Northeastern University

CS 4740/6740 - Network Security

Lab: Introduction

In this short introductory lab, you will be forming your teams and preparing your machines for the rest of the upcoming labs. You will be required to understand and acknowledge the lab rules and you will get your first taste of the Network Security Lab layout.

1. Understanding the Rules

The labs are a fun way to explore security legally. However, it is easy to accidentally attack the wrong computer and get everyone into major trouble. You MUST follow these rules, otherwise you will fail the class, face disciplinary action, or worse.

  1. You DO NOT have permission to attack any machine outside of the NetSec network (that is your Virtual Machines and class infrastructure). There is no flexibility here. If you do attack a machine that is not part of our class lab, you are committing a crime. You could be suspended, expelled, or even arrested. Please do not do this!

  2. You do have permission to attack machines within the NetSec network, but only when you are doing a lab and only when the lab requires it. Each lab will spell out which machines are fair game. If you ignore these instructions, your grades will be penalized brutally.

  3. Attacks should be completely contained within the NetSec network. They should only start from your VMs and be constrained by the VPN to only interact with the class infrastructure.

  4. Your attacks should never leave the NetSec network. If you are attacking any address besides those in 10.0.0.0/8, you could potentially break the previous rules and you will definitely upset the Lab TA. Brutal grade penalties will follow.

If any of these rules are not clear, please consult with the Lab TA or Professor Noubir.
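One way to enforce rule 4 mechanically is to pass every target through a fail-closed check before any lab tool sees it. The script below is an added example, not part of the original handout; the helper names `in_scope` and `scope_filter` and the sample targets are constructed for illustration.

```shell
# Added example, hypothetical helpers. in_scope TARGET succeeds only for an IPv4
# address or CIDR block entirely inside 10.0.0.0/8; hostnames are rejected.
in_scope() {
    target=$1
    case $target in
        */*) addr=${target%/*}; prefix=${target#*/} ;;
        *)   addr=$target; prefix=32 ;;
    esac
    # A prefix shorter than /8 would cover addresses outside 10.0.0.0/8.
    case $prefix in
        [89]|[12][0-9]|3[0-2]) ;;
        *) return 1 ;;
    esac
    # Digits and single dots only, no leading or trailing dot.
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # No leading zeros: some tools read 010 as octal 8.
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ]
}
# scope_filter: reads one target per line on stdin, prints in-scope targets,
# reports the rest on stderr, and returns 1 if anything was rejected.
scope_filter() {
    rejected=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if in_scope "$line"; then
            printf '%s\n' "$line"
        else
            printf 'OUT OF SCOPE, skipped: %s\n' "$line" >&2
            rejected=1
        fi
    done
    return "$rejected"
}

# Constructed sample targets (not real lab hosts).
printf '%s\n' 10.4.7.20 10.20.0.0/16 192.168.1.10 10.0.0.0/7 | scope_filter || true
```

Hostnames are rejected on purpose: resolve the name first, then check the address it actually resolves to.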

2. Building a Team

Since you will be completing all of the labs as part of a team, the first thing you need to do is create one. Professor Noubir will let you know how many students he expects per team. You are responsible for choosing your teammates, so consider your choice carefully. Successful teams are made up of individuals who:

Once you have chosen your teammates, send an email to the Lab TA (with a CC to Professor Noubir) with the following information:

The labs are to be done over a hybrid infrastructure: two virtual machines per team (one Linux and one Microsoft Windows Server). The Linux VM will connect through a VPN to the course lab network running on the CCIS/NEU infrastructure. In addition, the Linux machine will act as a NAT gateway for your Windows server.

3. Creating Accounts

Each teammate will have their own account on the team machines so that they can work on the labs. Once you have received the credentials for your machines, you create the accounts with these steps:

  1. Each team member should read the man page on sudo(8), to understand how they may execute privileged commands with their own less-privileged account. Review the current /etc/sudoers file to understand the currently granted privileges.

  2. Log into your Linux machine, and create one user account using the useradd(8) command. Read the man page first for usage information. Use the -G option to add the account to the sudo group as well as the default initial group. If you forget to do this when creating an account, see the man page for group(5) and add it manually with a text editor.

  3. By default, each newly created account is disabled. To enable the new account, log in as the initial admin user given to you by the TA, and set a new password. Do not use weak passwords, temporary or otherwise.

  4. Log into your Windows server using the Administrator account credentials provided. Create an account, using the same username that was used on your Linux system. The passwords for the account need not be the same between the two systems.

  5. Add the newly created user account to the Administrators group.

  6. Change the initial admin user password on your Linux router and the Administrator password on your Windows server if you have not already done so.

NOTE: Be sure to use strong passwords for the accounts. All systems will be partially exposed to the Internet and password brute-force attacks have become commonplace.

4. Setting up your VPN Connection

Your Linux VM will act as a NAT gateway to the class infrastructure through a VPN. We are using OpenVPN and it has already been installed and partially set up for you. You need to:

  1. Copy the email@husky.neu.edu.key and email@husky.neu.edu.crt credential files provided to you to the /etc/openvpn/ directory in your Linux VM. You can transfer files to your Linux machine from the host running VirtualBox by connecting with scp or WinSCP to localhost port 3322. Later you can copy the keys to the appropriate directory using sudo:
        you@my-computer$ scp -P 3322 email@husky.neu.edu.crt email@husky.neu.edu.key team@localhost:/home/team
        team@linux-vm$ sudo cp email@husky.neu.edu.* /etc/openvpn/
        
  2. Update the configuration file located at /etc/openvpn/openvpn.conf to refer to the keys provided to you as part of your credentials.
  3. Manually run openvpn with the appropriate configuration file parameter. Make sure that no error messages show up in your output and save it for your report. Note that in future boots the openvpn service will be started automatically.
  4. Test that your VPN connection is working by obtaining the IP address of the strawman.nslab machine and pinging it. Save this information for your report.
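Before the manual run in step 3, it helps to confirm that the config's `cert` and `key` directives point at files that exist and that the private key is readable by its owner only, since OpenVPN warns about key files that are group or others accessible. The script below is an added example, not part of the original handout; the function name `check_vpn_creds` is hypothetical and it assumes the paths in the config contain no spaces.

```shell
#!/bin/sh
# Added example (hypothetical helper): pre-flight check for OpenVPN credentials.
# check_vpn_creds CONF succeeds only if CONF has uncommented cert and key
# directives, both files exist, and the key has no group/other permissions.
check_vpn_creds() {
    conf=$1
    problems=0
    if [ ! -r "$conf" ]; then
        echo "cannot read config: $conf" >&2
        return 1
    fi
    for directive in cert key; do
        # First uncommented occurrence; strip optional double quotes.
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf" | tr -d '"')
        if [ -z "$path" ]; then
            echo "missing '$directive' directive in $conf" >&2
            problems=1
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "$directive file not found: $path" >&2
            problems=1
            continue
        fi
        if [ "$directive" = key ]; then
            # Characters 5-10 of the ls mode string are the group and other bits.
            group_other=$(ls -ld "$path" | cut -c5-10)
            if [ "$group_other" != "------" ]; then
                echo "private key is group/other accessible: $path (use chmod 600)" >&2
                problems=1
            fi
        fi
    done
    return "$problems"
}

# Stand-alone use: sh this-script /etc/openvpn/openvpn.conf
if [ $# -gt 0 ]; then
    check_vpn_creds "$1"
fi
```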

5. Reviewing the Network Settings

In order to perform any kind of attack, you will need to understand the network layout. To review your network settings, follow these steps, saving all the information for your report:

  1. On your Linux router, determine network interfaces on the machine and their configuration using the ifconfig(8) command.

  2. Determine the routing table using the route(8) command.

  3. On your Windows server, determine its IP address, subnet mask, default gateway, and DNS servers by checking the properties on the Local Area Connection.

Report

For this lab, your team must submit a report with the following information:

  1. Why were the Linux accounts you created added to the sudo group?

  2. What is the purpose of the sudo(8) command? What advantages does it have over the su(1) command?

  3. What are the network settings for your Linux router and Windows server?

  4. Provide the output of your manual run of openvpn, the IP address of strawman.nslab, and the ping output.

Grading

Your grade for this lab will be composed of: