Lab 08 - Network Security

Objectives

Port Scanning (nmap)
Traffic filtering / manipulation (iptables)
Port knocking
Man in the Middle Attack

Preparation

Please spawn a virtual machine on openstack.

You need to prepare the playground:

To make it easier for others to identify your VM, please run this command:

echo "<h1>Hello, I am "<insert your 31337 name here>" </h1>" | sudo tee /var/www/html/index.html

To prevent main SSH account trolling, you might want to change the password of your account ASAP:

sudo passwd student
# set an unbreakable password, but make sure you won't forget it until the end of the lab!

After that, enable the hacker guest account for your ~~enemies~~ colleagues to use (and don't cheat!):

# let the h4x0rs in (enables the account):
sudo usermod -e -1 -U hacker

Leave hacker's password unchanged!

No trolling / spamming yet, please!

Overview

Think about how much we depend on networks: sending emails, shopping online, streaming Netflix, or storing personal and professional data. These networks are the backbone of our online lives. But with that power comes risk — attackers can exploit weaknesses to:

Steal sensitive information like passwords or credit card details.
Disrupt services through attacks like DDoS, which can overwhelm and shut down systems.
Take control of systems via malware or open ports.

Examples of common attacks include:

Port Scanning: Identifies open entry points, similar to burglars checking for unlocked windows.
Man-in-the-Middle (MitM) Attacks: Intercepts sensitive data, like passwords, often using tactics like “Evil Twin” Wi-Fi traps in public spaces.
Traffic Manipulation: Takes advantage of poorly configured systems to enable brute force attacks, data theft, or malware injection.
Port Knocking: Adds stealth authentication, granting access only after a specific sequence is followed.

This lab combines both offensive (attacking) and defensive (securing) techniques to help you understand both perspectives.

Tasks

[30p] 1. Port Scanning

You can read here more about port scanning techniques.

Port scanning is a fundamental technique in cybersecurity, both for attackers and defenders. It allows you to identify what services a system is running and determine potential vulnerabilities. Think of it as a building where every room has a door. Some doors are open, some are locked, and some are guarded. Port scanning is like walking down the hallway, checking which doors are open and what’s behind them.

Why would you do this? As a defender, you scan your network to identify potential vulnerabilities, misconfigurations, or services that shouldn't be accessible. It’s a proactive way to patch security gaps.
Why would an attacker do this? Attackers scan to map out your network, identify potential entry points, and target systems running vulnerable or misconfigured services.

Real-World Example: The Mirai Botnet Attack (2016) is a notable example of port scanning used maliciously. Attackers used port scanning to identify IoT devices ( with open Telnet (port 23) and weak credentials, compromising them to create a botnet. This botnet launched massive DDoS attacks, including the one on Dyn (a company that controls much of the internet’s dns infrastructure), disrupting major websites like Twitter and Netflix. The attack highlighted the importance of securing open ports, updating firmware, and using strong credentials to prevent similar exploits.

For the following exercises, you should be working on an OpenStack VM, scanning for the VMs of your colleagues.

[10p] Discover Devices on the Network

STEP 1: Scan the network with nmap (using ping scan)

What It Does: Sends ICMP Echo Requests (pings) or TCP/UDP requests to detect devices on the network.
Strengths: Works across subnets and can identify devices beyond the local network.
Limitations: May miss devices that block ICMP or TCP requests.

TASK: Run a nmap with ping scan to discover active hosts in your network using nmap (you can use CIDR notation! Remember OpenStack's network prefix?). Hint: Search on google how to run a “nmap with ping scan option”

STEP 2: Scan the network with arp scan

What it does: Sends ARP requests to resolve IPs to MAC addresses.
Strengths: Extremely accurate within the local subnet; detects devices even if ICMP is blocked.
Limitations: Limited to the local network (Layer 2) and cannot scan beyond the subnet.

TASK: Run an ARP scan to detect devices on the local subnet

TASK: If you are doing this exercise with colleagues, try to find each other's hosts (note: since you all have the same VM images, try to find one with the same ports!).

[10p] Scan a Machine for Open Ports on TCP/UDP (work in pairs)

STEP 1: Set up a TCP netcat server

Purpose: Helps understand how scanning tools like `nmap` detect open ports on a target system.

TASK: Work in pairs. One person opens a TCP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10001). Hint: use -p <port range> for faster, directed scanning.

STEP 2: Scan the TCP Server with nmap

TCP Connect Scan:
1. What It Does: Establishes a full TCP connection to detect open ports.
2. Strengths: Reliable, works on systems that block SYN packets.
3. Limitations: Slower and more noticeable than other methods.

SYN Scan:
1. What It Does: Sends a SYN packet to detect open ports without completing the handshake.
2. Strengths: Faster and stealthier; common for reconnaissance.
3. Limitations: May require root permissions.

Xmas Scan:
1. What It Does: Sends packets with unusual flags set to detect firewalls or poorly configured systems.
2. Strengths: Useful for probing firewalls or legacy systems.
3. Limitations: Ineffective against modern, hardened devices.

TASK: Use 'nmap' to run TCP Connect, SYN, and Xmas scans on the target IP and observe the results.

STEP 3: Set up an UDP netcat server

Purpose: Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments.

TASK: Work in pairs. One person opens an UDP server on their VM using netcat, while the other scans for it. Choose a non-standard port (e.g., 10002). Hint: use -k when opening the server to allow multiple connections

STEP 4: Scan the UDP Server with nmap

What It Does: Sends UDP packets to detect open ports and services.
Strengths: Detects open UDP services like DNS and SNMP.
Limitations: Slower and less reliable due to the lack of acknowledgments in UDP.

TASK: Use `nmap` to perform an UDP scan on the target IP and observe the open port.

[10p] OS/Version scans

STEP 1: Perform OS Detection with nmap

Purpose: Identify the operating system and running services on a target system, which allows attackers to tailor their exploits to known vulnerabilities for that specific OS or service version.

TASK: Use `nmap` to perform OS detection on your partner’s VM or another detected host. Observe the detected OS and note its potential vulnerabilities.

STEP 2: Perform Service Version Detection with nmap

Purpose: Identify services running on open ports and their versions by sending request and matching responses to a signature database. Reveals outdated or vulnerable services, which attackers can exploit using known vulnerabilities.

TASK: Use `nmap` to detect service versions on the same target. Match the service version to potential vulnerabilities.

Explore CVE and MITRE ATT&CK for Additional Context

Why CVEs Matter: CVEs (Common Vulnerabilities and Exposures) provide detailed information about specific vulnerabilities, helping you understand how they are exploited and how to mitigate them.
Why MITRE ATT&CK Matters: MITRE ATT&CK techniques classify tactics and methods attackers use at various stages of an attack, offering a deeper understanding of their strategies.
Next Steps: If interested, explore the CVE database at https://cve.mitre.org/ and MITRE ATT&CK at https://attack.mitre.org/ to learn more about how these concepts relate to scanning and securing networks.

[30p] 2. Iptables

Here's an iptables cheeatsheet to help you get started.

Iptables is a command-line utility that acts as an interface to the netfilter firewall built into the Linux kernel. Think of it as the security checkpoint at a building. Guards check who’s entering, leaving, and passing through, ensuring only authorized people (or data packets) are allowed. With iptables, you establish these security checkpoints for your system's network traffic.

Why would you do this? As a defender, iptables enables you to define network access rules by allowing or blocking traffic to specific ports, protocols, or IP addresses. You can prevent malicious activity, such as unauthorized SSH access or DDoS attacks.
How can an attacker exploit this? Attackers often aim to bypass firewall rules, exploit misconfigurations, or flood open ports with traffic (e.g., DDoS attacks). Misconfigured or permissive iptables rules can create entry points for attackers to exploit vulnerabilities.

Real-World Importance

Defending Against Attacks: Iptables is often used to defend against brute-force SSH attacks by blocking IPs after too many failed login attempts.
Mitigating DDoS Attacks: Administrators use iptables to rate-limit connections to web servers, reducing the impact of distributed denial-of-service (DDoS) attacks.
Access Control: By combining whitelists and blacklists, iptables ensures that only authorized users can access specific services or ports.

Real-World Examples: A real-world example highlighting the consequences of misconfigured iptables rules is the “IptabLes and IptabLex botnet attacks”. In 2014, security experts at Akamai-Prolexic discovered a botnet dubbed “IptabLes and IptabLex” that infected and exploited poorly maintained Linux servers to run large-scale Distributed Denial of Service (DDoS) attacks.

Example in Action: Imagine a situation where a server is being spammed with SSH login attempts from a malicious IP. Using iptables, you can block this IP address immediately:

 iptables -A INPUT -s <malicious-IP> -p tcp --dport 22 -j DROP

[5p] Best practices

Here are some best practices when writing firewall rules (read them):

Put specific rules at the top of the policy and generic rules at the bottom. The order matters
The more criteria you specify in the rule, the less chance you will have of locking yourself out. There are plenty of ways in which you can be more specific, such as specifying the input or output interface (-i | -o), the source IP address (-s), the destination IP address (-d), the protocol and ports (-p <tcp|udp> --dport|sport <number>.
First, place a rule at the very top of the INPUT chain, which includes the IP address of your workstation (in our case, the fep will originate your ssh packets to OpenStack), so that you won’t get locked out. A rule for whitelisting your IP address at the top of the policy looks like this. Notice that Insert (-I) was used instead of Append (-A), because we want this rule to be the first.
```
 iptables -I INPUT -s "<FEP IP address>" -j ACCEPT 
```
Add whitelist or blacklist rules for the types of traffic you use (or don't want to receive); you will do that for the next subtask! You should use the INPUT chain for that.
You should use the connection tracking module(s) to bypass the firewall for already established (usually, outgoing) connections, otherwise replies cannot be received (if you drop them in INPUT).

Try to not get locked out of ssh-ing your virtual machine! Double-check the rule before you add it to a iptables chain (always ask yourself: does it match a broad range of packets / will it filter my SSH traffic from fep)!

[10p] Secure Your VM from Unwanted SSH/HTTP Traffic (work in pairs)

STEP 1: Access Your Colleague’s VM and Observe Traffic

Purpose: Learn how to interact with a remote machine, analyze incoming SSH and HTTP traffic, and apply appropriate filtering rules to manage access.

TASK: Work in pairs. Follow these steps:

Ask your colleague for their VM IP address.
Use `curl` to connect to their HTTP server and display the server’s response
Attempt to SSH into their VM using the credentials `hacker:student`
If successful, send a broadcast message to your colleague’s system
```
hacker@<colleague-VM>$ wall "Wazzaap?" 
```

STEP 2: Monitor Incoming Traffic with tcpdump

Purpose: Analyzing network traffic is essential for troubleshooting, identifying unauthorized access, and auditing security. You can identify which machines are connecting to your services and how they interact with your system.

TASK: Use the 'tcpdump' tool to observe SSH connections to your machine:

Run the following command to monitor all incoming traffic except packets from the FEP:
```
tcpdump -i eth0 'host not <FEP's IP address>'
```
Watch the output and note the source IPs of the OpenStack VMs connecting to your machine.
Record the IPs for later use when setting up firewall rules.

STEP 3: Block Unwanted SSH and HTTP Traffic

Purpose: Controlling access to services is critical for securing systems against spam, unauthorized users, and brute-force attacks. Blocking unnecessary SSH and HTTP traffic helps prevent abuse and protects sensitive data.

TASK: Use `iptables` to block SSH and HTTP connections from unauthorized machines:

Use the OpenStack CIDR range to block SSH (TCP port 22) and HTTP (TCP port 80) traffic:
Double-check your own IP is not in the blocked range to avoid locking yourself out.

STEP 4: Allow Trusted Colleagues to Access Your VM

Purpose: While blocking unwanted access is critical, allowing trusted colleagues or team members to connect to your system ensures collaboration and prevents unintentional disruptions in a shared environment.

TASK: Add rules to allow SSH and HTTP traffic from your colleague’s IP:

Insert the rules before the block rules
Verify the rule placement using:
```
iptables -L -v
```

If you want to stop `wall` messages from appearing on your terminal, check out the `man mesg` command.

Reminder: If you're using nested shells (e.g., switching from `student` to `root` using `su`), ensure you run `mesg` in the original tty spawned by SSH.

[5p] Workstation Firewall

Purpose: Everyone should take proactive measures to secure their workstation, especially when connecting to public Wi-Fi hotspots such as those found in coffee shops or hotels. By blocking all traffic and only allowing specific connections, you significantly reduce the risk of unauthorized access or compromise. This policy ensures only essential traffic is permitted, while unknown packets are automatically dropped, maintaining robust security.

Note: While this task is for reference, implementing such a policy is highly effective for laptops used in insecure or high-risk environments. It minimizes exposure to threats by defaulting to a “deny-all” approach unless explicitly allowed.

Workstation Firewall Script

# Remove any existing rules from all chains
iptables --flush
 
# Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
# Allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
# Accept any related or established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
 
# Outbound DNS lookups
iptables -A OUTPUT -o ens3 -p udp -m udp --dport 53 -j ACCEPT
 
# Allow outbound SSH
iptables -A OUTPUT -o ens3 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
 
# Outbound PING requests
iptables -A OUTPUT -o ens3 -p icmp -j ACCEPT
 
# Outbound Network Time Protocol (NTP) requests
iptables -A OUTPUT -o ens3 -p udp --dport 123 --sport 123 -j ACCEPT
 
# Outbound HTTP and HTTPS
iptables -A OUTPUT -i ens3 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -i ens3 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

[10p] DNS Blocking

Purpose: DNS blocking is a practical way to restrict access to unwanted websites or domains, such as blocking social media on a corporate network. By intercepting and dropping DNS queries for specific domains, you can prevent users from accessing restricted content without interfering with the broader network's functionality.

Task: Block access to Facebook by dropping all DNS queries containing “facebook.com.”

Hint: The `string` iptables module allows packet content matching, including DNS queries. Use the `–hex-string` option to specify binary contents, and choose an appropriate string matching algorithm for efficient filtering.
Note: you can supply a hex string parameter with the syntax |HH HH HH …|<plaintext> (e.g., hello|20 57 6F|rld) to match binary contents of a packet! Also choose a string matching algorithm!

[0p] Task E: Port Knocking (Bonus)

Purpose: Port knocking is a powerful security technique used to obscure access to sensitive network services. By requiring a specific sequence of connection attempts (knocks) before opening a port, this method prevents unauthorized users from detecting or accessing the service. It’s particularly useful for protecting services on machines that need to remain hidden until needed, such as administrative tools or diagnostic servers.

Task:

Start a `netcat` TCP server on port `31337`.
Configure a port knocking scheme so the server remains invisible (closed/filtered) until the correct sequence of port “knocks” is performed.
Ask a colleague to scan your port. It should appear closed or filtered.
Provide your colleague with the correct knock sequence and confirm they can access the `netcat` server after performing it.

Why It's Helpful:
1. Protects services from being discovered by malicious scans.
2. Adds an extra layer of security for sensitive applications or servers.
3. Enables stealthy and controlled access without leaving ports exposed.

Hint: Use the `recent` iptables module to track and validate the knock sequence.

Reference: [Arch Wiki: Port Knocking](https://wiki.archlinux.org/index.php/Port_knocking)

[30p] 3. Man in the Middle

The Address Resolution Protocol (ARP) is used to map IP addresses (Layer 3) to MAC addresses (Layer 2) on local networks. However, ARP is inherently vulnerable because it lacks authentication. Attackers can exploit this weakness by forging ARP responses, tricking a victim into associating a legitimate IP (e.g., the router) with the attacker’s MAC address. This allows the attacker to intercept and manipulate network traffic, a classic example of a Man in the Middle (MitM) attack.

Think of this as you’re mailing a letter to your bank. A middleman secretly intercepts the letter, opens it, reads all your private information, and replaces it with their own fake letter before sending it to the bank. You never realize your communication was tampered with, but the middleman now has all your sensitive details. This is essentially what a Man-in-the-Middle attack does in a digital network.

Why would you do this as an attacker?
1. To intercept sensitive information like credentials or financial data being transmitted over the network.
2. To disrupt communications, redirect traffic, or inject malicious content into a victim's browsing session.
3. To gather intelligence on a target network or exploit vulnerabilities in intercepted traffic.

Real-World Example: The 2015 Superfish Visual Discovery vulnerability in Lenovo laptops exposed millions of users to Man-in-the-Middle attacks by allowing attackers to intercept and decrypt HTTPS traffic, highlighting the dangers of pre-installed software and weak security practices.

Is MitM Still Used? Yes, Man-in-the-Middle attacks are still used today and remain a serious threat. Their methods, however, have evolved with the advance in technology

Public Wi-Fi Networks: Attackers exploit insecure hotspots to intercept traffic.
IoT Devices: Poorly secured devices provide new opportunities for interception.
Advanced Techniques: Attacks like SSL/TLS downgrades and HTTPS spoofing target encrypted connections.

Mitigation Today:

Strict SSL/TLS protocols and certificate validation.
Secure DNS implementations like DNSSEC and DNS over HTTPS.
Use of Virtual Private Networks (VPNs) for secure communication on public networks.

For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks.

[20p] ARP Cache Poisoning

STEP 1: Set up the environment

Create a simulated network with Docker containers to demonstrate how ARP cache poisoning works in a controlled environment.

Ensure the host system forwards packets between devices. This is crucial for traffic to flow through the attacker container.

sudo sysctl -w net.ipv4.ip_forward=1

Open a “Victim” terminal (inside your VM):

docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04

Open an “Attacker” terminal with IP forwarding enabled:

docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04

Open a third terminal for an additional attacker session:

docker exec -ti attacker /bin/bash

STEP 2: Configure the victim container

Prepare the victim machine to simulate a normal user in the network.

Inside the “Victim” terminal

apt update && apt install -y iproute2 iputils-ping netcat-openbsd

Find the IP address of the victim container

ip a sh

STEP 3: Launch the ARP spoofing attack

Perform ARP cache poisoning from the attacker container to impersonate the gateway (router) for the victim.

Inside the “Attacker” terminal

apt update && apt install -y dsniff tcpdump iproute2 iputils-ping

Start ARP poisoning

arpspoof -i <INTERFACE> -t <VICTIM_IP> <GATEWAY_IP> -r

STEP 4: Verify the Setup

Observe the impact of ARP poisoning and verify the attack's success.

Open a second session on the attacker container

 tcpdump -i <INTERFACE> -nvvX

Check the victim’s ARP table to confirm the gateway MAC address has been replaced with the attacker’s MAC. The victim’s traffic should now flow through the attacker.

 ip nei sh

[10p] Test Implementation

STEP 1: Monitor DNS traffic from the victim

Capture DNS traffic intercepted during the MitM attack to demonstrate how attackers can steal sensitive information.

In the attacker terminal

tcpdump udp port 53 -nvvX

STEP 2: Simulate victim activity

Generate network traffic from the victim to verify interception. Observe DNS traffic in the tcpdump output to confirm interception.

In the victim terminal, check the ARP table

 ip nei sh

Ping a website to generate traffic

 ping my.secretwebsite.com

Unfortunately, IP forwarding inside containers doesn't work in this simulation, but the tcpdump on the attacker should still show intercepted ARP or DNS traffic.

Mitigation and Defense

Why Mitigation is Necessary: ARP spoofing is a common attack on local networks, especially public Wi-Fi. Implementing defenses can prevent unauthorized access and secure sensitive data.

Mitigation Techniques:
1. Use static ARP tables to bind specific IP-MAC pairs.
2. Enable dynamic ARP inspection (DAI) if supported by your network hardware.
3. Use encryption protocols (e.g., HTTPS, VPNs) to secure communications even in the presence of MitM attacks.
4. Deploy intrusion detection systems (IDS) to monitor for unusual ARP activity.

[10p] 4. Feedback

Please take a minute to fill in the feedback form for this lab.

Table of Contents