What did team one have to do with exploiting team 3? The team then explains that they did not do any forensic analysis, because there was no declaration of their system being exploited. In the findings the group does make the previous statement of why they were able to place the files on the desktop and not on the C: drive more clearly by changing the access rights to the root drive. The group then explains how they discovered how team three tried to hide their operating system using SSH on a Windows XP SP3 machine. The group then teamed up with team 5 in an attempt to penetrate team 1. They declare that they were successful in exploiting the system by placing the exploit file in the root drive. Both teams got this wrong though. Little did they know that the computer that they exploited was team 4’s Windows XP SP0 machine, which was not a target computer.

    The IP addresses must have been scrambled in all the attacks that were going on through the network. There was a lot of ARP poisoning going on in the network. The group then examines their hardened system and discovered that there were no exploit files on their root drive and forgoes the forensic analysis. In the issues section the group explains that team 3 did not follow the rules of the lab by changing their password while they brought their system down after detecting an attack on their target computer. This is arguable in that the rules state that the computer can be brought down for an hour and changes can be made to that system in that hour it is offline, but no changes can happen outside that hour offline. The team argues that team 3 was running away from the situation and not facing the attack. In my opinion team 3 was facing the attack by adjusting the system to stop the attack in accordance with the rules. Last in the issues the team states that team 1 was not honest about their setup. Team 2 and team 5 did not realize that the IP addresses were getting scrambled due to ARP poisoning and that they attacked the wrong computer. This only means that no one was to blame for foul play. In the conclusion the group states that the users of the systems are the weakest links and that through training, progressive technology, and policy-based approaches to information security could help improve the security of a system.

  3. mvanbode
    July 30, 2009 at 7:06 pm

    Has this class been about penetration testing or securing a system? Once again, the grammar in team 2’s lab report is bad. There are lots of typos, run-on sentences, and wording that just makes it very hard to understand what the team is trying to get across to the audience. For as detailed as the lab write-up given to the teams was, I would expect more detail in the abstract on the outline of the lab experiment. The team made the lab seem like it would be 3 very basic, simple steps. This was not the case in other teams. Research was done, exploits were played with, and the forensic data report was only needed if the attack worked. The abstract could have stated that part of the lab was only needed if the attack worked. For some reason team 2 went from having slightly cohesive literature reviews, to ones that look like lists, have improper APA 5 citations, and are nowhere near the required length. What happened? Each article got basically a small paragraph for the review. Few of the required questions are answered. Reading the literature gave me little information about what the articles are about, and how they pertain to this lab experiment.
    In the abstract, team 2 states that there are 3 parts to the lab. The very first sentence of the methods section states “There were four main parts to the completion of lab seven”. Items like this make it very clear that more than one person wrote the lab report as well as that there was no collaboration between the team members when writing the lab report. The methods section was the most detailed it has ever been for this team. Good job!! If you are not able to discuss how you used a layer 8 exploit, then your team completely destroyed the ability of duplication of your lab. The methods section should be precise enough for anyone to pick up. A real penetration tester could not get away with saying they are forbidden from telling the client how they were able to get into the system. Tell the teams how!!! Maybe you can teach the rest of us something. The last sentences of the issues section seemed to be cut off. “If any of the above are true” is not a sentence. Was formatting the issue with this, or did team 2 not finish the lab report? The last reference is formatted oddly. Maybe team 2 had formatting issues for the entire lab report, but to me it just seemed like this report was rushed and put together too quickly. We had more than enough time to write the lab report, in fact about 3 days more. Of all the labs that team 2 has done, this is the worst formatted.

  4. tnovosel
    July 30, 2009 at 9:12 pm

    In the abstract, team two described the importance of penetration testing and briefly described what was to be accomplished in this last laboratory exercise.

    In the literature review section of the laboratory report, team two gave brief summaries of the assigned articles. However, team two did not relate the articles to each other or explain how the articles pertained to the course or laboratory exercise.

    In the method section of the laboratory report, team two described how they used a NIST checklist document to harden their Windows Server 2003 virtual machine. I was somewhat surprised that team two chose this operating system because I thought the assignment sheet indicated that the groups that wanted to use a Windows system must use Windows XP or Vista. I found some humor in the name the group gave to their administrator account when they renamed it to “youwillnevergetin”. Team two enabled all security logging, disabled all settings and services related to NetBIOS, computer browser, and the remote registry and enabled the Windows firewall with the exception of remote desktop protocol (RDP) on port 55581 instead of the typical 3389. The IP address of team two’s Windows Server 2003 virtual machine was 205.215.116.52. When explaining how team two attacked team three I could not figure out why the team stated “Due to the nature of our exploit plan, I am forbidden from discussing in any further detail.” I do not understand what is to be gained by withholding findings in a peer environment. However, the group did disclose part of their plan when they stated “Based on our exploit plan, we first placed a packet capture with a filter of team three’s IP address (205.215.11.36) in motion.” With this technique group two stated that they were able to exploit team three’s computer. However, they were not able to place the text file proclaiming their victory onto the system. However, team two stated “In an attempt to scare team three we placed an empty text file with our team name on the desktop of the user we broke into their systems with, and later deleted it.” I could not figure out why they were unable to put the file in the proper directory if they could do these other tasks.
    Team two then turned their attention to their attacker, team one, and stated that they were able to exploit their system as well and stated that they successfully placed the required file on their C: drive. So the hunter became the hunted.

    In the results section, team two attributed their inability to place the file on team three’s drive to team three changing the access rights on the root of their C: drive from the default to read only for the user we gained access with. Team two teamed up with team five to attack team one via Metasploit and the MS04_007 killbill and MS04_011 lsass exploits. Team two’s machine was never compromised during the exercise.

    In the issue section, team two cried foul against team three for changing their password when they discovered that they were under attack. The team also listed the IP conflict with team one’s system as an issue.

    In the conclusion section, team two described how enjoyable the last lab was and attributed part of their success to layer eight vulnerabilities.

  5. July 30, 2009 at 11:31 pm

    The abstract fails to summarize the lab activities with enough depth, instead the reader is treated to a brief summary of penetration testing and why it’s a good idea. The abstract makes no mention of the main topic of lab seven, anti-forensics. The literature review, again, is not in the appropriate format. Each piece of assigned literature is handled individually with no cohesion or comparison to the other papers or mention of how the literature relates to the lab exercises of lab seven. It’s difficult to criticize this any further as each paper is literally summarized in a short paragraph without even an opinion from the group on whether or not they agree or disagree with the statements made in the literature.

    The first sentence of the methodologies conflicts with a statement made earlier in the abstract. Are there three parts or four parts to the lab? Team two did mention the guide they used to secure the virtual machine but did not cite it anywhere so it would be difficult to reference the exact guide and steps they used. Being familiar with the NIST guide, I’m curious as to what settings from the guide were utilized. The NIST guide defines different levels of security depending on the system’s purpose; it would be useful for anyone attempting to recreate this lab to know which of those was chosen, why it was chosen, and how the steps were implemented. The steps used to implement the required remote access for the lab were better detailed and well thought out. The steps that team two used to exploit team three are severely lacking. With layer eight of the OSI model being “People,” it’s disappointing to see how the attack was performed. The excuse that discussing it is “forbidden” doesn’t satisfy the lab requirements. The exploit of team one’s machine was also severely lacking in detail. How was this machine exploited? Was it another layer eight attack that you’re “forbidden” to discuss? According to team five’s report a coordinated attack was performed utilizing different Metasploit exploits. Why wasn’t this mentioned in the methodologies? Also missing from both exploits was any mention of anti-forensic measures that were used to hide tracks or obfuscate efforts.

    The findings section is more of a summary of the methodologies and some detail that should have been present in the methodologies. The issues section, however, is very interesting. The detail of the “cry foul” procedures is very insightful along with the analysis of how team three handled the breach. I wholeheartedly agree with team two on this issue and believe that team three missed the point of the lab by doing what they did. Had they noticed the attack and discreetly observed the activities in greater detail they would not have tipped off team two that they knew anything. Had they looked at their logs of the system, from what team two says, they would have seen a successful login attempt on the first try. If team two is connecting to the system on the first try with a successful password, some attack paths become obvious that should have warranted closer inspection.

  6. mafaulkn
    July 31, 2009 at 10:56 am

    I disagree with team 2’s assertion that the point of this course has been about penetration testing. We not only have learned about penetration testing but also how to defend against attacks, which was also the point of lab 7. Team 2’s abstract does not provide clear direction as to what the lab is going to be about. A discussion of anti-forensics should have been included in their abstract.
    Their literature review is nothing more than a summary and list of each of the articles and does not tie back to the lab exercises. In fact, team 2 was the only team that listed their articles by title. This was clearly not how the literature review is supposed to be written. All of the reviews of the articles were summaries and did not have proper citations. The team did not answer many of the questions that are required in the literature review.
    Team 2’s methods section was well documented. I like how they separated their methods section into 4 sections. This made it easy to follow.
    The findings section is detailed and explained exactly what they found during the exercise. They discuss that on 7/24 they were able to exploit team 1’s machine and that they were not able to find any text file on the root of the C: drive detailing a successful attack by any team, including team one. Because of this finding they felt there was no need to perform forensic testing.

  7. gdekkerj
    July 31, 2009 at 11:37 am

    I believe team two showed substantial initiative in this exercise, as they were the only team to actually invade a legitimate target. I also admire the somewhat byzantine steps taken to ensure secure remote login functionality. I also found team two’s aggressiveness with respect to the collaboration with team five against team one interesting. I think team two’s contribution to the entire exercise was substantial, and praise the effort put forth to make the situation more interesting.

    Positive points aside, there are substantial problems evident in team two’s write up. First of note, the literature review was less than adequate. Not only was the discussion of every article very brief, nothing more than a shallow summary was attempted for each one. It almost appears team two, aware that this was the final report of the course, consciously put forth a minimal effort for this literature review: nothing more need be said than this.

    With respect to the team’s choice of ‘defendable’ machines: where is Windows Server 2003 listed as a valid option? While the differences between XP SP3 and Server 2003 may be in reality minimal, they do run different kernel versions. This, by all measure, is a technical violation of the exercise directives. It seems team two was willing to bend the rules of the laboratory exercise when it suited their own purposes.

    Additionally, the attack plan of team two against team three seemed quite shallow. I would ask, if the entire plan hinged on the success of one undisclosed measure, and when this ultimately failed, why did the team attempt no other course of action? It appears that after team two’s initial thrust against team three failed, it resorted to attacking ‘soft’ ancillary targets. Conclusively, it appears no other effort was made on team three after the first easy success turned to failure: by anyone’s estimation successful penetration testing is often the culmination of persistence and patience; team two’s actions indicate little of these qualities were present.

    In the next issue, I must admit a bias, as my team was the target of team two’s “level eight” exploit; however, I am certain this issue will be addressed by many other reviewers. To lay the groundwork: all the teams understood that at the end of the exercise, the methods of exploit would be required to be disclosed. By implication, it was apparent that this exposure of methodology would set guidelines for professional and ethical conduct during the execution of this exercise: i.e. do not participate in actions which a team would find embarrassing or incriminating when revealed. As team two refuses to divulge the means by which they obtained team three’s privileged information, I believe it raises questions regarding professional and ethical conduct. Also, as this really was the only “plan of attack” followed against the required target, its omission leaves a critical part of the team’s report missing: team two has failed to fulfill the report requirements with regard to relating an offensive plan.

    With regard to the actual intrusion by team two on team three: why did team two act in such a reckless fashion while logged in to the machine? Team two possessed a substantial advantage at this point, and appeared to throw it away by “showing off” to “scare” team three. This behavior seemed ill-conceived with respect to the “stealth” goals of the exercise. If the mention in the conclusion section of the “thrill” and “extreme high” with respect to breaking into a system is any indication, team two may have let adrenalin overwhelm their better judgment during this incursion.

    Finally, the discussion of team two’s complaint against team three seemed somewhat incoherent. First, raising ‘real world’ considerations seemed pointless in the artificially constrained environment of this exercise. Certainly, in the ‘real world’ team three would have many other courses of action available to them, and would not have its hands tied while being forced to tolerate repeated attack. Furthermore, it is a strange assertion made that team three “ran away” and did not “deal with the problem.” Perhaps the simplest and most pragmatic way of “dealing with the problem,” given the limited actions allowed by the situation, was changing the compromised password. Certainly, this is not an action inconsistent with real world practices, and in a ‘real situation,’ a system administrator would have this ability without contacting “the authorities.” I believe this is the first thing a competent system administrator would do; to knowingly allow an unknown party attempt the compromise of critical resources is foolishness itself. Functionality and integrity are first priority; investigation is something done after the serious danger of the situation has been mitigated.

  8. shumpfer
    July 31, 2009 at 12:48 pm

    Team 2 begins their abstract with a small talk about penetration testing and how important it is to organizations. Then they state what is going to be occurring within lab seven. Next the team goes into their literature review. This was broken into sections by each article and did not even discuss relations or arguments to the literature and the class. It seemed like the group was in a rush to get the literature review done. Within the reviews they briefly describe each article. The team then goes on to the methodologies. They describe what was done to secure their system and then what was done to the target system. They stated that they had successful attempts against team 1 and team 3’s machines. They then went on to explain the time and date of the successful attempts. Then the team went on to the findings section and discussed that this was a small section due to the fact that some of the information provided within the methodology section could have been placed in the findings. They then go on to state that they did not need to write a forensic analysis due to the fact that their system was not penetrated. With the help of team 5 they were able to have access to team one’s IP address. This shows that there are other vulnerabilities besides just those of the technology and goes along with the McCumber cube that was discussed throughout the class. This could have been discussed within the findings to make it a more fulfilling section. Next the team goes on to the issues that occurred during the lab. They discuss failing and being ready for it. Along with this, what can be done after an attack? What policies may be in place for such an event? The team brought up a very good point within this section that leads to a whole other area of systems with the policies and procedures set in place by an organization for their systems.
    Then the team concludes their lab with an overview of penetration testing and the conclusion not only for the lab but the course and what was learned throughout each lab. This was a nice conclusion. Even though there were some weak areas of the lab, the team did a good job and provided more interest into the subject through discussion.

  9. Borton
    July 31, 2009 at 2:05 pm

    Team two’s offering is incomplete and somewhat misses the point. It contains some of the same syntax errors we have seen from this group in the past.

    Your abstract states the point of the labs, but misses the idea of anti-forensics, the title of the exercise. Why do you think that is?

    For the thousandth time, the literature review is NOT a list of articles. It should be an integrated discussion of the material. The group summarizes the articles but does not relate them to each other, the class, or the lab. There is a complete lack of evaluative material. If you don’t tell me why it was good, bad, or important, you have wasted my time. While the spelling has improved this time around, there are still problems with word choice, punctuation, and sentence structure. Please seek help early and often when writing. PUC has an entire group dedicated to providing this service.

    Team two’s methods section is missing large pieces of information and leaves the reader with several questions. There are several instances of data that should be presented in the findings section rather than the methods. The section does a good job of describing the defense of the machine. Why did the group choose the NIST documentation over anything else? You say you are forbidden from discussing your exploit method. Did you sign an NDA? Is it maybe just that the higher powers smiled on you and you got lucky with your attack? I’m skeptical. Why did you attempt to scare team three? Wasn’t the idea NOT to get caught? You were able to get team one? They didn’t mention it. Are you sure it was them? You didn’t do any forensic analysis at all? This seems incomplete. Did you not even look for evidence of scanning attempts?

    The group’s findings section feels disorganized. I’m still curious to know what exactly teams two and five did exploit since team one claims it was not breached.

    The group’s issues section is harsh. While team two may have interpreted the lab one way, the actions taken by team three were not specifically banned, and therefore fair play. Also, team two stops just short of accusing team one of cheating. Is it possible that factors out of their control may have been involved in the incident?

    The conclusion(s) section wraps up the report nicely, though some of the group’s ever-present syntax problems come up again. I still find it interesting that in a lab titled anti-forensics, the group made no effort to hide their attack or be vigilant about being attacked.

  10. prennick
    July 31, 2009 at 3:37 pm

    I think that group 2’s write-up for lab 7 was very good. The abstract for this lab was good and accurately described the laboratory. The literary review was good and adequately reviews the material. Group 2 answered all of the required questions for each reading. All of the citing for the literary review was done correctly. For this lab, the group answered all of the required questions and provided a good amount of detail about the steps that they used to exploit the target systems. However, the group did not report any findings of our port scan, which indicates that IP spoofing successfully worked. Also, for some reason, the group decided to attack “our vm” which was not in the instructions of the lab (Team 1 will attack Team 2, Team 2 will attack Team 3, etc.. until Team 5 attacks Team 1.). The only reason I could find is that they wanted to add more bulk to the lab report. Also, the group did not consider other issues why the IP address could have linked to another system, such as other attacks existing on the network, which appears to be the real problem (see my peer review for Team 4). Finally, the conclusion was written well and accurately sums up the laboratory.
