• Port Scanning (nmap)
• Traffic filtering / manipulation (iptables)
• Port knocking
• Man in the Middle Attack

Please spawn a virtual machine on openstack.

• To make it easier for others to identify your VM, please run this command:

echo "<h1>Hello, I am "<insert your 31337 name here>" </h1>" | sudo tee /var/www/html/index.html

• To prevent main SSH account trolling, you might want to change the password of your account ASAP:

sudo passwd student
# set an unbreakable password, but make sure you won't forget it until the end of the lab!

• After that, enable the hacker guest account for your enemies colleagues to use (and don't cheat!):

# let the h4x0rs in (enables the account):
sudo usermod -e -1 -U hacker

Think about how much we depend on networks: sending emails, shopping online, streaming Netflix, or storing personal and professional data. These networks are the backbone of our online lives. But with that power comes risk — attackers can exploit weaknesses to:

• Steal sensitive information like passwords or credit card details.
• Disrupt services through attacks like DDoS, which can overwhelm and shut down systems.
• Take control of systems via malware or open ports.

Examples of common attacks include:

• Port Scanning: Identifies open entry points, similar to burglars checking for unlocked windows.
• Man-in-the-Middle (MitM) Attacks: Intercepts sensitive data, like passwords, often using tactics like “Evil Twin” Wi-Fi traps in public spaces.
• Traffic Manipulation: Takes advantage of poorly configured systems to enable brute force attacks, data theft, or malware injection.
• Port Knocking: Adds stealth authentication, granting access only after a specific sequence is followed.

This lab combines both offensive (attacking) and defensive (securing) techniques to help you understand both perspectives.

You can read here more about port scanning techniques.

Port scanning is a fundamental technique in cybersecurity, both for attackers and defenders. It allows you to identify what services a system is running and determine potential vulnerabilities. Think of it as a building where every room has a door. Some doors are open, some are locked, and some are guarded. Port scanning is like walking down the hallway, checking which doors are open and what’s behind them.

• Why would you do this? As a defender, you scan your network to identify potential vulnerabilities, misconfigurations, or services that shouldn't be accessible. It’s a proactive way to patch security gaps.
• Why would an attacker do this? Attackers scan to map out your network, identify potential entry points, and target systems running vulnerable or misconfigured services.

Real-World Example: The Mirai Botnet Attack (2016) is a notable example of port scanning used maliciously. Attackers used port scanning to identify IoT devices ( with open Telnet (port 23) and weak credentials, compromising them to create a botnet. This botnet launched massive DDoS attacks, including the one on Dyn (a company that controls much of the internet’s dns infrastructure), disrupting major websites like Twitter and Netflix. The attack highlighted the importance of securing open ports, updating firmware, and using strong credentials to prevent similar exploits.

For the following exercises, you should be working on an OpenStack VM, scanning for the VMs of your colleagues.

STEP 1: Scan the network with nmap (using ping scan)

• What It Does: Sends ICMP Echo Requests (pings) or TCP/UDP requests to detect devices on the network.
• Strengths: Works across subnets and can identify devices beyond the local network.
• Limitations: May miss devices that block ICMP or TCP requests.

STEP 2: Scan the network with arp scan

• What it does: Sends ARP requests to resolve IPs to MAC addresses.
• Strengths: Extremely accurate within the local subnet; detects devices even if ICMP is blocked.
• Limitations: Limited to the local network (Layer 2) and cannot scan beyond the subnet.

STEP 1: Set up a TCP netcat server

• Purpose: Helps understand how scanning tools like `nmap` detect open ports on a target system.

STEP 2: Scan the TCP Server with nmap

• TCP Connect Scan:
  1. What It Does: Establishes a full TCP connection to detect open ports.
  2. Strengths: Reliable, works on systems that block SYN packets.
  3. Limitations: Slower and more noticeable than other methods.

• SYN Scan:
  1. What It Does: Sends a SYN packet to detect open ports without completing the handshake.
  2. Strengths: Faster and stealthier; common for reconnaissance.
  3. Limitations: May require root permissions.

• Xmas Scan:
  1. What It Does: Sends packets with unusual flags set to detect firewalls or poorly configured systems.
  2. Strengths: Useful for probing firewalls or legacy systems.
  3. Limitations: Ineffective against modern, hardened devices.

STEP 3: Set up an UDP netcat server

• Purpose: Helps test UDP scanning, which is slower and behaves differently than TCP due to the lack of acknowledgments.

STEP 4: Scan the UDP Server with nmap

• What It Does: Sends UDP packets to detect open ports and services.
• Strengths: Detects open UDP services like DNS and SNMP.
• Limitations: Slower and less reliable due to the lack of acknowledgments in UDP.

STEP 1: Perform OS Detection with nmap

• Purpose: Identify the operating system and running services on a target system, which allows attackers to tailor their exploits to known vulnerabilities for that specific OS or service version.

STEP 2: Perform Service Version Detection with nmap

• Purpose: Identify services running on open ports and their versions by sending request and matching responses to a signature database. Reveals outdated or vulnerable services, which attackers can exploit using known vulnerabilities.

Explore CVE and MITRE ATT&CK for Additional Context

• Why CVEs Matter: CVEs (Common Vulnerabilities and Exposures) provide detailed information about specific vulnerabilities, helping you understand how they are exploited and how to mitigate them.
• Why MITRE ATT&CK Matters: MITRE ATT&CK techniques classify tactics and methods attackers use at various stages of an attack, offering a deeper understanding of their strategies.
• Next Steps: If interested, explore the CVE database at https://cve.mitre.org/ and MITRE ATT&CK at https://attack.mitre.org/ to learn more about how these concepts relate to scanning and securing networks.

Here's an iptables cheeatsheet to help you get started.

Iptables is a command-line utility that acts as an interface to the netfilter firewall built into the Linux kernel. Think of it as the security checkpoint at a building. Guards check who’s entering, leaving, and passing through, ensuring only authorized people (or data packets) are allowed. With iptables, you establish these security checkpoints for your system's network traffic.

• Why would you do this? As a defender, iptables enables you to define network access rules by allowing or blocking traffic to specific ports, protocols, or IP addresses. You can prevent malicious activity, such as unauthorized SSH access or DDoS attacks.
• How can an attacker exploit this? Attackers often aim to bypass firewall rules, exploit misconfigurations, or flood open ports with traffic (e.g., DDoS attacks). Misconfigured or permissive iptables rules can create entry points for attackers to exploit vulnerabilities.

Real-World Importance

• Defending Against Attacks: Iptables is often used to defend against brute-force SSH attacks by blocking IPs after too many failed login attempts.
• Mitigating DDoS Attacks: Administrators use iptables to rate-limit connections to web servers, reducing the impact of distributed denial-of-service (DDoS) attacks.
• Access Control: By combining whitelists and blacklists, iptables ensures that only authorized users can access specific services or ports.

Real-World Examples: A real-world example highlighting the consequences of misconfigured iptables rules is the “IptabLes and IptabLex botnet attacks”. In 2014, security experts at Akamai-Prolexic discovered a botnet dubbed “IptabLes and IptabLex” that infected and exploited poorly maintained Linux servers to run large-scale Distributed Denial of Service (DDoS) attacks.

Example in Action: Imagine a situation where a server is being spammed with SSH login attempts from a malicious IP. Using iptables, you can block this IP address immediately:

 iptables -A INPUT -s <malicious-IP> -p tcp --dport 22 -j DROP

Here are some best practices when writing firewall rules (read them):

• Put specific rules at the top of the policy and generic rules at the bottom. The order matters
• The more criteria you specify in the rule, the less chance you will have of locking yourself out. There are plenty of ways in which you can be more specific, such as specifying the input or output interface (-i | -o), the source IP address (-s), the destination IP address (-d), the protocol and ports (-p <tcp|udp> --dport|sport <number>.
• First, place a rule at the very top of the INPUT chain, which includes the IP address of your workstation (in our case, the fep will originate your ssh packets to OpenStack), so that you won’t get locked out. A rule for whitelisting your IP address at the top of the policy looks like this. Notice that Insert (-I) was used instead of Append (-A), because we want this rule to be the first.

   iptables -I INPUT -s "<FEP IP address>" -j ACCEPT 

• Add whitelist or blacklist rules for the types of traffic you use (or don't want to receive); you will do that for the next subtask! You should use the INPUT chain for that.
• You should use the connection tracking module(s) to bypass the firewall for already established (usually, outgoing) connections, otherwise replies cannot be received (if you drop them in INPUT).

Try to not get locked out of ssh-ing your virtual machine! Double-check the rule before you add it to a iptables chain (always ask yourself: does it match a broad range of packets / will it filter my SSH traffic from fep)!

STEP 1: Access Your Colleague’s VM and Observe Traffic

• Purpose: Learn how to interact with a remote machine, analyze incoming SSH and HTTP traffic, and apply appropriate filtering rules to manage access.

STEP 2: Monitor Incoming Traffic with tcpdump

• Purpose: Analyzing network traffic is essential for troubleshooting, identifying unauthorized access, and auditing security. You can identify which machines are connecting to your services and how they interact with your system.

STEP 3: Block Unwanted SSH and HTTP Traffic

• Purpose: Controlling access to services is critical for securing systems against spam, unauthorized users, and brute-force attacks. Blocking unnecessary SSH and HTTP traffic helps prevent abuse and protects sensitive data.

STEP 4: Allow Trusted Colleagues to Access Your VM

• Purpose: While blocking unwanted access is critical, allowing trusted colleagues or team members to connect to your system ensures collaboration and prevents unintentional disruptions in a shared environment.

• Purpose: Everyone should take proactive measures to secure their workstation, especially when connecting to public Wi-Fi hotspots such as those found in coffee shops or hotels. By blocking all traffic and only allowing specific connections, you significantly reduce the risk of unauthorized access or compromise. This policy ensures only essential traffic is permitted, while unknown packets are automatically dropped, maintaining robust security.

• Note: While this task is for reference, implementing such a policy is highly effective for laptops used in insecure or high-risk environments. It minimizes exposure to threats by defaulting to a “deny-all” approach unless explicitly allowed.

# Remove any existing rules from all chains
iptables --flush
 
# Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
# Allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
# Accept any related or established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
 
# Outbound DNS lookups
iptables -A OUTPUT -o ens3 -p udp -m udp --dport 53 -j ACCEPT
 
# Allow outbound SSH
iptables -A OUTPUT -o ens3 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
 
# Outbound PING requests
iptables -A OUTPUT -o ens3 -p icmp -j ACCEPT
 
# Outbound Network Time Protocol (NTP) requests
iptables -A OUTPUT -o ens3 -p udp --dport 123 --sport 123 -j ACCEPT
 
# Outbound HTTP and HTTPS
iptables -A OUTPUT -i ens3 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -i ens3 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

• Purpose: DNS blocking is a practical way to restrict access to unwanted websites or domains, such as blocking social media on a corporate network. By intercepting and dropping DNS queries for specific domains, you can prevent users from accessing restricted content without interfering with the broader network's functionality.

• Hint: The `string` iptables module allows packet content matching, including DNS queries. Use the `–hex-string` option to specify binary contents, and choose an appropriate string matching algorithm for efficient filtering.
• Note: you can supply a hex string parameter with the syntax |HH HH HH …|<plaintext> (e.g., hello|20 57 6F|rld) to match binary contents of a packet! Also choose a string matching algorithm!

• Purpose: Port knocking is a powerful security technique used to obscure access to sensitive network services. By requiring a specific sequence of connection attempts (knocks) before opening a port, this method prevents unauthorized users from detecting or accessing the service. It’s particularly useful for protecting services on machines that need to remain hidden until needed, such as administrative tools or diagnostic servers.

• Why It's Helpful:
  1. Protects services from being discovered by malicious scans.
  2. Adds an extra layer of security for sensitive applications or servers.
  3. Enables stealthy and controlled access without leaving ports exposed.

• Hint: Use the `recent` iptables module to track and validate the knock sequence.

• Reference: [Arch Wiki: Port Knocking](https://wiki.archlinux.org/index.php/Port_knocking)

The Address Resolution Protocol (ARP) is used to map IP addresses (Layer 3) to MAC addresses (Layer 2) on local networks. However, ARP is inherently vulnerable because it lacks authentication. Attackers can exploit this weakness by forging ARP responses, tricking a victim into associating a legitimate IP (e.g., the router) with the attacker’s MAC address. This allows the attacker to intercept and manipulate network traffic, a classic example of a Man in the Middle (MitM) attack.

Think of this as you’re mailing a letter to your bank. A middleman secretly intercepts the letter, opens it, reads all your private information, and replaces it with their own fake letter before sending it to the bank. You never realize your communication was tampered with, but the middleman now has all your sensitive details. This is essentially what a Man-in-the-Middle attack does in a digital network.

• Why would you do this as an attacker?
  1. To intercept sensitive information like credentials or financial data being transmitted over the network.
  2. To disrupt communications, redirect traffic, or inject malicious content into a victim's browsing session.
  3. To gather intelligence on a target network or exploit vulnerabilities in intercepted traffic.

Real-World Example: The 2015 Superfish Visual Discovery vulnerability in Lenovo laptops exposed millions of users to Man-in-the-Middle attacks by allowing attackers to intercept and decrypt HTTPS traffic, highlighting the dangers of pre-installed software and weak security practices.

Is MitM Still Used? Yes, Man-in-the-Middle attacks are still used today and remain a serious threat. Their methods, however, have evolved with the advance in technology

• Public Wi-Fi Networks: Attackers exploit insecure hotspots to intercept traffic.
• IoT Devices: Poorly secured devices provide new opportunities for interception.
• Advanced Techniques: Attacks like SSL/TLS downgrades and HTTPS spoofing target encrypted connections.

Mitigation Today:

• Strict SSL/TLS protocols and certificate validation.
• Secure DNS implementations like DNSSEC and DNS over HTTPS.
• Use of Virtual Private Networks (VPNs) for secure communication on public networks.

For the following exercises, we will use Docker containers to simulate a local network vulnerable to ARP spoofing attacks.

STEP 1: Set up the environment

• Ensure the host system forwards packets between devices. This is crucial for traffic to flow through the attacker container.

sudo sysctl -w net.ipv4.ip_forward=1

• Open a “Victim” terminal (inside your VM):

docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04

• Open an “Attacker” terminal with IP forwarding enabled:

docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04

• Open a third terminal for an additional attacker session:

docker exec -ti attacker /bin/bash

STEP 2: Configure the victim container

• Inside the “Victim” terminal

apt update && apt install -y iproute2 iputils-ping netcat-openbsd

• Find the IP address of the victim container

ip a sh

STEP 3: Launch the ARP spoofing attack

• Inside the “Attacker” terminal

apt update && apt install -y dsniff tcpdump iproute2 iputils-ping

• Start ARP poisoning

arpspoof -i <INTERFACE> -t <VICTIM_IP> <GATEWAY_IP> -r

STEP 4: Verify the Setup

• Open a second session on the attacker container

 tcpdump -i <INTERFACE> -nvvX

 ip nei sh

STEP 1: Monitor DNS traffic from the victim

• In the attacker terminal

tcpdump udp port 53 -nvvX

STEP 2: Simulate victim activity

• In the victim terminal, check the ARP table

 ip nei sh

• Ping a website to generate traffic

 ping my.secretwebsite.com 

• Unfortunately, IP forwarding inside containers doesn't work in this simulation, but the tcpdump on the attacker should still show intercepted ARP or DNS traffic.

• Why Mitigation is Necessary: ARP spoofing is a common attack on local networks, especially public Wi-Fi. Implementing defenses can prevent unauthorized access and secure sensitive data.

• Mitigation Techniques:
  1. Use static ARP tables to bind specific IP-MAC pairs.
  2. Enable dynamic ARP inspection (DAI) if supported by your network hardware.
  3. Use encryption protocols (e.g., HTTPS, VPNs) to secure communications even in the presence of MitM attacks.
  4. Deploy intrusion detection systems (IDS) to monitor for unusual ARP activity.

Please take a minute to fill in the feedback form for this lab.