COMP4108 — Fall 2012

Computer Systems Security

Due 11:59PM on Tues OCT 30th

Due 11:59PM on Mon OCT 29th

Assignment out of 40 marks total

Please e-mail submissions (PDF) to:
dmccarney (àŧ) ccsl.carleton.ca Subject: COMP4108 A3


Submission Requirements (Individual, not team)

Please e-mail the TA a message with the subject line: COMP4108 A3 and a zip file containing the following attached:
  1. A PDF of your assignment report, including a cover page with your name and the assignment details on the front.
  2. Any code you wrote.
  3. Any scripts you wrote.
  4. Any separate output files referenced by the PDF report
This assignment is to be completed individually on your own VM. Every student must submit a unique assignment. Please adhere to the University policies on academic integrity.

Hint:
Instructions on how to copy files to and from your local machine and your VM have recently been added to the bottom of the VM page. You may find this useful for submitting code/scripts/log files

Introduction

When SSHing into your VM for this assignment you will be warned that the host key for your VM has changed. This is because since the last time you've connected your VM has been replaced with a new one at the same port/ip. You are safe to remove the old hostkey and trust the new one. For Linux/OSX users, edit ~/.ssh/known_hosts. On Windows with Putty I believe you just have to accept the new key when prompted.
Following up from the previous assignment you have gained root access on the VM your account was assigned to. Your rootkit is in place and you're reasonably confident that you can keep yourself hidden. What now? Time to build an empire.

Port Scanning

Conquest requires exploration, and for our purposes we're going to focus on port scanning. Port scanning allows an administrator (or an adversary) to probe a machine on the network in order to locate services the machine offers. Far from just determining if a port is open or closed the network reconnaissance tool we are going to use (nmap) is capable of numerous scan types, OS and service fingerprinting, and supports advanced scripting. The nmap project is so well known it has even had cameo appearance in several movies (including the Matrix). Whole books have been written on nmap, we are going to cover only a small subset of the core features.


Trinity, the Matrix, and Nmap
Lest you get misidentified as a script kiddie it's important you learn not only how to use nmap, but what the various scans are doing. A great way to do that is by diving into a system administrator's two best friends: netcat and tcpdump.

Netcat acts as a networking swiss army knife, allowing you to quickly erect and destroy TCP and UDP servers/clients. In keeping with the tenets of the UNIX philosophy netcat is a simple tool that acts as a filter, allowing you to pipe commands and files to/from network sockets. The TCP Dump command allows you to record traffic from network adapters in a raw form suitable for process by other tools. TCP Dump is invaluable for sniffing traffic and debugging network applications. You might find reading a quick primer on tcpdump helpful if you have not used it before.

Firewalls

Since you're getting so comfortable on your freshly rooted VM it might be time to fortify the defenses. You never know when someone with better exploits will stumble onto your hide-away.

A classic way a system administrator will lock down a machine, or network is by utilizing a firewall. The Linux Kernel supports a Firewall through the use of iptables. When wielded by the right user the iptables framework allows for sophisticated firewall rules to be crafted. We will be just scratching the surface of what iptables allows in the second part of the assignment.

The iptables man page and the Ubuntu IP Tables How To have enough information to get you started. It might also be helpful to read some example rules, and their explanations. An important thing to remember when learning iptables is that there are no confirmation messages, or logic to prevent you from doing something silly unintentionally. Without great care you can easily block all network access to the machine. This can be especially problematic when you are remotely administering the machine OVER the network you just blocked. Your friend from Assignment #2, the reboot request tool, will help you in the event this happens to you.

It is also worth stressing that the order that rules appear in the tables is very important! A best practice is to define your firewall in a bash script. At the beginning of the bash script you can drop all existing rules (see man iptables for how), then add each rule in the correct order from the script. This approach has many benefits:
  • Applying all of the rules with one command
  • Applying them in a fixed order to a known (i.e. empty) state
  • Allowing ample time to triple check you wrote the rules correctly before running them
Please do not use UFW, or any other layer on top of iptables to complete your assignment. While sometimes easier to use, these solutions are not as portable. Vanilla iptables are available on everything from a tiny Raspberry PI device to 64 CPU super computing clusters, regardless of Linux distro.

Dummy Services

On your VM a set of 18 dummy network services has been installed. These services listen on randomly chosen ports between 10000 and 20000. The port numbers differ from one student VM to the next, but remain constant between VM reboots. Each dummy service merely listens for one line of text over a TCP connection and replies with a translation of the input line.

For the first portion of the assignment you will be scanning your own VM to find these services using nmap, interacting with the services using netcat and observing traffic to/from your VM and the services using tcpdump The second portion of the assignment will have you building a firewall using iptables to shield the dummy services.

Reboot Request Tool

While writing your Firewall rules in Part B you may inadvertently firewall yourself off from your VM, breaking SSH connectivity and ruining your day. Luckily iptables rules are cleared on each reboot. Normally a system administrator would ensure the firewall is recreated on each machine boot, but we have skipped this step to facilitate testing.

In the event you block yourself from accessing your VM, or otherwise get the firewall into an unknown state, you may reboot your own VM and clear the firewall. The reboot request tool will ask for your VM username/password and reboot the node that you are assigned. It will not ask for confirmation after you enter your username and password! Give the VM a minute or two to boot up, if you are still unable to access your VM after this period contact the TA.

Part A - Nmap & TCP dump - 20 marks

  1. 2 Marks - Using nmap, perform a TCP SYN scan on your localhost to find all of the open TCP ports. Ensure that you exhaustively check all ports and not the just most popular services. Submit both the nmap command you ran as well as the output produced.

    Hint:
    The nmap command is incredibly versatile, offering a plethora of configuration options. Most of these settings have a default that is optimized for the more common scan scenarios. Be sure to read the nmap man page to learn what some of these defaults are.
  2. 4 Marks - Create a single line text file called input.txt containing a sentence of English. Using the netcat command send input.txt over the network to each of the open ports you found in Q1. For full marks, write a bash function or script that processes the output of nmap and uses netcat to transmit input.txt to each of the open ports automatically. Submit your input.txt file, any commands you enter, any scripts you write, and a copy of the output generated.

    Hint:
    A quick and dirty approach would be to use the many text manipulation tools available in a bash environment (head, tail, cut, sed, awk and so on) to process the nmap output.

    A better option is to use Nmap's XML output mode and the same text processing tools, or a scripting language such as Python.
  3. 2 Marks - Using the tcpdump command, create an expression to match TCP packets that meet the following criteria:
    1. Are received on the loopback or eth0 interface.

      Edit: Discard this requirement, instead listen on all interfaces with -i any.
    2. Have a destination port equal to one of the services from Question 1. Choose one of the services you were able to find/interact with.
    Verify that your tcpdump command works by connecting to the port you specified using netcat and transmitting your input file. Submit both your tcpdump command expression as well as the output generated by tcpdump when you connect with netcat.
  4. 2 Marks - Modify the tcpdump command that you created for the previous question such that it prints the headers and data of the packet in hex format, and outputs to a file. Submit both the tcpdump expression as well as an output file created when you test the expression.
  5. 4 Marks - Run both a nmap TCP FIN scan as well as a TCP ACK scan on localhost. Capture the packets from both scans to a file using tcpdump. Using exerpts from the capture file, explain the difference between the TCP FIN and TCP ACK scans. Submit the commands you used to run the scans, the command you used to capture the packets, and your explanation.
  6. 4 Marks - Run both a nmap TCP connect() and a TCP SYN scan on localhost. Capture both scans to a file using tcpdump. Using exerpts from the capture file, explain the difference between the TCP connect() and TCP SYN scans. Submit the commands you used to run the scans, the command you used to capture the packets, and your explanation.
  7. 2 Marks - Run a nmap discovery scan on all hosts on the 192.168.122.* network. Make sure you only perform a discovery scan and not a port scan. When scanning a large block of hosts it often makes sense to find which hosts are online using a discovery scan and then following up later with a port scan. Submit both the nmap command you ran as well as the output generated.

Part B - IP Tables Firewall - 20 Marks

  1. 1 mark - List the active rules in the INPUT, OUTPUT, and FORWARD chains of iptables from your VM before you have added any rules. Submit the command you ran as well as the output.
  2. 8 Marks - Write a firewall script that when run, does the following:
    1. Zeroes the iptables counters
    2. Adds a rule for the INPUT chain that drops all packets with an invalid state.
    3. Adds a rule for the INPUT chain to allow packets with states ESTABLISHED or RELATED to be accepted.
    4. Adds a rule that allows TCP packets with the syn flag set, destined for port 22, in the NEW state to be accepted.
    5. Adds a rule that accepts ICMP packets with type echo-request to be accepted.
    6. Adds a rule that drops all packets that do not meet any of the above rules.

    Submit the firewall script file in its entirety.

    Hint:
    Order matters! The order of the rules in your script should adhere to the ordering of the questions.

    Hint:
    The firewall script does not have to be a complex script. Most often an iptables script is just an easy way to run a handful of static iptables commands at once. The advanced features of bash can be introduced as required. Using bash allows for anything from keeping commonly referenced IP addresses or ports in a variable to accepting command line arguments, resolving hostnames, or looking up system information as required.
  3. 3 marks - Run your firewall script to apply the rules. Verify the rules are working by opening a new SSH connection into your machine and running your nmap scan from Part A, Q1. Also try connecting to some of the services you found in Part A, Q1 using netcat. Submit the list of active firewall rules (including their counter values) as generated by iptables-save, as well as the results of your nmap scan.

    Hint:
    Each iptable rule keeps a counter of the number of packets that it matched. This behavior can be very useful when debugging new firewall rules, or verifying their behaviour.
  4. 3 marks - Modify your firewall script to add a rule that accepts TCP packets that meet the following conditions:
    1. The syn flag is set
    2. The destination port is a service of your choice from Part A, Question 1.
    3. The connection is in the NEW state
    4. The connection source address is local to your VM
    Flush your iptables rules, apply the new script, and test that you can now connect to the service port from localhost. Submit the new filewall rule as well as the output from your testing.

  5. Edit: This question will be discarded. Formulating this in one iptables rule is more difficult than intended.
    3 marks - Modify your firewall script to add a rule that accepts TCP packets that meet the following conditions:
    1. The syn flag is set
    2. The destination port is a service of your choice from Part A, Question 1. Please use a different service than you used for the previous question.
    3. The connection is in the NEW state
    4. The connection data contains the string comp4108
    Flush your iptables rules, apply the new script, and test that you can now connect to the service port from localhost when your input contains the comp4108. Submit the new firewall rule as well as the output from your testing.
  6. 2 marks - Modify your firewall script to add a rule to drop outbound tcp connections to port 25. Flush your iptables rules, apply the modified script, and test that you can no longer telnet to shakespeare.ccsl.carleton.ca on port 25 from your assigned VM. Submit the new firewall rule as well as the output from your testing.

    Hint:
    The telnet command is another quick way to test a network service. Feel free to use netcat instead of telnet.