20-CS-5155-001 | Cyber Defense Overview | Fall 2017
You have just been hired as the network and security administrators at a small company and will be taking administrative control of its web server. You know very little about the network, what security level has been maintained, or what software has been installed. You have a limited time frame to familiarize yourself with the network and systems and to begin the security updates and patches before the red team starts actively attacking your company.

Be sure to check the "Hints" section below periodically during the CDX for announcements or answers to hard problems.
Services You Must Provide:
The following username and password will allow you to log in to any of your VMs initially. Since these are the same for all teams, you are advised to change the password immediately:
The administrator of both MySQL databases has the following credentials (they are published here, so change them as well):
Download: CDX-2016.ova - Size: approx 2.0GB - Use "Import Appliance" in VirtualBox to install
Blue Team Rules of Engagement:
Detailed Instructions, Hints, and Corrections:
Changes to make in client.conf (old -> new; "change XX as above" means substitute your team's number):

remote 10.52.10.253 1194 -> remote helios.ececs.uc.edu 1194
...
cert /etc/openvpn/easy-rsa/keys/blue-XX.crt -> change XX as above
key /etc/openvpn/easy-rsa/keys/blue-XX.key -> change XX as above

To connect to the CDX network, either start a socks proxy or connect to the UC network via VPN, then open a shell on your ubuntu host, cd to /etc/openvpn and execute this:
sudo openvpn client.conf

A successful connection results in transactions shown here.
If it does not connect, run

sudo killall openvpn

then try again.
To start the socks proxy:

ssh -N -f -T -D 8080 <your-username-on-ucfilespace>@ucfilespace.uc.edu

This assumes you have an active account on ucfilespace and you know your username and password on that machine. If you use a socks proxy (port 8080) you will have to put the following line into your client.conf file before starting openvpn:
socks-proxy 127.0.0.1 8080

preferably before the 'remote ...' line. In order to stay alive regardless of activity you will need to edit /etc/ssh/ssh_config before running the command above. The important lines to add are:
ServerAliveInterval 30
ServerAliveCountMax 5

(The same two settings can be given on the command line instead, as -o ServerAliveInterval=30 -o ServerAliveCountMax=5, if you would rather not edit the system-wide file.)
Once connected, ifconfig on your host shows a new tap interface:

tap0      Link encap:Ethernet  HWaddr 4a:5b:ac:d0:39:c6
          inet addr:10.8.0.52  Bcast:10.8.0.255  Mask:255.255.255.0
          inet6 addr: fe80::485b:acff:fed0:39c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:808 (808.0 B)  TX bytes:578 (578.0 B)

where the 52 could be anything from 50 to 255. We have a VM connected at 10.8.0.60. Connect to it like this:
[franco@franco ~]$ ssh student@10.8.0.60
The authenticity of host '10.8.0.60 (10.8.0.60)' can't be established.
ECDSA key fingerprint is 0c:30:5a:4f:2a:72:55:ef:06:10:90:8d:05:18:61:7b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.0.60' (ECDSA) to the list of known hosts.
no such identity: /home/franco/.ssh/id_ed25519: No such file or directory
student@10.8.0.60's password:
Last login: Mon Nov 30 13:00:35 2015 from 10.8.0.56
student@cyber-box:~$

The username and password are both 'student'. The authenticity message shows up only the first time you log in; if a later login instead warns that the host key has changed, stop and find out why before typing the password. Please note that the connectivity to this test machine is flaky because it is connected via wireless, so the above not working does not mean your setup is not working.
Set up the VM:
Check the box labeled 'Reinitialize the MAC address of all network cards' as shown in the figure. If you do not do this all hell will break loose: every VM imported from this .ova comes with the same NIC MAC address (ending in C75A), so yours will conflict on the shared network with everyone else who has not reinitialized it, so check it. The symptom of not reinitializing is incredibly slow communication. Next, click the tiny icon to the right of the textfield and select the downloaded ova file. Progress through the installation, clicking the obvious boxes (and not trying to customize), which takes several minutes to finish. Now find the new VM in the list on the left side of the starting screen of VirtualBox, select it, and click on the green arrow at the top.
When the VM is up, you will see a 'Downloads' icon to the upper left, a column of icons in the left margin, and a row of small icons at the top of the screen. Click the margin icon that looks like a terminal to open a shell. Execute ifconfig. You will see something that looks like this:
eth0      Link encap:Ethernet  HWaddr 08:00:27:47:c7:5a
          inet addr:10.8.0.200  Bcast:10.8.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe47:c75a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3768 errors:0 dropped:0 overruns:0 frame:0
          TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:463732 (463.7 KB)  TX bytes:87036 (87.0 KB)

where eth0 may be tap0 or tap1. Observe that the IP address is 10.8.0.200. This must be changed: every team's VM starts with this same address, so two unmodified VMs on the network would collide. In the top row there is a network icon that is normally one up arrow next to a down arrow (indicating an established connection). Right click that icon and select 'Edit Connections'. Select 'Wired Connection 1' and click on 'Edit'. Click on the 'IPv4 Settings' tab. Under 'Address' you see the number '10.8.0.200'. Change that number to one of the three numbers that were emailed to your team leader (they all have the form 10.8.0.2XX where you supply the XX digits). Click 'Save' and 'Close'. Right click the networking icon in the top row and select 'Wired Connection 1'. Wait a minute. Execute ifconfig to verify the change in IP address. You are ready to defend.
If an error occurs when you run

sudo openvpn client.conf

it may be caused by having an openvpn session already open. This is possible because ubuntu installs openvpn as automatically starting on boot. Do this to see if there is an openvpn session running:
pstree | grep openvpn

Do this to kill a running openvpn:
sudo killall openvpn
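A preflight check for the steps above (the client.conf edits, the placement of the socks-proxy line, and the openvpn-already-running problem), written as an added example for this page rather than code supplied by the course. It assumes the config is /etc/openvpn/client.conf, that your team number replaces XX in the blue-XX.crt and blue-XX.key paths (the constructed sample uses 12 as a stand-in), and that pgrep is installed:

```shell
#!/bin/sh
# Added example, not code from the course page: a preflight check for the
# client.conf edits and the "openvpn already running" problem described above.
# Assumptions (not from the page): the config lives at /etc/openvpn/client.conf,
# the team number replaces XX in blue-XX.crt/.key, and pgrep is available.

# Lint a client.conf read on stdin. Prints one line per problem found and
# nothing when the file matches what the page asks for.
lint_client_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # ignore comments and blanks
        $1 == "remote"      { remote_line = NR; remote = $2 }
        $1 == "socks-proxy" { socks_line = NR }
        $1 == "cert"        { cert = $2 }
        $1 == "key"         { key = $2 }
        END {
            if (remote != "helios.ececs.uc.edu")
                print "remote must be helios.ececs.uc.edu, not " (remote == "" ? "(missing)" : remote)
            if (cert == "" || key == "")
                print "cert or key line missing"
            else if (cert ~ /XX/ || key ~ /XX/)
                print "cert/key still contain XX; substitute your team number"
            if (socks_line && remote_line && socks_line > remote_line)
                print "socks-proxy should come before the remote line"
        }'
}

# Same question as the page's `pstree | grep openvpn`: succeeds (exit 0) when
# an openvpn process is already running.
openvpn_running() {
    pgrep -x openvpn >/dev/null 2>&1
}

# Constructed sample configs (not real team files). BAD_CONF has the two
# problems the page describes; GOOD_CONF uses an assumed team number 12.
BAD_CONF='client
remote helios.ececs.uc.edu 1194
socks-proxy 127.0.0.1 8080
cert /etc/openvpn/easy-rsa/keys/blue-XX.crt
key /etc/openvpn/easy-rsa/keys/blue-XX.key'

GOOD_CONF='client
socks-proxy 127.0.0.1 8080
remote helios.ececs.uc.edu 1194
cert /etc/openvpn/easy-rsa/keys/blue-12.crt
key /etc/openvpn/easy-rsa/keys/blue-12.key'

# Usage: `sh preflight.sh /etc/openvpn/client.conf` checks the real file; with
# no argument it lints the constructed BAD_CONF so the output can be seen offline.
if [ -n "${1:-}" ]; then
    if openvpn_running; then
        echo "openvpn is already running (ubuntu starts it at boot): sudo killall openvpn first"
    fi
    lint_client_conf < "$1"
else
    printf '%s\n' "$BAD_CONF" | lint_client_conf
fi
```

Run it before every `sudo openvpn client.conf`; an empty lint and no running openvpn means the remaining failure modes are the proxy or VPN path to campus, not the file.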
Sendmail:

edit /etc/mail/sendmail.mc                          /* make ports 25 & 587 public */
    replace occurrences of "127.0.0.1" with "0.0.0.0"   /* in two places */
    save
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf    /* regenerate sendmail.cf; the edit has no effect until you do this */
service sendmail restart                            /* restart sendmail service */

MySQL:

edit /etc/mysql/my.cnf                              /* make port 3306 public */
    set bind-address = 0.0.0.0                      /* was 127.0.0.1, in the [mysqld] section */
    save
service mysql restart                               /* restart mysql */

CUPS:

edit /etc/cups/cupsd.conf                           /* make port 631 public */
    change "Listen localhost:631" to "Listen 0.0.0.0:631"
    save
service cups restart                                /* restart cups */

Binding to 0.0.0.0 makes each daemon reachable on every interface, so once restarted these services are exposed to the whole CDX network, red team included. Verify with ss -ltn (or netstat -ltn) that each port shows 0.0.0.0 or * rather than 127.0.0.1; if it still shows 127.0.0.1 the edit was not picked up (for sendmail, usually because the m4 step was skipped).
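An added example, not code from the course page, that performs the three edits above in one re-runnable script and then checks what is actually listening, since a saved edit that was never regenerated (sendmail) or a daemon that failed to restart leaves the port on 127.0.0.1 without any error message. Assumptions not stated on the page: Ubuntu's sendmail.mc carries the address as Addr=127.0.0.1 inside DAEMON_OPTIONS(...), my.cnf has a bind-address = 127.0.0.1 line, the ss tool from iproute2 is present, and port 53 is included only because bind9 is installed in the next step:

```shell
#!/bin/sh
# Added example, not code from the course page: apply the three "make the port
# public" edits idempotently, then verify what is really listening.
# Assumptions (labelled, not from the page): Ubuntu's sendmail.mc carries the
# bind address as `Addr=127.0.0.1` inside DAEMON_OPTIONS(...); my.cnf has a
# `bind-address = 127.0.0.1` line; `ss` (iproute2) exists for the live check.

# Rewrite FILE (sendmail.mc, my.cnf or cupsd.conf) so the daemon binds to every
# interface. Each pattern matches only the line the page tells you to change, so
# re-running on an already-edited file is a no-op. Output goes to a temp copy
# that is moved into place, so a failing sed never leaves a half-written config.
# (In sed, \1 is the backreference and the following 0.0.0.0 is literal text.)
expose_port() {
    file="$1"
    sed -e 's/\(DAEMON_OPTIONS(.*Addr=\)127\.0\.0\.1/\10.0.0.0/' \
        -e 's/^\([[:space:]]*bind-address[[:space:]]*=[[:space:]]*\)127\.0\.0\.1/\10.0.0.0/' \
        -e 's/^Listen localhost:631$/Listen 0.0.0.0:631/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Classify how PORT is bound, reading `ss -ltn` output on stdin:
#   all      -> a socket on 0.0.0.0 / * / :: / [::]  (reachable by the red team)
#   loopback -> only 127.0.0.1 or ::1 (the edit did not take, or no restart)
#   none     -> nothing listening on that port at all
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                       # local address is field 4
            p = a[n]                                    # port follows the last colon
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") lo = 1
            else all = 1
        }
        END { print (all ? "all" : (lo ? "loopback" : "none")) }'
}

# Ports the page opens, plus 53 for the bind9 step that follows (assumption).
REQUIRED_PORTS="25 587 3306 631 53"

# Print "port scope" for every required port. Takes the ss text as an argument
# so one capture can be scanned once per port.
check_required() {
    ss_text="$1"
    for port in $REQUIRED_PORTS; do
        printf '%s %s\n' "$port" "$(printf '%s\n' "$ss_text" | listen_scope "$port")"
    done
}

# Constructed sample of `ss -ltn` output (not captured from a real CDX host):
# 25 already public, 3306 and 631 still on loopback, 587 and 53 not listening.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                 *:*
LISTEN 0      128    0.0.0.0:25           *:*
LISTEN 0      50     127.0.0.1:3306       *:*
LISTEN 0      128    127.0.0.1:631        *:*
LISTEN 0      128    :::22                :::*'

# Usage: `sudo sh expose.sh apply` on the VM performs the edits, regenerates
# sendmail.cf, restarts the daemons and reports the result. With no argument it
# only classifies the constructed sample, so it can be read offline.
if [ "${1:-}" = "apply" ]; then
    expose_port /etc/mail/sendmail.mc
    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    expose_port /etc/mysql/my.cnf
    expose_port /etc/cups/cupsd.conf
    service sendmail restart
    service mysql restart
    service cups restart
    check_required "$(ss -ltn)"
else
    check_required "$SAMPLE_SS"
fi
```

Any line reporting loopback after the apply run means that service is not yet doing what the scorer (and the red team) will look for; the usual culprits are the m4 step for sendmail and a bind-address line that sits outside the [mysqld] section.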
apt-get install bind9

The server should start on its own. Configuration is as follows: