This shows you the differences between two versions of the page.
isc:labs:10 [2023/03/29 10:41] mihai.chiroiu created |
isc:labs:10 [2024/12/11 10:20] (current) radu.mantu [[20p] 0. Setup & EasyRSA certificate generation] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Lab 10 - Forensics ====== | + | ====== Lab 10 - Tunnels. Remote Network Security ====== |
- | ===== Overview ===== | + | ===== Objectives ===== |
- | Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. | + | Today, we're going to learn how to configure two of the most widely used |
+ | open-source VPN solutions: OpenVPN and WireGuard! | ||
- | <hidden> | + | * Set up OpenVPN and WireGuard servers on a Linux machine; |
- | ===== [BONUS] Completare formular de feedback ===== | + | * Configure clients to connect to each VPN; |
+ | * Customize routing through the VPN. | ||
- | Vă invităm de asemenea să evaluați, dacă este posibil, activitatea echipei de ISC și să precizați punctele tari, punctele slabe și sugestiile voastre de îmbunătățire a materiei. Feedback-ul vostru este foarte important pentru noi să creștem calitatea materiei în anii următori și să îmbunătățim materiile pe care le veți face în continuare. | + | ===== Tasks ===== |
- | [[https://curs.upb.ro/mod/feedbackadm/view.php?id=26590|Găsiți formularul de feedback aici]]. | + | As we will need at least two Linux systems (one for the VPN server, another for the client -- for OpenVPN, at least), you will need to work in pairs! |
- | Vă mulțumim! | + | ==== [20p] 0. Setup & EasyRSA certificate generation ==== |
- | -------- | + | 1. Install the ''openvpn'' and ''wireguard-tools'' packages from the APT repository. |
- | \\ | + | |
- | </hidden> | + | |
- | ===== Exercises ===== | + | |
- | You are a private investigator and you have 2h to solve 9 crimes. At the end of every crime you will find a flag that looks like **ISC{...}**. \\ | + | 2. We'll use EasyRSA to generate a PKI with CA & leaf certificates for server + clients: |
- | Are you up to the task? \\ \\ | + | |
- | {{:isc:labs:ISC-lab09.zip|Here}} is your data.\\ \\ | + | |
- | All exercises can be solved on the local Linux machine. | + | |
- | ==== 00. Capture 1 ==== | + | <code bash> |
+ | git clone https://github.com/OpenVPN/easy-rsa.git | ||
+ | cd easy-rsa/easyrsa3 | ||
+ | cp vars.example vars | ||
+ | vim vars # or nano, uncomment & edit COUNTRY, CITY, ORG etc. | ||
+ | ./easyrsa init-pki | ||
+ | ./easyrsa build-ca # and enter a min. 4 char password + remember it! | ||
+ | # verify CA details: | ||
+ | ./easyrsa show-ca | ||
+ | </code> | ||
- | This is traffic capture of a suspect that we've been following for a long time. Can you find anything interesting like login credentials? | + | <note important> |
- | <spoiler Hint1> | + | Generally, the CA needs to be created by the VPN server provider, while the certificate requests must be done by each client, then transfer it to the server to be signed. |
- | Use wireshark to analyse the pcap. | + | But for simplity, we'll do them all on the same machine. |
- | </spoiler> | + | </note> |
- | <spoiler Hint2> | + | |
- | Check the ports at statistics/conversations/tcp. | + | |
- | </spoiler> | + | |
- | \\ | + | |
- | ==== 01. Unknown File Type ==== | + | |
- | We've found this file on a confiscated machine, but we can't figure what it is. Can you help us? | + | 3. Now use the [[https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md|official instructions here]] to request & sign both a "Server" and a "Client" certificate (use whatever Common Names you want, but make them at least descriptive). Note: you must supply a password, though you can disable this by editing the ''vars'' file and uncommenting the ''EASYRSA_NO_PASS 1'' line ;) . |
- | <spoiler Hint1> | + | |
- | Today is not your lucky day. No hints for you. | + | |
- | </spoiler> | + | |
- | \\ | + | |
- | ==== 02. Hidden Flag ==== | + | |
- | There is something uncanny about this image. Is it trying to give us a hint? | + | Make sure to set the proper ''client'' or ''server'' certificate type for ''sign-req'''s argument! |
- | \\ | + | |
- | ==== 03. Corrupted File ==== | + | |
- | During a transmission, one of our files got corrupted. Take a look and see if you can do something about it. | + | Also note the generated certificates path! |
- | <spoiler Hint1> | + | You must transfer the CA + Client certificate + private key to the client machine (VM) -- you can do it now, or a bit later when told! |
- | Maybe there is something wrong with the header. | + | |
- | </spoiler> | + | |
- | \\ | + | |
- | ==== 04. Audio Visualization ==== | + | |
- | We have intercepted an alien transmission, but there is no way to understand what is it saying. Maybe we should look at it. | + | <solution -hidden> |
- | <spoiler Hint1> | + | <code bash> |
- | Can you SEE it? | + | ./easyrsa gen-req Server |
- | Check Audacity. | + | ./easyrsa sign-req server Server |
- | </spoiler> | + | ./easyrsa gen-req Client |
- | \\ | + | ./easyrsa sign-req client Client |
- | ==== 05. Hidden File ==== | + | </code> |
+ | </solution> | ||
- | There is something wrong with the size of this image. Is there anything else there? | + | ==== [40p] 1. OpenVPN Configuration ==== |
- | <spoiler Hint1> | + | |
- | Use Binwalk. "-e" option is buggy sometimes. | + | |
- | </spoiler> | + | |
- | \\ | + | |
- | ==== 06. Censored ==== | + | |
- | We've found a letter in the trash can of a suspect, but some of the info is censored. Do some magic and find what is underneath the black box. | + | We will use EasyRSA to generate a CA: |
- | <spoiler Hint1> | + | |
- | Use Google. | + | |
- | </spoiler> | + | |
- | \\ | + | |
- | ==== 07. Waiting for eternity ==== | + | |
- | We stared at this gif for the last hour but nothing is happening. Would you like to join us and stare at it for the next hour? | + | Now choose your role (and help your colleague!): |
- | \\ | + | |
- | ==== 08. Capture 2 ==== | + | |
- | This is an USB capture of a device connected to a suspect's machine. Can you find what he's been typing? | + | === A. OpenVPN Server === |
- | <spoiler Hint1> | + | |
- | [[https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf|USB Documentation]] | + | |
- | </spoiler> | + | |
- | \\ | + | |
- | ===== Resources ===== | + | |
- | * Hex Editor | + | |
- | * Wireshark | + | |
- | * Binwalk | + | |
- | * Audacity | + | |
- | * Image extractor | + | |
- | * USB documentation | + | |
+ | **Note:** Must do all these steps logged in as ''root''! | ||
- | <hidden> | + | 1. First, copy the server private key + certificate and the CA certificate to the OpenVPN's server configuration directory: |
+ | <code> | ||
+ | root in /etc/openvpn/server … | ||
+ | ➜ ls -l | ||
+ | total 16K | ||
+ | -rw------- 1 root root 1.2K 2024-12-08 19:56 ca.crt | ||
+ | -rw------- 1 root root 4.5K 2024-12-08 19:56 Server.crt | ||
+ | -rw------- 1 root root 1.7K 2024-12-08 19:56 Server.key | ||
+ | </code> | ||
- | ====== STUFF FROM SUMMER 2016 ====== | + | 2. Copy the OpenVPN example ''server.conf'': |
+ | <code bash> | ||
+ | cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/server.conf | ||
+ | </code> | ||
+ | Open the config with your favorite editor, then: | ||
+ | * ensure that the ''ca'', ''cert'' and ''key'' point to the ones copied from EasyRSA (note: Linux is CaSe SeNsItiVe!); | ||
+ | * read the comments and generate ''ta.key''; | ||
+ | * read the comments and generate the Diffie-Hellman parameters file (''dh2048.pem''); | ||
+ | 3. Start/restart the service: <code bash> | ||
+ | systemctl restart openvpn-server@server.service | ||
+ | </code> | ||
- | TODO!!!! | + | If it didn't complain, the congratulations! You're done with the server! |
- | SCHIMBAT IP MASINA VIRTUALA SI MODIFICAT IN DOCUMENT | + | |
- | Sa caute ultimul fisier modificat din filesystem | + | Use ''journalctl -u openvpn-server@server -n 100 -f'' to display the log flow of the OpenVPN server (also check it in case of any service startup error). |
- | locatie in QR | + | |
- | + | ||
- | Adaugat ceva de mobile?? | + | |
- | | + | |
- | + | === B. OpenVPN Client === | |
- | ===== Resources ===== | + | |
- | + | ||
- | *[[http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf|Volatility Cheatsheet]] | + | |
+ | 1. Transfer the Server CA (''ca.crt''), ''Client.key'' and ''Client.crt'' from the Server (check easyrsa's ''pki/'' directory). | ||
- | ===== Overview ===== | + | <note tip> |
- | + | Note: SSH is unusable without public key, so you'll need to do this using another service (e.g., paste bin, Teams / Discord / Messenger, netcat client/server text messaging etc.). | |
- | *You are a forensic detective hired to investigate the recent attack on our database server. Fortunately, the security team detected the intrusion in time and the hacker had to run quickly, leaving his laptop in the server room. Using a cold boot attack, we managed to obtain a dump of his ram. Your job is to gather as much intel as you can. | + | |
- | + | ||
- | + | ||
- | <note> | + | |
- | Volatility usage: | + | |
- | + | ||
- | volatility-2.5.standalone.exe -f <dump> imageinfo; Look at the suggested profile | + | |
- | + | ||
- | volatility-2.5.standalone.exe -f <dump> --profile=<profile> kdbgscan; Look at the Offset (V) | + | |
- | + | ||
- | volatility-2.5.standalone.exe -f <dump> --profile=<profile> --kdbg=<offset> COMMAND | + | |
</note> | </note> | ||
- | | ||
- | <note tip>You should look for processes, commands, files, history, connections and network traffic.</note> | + | 2. Copy the example client configuration from ''/usr/share/doc/openvpn/examples/sample-config-files/client.conf'' somewhere you want (e.g., in your home, or inside ''/etc/openvpn/client'', it doesn't really matter). |
+ | 3. Edit the config and enter the server's external IP address (the VLAN9 network IP address if on OpenStack) specified using the ''remote'' variable, then also check (and modify) the ''ca'', ''cert'' and ''key'' variables to point to where you have these files (which you've transfered earlier, RIGHT?). | ||
+ | 4. Try to run your client using ''openvpn <path-to-client.conf>''. Inspect the error... Something about ''ta.key'' -- yep, that's right, bring it from the server :( | ||
- | ==== Solution: ==== | + | 5. Finally, connect to the VPN and (from another terminal, unless you spawned OpenVPN in daemon mode), ping it: <code> |
+ | ping 10.8.0.1 | ||
+ | </code> | ||
- | volatility-2.5.standalone.exe -f memory.dmp imageinfo | + | ==== [40p] 2. WireGuard ==== |
- | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 kdbgscan | + | Wireguard is one of the latest open-source VPN technology, increasingly popular for its low complexity, straight-forward , security and performance due to its use of some modern cryptographic primitives (ChaCha20+Poly1305 for symmetric encryption, Curve25519 for ECDH, BLAKE2s for hashing). |
- | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 pslist > ps.txt | + | Authentication is done by simply exchanging public keys. Let's go! |
- | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 cmdline | + | 1. Both pairs should generate a private and public key pair and share the public counterpart. This is best done using the ''wg'' CLI utility: <code bash> |
+ | wg genkey | tee wg-priv.key | wg pubkey | tee wg-pub.key | ||
+ | # Q: what does `tee` do? (`man` it!) | ||
+ | </code> | ||
- | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 consoles | + | Only the public key is displayed on console (both are stored as files for backup!). Share it with your colleague! |
- | volatility-2.5.standalone.exe -f memory.dmp --profile=Win7SP1x86 --kdbg=0x82b73c78 dumpfiles -D file > dump.txt | + | 2. Time to create our configuration file. Create a ''.conf'' file inside ''/etc/wireguard/'' (your choice of naming, though ''wg-isc'' sounds quite okay). |
- | file: file.3640.0x86a44318 | + | Use the following code template and fill the variables (also remove/replace the ''<..>'' placeholders!): <code> |
+ | [Interface] | ||
+ | PrivateKey = <paste-your-private-key> | ||
+ | ListenPort = 55820 | ||
- | find: "search" | + | [Peer] |
+ | PublicKey = <paste-your-colleagues's-pub-key> | ||
+ | Endpoint = <colleague-VM-IP>:55820 | ||
+ | AllowedIPs = <your-tunnel-subnet>/<mask> | ||
+ | </code> | ||
- | http://www.bing.com/search?q=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1KAHXjGIT_8EX0gA5NGZSZ0A-PzcVbzIxm1NKtQClvME%2Fedit%3Fusp%3Dsharing&qs=n&form=QBLH&pq=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1kahxjgit_8ex0ga5ngzsz0a-pzcvbzixm1nktqclvme%2Fedit%3Fusp%3Dsharing&sc=0-96&sp=-1&sk=&cvid=32A3046F740B479DA10E524ABD27DB70 | + | Use a private space as the tunnel subnet address, e.g., ''10.12.34.252/30''. |
- | https://docs.google.com/document/d/1KAHXjGIT_8EX0gA5NGZSZ0A-PzcVbzIxm1NKtQClvME/edit | + | 3. We'll create the wireguard interfaces the ''iproute2'' way (i.e., using the ''ip'' Linux utility): <code> |
+ | ip link add wg-isc type wireguard | ||
+ | wg setconf wg-isc /etc/wireguard/wg-isc.conf # or whatever you named your config | ||
+ | ip address add <your-address>/<mask> dev wg-isc | ||
+ | </code> | ||
- | user besthacker | + | 4. Connectivity test! <code> |
- | + | ping <colleague-private-tunnel-ip> | |
- | WW91ciBwYXNzd2QgaXM6IENGVFVJQkRMRlM= BASE64decode | + | sudo wg # show wireguard statistics |
- | + | </code> | |
- | Your passwd is: CFTUIBDLFS | + | |
- | + | ||
- | ssh besthacker@..... | + | |
- | + | ||
- | </hidden> | + | |
- | + | ||
- | ==== 11. [10p] Feedback ==== | + | |
- | + | ||
- | Please take a minute to fill in the [[https://forms.gle/5Lu1mFa63zptk2ox9|feedback form]] for this lab. | + | |
+ | <note tip> | ||
+ | **Note:** there are even simpler ways of configuring Wireguard, like [[https://www.man7.org/linux/man-pages/man8/wg-quick.8.html|wg-quick]] (automates interface creation & IP address/routes configuration using a similar .conf file) and [[https://github.com/wg-easy/wg-easy|wg-easy]] (Web GUI for Wireguard) -- but we wanted to demonstrate its purest form (: | ||
+ | </note> | ||
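Review bot: in step 3 of the ''[40p] 2. WireGuard'' section the interface is never brought up: the sequence ''ip link add wg-isc type wireguard'' / ''wg setconf wg-isc ...'' / ''ip address add <your-address>/<mask> dev wg-isc'' leaves the link in the down state, so the ''ping <colleague-private-tunnel-ip>'' in step 4 cannot succeed until an ''ip link set up dev wg-isc'' is added after the address assignment. Two smaller points in the same hunk: step 1 of ''B. OpenVPN Client'' (and the ''ta.key'' remark in step 4) tells students to move ''Client.key'' to the client VM via paste bins or chat services, which contradicts the ''<note important>'' in step 2 of the setup section saying the request should be generated on the client so its private key never leaves it; either make that the recommended path or at least tell students to delete the pasted key afterwards. Also a few typos: "simplity" → "simplicity", "the congratulations" → "congratulations", "transfered" → "transferred", "Both pairs should generate" → "Both peers should generate", "colleagues's" → "colleague's", and "straight-forward ," has a stray space before the comma.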