You should submit the following TWO files:
For each question, include the following (where applicable or otherwise unspecified):
Note that, depending on the question, some of the above requirements will not apply. Also, #1 and #2 from above can often be combined into a single screencap. Some questions explicitly state what to submit; this is to ensure you submit the specific information we're looking for, and the other requirements from the list above are still expected.
These requirements may seem tedious and unnecessary; however, they are useful for markers to see that you completed each question, explained that you understood the question, and provided proof that the task was successfully completed.
When in doubt, explain as much as you can. I need to see that you understand the answer and the process you used to get the answer. Not including an explanation or providing too little explanation may result in lost marks.
Any code or scripts included in the tar archive is for the TA to test, and should therefore be submitted in a format that is easy to run/compile, e.g., with an appropriate directory structure (if needed), required Makefiles, etc.
Code that you include in your report is for the TA to read, and may therefore be formatted to best explain what you did, e.g., by sectioning the code, highlighting lines of interest and including additional comments, etc.
SUBMITTING CODE WITHOUT EXPLANATION WILL RESULT IN SEVERE PENALTY!
netcat and tcpdump.
iptables. When wielded by the right user, the iptables framework allows sophisticated firewall rules to be crafted. We will be just scratching the surface of what iptables allows in the second part of the assignment.
(see man iptables for how), then add each rule in the correct order from the script. This approach has many benefits:
nmap, interacting with the services using netcat, and observing traffic to/from your VM and the services using tcpdump. The second portion of the assignment will have you build a firewall using iptables to shield the dummy services.
While writing your firewall rules in Part B, you may inadvertently firewall yourself off from your VM, breaking your SSH connectivity. Thankfully, in the event that you block yourself from accessing your VM, or otherwise get the firewall into an unknown state, you may access your VM console from the OpenStack web interface and clear the offending firewall rule.
Also note that iptables rules are cleared on each reboot. Normally a system administrator would ensure the firewall is recreated on each machine boot, but we have skipped this step to facilitate testing.
nmap, perform a TCP SYN scan on your localhost to find all of the open TCP ports. Ensure that you exhaustively check all ports and not just the most popular services. Submit both the nmap command you ran as well as the output produced.
The nmap command is incredibly versatile, offering a plethora of configuration options. Most of these settings have a default that is optimized for the more common scan scenarios. Be sure to read the nmap man page to learn what some of these defaults are.
input.txt containing a sentence of English. Using the netcat command, send input.txt over the network to each of the open ports you found in Q1. For full marks, write a bash function or script that processes the output of nmap and uses netcat to transmit input.txt to each of the open ports automatically. Submit your input.txt file, any commands you enter, any scripts you write, and a copy of the output generated.
head, tail, cut, sed, awk, and so on) to process the nmap output.
tcpdump command, create an expression to match TCP packets that meet the following criteria:
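For the nmap-to-netcat task in Q2, the script below is an added example, not a solution distributed with the course. It extracts the open TCP ports from nmap's normal (human-readable) output with awk and hands each one to netcat. The nmap output embedded in it is a constructed sample (the port numbers are made up), the target host 127.0.0.1 and the -w 2 netcat timeout are my assumptions, and the script only prints the netcat commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not course-supplied code): find open TCP ports in nmap's
# normal output and send a file to each of them with netcat.
set -u

# Constructed sample of nmap normal output for an exhaustive scan of
# localhost; the ports and services are made up for this example.
SAMPLE_NMAP_OUTPUT='Starting Nmap ( https://nmap.org ) at 2020-01-01 12:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000050s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
8080/tcp  filtered http-proxy
31337/tcp open     Elite

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds'

# Read nmap normal output on stdin and print one open TCP port number per
# line. Only "<port>/tcp  open  <service>" lines count; the PORT header line
# and filtered/closed ports are skipped.
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, f, "/"); print f[1] }'
}

# Send $2 to every open port found in the nmap output file $1, one short
# netcat connection per port. Host defaults to 127.0.0.1 (assumption).
# With DRY_RUN=1 (the default) the commands are printed instead of run.
send_to_open_ports() {
    nmap_file="$1"; input_file="$2"; host="${3:-127.0.0.1}"
    open_tcp_ports < "$nmap_file" | while IFS= read -r port; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "nc -w 2 $host $port < $input_file"
        else
            echo "=== port $port ==="
            # -w 2: give up after 2 seconds of inactivity so a silent
            # service cannot stall the loop.
            nc -w 2 "$host" "$port" < "$input_file"
        fi
    done
}

# Open ports from the constructed sample as a space-separated string
# (convenient for checking the parser without a real scan).
sample_open_ports() {
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_tcp_ports | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: parse the sample and show what would be sent where.
# Replace the sample with "nmap -p- ... > scan.txt" output for the real task.
tmp="$(mktemp)"
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" > "$tmp"
send_to_open_ports "$tmp" input.txt
rm -f "$tmp"
```

Parsing the normal output works for the assignment, but note that nmap also offers machine-readable formats (see the nmap man page); whichever you parse, filter on the state column so that filtered ports are not contacted.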
netcat and transmitting your input file. Submit both your tcpdump command expression as well as the output generated by tcpdump when you connect with netcat.
tcpdump command that you created for the previous question such that it prints the link-layer headers and data of the packet in hex format, and outputs to a file. Submit both the tcpdump expression as well as an output file created when you test the expression.
nmap TCP FIN scan as well as a TCP ACK scan on localhost. Capture both incoming and outgoing packets from both scans to a file using tcpdump. Using excerpts from the capture file, explain the difference between the TCP FIN and TCP ACK scans. Submit the commands you used to run the scans, the command you used to capture the packets, and your explanation of what information these scans capture (i.e., when/why would you use them) and how they glean this information.
nmap TCP connect() and a TCP SYN scan on localhost. Capture both incoming and outgoing packets from both scans to a file using tcpdump. Using excerpts from the capture file, explain the difference between the TCP connect() and TCP SYN scans. Submit the commands you used to run the scans, the command you used to capture the packets, and your explanation of what information these scans capture (i.e., when/why would you use them) and how they glean this information.
nmap discovery scan on all hosts on the 192.168.18.0/23 network. Make sure you only perform a discovery scan and not a port scan. When scanning a large block of hosts, it often makes sense to find which hosts are online using a discovery scan and then follow up later with a port scan.
nmap OS Detection feature to attempt identification of the OS that it is running. Submit the command that you ran and the output generated (use the verbose flag). Do the results confirm your hypothesis from (b)? Explain why or why not, along with any potential reasons.
Use sudo for the discovery scan and OS detection function. Without it, you'll get an incomplete list of hosts.
tcpdump is a useful tool for implementing which security principle mentioned in Chapter 7 of the course textbook? Give the principle name, number, and a brief description of how it is relevant to tcpdump.
INPUT, OUTPUT, and FORWARD chains of iptables from your VM before you have added any rules. Submit the command you ran as well as the output.
INPUT chain that drops all packets with an invalid state.
INPUT chain to allow packets with states ESTABLISHED or RELATED to be accepted.
INPUT chain that allows TCP packets with the SYN flag set, destined for port 22, in the NEW state to be accepted.
INPUT chain that accepts ICMP packets with type echo-request.
INPUT chain that rejects all packets that do not meet any of the above rules.
iptables commands at once. The advanced features of bash can be introduced as required. Using bash allows for anything from keeping commonly referenced IP addresses or ports in a variable to accepting command line arguments, resolving hostnames, or looking up system information as required.
tcpdump. Submit the list of active firewall rules (including their counter values) as generated by iptables-save, as well as the results of your nmap scan.
INPUT chain to drop all packets that do not meet any other rule. Again, run your nmap scan from Part A, Q1. Capture both incoming and outgoing packets from the scan to a file using tcpdump. Compare the output of this packet capture with the one performed in the previous question. Using excerpts from the packet captures, describe the difference between the drop and reject behaviour.
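The following script is an added example of the bash approach recommended above for the INPUT chain rules of Part B, covering both the reject variant and the drop variant asked for in the question just above; it is not a solution distributed with the course. It flushes the INPUT chain and then adds the rules in the order listed, which matters because iptables evaluates a chain top to bottom. Assumptions of mine: SSH is on port 22 (as the question states), the conntrack match module is used for connection state, and the chain's default policy is left alone since the final rule handles everything unmatched. Run as-is it only prints the rules; set FW_APPLY=1 to actually apply them with sudo.

```shell
#!/bin/sh
# Added example (not course-supplied code): build the Part B INPUT chain
# from a script so it can be re-created in a known state at any time.
set -u

SSH_PORT=22                               # assumption: SSH on the default port
FINAL_ACTION="${FINAL_ACTION:-REJECT}"    # REJECT (reject question) or DROP (drop question)

# Emit the iptables arguments for the INPUT chain, one rule per line, in the
# order they must be added. The flush comes first so re-running the script
# never appends duplicate rules.
input_chain_rules() {
    cat <<EOF
-F INPUT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j ${FINAL_ACTION}
EOF
}

# Number of rules that will be appended (excludes the flush line).
count_rules() {
    input_chain_rules | grep -c '^-A INPUT'
}

# Run every rule line as one iptables invocation. Any arguments given to this
# function are prefixed to the command (e.g. "sudo").
apply_rules() {
    input_chain_rules | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        "$@" iptables $rule
    done
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    apply_rules sudo
    # Show the resulting rules with their packet/byte counters, which is the
    # form asked for when testing the firewall.
    sudo iptables-save -c
else
    echo "Dry run (set FW_APPLY=1 to apply). INPUT chain rules, in order:"
    input_chain_rules
fi
```

The ESTABLISHED,RELATED rule sits above the SSH rule on purpose: once a connection is accepted, its later packets match there and never reach the final REJECT or DROP, so the last rule only ever sees traffic that no earlier rule claimed. Switching FINAL_ACTION=DROP and re-running is all that changes between the two packet captures you are asked to compare.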
NEW state.
mail.ccsl.carleton.ca on port 587 from your assigned VM. Submit the new firewall rule as well as the output from your testing.
The telnet command is another quick way to test a network service. Feel free to use netcat instead of telnet.