Computer Security II Lab Network Security

Transcription

1 Computer Security II Lab Network Security Setup Boot lab machine into Windows. In Windows Explorer, navigate to \\evs2\compga02\ and download the three Virtual Machines clientvm1819.zip, servervm1819.zip and attacker1819.zip. Extract the.zip archive and import the three Virtual Machines following the same process you used in Computer Security II Lab - Introduction (NOTE: before importing the VMs make sure that previous instances of a virtual machines, and their configuration files, are correctly deleted). Alternative VM download sources (if you wish to download to your own laptop): * clientvm1819.zip: * servervm1819.zip * attackervm1819.zip

2 In the Oracle VM VirtualBox Manager dialogue window click on File > Host Network Manager. It will popup a window that allows you to configure your internal network. In the new window, left-click on Create to add a new network. The new network should be named vboxnet0 and have a configuration similar to the one shown below. After setting the values for IPv4 Address ( ) and IPv4 Network Mask ( ) click on the DHCP Server tab. Check the Enable Server box, and make sure that the configuration has the same values shown in the figure below.

3 Complete the configuration by left-clicking on Apply and then Close. After the import of the three VMs your Oracle VM VirtualBox Manager should be similar to the one in the picture below. One by one, select each VM, right-click on the machine and choose Settings. 1. Make sure that the box Enable Network Adapter is checked. 2. Left-click on the Network tab, and choose the following configuration: - Attached to: Host-only Adapter - Name: vboxnet0 (i.e., the same network name you assigned the network you created in the preivous step) 3. Left-click on Advanced to show the options about the network adapter. Click on the refresh symbol (bottom right circled in the figure) to renew the MAC address of the network card. Finalize the configuration by clicking on OK. Repeat the same operation for clientvm, servervm, attackervm. Start the three VMs by righ-clicking on the clientvm image, then select Start > Normal Start. After the system has booted, login using the following credentials: username: compsec2 password: compsec2 Quick tip: When executing commands in Terminal (inside the VM), use View > Scale Factor menu to adjust font size, if necessary.

4 IMPORTANT NOTE: The machines are NOT connected to the Internet. You should use the brower available on your windows/laptop hots to search for commands and hints about how do to the exercises. All the Python files that you need for this assignment, are already available on the VM. If you need to connect you VM to Internet (e.g. for downloading a file), use the following procedure. 1. Shut down the machine. 2. Right-click on the VM and select Settings. 3. Click on the Network tab. 4. Select the configuration in the figure below ( Attached to: NAT ). NOTE: after downloading the necessary files, if you want thevm to be able to communicate with the other VMs, you will need to shut down the machine again and configure the network with the Attached to: Host-only Adapter ) as you did during the first setup of the machine.

5 Exercises Note: On all machines the Python scripts are available in the /home/compsec2/scripts/ directory. As an alternative source, you can download the same Python scripts from Don t forget to update in all scripst the IP address of the clientvm/servervm/attackervm. 1. Launch the Scapy console on attackervm. 2. Construct an ICMP request (ping) to clientvm on attackervm using Scapy. 3. Send the ping to clientvm and monitor the response (Hint: run a Scapy sniffer on clientvm). What do you observe? How many packets do you see? 4. Download the UDPClient.py script to clientvm and the UDPServer.py script to servervm. Change the IP addresses listed in both scripts to match the IP configuration of your VMs. 5. Launch UDPClient.py and UDPServer.py scripts, input a message on UDPClient.py and use Scapy on clientvm to observe the data being received by UDPServer.py and relayed back. 6. From attackervm, perform a UDP port scan on servervm using nmap. Focus on port range 510 to 530. Which known services are listed? 7. From attackervm use nmap to find the MAC address of clientvm. 8. On attackervm, build a spoofed ARP reply using Scapy. Your goal is to convince servervm that clientvm s IP address corresponds to attackervm s MAC address. Launch an ARP spoofing attack against servervm, and on servervm observe the packets with tcpdump. 9. On attackervm, build a spoofed UDP packet that appears to have originated from UDPClient.py on clientvm. 10. On attackervm send the spoofed UDP packet to servervm. What do you observe on servervm? Did the attack succeed? 11. Start UDPServer.py on servervm, if it isn t running already. Run UDPClient.py on clientvm and send a few messages to servervm. 12. On attackervm look at the source code of ARPPoison.py (update IP addresses there, if necessary). With UDPServer.py still running (on servervm) and and UDPClient.py still running (on clientvm, start ARPoison.py with root privileges on attackervm. 13. Look at the source code of UDPMiTM.py (update IP addresses there, if necessary). Then, in another terminal window on attackervm, start UDPMiTM.py with root privileges. Send another message from UDPClient.py on clientvm. What do you observe? 14. Check UDPMiTM.py terminal window, and follow the instructions on it. What happens on UDPServer.py and UDPClient.py terminals? What happened to traffic between clientvm and servervm?

6 15. Connect to TCPServer.py on servervm by using netcat on client. Send data and observe it being relayed back. 16. Launch Wireshark on servervm. Perform a TCP scan from attackervm to servervm by using nmap. What do you see on Wireshark? 17. Launch Wireshark on servervm. Perform a FIN scan from attackervm to servervm by using nmap. What do you see on Wireshark? 18. Hijack the TCP connection between clientvm and servervm, by using the TCP hijacking technique highlighted in class. Did it succeed? 19. Look at the output for the hijacked TCP connection on Wireshark. Do you see the ACK storm?