Tech 581W Computer Network Operations, Laboratory 1: Team 1

ABSTRACT

With an ever increasing number of threats to network environments, it has become important for information technology students to be informed and aware of how hacker attacks, viruses, Trojans, and exploits will affect their systems.  A virtual test lab environment would be an effective way to research the effects of security risks, and understand their affect on deployed systems.  This paper will detail the steps used in the process of creating our virtual test environment.  We will discuss the operating systems and software used.  This test lab will allow students to compare and contrast the different aspects of red teaming, penetration testing, and vulnerability testing.

This lab is very important to get right the first time around.  The setup of the virtual machines is a crucial step to be done right in order for the rest of the future labs to work properly.  The tools that will be researched in this lab will be used in the future labs so it is necessary to make sure that they are put into the correct categories.

Literature Review


Ivan Acre and Gary McGraw wrote an article called Why Attacking Systems is a Good Idea.  The article is an opinion on why purposely attacking your own system is a good thing to do.  This relates to the laboratory assignment in a couple of different ways.  First, we are looking for tools and applying them to the OSI 7 layer model in order to have a clear list of what to use to attack the virtual machines that were setup in the first part of the lab.  Second, the entire class is about penetration testing and how it can be useful for someone to learn.  There is not a research question but rather a statement that there is a rise in opinion that the only way to properly test a system is to attack it (Acre et al, pg1).  In comparison to the other articles read, this article has the same standpoint that attacking a system is the only way to fully understand how it can be attacked and how to protect it.  Acre et al looked at previous cases of people attacking a system and getting fired for it.  They then proceeded to look at the growing trends and why they have changed so much over a few years.  All Acre et al did was look at what others have done and made an opinion about it, without doing much work of their own.

Benzel et al wrote an article called Experience with DETER: A Testbed for Security Research. The article is about creating a test area for the advancement of security practices and techniques.  In the first part of the lab, groups had to create their own “testbed” for future work in the class.  It will be used to further research in penetration testing, while giving the groups more experience will the tools that are available.  The problem statement is that due to the rapid advances in security, they require a more complex testing ground (Benzel et al, 2006,  pg1).  The other articles talk about how the test ground already exists and that one can begin testing right away.  Benzel and the rest of the authors made their DETER testbed and went to work doing some tests against it.  The supporting literature comes from others who have done work in the field and using their procedures and results to set up their own test.  There are no apparent errors or omissions.

Bill Coffin wrote an article called It Takes a Thief: Ethical Hackers Test your Defenses. The main focus on this article is explaining all the different terms that deal with ethical hacking.  The article relates to the lab because this lab is the first step in which the groups learn to become ethical hackers.  This article does not have a research question or problem statement.  In comparison to the rest of the articles, this is basically a dictionary for ethical hacking terminology.  This is no supporting research due to the lack of references.  This is also an apparent error.

Wenliang Du and Aditya Mathur wrote Vulnerability Testing of Software System Using Fault Injection. The article is about performing penetrating testing against software systems using fault injections to find flaws.  The problem statement is programmers make assumptions about the environment causing faults to be inherent of the system (Du et al, 1998, pg2).  The authors of this article realize that the system has faults and other articles state the same thing.  Supporting research includes many papers about fault injection tools as well as penetration testing methods.  The research method used is an experiment that can be translated in the group’s experiment.  There were no apparent errors or omissions.

Mary Micco and Hart Rossman wrote an article called Building a Cyberwar Lab:  Lessons Learned.  Teaching cybersecurity principles to undergraduates.

This article discusses how a stand alone lab was set up for students to learn penetration testing techniques.  The article explained the objectives of the lab, which were to make students more knowledgeable about securing their systems and to test the vulnerabilities of current systems by trying out assessment tools.  The article described in detail the setting up of the lab, preparing for the attack, attacks and counter measures, and lessons learned.  This correlates to the laboratory assignment in that our course is about penetration testing and how it can be useful for someone to learn.  We are also right in the throws of setting up our labs.  There is not a research question here that I can decipher but mainly a statement as how to properly set up a lab for penetration testing.  The supporting data comes from their actual testing results.

There are no apparent errors or omissions.

Chris Heien, Rick Massengale, and Ninging Wu from the Applied Science Department at the University of Arkansas at Little Rock wrote an article called Building A Network Testbed for Internet Security Research.

The purpose of the article is to discuss a test network system that was built for research projects involving Internet Worm detection.  The article discussed the purpose of their lab, the hardware configuration, client configuration, other equipment, and virtualization.

The problem statement in this article is that devastating worms rage through global networks affecting businesses, residences, and impeding the daily activities of all networked technology (Heien et al, 2008 pg1).

The purpose of the lab is to allow monitoring of worm propagation, not just in software simulation but also in an actual physical environment. The supporting literature comes from their USE CASE, in which the case describes the simulation of a worm traffic sniffing session.  Their future work is three fold; first they plan to test their large collection of different worm instances and their test network so that they can study their propagating properties.  Second, they will research effective techniques for early prediction, detection, and isolation of internet worms.  Third, they will keep enhancing their network in order to implement future solutions

There are no apparent errors or omissions.

Helayne T. Ray, Raghunah Vemuri, and Hariprasd R. Kantubhukta wrote an article called Toward an automated Attack Model for Red Teams.

The objective of the paper was to introduce an attack model that guides red teams in documenting security attacks in a reusable format, and lets system developers easily automate the attack (Ray et al, 2005, Pg 8).  Future work will consist of taking the attack documentation developed form using their model and writing automated attacks.

The problem statement is that because we rely so heavily n the internet we expose our weaknesses to attack by remote adversaries (Ray et al, 2005, Pg1).

The authors believe that Red teaming is necessary to understand how adversaries can exploit insecurities in our systems.  The research methods used were several different Red teaming events sponsored by the US Government.  There are no apparent errors or omissions.

The main topic to the article Broadening the Scope of Penetration-Testing Techniques by Ron Gula, is the techniques and problems involved in performing penetration tests. The article’s research question is “What are the benefits and potential pitfalls of performing penetration tests?” The author goes on to explain some of the tools and techniques that are commonly used to perform penetration tests as well as some of the areas that are most often overlooked when performing penetration tests. This information is applicable for the current laboratory because it informs the reader about many of the purposes for penetration testing as well as some areas that should be included during testing. For supporting research and data, the author did not provide much. The article only contained a handful of references. While most of the data provided is common knowledge among security professionals and can easily be verified, more references should have been used. The only errors I noticed in the article are some generalized statements with no sort of evidence for the claim. For instance, “Most ethical hackers do not attempt to test database servers because they are not familiar with them. In general, network security professionals do not ascend from the ranks of database administrators.” (Gula, 2001, p. 9)

The main topic to the article Is Attack Better Than Defense? Teaching Information Security the Right Way by Martin Mink and Felix C. Freiling, is the benefits of teaching offensive security. The article’s research question is “What are the benefits of teaching aspiring security professionals offensive methods as well as defensive methods as opposed to solely teaching defensive methods?” The authors go on to explain scenarios and experiments that were performed that prove their hypothesis, that offensive coursework is more beneficial than defensive coursework. The authors also cover the criticisms of teaching offensive security, such as a higher likeliness for the students to become criminals with the knowledge they have obtained and thus “will not raise but rather decrease the overall level of security in the Internet. We feel that this line of argument is flawed.” (Mink & Freiling, 2006, p. 2) This information is applicable for the current laboratory because it informs the reader about the importance of the material involved in this particular course. For supporting research and data, the authors performed their own research with test subjects covering the material and included several references. I was not unable to detect any errors with the information the authors provided, nor do I believe there were any omissions.

The main topic to the article Cyberattacks: A Lab-Based Introduction to Computer Security by Amanda M. Holland-Minkley, is the techniques and problems involved in performing penetration tests. The article’s research question is “What are the benefits of teaching the fundamentals of cyberattacks and malicious code to information technology students?” The author goes on to explain the coursework and lab activites for the students, to prove her hypothesis, which is teaching the fundamentals of cyberattacks and malicious code to IT students helps them to better understand computer security. This information is applicable for the current laboratory because it indicates to the reader about the importance of cyberattack and malware awareness. For supporting research and data, the authors performed their own research with test results covering malware awareness from students who have and have not taken the course. For instance, based on a question about malware, “students with technological expertise were more likely to disagree with such a statement than students from a general population.” (Holland-Minkley, 2006, p. 6) I was not unable to detect any errors with the information the authors provided, nor do I believe there were any omissions.

Bibliography

Acre, I., & McGraw, G. (2004). Why Attacking Systems is a Good Idea.

Benzel, T. (2006). Experience with DETER: A Testbed for Security Research.

Coffin, B. (2003). It Takes a Thief: Ethical Hackers Test your Defenses.

DU, W., & Mathur, A. P. (1998). Vulnerability Testing of Software System Using Fault Injection.

Heien, C., Massengale, R., & Wu, N. (2008). Building A Network Testbed for Internet Security Research.

Micco, M., & Rossman, H. (2002). Building a Cyberwar Lab: Lessons Learned. Teaching cybersecurity principles to undergraduates.

Ray, H. T., Vemuri, R., & Kantubhukta, H. R. (2005). Toward an automated Attack Model for

Red Teams.

Gula, R. (2001). Broadening the Scope of Penetration-Testing Techniques. Retrieved 2009, from Enterasys Networks: www.enterasys.com

Holland-Minkley, A. M. (2006). Cyberattacks: A Lab-Based Introduction to Computer

Security. Washington, PA.

Mink, M., & Freiling, F. C. (2006). Is Attack Better Than Defense? Teaching Information

Security the Right Way.

Methods

The first part of the lab was to create the virtual machines, following Nick Pendergast’s instructions that were given to everyone in the class.  The next part of the lab was just plan research of hacking tools.  The tools found had to be then categorized into what fits them best in the OSI 7 layer model as well as the McCumber cube.

One question that needs to be answered is why almost all of the tools are going to be related to technology versus policy and procedure or personnel.  This question will be answered after creating the table of the tools found.  The other question to be answered is once the tools have been placed into the table, if it suggests a substantial bias or issue for penetration testing and perhaps self selecting attacks may not be the best strategy.  This question can also be answered only after the tools have been put into the matrix and seeing where they fit into the McCumber cube.

Findings

OSI 7 Layer Model Layer Tool Name McCumber Cube coordinate
People /8 Dumpster diving, social engineering, ID fraud Confidentiality, processing, policy
People/8 Following FedEx Confidentiality, transmission, human
People/8 Stealing mail Availability, storage, human
People/8 Disregarding policy, not locking computers, Integrity, processing, human
Application /7 Mbenum, netenum, netmask, psinfo, psfile, smtp-vrfy, whoami, amap, p0f, psk-crack, sinfp, unicornscan, xprobe2, pbnj, zenmap, cisco torch, curl, smb bruteforcer, smb client, stompy, phoss, pasco, rootkirhunter, sleuthkit, vinetto, Confidentiality, storage, technology
Application /7 Confidentiality, storage, policy
Application /7 Confidentiality, storage, human
Application /7 Getsids, http put, halberd, httprint, httprint gui, metoscan, mescal http/s, mibble mib browser, onesixtyone, openssl-scanner, paros proxy, peach, rpcdump, smb serverscan,  smb-nat, tnscmd, taof, vnc_bypauth, wapiti, 3proxy, obexftp, hcidump, redfang, ussp-push, gdb server, gnu ddd, Confidentiality, processing, technology
Application /7 Confidentiality, processing, policy
Application /7 Confidentiality, processing, human
Application /7 0trace, relay scanner, sqlquery, Confidentiality, transmission, technology
Application /7 Confidentiality, transmission, policy
Application /7 Confidentiality, transmission, human
Application /7 Privoxy, proxytunnel, Integrity, storage, technology
Application /7 Integrity, storage, policy
Application /7 Integrity, storage, human
Application /7 Gfi languard, sqlupload, msfconsole, openssl to open, pirana, ascend attacker, cdp spoofer, cisco enable bruteforcer, tinyproxy, Integrity, processing, technology
Application /7 Integrity, processing, policy
Application /7 Integrity, processing, human
Application /7 Goog mail enum, google-search, Integrity, transmission, technology
Application /7 Integrity, transmission, policy
Application /7 Integrity, transmission, human
Application /7 Pstools, Availability, storage, technology
Application /7 Availability, storage, policy
Application /7 Availability, storage, human
Application /7 Fuzzer, sqldict, sqldumplogins, crunch dictgen, dhcpx flooder,  medusa, Availability, processing, technology
Application /7 Availability, processing, policy
Application /7 Availability, processing, human
Application /7 Availability, transmission, technology
Application /7 Availability, transmission, policy
Application /7 Availability, transmission, human
Presentation/6 Finger google, googrape, maltego, metagoofil, checkpwd, cicso auditing tool, cisco enable , bruteforcer, cisco global expoiter, isr-form, jbrofuzz, list-urls, metacoretex, mistress, nikto, OAT, sidguess, smb4k, collision, hydra, hydra gtk, john the ripper, lodowep, wyd, xspy, chntpw, allin1, autopsy, Confidentiality, storage, technology
Presentation/6 Confidentiality, storage, policy
Presentation/6 Confidentiality, storage, human
Presentation/6 Pslist, psgetsid, psloggedin, psloglist, pstoreview,matahari, aircrack-ng, airdecap-ng, aireplay-ng, airmon-ng, airpwn, airsnarf, airbase-ng, dcfldd, dd rescue, Confidentiality, processing, technology
Presentation/6 Confidentiality, processing, policy
Presentation/6 Confidentiality, processing, human
Presentation/6 Sql scanner, sqllibf, spoondrv, spoonwep, Confidentiality, transmission, technology
Presentation/6 Confidentiality, transmission, policy
Presentation/6 Confidentiality, transmission, human
Presentation/6 Absinthe, vncrack, foremost, magicrescue, Integrity, storage, technology
Presentation/6 Integrity, storage, policy
Presentation/6 Integrity, storage, human
Presentation/6 Sql inject, webcrack, Integrity, processing, technology
Presentation/6 Integrity, processing, policy
Presentation/6 Integrity, processing, human
Presentation/6 Cowpatty, Integrity, transmission, technology
Presentation/6 Integrity, transmission, policy
Presentation/6 Integrity, transmission, human
Presentation/6 Bed, cirt fuzzer, Availability, storage, technology
Presentation/6 Availability, storage, policy
Presentation/6 Availability, storage, human
Presentation/6 Sqlbrute, Availability, processing, technology
Presentation/6 Availability, processing, policy
Presentation/6 Availability, processing, human
Presentation/6 Availability, transmission, technology
Presentation/6 Availability, transmission, policy
Presentation/6 Availability, transmission, human
Session/5 Airodump-ng, airoscript, airsnort, Confidentiality, storage, technology
Session/5 Confidentiality, storage, policy
Session/5 Confidentiality, storage, human
Session/5 Packet, rcrack, sipdump, Confidentiality, processing, technology
Session/5 Confidentiality, processing, policy
Session/5 Confidentiality, processing, human
Session/5 Dnstracer, tcptraceroute, tctrace, ike-scan, ikeprobe, superscan, Confidentiality, transmission, technology
Session/5 Confidentiality, transmission, policy
Session/5 Confidentiality, transmission, human
Session/5 Thc pptp, tcpick, urlsnarf, hotspotter, karma, kismet, btcrack, pcapsipdump, Integrity, storage, technology
Session/5 Integrity, storage, policy
Session/5 Integrity, storage, human
Session/5 Afrag, asleap, bluebugger, blueprint, btscanner, carwhisperer, minicom, Integrity, processing, technology
Session/5 Integrity, processing, policy
Session/5 Integrity, processing, human
Session/5 Hsrp spoofer, wifitap, wicrawl, wifizoo, Integrity, transmission, technology
Session/5 Integrity, transmission, policy
Session/5 Integrity, transmission, human
Session/5 Availability, storage, technology
Session/5 Availability, storage, policy
Session/5 Availability, storage, human
Session/5 Sipsak, sipcrack, sipdump, sip, Availability, processing, technology
Session/5 Availability, processing, policy
Session/5 Availability, processing, human
Session/5 Availability, transmission, technology
Session/5 Availability, transmission, policy
Session/5 Availability, transmission, human
Transport/4 Dnswalk, mboxgrep, memfetch, Confidentiality, storage, technology
Transport/4 Confidentiality, storage, policy
Transport/4 Confidentiality, storage, human
Transport/4 Confidentiality, processing, technology
Transport/4 Confidentiality, processing, policy
Transport/4 Confidentiality, processing, human
Transport/4 Snmp walk, snmp scanner, smb get serverinfo, snmpcheck, snmp enum, httpcapture, mailsnarf, smb sniffer Confidentiality, transmission, technology
Transport/4 Confidentiality, transmission, policy
Transport/4 Confidentiality, transmission, human
Transport/4 Integrity, storage, technology
Transport/4 Integrity, storage, policy
Transport/4 Integrity, storage, human
Transport/4 Icmp redirect, icmpush, igrp spoofer, irdp responder, irdp spoofer, wireshark, wireshark wifi, icmptx, pcaptpsip, Integrity, processing, technology
Transport/4 Integrity, processing, policy
Transport/4 Integrity, processing, human
Transport/4 Firewalk, Integrity, transmission, technology
Transport/4 Integrity, transmission, policy
Transport/4 Integrity, transmission, human
Transport/4 Availability, storage, technology
Transport/4 Availability, storage, policy
Transport/4 Availability, storage, human
Transport/4 Smb dumpusers, Availability, processing, technology
Transport/4 Availability, processing, policy
Transport/4 Availability, processing, human
Transport/4 Availability, transmission, technology
Transport/4 Availability, transmission, policy
Transport/4 Availability, transmission, human
Network/3 DNS-Ptr, dns-bruteforce, dnsenum,  dnsmap, dnspredict,  subdomainer, angry ip scanner, iodine, nstx, Confidentiality, storage, technology
Network/3 Confidentiality, storage, policy
Network/3 Confidentiality, storage, human
Network/3 Dig, protos, Confidentiality, processing, technology
Network/3 Confidentiality, processing, policy
Network/3 Confidentiality, processing, human
Network/3 Ass, Autoscan, fierce, fping, genlist, hping, hping2, hping3 , netcat, cryptcat,netdiscover, nmap, ping, protos, scanline, scanrand, revhosts, dnsspoof, driftnet, dsniff, etherape, nemesis spoofer, netsed, netenum, netmask, ntop, sing, sbd, socat, smap, Confidentiality, transmission, technology
Network/3 Confidentiality, transmission, policy
Network/3 Confidentiality, transmission, human
Network/3 Btftp, hidattack, Integrity, storage, technology
Network/3 Integrity, storage, policy
Network/3 Integrity, storage, human
Network/3 Integrity, processing, technology
Network/3 Integrity, processing, policy
Network/3 Integrity, processing, human
Network/3 Fport, intrace, ltrace, yersinia, Integrity, transmission, technology
Network/3 Integrity, transmission, policy
Network/3 Integrity, transmission, human
Network/3 Availability, storage, technology
Network/3 Availability, storage, policy
Network/3 Availability, storage, human
Network/3 Spike, Availability, processing, technology
Network/3 Availability, processing, policy
Network/3 Availability, processing, human
Network/3 Availability, transmission, technology
Network/3 Availability, transmission, policy
Network/3 Availability, transmission, human
Data Link/2 Dmitry, host, nmbscan, Confidentiality, storage, technology
Data Link/2 Confidentiality, storage, policy
Data Link/2 Confidentiality, storage, human
Data Link/2 Confidentiality, processing, technology
Data Link/2 Confidentiality, processing, policy
Data Link/2 Confidentiality, processing, human
Data Link/2 Confidentiality, transmission, technology
Data Link/2 Confidentiality, transmission, policy
Data Link/2 Confidentiality, transmission, human
Data Link/2 Macchanger, Integrity, storage, technology
Data Link/2 Integrity, storage, policy
Data Link/2 Integrity, storage, human
Data Link/2 File2cable, Integrity, processing, technology
Data Link/2 Integrity, processing, policy
Data Link/2 Integrity, processing, human
Data Link/2 Bdaddr, bss, Integrity, transmission, technology
Data Link/2 Integrity, transmission, policy
Data Link/2 Integrity, transmission, human
Data Link/2 Availability, storage, technology
Data Link/2 Availability, storage, policy
Data Link/2 Availability, storage, human
Data Link/2 Tftp brute, Availability, processing, technology
Data Link/2 Availability, processing, policy
Data Link/2 Availability, processing, human
Data Link/2 Availability, transmission, technology
Data Link/2 Availability, transmission, policy
Data Link/2 Availability, transmission, human
Physical/1 Confidentiality, storage, technology
Physical/1 Confidentiality, storage, policy
Physical/1 Confidentiality, storage, human
Physical/1 Confidentiality, processing, technology
Physical/1 Confidentiality, processing, policy
Physical/1 Confidentiality, processing, human
Physical/1 Ettercap, Confidentiality, transmission, technology
Physical/1 Confidentiality, transmission, policy
Physical/1 Confidentiality, transmission, human
Physical/1 Integrity, storage, technology
Physical/1 Integrity, storage, policy
Physical/1 Integrity, storage, human
Physical/1 Integrity, processing, technology
Physical/1 Integrity, processing, policy
Physical/1 Integrity, processing, human
Physical/1 Fakeap, wiassistant, hstest, Integrity, transmission, technology
Physical/1 Integrity, transmission, policy
Physical/1 Integrity, transmission, human
Physical/1 Availability, storage, technology
Physical/1 Availability, storage, policy
Physical/1 Availability, storage, human
Physical/1 Availability, processing, technology
Physical/1 Availability, processing, policy
Physical/1 Availability, processing, human
Physical/1 Availability, transmission, technology
Physical/1 Availability, transmission, policy
Physical/1 Availability, transmission, human
Kinetic/0 Weather, natural disasters, bombs Availability, processing, policy
Kinetic/0 EMP, power outage Availability, processing, technology
Kinetic/0 Biochemicals Availability, processing, human
Kinetic/0 Hammer Availability, storage, technology

One main reason why almost all of the tools are related to technology is because these tools are used for attacking a computer, making it hard for them to attack policies and people.  The best way to attack people is to do it in person.  As far as attacking policy, one must know the procedures in place in order to properly attack them, which is hard to do using an exploit.  Since many of the tools can go into multiple categories, there is a bias towards what must tools will attack.  Also this makes it more difficult to be able to focus an attack onto just one area, while not affecting other areas.

Issues

The group found that one of the only problems was the numerous numbers of tools that were needed to be put into the table.  There was initially a problem setting up the virtual machines, which after some testing was fixed allowing all students to start the lab.  Another issue was trying to communicate with 3 members of a group as opposed to 2.  All was worked out and everything went smoothly after that.

Conclusions

The final results show that most of the tools for hacking are for attacking technology.  Hackers can be those that perform social engineering and even dumpster diving.  They use the policies and procedures against the company in order to obtain information.  Natural disasters and weather fit into the McCumber cube along with the tools found in BackTrack and other hacking tools.  This lab was a basis for the rest of the labs so it was very important to get the virtual machines setup and get the tools into the correct categories.

9 comments for “Tech 581W Computer Network Operations, Laboratory 1: Team 1

  1. jeikenbe
    June 16, 2009 at 4:00 pm

    The groups abstract covers what the lab is for and how it is important. The abstract said that the paper will detail the steps in creating this lab, but the paper didn’t cover the steps that they took in actually creating the lab. The abstract said also that they would talk about the operating systems that will be used, but the paper doesn’t explain which ones that they used. Then the abstract concludes with describing how important it is to get this lab done correctly the first time. This group did a good job in reviewing the readings and relating them with the current lab. In each reading the topic and theme of the paper was identified and also how it pertained to the current lab. The research question of each reading was identified and compared to the other readings. The supporting data was identified. The group tried to find any errors or omissions but didn’t find too many. The only thing that I did not see done was the identifying of the methodology and how it could be used to answer the lab questions. The group also did a nice job in citing their work at the end of the literature review. As for the next part of the lab the group quickly went over how they set up the lab and didn’t go into any details on how their lab was set up. The group didn’t give a step by step procedure on how they were to set up their lab. In the next section the group set up the table that was used to detail out each of the tools that are going to be used in the penetration tests. The group did a good job in assembling the table to compare and contrast the tools in relation to the McCumber cube to show how most of the tools were labeled under technology and not policies or human factors. On problem is that the group could have come up with some more exploits or tools for a couple of the layers like the Physical and the Data Link layers. The group was able to answer the question of why most tools fell under the Technology category in the McCumber cube. I agree that almost all the tools that are going to be used are going to be in the Technology category. This should be viewed by the other groups in this lab. The group could have done a better job in answering the question on whether the table shows a bias or not. Next the group described some of the problems they had with the lab. The group said that one of the problems was the number of tools. The group didn’t explain the exact problem they had with this enormous amount of tools. The group next said that they had some problems with setting up the virtual machines. They didn’t explain the problems that they were having with setting up the virtual machines. They said after testing them they solved the problem, but this didn’t explain the solution to well. They also said that one of the issues that they were having was communication with each other. One statement that the group did make that was a good statement was the one about how the first lab is the important lab because it is the basis of all the other labs. I agree with this statement in that all the other labs are going to rely on how this lab is set up. If this lab is improperly set up then more work is going to be needed in the future to make upcoming labs work properly. Also the first lab sets the pace in the class and shows how things are going to run and gives you a window into how to work all the other labs.

  2. Borton
    June 17, 2009 at 12:59 am

    Team one prepared an informative, direct literature review that directly related all the articles to the assigned lab. There is little evaluation of the material. The only other major flaw I can find in the team’s review is that you missed the fact that the Gula paper is a vendor white paper, and likely contains an agenda.
    The methods section needs more fleshing out. What were the steps to prepare the lab? You say the team followed instructions but you don’t say specifically what they were. I’m unclear about the blank areas in the table. Do they show that some tools fit more than one coordinate set in the cube? I disagree with the team’s placement of tools in “Layer 0” The tools do have a kinetic effect, but are physical in nature, and have nothing to do with the transmission of electronic signal into physical force. Your findings suggest that the “computer” is easier to attack than policy or procedure. What is it about the nature of the “computer” that makes this so? In the issues section, the team says there was a problem starting the VMs. Can you elaborate? What was done to solve the problem? In your conclusion, the team says that most tools are geared toward technology, but then go on to say that hackers can be those who attack with non-technological means. Is it possible to be both?

  3. nbakker
    June 17, 2009 at 9:28 am

    The first team presented a complete and well thought out lab exercise. The lab met most of the requirements as per the syllabus. There were no real apparent issues or problems that stuck out at first examination. However, there were a few items that could be improved upon. The abstract did not meet the requirements of the syllabus in terms of length. The literature review read more like an annotated bibliography than a true literature review. Each paper to be read for the week was listed individually, notes taken by the reviewer were listed, and then the literature review questions posted in the syllabus were answered. There was no direct correlation or comprehensive synthesis of the state the literature. Besides a few issues with the literature review, the penetration testing taxonomy was very complete and seemed to agree with results as per the other labs in this course. There are a number of places were team 1 agrees with the other teams these include the findings in the literature review on how the DETER test bed plays at part in the creation of the VMware lab. They also agree on the apparent errors in the coffin article as well as the issues that seem to come up in Gula piece. Their penetration testing taxonomy does mach up rather well with the rest of the class, and contains an adequate number of tools. The answers to the questions asked do also seem to match up with the answers presented by the other teams, in terms of why the attack tools work on the technology vector of the McCumber cube. The technical merits of the position that team one has taken well thought out and complete. They explain how they built their lab, as well as the answers to the questions that were asked in the lab. Since the actual technical portion of the lab was rather simple, mainly just giving four VMs their correct IP addresses, every team did the same thing here. Team 1 approached the lab a lot like how the other teams approached the lab. They performed a literature review that was close to the other literature reviews. They worked through the steps of the setting up the VMs, like the other teams, filled out the taxonomy like the other teams, and answered the presented questions, like the other teams. This is because that is the format presented in the syllabus for completing the labs. Where they differed slightly was in what tools they placed at layers 8 and 0 of the taxonomy, as well as their approach to directly stating the objectives of each reading, and then presenting how that reading did or did not fit in with the rest of the readings, the level of scholarship in the readings, and how it worked with the lab. The only enhancement that can be made is in the cohesion of the literature review. They do not need to find any additional materials, other than maybe on working better as a team, and their methods are sound.

  4. June 17, 2009 at 9:38 am

    The literature review was a bit disjointed. I felt as if it was only looking at each article in the context of the lab work instead of looking at all of the articles together as a whole in the context of the lab work. Some of the formatting in the bibliography section was not correct, some lines were spaced incorrectly. There was some unnecessary capitalization in the literature review as well. In one of the papers reviewed, It Takes a Thief: Ethical Hackers Test your Defenses, an error is mentioned in the paper but no further details are given about the error or even a page number of where to find it.
    In the literature review, there was an article mentioned that talks about the necessity of building test environments but that is never tied with the activities in this lab. Showing how the readings were tied in to the virtual lab activities would have been helpful. The article Cyberattacks: A Lab-Based Introduction to Computer Security, makes mention of being tied to the lab but only that “this information is applicable for the current laboratory because it indicates to the reader about the importance of cyberattack and malware awareness.” While this may seem obvious (but can’t always be assumed with Prof. Liles) more detail and examples should be given to tie it to the lab activity.
    Some items in Layer 0/Kinetic are not categorized properly. I’m not sure if “weather” or “natural disasters” are tools that can be used in a kinetic attack against a system as they are (almost) impossible to control. If weather were a tool in an attack against a system, I’m also fairly certain it would not be an attack against policy.
    One major omission from the matrix was the inclusion of links to any of the tools. It’s hard to determine which tools are programs and which are actions an attacker might take. In the quick-changing world of exploit tools, it would also be helpful to provide links because often, tools change sites or names or move around and it can be difficult for someone to try searching for those tools and ensure they’re coming up with the same on you used in your matrix.
    In the matrix, the blank sections for some of them McCumber cube coordinates seem to indicate that there aren’t any tools for those items. The literature taught us that in circumstances of penetration testing, when the testers weren’t able to break in to the network, it didn’t necessarily mean that the network was unbreakable, just that it wasn’t breakable at that point in time with that attacker’s particular skill set, I think the same would apply here and should be noted in the issues section if these are going to be left blank. On that note, the issues section of the document is a little weak. Mention is made of problems building the virtual machines but no details are given so that anyone attempting to reproduce the lab could learn from them. Also, an issue is raised with communication between three group members. How was that worked out? How do you communicate among the three members of the group? Other groups could learn from this and it could help out how they communicate amongst themselves.
    Overall the grammar, formatting, and punctuation had some issues, the literature review lacked cohesion, and the issues and conclusions sections were weak.

  5. gdekkerj
    June 17, 2009 at 10:47 am

    First, I will relate the things I thought were good or intriguing about this lab write-up. I thought that this group did a reasonable job of connecting the material in the provided literature with the lab exercise itself. I also agreed with the statement that one of the problems was the sheer number of tools that ultimately appeared to be required for the lab–this was a problem that was most assuredly common to all the teams. Finally, I am intrigued by the assertion that “natural disaster and weather” fit into the McCumber cube model / OSI classification tool chart. It gives one pause for thought–certainly these forces can present opportunities for exploitation, however I am unconvinced of their ultimate utility, as they are notorious for being inconsistent in their behavior and timeliness. I would submit that any entity gaining the ability to control these forces would need no other tools than these. Until this is possible, I would view them as unplanned opportunities, but would not go so far as to rely on them as useful tools. An interesting view on the matter by this team, nonetheless.

    Now, unfortunately, it is my academic duty to be critical. I was a bit taken aback by the predominately negative tone of the literature review section. I too have done reviews for other classes which examined style, formatting, and number of sources, etc. However, I suggest that this was not really the intent of a ‘review’ for a technical class such as this. Nearly all the academic papers that I have read, in my humble opinion, could be considered to be liturgically flawed in at least some minor way–yet I find this a non-issue with regard to overall content (usually of substantial worth) which is presented in the paper. Indeed, I was amused (for various reasons) by the phrase “All… [the authors] …did was look at what others have done and made an opinion about it, without doing much work of their own.” I would ask the question: is that not ‘really’ what we as masters students are all doing in this lab? Some would go as far to say that very little new ‘real’ primary research happens in this day and age, that nearly everything ‘new’ being published is just a different interpretation or rehash of other’s prior research. I, myself, do not feel qualified to offer up an opinion as to whether this is true or not, however.

    Additionally, in the most gracious manner possible, I wish to comment that I considered the content in this report a bit ‘lean.’ I realize the time constraints that many of us are operating under, and I realize that the execution of the lab was relatively uncomplicated; however, a few more details may have been in order for thoroughness. Also, the answer to the ‘why technology’ question seemed to miss the point. The answer “…because these tools are used for attacking a computer” is analogous to saying “I use a hammer because it’s a nail,” which really assumes that the listener knows why a hammer works for a nail-and so truly explains nothing. Furthermore, I do take exception to the assertion that “the best way to attack humans is in person.” I would counter that such technological ‘tools’ such as indirect fire weapons (i.e. artillery), or airborne weapon systems (both conventional and the occasional nuclear device) are nearly always far more ‘effective’ at ‘attacking’ other humans (with the option of being totally indiscriminant) than an ‘in person’ attack: the question is whether anything useful is gained. To be fair, I believe that ‘exploit’ was meant rather than ‘attack,’ and I would be much more inclined to entertain that statement as correct-semantic choice can make all the difference in the world.

    Finally, there were some noticeable gaps in the tool listings-I understand time constraints, but there were some very ‘large’ gaps. Now, I am no expert on networking technology, but I have read a few books on the matter: the classification of the tools looked, well, random. There is definitely room for opinion on some of the OSI layer fit for the TCP/IP suite, however: tools for SNMP in layer four (a layer seven protocol in most opinions), A TFTP tool in layer two (also generally considered layer seven), DNS tools in layer three (also seven in most literature I have seen), NetBIOS/BEUI tools in layer two (no lower than layer three in most regards), ICMP tools in layer four (most certainly belonging in three), and the list goes on. It would be dishonest if I said that I thought this was well researched, in that a simple web search yields a wealth of information on these issues. I would rather not touch the McCumber classifications: in my opinion, generally those tools which target data moving on the network are “transmission” type tools, and those which attack host based services are after static “storage” or compromising “processing,” but I think there is room for differences. In this case, being many tools are ‘well’ out of place-I think it pointless to critique classifications resulting from initial incorrect assumptions.

  6. dkender
    June 17, 2009 at 12:27 pm

    Overall, group 1 had a fairly good paper. The introduction was well written and a good lead into the remainder of the paper. The literature review was very thorough, however not always accurate with what the article stated. I particularly liked the synopsis of the article on fault injection and that it mentions that anomalies in the environment can cause faults within the software system. The review of “Building a Cyberwar Lab:Lessons Learned”, and how it discussed how the system was put together, and how it relates to our own lab was also very good. It was a very good review of “Broadening the Scope of Penteration-Testing”, very detailed.

    In the literature review, however, it mentions that Arces article discusses “previous cases of people attacking a system and getting fired for it”. In actuality, the document discusses the irony that Dan Farmer was fired from Silicon Graphics for releasing the scanning tool SATAN, and that now systems administrators may get fired for not scanning their networks. The literature review also discusses applying the OSI 7 layer model in that article. However, the article only mentions general classes of hacker tools in the section “Understanding the attacker’s toolkit”.

    The author lists a very large set of tools, some of which were missed by the other groups. However, many seemed to be simply placed on the list to increase the size of the content without reviewing the functions of the tools. One example of this is placing network scanning tools at the application level of the OSI model. In my opinion network scanning tools should be placed at the network layer (layer 3) or transport layer (layer4) of the OSI model, since that is the initial area of attack. Some examples follow.
    Netenum is a program that pings the network to find available hosts. I believe that it would be better placed in the network layer (layer 3) of the OSI model rather than in the application layer. Amap is a network penetration testing tool. As such I believe it should be put into the transport layer rather than the application layer of the OSI model.
    Unicorn scan works introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Because it is acting on the TCP protocol, I believe that it should be placed on layer 4, the transport layer.
    PBNJ is also a network scanning tool, and therefore don’t believe that it belongs in the application layer. I believe it would either go into layer three, the network layer, or layer four, the transport layer.

    One glaringly obvious mistake on the part of the author was placing Zenmap in the application area. Zenmap is a graphical user interface for nmap, a network scanning tool. Ironically, the author placed nmap in the network layer while Zenmap was placed in the application area. They are basically the same program, one with a command line interface and the other with a GUI interface.
    There were also some tools listed that were not attack tools at all. For example, Privoxy is a proxy server designed to help protect the user’s privacy. Another example is Proxytunnel. Proxytunnel isn’t an attack tool either. It is a utility for sending HTTPS encrypted data across a network. There are others that I believe are either misclassified on the OSI 7 layer model, or misclassified as attack tools.

    As a whole the document had many good points. However, some of the errors reflected the rushed nature with which the document was completed. I can certainly relate to that dilemma. Perhaps in the future the author will have more time to check things like tool descriptions and the accuracy of article reviews.

  7. chaveza
    June 17, 2009 at 1:32 pm

    Along with the abstract I agree that teaching students about network environment threats is an important part of an information technology track. They had good literature reviews on the reading but did not see where they answered the questions. Is there a differenece between Ethereal and Wireshark? They used wireshark in there matrix chart. Protecting against known attacks is simpler then the unknown attacks. Showing students the different known attacks against a network environment can also show them the ways to protecting themselves from such attacks, such as in a virtual test lab environment as mention. The article by Mary Micco and Hart Rossman built a Cyberwar lab for there students to learn such ways in a protected environment. Unfortunately, not mentioned is that they only used one operating systems, Linux Red Hat 7.1 and if they were attacking just clients and or servers. The reading did not indicate that any of the labs required having Red Hat 7.1 server however in our lab requirement we had to have different clients and a server.
    In the methods section was one line about receiving virtual machines from Nick Pendergast’s however indicating what virtual machines were used would be a great benefit to know.
    Your matrix chart has a nice format. After review past layer 8 there seem to be tools there were missing but the layer and McCumber Cube coordinate are present.

  8. tnovosel
    June 17, 2009 at 1:35 pm

    Within the literature review section Team 1 addressed the topic, listed the research question if the article had one, and acknowledged if the articles had any errors or omissions, compared the theme of the articles to each other, and at times addressed the methodology used. However, the supporting data part of the review seemed very minimal at times and the review of some of the articles did not relate the article to the lab. In the Bill Coffin article the group said that they found an error or omission, but did not go into any detail to explain what the error was. In the Martin Mink and Felix C. Freiling article it was not necessary to point out that the higher likeliness for the students to become criminals with the knowledge they have obtained and thus “will not raise but rather decrease the overall level of security in the Internet because the author’s of the article already had pointed out that the statement was flawed.

    The group did a good job with their method section by giving a brief overview of the lab and presenting the questions that are to be addressed by completing the lab.

    There were a few discrepancies discovered in the section that had the exploits table. The table was missing the technology column, which would explain what particular technology that exploit or attack tool would effect. Some of the sections such as the people layer did not contain the required number of 30 exploits. I could not figure why the team included blank spaces in the table for the McCumber categories that did not contain any tools. It was implied that there would not be any attack tools or exploits to attack people or policy in McCumber’s cube below the eighth layer of the OSI model. However, I liked the efficiency of your group by placing all of the related tools into one single box. While some attack tools could be used to attack different layers of the OSI model depending upon their functionality, some of the tools appeared to be in the wrong layers. One particular example was Yesinia, which it said on its website affects the Data link layer. The kinetic layer appeared to contain exploits that would affect the Physical layer. Was the Kinetic layer for exploits that used computers to physically affect another computer or a system or machine that were connected to a network such as devices connected to SCADA controllers? Technically a bio-chemical attack would not affect computer devices themselves but the human operators that use them.
    I was somewhat unclear on what your team meant when the team stated:” Since many of the tools can go into multiple categories, there is a bias towards what must tools will attack. “I agree that some tools could fit into multiple categories, but their attacks are limited to doing a certain function or functions, so there is a definite service or protocol that the attack tools will affect.

  9. shumpfer
    June 17, 2009 at 4:23 pm

    To start the group began and gave their abstract. This was well designed and gave a good understanding as to what the lab was about and an overview as to what was going to be done. They then go onto the literature review. They do a nice job at reviewing each piece of literature and explaining the papers/articles while they go through them. Just like some of the others is that doing an overall comparison of the literature to each other will set a topic that can be thought about when someone is reading the lab. The one big thing that through me off was the location of there bibliography as this is to be put at the end of the document as per APA5 rules. This was not the only group that had a little trouble with citations but again help can be found at this website for future labs. ( http://owl.english.purdue.edu/owl/printable/560/) It is a good tool to have when creating labs or papers in APA 5 format. After the literature reviews they go into discussing the methodologies and what is to be done to create the lab environment. The did however not explain the lab environment enough and was vague on what the actual setup. It just says that one of the partners setup the lab per the instructions. How was it setup and what was used to set it up. Include what virtual machine where used and what is the environment of them. One thing that I had noticed going over the lab a couple times was that they left one of the questions out that needed to be answered between ethereal and wire shark. This was part of the requirements of the lab and is missing. They then go onto there table and it needs to be worked on. I do not know what happened but there are blank spots in the table where there is a coordinate for the Mccumber cube but there is no tool for that location. In the make sure to review any submissions before putting them onto the blog as it is a different format then any word processor. They did do a good job at categorizing what tools they had it just sticks out as the table is incomplete with the blank spaces. After the table they then go onto there findings and what they found while doing the lab. Next they go onto issue that they had occurred and did a good job explaining that they had an error this is what was done to resolve the issue. The last part was their conclusion and explained the purpose of the lab and why they where doing it but what was there also anything learned from the lab that may have not been know before. Overall the group had some issue with formatting and citation, but they did accomplish what was to be done. In the future labs the feed back from the peer reviews will be able to help this group create a more refined and complete lab.

Leave a Reply