Tech 581W Computer Network Operations, Laboratory 1: Team 4

Abstract

This lab requires the student team to build or modify a virtual lab environment that includes
a Linux machine, Windows Server 2003, Windows XP with no service pack and Windows XP
with Service Pack 3. The student team will locate and tabulate tools in relation to the OSI model
and McCumber’s cube.

When this lab has been completed, the student team will have a virtual lab environment ready to
conduct labs and the ability to determine which layer of the OSI model and which part of the
McCumber cube each tool affects.

Steps of the Process

Literature review

In the article EXPERIENCE WITH DETER: A TESTBED FOR SECURITY RESEARCH, the cyber-DEfense Technology
Experimental Research (DETER) test bed was created to meet the need to test new theories and new
technologies in realistic scenarios on an experimental infrastructure (Benzel, Braden, Kim, Neuman,
Joseph & Sklower, 2006, p. 2). Because of the threats present in some of the experiments,
the DETER test bed has been isolated from the Internet (Benzel et al., 2006, p. 2).

The article relates to the lab because it describes a test environment for experimenting with potentially dangerous
programs that must be kept isolated from the public Internet, just like the lab environment that we have created within virtual machines. The article also relates to the lab in that it claims that virtual environments introduce artifacts that must be taken into consideration (Benzel et al., 2006, p. 3).

The article It Takes a Thief: Ethical Hackers Test Your Defenses explained the significance of ethical hacking: it locates vulnerabilities using the techniques used by attackers so that corrective action can be taken to mitigate them (Coffin, 2003, p. 1). Services performed by ethical hackers include external network hacking, internal network hacking, application testing, wireless LAN assessment, war dialing, social engineering and trashing (Coffin, 2003, p. 2). The article also pointed out that ethical hacking is not an end-all solution, for it can only detect the vulnerabilities present at the time of the test (Coffin, 2003, p. 3).

The article relates to the lab and to the course in that students are to use tools and techniques commonly used by attackers to find vulnerabilities in different systems, so that those vulnerabilities can be identified and mitigated.

The article Vulnerability Testing of Software System Using Fault Injection pointed out that programmers tend to make assumptions about the environment in which their applications will function. When these assumptions hold, the application is likely to behave appropriately (Du & Mathur, 1998, p. 2). However, because the environment, as a shared resource, can often be agitated by other subjects, especially malicious users, these assumptions might not be true (Du & Mathur, 1998, p. 2).

This article relates to the lab in that it is unwise to make assumptions about the behavior of the tools that will be used in the virtual machines, or of the virtual environment itself.

The article BROADENING THE SCOPE OF PENETRATION-TESTING TECHNIQUES addresses shortcomings of penetration testing: such methods are not thorough enough and leave many aspects of a network untested (Gula, 2001, p. 1). The article pointed out the complexity of being allowed to perform
penetration tests, due to the politics of the organization and the potential of stumbling onto confidential information (Gula, 2001, p. 4). The article addressed the human factor of penetration testing in that administrators might harden system components before a penetration test to make the network seem more secure, and staff members could get emotional about the discovered vulnerabilities (Gula, 2001, p. 4). The article brought
up the concept of fratricide, or conducting vulnerability tests on network segments that were not intended for penetration testing due to operator
error (Gula, 2001, p. 5).

This article does not directly relate to the lab because the labs will be conducted in a test environment, and are thus free from the politics, emotions and potential for fratricide that would occur if our penetration tests were run on operational networks.

The article Cyberattacks: A Lab-Based Introduction to Computer Security described a class called Cyberattacks at a liberal arts college that taught students about the vast number of vulnerabilities that affect computing. The labs in the class gave students specific instructions on exposing lab machines to various exploits, and required documenting the results and recovering from the damage (Holland-Minkley, 2006, p. 40).

The article follows a train of thought similar to that of the lab and course, in that students use tools used by attackers to gain a better understanding of security. However, creating viruses may go a little too far for a penetration test, for the idea is to find vulnerabilities, not destroy the system.

The article Is Attack Better Than Defense? Teaching Information Security the Right Way followed the premise that teaching students offensive techniques makes better security students than teaching them only defensive techniques (Mink & Freiling, 2006, p. 44). The authors dismissed the claim that offensive methods should not be taught to students because this only increases the population of “malicious hackers”, which would not raise but rather decrease the overall level of security on the Internet (Mink & Freiling, 2006, p. 45). This claim was dismissed because the authors concluded that any security technique can be simultaneously used and abused (Mink & Freiling, 2006, p. 45). The authors created environments where the security classes were broken up into teams, and one
team used offensive techniques while the other used defensive techniques to test their security skills (Mink & Freiling, 2006, p. 46).

This article relates to the lab in that the student is given the opportunity to learn about and use offensive security techniques to locate and mitigate vulnerabilities in systems as opposed to relying strictly on defensive techniques.

The article Building a Cyberwar Lab: Lessons Learned. Teaching Cybersecurity Principles to Undergraduates described a security lab environment that allowed students to use both offensive and defensive security techniques by splitting into two teams, one on defense and the other on offense.

This article differs from the lab in that our students are to focus more on the offensive security techniques required for penetration testing than on defensive techniques. However, defensive techniques would be of great importance in mitigating the vulnerabilities identified by the offensive techniques.

The article BUILDING A NETWORK TESTBED FOR INTERNET SECURITY RESEARCH described a networked test system built for Internet worm detection. The goal of the system was to simulate a global network containing heterogeneous systems, so that the behaviors of various worms could be studied and effective strategies for predicting, detecting and quarantining outbreaks could be designed (Heinen, Massengale & Wu, 2008, p. 73). Virtualized environments form a caged environment that allows one to prod and poke malicious software to gather data (Heinen et al., 2007, p. 74). The authors chose a virtual environment for their research on worms because virtualization allows both a higher-accuracy simulation of the real world with limited hardware resources and analysis of diverse worm outbreaks and propagations within a controlled environment (Heinen et al., 2007, p. 75).

This article relates to the lab in that it also used a virtualized environment to test the effects of software that could be malicious. However, the study of worms goes beyond the intent of the lab and course, for our objective is to locate vulnerabilities in systems, not to study the behavior of worms.

The article Toward an Automated Attack Model for Red Teams emphasized the importance of red teaming, which the article described as the practice of attacking systems to better understand how to defend them (Ray, Vemuri & Kantubhukta, 2005, p. 18). Red teams must clearly classify an attacker’s inner workings, consider all points of interest, and map decision criteria to replicate the attack (Ray et al., 2005, p. 18). Red-team members must understand the adversary’s goals, values and limitations, all from the adversary’s perspective (Ray et al., 2005, p. 18). To effectively attack their own systems, the team must act like the attacker, including using the same resources and knowledge (Ray et al., 2005, p. 18).

This article relates to the lab in that the student team will try to perform the same actions as a red team within the virtualized environment that has been created and modified. The student team was able to determine the mindset of attackers by visiting websites that contained downloadable attack tools as well as their overblown rhetoric about the lethality of their tools.

In the article Why Attacking Systems Is a Good Idea, a brief history of attack tools was given. The article recommended that red team exercises be grounded in risk analysis, and noted that they can be designed to raise the bar slowly and systematically over time, improving a target’s security posture as they unfold (Arce & McGraw, 2004, pp. 18-19). The article also pointed out that most of the people defending computer systems today are not programmers, but most of the people attacking our systems are (Arce & McGraw, 2004, pp. 18-19).

This article relates to the lab in that it is important for us to study how various exploits and vulnerabilities are used to gain control of a computer. It is important to teach classes on how to do penetration tests to make sure that our systems are safe and secure. In this class we are learning how to red team a computer network and perform penetration tests on different types of environments.

Steps of the Process
Setting up the environment

The team used the preloaded operating systems on Citrix, so the only preparation required was
to assign static IP addresses to the different machines. The team’s IP addresses
and other system information are as follows:

Win XP SP3 – 192.168.4.1
Linux Kubuntu – 192.168.4.2
Win XP SP0 – 192.168.4.3
Win Server 2003 – 192.168.4.4

Active Directory domain name: TECH581WGrp.local
DNS domain name: TECH581WGrp4.local
NetBIOS name: TECH581WGRP4

User names and passwords:
Linux kubuntu – UN: Administrator  PASS: Pa88word
Win Server 2003 – UN: Administrator PASS: Pa88word

OSI Layer | Technology | Exploit Method | McCumber
Layer 8 / People | | Threat | Confidentiality, Storage, Human Factors
Layer 8 / People | | Extortion | Confidentiality, Storage, Human Factors
Layer 8 / People | | Con | Confidentiality, Storage, Human Factors
Layer 8 / People | | Seduction | Confidentiality, Storage, Human Factors
Layer 8 / People | Printed data | Dumpster diving | Confidentiality, Storage, Human Factors
Layer 8 / People | | Espionage | Confidentiality, Storage, Human Factors
Layer 8 / People | | Force | Confidentiality, Storage, Human Factors
Layer 8 / People | | Bribe | Confidentiality, Storage, Human Factors
Layer 8 / People | | Torture | Confidentiality, Storage, Human Factors
Layer 8 / People | | Masquerade as employee | Confidentiality, Storage, Human Factors
Layer 8 / People | | Follow company employees on social networking sites | Confidentiality, Storage, Human Factors
Layer 8 / People | | Locate terminated employees | Confidentiality, Storage, Human Factors
Layer 8 / People | | Team up with other hackers | Confidentiality, Storage, Human Factors
Layer 8 / People | | Fear tactics | Confidentiality, Storage, Human Factors
Layer 8 / People | | Deception | Confidentiality, Storage, Human Factors
Layer 8 / People | | Scopolamine | Confidentiality, Storage, Human Factors
Layer 8 / People | | Sodium pentothal | Confidentiality, Storage, Human Factors
Layer 8 / People | | Screen watching | Confidentiality, Storage, Human Factors
Layer 8 / People | | Shoulder surfing | Confidentiality, Storage, Human Factors
Layer 8 / People | | Look at post-it notes for passwords | Confidentiality, Storage, Human Factors
Layer 8 / People | | Get them drunk or high | Confidentiality, Storage, Human Factors
Layer 8 / People | | Locate naïve employees | Confidentiality, Storage, Human Factors
Layer 8 / People | | Plant an insider | Confidentiality, Storage, Human Factors
Layer 8 / People | | Place target under surveillance | Confidentiality, Storage, Human Factors
Layer 8 / People | | Pretexting | Confidentiality, Storage, Human Factors
Layer 8 / People | | Baiting | Confidentiality, Storage, Human Factors
Layer 8 / People | | Quid pro quo | Confidentiality, Storage, Human Factors
Layer 8 / People | | Casual inquiry about passwords | Confidentiality, Storage, Human Factors
Layer 8 / People | | Pick up the names of sensitive systems and secret projects | Confidentiality, Storage, Human Factors
Layer 8 / People | | Flatter | Confidentiality, Storage, Human Factors
Layer 7 / Application | HTTP | Crackwhore | Integrity, Processing, Technology
Layer 7 / Application | User settings | Spyware | Confidentiality, Process, Technology
Layer 7 / Application | HTTP | Burp Scanner | Integrity, Storage, Technology
Layer 7 / Application | SQL | SA Exploiter | 
Layer 7 / Application | Log | Clearlogs | Availability, Storage, Technology
Layer 7 / Application | File | Wipe | Availability, Storage, Technology
Layer 7 / Application | VoIP registration | Erase_registration | Integrity, Storage, Technology
Layer 7 / Application | VoIP software | VoIPER | Integrity, Process, Technology
Layer 7 / Application | Software | GDB GNU Debugger | Confidentiality, Process, Technology
Layer 7 / Application | File recovery | Foremost | Availability, Storage, Technology
Layer 7 / Application | File recovery | Magic Rescue | Availability, Storage, Technology
Layer 7 / Application | E-mail | Mboxgrep | Confidentiality, Storage, Technology
Layer 7 / Application | File | Scalpel | Confidentiality, Storage, Technology
Layer 7 / Application | Thumbs.db files | Vinetto | Confidentiality, Storage, Technology
Layer 7 / Application | Keyboard | Xspy | Confidentiality, Processing, Technology
Layer 7 / Application | Application/system resources | Application flooding | Availability, Storage, Technology
Layer 7 / Application | HTTP | Burp Scanner | Integrity, Storage, Technology
Layer 7 / Application | HTTP | Gooscan | Integrity, Processing, Technology
Layer 7 / Application | Metadata | MetaGooFil | Confidentiality, Storage, Technology
Layer 7 / Application | Search engine databases | SEAT | Confidentiality, Storage, Technology
Layer 7 / Application | SNMP | 5NMP | Integrity, Processing, Technology
Layer 7 / Application | SNMP | onesixtyone | Confidentiality, Process, Technology
Layer 7 / Application | KDE | Smb4k | Confidentiality, Process, Technology
Layer 7 / Application | Insecure registered application | DIRE | Confidentiality, Storage, Technology
Layer 7 / Application | Buffers and strings | BED | Integrity, Process, Technology
Layer 7 / Application | Browsers | bf2 | Integrity, Process, Technology
Layer 7 / Application | Fuzzer for C programs | Bunny | Integrity, Process, Technology
Layer 7 / Application | Web applications | JBroFuzz | Integrity, Process, Technology
Layer 7 / Application | Web apps, SQL, .NET, etc. | Peach | Integrity, Process, Technology
Layer 7 / Application | HTTP SOAP | WSFuzzer | Integrity, Process, Technology
Layer 7 / Application | Applications | zzuf | Integrity, Process, Technology
Layer 7 / Application | SNMP | ADMsnmp | Integrity, Storage, Technology
Layer 7 / Application | SNMP | Snmpcheck | Confidentiality, Process, Technology
Layer 7 / Application | SNMP | SNMPEnum | Confidentiality, Storage, Technology
Layer 7 / Application | SNMP | Snmpwalk | Confidentiality, Storage, Technology
Layer 6 / Presentation | Kerberos logins | KerbCrack | Confidentiality, Transmitted, Technology
Layer 6 / Presentation | File system/volumes | Autopsy | Confidentiality, Storage, Technology
Layer 6 / Presentation | Recover syskey bootkey | Bkhive | Availability, Storage, Technology
Layer 6 / Presentation | Password | CUPP | Confidentiality, Storage, Technology
Layer 6 / Presentation | Password | John the Ripper | Confidentiality, Storage, Technology
Layer 6 / Presentation | Hashes | RainbowCrack | Confidentiality, Storage, Technology
Layer 6 / Presentation | Windows password hashes | Samdump2 | Confidentiality, Storage, Technology
Layer 6 / Presentation | Password | Wyd | Confidentiality, Storage, Technology
Layer 6 / Presentation | sshd password | BruteSSH | Confidentiality, Storage, Technology
Layer 6 / Presentation | Network logon | Hydra | Confidentiality, Storage, Technology
Layer 6 / Presentation | Passwords on Lotus Domino web server system | Lodowep | Confidentiality, Storage, Technology
Layer 6 / Presentation | Login | Medusa | Confidentiality, Storage, Technology
Layer 6 / Presentation | Login to SSH server | SSHatter | Confidentiality, Storage, Technology
Layer 6 / Presentation | Windows passwords | chntpw | Confidentiality, Storage, Technology
Layer 6 / Presentation | Network traffic | dsniff | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Windows authentication | SmbRelay3 | Confidentiality, Storage, Technology
Layer 6 / Presentation | SSL | SSL man-in-the-middle attack | Confidentiality, Transmission, Technology
Layer 6 / Presentation | SSL | ssldump | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Keys | Aircrack-ng | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Passwords | Airsnarf | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Application protocols | Amap | Confidentiality, Process, Technology
Layer 6 / Presentation | Web server | httprint | Confidentiality, Process, Technology
Layer 6 / Presentation | Web server | HTTSquash | Confidentiality, Process, Technology
Layer 6 / Presentation | IPsec VPN servers | ike-scan | Confidentiality, Process, Technology
Layer 6 / Presentation | Keys | psk-crack | Confidentiality, Process, Technology
Layer 6 / Presentation | Cisco routers | Cisco Auditing Tool | Integrity, Process, Technology
Layer 6 / Presentation | Cisco IOS | Cisco Global Exploiter | Integrity, Process, Technology
Layer 6 / Presentation | Cisco router passwords | Cisco Passwd Scanner | Integrity, Process, Technology
Layer 6 / Presentation | Windows Server | enum | Confidentiality, Storage, Technology
Layer 6 / Presentation | Windows Server | winfo | Confidentiality, Storage, Technology
Layer 5 / Session | VoIP usernames | EnumIAX | Confidentiality, Storage, Technology
Layer 5 / Session | VoIP authentication | SIPdump | Confidentiality, Storage, Technology
Layer 5 / Session | TCP/IP | Hping | Confidentiality, Transmission, Technology
Layer 5 / Session | RTP | RTP DoS | Availability, Transmission, Technology
Layer 5 / Session | TCP | Blind hijacking | Availability, Transmission, Technology
Layer 5 / Session | UDP | Session hijacking | Availability, Transmission, Technology
Layer 5 / Session | SQL | SA Exploiter | Integrity, Process, Technology
Layer 5 / Session | ICMP | ICMP reset | Availability, Transmission, Technology
Layer 5 / Session | NetBIOS | nbtscan | Confidentiality, Process, Technology
Layer 5 / Session | SSL | SSLScan | Confidentiality, Process, Technology
Layer 5 / Session | DCE-RPC | Blaster | Availability, Processing, Technology
Layer 5 / Session | DCE-RPC | Sasser | Availability, Processing, Technology
Layer 5 / Session | VPN | IKECrack | Integrity, Process, Technology
Layer 5 / Session | VPN | IKE UDP DoS attack | Availability, Process, Technology
Layer 5 / Session | RPC | ToolTalk attack | Integrity, Process, Technology
Layer 5 / Session | RPC | snmpXdmid attack | Integrity, Process, Technology
Layer 5 / Session | RPC | rstatd vulnerability | Confidentiality, Process, Technology
Layer 5 / Session | RPC | Showmount request | Confidentiality, Process, Technology
Layer 5 / Session | RPC | rpc.cmsd exploit | Integrity, Process, Technology
Layer 5 / Session | RPC | cachefsd exploit | Integrity, Process, Technology
Layer 5 / Session | RPC | Sun RPC Auditor | Integrity, Process, Technology
Layer 5 / Session | SSL | IIS PCT/SSL exploit | Integrity, Process, Technology
Layer 5 / Session | IDS | Snort attack | Integrity, Process, Technology
Layer 5 / Session | LAN hijack | Ettercap | Confidentiality, Transmission, Technology
Layer 5 / Session | TCP | Hunt | Confidentiality, Transmission, Technology
Layer 5 / Session | TCP | Juggernaut | Confidentiality, Transmission, Technology
Layer 5 / Session | Sniffing | T-Sight | Confidentiality, Transmission, Technology
Layer 5 / Session | SID | Session fixation | Confidentiality, Processing, Technology
Layer 5 / Session | Online sessions | Online session phishing | Confidentiality, Transmission, Technology
Layer 4 / Transport | Packets | NetSed | Integrity, Transmission, Technology
Layer 4 / Transport | TCP | TCP “SYN” attack | Availability, Transmission, Technology
Layer 4 / Transport | SSL | SSL man-in-the-middle attacks | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | Land attack | Availability, Transmission, Technology
Layer 4 / Transport | UDP | UDP flood attack | Availability, Transmission, Technology
Layer 4 / Transport | TCP | Port scan attack | Confidentiality, Transmission, Technology
Layer 4 / Transport | UDP | Port scan attack | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | TCP sequence prediction attack | Availability, Transmission, Technology
Layer 4 / Transport | TCP | TCP loopback DoS attack | Availability, Transmission, Technology
Layer 4 / Transport | UDP | UDP port diagnostic attack | Availability, Transmission, Technology
Layer 4 / Transport | Packets | Scapy | Integrity, Transmission, Technology
Layer 4 / Transport | UDP | UDP spoofing | Integrity, Transmission, Technology
Layer 4 / Transport | TCP | TCP spoofing | Integrity, Transmission, Technology
Layer 4 / Transport | TCP | The Midder | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | Trin00 | Availability, Processing, Technology
Layer 4 / Transport | TCP | Teardrop | Availability, Processing, Technology
Layer 4 / Transport | TCP | 0trace | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | tcptraceroute | Integrity, Processing, Technology
Layer 4 / Transport | TCP SYN | tctrace | Integrity, Processing, Technology
Layer 4 / Transport | TCP | LetDown | Integrity, Process, Technology
Layer 4 / Transport | OS fingerprinting | p0f | Confidentiality, Process, Technology
Layer 4 / Transport | Ports | procecia | Confidentiality, Process, Technology
Layer 4 / Transport | TCP | Unicornscan | Confidentiality, Process, Technology
Layer 4 / Transport | OS fingerprinting | Xprobe2 | Confidentiality, Process, Technology
Layer 4 / Transport | Ports | Netcat | Availability, Transmission, Technology
Layer 4 / Transport | Internet connection | Stacheldraht | Availability, Transmission, Technology
Layer 4 / Transport | IP | Fragroute | Availability, Transmission, Technology
Layer 4 / Transport | TCP/UDP | Fport | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP/UDP | Attacker | Confidentiality, Transmission, Technology
Layer 4 / Transport | UDP | UDPFlood | Availability, Transmission, Technology
Layer 3 / Network | Sub-domains | ReverseRaider | Confidentiality, Process, Technology
Layer 3 / Network | TCP connections through DNS traffic | Dns2tcp | Availability, Transmission, Technology
Layer 3 / Network | IPv6 tunneling | Miredo | Availability, Transmission, Technology
Layer 3 / Network | IP through DNS | NSTX | Availability, Transmission, Technology
Layer 3 / Network | Tunnel TCP connections to a remote host via ping request | Ptunnel | Availability, Transmission, Technology
Layer 3 / Network | Tunnel UDP over a TCP connection | UDPTunnel | Availability, Transmission, Technology
Layer 3 / Network | TCP stream | Tcpick | Confidentiality, Transmission, Technology
Layer 3 / Network | TCP/IP | Wireshark | Confidentiality, Transmission, Technology
Layer 3 / Network | RIP | IRPAS | Confidentiality, Transmission, Technology
Layer 3 / Network | IP | DNSenum | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | dnsmap | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | dnsmap-bulk | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | dnstracer | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | Dnswalker | Integrity, Processing, Technology
Layer 3 / Network | IP | Fierce | Integrity, Process, Technology
Layer 3 / Network | ICMP | itrace | Integrity, Processing, Technology
Layer 3 / Network | Packets | lanmap | Integrity, Transmission, Technology
Layer 3 / Network | Load balancing | lbd | Confidentiality, Process, Technology
Layer 3 / Network | IP | Maltego | Confidentiality, Transmission, Technology
Layer 3 / Network | ICMP | netenum | Confidentiality, Process, Technology
Layer 3 / Network | IP | Netmask | Confidentiality, Process, Technology
Layer 3 / Network | IP | protos | Confidentiality, Process, Technology
Layer 3 / Network | Subnets | Autoscan | Confidentiality, Transmission, Technology
Layer 3 / Network | ICMP | fping | Confidentiality, Process, Technology
Layer 3 / Network | Packets | hping2 | Confidentiality, Process, Technology
Layer 3 / Network | ICMP | hping3 | Confidentiality, Process, Technology
Layer 3 / Network | IP | Netdiscover | Confidentiality, Process, Technology
Layer 3 / Network | IP | Nmap | Confidentiality, Process, Technology
Layer 3 / Network | IP | Zenmap | Confidentiality, Process, Technology
Layer 3 / Network | Cisco routers | Cisco OCS Mass Scanner | Integrity, Process, Technology
Layer 3 / Network | Network protocols | SPIKE | Confidentiality, Process, Technology
Layer 2 / Datalink | Packets | Promiscuous mode card and driver | Confidentiality, Transmission, Technology
Layer 2 / Datalink | MAC address | MacChanger | Integrity, Storage, Technology
Layer 2 / Datalink | Datalink traffic | Etherape | Confidentiality, Transmission, Technology
Layer 2 / Datalink | BPDU | BPDU DoS | Availability, Transmission, Technology
Layer 2 / Datalink | BPDU | Flood of Configuration Message BPDUs with TC flag on | Availability, Transmission, Technology
Layer 2 / Datalink | BPDU | Flood of Topology Change Notification BPDUs | Availability, Transmission, Technology
Layer 2 / Datalink | BPDU | Flood of Configuration Message BPDUs claiming root role | Availability, Transmission, Technology
Layer 2 / Datalink | MAC | MAC poisoning attack | Integrity, Storage, Technology
Layer 2 / Datalink | CAM | CAM overflow | Availability, Storage, Technology
Layer 2 / Datalink | STP | Spanning tree attack | Availability, Transmission, Technology
Layer 2 / Datalink | MAC | Macof | Availability, Transmission, Technology
Layer 2 / Datalink | ARP | ARP spoofing | Confidentiality, Transmission, Technology
Layer 2 / Datalink | ARP | ARPd | Availability, Transmission, Technology
Layer 2 / Datalink | Cisco device information | CDP | Confidentiality, Transmission, Technology
Layer 2 / Datalink | STP | Redirection | Availability, Transmission, Technology
Layer 2 / Datalink | MAC address | Spoofed IP 5.1 | Confidentiality, Processing, Technology
Layer 2 / Datalink | VLAN | VLAN hopping | Confidentiality, Transmission, Technology
Layer 2 / Datalink | DHCP | DHCP starvation | Availability, Storage, Technology
Layer 2 / Datalink | DHCP | Gobbler | Availability, Storage, Technology
Layer 2 / Datalink | Layer 2 protocols | Yersinia | Integrity, Transmission, Technology
Layer 2 / Datalink | Packets | Switch spoof | Confidentiality, Transmission, Technology
Layer 2 / Datalink | Layer 2 devices | Not disabling telnet | Integrity, Storage, Technology
Layer 2 / Datalink | Cisco equipment | Not enabling password with secret | Integrity, Storage, Technology
Layer 2 / Datalink | DHCP | DHCP spoofing | Availability, Storage, Technology
Layer 2 / Datalink | EAP | EAP man-in-the-middle attack | Integrity, Transmission, Technology
Layer 2 / Datalink | EAP | EAP session hijacking attack | Availability, Transmission, Technology
Layer 2 / Datalink | Switch | Overload ports to get switches to fail open | Integrity, Transmission, Technology
Layer 2 / Datalink | Cisco equipment | CIScan | Confidentiality, Storage, Technology
Layer 2 / Datalink | MAC | MAC duplication attack | Integrity, Transmission, Technology
Layer 2 / Datalink | VTP | VTP attack | Integrity, Transmission, Technology
Layer 1 / Physical | USB devices | USBView | Confidentiality, Storage, Technology
Layer 1 / Physical | SIP devices | Smap | Confidentiality, Storage, Technology
Layer 1 / Physical | Medium | Tapping | Confidentiality, Storage, Technology
Layer 1 / Physical | Medium | Cutting | Availability,
Layer 1 / Physical | Medium | Electronic interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Microwave interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Cordless phone interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Bluetooth device interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Rogue access points | Confidentiality, Transmission, Technology
Layer 1 / Physical | WiFi | Radio interference | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Homemade frequency generator | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Draft N | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Pre-N Wi-Fi | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | SpymodeX 900 MHz – 2.5 GHz wireless jammer | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Demarctech | Availability, Transmission, Technology
Layer 1 / Physical | 802.11 | FakeAP | Availability, Transmission, Technology
Layer 1 / Physical | 802.11 | Void11 | Availability, Transmission, Technology
Layer 1 / Physical | 802.11 | File2air | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Microwave magnetron-based transmitters | Availability, Transmission, Technology
Layer 1 / Physical | Fingerprint scanner | Impersonating someone’s fingerprint | Integrity, Processing, Technology
Layer 1 / Physical | Hardware | Physical access to server room | Availability, Storage, Technology
Layer 1 / Physical | Voice analyzer | Voice synthesizer | Integrity, Processing, Technology
Layer 1 / Physical | Eye scanner | Impersonating someone’s eye signature | Integrity, Processing, Technology
Layer 1 / Physical | USB | Using USB devices to execute code embedded in them | Integrity, Processing, Technology
Layer 1 / Physical | Sensor devices | Wormhole attack | Integrity, Processing, Technology
Layer 1 / Physical | 802.11 | Prism2 card | Confidentiality, Transmission, Technology
Layer 1 / Physical | Hardware | Stealing hardware | Confidentiality, Storage, Technology
Layer 1 / Physical | Power | Cutting the power | Availability, Process, Technology
Layer 1 / Physical | Environmental control | Changing the environment to cause damage | Availability, Process, Technology
Layer 1 / Physical | Keystrokes | Logging keystrokes | Confidentiality, Transmission, Technology
Layer 0 / Kinetic | Tools | netifera | N/A
Layer 0 / Kinetic | Traffic lights | Phrack | Integrity, Process, Technology
Layer 0 / Kinetic | CPU | Overclock the CPU to the point of failure | Availability, Process, Technology
Layer 0 / Kinetic | Fan speed | Drastically reduce fan speed | Availability, Process, Technology
Layer 0 / Kinetic | Climate control | Disable air conditioning | Availability, Process, Technology
Layer 0 / Kinetic | Fire suppression | Override fire suppression system to activate system | Availability, Process, Technology
Layer 0 / Kinetic | Fire suppression | Override fire suppression system to deactivate system | Availability, Process, Technology
Layer 0 / Kinetic | SCADA systems | Alter SCADA system settings | Integrity, Process, Technology
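The McCumber column of the table above is meant to name one value from each axis of McCumber's cube (security goal, information state, safeguard). The following Python example, added here and not part of the original report, reads pipe-separated rows of the form used above, normalises the variant spellings the table uses (Process, Transmitted) onto the cube's axes, and reports rows that leave an axis out or fall outside layers 0 to 8; the sample rows are constructed from entries in the table.

```python
"""Check OSI-layer / McCumber-cube classifications of tabulated attack tools.

Each row is 'OSI Layer | Technology | Exploit Method | McCumber'.  The McCumber
cell should name one value from each of the cube's three axes; rows that use a
variant spelling are normalised and rows that miss an axis are reported.
"""
import re

# McCumber's cube: one value from each of the three axes.
GOALS = {"confidentiality", "integrity", "availability"}
STATES = {"storage", "processing", "transmission"}
SAFEGUARDS = {"technology", "policy", "human factors"}

# Variant spellings seen in tabulations, mapped to the canonical axis value.
ALIASES = {
    "process": "processing",
    "transmitted": "transmission",
    "policy and practice": "policy",
    "people": "human factors",
}

LAYER_RE = re.compile(r"layer\s*(\d)", re.IGNORECASE)


def normalise(tag):
    """Lower-case, collapse whitespace and apply the alias table."""
    tag = " ".join(tag.strip().lower().split())
    return ALIASES.get(tag, tag)


def parse_mccumber(cell):
    """Return (goal, state, safeguard, problems) for one McCumber cell."""
    if cell.strip().upper() == "N/A":
        return None, None, None, ["no McCumber classification given"]
    parts = [normalise(p) for p in cell.split(",") if p.strip()]
    problems = []
    goal = next((p for p in parts if p in GOALS), None)
    state = next((p for p in parts if p in STATES), None)
    safeguard = next((p for p in parts if p in SAFEGUARDS), None)
    if goal is None:
        problems.append("missing security goal")
    if state is None:
        problems.append("missing information state")
    if safeguard is None:
        problems.append("missing safeguard")
    unknown = [p for p in parts if p not in GOALS | STATES | SAFEGUARDS]
    if unknown:
        problems.append("unknown axis value(s): " + ", ".join(unknown))
    return goal, state, safeguard, problems


def check_row(row):
    """Parse one pipe-separated row; return its normalised fields and problems."""
    cells = [c.strip() for c in row.split("|")]
    if len(cells) != 4:
        return {"row": row, "problems": [f"expected 4 cells, got {len(cells)}"]}
    layer_cell, technology, exploit, mccumber = cells
    problems = []
    m = LAYER_RE.search(layer_cell)
    layer = int(m.group(1)) if m else None
    if layer is None or not 0 <= layer <= 8:
        problems.append(f"unrecognised OSI layer: {layer_cell!r}")
    if not exploit:
        problems.append("empty exploit method")
    goal, state, safeguard, mc_problems = parse_mccumber(mccumber)
    problems.extend(mc_problems)
    return {
        "layer": layer,
        "technology": technology,
        "exploit": exploit,
        "mccumber": (goal, state, safeguard),
        "problems": problems,
    }


def audit(rows):
    """Return {exploit: problems} for every row that does not fit the model."""
    findings = {}
    for row in rows:
        result = check_row(row)
        if result["problems"]:
            findings[result.get("exploit", row)] = result["problems"]
    return findings


# Sample rows constructed from entries in the tabulation above.
SAMPLE_ROWS = [
    "Layer 5/ Session | TCP/IP | Hping | Confidentiality, Transmission, Technology",
    "Layer 7 /Application | SNMP | onesixtyone | Confidentiality, Process, Technology",
    "Layer 6 /Presentation | Kerberos Logins | KerbCrack | Confidentiality, Transmitted, Technology",
    "Layer 7 /Application | SQL | SA Exploiter | ",
    "Layer 1/ Physical | Medium | Cutting | Availability,",
    "Layer 0/ Kinetic | Tools | netifera | N/A",
]

if __name__ == "__main__":
    for exploit, problems in audit(SAMPLE_ROWS).items():
        print(f"{exploit}: {'; '.join(problems)}")
```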

Issues

There did not seem to be many kinetic vulnerabilities or attack tools available.

Conclusion

This lab required the student team to build or modify a virtual lab environment that includes
a Linux machine, Windows Server 2003, Windows XP with no service pack and Windows XP
with Service Pack 3. The student team located and tabulated tools in relation to the OSI model
and McCumber’s cube. Now that this lab has been completed, the student team has a virtual lab environment ready to
conduct labs and the ability to determine which layer of the OSI model and which part of the
McCumber cube each tool affects.

References

Arce, I. & McGraw, G. (2004). Why attacking systems is a good idea. IEEE.

Benzel, T., Braden, R., Kim, D., Neuman, C., Joseph, A., Sklower, K., Ostrenga, R. & Schwab, S. (2006). Experience with DETER: a testbed for security research. IEEE.

Coffin, B. (2003). It takes a thief: ethical hackers test your defenses. Risk Management Magazine.

Du, W. & Mathur, A. (1998). Vulnerability testing of software system using fault injection.

Gula, R. (2001). Broadening the scope of penetration-testing techniques. Enterasys Networks.

Heinen, C., Massengale, R. & Wu, N. (2008). Building a network testbed for internet security research. CCSC.

Holland-Minkley, A. (2006). Cyberattacks: a lab-based introduction to computer security. ACM.

Micco, M. & Rossman, H. (2002). Building a cyberwar lab: lessons learned. Teaching cybersecurity principles to undergraduates. ACM.

Mink, M. & Freiling, F. (2006). Is attack better than defense? ACM.

Ray, H., Vemuri, R. & Kantubhukta, H. (2005). Toward an automated attack model for red teams. IEEE.

10 comments for “Tech 581W Computer Network Operations, Laboratory 1: Team 4”

  1. mvanbode
    June 17, 2009 at 12:02 am

    The group’s abstract was much shorter than the requirements stated. The abstract was basically a short restatement of the first few sentences of the lab statement. The abstract should be a summary of what the lab report is and what is to be accomplished during the laboratory experiment. The next part of the lab report was the literature review. The reviews of the papers were quite short and did not have all of the required items for a literature review. The group did put citations along with page numbers in the reviews of the papers. The literature reviews did state how they relate to the lab, but they were not compared to each other. The next part of the lab report was the steps of the process. This section was lacking for different reasons. First, the steps were not neatly written out for setting up the Citrix environment. Second, there were no screenshots of the process. Last, the research of the tools was not talked about in this section. Other groups went into more detail with their steps of the process or methodology section.
    The next part of the lab report was the table of the tools and how they fit into the OSI model as well as the McCumber cube. The group had unique tools for layer 8, but all of the tools were not part of different categories, but were rather part of the same group. I have to disagree with the placement of some of the layer 8 tools; not all fit into the storage part of the McCumber cube. Some of the tools did not have the McCumber coordinates put into the table. I felt that the table was not complete at the time of submission. For future charts, it would look neater if the groups were put together instead of a different row for each tool. The one part of their table I thought was nice was that they put what the tool exploits. Not many other groups did this in their tables. Layer 0 did not have enough tools. I think some more kinetic tools that do not deal with technology are needed in the table. The group only had one issue with the lab experiment. This was that there were not enough kinetic tools. This was part of the research that the group was supposed to do for this lab experiment. The issues could have been elaborated on more than just what was stated. The conclusion was weak. It looks like the conclusion was just copied and pasted from the abstract. With all of the research and work done with the lab experiment, a conclusion should have been reached. This lab report was missing an important section: findings and answering of the questions. Not only were the questions that were given to us not answered, but the questions were never mentioned in the group’s lab report.

  2. Borton
    June 17, 2009 at 12:57 am

    The formatting of the group’s submission makes it very difficult to follow. There are numerous spelling and grammar errors that make it extremely difficult to absorb the message. Inconsistent formatting and odd changes in voice add to the confusion. I recommend seeking an outside party to edit before submitting next time.
    There needs to be more depth to the content. It’s good that the group attempted to relate the literature review to the lab, but what are your thoughts about the papers? You lay out the tools in a very readable table, but you never really explain what it means. Are there more tools in one area than another? Are certain aspects of McCumber’s cube more heavily attacked? Why? The conclusion states “We did this” but it doesn’t really say what benefit there was to it.

  3. shumpfer
    June 17, 2009 at 3:01 am

    When reviewing this lab, the first thing noticed was that the lab could have been cleaned up and formatted better. After reading the lab multiple times, it almost felt like something was missing. The abstract and conclusion sounded like a reiteration of each other. The abstract almost came off monotone and split up. One thing that made it feel this way is the formatting of the post. I do not believe this was an intentional act, but in the future try to go back and make sure that it is not only informative but put together to fit the formatting of the blog. The conclusion could have included the students’ experience and what they gained from the lab. Next, the article reviews were nice in that they did relate them to the lab. What they can do to improve them in the future is to not separate how it relates but combine and make the reviews sound more cohesive. One thing that did stick out, though, was when they stated that there would be no politics, emotions, or fratricide involved with the lab environment. When people work together on any project there will always be human emotion towards the work that is done. Also, sometimes things happen within groups even though the group member may not have wanted it that way. Also, no matter how hard one may try, politics cannot be avoided; it is just part of human interaction and part of working together. I can see how one hopes that these would not be a factor, but it is something that is dealt with in every team, large and small. Next they go on to describe the components of the lab environment and show the operating systems and the addressing they used for each system. They did say they used preloaded operating systems. In the future this needs to be clarified as to whether they are virtual machines or something different. One thing that can be improved is having a diagram of the system; this will help with the presentation and how people view what has been done. The table at first glance does what it is supposed to do, but it seems cluttered and overwhelming to anyone reading it. In addition, the table formatting looks off: the font differs in places and the alignment of each of the cells is also off. Another thing with the table is not to forget to reference any tools that they have put into their lab. Overall the team did do a good job of explaining what was to be done, and they also had a good understanding of the subject matter. In the future better organization will help the group get the reader more interested and not distracted by little errors. Every group is not going to be perfect, but this is part of our learning and we will be able to improve from the comments that will help each other refine the labs and give a better end product.

  4. nbakker
    June 17, 2009 at 9:30 am

    The fourth team, like teams one and three, presented a complete lab; however, there were some issues that stood out right away. While the lab did meet most of the requirements of the syllabus, the first immediate issue was in the lab formatting. The syllabus clearly pointed out that copy/paste straight from Microsoft Word should be avoided as MSO tags are included “behind the scenes” and affect the formatting of the lab once submitted through WordPress. It is immediately apparent that advice was not heeded by team four. Team four’s lab is formatted badly in the opening paragraphs, but does seem to improve shortly after that. The abstract, however, is lacking per the direction of the syllabus. The lab format seems to be that of an undergraduate lab, rather than a graduate student lab report, and lists steps of the process twice, while neglecting to place methods anywhere in the lab report. The issues section does not agree with any of the other lab reports, and that leads it to be suspect. The questions that are asked in the lab 1 guide are apparently missing, and the taxonomy, while complete for layers 1 through 7, does not really agree with the other lab reports for layers zero and eight, again leading them to be slightly suspect. What could be considered a methods section is the second listing of steps of the process, and there the level of detail is lacking. While the technical information provided is both complete and matching as per the other labs, no thought is given to how the taxonomy was completed or how questions will be answered. The literature review itself is rather complete, and does aim to answer all of the literature review questions in the syllabus. This is done through an evaluation of each individual reading followed by a few sentences detailing how it answers the literature review questions, and how it fits into the technical aspects of the lab.
    What is lacking here is cohesion: with each reading analyzed separately, it does not create a well thought out evaluation and analysis of the state of the body of the literature. Team four does seem to agree with the other labs in areas of layers 1 through 7 of the taxonomy, as well as the steps taken to set up the VMware based lab environment, such as assigned IP addresses, as per the syllabus and lab guide. The technical merit of team four’s position is hard to judge objectively as the technical aspects of this lab are rather simple, and as with the other lab reports, very much the same. Team four’s approach to completing the lab is much like team one’s approach and not much like team three or five’s approach in terms of literature review and methods. Where improvements can be made is in lab formatting as well as better cohesion of the literature review. This team could benefit from a better understanding of the syllabus and, like the other teams, as this is the first lab in this class, team communication. Including a methods section would also be helpful in the future.

  5. June 17, 2009 at 9:40 am

    The formatting of the text in this post contains lots of odd line breaks, which make it very difficult to read. Another section contained what looked like improperly formatted code from the import, as well as randomly capitalizing all of the letters in the title of each article, also adding to the difficulty of reading this report.
    The literature review lacked cohesion between the various topics of the lab exercises and instead broke up the reviews into individual summaries of each of the articles with a paragraph afterward on how it related to the lab exercises. A standard Word spelling check of just the literature review revealed 13 spelling errors. None of the reviews contained any sort of opinion by the authors of the report on whether or not they agreed with the stances the articles took. In one of the reviews the stance is taken that many of the tool authors use “overblown rhetoric about the lethality of their tools.” Some examples of this would have been interesting to see, along with the author’s opinion on why that particular tool wasn’t as lethal as the author was claiming.
    The OSI/McCumber table has some formatting issues and contains an extraneous column for “Technology” which often contained data that was fairly obvious (though not always), and the text was not always formatted similarly (some centered, some left aligned). One major omission in this section was the inclusion of links to any of the tools. This would’ve helped anyone desiring further information about the tool. Some of the tools listed in the table, “spanning tree attack” for instance, aren’t actually tools; they’re just nondescript attacks that one might perpetrate using tools. For the purposes of this exercise we were supposed to identify specific tools. Another issue with the table is in layer one where, describing attacks against WiFi, the data in the technology column switches from WiFi to 802.11. Aren’t these the same thing? Further along in this section a Prism2 card is mentioned as an attack tool. How so? Isn’t this just a wireless card chipset? In layer zero, Phrack is mentioned as a tool against traffic lights. Is “Phrack” referencing a tool or the magazine? Directly following that is “overclock CPU to the point of failure.” Is there a tool to do this remotely (which would be really cool)? “Drastically reduc[ing] fan speed” could be the result of an attack using a tool such as a type of aerosol spray; reducing the speed would be the desired effect.
    The issues section was very weak, and with some of the post’s formatting issues I find it hard to believe that the only problem encountered was a lack of tools for layer zero attacks. The conclusions section was also incomplete. Simply restating the lab exercises and stating that they were completed doesn’t show what was learned or taken away from the lab exercises. Primarily the takeaway from viewing the threat taxonomy in relation to the questions asked by the professor for the lab assignment

  6. mafaulkn
    June 17, 2009 at 10:42 am

    Team 4’s abstract was too short and didn’t provide enough summary of what the lab exercise was to entail. The reviews of their articles were a bit short but did seem to tie them back to the lab exercise. The steps of the set-up process were indicated, but again Nick did such a good job of documenting the process that I think they should have used his screen shots and then provided an overview of what they thought of the set-up process. There were apparent spelling and grammar errors as well as formatting errors. The research of the tools was not talked about. The other groups went into more detail. The table of the tools and how they tied together into the OSI model and McCumber cube was hard to follow. Perhaps it was the formatting. In the future they may be better served to group the tools and layer together to better organize the chart. Their conclusion was inadequate. One should have been reached given that this was research. The issue section could have been expanded beyond what they discussed.

  7. gdekkerj
    June 17, 2009 at 10:54 am

    My initial impressions of this lab write-up: the literature review was excellent. I feel that the literature review did an exceptional job of picking out the key points of the articles, and then relating them to the lab exercise. It is my belief that a ‘literature review’ is intended to examine and evaluate content, not necessarily style or conformance to document standards: in this regard I judged this review to be right on target. I was also impressed with the way the tool chart was composed. The additional ‘Technology’ heading which defined the entity/protocol which was being targeted was definitely a nice touch. I might suggest a different heading rather than ‘Technology’ however, as this leads to some confusion in regards to the McCumber classification system. Perhaps something more general like ‘Target’ might be in order. Additionally, it appeared to me that the tool classification was well researched, and the McCumber classifications done in a logical fashion.

    Now, however, I must address some of the problems with this write-up. The most obvious flaw is the omission of answers to the lab questions. This is extremely unfortunate, as these answers provide one of the primary means by which the lab can be discussed in a ‘positive’ way (i.e. five hundred words arrives rather quickly). Even worse, there is absolutely no discussion of the results of the lab. Equally bad (especially when accompanied by the previous deficiencies) is the simple hand-wave given to the problems section. So then, the question arises: what, if anything at all, is there to discuss about the write-up of this lab? It certainly puts peer reviewers in a difficult position, as most likely the only approach to gaining the required word count is to ramble on about nothing at all, or to nit-pick and blow rather minor flaws (left unmentioned if further material was available to discuss) well out of proportion. I recall that one of the other groups mentioned that ‘fratricide’ in the pen-testing sense was unlikely to be an issue in this lab group setup, but it does make one wonder if other forms of ‘fratricide’ could be encountered because of certain requirements and built-in factors associated with this class. I would plead that in the future, for everyone’s sake, more attention be paid to ‘what’ should be included in the lab write-up.

    So let’s begin then, shall we? I found that the lab was poorly transferred and/or formatted with respect to posting on the blog. Obvious issues with word wrapping made the write-up very difficult to follow because of the uneven line length. Additionally, some spaces were missing, especially in the literature review, which made the run-together words difficult to decipher: this was at the very least distracting. Additionally, I found the double ‘Steps of the Process’ heading to be distracting. Furthermore, it appeared to me that when the ‘Steps of the Process’ were spelled out, very little was said about what was actually done. Finally, through the lens of paranoia, the wisdom of posting so much information about one’s penetration testing setup might be in doubt. In reality, with so much unknown about future lab exercises, is it not possible that the lab teams will be pitted against each other (red team versus blue team configurations)? This might be a substantial disadvantage to this team, as the machines would need to be reconfigured so that the published information could not be used against them (a bit of a stretch perhaps, but something to consider).

  8. chaveza
    June 17, 2009 at 1:34 pm

    In the abstract and in some of the literature review, the formatting seems to be off and distracting. The group seemed to fail to mention any link statement to the literature review from the abstract. In the literature review they did relate the review back to the lab assignment. Under setting up the environment it is stated that the team used the preloaded operating systems that were on Citrix and the only preparations were to create the static IP addresses for the machines. All the virtual machines seem to be consistent except for the Linux virtual machine. The groups were given Debian, yet the Linux virtual machine is stated as Linux Kubuntu. Also stated are an Active Directory domain name, DNS domain name, and a NetBIOS name. The NetBIOS name is for which box? Was another virtual machine created to be a domain controller? As previously stated, the only setup was adding static IP addresses to the virtual machines. Then the usernames and passwords were given for the Linux Kubuntu and Windows Server 2003.

  9. dkender
    June 17, 2009 at 2:48 pm

    Group 4 put together a very good document. There are some areas that I particularly liked. One is the Technology column that was placed in the OSI classification grid. For each attack tool they placed the attack vector, which justifies the tool’s placement in that layer of the OSI model.

    Another good point that the author mentioned was isolating the DETER testbed to prevent malicious code from escaping, and that testbed artifacts must be taken into consideration when analyzing the data obtained from the tests.

    I agree that “broadening the scope of penetration testing” addresses many areas that may be overlooked in “real world” penetration testing. Since we are conducting our penetration testing in a laboratory environment, the article only serves to explain additional exploits that we may use (or may be used against us) during our experiments. It also gives us some foresight into the issues that we may encounter in real world penetration testing.

    I do have an area of contention with a statement made in this document, however, concerning the article “Vulnerability Testing of Software”. Group 4 relates this to the lab as “…it is unwise to make assumptions about the behavior of the tools that will be used in the virtual machines…”. The fault injection paper addressed software design that may contain vulnerabilities when the environment is outside the scope expected by the program. I believe that article was in our readings as a possible exploit target and not as a limitation of testing tools.

    It was a very good description of the DETER lab. I agree that, although we are not going to work with internet worms per se, our labs may exploit some of the same vulnerabilities that internet worms exploit. As such, I believe that having an isolated lab with disposable operating systems is a good idea.

    The article does address the issue that there are not many attack tools for kinetic vulnerabilities. Although there may not be any tools specifically listed for kinetic vulnerabilities, that does not mean that it is not vulnerable. For example, in theory any of the above listed tools that would allow a hacker administrative access to the application controlling the kinetic device may also allow kinetic control of that device.

    All things considered, I believe this document is extremely well written and very detailed. There were only some minor points that I disagreed with.

  10. prennick
    June 17, 2009 at 4:21 pm

    I think that group 4’s write-up for lab 1 was good in many areas but poor in others. The abstract for this lab was very short and didn’t sum up the lab. The literary review was adequate, but did not answer all of the required questions. The group should have discussed whether or not they agreed with each reading. All of the citing for the literary review was done well and the page numbers for the references were also included. The setup portion of the lab describing the networking of the machines was short, missing steps/information and was oddly formatted. The group did not indicate how they configured networking on their virtual machines. The table containing the penetration testing tools was very good in many areas because they applied many tools and techniques not added by other groups. However, many tools and techniques had no place in the table and were already covered by other entries (“getting them drunk or high”?). The issues and problems section could have had a lot more depth. The conclusion for this lab was weak at best. The odd formatting and several grammatical errors definitely took away from the overall professionalism of the lab.
