S-38.153 Security of Communication Protocols (2 cr)
Exercises, spring 2004
- 1.4.2004: Remember that two different reports are required. More information on the main page of this course.
- 7.2.2004: The deadline for all reports is Friday 7.5.2004.
The laboratory network, which is used by all exercises, is briefly documented here.
In spring 2004, you are required to write two kinds of reports:
- Exercise report: This is approximately 10 pages long, and contains a short description of all the 7 different laboratory exercise tasks.
- Laboratory work description: This is also approximately 10 pages long, and contains a detailed description of one exercise task that you did in the laboratory.
For more information about the course requirements, see the main course page.
There are 7 exercise times in this course.
The exercises are in the student laboratory of the Networking laboratory. There are 3 times booked every week for this course: Wednesday 12:15 - 14, Wednesday 14:15 - 16 and Wednesday 16:15 - 18. It is not intended that you come 2 times a week every week.
It is intended that you join a group of 3 students, select one exercise time and come every second week.
If you cannot come at this time, it is in principle possible to come at some other time when there is room in the laboratory, but we do not encourage this since it disturbs the laboratory work.
You are supposed to work independently and do the following exercises in any order. Your group must write a report of what you have done in the exercises: what you did, whether it worked, how far you got, what you had to fix to get it running, how difficult you found it, how much time it took, etc. This report does not need to be in a fancy format, but it must contain enough information. It is like a learning diary.
You will get a superuser password which works on all computers in the test network. There was some instability in our test network last year; Markus Peuhkuri can help if the network goes down. Concerning the content of the exercises and getting the software working, you are mostly on your own. I cannot help much, but I will be present in most exercises. You can probably get more help from the other students. With a nonzero probability the guy next to you is an experienced midnight hacker, only pretending to be working in some security firm.
In the student feedback from last year, the exercises were considered to be very poorly arranged indeed. This is because, in order to do these exercises well, you need at least one person in your group who can use Linux fairly well. Mix the groups so that this is the case, or be prepared to put effort into learning the basics of Linux at the same time. It is not so much Linux you need to know: writing to and reading from a floppy (imagine, this can be a problem in Linux!), untarring directories and files, fixing the proxy settings for web browsers, compiling C code, using Perl and adding users is mostly enough. How about Intel assembly for the exploits? It is not really needed. Additionally, you should prepare for most exercises at home by finding the relevant material on the web and thinking about how you can do the exercise in the 2 hours.
If you find some other nice exercise, not mentioned here, you can do it instead of the one described here. In books on practical Internet security, the authors describe many nice attacks. You can try them and replace any of the exercises below with new ones. It is a good idea to buy some thick Internet/Windows/Linux security bible of 600-1000 pages (in case you are not broke, as students tend to be). Namely:
1) if you spot an evil hacker, you can hit him in the head with the book, and
2) security holes and tools tend to stay valid only for a very short time.
You are not required to buy any book; you can pass the exam with 5 (not a joke, some did last year) without any such material, but you may learn more than from my lectures. You can also look at web pages for tools. Try:
http://www.antionline.com,
http://www.anticode.com (are they still there?),
http://www.cert.org,
http://www.ciac.org,
http://www.securityfocus.com
Last year we tried the following exercises, which work reasonably well, considering that hackers do not write the best-quality code. If you do not invent better exercises, try to do these (all of them). In the report, it is not required that you manage to do all of the exercises, but you must make a serious attempt and document the reasons why you failed. I know that many groups got all of these working last year.
You should change the computer in different weeks so that you work both on Linux and on Windows. Mostly Linux is nicer for these exercises; there is not as much to do in Windows.
1.
2.
Try root exploits (Linux)
Look at bug lists on the Web; try key words like root exploit in
some search engines. Find exploit code that should work with some of the
computers in the test network. Try it and fix it to work if needed. Look for
more exploits if this was too easy. You may find some weakness in NT, like
ISS; you probably need a Linux machine to try whether it works. You probably need to
look at the bug lists at home in order to do this in 2 hours at the exercises.
That is, look for root exploits for Linux or NT of the versions we use.
3.
Get familiar with rootkits (Linux)
There is one rootkit in our test laboratory, which we captured from a hacker
who broke into our laboratory last year. Check what it does. In a rootkit
there are modified binaries of routines like login, ps, netstat etc. These
modified routines contain trapdoors, steal passwords etc. There are many
different rootkits, and it is not difficult to write your own rootkit. There
is a whole dump of the hard disc, so do not extract the whole disc. Your
job is to find where the hacker's rootkit is, extract it and try it.
Save the original binaries in the computer before installing the hacker's
versions, and after you have tried this exercise, restore the originals. After
this, look on the web to see if you find other rootkits, and check if they are different.
This should be straightforward and can be done without preparation at home.
4.
Try the HUNT tool and capture a TCP connection with it (Linux)
Look for the HUNT tool on the Web. It has instructions; follow them. This
is straightforward. Read the description of HUNT on the Web before
the exercise, but it should work. You need to agree with other groups
that they try Telnet, which you capture.
5.
Set up protection for a computer in the test laboratory. (Linux, Windows)
Look for possible alternatives and select some way to make a computer secure.
Install the mechanism. Check that it protects. There are firewall tools
(like FWTK, TCP Wrappers, netfilter), proxy firewalls, IDS, detectors for
scanning. You should get acquainted with them before the exercise so as not to waste
time during the exercise on selecting what you want to do.
6.
Find spying software from the Web, like netspy or netbus. Install such
software on a PC running Windows. Try it. (Windows)
Look for information on macro viruses or worms on the Web. See how a macro
virus is sent. Try to install spying software remotely by sending email
containing spying software as a payload of a virus, or in some other way.
It is pretty easy to use spy software, but installing it remotely was hard
for most. You should search the web for macro viruses at home and try to
find code pieces which do the job. Nobody managed to do this last year,
but it is possible.
7.
Try password crackers (Linux, Windows)
Find password cracker software, like L0phtCrack, jack the ripper, from
the Web. Invent a way to try it. (You could get a password file
from somewhere, or you can make a password file and see what kind of passwords
the cracker finds.) Try cracking. You had better do the cracking at home, because
if you have found large dictionaries from somewhere (web), cracking takes
a long time; 2 hours is not enough.
8.
DoS (Linux, Windows?)
To do DoS you actually need many computers. However, try to find DoS software
from the web and try how it works against the computers in the test laboratory.
There are for instance TCP SYN flood, Ping of death etc.
9.
Web, do offline at home
Look for underground or other interesting web pages. Be a bit careful with
them, you may be caught by US police interested in people searching for
bad pages, these pages are also said to contain programs which have viruses
inserted intentionally. You may invite a hacker to attempt hacking into
your computer. There are more friendly pages, like pages containing hostile
java applets. The purpose of this exercise is to see how much relevant information
you can find. Is it easy to find underground information, or difficult? Do
not use this knowledge for hacking purposes.
10.
Study the security settings of NT or Windows 2000 (Windows)
See what you can change. Try to find weaknesses and use them from another
computer. You must study Windows security from some source before the
exercise, else you will not manage to do anything useful. If you have
studied, it is simply a matter of verifying that the menus are there and trying to change
them. Invent some attack that works if security settings are not good, verify
that it works, then set the security higher and verify that the problem is
removed.
11.
Try sniffer code (Linux)
Find a sniffer from the web. Sniff passwords from Telnet or FTP connections
in the test network. This should be very easy. You do not need to prepare
for this. The main problem is to find a sniffer.
?
If there is time, try to design an experiment where a group of protectors
try to make a computer secure, and a group of hackers try to break in. If
this experiment looks possible, try it. We did not manage to do this test
last year, maybe somebody invents a way to do it.
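For exercise 3, the instruction to save the original binaries before installing the rootkit's versions and to restore them afterwards can be checked with a hash baseline. The following is an added example, not part of the original course page; the watched paths are assumptions for a typical Linux host, and the demo runs on constructed stand-in files.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Binaries the exercise names as typical rootkit targets. The paths are
# assumptions for a typical Linux host, not taken from the lab machines.
WATCHED = ["/bin/login", "/bin/ps", "/bin/netstat"]

def fingerprint(path):
    """Return (sha256 hex digest, permission bits), or None if unreadable."""
    try:
        mode = stat.S_IMODE(Path(path).stat().st_mode)
        return hashlib.sha256(Path(path).read_bytes()).hexdigest(), mode
    except OSError:
        return None

def take_baseline(paths):
    return {p: fingerprint(p) for p in paths}

def compare(baseline):
    """Return {path: reason} for every file that no longer matches."""
    findings = {}
    for path, before in baseline.items():
        after = fingerprint(path)
        if after == before:
            continue
        if after is None:
            findings[path] = "missing"
        elif before is None:
            findings[path] = "appeared"
        elif after[0] != before[0]:
            # Size and timestamps can be made to match; the digest is the check.
            findings[path] = "content changed"
        else:
            findings[path] = "mode changed"
    return findings

if __name__ == "__main__":
    # Constructed demo: stand-in files in a temp directory, not real binaries.
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d) / Path(p).name for p in WATCHED]
        for p in paths:
            p.write_bytes(b"original")
        baseline = take_baseline(paths)
        paths[1].write_bytes(b"trojaned")   # same length as the original
        print(compare(baseline))
        paths[1].write_bytes(b"original")   # restore, as the exercise requires
        print(compare(baseline))
```

Keep the baseline off the machine under test and run the comparison from trusted media, since a rootkit that replaces ps and netstat can equally replace the tools used to check them.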
About exercise report
Jorma Jormakka
HUT, Networking laboratory
P.O.Box 3000, HUT 021015
on the cover.
This page was last updated 01.04.2004 13:50. URI: http://www.netlab.tkk.fi/opetus/s38153/k2004/exercises.shtml
- If you do not have the possibility to do the normal exercises as group work in the laboratory (times do not suit you, all groups full etc.) you can replace these laboratory exercises with a private exercise.
- The contents of this kind of a private exercise are the following:
- Choose one security tool that is used either for attacking or defending:
- This tool should not be available in the laboratory exercise network at the moment
- Choose a tool that can be used on the current hosts of the laboratory exercise networks (check the operating system versions etc.).
- Test this tool in a secure network environment (you are not supposed to cause harm to any third parties).
- Write approximately a 10-page report:
- report structure should resemble the structure of the ordinary exercise reports (see above)
- write it in English
- return it as a paper version in the locker number 10 in front of the notice board of this course
- return the report also as a doc-format file, and attach it with a mail to jmolsa@netlab.hut.fi
- The amount of work in the private exercises must be about 1 credit point (provided you do this alone)
- You can see some examples in "Extra Material" (see the main course page).