Tech 581W Computer Network Operations, Laboratory 1: Team 4

Abstract

This lab requires the student team to build or modify a virtual lab environment that includes a Linux system, Windows Server 2003, Windows XP with no service pack and Windows XP with Service Pack 3. The student team will locate and tabulate tools in relation to the OSI model and McCumber’s cube.

When this lab has been completed, the student team will have a virtual lab environment ready to conduct labs and the ability to determine which tools affect which layer of the OSI model and which cell of the McCumber cube.

Steps of the Process

Literature review

In the article Experience with DETER: A Testbed for Security Research, the cyber-DEfense Technology Experimental Research (DETER) test bed was created to meet the need to test new theories and new technologies in realistic scenarios in an experimental infrastructure (Benzel, Braden, Kim, Neuman, Joseph & Sklower, 2006, p.2). Because of the threats present in some of the experiments, the DETER test bed was isolated from the Internet (Benzel et al., 2006, p.2).

The article relates to the lab because it describes a test environment for experimenting with potentially dangerous programs that must be kept isolated from the public Internet, just like the lab environment that we have created within virtual machines. The article also relates to the lab in that it notes that virtual environments introduce artifacts that must be taken into consideration (Benzel et al., 2006, p.3).

The article It Takes a Thief: Ethical Hackers Test Your Defenses explained the significance of ethical hacking: it locates vulnerabilities using the same techniques attackers use, so that corrective action can be taken to mitigate them (Coffin, 2003, p.1). Services performed by ethical hackers include external network hacking, internal network hacking, application testing, wireless LAN assessment, war dialing, social engineering and trashing (Coffin, 2003, p.2). The article also pointed out that ethical hacking is not an end-all, be-all, for it is only able to detect the vulnerabilities present at the time of the test (Coffin, 2003, p.3).

The article relates to the lab and to the course in that students are to use tools and techniques that are commonly used by attackers to find vulnerabilities in different systems so the vulnerabilities could be identified and mitigated.

The article Vulnerability Testing of Software System Using Fault Injection pointed out that programmers tend to make assumptions about the environment in which their applications will function. When these assumptions hold, the application is likely to behave appropriately (Du & Mathur, 1998, p.2). However, because the environment, as a shared resource, can often be agitated by other subjects, especially malicious users, these assumptions might not be true (Du & Mathur, 1998, p.2).

This article relates to the lab in that it is unwise to make assumptions about the behavior of the tools that will be used in the virtual machines, or about the virtual environment itself.

The article Broadening the Scope of Penetration-Testing Techniques addresses shortcomings of penetration testing: such methods are not thorough enough and leave many aspects of a network untested (Gula, 2001, p.1). The article pointed out the complexity of being allowed to perform penetration tests, due to the politics of the organization and the potential of stumbling onto confidential information (Gula, 2001, p.4). The article addressed the human factor of penetration testing in that administrators might harden system components before a penetration test to make the network seem more secure, and staff members could get emotional about the discovered vulnerabilities (Gula, 2001, p.4). The article brought up the concept of fratricide, or conducting vulnerability tests on network segments that were not intended for penetration testing, due to operator error (Gula, 2001, p.5).

This article does not directly relate to the lab because the labs will be conducted in a test environment, and are thus free from the politics, emotions, and potential for fratricide that would occur if our penetration tests were run on operational networks.

The article Cyberattacks: A Lab-Based Introduction to Computer Security described a class called Cyberattacks at a liberal arts college that taught students about the vast number of vulnerabilities that affect computing. The labs in the class gave students specific instructions on exposing lab machines to various exploits, required them to document the results, and required them to recover from the damage (Holland-Minkley, 2006, p.40).

The article followed a similar train of thought to the lab and course in that the students use tools used by attackers to gain a better understanding of security. However, creating viruses goes a little too far for a penetration test, for the idea is to find vulnerabilities, not destroy the system.

The article Is Attack Better Than Defense? Teaching Information Security the Right Way followed the premise that teaching students offensive techniques makes better security students than teaching them only defensive techniques (Mink & Freiling, 2006, p.44). The authors dismissed the claim that offensive methods should not be taught to students because this only increases the population of “malicious hackers”, which would not raise but rather decrease the overall level of security on the Internet (Mink & Freiling, 2006, p.45). This was dismissed because the authors concluded that any security technique can be simultaneously used and abused (Mink & Freiling, 2006, p.45). The authors created environments where the security classes were broken up into teams, and one team used offensive techniques while the other used defensive techniques to test their security skills (Mink & Freiling, 2006, p.46).

This article relates to the lab in that the student is given the opportunity to learn about and use offensive security techniques to locate and mitigate vulnerabilities in systems as opposed to relying strictly on defensive techniques.

The article Building a Cyberwar Lab: Lessons Learned. Teaching Cybersecurity Principles to Undergraduates described a security lab environment that allowed students to use both offensive and defensive security techniques by splitting up into two teams, one on defense and the other on offense.

This article differs from the lab in that our students are to focus more on the offensive security techniques required for penetration testing than on defensive techniques. However, defensive techniques would be of great importance in mitigating the vulnerabilities identified by the offensive techniques.

The article Building a Network Testbed for Internet Security Research described a networked test system built for Internet worm detection. The goal of the system was to simulate a global network containing heterogeneous systems, so that the behaviors of various worms could be studied and effective strategies for predicting, detecting, and quarantining outbreaks could be designed (Heinen, Massengale, & Wu, 2008, p.73). Virtualized environments form a caged environment that allows one to prod and poke malicious software to gather data (Heinen et al., 2007, p.74). The authors chose a virtual environment for their research on worms because virtualization allows both a higher-accuracy simulation of the real world with limited hardware resources and analysis of diverse worm outbreaks and propagations in a controlled environment (Heinen et al., 2007, p.75).

This article relates to the lab in that it also used a virtualized environment to test the effects of software that could be malicious. However, the study of worms goes beyond the intent of the lab and course, for our objective is to locate vulnerabilities in systems, not to study the behavior of worms.

The article Toward an Automated Attack Model for Red Teams emphasized the importance of red teaming, which the article described as the practice of attacking systems to better understand how to defend them (Ray, Vemuri & Kantubhukta, 2005, p.18). Red teams must clearly classify an attacker’s inner workings, consider all points of interest, and map decision criteria to replicate the attack (Ray et al., 2005, p.18). Red-team members must understand the adversary’s goals, values, and limitations, all from the adversary’s perspective (Ray et al., 2005, p.18). To effectively attack their own systems, the team must act like the attacker, including using the same resources and knowledge (Ray et al., 2005, p.18).

This article relates to the lab in that the student team will try to perform the same actions as a red team within the virtualized environment that has been created and modified. The student team was able to determine the mindset of attackers by visiting websites that contained downloadable attack tools as well as their overblown rhetoric about the lethality of their tools.

In the article Why Attacking Systems Is a Good Idea, a brief history of attack tools was given. The article recommended that red team exercises be grounded in risk analysis, and noted that they can be designed to raise the bar slowly and systematically over time, improving a target’s security posture as they unfold (Arce & McGraw, 2004, pp.18-19). The article also pointed out that most of the people defending computer systems today are not programmers, but most of the people attacking our systems are (Arce & McGraw, 2004, pp.18-19).

This article relates to the lab in that it is important for us to study how various exploits and vulnerabilities are used to gain control of a computer. It is important to teach classes on how to do penetration tests to make sure that our systems are safe and secure. In this class we are learning how to red team a computer network and perform penetration tests on different types of environments.

Steps of the Process
Setting up the environment

The team used the preloaded operating systems on Citrix, so the only preparation required was to assign static IP addresses to the different machines. The following are the team’s IP addresses and other system information:

Win XP SP3 – 192.168.4.1
Linux Kubuntu – 192.168.4.2
Win XP SP0 – 192.168.4.3
Win Server 2003 – 192.168.4.4

Active Directory domain name: TECH581WGrp.local
DNS domain name: TECH581WGrp4.local
NetBIOS name: TECH581WGRP4

User names and passwords:
Linux kubuntu – UN: Administrator  PASS: Pa88word
Win Server 2003 – UN: Administrator PASS: Pa88word

OSI Layer | Technology | Exploit Method | McCumber
Layer 8 / People | | Threat | Confidentiality, Storage, Human Factors
Layer 8 / People | | Extortion | Confidentiality, Storage, Human Factors
Layer 8 / People | | Con | Confidentiality, Storage, Human Factors
Layer 8 / People | | Seduction | Confidentiality, Storage, Human Factors
Layer 8 / People | Printed data | Dumpster diving | Confidentiality, Storage, Human Factors
Layer 8 / People | | Espionage | Confidentiality, Storage, Human Factors
Layer 8 / People | | Force | Confidentiality, Storage, Human Factors
Layer 8 / People | | Bribe | Confidentiality, Storage, Human Factors
Layer 8 / People | | Torture | Confidentiality, Storage, Human Factors
Layer 8 / People | | Masquerade as employee | Confidentiality, Storage, Human Factors
Layer 8 / People | | Follow company employees on social networking sites | Confidentiality, Storage, Human Factors
Layer 8 / People | | Locate terminated employees | Confidentiality, Storage, Human Factors
Layer 8 / People | | Team up with other hackers | Confidentiality, Storage, Human Factors
Layer 8 / People | | Fear tactics | Confidentiality, Storage, Human Factors
Layer 8 / People | | Deception | Confidentiality, Storage, Human Factors
Layer 8 / People | | Scopolamine | Confidentiality, Storage, Human Factors
Layer 8 / People | | Sodium pentothal | Confidentiality, Storage, Human Factors
Layer 8 / People | | Screen watching | Confidentiality, Storage, Human Factors
Layer 8 / People | | Shoulder surfing | Confidentiality, Storage, Human Factors
Layer 8 / People | | Look at post-it notes for passwords | Confidentiality, Storage, Human Factors
Layer 8 / People | | Get them drunk or high | Confidentiality, Storage, Human Factors
Layer 8 / People | | Locate naïve employees | Confidentiality, Storage, Human Factors
Layer 8 / People | | Plant an insider | Confidentiality, Storage, Human Factors
Layer 8 / People | | Place target under surveillance | Confidentiality, Storage, Human Factors
Layer 8 / People | | Pretexting | Confidentiality, Storage, Human Factors
Layer 8 / People | | Baiting | Confidentiality, Storage, Human Factors
Layer 8 / People | | Quid pro quo | Confidentiality, Storage, Human Factors
Layer 8 / People | | Casual inquiry about passwords | Confidentiality, Storage, Human Factors
Layer 8 / People | | Pick up the names of sensitive systems and secret projects | Confidentiality, Storage, Human Factors
Layer 8 / People | | Flatter | Confidentiality, Storage, Human Factors
Layer 7 / Application | HTTP | Crackwhore | Integrity, Processing, Technology
Layer 7 / Application | User settings | Spyware | Confidentiality, Processing, Technology
Layer 7 / Application | HTTP | Burp Scanner | Integrity, Storage, Technology
Layer 7 / Application | SQL | SA Exploiter |
Layer 7 / Application | Log | Clearlogs | Availability, Storage, Technology
Layer 7 / Application | File | Wipe | Availability, Storage, Technology
Layer 7 / Application | VoIP registration | Erase_registration | Integrity, Storage, Technology
Layer 7 / Application | VoIP software | VoIPER | Integrity, Processing, Technology
Layer 7 / Application | Software | GDB GNU Debugger | Confidentiality, Processing, Technology
Layer 7 / Application | File recovery | Foremost | Availability, Storage, Technology
Layer 7 / Application | File recovery | Magic Rescue | Availability, Storage, Technology
Layer 7 / Application | E-mail | Mboxgrep | Confidentiality, Storage, Technology
Layer 7 / Application | File | Scalpel | Confidentiality, Storage, Technology
Layer 7 / Application | Thumbs.db files | Vinetto | Confidentiality, Storage, Technology
Layer 7 / Application | Keyboard | Xspy | Confidentiality, Processing, Technology
Layer 7 / Application | Application/system resources | Application flooding | Availability, Storage, Technology
Layer 7 / Application | HTTP | Gooscan | Integrity, Processing, Technology
Layer 7 / Application | Metadata | MetaGooFil | Confidentiality, Storage, Technology
Layer 7 / Application | Search engine databases | SEAT | Confidentiality, Storage, Technology
Layer 7 / Application | SNMP | 5NMP | Integrity, Processing, Technology
Layer 7 / Application | SNMP | onesixtyone | Confidentiality, Processing, Technology
Layer 7 / Application | KDE | Smb4k | Confidentiality, Processing, Technology
Layer 7 / Application | Insecure registered application | DIRE | Confidentiality, Storage, Technology
Layer 7 / Application | Buffers and strings | BED | Integrity, Processing, Technology
Layer 7 / Application | Browsers | bf2 | Integrity, Processing, Technology
Layer 7 / Application | Fuzzer for C programs | Bunny | Integrity, Processing, Technology
Layer 7 / Application | Web applications | JBroFuzz | Integrity, Processing, Technology
Layer 7 / Application | Web apps, SQL, .NET, etc. | Peach | Integrity, Processing, Technology
Layer 7 / Application | HTTP SOAP | WSFuzzer | Integrity, Processing, Technology
Layer 7 / Application | Applications | zzuf | Integrity, Processing, Technology
Layer 7 / Application | SNMP | ADMsnmp | Integrity, Storage, Technology
Layer 7 / Application | SNMP | Snmpcheck | Confidentiality, Processing, Technology
Layer 7 / Application | SNMP | SNMPEnum | Confidentiality, Storage, Technology
Layer 7 / Application | SNMP | Snmpwalk | Confidentiality, Storage, Technology
Layer 6 / Presentation | Kerberos logins | KerbCrack | Confidentiality, Transmission, Technology
Layer 6 / Presentation | File system/volumes | Autopsy | Confidentiality, Storage, Technology
Layer 6 / Presentation | Recover syskey bootkey | Bkhive | Availability, Storage, Technology
Layer 6 / Presentation | Password | CUPP | Confidentiality, Storage, Technology
Layer 6 / Presentation | Password | John the Ripper | Confidentiality, Storage, Technology
Layer 6 / Presentation | Hashes | RainbowCrack | Confidentiality, Storage, Technology
Layer 6 / Presentation | Windows password hashes | Samdump2 | Confidentiality, Storage, Technology
Layer 6 / Presentation | Password | Wyd | Confidentiality, Storage, Technology
Layer 6 / Presentation | sshd password | BruteSSH | Confidentiality, Storage, Technology
Layer 6 / Presentation | Network logon | Hydra | Confidentiality, Storage, Technology
Layer 6 / Presentation | Passwords on Lotus Domino web server system | Lodowep | Confidentiality, Storage, Technology
Layer 6 / Presentation | Login | Medusa | Confidentiality, Storage, Technology
Layer 6 / Presentation | Login to SSH server | SSHatter | Confidentiality, Storage, Technology
Layer 6 / Presentation | Windows passwords | chntpw | Confidentiality, Storage, Technology
Layer 6 / Presentation | Network traffic | dsniff | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Windows authentication | SmbRelay3 | Confidentiality, Storage, Technology
Layer 6 / Presentation | SSL | SSL man-in-the-middle attack | Confidentiality, Transmission, Technology
Layer 6 / Presentation | SSL | ssldump | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Keys | Aircrack-ng | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Passwords | Airsnarf | Confidentiality, Transmission, Technology
Layer 6 / Presentation | Application protocols | Amap | Confidentiality, Processing, Technology
Layer 6 / Presentation | Web server | httprint | Confidentiality, Processing, Technology
Layer 6 / Presentation | Web server | HTTSquash | Confidentiality, Processing, Technology
Layer 6 / Presentation | IPsec VPN servers | ike-scan | Confidentiality, Processing, Technology
Layer 6 / Presentation | Keys | psk-crack | Confidentiality, Processing, Technology
Layer 6 / Presentation | Cisco routers | Cisco Auditing Tool | Integrity, Processing, Technology
Layer 6 / Presentation | Cisco IOS | Cisco Global Exploiter | Integrity, Processing, Technology
Layer 6 / Presentation | Cisco router passwords | Cisco Passwd Scanner | Integrity, Processing, Technology
Layer 6 / Presentation | Windows Server | enum | Confidentiality, Storage, Technology
Layer 6 / Presentation | Windows Server | winfo | Confidentiality, Storage, Technology
Layer 5 / Session | VoIP usernames | EnumIAX | Confidentiality, Storage, Technology
Layer 5 / Session | VoIP authentication | SIPdump | Confidentiality, Storage, Technology
Layer 5 / Session | TCP/IP | Hping | Confidentiality, Transmission, Technology
Layer 5 / Session | RTP | RTP DoS | Availability, Transmission, Technology
Layer 5 / Session | TCP | Blind hijacking | Availability, Transmission, Technology
Layer 5 / Session | UDP | Session hijacking | Availability, Transmission, Technology
Layer 5 / Session | SQL | SA Exploiter | Integrity, Processing, Technology
Layer 5 / Session | ICMP | ICMP reset | Availability, Transmission, Technology
Layer 5 / Session | NetBIOS | nbtscan | Confidentiality, Processing, Technology
Layer 5 / Session | SSL | SSLScan | Confidentiality, Processing, Technology
Layer 5 / Session | DCE-RPC | Blaster | Availability, Processing, Technology
Layer 5 / Session | DCE-RPC | Sasser | Availability, Processing, Technology
Layer 5 / Session | VPN | IKECrack | Integrity, Processing, Technology
Layer 5 / Session | VPN | IKE UDP DoS attack | Availability, Processing, Technology
Layer 5 / Session | RPC | ToolTalk attack | Integrity, Processing, Technology
Layer 5 / Session | RPC | snmpXdmid attack | Integrity, Processing, Technology
Layer 5 / Session | RPC | rstatd vulnerability | Confidentiality, Processing, Technology
Layer 5 / Session | RPC | Showmount request | Confidentiality, Processing, Technology
Layer 5 / Session | RPC | rpc.cmsd exploit | Integrity, Processing, Technology
Layer 5 / Session | RPC | cachefsd exploit | Integrity, Processing, Technology
Layer 5 / Session | RPC | Sun RPC Auditor | Integrity, Processing, Technology
Layer 5 / Session | SSL | IIS PCT/SSL exploit | Integrity, Processing, Technology
Layer 5 / Session | IDS | Snort attack | Integrity, Processing, Technology
Layer 5 / Session | LAN hijack | Ettercap | Confidentiality, Transmission, Technology
Layer 5 / Session | TCP | Hunt | Confidentiality, Transmission, Technology
Layer 5 / Session | TCP | Juggernaut | Confidentiality, Transmission, Technology
Layer 5 / Session | Sniffing | T-Sight | Confidentiality, Transmission, Technology
Layer 5 / Session | SID | Session fixation | Confidentiality, Processing, Technology
Layer 5 / Session | Online sessions | Online session phishing | Confidentiality, Transmission, Technology
Layer 4 / Transport | Packets | NetSed | Integrity, Transmission, Technology
Layer 4 / Transport | TCP | TCP SYN attack | Availability, Transmission, Technology
Layer 4 / Transport | SSL | SSL man-in-the-middle attacks | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | Land attack | Availability, Transmission, Technology
Layer 4 / Transport | UDP | UDP flood attack | Availability, Transmission, Technology
Layer 4 / Transport | TCP | Port scan attack | Confidentiality, Transmission, Technology
Layer 4 / Transport | UDP | Port scan attack | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | TCP sequence prediction attack | Availability, Transmission, Technology
Layer 4 / Transport | TCP | TCP loopback DoS attack | Availability, Transmission, Technology
Layer 4 / Transport | UDP | UDP port diagnostic attack | Availability, Transmission, Technology
Layer 4 / Transport | Packets | Scapy | Integrity, Transmission, Technology
Layer 4 / Transport | UDP | UDP spoofing | Integrity, Transmission, Technology
Layer 4 / Transport | TCP | TCP spoofing | Integrity, Transmission, Technology
Layer 4 / Transport | TCP | The Middler | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | Trin00 | Availability, Processing, Technology
Layer 4 / Transport | TCP | Teardrop | Availability, Processing, Technology
Layer 4 / Transport | TCP | 0trace | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP | tcptraceroute | Integrity, Processing, Technology
Layer 4 / Transport | TCP SYN | tctrace | Integrity, Processing, Technology
Layer 4 / Transport | TCP | LetDown | Integrity, Processing, Technology
Layer 4 / Transport | OS fingerprinting | p0f | Confidentiality, Processing, Technology
Layer 4 / Transport | Ports | procecia | Confidentiality, Processing, Technology
Layer 4 / Transport | TCP | Unicornscan | Confidentiality, Processing, Technology
Layer 4 / Transport | OS fingerprinting | Xprobe2 | Confidentiality, Processing, Technology
Layer 4 / Transport | Ports | Netcat | Availability, Transmission, Technology
Layer 4 / Transport | Internet connection | Stacheldraht | Availability, Transmission, Technology
Layer 4 / Transport | IP | Fragroute | Availability, Transmission, Technology
Layer 4 / Transport | TCP/UDP | Fport | Confidentiality, Transmission, Technology
Layer 4 / Transport | TCP/UDP | Attacker | Confidentiality, Transmission, Technology
Layer 4 / Transport | UDP | UDPFlood | Availability, Transmission, Technology
Layer 3 / Network | Sub-domains | ReverseRaider | Confidentiality, Processing, Technology
Layer 3 / Network | TCP connections through DNS traffic | Dns2tcp | Availability, Transmission, Technology
Layer 3 / Network | IPv6 tunneling | Miredo | Availability, Transmission, Technology
Layer 3 / Network | IP through DNS | NSTX | Availability, Transmission, Technology
Layer 3 / Network | Tunnel TCP connections to a remote host via ping request | Ptunnel | Availability, Transmission, Technology
Layer 3 / Network | Tunnel UDP over a TCP connection | UDPTunnel | Availability, Transmission, Technology
Layer 3 / Network | TCP stream | Tcpick | Confidentiality, Transmission, Technology
Layer 3 / Network | TCP/IP | Wireshark | Confidentiality, Transmission, Technology
Layer 3 / Network | RIP | IRPAS | Confidentiality, Transmission, Technology
Layer 3 / Network | IP | DNSEnum | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | dnsmap | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | dnsmap-bulk | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | dnstracer | Confidentiality, Storage, Technology
Layer 3 / Network | DNS | Dnswalker | Integrity, Processing, Technology
Layer 3 / Network | IP | Fierce | Integrity, Processing, Technology
Layer 3 / Network | ICMP | itrace | Integrity, Processing, Technology
Layer 3 / Network | Packets | lanmap | Integrity, Transmission, Technology
Layer 3 / Network | Load balancing | lbd | Confidentiality, Processing, Technology
Layer 3 / Network | IP | Maltego | Confidentiality, Transmission, Technology
Layer 3 / Network | ICMP | netenum | Confidentiality, Processing, Technology
Layer 3 / Network | IP | Netmask | Confidentiality, Processing, Technology
Layer 3 / Network | IP | protos | Confidentiality, Processing, Technology
Layer 3 / Network | Subnets | Autoscan | Confidentiality, Transmission, Technology
Layer 3 / Network | ICMP | fping | Confidentiality, Processing, Technology
Layer 3 / Network | Packets | hping2 | Confidentiality, Processing, Technology
Layer 3 / Network | ICMP | hping3 | Confidentiality, Processing, Technology
Layer 3 / Network | IP | Netdiscover | Confidentiality, Processing, Technology
Layer 3 / Network | IP | Nmap | Confidentiality, Processing, Technology
Layer 3 / Network | IP | Zenmap | Confidentiality, Processing, Technology
Layer 3 / Network | Cisco routers | Cisco OCS Mass Scanner | Integrity, Processing, Technology
Layer 3 / Network | Network protocols | SPIKE | Confidentiality, Processing, Technology
Layer 2 / Datalink | Packets | Promiscuous mode card and driver | Confidentiality, Transmission, Technology
Layer 2 / Datalink | MAC address | MacChanger | Integrity, Storage, Technology
Layer 2 / Datalink | Datalink traffic | Etherape | Confidentiality, Transmission, Technology
Layer 2 / Datalink | BPDU | BPDU DoS | Availability, Transmission, Technology
Layer 2 / Datalink | BPDU | Flood of configuration message BPDUs with TC flag on | Availability, Transmission, Technology
Layer 2 / Datalink | BPDU | Flood of topology change notification BPDUs | Availability, Transmission, Technology
Layer 2 / Datalink | BPDU | Flood of configuration message BPDUs claiming root role | Availability, Transmission, Technology
Layer 2 / Datalink | MAC | MAC poisoning attack | Integrity, Storage, Technology
Layer 2 / Datalink | CAM | CAM overflow | Availability, Storage, Technology
Layer 2 / Datalink | STP | Spanning tree attack | Availability, Transmission, Technology
Layer 2 / Datalink | MAC | Macof | Availability, Transmission, Technology
Layer 2 / Datalink | ARP | ARP spoofing | Confidentiality, Transmission, Technology
Layer 2 / Datalink | ARP | ARPd | Availability, Transmission, Technology
Layer 2 / Datalink | Cisco device information | CDP | Confidentiality, Transmission, Technology
Layer 2 / Datalink | STP | Redirection | Availability, Transmission, Technology
Layer 2 / Datalink | MAC address | Spoofed IP 5.1 | Confidentiality, Processing, Technology
Layer 2 / Datalink | VLAN | VLAN hopping | Confidentiality, Transmission, Technology
Layer 2 / Datalink | DHCP | DHCP starvation | Availability, Storage, Technology
Layer 2 / Datalink | DHCP | Gobbler | Availability, Storage, Technology
Layer 2 / Datalink | Layer 2 protocols | Yersinia | Integrity, Transmission, Technology
Layer 2 / Datalink | Packets | Switch spoof | Confidentiality, Transmission, Technology
Layer 2 / Datalink | Layer 2 devices | Not disabling telnet | Integrity, Storage, Technology
Layer 2 / Datalink | Cisco equipment | Not enabling password with secret | Integrity, Storage, Technology
Layer 2 / Datalink | DHCP | DHCP spoofing | Availability, Storage, Technology
Layer 2 / Datalink | EAP | EAP man-in-the-middle attack | Integrity, Transmission, Technology
Layer 2 / Datalink | EAP | EAP session hijacking attack | Availability, Transmission, Technology
Layer 2 / Datalink | Switch | Overload ports to get switches to fail open | Integrity, Transmission, Technology
Layer 2 / Datalink | Cisco equipment | CIScan | Confidentiality, Storage, Technology
Layer 2 / Datalink | MAC | MAC duplication attack | Integrity, Transmission, Technology
Layer 2 / Datalink | VTP | VTP attack | Integrity, Transmission, Technology
Layer 1 / Physical | USB devices | USBView | Confidentiality, Storage, Technology
Layer 1 / Physical | SIP devices | Smap | Confidentiality, Storage, Technology
Layer 1 / Physical | Medium | Tapping | Confidentiality, Storage, Technology
Layer 1 / Physical | Medium | Cutting | Availability,
Layer 1 / Physical | Medium | Electronic interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Microwave interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Cordless phone interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Bluetooth device interference | Integrity, Transmission, Technology
Layer 1 / Physical | WiFi | Rogue access points | Confidentiality, Transmission, Technology
Layer 1 / Physical | WiFi | Radio interference | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Homemade frequency generator | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Draft N | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Pre-N Wi-Fi | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | SpymodeX 900MHz – 2.5GHz wireless jammer | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Demarctech | Availability, Transmission, Technology
Layer 1 / Physical | 802.11 | FakeAP | Availability, Transmission, Technology
Layer 1 / Physical | 802.11 | Void11 | Availability, Transmission, Technology
Layer 1 / Physical | 802.11 | File2air | Availability, Transmission, Technology
Layer 1 / Physical | WiFi | Microwave magnetron-based transmitters | Availability, Transmission, Technology
Layer 1 / Physical | Fingerprint scanner | Impersonating someone’s fingerprint | Integrity, Processing, Technology
Layer 1 / Physical | Hardware | Physical access to server room | Availability, Storage, Technology
Layer 1 / Physical | Voice analyzer | Voice synthesizer | Integrity, Processing, Technology
Layer 1 / Physical | Eye scanner | Impersonating someone’s eye signature | Integrity, Processing, Technology
Layer 1 / Physical | USB | Using USB devices to execute code embedded in them | Integrity, Processing, Technology
Layer 1 / Physical | Sensor devices | Wormhole attack | Integrity, Processing, Technology
Layer 1 / Physical | 802.11 | Prism2 card | Confidentiality, Transmission, Technology
Layer 1 / Physical | Hardware | Stealing hardware | Confidentiality, Storage, Technology
Layer 1 / Physical | Power | Cutting the power | Availability, Processing, Technology
Layer 1 / Physical | Environmental control | Changing the environment to cause damage | Availability, Processing, Technology
Layer 1 / Physical | Keystrokes | Logging keystrokes | Confidentiality, Transmission, Technology
Layer 0 / Kinetic | Tools | netifera | N/A
Layer 0 / Kinetic | Traffic lights | Phrack | Integrity, Processing, Technology
Layer 0 / Kinetic | CPU | Overclock the CPU to the point of failure | Availability, Processing, Technology
Layer 0 / Kinetic | Fan speed | Drastically reduce fan speed | Availability, Processing, Technology
Layer 0 / Kinetic | Climate control | Disable air conditioning | Availability, Processing, Technology
Layer 0 / Kinetic | Fire suppression | Override fire suppression system to activate it | Availability, Processing, Technology
Layer 0 / Kinetic | Fire suppression | Override fire suppression system to deactivate it | Availability, Processing, Technology
Layer 0 / Kinetic | SCADA systems | Alter SCADA system settings | Integrity, Processing, Technology
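The McCumber cube has three fixed axes (security goal, information state, safeguard), so each row of a tabulation like the one above can be checked mechanically for completeness and consistent terminology. The following Python script is an added example, not part of the team's lab work; it parses pipe-delimited rows (layer | technology | method | cube), treats a three-cell row as one whose technology column was omitted (an assumption about the table's format), normalises variant spellings (Process for Processing, Transmitted for Transmission) and reports rows that cannot be placed in the cube. The sample rows are constructed, and some deliberately carry such defects.

```python
"""Check rows of an OSI-layer / McCumber-cube tabulation for completeness and consistency."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# The three axes of McCumber's cube; every entry must name one term from each.
GOALS = ("Confidentiality", "Integrity", "Availability")
STATES = ("Storage", "Processing", "Transmission")
SAFEGUARDS = ("Technology", "Policy", "Human Factors")

# Variant spellings a hand-built table tends to accumulate, mapped to the cube's own terms.
ALIASES = {"process": "Processing", "transmitted": "Transmission",
           "human factor": "Human Factors", "people": "Human Factors"}

# Layers used by the tabulation: the OSI seven plus layer 8 (people) and layer 0 (kinetic).
LAYER_NAMES = {0: "Kinetic", 1: "Physical", 2: "Datalink", 3: "Network", 4: "Transport",
               5: "Session", 6: "Presentation", 7: "Application", 8: "People"}
LAYER_RE = re.compile(r"Layer\s*(\d)", re.IGNORECASE)


@dataclass
class Row:
    layer: int | None
    technology: str
    method: str
    cube: tuple[str, str, str] | None   # (goal, state, safeguard) once validated
    problems: list[str] = field(default_factory=list)


def canon(term: str, axis: tuple[str, ...]) -> str | None:
    """Map one cell term onto its canonical axis value, or None if it is not on that axis."""
    key = ALIASES.get(term.strip().lower(), term.strip())
    for name in axis:
        if name.lower() == key.lower():
            return name
    return None


def parse_cube(text: str) -> tuple[tuple[str, str, str] | None, list[str]]:
    """Validate a 'goal, state, safeguard' cell. Returns (triple or None, problems)."""
    parts = [p for p in (s.strip() for s in text.split(",")) if p]
    if len(parts) != 3:
        return None, [f"expected 3 McCumber terms, got {len(parts)}: {text!r}"]
    problems, cell = [], []
    for term, axis, label in zip(parts, (GOALS, STATES, SAFEGUARDS),
                                 ("goal", "state", "safeguard")):
        name = canon(term, axis)
        if name is None:
            problems.append(f"{label} {term!r} is not a McCumber {label}")
        elif name.lower() != term.lower():
            problems.append(f"{label} {term!r} normalised to {name!r}")
        cell.append(name)
    return (tuple(cell) if all(cell) else None), problems


def parse_layer(text: str) -> int | None:
    """Extract the layer number (0-8) from text such as 'Layer 6 / Presentation'."""
    m = LAYER_RE.search(text)
    if m and int(m.group(1)) in LAYER_NAMES:
        return int(m.group(1))
    return None


def parse_row(line: str) -> Row:
    """Parse one pipe-delimited row: layer | technology | method | cube."""
    cells = [c.strip() for c in line.split("|")]
    problems = []
    if len(cells) == 3:            # assumption: a 3-cell row omitted the technology column
        cells.insert(1, "")
        problems.append("technology column missing")
    if len(cells) != 4:
        return Row(None, "", line.strip(), None, [f"expected 4 columns, got {len(cells)}"])
    layer_text, technology, method, cube_text = cells
    layer = parse_layer(layer_text)
    if layer is None:
        problems.append(f"unrecognised layer {layer_text!r}")
    cube, cube_problems = parse_cube(cube_text)
    return Row(layer, technology, method, cube, problems + cube_problems)


def validate(table_text: str) -> list[Row]:
    """Parse every non-blank, non-header line of a table."""
    return [parse_row(line) for line in table_text.splitlines()
            if line.strip() and not line.lstrip().lower().startswith("osi layer")]


def defective(rows: list[Row]) -> list[Row]:
    """Rows that cannot be placed: no recognised layer or no complete cube cell."""
    return [r for r in rows if r.layer is None or r.cube is None]


def coverage(rows: list[Row]) -> Counter:
    """Count placeable rows per (layer, goal): shows where a tabulation is thin."""
    return Counter((r.layer, r.cube[0]) for r in rows if r.layer is not None and r.cube)


# Constructed sample rows in the table's format; several carry deliberate defects.
SAMPLE = """\
OSI Layer | Technology | Exploit Method | McCumber
Layer 8 / People | Shoulder surfing | Confidentiality, Storage, Human Factors
Layer 7 / Application | SQL | SA Exploiter |
Layer 6 / Presentation | Kerberos logins | KerbCrack | Confidentiality, Transmitted, Technology
Layer 4 / Transport | OS fingerprinting | p0f | Confidentiality, Process, Technology
Layer 1 / Physical | Medium | Cutting | Availability,
Layer 0 / Kinetic | Tools | netifera | N/A
"""

if __name__ == "__main__":
    rows = validate(SAMPLE)
    for r in rows:
        flag = "FIX" if r.problems else "ok "
        print(f"{flag} layer={r.layer} method={r.method!r} cube={r.cube} {r.problems}")
    print("defective rows:", len(defective(rows)))
    print("coverage:", dict(coverage(rows)))
```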

Issues

There did not seem to be many kinetic vulnerabilities or attack tools available.

Conclusion

This lab required the student team to build or modify a virtual lab environment that includes a Linux system, Windows Server 2003, Windows XP with no service pack and Windows XP with Service Pack 3. The student team located and tabulated tools in relation to the OSI model and McCumber’s cube. Now that this lab has been completed, the student team has a virtual lab environment ready to conduct labs and the ability to determine which tools affect which layer of the OSI model and which cell of the McCumber cube.

References

Arce, I. & McGraw, G. (2004). Why attacking systems is a good idea. IEEE.

Benzel, T., Braden, R., Kim, D., Neuman, C., Joseph, A., Sklower, K., Ostrenga, R. & Schwab, S. (2006). Experience with DETER: a testbed for security research. IEEE.

Coffin, B. (2003). It takes a thief: ethical hackers test your defenses. Risk Management Magazine.

Du, W. & Mathur, A. (1998). Vulnerability testing of software system using fault injection.

Gula, R. (2001). Broadening the scope of penetration-testing techniques. Enterasys Networks.

Heinen, C., Massengale, R. & Wu, N. (2008). Building a network testbed for internet security research. CCSC.

Holland-Minkley, A. (2006). Cyberattacks: a lab-based introduction to computer security. ACM.

Micco, M. & Rossman, H. (2002). Building a cyberwar lab: lessons learned. Teaching cybersecurity principles to undergraduates. ACM.

Mink, M. & Freiling, F. (2006). Is attack better than defense? Teaching information security the right way. ACM.

Ray, H., Vemuri, R. & Kantubhukta, H. (2005). Toward an automated attack model for red teams. IEEE.
