This shows you the differences between two versions of the page.
cdci:exam [2020/05/22 17:24] mihai.chiroiu |
cdci:exam [2022/06/03 12:12] (current) mihai.chiroiu |
Line 1: | Line 1: | ||
- | ====== Exam - 22 May 2020 ====== | + | ====== Exam - 03 June 2022 ====== |
Use OpenStack CDCI template to start a new VM. To access the VM, login to fep.grid.pub.ro using your UPB credentials, and from there ssh into the private IP from OpenStack using "ubuntu" as a username and your ssh key. | Use OpenStack CDCI template to start a new VM. To access the VM, login to fep.grid.pub.ro using your UPB credentials, and from there ssh into the private IP from OpenStack using "ubuntu" as a username and your ssh key. | ||
+ | |||
+ | First, you need to sync your CDCI directory from the git. | ||
+ | |||
+ | <code> | ||
+ | ubuntu@cdci-test:~$ cd cdci/ | ||
+ | ubuntu@cdci-test:~/cdci$ sudo su | ||
+ | root@cdci-test:/home/ubuntu/cdci# git pull | ||
+ | root@cdci-test:/home/ubuntu/cdci# cd containers/ | ||
+ | root@cdci-test:/home/ubuntu/cdci/containers# cd exam_docker/ | ||
+ | root@cdci-test:/home/ubuntu/cdci/containers/exam_docker# make | ||
+ | [...] THIS TAKES ABOUT 5 MINUTE [...] | ||
+ | root@cdci-test:/home/ubuntu/cdci/containers# cd ../snort_lab07 | ||
+ | root@cdci-test:/home/ubuntu/cdci/containers/snort_lab07# make | ||
+ | [...] THIS TAKES ABOUT 10 MINUTE [...] | ||
+ | </code> | ||
+ | |||
+ | Second, start the topology from one terminal, and use three others to connect to the virtual nodes. | ||
+ | <code> | ||
+ | ubuntu@cdci-v2:~/cdci/labs/lab07$ cd /home/ubuntu/cdci/labs/lab07/ | ||
+ | ubuntu@cdci-v2:~/cdci/labs/lab07$ sudo python3 topology.py | ||
+ | |||
+ | ubuntu@cdci-v2:~/cdci/labs/lab07$ sudo ./h1.sh | ||
+ | ubuntu@cdci-v2:~/cdci/labs/lab07$ sudo ./h2.sh | ||
+ | ubuntu@cdci-v2:~/cdci/labs/lab07$ sudo ./ids.sh | ||
+ | </code> | ||
Due to the fact that we have to work remote, please make sure that you record your screen while working. Here is how. | Due to the fact that we have to work remote, please make sure that you record your screen while working. Here is how. | ||
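Review bot: the working directory shown in the prompts of the added setup block is inconsistent: `root@cdci-test:/home/ubuntu/cdci/containers/exam_docker# make` is followed by `root@cdci-test:/home/ubuntu/cdci/containers# cd ../snort_lab07`, and from `containers/` a `cd ../snort_lab07` lands in `cdci/snort_lab07`, not in the `cdci/containers/snort_lab07` shown on the next prompt; either show the `cd ..` that returns to `containers/` before `cd snort_lab07`, or keep the `exam_docker` prompt with `cd ../snort_lab07`. The block also switches to root with `sudo su` before `git pull`, so the pull leaves root-owned files in the ubuntu user's checkout, while the topology commands later in the same block run as `ubuntu@cdci-v2` with `sudo`; pulling as ubuntu and running only the two `make` invocations under `sudo` avoids that. Minor: "THIS TAKES ABOUT 5 MINUTE" and "10 MINUTE" should read MINUTES, and the first `cd /home/ubuntu/cdci/labs/lab07/` is issued from a prompt already in that directory.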
Line 43: | Line 68: | ||
===== Tasks ===== | ===== Tasks ===== | ||
- | ==== 01. [1p] IMCP Payload ==== | + | ==== 01. [2p] IMCP Payload ==== |
Send the “CDCI-EXAM” payload from H1 to H2 using the ping command. Display the payload on H2 as it is received (using tcpdump). | Send the “CDCI-EXAM” payload from H1 to H2 using the ping command. Display the payload on H2 as it is received (using tcpdump). | ||
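Review bot: the heading of task 01 reads "IMCP Payload" in both the old and the new version; the task is about ICMP (ping on H1, tcpdump on H2), so the heading should be "ICMP Payload". The point value change from [1p] to [2p] is otherwise fine.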
Line 53: | Line 78: | ||
==== 03. [1p] Encryption ==== | ==== 03. [1p] Encryption ==== | ||
- | Use AES128 EBC mode and encrypt the “CDCI-EXAM-TODAY” string in. Save it as Base64 in a local file. Use any password for encryption. | + | Use AES128 ECB mode and encrypt the “CDCI-EXAM-TODAY” string in. Save it as Base64 in a local file. Use any password for encryption. |
==== 04. [2p] ICMP Tunnel ==== | ==== 04. [2p] ICMP Tunnel ==== | ||
- | Create an ICMP tunnel between H1 & H2 and send the following string over the tunnel “CDCI-EXAM-TODAY”. [1p] Save the traffic and open it using Wireshark (on your personal computer). | + | Create an ICMP tunnel between H1 & H2 and send the following string over the tunnel “CDCI-EXAM-TODAY”. Save the traffic and open it using Wireshark/tcpdump (on your personal computer). |
==== 05. [1p] Snort1 ==== | ==== 05. [1p] Snort1 ==== | ||
- | Write down a snort rule that matches any type of ICMP traffic. Snort is installed on the IDS. Make sure an alert is generated with the following message: “ICMP for CDCI-EXAM”. | + | Write down a snort rule that matches any type of ICMP or TCP traffic. Snort is installed on the IDS. Make sure an alert is generated with the following message: “ICMP for CDCI-EXAM”. |
<note>You can run SNORT with the following command: “snort -A fast -b -p -v -c /etc/snort/snort.conf -k none -i IDS-eth0” for faster processing. </note> | <note>You can run SNORT with the following command: “snort -A fast -b -p -v -c /etc/snort/snort.conf -k none -i IDS-eth0” for faster processing. </note> | ||
==== 06. [1p] Snort2 ==== | ==== 06. [1p] Snort2 ==== | ||
- | Write down a snort rule that matches any ICMP traffic with the “CDCI-EXAM” payload. Make sure an alert is generated with the following message: “PAYLOAD CDCI-EXAM”. | + | Write down a snort rule that matches any ICMP or TCP traffic with the “CDCI-EXAM” payload. Make sure an alert is generated with the following message: “PAYLOAD CDCI-EXAM”. |
==== 07. [1p] Snort3 ==== | ==== 07. [1p] Snort3 ==== | ||
- | Write down a snort rule that matches any ICMP traffic with the “EXAMCDCI-[A-Z]{3}“ payload encoded as Base64. Make sure an alert is generated with the following message: “EASY CDCI-EXAM”. | + | Write down a snort rule that matches any ICMP or TCP traffic with the “EXAMCDCI-[A-Z]{3}“ payload encoded as Base64. Make sure an alert is generated with the following message: “EASY CDCI-EXAM”. |
<note> Note: “EXAMCDCI-[A-Z]{3}“ is a regex and will match something like: EXAMCDCI -AZI, EXAMCDCI -YES, etc. (https://regex101.com/). </note> | <note> Note: “EXAMCDCI-[A-Z]{3}“ is a regex and will match something like: EXAMCDCI -AZI, EXAMCDCI -YES, etc. (https://regex101.com/). </note> | ||
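Review bot: the alert message in task 05 no longer matches the rule it asks for: the rule was widened from "any type of ICMP traffic" to "any type of ICMP or TCP traffic", but the required message is still “ICMP for CDCI-EXAM”, so a TCP match would raise an alert labelled ICMP; either keep the rule ICMP-only or change the message (the same widening in tasks 06 and 07 is fine, since their messages do not name a protocol). Note also that a Snort rule header takes a single protocol (tcp, udp, icmp or ip), so "ICMP or TCP" needs either two rules or an `ip` rule that would also match UDP; "Write down a snort rule" in tasks 05 to 07 should then say rules, or state that `ip` is acceptable. Two smaller points in the same region: task 03 reads "encrypt the “CDCI-EXAM-TODAY” string in." with a dangling "in" that should be dropped; and the regex note under task 07 gives the examples "EXAMCDCI -AZI" and "EXAMCDCI -YES" with a space before the hyphen, which “EXAMCDCI-[A-Z]{3}” does not match, so they should be written "EXAMCDCI-AZI" and "EXAMCDCI-YES".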