20-CS-[51|60]55 Cyber Defense Overview Fall 2018

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

CDX Event

You have just been hired as the network and security administrators at a small company and will be taking administrative control of their web server. You know very little about the network, what security level has been maintained, or what software has been installed. You have a limited time frame to familiarize yourself with the network and systems and to begin the security updates and patches before the red team starts actively attacking your company.

Be sure to check the "Hints" section below periodically during the CDX for announcements or answers to hard problems

Services You Must Provide:
Your team must keep the following services available on all three IP addresses that were given to you:

  • Apache+PHP
  • MySQL (for the purpose of supporting the existing WordPress site)
  • WordPress site must continue providing the content in the MONITOR THIS entry, at the same URL (http://<Your IP>/wordpress/?p=4), and must continue to function as a WordPress site
  • The daytime service must continue providing the time of day on the server
  • FTP must continue providing anonymous access to log in and download any files hosted there
  • The print service (ipp) must be running
  • Your tap0 IP address must respond to ICMP ECHO REQUESTs (ping) per RFC 1122

The following username and password will allow you to log in to any of your VMs initially. Since these are the same for all teams, you are advised to change the password immediately:
  • username: student / password: student

The administrator of both MySQL databases has the following credentials:

  • username: root / password: (empty)
Both MySQL databases are owned by the following:
  • username: student / password: student
CDX Activities:
  1. examine the supplied VM and improve the security posture with changes to configuration files.
  2. allow the VM to undergo attack by the red teams during the CDX.
  3. submit a final report that includes a listing of all changes made to improve the security posture (and why), a Kill Chain description of cyber attack(s) against your server during the CDX period, and other items as described below and as the team sees fit to include.

The CDX period begins at 12:01AM, November 30 and ends 11:59, December 1. The final report is due before noon, December 8. A sample final report is here.

Download: ubuntu-cdx.ova - Size: approx 2.0GB - Use "Import Appliance" in VirtualBox to install

  • SHA1sum: 7e0cbac620fd35b6b1e194ee145913268f311a1b

Red Team Rules of Engagement:
  • It is not OK to attempt to break out of the CDX network. That is, red team members should stick to poking IP address
  • If a VM is compromised (that is, password is discovered and red team can enter the VM and become root) it is not OK to attempt to open a connection to UC's network from the compromised VM.
  • It is OK to attack after 11:59PM on November 30 and before 11:59AM on December 1 only (this has been changed to all day December 2 and all day December 6).
  • The red teams provide for scoring based on service availability and the scoring is posted via the internet.
  • The red teams provide a log of attacks
  • The red teams will generate benign traffic in addition to making attacks.

Blue Team Rules of Engagement:

  • Recovery using a snapshot is disallowed as it violates the spirit of a CDX where we are trying to improve skills of recovery from attack.
  • It is OK to block ports that are not used to provide necessary services.
  • It is OK to transfer files between the host OS and the VM but not between the VM and a UC node. This means it is not OK to transfer a file from the VM to the host then from the host to a UC node.
  • It is OK to create new accounts, change passwords, add or remove users and groups in the VM. All changes need to be documented (the change and the date and time) in the final report.
  • You must defend only through proactive configuration and defensive blocking. In other words, you cannot attack anyone, whether it is a red team or a blue team member.
  • Points are deducted where the final report indicates an attack that was actually benign traffic or has no mention of an attack that occurred.
  • It is OK to add or remove packages from the VM. For example, you may want to add some analysis tools and remove some potentially dangerous packages that are not needed.

Detailed Instructions, Hints, and Corrections:
Setup openvpn on the host and connect:

  1. Download openvpn if you do not already have it installed.
    In Ubuntu: sudo apt-get install openvpn
  2. Create directory
    In Ubuntu: sudo mkdir /etc/openvpn ; sudo mkdir /etc/openvpn/credentials
  3. Inspect and modify client.conf
    Contents of client.conf:
       dev tap
       proto tcp
       remote helios.ececs.uc.edu 1194
       resolv-retry infinite
       user nobody
       group nobody
       ca /etc/openvpn/credentials/ca.crt
       cert /etc/openvpn/credentials/blue-xx.crt (note: xx=the 2 or 3 numbers just before '.crt' in your given certificate)
       key /etc/openvpn/credentials/blue-xx.key (note: ditto)
       ns-cert-type server
       cipher AES-128-CBC
       verb 4
       socks-proxy 8080
  4. Put client.conf and credentials in proper directories
    In Ubuntu: sudo mv client.conf /etc/openvpn
       sudo mv blue-xx.crt /etc/openvpn/credentials
       sudo mv blue-xx.key /etc/openvpn/credentials
       sudo mv ca.crt /etc/openvpn/credentials

  5. Start a SOCKS proxy
    In Ubuntu: ssh -N -f -C -D 8080 ucfilespace.uc.edu
    note: you should use some number other than 8080 so as not to conflict with someone else using that port - whatever you choose, client.conf should be updated.
  6. Exit any running instances of openvpn (may have started automatically)
    In Ubuntu: pstree -paul | grep openpvn
         | +-openvpn,14297 /etc/openvpn/client.conf
         sudo kill -9 14297
  7. Start the openvpn client
    In Ubuntu: cd /etc/openvpn
        sudo openvpn client.conf
  8. Check the connection:
    1. Sample output from ifconfig:
             tap0  Link encap:Ethernet  HWaddr 12:bf:49:ef:3f:2e
                   inet addr:  Bcast: Mask:
                   inet6 addr: fe80::10bf:49ff:feef:3f2e/64 Scope:Link
                   UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
                   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:100
                   RX bytes:0 (0.0 B)  TX bytes:8171 (8.1 KB)
    2. Output from openvpn:
             Fri Nov 17 05:46:53 2017 us=930280 do_ifconfig, tt->ipv6=0, ...
             Fri Nov 17 05:46:53 2017 us=930441 /sbin/ip link set dev tap0 up mtu 1500
             Fri Nov 17 05:46:53 2017 us=937983 /sbin/ip addr add dev tap0
             Fri Nov 17 05:46:53 2017 us=943727 GID set to nogroup
             Fri Nov 17 05:46:53 2017 us=943819 UID set to nobody
             Fri Nov 17 05:46:53 2017 us=943844 Initialization Sequence Completed
    A successful connection results in transactions shown here.
Install, Configure, and Operate the VM:
  1. Download the ubuntu-cdx.ova appliance
  2. Open virtualbox - update to latest version, if needed
       menu: File -> Check for Updates...
       Latest versions available at https://www.virtualbox.org/wiki/Downloads
  3. Update or install extensions
       menu: File -> Preferences... -> Extensions
       make sure the latest is listed
       Latest extension available at https://www.virtualbox.org/wiki/Downloads
  4. Import appliance
       File -> Import Applicance...
       Click small square icon on the right
       Find ubuntu-cdx.ova and select
       Click Next
       VERY IMPORTANT: Click 'Reinitialize the MAC address' of all network cards
       Click Import
  5. Set network parameters
       With virtualbox started and proxy running, select Ubuntu-CDX
       icon: Click Settings, select Network
       menu: Attached to: -> Bridged Adapter
       menu: Name: -> tap0    exit the dialog
  6. Boot the Ubuntu-CDX
       With Ubuntu-CDX selected in virtualbox, click the green arrow
       The OS boots without requiring username and password but username and password are both 'student'
  7. Change password and/or create new users
       change password: passwd
       create new user: sudo useradd
       sudo passwd
  8. Change network address
       You will be given an address 10.8.0.xxx where xxx is a number from 100-199. This needs to be made your IP address
    1. Click the network icon in the menu bar at the top of the VM frame. If you are connected, which you should be, the icon will be two vertical arrows, one pointing up the other down.
    2. Click Edit Connections...
    3. Click Wired connection 1
    4. Click Edit...
    5. Click IPv4 Settings
    6. Click Add
    7. Enter assigned address (10.8.0.yyy) - we gave you the yyy    Enter netmask (
         Enter gateway (
    8. Click Save and exit all dialogs
  9. Check network connection. command: ifconfig
  10. Check services
       from host: nmap 10.8.0.yyy
         22/tcp open  ssh
       from VM: nmap localhost
         7/tcp  open  echo
         13/tcp open  daytime
         21/tcp open  ftp     (missing - not yet started)
         22/tcp open  ssh
         25/tcp open  smtp    (missing - not yet started)
         37/tcp open  time
         80/tcp open  http    (missing - not yet started)
        631/tcp open  ipp
       3306/tcp open  mysql
       from VM: telnet 10.8.0.yyy 13
Hint 1:
if the connection resets every 5 seconds you may have a second openvpn session running. This is possible because ubuntu installs openvpn to start automatically. To kill the other session do this:
    sudo killall openvpn    
then try again.

Socks Proxy:
Use the following command from a shell on your ubuntu host to establish a socks proxy to UC:

    ssh -N -f -C -D 8080 <your-username-on-ucfilespace>@ucfilespace.uc.edu
This assumes you have an active account on ucfilespace and you know your username and password on that machine. If you use a socks proxy (port 8080) you will have to put the following line into your client.conf file before starting openvpn:
    socks-proxy 8080    
preferably before the 'remote ...' line. In order to stay alive regardless of activity you will need to edit /etc/ssh/ssh_config before running the command above. The important lines to add are:
    ServerAliveInterval 30
    ServerAliveCountMax 5

After starting openvpn you should see a new internet interface called tap0 or tap1. If you execute ifconfig tap0 (alternatively, tap1) you will get something like this:

    tap0      Link encap:Ethernet  HWaddr 4a:5b:ac:d0:39:c6
              inet addr:  Bcast:  Mask:
              inet6 addr: fe80::485b:acff:fed0:39c6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:808 (808.0 B)  TX bytes:578 (578.0 B)    
where the 52 could be anything from 50 to 255. We have a VM connected at Connect to it like this:
    [franco@franco ~]$ ssh student@
    The authenticity of host ' (' can't be established.
    ECDSA key fingerprint is 0c:30:5a:4f:2a:72:55:ef:06:10:90:8d:05:18:61:7b.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '' (ECDSA) to the list of known hosts.
    no such identity: /home/franco/.ssh/id_ed25519: No such file or directory
    student@'s password:
    Last login: Mon Nov 30 13:00:35 2017 from
The password is 'student'. The authenticity message shows up only the first time you log in. Please note that the connectivity to this test machine is flaky because it is connected via wireless, so the above not working does not mean your setup is not working.

Setup the VM:
Make sure openvpn is running without errors as above. Assuming you downloaded CDX-2016.ova and you have installed the latest virtualbox and guest additions, start virtualbox, drop the 'File'menu and select 'Import Appliance'. The next step is critical: Click 'Expert Mode' to reveal a screen such as this:

Check the box labeled 'Reinitialize the MAC address of all network cards' as shown in the figure. If you do not do this all hell will break loose: if the MAC of your NIC ends in C75A, then it will conflict with everyone else who has not reinitialized it, so check it. The result of not reinitializing is incredibly slow communication. Next, click the tiny icon to the right of the textfield and select the downloaded ova file. Progress through the installation, clicking the obvious boxes (and not trying to customize), which takes several minutes to finish. Now find the new VM in a list on the left side of the starting screen of virtualbox, select it, and click on the green arrow at the top.

When the VM is up, you will see a 'Downloads' icon to the upper left, a column of icons in the left margin, and a row of small icons at the top of the screen. Click the margin icon that looks like a terminal to open a shell. Execute ifconfig. You will see something that looks like this:

    eth0      Link encap:Ethernet  HWaddr 08:00:27:47:c7:5a
              inet addr:  Bcast:  Mask:
              inet6 addr: fe80::a00:27ff:fe47:c75a/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3768 errors:0 dropped:0 overruns:0 frame:0
              TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:463732 (463.7 KB)  TX bytes:87036 (87.0 KB)  
where eth0 may be tap0 or tap1. Observe that the IP address is This must be changed. In the top row there is a network icon that is normally one up arrow next to a down arrow (indicating an established connection). Right click that icon and select 'Edit Connections'. Select 'Wired Connection 1' and click on 'Edit'. Click on the 'IPv4 Settings' tab. Under 'Address' you see the number (like) ''. Change that number to one of the three numbers that were emailed to your team leader (they all have the form where you supply the XX digits). Click 'Save' and 'Close'. Right click the networking icon in the top row and select 'Wired Connection 1'. Wait a minute. Execute ifconfig to verify the change in IP address. You are ready to defend.

Beginning two days before the CDX we may ask you via blackboard to make some minor changes to the OS. If you do not make those changes the red team will think that one or more of your services is down. Those changes will also be written on this page below.

Hint 2:
If you are getting connection resets every 5 seconds after using

    sudo openvpn client.conf
it may be caused by having an openvpn session already open. This is possible because ubuntu installs openvpn as automatically starting on boot. Do this to see if there is an openvpn session running:
    pstree | grep openvpn
Do this to kill a running openvpn:
    sudo killall openvpn

Hint 3:
If you can connect to the CDX network while at UC but not while outside UC's perimeter look at the 'remote' line in 'client.conf'. If it has try changing it to helios.ececs.uc.edu and restart openvpn.

Hint 4:
Make sure your important services are up! Use nmap to find out. Use nmap from the VM like this: nmap localhost. Use nmap from the host like this: nmap 10.8.0.XXX where 10.8.0.XXX is the tap0 address of your VM. The outputs should agree!

Correction 1:
To make sendmail public do this as root:

  edit /etc/mail/sendmail.mc                  /* make ports 25 & 587 public */
  replace occurrences of "" with ""  /* in two places */
  m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
  service sendmail restart                    /* restart sendmail service */

Correction 2:
To make MySQL public do this as root:

  edit /etc/mysql/my.cnf                      /* make port 3306 public */
  set bind-address =                  /* was */
  service mysql restart                       /* restart mysql */

Correction 3:
To make CUPS public do this as root:

  edit /etc/cups/cupsd.conf                   /* make port 631 public */
  change "Listen localhost:631" to "Listen"
  service cups restart                        /* restart cups */

Correction 4:
We have to have a DNS server added. Do this as root:

  apt-get install bind9
The server should start on its own. Configuration is as follows:
  • Download files named.conf.local, db.myzone, and db.reverse
  • Edit the files: replace my email address with yours and with your VM's CDX IP address. Do not use @. You can change the name of the domain, if you wish.
  • Dump all three files into /etc/bind, overwriting the existing named.conf.local
  • Restart the nameserver like this as root: /etc/init.d/bind9 restart
  • Important: every time you edit db.reverse or db.myzone you need to add 1 to the serial number before restarting the nameserver.

Members    Group Name    IP addresses
Benner, Deibel, Wendelken, Flick, Burley   Group 0100-102
Hafner, Kanu, Wolff   Group 1103-105
LaDu, Frantz, Kapoor   Equifax106-108
Gyurgyak, Lavin, Horner, Bauer   Group 3109-111
Patnaik Na, Krishna Chinatapalli, McPhillips, Tej Gidijala   Trojans112-114
Bellanti, Climes, Hammond, Poole, Romstadt   Group 5115-117
Gudaramachandra, Cheerla, Mavireddy   Group 6118-120
Carlson, Geisler, Nelson, Nichols   Group 7121-123
Smith, Lambright, Reed, Burnam, Gupta   Team_Rocket124-126
Pulavarthi, Chagarlamudi, Nevuri, Pusapati   Group 9127-129
Isburgh, Mikolay, Jenkins, Tran   Botsyn_FTW130-132
Long, Malpede, Thompson, Vergara, lankitus   Group 11133-135