Lab: Introduction
In this short introductory lab, you will be forming your teams and preparing your machines for the rest of the upcoming labs. You will be required to understand and acknowledge the lab rules and you will get your first taste of the Network Security Lab layout.
1. Understanding the Rules
The labs are a fun way to explore security legally. However, it is easy to accidentally attack the wrong computer and get everyone into major trouble. You MUST follow these rules, otherwise you will fail the class, face disciplinary action, or worse.
- Since anyone can connect to your machines from the Internet, at least in a restricted way, both of your machines can and probably will receive tons of scans and automated attacks. We have secured these services as much as possible. However, setting weak passwords is an easy way to get your machines compromised. If you get compromised because of a weak password, you fail the class. There will be no discussion here -- you just fail.
- There will be many times when the Lab TA will need to log into your machines. For this purpose, the Lab TA has accounts on both of your machines. Under no circumstances are you to delete or limit access to the Lab TA.
- You DO NOT have permission to attack any machine outside of the NetSec network. There is no flexibility here. If you do attack a machine that is not part of our class lab, you are committing a crime. You could be suspended, expelled, or even arrested. Please do not do this!
- You do have permission to attack machines within the NetSec network, but only when you are doing a lab and only when the lab requires it. Each lab will spell out which machines are fair game. If you ignore these instructions, your grades will be penalized brutally.
- Attacks should be completely contained within the NetSec network. They should only originate from inside the NetSec network from lab machines. They should never originate from outside of it, such as from your home, your work, the school network, or the library. The people who run those networks might think you are committing a crime and you could be in serious trouble. Please do not do this!
- Your attacks should never leave the NetSec network. If you are attacking any address besides those in 10.0.0.0/8, you could potentially break the previous rules and you will definitely upset the Lab TA. Brutal grade penalties will follow.
If any of these rules are not clear, please consult with the Lab TA or Professor Noubir.
2. Building a Team
Since you will be completing all of the labs as part of a team, the first thing you need to do is create one. Professor Noubir will let you know how many students he expects per team. You are responsible for choosing your teammates, so consider your choice carefully. Successful teams are made up of individuals who:
- Complement each other well in the areas of Unix Systems Administration, Windows Systems Administration, Java programming, and Cryptography.
- Get along well with one another under stressful situations and can stay organized in a task-oriented environment.
Once you have chosen your teammates, send an email to the Lab TA (with a CC to Professor Noubir) with the following information:
- Team name
- Team member names
- Team member account names
- Team member email addresses
Once you email the Lab TA, he will bring a note to class with your team number and credentials to remotely access your machines. At this point, you may begin the next section.
3. Creating Accounts
Each teammate will have their own account on the team machines so that they can work on the labs. Once you have received the credentials for your machines, create the accounts with these steps:
- Have one team member log into your Linux machine via SSH and create one user account for each team member using the useradd(8) command. Read the man page first for usage information. When creating the accounts, use the account names you provided the Lab TA. Also, use the -G option to add them to the wheel group as well as the default initial group. If you forget to do this when creating an account, see the man page for group(5) and add them manually with a text editor.
- By default, each newly created account is disabled. To enable the new accounts, have a team member log in as root and set a new, temporary password using the passwd(8) command. Each team member should then log in immediately to the router and change their password. Do not use weak passwords, temporary or otherwise.
- Each team member should read the man page on sudo(8) to understand how they may execute privileged commands with their own less-privileged account. Review the current /etc/sudoers file to understand the currently granted privileges.
- Have one team member log into your Windows server via a terminal services client using the Administrator account credentials provided. Create one account for each user in your team, using the same usernames for each user that were used on your Linux system. The passwords for each account need not be the same between the two systems.
- Add each of the newly created user accounts to the Administrators group.
- Change the root password on your Linux router and the Administrator password on your Windows server if you have not already done so.
NOTE: Be sure to use strong passwords for the accounts. All systems will be partially exposed to the Internet and password brute-force attacks have become commonplace.
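Added example (not part of the original lab handout): one way to confirm, after the account-creation steps above, that every team account ended up in the wheel group, by reading the member-list field of a group(5)-format file. The usernames and the sample file are constructed; on the lab router the file to check would be /etc/group.

```shell
#!/bin/sh
# Audit supplementary group membership using the group(5) line format:
#   group_name:password:GID:user_list   (user_list is comma-separated)
# The accounts alice, bob and bobby below are constructed sample names.

# missing_from_group GROUP FILE USER...
# Prints, one per line, every USER not listed as a member of GROUP in FILE.
missing_from_group() {
    grp=$1; file=$2; shift 2
    # Field 4 of the matching line holds the supplementary members.
    members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$file")
    for user in "$@"; do
        # Wrap in commas so "bob" does not match inside "bobby".
        case ",$members," in
            *",$user,"*) ;;
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# sample_group_file: writes a constructed group(5) file and prints its path.
# Here "bob" was created without -G wheel, so he is missing from the list.
sample_group_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:
wheel:x:10:alice,bobby
users:x:100:alice,bob,bobby
EOF
    printf '%s\n' "$f"
}

# Demo run against the constructed file.
demo_file=$(sample_group_file)
for u in $(missing_from_group wheel "$demo_file" alice bob bobby); do
    echo "account '$u' is not in wheel; add it to the wheel line's user list"
done
rm -f "$demo_file"
```
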
4. Reviewing the Network Settings
In order to perform any kind of attack, you will need to understand the network layout. To review your network settings, follow these steps, saving all the information for your report:
- On your Linux router, determine the network interfaces on the machine and their configuration using the ifconfig(8) command.
- Determine the routing table using the route(8) command.
- On your Windows server, determine its IP address, subnet mask, default gateway, and DNS servers by checking the properties on the Local Area Connection.
Password Audit
Soon after you are expected to finish this lab, the Lab TA will audit all the passwords you selected for your accounts. Any team member with a weak password will be penalized. Make sure to choose strong passwords; we will be checking!
Report
For this lab, your team must submit a report with the following information:
- Why were the Linux accounts you created added to the wheel group?
- What is the purpose of the sudo(8) command? What advantages does it have over the su(1) command?
- What are the network settings for your Linux router and Windows server?
Grading
Your grade for this lab will be composed of:
- 20% - Sent the team information to the Lab TA and picked up the credentials.
- 50% - Created all the required accounts and chose strong passwords.
- 30% - Answers from the lab report.