Systems Competition
Your team will participate in a competition against the other teams in the class that will test your skills at hardening and protecting computer systems. You will be required to manage two virtual machines, each running a number of services. One of these systems must act as a router, relaying traffic to the second system. The goal is to protect your team's resources while attacking the resources of the other teams. To assist your team in testing and attacking, you can optionally request a third machine to use as an attack/protection platform.
Choosing the Operating Systems
You will have two machines that provide services to the other teams. We will refer to the routing system as the "router" and the second system as the "server" throughout the rest of this document. Your team must run one Windows 2000 Server system and one Unix-like system. There is no requirement that your router be running Unix, but you must be sure you really are routing instead of bridging or proxying connections for your server.
You have a few options to consider when choosing the OS for your router and server:
- You can keep your current machines as they are now.
- You can have the lab supervisor reset the machines to the exact state they were in when the course began.
- You can request to have access to the virtual machine software in order to install your own Operating System.
Remember, the goal is to make these machines as secure as possible given your time, skill, and the requirements described later. Keeping your current machine will seem like an attractive option to most teams; just make sure to secure it properly. Depending on how much experimentation you have done, you might want to consider resetting the machines to their original state.
To get the most out of this competition, we recommend you choose to install your own Operating System by using the virtual machine software. For your Unix system you can choose any open-source OS such as Debian, Ubuntu, Fedora, Gentoo, FreeBSD, or OpenBSD. There are a few pitfalls with this option, however. Be aware that some distributions may have difficulties using the VMWare virtual hardware and that the lab supervisor will have few resources to help your team with such issues. You may experiment with distributions you have never used, but if you do so you will likely spend more time in configuration and less time protecting your resources and developing attacks. It is recommended you go with a familiar distribution.
To assist your team in testing and attacking, you can be provided with an optional third machine to use as an attack/protection platform. We will refer to this machine as the "attacker". You are not required to use this machine. We can provide you with a pre-configured BackTrack machine, a Linux distribution specifically built for security professionals. This machine will have most of the tools you need already installed. Of course, you are welcome to install any OS you prefer, just remember to install all your tools as well.
Common Requirements
There are a few requirements that do not depend on the role of the machine.
- Lab Supervisor Access
- Access to both of your systems must be provided to the lab supervisor and instructor. On your Unix system, you must install the provided SSH public keys into your root account's authorized_keys file. For your Windows system, you must create an account named netsecadmin and add it to the Administrators group. It should be given a random password which you will provide to the lab supervisor. If you do not rebuild your systems, you don't need to worry about this step.
- Time Synchronization
- Both of your systems must synchronize their clocks via NTP or through VMWare tools. If you install VMWare tools, configure it to synchronize the system clock with the host system's clock. Otherwise, you must configure an NTP daemon to communicate with 10.0.0.253 and/or 10.0.0.254 to receive time updates.
- Team Remote Access
- You must provide each team with remote access to both of your machines. On your Unix system, the team accounts must be accessible via SSH. On your Windows system, the team accounts must be accessible via RDP.
  The team accounts must not be overly restricted. On your Unix machine, these user accounts must have typical user privileges and have access to binaries in /bin, /usr/bin, and /usr/local/bin. Restricted shells are permitted, but chroot environments for these accounts are not. Most importantly, be reasonable about any restrictions you place on users. If you have any questions about specific restrictions, please consult the lab supervisor.
- Secret File
- On both of your machines, you must create a file named secret.txt. This file should contain a sequence of 10 or more random characters and must be readable only by the root or Administrator account. For your Unix machine, this file must be stored in /secret.txt, while for your Windows machine the file must be stored in C:\secret.txt. Teams will prove that they compromised a machine by providing the lab supervisor with that machine's secret file. Do not let another team grab your secret file!
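An added self-check for the Unix-side items above (example script, not part of the assignment). It assumes the NTP daemon reads /etc/ntp.conf; the ROOT argument lets you run the checks against a staging tree instead of the live filesystem, and OWNER is the expected owner of secret.txt (root on the live system).

```shell
#!/bin/sh
# Added self-check for the Unix-side Common Requirements (not from the
# assignment). ROOT defaults to the live filesystem; point it at a staging
# tree to test. OWNER is the expected owner of secret.txt (root when live).

# Generate a 32-character random hex string from /dev/urandom.
gen_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Create ROOT/secret.txt with mode 0400 (readable only by its owner).
create_secret_file() {
    root="${1:-}"
    ( umask 077; gen_secret > "$root/secret.txt" )
    chmod 400 "$root/secret.txt"
}

# Verify ROOT/secret.txt: present, at least 10 characters, owned by OWNER,
# and with no group/other permission bits at all.
check_secret_file() {
    root="${1:-}"; owner="${2:-root}"; f="$root/secret.txt"
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    len=$(tr -d '\r\n' < "$f" | wc -c | tr -d ' ')
    [ "$len" -ge 10 ] || { echo "FAIL: secret has only $len chars"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)   # group+other bits of the mode
    [ "$perms" = "------" ] || { echo "FAIL: $f is group/other accessible ($perms)"; return 1; }
    [ "$(ls -ld "$f" | awk '{print $3}')" = "$owner" ] || { echo "FAIL: $f not owned by $owner"; return 1; }
    echo "OK: secret file"
}

# Verify the supervisor's keys are installed: at least one line of
# ROOT/root/.ssh/authorized_keys looks like an OpenSSH public key.
check_root_authorized_keys() {
    f="${1:-}/root/.ssh/authorized_keys"
    grep -Eq '^(ssh|ecdsa)-[[:alnum:]-]+ [A-Za-z0-9+/=]+' "$f" 2>/dev/null \
        || { echo "FAIL: no public key found in $f"; return 1; }
    echo "OK: root authorized_keys"
}

# Verify ROOT/etc/ntp.conf has a server line for 10.0.0.253 or 10.0.0.254.
check_ntp_servers() {
    f="${1:-}/etc/ntp.conf"
    grep -Eq '^[[:space:]]*server[[:space:]]+10\.0\.0\.25[34]([[:space:]]|$)' "$f" 2>/dev/null \
        || { echo "FAIL: $f lists neither 10.0.0.253 nor 10.0.0.254"; return 1; }
    echo "OK: ntp servers"
}
```

Run the three check functions with no argument on the live router and server (as root) after you have installed the keys and NTP configuration; each prints OK or a FAIL line and returns non-zero on failure.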
Router Requirements
Your router is required to have the following services running during the competition:
- FTP
- You must create one user account for each team to access the FTP service. Additionally, this service must be accessible anonymously. Each team must be granted write access to exactly one directory which should be named teamTT, where TT is their team number. Anonymous users must be able to read all the team directories, but must not have write access to any of them.
- NFS or SMB
- You must make two NFS or SMB shares available. One share, named upload, must be world writable by anonymous users. Another share, named public, must be readable -- but not writable -- by anonymous users.
- Outgoing SMTP
- Your router must be able to send outgoing mail to outside domains such as Hotmail or Gmail. You may achieve this either by having mail delivered directly from your host to the destination host (acting as a normal SMTP server) or by forwarding all mail to the main network routers (10.0.0.253 or 10.0.0.254). You are not required to allow the forwarding of mail by systems which you don't maintain.
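An added audit of the FTP and share directory layout described above (example script, not part of the assignment). It assumes anonymous FTP, NFS and SMB users are mapped to an unprivileged uid, so the filesystem permission bits decide what "anonymous" may read or write, and that team directories are named team1, team2, ... (unpadded, as in the sample report); FTPROOT and SHAREROOT are the directories you export.

```shell
#!/bin/sh
# Added audit for the router's FTP and share directory layout (not from the
# assignment). It assumes anonymous FTP, NFS and SMB users are mapped to an
# unprivileged uid, so the filesystem permission bits decide what "anonymous"
# may read or write, and that team directories are named team1, team2, ...
# (unpadded, as in the sample report).

# Print the nine permission characters of a path, e.g. rwxr-xr-x.
perm_bits() { ls -ld "$1" 2>/dev/null | cut -c2-10; }

# Every teamN directory under FTPROOT must be readable by everyone (anonymous
# users read all team directories) but writable only by its owning account:
# owner rwx, no group write bit, others exactly r-x.
check_team_dirs() {
    ftproot="$1"; nteams="$2"; i=1; rc=0
    while [ "$i" -le "$nteams" ]; do
        d="$ftproot/team$i"
        case "$(perm_bits "$d")" in
            rwx?-?r-x) echo "OK: $d" ;;
            "")        echo "FAIL: $d missing"; rc=1 ;;
            *)         echo "FAIL: $d is $(perm_bits "$d"), want rwx?-?r-x"; rc=1 ;;
        esac
        i=$((i + 1))
    done
    return "$rc"
}

# SHAREROOT/upload must be world-writable; the sticky bit (mode 1777) keeps
# one anonymous user from deleting another's uploads. SHAREROOT/public must
# be world-readable with no group/other write bit.
check_shares() {
    shareroot="$1"; rc=0
    case "$(perm_bits "$shareroot/upload")" in
        rwxrwxrwt) echo "OK: upload is mode 1777" ;;
        *)         echo "FAIL: upload must be mode 1777"; rc=1 ;;
    esac
    case "$(perm_bits "$shareroot/public")" in
        r?x?-?r-x) echo "OK: public is read-only for anonymous users" ;;
        *)         echo "FAIL: public must be readable but not writable by others"; rc=1 ;;
    esac
    return "$rc"
}
```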
Server Requirements
Your server is required to have a web server running, providing both HTTP and HTTPS services. You must install one of the following applications on your web server:
- iAMB (http://coopermcgregor.com/products/iamb/)
- phpBB (http://www.phpbb.com/)
- Board-TNK (http://www.linux-sottises.net/software.php#board-tnk)
- Snitz Forums 2000 (http://sourceforge.net/projects/sf2k)
- Forum Plus! (http://sourceforge.net/projects/forumplus)
You must include a web page at the root of your web server which has a link to your message board application. In addition, you must include a link to the specific version of the source code you installed for this application on this web page. You may make modifications to the source of the application you install for compatibility and security reasons, but these changes must not remove core functionality and you must include the changes in the source code you publish.
Keep in mind that most of the applications will require you to install other software such as a database. Also, some applications will be easier to install on your Unix machine while other applications will be easier to install on Windows.
Your HTTPS web server may use a self-signed certificate; you do not need to buy one from a CA.
NOTE: If you have trouble getting the bulletin board software running on your server system, you may run it on your router instead. However, you must trade these HTTP/HTTPS services with either the FTP service or the SMB/NFS service.
Report
You need to submit two files for your report. The first file should describe the setup of your machines. Specifically, it should include:
- The OS selection for the router, server, and the attacker (if you are using one).
- For each of the requirements, the name of the software providing the service. For example, for the FTP service you might be using vsftpd or proftpd.
The second file should include all the passwords. Copy the sample for Team 9 shown below and change all the appropriate information. Make sure to include the information for all the other teams. If your report is not in the format below, it will not be accepted. Make sure to save it as a simple text file.

Team 9
Windows Secret: mysupersecretstring
Unix Secret: anotherstrongsecret
NetSecAdmin passwd: optional_password_if_installed_own_OS

Team 9 --> Team 1
===========================================================================
FTP username: team1
FTP password: superpass1
FTP connection: 10.0.0.9 port 21
Win username: team1
Win password: supersuper1
Win connection: 10.0.9.2 port 3389
Unix username: team1
Unix password: blahblah
Unix connection: 10.0.0.9 port 22

Team 9 --> Team 2
===========================================================================
FTP username: team2
FTP password: superpass2
FTP connection: 10.0.0.9 port 21
Win username: team2
Win password: supersuper2
Win connection: 10.0.9.2 port 3389
Unix username: team2
Unix password: blahblah
Unix connection: 10.0.0.9 port 22