20-CS-5155-001 Cyber Defense Overview Fall 2017

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

CDX Event

You have just been hired as the network and security administrators at a small company and will be taking administrative control of their web server. You know very little about the network, what security level has been maintained, or what software has been installed. You have a limited time frame to familiarize yourself with the network and systems and to begin the security updates and patches before the red team starts actively attacking your company.

Be sure to check the "Hints" section below periodically during the CDX for announcements or answers to hard problems

Services You Must Provide:
Your team must keep the following services available on all three IP addresses that were given to you:

  • Apache+PHP
  • MySQL (for the purpose of supporting the existing WordPress site)
  • WordPress site must continue providing the content in the MONITOR THIS entry, at the same URL (http://<Your IP>/wordpress/?p=4), and must continue to function as a WordPress site
  • The daytime service must continue providing the time of day on the server
  • FTP must continue providing anonymous access to log in and download any files hosted there
  • Your tap0 IP address must respond to ICMP ECHO REQUESTs (ping) per RFC 1122

The following username and password will allow you to log in to any of your VMs initially. Since these are the same for all teams, you are advised to change the password immediately:
  • username: student / password: student

The administrator of both MySQL databases has the following credentials:

  • username: root / password: (empty)
Both MySQL databases are owned by the following:
  • username: student / password: student
CDX Activities:
  1. examine the supplied VM and improve the security posture with changes to configuration files.
  2. allow the VM to undergo attack by the red teams during the CDX.
  3. submit a final report that includes a listing of all changes made to improve the security posture (and why), a Kill Chain description of cyber attack(s) against your server during the CDX period, and other items as described below and as the team sees fit to include.

The CDX period begins at 11:59PM, December 7 and ends 11:59AM, December 10. The final report is due before noon, December 12. A sample final report is here.

Download: CDX-2016.ova - Size: approx 2.0GB - Use "Import Appliance" in VirtualBox to install

  • SHA1sum: 7e0cbac620fd35b6b1e194ee145913268f311a1b

Red Team Rules of Engagement:
  • It is not OK to attempt to break out of the CDX network. That is, red team members should stick to poking IP address
  • If a VM is compromised (that is, password is discovered and red team can enter the VM and become root) it is not OK to attempt to open a connection to UC's network from the compromised VM.
  • It is OK to attack after 11:59PM on December 7 and before 11:59AM on December 10 only.
  • The red teams provide for scoring based on service availability and the scoring is posted via the internet.
  • The red teams provide a log of attacks
  • The red teams will generate benign traffic in addition to making attacks.

Blue Team Rules of Engagement:

  • Recovery using a snapshot is disallowed as it violates the spirit of a CDX where we are trying to improve skills of recovery from attack.
  • It is OK to transfer files between the host OS and the VM but not between the VM and a UC node. This means it is not OK to transfer a file from the VM to the host then from the host to a UC node.
  • It is OK to create new accounts, change passwords, add or remove users and groups in the VM. All changes need to be documented (the change and the date and time) in the final report.
  • At most one IP address can be blocked at a time by your firewall. But be careful not to make services unavailable when you do this. Please document such changes in the final report (include date and time).
  • You must defend only through proactive configuration and defensive blocking. In other words, you cannot attack anyone, whether it is a red team or a blue team member.
  • Points are deducted if the final report indicated an attack that was actually benign traffic.
  • It is OK to add or remove packages from the VM. For example, you may want to add some analysis tools and remove some potentially dangerous packages that are not needed.

Detailed Instructions, Hints, and Corrections:
Setup openvpn:
Your team leader received a blue-XX.tar file containing blue-XX.crt, blue-XX.key, ca.crt, and client.conf where XX are the two digits in your file names. Assuming you have an Ubuntu host, use command tar xf blue-XX.tar in some directory where you have write permission to unarchive those four files. Assuming you have openvpn, easy-rsa, and bridge-utils installed on your host, and you have directories /etc/openvpn, /etc/openvpn/easy-rsa, and /etc/openvpn/easy-rsa/keys, place client.conf in /etc/openvpn and the remaining files in /etc/openvpn/easy-rsa/keys. Open client.conf in a text editor. The lines you may want to change are the following:

    remote 1194   -> remote helios.ececs.uc.edu 1194
    cert /etc/openvpn/easy-rsa/keys/blue-XX.crt  -> change XX as above
    key /etc/openvpn/easy-rsa/keys/blue-XX.key   -> change XX as above
To connect to the CDX network, either start a socks proxy or connect to the UC network via VPN, then open a shell on your ubuntu host, cd to /etc/openvpn and execute this:
    sudo openvpn client.conf  
A successful connection results in transactions shown here.

Hint 1:
if the connection resets every 5 seconds you may have a second openvpn session running. This is possible because ubuntu installs openvpn to start automatically. To kill the other session do this:

    sudo killall openvpn    
then try again.

Socks Proxy:
Use the following command from a shell on your ubuntu host to establish a socks proxy to UC:

    ssh -N -f -T -D 8080 <your-username-on-ucfilespace>@ucfilespace.uc.edu
This assumes you have an active account on ucfilespace and you know your username and password on that machine. If you use a socks proxy (port 8080) you will have to put the following line into your client.conf file before starting openvpn:
    socks-proxy 8080    
preferably before the 'remote ...' line. In order to stay alive regardless of activity you will need to edit /etc/ssh/ssh_config before running the command above. The important lines to add are:
    ServerAliveInterval 30
    ServerAliveCountMax 5

After starting openvpn you should see a new internet interface called tap0 or tap1. If you execute ifconfig tap0 (alternatively, tap1) you will get this:

    tap0      Link encap:Ethernet  HWaddr 4a:5b:ac:d0:39:c6
              inet addr:  Bcast:  Mask:
              inet6 addr: fe80::485b:acff:fed0:39c6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:808 (808.0 B)  TX bytes:578 (578.0 B)    
where the 52 could be anything from 50 to 255. We have a VM connected at Connect to it like this:
    [franco@franco ~]$ ssh student@
    The authenticity of host ' (' can't be established.
    ECDSA key fingerprint is 0c:30:5a:4f:2a:72:55:ef:06:10:90:8d:05:18:61:7b.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '' (ECDSA) to the list of known hosts.
    no such identity: /home/franco/.ssh/id_ed25519: No such file or directory
    student@'s password:
    Last login: Mon Nov 30 13:00:35 2015 from
The password is 'student'. The authenticity message shows up only the first time you log in. Please note that the connectivity to this test machine is flaky because it is connected via wireless, so the above not working does not mean your setup is not working.

Setup the VM:
Make sure openvpn is running without errors as above. Assuming you downloaded CDX-2016.ova and you have installed the latest virtualbox and guest additions, start virtualbox, drop the 'File'menu and select 'Import Appliance'. The next step is critical: Click 'Expert Mode' to reveal a screen such as this:

Check the box labeled 'Reinitialize the MAC address of all network cards' as shown in the figure. If you do not do this all hell will break loose: if the MAC of your NIC ends in C75A, then it will conflict with everyone else who has not reinitialized it, so check it. The result of not reinitializing is incredibly slow communication. Next, click the tiny icon to the right of the textfield and select the downloaded ova file. Progress through the installation, clicking the obvious boxes (and not trying to customize), which takes several minutes to finish. Now find the new VM in a list on the left side of the starting screen of virtualbox, select it, and click on the green arrow at the top.

When the VM is up, you will see a 'Downloads' icon to the upper left, a column of icons in the left margin, and a row of small icons at the top of the screen. Click the margin icon that looks like a terminal to open a shell. Execute ifconfig. You will see something that looks like this:

    eth0      Link encap:Ethernet  HWaddr 08:00:27:47:c7:5a
              inet addr:  Bcast:  Mask:
              inet6 addr: fe80::a00:27ff:fe47:c75a/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3768 errors:0 dropped:0 overruns:0 frame:0
              TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:463732 (463.7 KB)  TX bytes:87036 (87.0 KB)  
where eth0 may be tap0 or tap1. Observe that the IP address is This must be changed. In the top row there is a network icon that is normally one up arrow next to a down arrow (indicating an established connection). Right click that icon and select 'Edit Connections'. Select 'Wired Connection 1' and click on 'Edit'. Click on the 'IPv4 Settings' tab. Under 'Address' you see the number ''. Change that number to one of the three numbers that were emailed to your team leader (they all have the form where you supply the XX digits). Click 'Save' and 'Close'. Right click the networking icon in the top row and select 'Wired Connection 1'. Wait a minute. Execute ifconfig to verify the change in IP address. You are ready to defend.

Beginning two days before the CDX we may ask you via blackboard to make some minor changes to the OS. If you do not make those changes the red team will think that one or more of your services is down. Those changes will also be written on this page below.

Hint 2:
If you are getting connection resets every 5 seconds after using

    sudo openvpn client.conf
it may be caused by having an openvpn session already open. This is possible because ubuntu installs openvpn as automatically starting on boot. Do this to see if there is an openvpn session running:
    pstree | grep openvpn
Do this to kill a running openvpn:
    sudo killall openvpn

Hint 3:
If you can connect to the CDX network while at UC but not while outside UC's perimeter look at the 'remote' line in 'client.conf'. If it has try changing it to helios.ececs.uc.edu and restart openvpn.

Hint 4:
Make sure your important services are up! Use nmap to find out. Use nmap from the VM like this: nmap localhost. Use nmap from the host like this: nmap 10.8.0.XXX where 10.8.0.XXX is the tap0 address of your VM. The outputs should agree!

Correction 1:
To make sendmail public do this as root:

  edit /etc/mail/sendmail.mc                  /* make ports 25 & 587 public */
  replace occurrences of "" with ""  /* in two places */
  m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  service sendmail restart                    /* restart sendmail service */

Correction 2:
To make MySQL public do this as root:

  edit /etc/mysql/my.cnf                      /* make port 3306 public */
  set bind-address =                  /* was */
  service mysql restart                       /* restart mysql */

Correction 3:
To make CUPS public do this as root:

  edit /etc/cups/cupsd.conf                   /* make port 631 public */
  change "Listen localhost:631" to "Listen"
  service cups restart                        /* restart cups */

Correction 4:
We have to have a DNS server added. Do this as root:

  apt-get install bind9
The server should start on its own. Configuration is as follows:
  • Download files named.conf.local, db.myzone, and db.reverse
  • Edit the files: replace my email address with yours and with your VM's CDX IP address. Do not use @. You can change the name of the domain, if you wish.
  • Dump all three files into /etc/bind, overwriting the existing named.conf.local
  • Restart the nameserver like this as root: /etc/init.d/bind9 restart
  • Important: every time you edit db.reverse or db.myzone you need to add 1 to the serial number before restarting the nameserver.