Documentation of SHiNE

Bachelor project, winter semester 07/08

March 31, 2008

Abstract

SHiNE (Security and Hacking in Network Environments) is a student Bachelor project based on the Master project NetS-X. The goal of this project is the implementation of a learning environment that leads the user through network-specific problems and security tasks.

Contents

1 Objectives [ar, rb]
2 Competitor analysis [dl, pm]
  2.1 Overview
  2.2 Applied security laboratory
  2.3 Tele-Lab IT-Security
  2.4 Cyber Ciege
3 2D-Game
  3.1 Description of 2D Game [cs]
  3.2 Overall story [fe, af, sg]
  3.3 Sequence chart [fe, af, sg]
  3.4 Integration items/characters in overall story [sg, fe, af]
  3.5 In-Game assistance [sg, fe, af]
  3.6 Behavior NPCs (Implementation XML) [sg, fe, af]
  3.7 Realisation Flash-Client [cs, ju]
    3.7.1 Implementation
    3.7.2 State Machine
    3.7.3 Gameobjects (NPCs, items, trigger areas)
    3.7.4 Tile editor
    3.7.5 Waypoint editor [dl]
4 Description of Game Topology [ts]
5 Scenarios
  5.1 Basic scenarios [jp]
    5.1.1 Console
    5.1.2 Vi
  5.2 Man-in-the-middle scenarios
    5.2.1 ARP-Spoofing [rb]
    5.2.2 Hijacking [rb]
    5.2.3 SSL-Cracking [aoe]
  5.3 Password Hacking [ts]
    5.3.1 John the Ripper
    5.3.2 Cron John
    5.3.3 Hydra
  5.4 Honeyd [pm]
    5.4.1 Honeypot detection
  5.5 Monitoring Tools [cg]
    5.5.1 Cacti
  5.6 IDS scenarios [jl]
    5.6.1 Run snort
    5.6.2 Create snort rule
  5.7 DNS [mt]
    5.7.1 DNS Basics
    5.7.2 DNS Server manipulation
    5.7.3 DNS-Spoofing
    5.7.4 Domain
  5.8 Learning scenarios [ts]
    5.8.1 LDAP
    5.8.2 RADIUS
6 Overall System Conventions and Design [ar, dg, sd, tr]
  6.1 Conventions
    6.1.1 Overall Systemconcept [ar, sd, tr]
    6.1.2 Overall Designconcept [ar, dg, sd, tr]
    6.1.3 Namefinding [ar]
    6.1.4 Styleguide [dg]
    6.1.5 Rights [tr]
  6.2 Webinterface [ar, dg, sd, tr]
    6.2.1 Login / Registration [dg]
    6.2.2 PDA-Screens [ar, sd]
    6.2.3 Administration Screen [master]
  6.3 2D Gamedesign
    6.3.1 The Flashgame Graphics [tr, ar]
    6.3.2 The Characters [dg, mf]
  6.4 Implementation MVCs in CakePHP [sd]
7 Overall Gameplay-Improvements [af, sg, tr]
  7.1 Enhancements in Communications
  7.2 Improvements to the game itself
  7.3 Missions
  7.4 Graphics
  7.5 Real world and 2D-Game relationship
  7.6 Content creation for the 2D-Game
A Capability planning [fe]
  A.1 Personnel planning
  A.2 Time management with Gantt-Diagram
B External presentation
  B.1 Flyer, poster, handouts [dg, cs]
  B.2 Website [rb, ar]
C 2D-Game
  C.1 Script [fe, af, sg]
  C.2 Realisation Flash-Client [cs, ju]
    C.2.1 Game server interface [cs, ju]
    C.2.2 The tile map [cs, ju]
    C.2.3 Scene management and animations [cs]
    C.2.4 Pathfinding [cs, ju]
    C.2.5 Class diagram [cs, ju]
D Game topology
  D.1 Manual Net Topology installation [jl, mt, aoe]
    D.1.1 Activate Topology at the PCs
    D.1.2 Setting up the Network devices
  D.2 Manual Game server installation [sd]
    D.2.1 Linux installation
    D.2.2 Windows installation
E Scenarios
  E.1 Basic scenarios [jp]
    E.1.1 Console
    E.1.2 Vi
  E.2 Man-in-the-middle scenarios
    E.2.1 ARP-Spoofing [rb]
    E.2.2 Hijacking [rb]
    E.2.3 SSL-Cracking [aoe]
  E.3 Password Hacking [ts]
    E.3.1 John the Ripper
    E.3.2 Cron John
    E.3.3 Hydra
  E.4 Honeyd [pm]
  E.5 Monitoring Tools [cg]
    E.5.1 Cacti
    E.5.2 Ntop
  E.6 IDS scenarios [jl]
    E.6.1 Run snort
    E.6.2 Snort rule
  E.7 DNS [mt]
    E.7.1 DNS Basics
    E.7.2 DNS Server manipulation
    E.7.3 DNS-Spoofing
    E.7.4 Domain


1 Objectives [ar, rb]

The objective of the SHiNE project is to complete the base system of the NetS-X project with scenarios, a game story, a playable game and a consistent design. Following the NetS-X project, the primary objectives of the implemented system are:

• development of an innovative learning environment in the form of an interactive game incorporating an already existing real-world network infrastructure.

• conveyance of both theoretical knowledge and practical skills about information and network security issues.

• teaching aspects of ethical hacking for the purpose of increasing security in computer networks.

• creating a fun atmosphere and competition between teams situated in remote locations using a game topology of similar design.

Furthermore, the learning environment is split into three parts, which were implemented by the Masters group and on which SHiNE was built. The first part is the game, which is the starting point for every player. There the player receives orders that he has to complete in a real network environment. This is the main difference between a network game in the usual sense and our network learning environment: we do not just let the player play a hacking or security game, we let him design and test a real network implementation. This network environment is the second part of SHiNE. It is modelled on a normal business environment with different network zones, a DMZ, two firewalls and everything else that belongs to a network topology. Again, this topology is a real one: the player has to interact with real Linux servers and Cisco routers as hardware components, and with services like LDAP, RADIUS, Apache, BIND, Cacti, Snort, Kerberos and many more. Furthermore the player has to use tools for network and security testing. The third part of SHiNE is a wiki with information about the tools, services and hardware, and guides on how to use these tools. This part is not only passive; the wiki is interactive. Players can add articles, for example if they have found another way to test a given problem.

2 Competitor analysis [dl, pm]

2.1 Overview

We tried to look at a wide spectrum of network and "hacking" projects and decided to focus on one game and two other projects. In conclusion we can say that SHiNE is a modern technique for teaching network security. It is a kind of edutainment, that is, a mixture of education and entertainment, and belongs to the genre of serious gaming. The complete presentation is available as a PDF file: https://www.netzlabor.hs-bremen.de/wiki/index.php/Recherche zu %C3%A4hnlichen %22Hacker-Spielen%22

2.2 Applied security laboratory

This is a university project in which students work in groups of two. They have to plan and realise a complete network system. At the end of the semester, professionals from industry visit the university and tell the students what their daily work looks like.

2.3 Tele-Lab IT-Security

Tele-Lab teaches users different aspects of IT security on the basis of exercises that follow standard usage. The user can complete all exercises in a realistic environment without endangering his own or other computers. During the training Tele-Lab IT-Security gives the user advice. Before the user begins with the practical exercises, he receives basic information about the respective topic and the most important tools.

2.4 Cyber Ciege

This is an innovative game/tool for teaching network environments and network security. It was developed especially for training and education within the US government and military; meanwhile it is also used as a training tool in universities. The project was sponsored by the US Navy and other educational institutions. One team of the developers comes from "Rivermind", the developer of "Medal of Honor". The player has a 3D view like in "The Sims" and has to buy and install a network environment. He also has to manage colleagues and keep them satisfied by keeping the network connection alive.

3 2D-Game

3.1 Description of 2D Game[cs]

The 2D game is the first screen a SHiNE player will see. Using the mouse, the player can walk around and talk to non-player characters (NPCs). He may also pick up items and use them. It is an interactive game world that simulates an office with co-workers, bosses and other typical staff. The idea is to guide the player through a network company and give him the opportunity to gain the knowledge that is necessary for real tasks. Through in-game information and links to the game wiki he gains skills, and, escorted by the story line, NPCs give him tasks to solve. These problems or scenarios are not part of the 2D game and are played with real tools in a real network environment. A special monitoring mechanism observes the actions of the player in the network, and if he fulfils a required task the game is informed. Back in the virtual 2D office he is rewarded with score, the story line goes on and new tasks become accessible.

3.2 Overall story [fe, af, sg]

An overall story is a precondition for good learning achievement in a learning game, but a badly structured story can also demotivate the player, e.g. if the player simply receives his missions with their tasks and has to accomplish them one by one without any further information or action. The player has to be led through a suitable storyline that motivates him to complete the upcoming tasks in order to go on.

To create a good story you need to determine some preconditions. To define these preconditions we had to brainstorm.

It was predetermined that the game must be set in a company that is concerned with some kind of network security, be it a department or the whole company that deals with this subject. After defining the preconditions we created a coarse story environment. We had the idea to play within an intelligence service like the BND in Germany or the CIA in the USA. The thought behind this was that the tutors could easily implement offensive or defensive scenarios in the game and the storyline. But after a consultation with the whole project group we discarded that idea for political reasons and replaced it with an ordinary network security company.

Because of the current discussion about data privacy and the surveillance of citizens by means of computer surveillance with a Trojan, we had the idea that this might already be happening.

The state is collecting massive amounts of data and is drowning in it. To deal with this amount of data it commissioned this network security company to handle it. Because of the additional work the company had to employ more clerks and trainees. The player plays the part of a trainee. After a short time the player realises that his supervisors have fraudulent intentions. This offers a wide range of offensive scenarios and perhaps a moral conflict with the law. Later in the game the player could get in contact with the hacker scene, which is working against the methods of the network security company. This offers a wide range of offensive and defensive scenarios and maybe an interesting and motivating twist for the player.

For more detailed stories for the individual scenarios please refer to the script in appendix C.1.

3.3 Sequence chart[fe, af, sg]

The sequence chart is an overview of the several chapters of the story. A chapter consists of obtaining a skill and completing a scenario. To be able to create a continuous story, it was first necessary to know in which order the skills are obtained and the scenarios are played. To work this out we needed an exchange of information with the whole scenario group to get their conceptions, and with part of the master group to get their file reports. We discussed the complexity of the scenarios and the relations between the individual scenarios to find an order for all given scenarios. The player cannot play a scenario until he has unlocked the required skills. Basically, the order of the chapters and the split into traces are completely based on the preconditions of the scenarios.

The result of this discussion was the sequence chart (figure 1). Its description is very simple. Every box represents a story part. Each box is also marked with (-), (*) and (-), which indicate whether the story part is a scenario (-), a learning scenario (*) and/or a skill (-). The arrows between the boxes describe the relationships between the boxes; the colours of the arrows have no meaning.

Figure 1: Sequence Chart

The player starts with a given task in which he has to get familiar with the basics of Linux. As soon as the player accomplishes this task there are five possible story parts available to him. He is almost free in his decision which story part he chooses, but once he has chosen one he has to accomplish it before he starts the next one. He also has to respect the constraints of each story part, which means that some scenarios have to be finished before other scenarios can be played, e.g. the scenario DNS Spoofing can only be played if the scenarios DNS server manipulation, Hydra and DHCP are finished. This system allows the player to choose between different tasks without the risk of getting too deep into one subject without the required previous knowledge.

3.4 Integration items/characters in overall story [sg, fe, af]

Besides many nameless colleagues there are some special characters who accompany the player through the story. They provide the player with background information and guide him through the story. The following fixed NPCs are already implemented:

Department chief: Description or specification: The department chief is a harsh, egoistic person. He is always busy and has no time for the player. He also takes all the credit for things that his staff have achieved.

Function: The DC is the one person a loyal player should work for, but because of the DC's egoistic character the player should have no problem working for anybody other than the DC.

Janitor: Description or specification: The janitor is a very angry guy who does not seem to like his work, although he does it very well. The only thing he seems to like less than his work is other people, so he hates the player character from the very beginning and the player will not be able to change that. So if he does not want to see the player as a friend, why shouldn't the player have a little fun annoying the janitor? ;)

Function: There is no learning aim in getting in contact with the janitor at all. He just gives the game a little more realism. He will not help the player. But maybe he can be helpful to the player without wanting to be?

The Geek: Description or specification: A guy nobody wants as a friend. He knows everything better and will tell everybody if you tell him about your problems. However, he really does know a lot, but getting information from him has a high price: unpopularity.

Function: Although he is not integrated at the moment, we have to say that the Geek was one of the earliest ideas for an in-game character. If you have any problems with a scenario, he is the one who can help you. But asking him will bring you the anger of your other colleagues. Right now it is unfortunately too complex to integrate an NPC into SHiNE who can help you with whatever you need, but maybe one day somebody will implement him and write down all his clever hints.

Secretary: Description or specification: A nice and sexy woman. She helps wherever she can and seems to like the player. She is always busy but never too busy to give any help she can give. Having her as a friend might be a good idea.

Function: The secretary is the second voice of the DC. She is the one you would always help if help is needed, and so will she. She passes most of the DC's orders on to the player whenever the DC has no time. She helps the player if she can, and as a vision it might be a later goal of the game to date her. But to date her you first have to show her what a tough and hard-working guy you are. And please don't talk to the Geek: he is so *** that she won't date you if she knows about it.

Larry: Description or specification: This nice young guy seems to be a bit of a rebel. He doesn't like the DC and will do whatever he can to annoy him. On the other hand he seems to be a very clever guy, and helping him could be profitable. He does anything but work; look at the coffee machine first if you are looking for him.

Function: Larry gives the player a chance to be a bit of a rebel. Larry always wants the player to help him annoy the DC. In time he could even become a connection to a hacker society inside SHiNE that wants to get rid of the DC because he is playing a foul game.

Flyer: Description or specification: Just hanging around the whole day, the flyer can be found on a wall near the kitchen. Maybe it offers important information, maybe it doesn't.

Function: To give the game a little more realism, the player can "talk" to the flyer to get a new job to do. If there is anything important to do, the flyer might give that information to the player if he just takes a look. This makes the player believe he is looking for a job himself and is not only the stupid learning-game-playing guy who has to do what the next colleague says.

Elevator access card: Description or specification: a card for using the elevator. It is made of plastic and holds a chip. What else did you expect?

Function: To give the game a more RPG-like style there is a card that allows the player to use the elevator instead of taking the stairs. To get it you must help an NPC. Using the elevator may bring the player to floors he could not reach by taking the stairs. As a vision, the building could have an endless number of floors, but to get there he first needs to find the access cards with clearance for a new set of floors. And before getting a new access card the player has to fulfil some special scenarios. So each floor could act as a new difficulty level.

3.5 In-Game assistance [sg, fe, af]

To support the player inside the 2D game we planned to implement a special NPC at a fixed position, in addition to the common assistance given by the normal NPCs. This special NPC takes the form of a geek. The player can visit this NPC whenever he wants. The geek helps the player for free with common information and hints. This information is also available, in more detail, in the wiki. The player can also ask for precise information to solve a specific task, but he has to pay for this information with the points he has earned. So the player should consider whether he really wants to pay for this information, because he does not have unlimited points. A sympathy system was also planned, in which the player earns sympathy points from a female employee with every successfully accomplished task. If the player asks the geek for concrete help he loses one sympathy point with the female employee. The purpose of this system is to discourage the player from asking for help too often. He shall try to reach and keep a positive relationship with the secretary and see how this relationship could evolve.

3.6 Behavior NPCs (Implementation XML)[sg, fe, af]

To achieve the intended main storyline of SHiNE, the large number of NPCs had to be coordinated using their implementable abilities. Needless to say, the plot so far has so much complexity that when implementing a new plot it is useful to create new NPCs as often as possible, because they can be integrated more easily than adjusting already existing ones. Detailed technical information about an NPC's XML structure is not described again at this point. Much more interesting might be a short look at the already existing NPCs of SHiNE and the motivation for their particular way of implementation:

First of all, every single NPC should get his own characteristic way of talking. How do you want the NPC to come across to the player? Is it a friendly one, or a direct one? Is he/she shy, or does he/she annoy the player? The way of talking should be implemented right at the beginning of the NPC's implementation by placing it in the so-called Smalltalk chapter. Because an NPC can have as many Smalltalks as you want (they appear randomly in the game whenever the NPC is talked to without having any important information to tell the player), this part of the implementation should be used. This technique also helps other programmers to easily figure out each existing NPC's way of talking, and maybe also its fads and tics, by consulting the Smalltalk chapter. Some examples:

The department chief is a very direct character. He talks briefly and dictatorially. So he personifies the selfish supervisor who seems to believe that he has to show his subordinates his higher position in order to be respected. That behaviour should quickly make him the last person the player wants to meet very often in the game. Another example is the secretary. Whenever she comes across the player she is friendly and helpful; sometimes she even flirts a bit or leaves her desk to meet the player and bring him information. She seems to be a woman doing her job very assiduously and taking charge of the whole office. Maybe she is also afraid of not being accepted because she is the assistant of the office's bad guy.

Basically, implementing a new NPC is not the problem. The real problem is the faultless matching of different NPCs with each other as part of a more complex plot. The given implementation format forces the programmer to take care of what a new NPC shall do, for example whether that NPC must be able to react differently in different situations. At this point every programmer is strongly advised to write up sequence charts; this is essential for clarity. To see the described implementation problems in the SHiNE game itself, recall the sequence chart of SHiNE's main storyline. Looking at it you should easily notice the large number of story chapters that depend on diverse preceding chapters. Accordingly, the involved NPCs have to be updated correctly after the end of each chapter and must not accidentally be set back to an already passed state. This special case, together with the possible case of an NPC being able to give the player more than one job at the same time (which may be triggered by passing through the storyline in some unusual but possible way), multiplies the complexity and thus requires additional NPC states. Consequently, the present format of the NPCs is good for quick add-ons and fundamentally very functional. But if you want to implement a storyline that is just a little bit complex, this undertaking requires detailed planning.

3.7 Realisation Flash-Client[cs, ju]

This section is about the implementation of the Flash game and the surrounding interfaces. It gives an overview of the new features and how they were implemented. The first step was our decision to rewrite the entire Flash game. The team came up with several requirements which could not be fulfilled by the previous implementation. Our goal was to create an interactive environment that provides more than just a link between the different scenarios. We introduced a completely new graphics engine with a slide depth simulation, sprite animations and compatibility with a tile editor. This enables the designer to create huge worlds with different areas and animated objects. With the implementation of the state machine engine the game becomes fully interactive. There are three object types which represent e.g. non-player characters (NPCs), items or doors. Each object contains a state machine and thus can be completely controlled by the game designer. The user changes the world with his individual interactions and so dives deeper into the game experience. As a result the world becomes much more interesting and less static. The NPCs are able to walk along a path which can be created with a waypoint editor. This allows pathfinding and exact movement control.

We improved the integration of external tasks "in the real world". Now the NPC objects can unlock the skills for a certain task, so the user is able to gain them by communicating with in-game characters. We developed an interface between Flash and JavaScript so that the browser-based PDA menu can be opened directly from the game without annoying popup windows.

To ensure that closing the browser does not affect the current game state, the state machine engine is connected to the remote game server and all changes are saved immediately to its database. The position of the player and of the walking NPCs is saved as well.

Finally, the Flash game is designed as a game engine. It only interprets external data like maps, object state machines and waypoint maps. As a result the game content and even the graphics can be exchanged completely without changing the actual game code.

3.7.1 Implementation

The implementation of the flash game can be subdivided into four major components (see figure 2).

Figure 2: major components

The graphics engine is responsible for the presentation of the game. It handles user input, determines collisions, organises the scene, manages path finding, provides the dialog boxes and supports the animation script. For the user input we introduced a hierarchical manager to delegate the mouse/keyboard inputs to the right game component. This is done to prevent a mouse click being received by more than one input object (for instance the player itself and the open talk dialog). Collision detection is done with simple geometric intersection tests: each object contains one rectangle, and whenever the collision rectangles of two objects overlap the engine detects a collision. Because of the slide perspective view of the game it is necessary to sort the visible sprites by their vertical position. The animation script allows the designer to define nearly any kind of animation. The perspective and the view angle of the object are managed by the animation set principle. Each object has its own bitmap with all its animation frames. The animation script/set defines under which circumstances which animation frame is used. A detailed description can be found in the appendix "scene management and animations".

The game controller is the link between the other components and controls the entire game. It loads the map, creates objects (NPCs, trigger areas and items), handles map switches and delegates messages from the game server to the graphics engine.

The game server interface is the interface to the remote game server (written in CakePHP). It supports functions for scoring, exchanging the game state, unlocking skills and scenario organisation. The detailed interface description can be found in the appendix "Game server interface". The state machine engine is nested in the game server interface and runs fully within the Flash game. In a future implementation it may be relocated to the game server; to ease this step we hid it behind the game server interface. Nevertheless it provides the core control of the game. All state machines are grouped here and it supports functions to dispatch events and query states. (For further study of the game architecture see the "class diagram of the flash game" in the appendix.)

3.7.2 State Machine

State machines are a widespread approach in computer science and enable us to describe simple behaviours for the objects (e.g. NPCs, items). The state machine could be called the game logic. State machines, also called "finite state machines", are a concept for solving logical problems. We used them to have an easy and scriptable behaviour for every interactable object in our game. Our state machine consists of three main object types. First, the states. A state is the description of every changeable attribute that belongs to a specific game object. For example, the attributes

• visible

• collision

• active

would be a good start for a state machine called Pitfall. The state machine holds several of these states with the mentioned attributes but different values. The second part are the so-called "connections" between states; they define to which states the current state can change. These connections have different conditions on which they react, e.g. state "Disabled" has a connection to state "Active", where the attributes for the state "Disabled" are visible, no collision, inactive (normally these would be variable types, but readable values are used for illustration) and for "Active" they would be not visible, has collision, active. Now the new connection, let's call it "Activate", waits for an event, maybe "Trigger". If the state machine is in the state "Disabled" and receives the event "Trigger", it changes into the state "Active", because our connection between "Disabled" and "Active" is waiting for the event "Trigger".

If you imagine the pitfall in a game, the state "Disabled" would mean that everybody can see it and walk over it without anything happening. After activating it, maybe by a switch, nobody can see it, but if someone walks over it he falls in. What happens is quite simple: after triggering the state from "Disabled" to "Active", the object associated with the state machine got a collision area, and if someone runs over it the game gets the response "Oh look, someone walked on our pitfall, do something" and has to react in a proper way, maybe let the player die. But our pitfall can only be activated, because there is no connection from the state "Active" back to "Disabled". If we create one that waits for the same "Trigger" event, we can switch our pitfall on and off. To extend the example we add a connection from "Active" to a new state called "Released" that waits for the event "Collision". Collision is triggered if someone walks on our pitfall while it is activated. After someone has walked on our pitfall it is disabled and cannot be enabled again, because there is no connection back from "Released"; it is a one-way state.

It is also possible to automatically dispatch events to other state machines when a state changes. The switch to enable and disable our pitfall does exactly that. It is a state machine with two states, on and off, and with two connections that wait for the player event "Action". If the player uses his action key on his keyboard and thus triggers the action event at our switch state machine, it changes to the next state, and because both states wait for the same event it is an endless on, off, on, off loop. So when the switch changes its state it sends the event "Trigger" to our pitfall state machine, which waits exactly for this event. You can also create several connections that wait for different triggers to create more complex behaviour. The possibilities are almost endless.
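The Pitfall and Switch example above, worked through as an added JavaScript example (it is not code from the SHiNE Flash client): a small event-driven state machine engine with states as attribute sets, connections that wait for one event, and events dispatched automatically to other machines on a state change. The attribute values of the "Released" state and the connection name "Deactivate" are assumptions; the engine also shows the behaviour the game objects section relies on, namely that a machine silently ignores an event it has no connection for.

```javascript
// Added example, not the SHiNE client's own code. Each machine has
// named states (attribute sets), connections (from -> to, waiting on
// an event) and optional events that are dispatched to other machines
// whenever a connection fires.
class StateMachine {
  constructor(name, states, initial) {
    this.name = name;
    this.states = states;     // { stateName: { visible, collision, active } }
    this.current = initial;
    this.connections = [];    // { name, from, to, event, emit: [{ target, event }] }
    this.log = [];            // human-readable record of transitions
  }
  // Register a connection; `emit` lists events auto-dispatched on change.
  connect(name, from, to, event, emit = []) {
    this.connections.push({ name, from, to, event, emit });
    return this;
  }
  attributes() { return this.states[this.current]; }
  // Deliver an event. Only a connection leaving the current state that
  // waits for exactly this event fires; any other event is ignored,
  // just as an item's machine ignores a "talk" event it does not know.
  dispatch(event) {
    const conn = this.connections.find(c => c.from === this.current && c.event === event);
    if (!conn) return false;
    const prev = this.current;
    this.current = conn.to;
    this.log.push(`${this.name}: ${prev} -> ${conn.to} (${conn.name} on ${event})`);
    for (const e of conn.emit) e.target.dispatch(e.event);
    return true;
  }
}

// The pitfall and the switch from the text. Attribute values of
// "Released" and the name "Deactivate" are assumptions.
function buildPitfallWorld() {
  const pitfall = new StateMachine('pitfall', {
    Disabled: { visible: true,  collision: false, active: false },
    Active:   { visible: false, collision: true,  active: true  },
    Released: { visible: true,  collision: false, active: false },
  }, 'Disabled');
  pitfall.connect('Activate',   'Disabled', 'Active',   'Trigger')
         .connect('Deactivate', 'Active',   'Disabled', 'Trigger')
         .connect('Release',    'Active',   'Released', 'Collision');

  const sw = new StateMachine('switch', {
    Off: { visible: true, collision: false, active: false },
    On:  { visible: true, collision: false, active: true  },
  }, 'Off');
  // Both connections wait for the player event "Action" (endless on/off
  // loop) and forward "Trigger" to the pitfall on every change.
  sw.connect('TurnOn',  'Off', 'On',  'Action', [{ target: pitfall, event: 'Trigger' }])
    .connect('TurnOff', 'On',  'Off', 'Action', [{ target: pitfall, event: 'Trigger' }]);
  return { pitfall, switch: sw };
}

// Walk through the scenario: the player toggles the switch twice, a
// collision on the disabled pitfall does nothing, then the pitfall is
// activated again and the player walks onto it, releasing it for good.
function runScenario() {
  const w = buildPitfallWorld();
  const seen = [];
  w.switch.dispatch('Action');      // switch On  -> pitfall Active
  seen.push(w.pitfall.current);
  w.switch.dispatch('Action');      // switch Off -> pitfall Disabled again
  seen.push(w.pitfall.current);
  w.pitfall.dispatch('Collision');  // ignored: Disabled has no Collision connection
  seen.push(w.pitfall.current);
  w.switch.dispatch('Action');      // switch On  -> pitfall Active
  w.pitfall.dispatch('Collision');  // player falls in -> Released (one-way)
  seen.push(w.pitfall.current);
  w.switch.dispatch('Action');      // Trigger reaches Released, which ignores it
  seen.push(w.pitfall.current);
  return { seen, log: w.switch.log.concat(w.pitfall.log) };
}
```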


3.7.3 Gameobjects(NPCs, items, trigger areas)

There are three main types of game objects in our game: NPCs, items and trigger areas. All these objects have a state machine working in the background to control their behaviour, but with different parameters. If you compare NPCs with items there are several differences, e.g. you can use talk events on NPCs but not on items; a state machine for items does not know this event and will ignore it. It is even impossible to script items that react to talk events, because the predefined XSD structures forbid it.

The NPC (non-player character) is a computer-controlled character and has the most interaction and control possibilities of all game object types. It can talk with you, ask you questions and wait for a correct answer (even multiple choice is possible). If it has nothing to do it can walk around and will stop if you want to talk to it, telling you something random if there is no real text to say. It can search for specific (way)points in the map and walk to them, or do nothing at all. NPCs can react to the following events:

• talk (the player talks to the npc)

• touch (the player comes near the npc)

• action (the player presses the action button on his keyboard and is near the npc)

• collision (the player hits the npc)

• correctAnswer (the player gives the correct answer(s))

• answer (the player gives a not correct answer)

• reachDest (the npc reached his desired waypoint)

• triggerEvent (the npc got an event from another statemachine)

• globalEvent (event that every statemachine gets)

An item represents a game object that is either lying around on the floor, collected and in the player inventory, or removed from the game, which means it is neither lying around nor in the player inventory. Items in the inventory can be used to open doors, repair switches, bring a cup of coffee to your boss, gain access to a computer, etc. In contrast to NPCs they are passive objects that do not do anything on their own until the player interacts with them. Items can react to the following events:

• touch (the player comes near the item)

• action (the player presses the action button on his keyboard and is near the item)

• collision (the player hits the item)

• triggerEvent (the item got an event from another state machine)

• globalEvent (event that every statemachine gets)

The trigger area is not really an object the player can use or see; it is more a scripting help for the content builders. Trigger areas have the shape of a rectangle of any size and are invisible. Their only purpose is to send "Trigger" events to other state machines if the player moves onto them. They cannot do anything more and are only used if something should happen automatically when the player enters a special area. For example you could place a trigger area at the entrance of a room that switches the light on if the player enters the room (and therefore walks on the trigger area). Trigger areas can react to the following events:

• collision (the player hits the trigger area)

• triggerEvent (the trigger area got an event from another state machine)

• globalEvent (event that every statemachine gets)
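The switch/pitfall story above and the three event lists can be put together in a small interpreter. The following is an added example, not code from the SHiNE Flash client: the state, event and object names come from the text, while the Python API (`World`, `StateMachine`, `connect`, `dispatch`) is an assumption. It shows the two behaviours the text stresses: a transition can automatically dispatch events to other machines, and an event an object type does not know (a `talk` event sent to an item) is simply ignored.

```python
# Added example (not code from the SHiNE Flash client): an event-driven state
# machine interpreter modelled on the pitfall/switch description and on the
# three event lists above. The Python API and the object names are assumed.
from dataclasses import dataclass, field

# Events each game-object type understands, taken from the lists above. An
# event not in the set is ignored, like a 'talk' event sent to an item.
ALLOWED_EVENTS = {
    "npc": {"talk", "touch", "action", "collision", "correctAnswer", "answer",
            "reachDest", "triggerEvent", "globalEvent"},
    "item": {"touch", "action", "collision", "triggerEvent", "globalEvent"},
    "triggerArea": {"collision", "triggerEvent", "globalEvent"},
}


@dataclass
class Transition:
    target: str
    emit: tuple = ()          # (machine name, event) pairs sent on this transition


@dataclass
class StateMachine:
    name: str
    kind: str                 # "npc", "item" or "triggerArea"
    state: str
    transitions: dict = field(default_factory=dict)  # state -> event -> Transition
    log: list = field(default_factory=list)

    def connect(self, src, event, dst, emit=()):
        """Add a connection from src to dst that waits for event."""
        self.transitions.setdefault(src, {})[event] = Transition(dst, tuple(emit))


class World:
    """Holds all machines and routes events, including machine-to-machine ones."""

    def __init__(self):
        self.machines = {}

    def add(self, machine):
        self.machines[machine.name] = machine

    def dispatch(self, name, event):
        """Deliver one event to one machine; returns True if its state changed."""
        m = self.machines[name]
        if event not in ALLOWED_EVENTS[m.kind]:
            m.log.append(f"ignored {event}")      # unknown for this object type
            return False
        t = m.transitions.get(m.state, {}).get(event)
        if t is None:
            return False                          # no connection waits for it
        m.log.append(f"{m.state}->{t.target}")
        m.state = t.target
        for other, other_event in t.emit:         # automatic dispatch on change
            self.dispatch(other, other_event)
        return True

    def broadcast(self, event="globalEvent"):
        """A global event reaches every machine; returns those that changed."""
        return [n for n in self.machines if self.dispatch(n, event)]


def build_pitfall_world():
    """The switch/pitfall pair from the text. The narrative's 'Trigger' and
    'Collision' events are the list's triggerEvent and collision."""
    w = World()
    switch = StateMachine("switch", "item", "off")
    switch.connect("off", "action", "on", emit=[("pitfall", "triggerEvent")])
    switch.connect("on", "action", "off", emit=[("pitfall", "triggerEvent")])
    pit = StateMachine("pitfall", "triggerArea", "Disabled")
    pit.connect("Disabled", "triggerEvent", "Active")
    pit.connect("Active", "triggerEvent", "Disabled")
    pit.connect("Active", "collision", "Released")   # one-way state: no way back
    w.add(switch)
    w.add(pit)
    return w


def run_pitfall_story():
    """Play the sequence described in the text and return the final states."""
    w = build_pitfall_world()
    w.dispatch("pitfall", "collision")   # Disabled: walking over it does nothing
    w.dispatch("switch", "action")       # switch on -> pitfall becomes Active
    w.dispatch("switch", "talk")         # items do not know talk events
    w.dispatch("pitfall", "collision")   # player falls in -> Released
    w.dispatch("switch", "action")       # switch off, but Released stays Released
    return {n: m.state for n, m in w.machines.items()}


if __name__ == "__main__":
    print(run_pitfall_story())   # {'switch': 'off', 'pitfall': 'Released'}
```

Each machine keeps a log of its transitions and ignored events, which is the kind of trace a content builder needs when an XML script does not behave as expected.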

3.7.4 Tile editor

One of the key decisions in recreating the Flash game was to use the "Tiled" editor for creating the 2D world. It is a free editor (GNU license) which allows the designer to create any kind of 2D tile map, and it is written in Java, so it can be used on any common operating system. The code is well commented and can be extended for further requirements. It uses multiple layers to simulate different heights. One of the major features of the editor is the possibility to customize all components of the map: the whole map, each layer and each tile can be annotated with key-value pairs (properties) to configure the map for our goals. The result is a short XML file that can be read by the Flash game and is the main definition of a certain area (e.g. an office, the cellar or the entrance). On the one hand it is the tool to design the layers with the tile graphics and the graphical overview of a map; on the other hand it enables the designer to put the objects on the map and define collisions. Normally the editor doesn't support placing game objects in the world. To achieve this, the map designer can set a certain property on a layer (e.g. type=objects), and the Flash game then treats the whole layer as an object placement layer. Instead of drawing the placed tiles, the Flash game reads the properties of each tile and, depending on its configuration, loads an NPC, TriggerArea, Item or a SpawnPoint. The collision for a tile can be defined by the property "block=true". For further documentation on creating a map see the appendix "the tile map".


3.7.5 Waypoint editor [dl]

Overview

Name: Waypoint-Editor
Created by: Daniel Lueers
Size: 76 kb
Runnable on: Windows, Mac, Unix
Output file type: XML
Programming language: Java 6.0

Description Waypoints can be set with the Tiled editor, but the option to connect the waypoints with each other is very complicated and there are no visual connections. So we decided to assign one person to develop our own waypoint editor for our special requirements. The programmer paid special attention to usability, so every important option is positioned directly on the main screen; there is no searching needed to find any feature. When a user works with the program for the first time, he will directly know what to do. There are also tooltips for most functions, which tell the user what the function is for and how to use it. The waypoint editor can be used in later projects which need waypoints.

Main functions

Auto-Create-Connection-Function The "auto-create-connection" function is very useful for fast working. When a waypoint is set, a connection is automatically created from the last waypoint to the current waypoint.

Add-Additional-Connections-Function Furthermore, you can add additional connections between any waypoints. There is no limit to the number of connections of one waypoint.

Rename-Function The waypoints get names automatically, for example "Waypoint-Nr.1", but there is the "rename" function for renaming them. There is no limit to the number of letters in a name.

Set-Connection-Weight-Function With the "set-connection-weight" function you can give the connections between waypoints weights. The higher the weight, the sooner an NPC will walk along that connection.

Delete-Function Of course there is a "delete" function for removing waypoints and/or connections.

Wireframes In the view menu the user finds an option to enable two different kinds of wireframes (grids). The first one shows the user a 25x25-pixel grid. The second one splits the screen into 50x50-pixel squares. With this grid it is very easy to set a waypoint at the correct position on the first try.

Auto-Position-Function The "auto-position" function runs in the background and cannot be disabled, because disabling it would not make sense. On every mouse click the function calculates which 50x50 square the user meant and sets the waypoint at the right position. With the help of this function you can work very fast with the program.

Drag-and-Drop Sometimes you don't want the program to calculate a "perfect" position for you. For this the developer implemented a drag-and-drop function: the user can click on a waypoint and, while his mouse button is down, drag the waypoint back and forth. The connections that belong to the dragged waypoint are recalculated in real time. That is one reason for the very fluid and fast workflow: every change the user makes is visualized directly.

Drag-and-Drop for map-files This feature allows the user to drag a map file into the program. The program knows what to do with a map file and automatically calls the appropriate methods, so the user doesn't have to use the implemented file chooser.

Load-Map-Function The "load-map" function is for loading maps. It was very difficult to implement, because the Tiled editor creates an XML file where some information is stored bitwise, for example the information about which tile is at which position. This information looks like

<data encoding="base64">EQAAAAAARAAAAEQAAAAAARAAAAA</data>

The programmer had to implement a Base64 decoder, which was very difficult and needed much time.
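What the loader actually has to do with that base64 string is decode it into the per-cell tile ids (gids) and then look those ids up against the tile properties, for example `block=true`, to know where the player cannot walk. The following is an added example in Python, not the waypoint editor's Java loader or any SHiNE code; the 4x2 map, its tileset and the gid values are constructed so that the result is known. It handles the uncompressed base64 layout Tiled writes (one little-endian 32-bit gid per cell, row by row, with the flip flags in the top bits) and rejects data whose length does not match the layer size; gzip- or zlib-compressed layers are deliberately not handled.

```python
# Added example, not the waypoint editor's Java loader: decoding a Tiled map
# layer stored as base64 (uncompressed) and deriving the collision cells from
# tile properties such as block=true. The map below is constructed.
import base64
import struct
import xml.etree.ElementTree as ET

# Tiled keeps three flip flags in the top bits of each 32-bit gid; mask them off
# to get the plain tile id. Gid 0 means "empty cell".
FLIP_MASK = 0x1FFFFFFF


def encode_layer(gids):
    """Inverse of decode_layer, used here only to construct sample data."""
    return base64.b64encode(struct.pack(f"<{len(gids)}I", *gids)).decode()


def decode_layer(b64_text, width, height):
    """Base64 layer data is an array of width*height little-endian uint32 gids,
    row by row. Returns a list of rows. Compressed data (compression="gzip"
    or "zlib") is not handled here."""
    raw = base64.b64decode("".join(b64_text.split()))
    if len(raw) != 4 * width * height:
        raise ValueError(f"expected {4 * width * height} bytes, got {len(raw)}")
    gids = struct.unpack(f"<{width * height}I", raw)
    return [[g & FLIP_MASK for g in gids[r * width:(r + 1) * width]]
            for r in range(height)]


def blocking_gids(root):
    """Gids whose tileset entry carries the property block=true."""
    blocked = set()
    for tileset in root.iter("tileset"):
        first = int(tileset.get("firstgid"))
        for tile in tileset.iter("tile"):
            for prop in tile.iter("property"):
                if prop.get("name") == "block" and prop.get("value") == "true":
                    blocked.add(first + int(tile.get("id")))
    return blocked


def collision_cells(map_xml):
    """(x, y) cells the player cannot walk on, over all layers of the map."""
    root = ET.fromstring(map_xml)
    blocked = blocking_gids(root)
    cells = set()
    for layer in root.iter("layer"):
        width, height = int(layer.get("width")), int(layer.get("height"))
        data = layer.find("data")
        if data is None or data.get("encoding") != "base64":
            raise ValueError("only base64-encoded layer data is handled here")
        for y, row in enumerate(decode_layer(data.text, width, height)):
            for x, gid in enumerate(row):
                if gid in blocked:
                    cells.add((x, y))
    return cells


# Constructed 4x2 layer: gid 1 = floor, gid 2 = wall (block=true), 0 = empty.
SAMPLE_GIDS = (1, 2, 1, 0,
               0, 2, 2, 1)
SAMPLE_DATA = encode_layer(SAMPLE_GIDS)

SAMPLE_MAP = f"""<map width="4" height="2" tilewidth="32" tileheight="32">
 <tileset firstgid="1" name="walls">
  <tile id="1">
   <properties><property name="block" value="true"/></properties>
  </tile>
 </tileset>
 <layer name="ground" width="4" height="2">
  <data encoding="base64">{SAMPLE_DATA}</data>
 </layer>
</map>"""

if __name__ == "__main__":
    print(decode_layer(SAMPLE_DATA, 4, 2))        # [[1, 2, 1, 0], [0, 2, 2, 1]]
    print(sorted(collision_cells(SAMPLE_MAP)))    # [(1, 0), (1, 1), (2, 1)]
```

The length check matters for a loader that reads files produced by another tool: a truncated or hand-edited `<data>` element would otherwise silently yield a map with missing rows.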

Load-and-Save-Waypoints-Function The user can save his work; the normal XML file is then generated. He is also able to load such an XML file to continue his work later. Responsible for this function is the Java class Pathload.java.

Technical details The program is developed with Java 6.0. It works under Windows, Mac OS and Unix systems. It has the same look and feel as the system and is stand-alone software; it is independent from other programs like e.g. Internet Explorer. It consists of 17 classes. The code is documented very thoroughly, so any programmer who wants to continue developing shouldn't have any big problems working with the code. The developer used the model-view-controller pattern: if any data changes, the GUI updates immediately. That is, among other things, a reason for the stability and speed of the waypoint editor. The programmer created an XML generator to save the path and to create the XML file which is read by the game. The path loader is for loading saved path (XML) files so you can continue your work later.

4 Description of Game Topology [ts]

The topology clones a fictional company's network. Almost everything that is to be found in today's networks is implemented. The network consists of three different areas: the (Game) Internet, the DMZ (Demilitarised Zone) and the LAN (Local Area Network), which itself is divided into several VLANs (Virtual LANs). The Internet and the DMZ are connected by a firewalled router, as are the DMZ and the LAN. Inside every area a switch connects the machines.

There are a lot of security features implemented in the topology. Honeypots in the Game Internet and the DMZ are placed to lure attackers into attacking them instead of the real network/clients. Honeypots are virtual networks/clients that look very attractive, so it's likely attackers will attack them. There are also IDSs (Intrusion Detection Systems) and monitoring tools: ntop/cacti are used for monitoring, whereas Snort, Samhain and Prelude implement intrusion detection.

The Game Internet consists of 3 machines. The first is the OpenVPN Server. It allows users from the real internet to connect to the game and topology. The second is the game server and the third is the game engine server. It has a direct communication channel to the LAN, so that players and the game engine can access machines behind the firewalls.

The DMZ consists of 2 machines. The first is the honeypot and the second the DMZ server which acts as DNS server, FTP Server, mail server and internet server.

The LAN consists of several machines divided into several VLANs. The IDSs and monitoring tools are hosted on machines there. The Snort machine is connected to every switch via a layer 2 (see OSI layer model) link so that it is able to monitor and control the whole network traffic.


Figure 3: The Topology

5 Scenarios

5.1 Basic scenarios [jp]

5.1.1 Console

In-Game name of scenario

Practice makes perfect

Learning target

For the whole game and nearly all of the following scenarios the player needs knowledge of using a Linux system. Even though most users will have some Linux experience, there is a need for a basic Linux scenario to explain the very primary commands on a Linux command line. The user should also learn how to navigate through the file system and what a Linux file system looks like. Another basic piece of knowledge which should be communicated to the user is how he can get information about his own system. Summarized, there are three learning targets in this scenario:

• basic commands on a Linux command line

• Navigation through the file system / file handling

• getting information about the own system (e.g. IP address)

Problem and task

The player has a list of several tasks in this first scenario:

• find the directory where log files normally would be

• copy the file in own home-directory

• get the IP address of the own system

• rename the file: IP address as new filename

Order from boss

• find out in which directory log files normally would be saved

• check the log files as one of this must mention a ”secret tool”

• copy this log file to your home directory

• detect the IP address of your system

• rename the log file in your home directory with your IP address, but don't forget the .log extension

In-Game assistance non specific

Wiki

For player assistance there is a lot of information about the basic Linux commands in the wiki. (See E.1.1 on page 93)

Precondition Skills

This is the very first scenario which every player has to play. Therefore there are no preconditions for the user skills. A player without any Linux experience should be able to solve this scenario as well as a Linux pro.

Precondition Scenarios

Like the preconditions for user skills, there are no preconditions for other scenarios either. This one is the very first.

Precondition Environment

This scenario runs on a single machine and doesn't affect any serious system configuration. Therefore there are no special preconditions for the environment. Only a normally installed Linux system, to which the player has access as a normal user, is needed.

Implementation framework

The scenario was implemented as a set of Linux shell scripts. Due to the framework implementation there are several scripts for setting up the target Linux system, evaluating the player's result and cleaning up the system afterwards.

5.1.2 Vi

In-Game name of scenario

Nobody is playing

Learning target

A Linux system has almost thousands of configuration files. These are normally text files. Therefore a player needs knowledge of how to modify a text file on a Linux command line. For this purpose the editor Vi is the all-time favorite. This scenario will train the user in handling a newer and better version of this editor called Vim. But modifying configuration files is not the only thing; the player also needs to know how to find a particular file in the entire system. After this scenario he should know this. In summary there are these two learning targets:

• search files with a special expression

• basic usage of the Vi/Vim editor

Problem and task

The player needs a few steps to achieve this scenario:

• get information about the usage of Vi/Vim (Wiki ->vimtutor)

• self-educated training of Vim commands

• find a file with a special string inside

• modify this file in various ways

Order from boss

• find a file on your system which contains the string "Myrath"

• modify the file in following ways:

- delete the data set of ”Bill Jobs”

- change the salary for ”Steve Gates” to 100.000

- add a ”holiday” section with a value of 30 to every employee

• save the changed file

In-Game assistance non specific

Wiki

There is a lot of information about searching for a file in a Linux system and the usage of the Vim editor in the wiki. (See E.1.2 on page 97)

Precondition Skills

The player only needs basic Linux skills.

Precondition Scenarios

For this scenario the player has to complete the Linux basics scenario first. So this should be the second scenario and another cornerstone for the further way of learning.

Precondition Environment

This scenario runs on a single machine and doesn't affect any serious system configuration. Therefore there are no special preconditions for the environment. Only a normally installed Linux system, to which the player has access as a normal user, is needed.

Implementation framework

The scenario was implemented as a set of Linux shell scripts. Due to the framework implementation there are several scripts for setting up the target Linux system, evaluating the player's result and cleaning up the system afterwards.
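The framework's evaluation step for the two basic scenarios (Console and Vi) is small enough to show end to end. The following is an added example in Python, not one of the project's shell scripts; it keeps the framework's return code convention (0 means solved, any other value identifies the failed step). The console check looks for `<home>/<ip>.log` containing the "secret tool" mention; the Vi check verifies the three edits from the boss's order. The employee file format (blocks of `key: value` lines) and all names, salaries and addresses are assumptions constructed for the example.

```python
# Added example, not one of the project's scenario scripts: the evaluation step
# of the Console and Vi scenarios, written in Python with the framework's return
# code convention (0 = solved, anything else = the step that failed). The
# employee file format used for the Vi scenario is an assumption.
import os
import re
import tempfile

SECRET_MARKER = "secret tool"
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def evaluate_console(home, ip):
    """Console scenario: the log mentioning the secret tool must have been
    copied to <home>/<ip>.log. Returns 0 on success, else a failure code."""
    if not IPV4_RE.match(ip):
        return 3                                  # no usable IP address given
    path = os.path.join(home, f"{ip}.log")
    if not os.path.isfile(path):
        return 1                                  # file not copied / not renamed
    with open(path, encoding="utf-8", errors="replace") as fh:
        if SECRET_MARKER not in fh.read():
            return 2                              # wrong log file was copied
    return 0


def parse_records(text):
    """Assumed format: one employee per block of 'key: value' lines, blocks
    separated by blank lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        records.append(record)
    return records


def evaluate_vi(text):
    """Vi scenario: Bill Jobs removed, Steve Gates earns 100.000, everybody has
    a holiday entry of 30."""
    records = parse_records(text)
    if any(r.get("name") == "Bill Jobs" for r in records):
        return 1
    steve = [r for r in records if r.get("name") == "Steve Gates"]
    if len(steve) != 1 or steve[0].get("salary") != "100.000":
        return 2
    if any(r.get("holiday") != "30" for r in records):
        return 3
    return 0


# Constructed employee files: before and after the player's edits.
UNSOLVED = """name: Bill Jobs
salary: 80.000

name: Steve Gates
salary: 90.000

name: Myrath Lee
salary: 70.000
"""

SOLVED = """name: Steve Gates
salary: 100.000
holiday: 30

name: Myrath Lee
salary: 70.000
holiday: 30
"""


def demo_console():
    """Run the console check in a temporary home directory, before and after
    the player copies and renames the right log file (constructed content)."""
    with tempfile.TemporaryDirectory() as home:
        before = evaluate_console(home, "10.0.0.5")    # constructed IP
        with open(os.path.join(home, "10.0.0.5.log"), "w", encoding="utf-8") as fh:
            fh.write("Mar 31 10:00:01 pc5 secret tool started\n")
        after = evaluate_console(home, "10.0.0.5")
    return before, after


if __name__ == "__main__":
    print(demo_console(), evaluate_vi(UNSOLVED), evaluate_vi(SOLVED))
```

Distinct return codes per failed step are worth keeping in such scripts: the game engine only needs zero versus non-zero, but whoever maintains the scenario can see from the code which of the boss's instructions the player missed.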

5.2 Man-in-the-middle scenarios

5.2.1 ARP-Spoofing [rb]

In-Game name of scenario Whom’s th’MAC?!

Learning target

• Knowledge of MAC Addresses

• Knowledge of ARP

• understand Spoofing

Problem and task The player has to find out how to use the arp command. His task is to show whether something is wrong in the network and an attacker is spoofing the net. Therefore he is given the hint to use the arp command and the manual for this command line tool. He has to find out

• which devices are connected with his computer

• the mapping of IP addresses and MAC addresses

• which host is spoofing

Order from boss "There is something wrong in the network, please check the connections"

In-Game assistance the man pages

Wiki

• arp E.2.1

• mac E.2.1

• arp spoofing E.2.1

Precondition Skills

• linux basics

• arp

Precondition Scenarios

• linux basics

Precondition Environment This scenario is a single player scenario. It is located in the DMZ, and the ARP spoofing could have influences on other players.

Implementation framework This scenario uses the hosts DMZ-Server and DMZ-HoneyD. One host is used as the user's host, the other is the automatic spoofer. If the user is using the arp command, the spoofer will be informed and spoof the host for a given time. The user should see the changes in the ARP table before spoofing, while spoofing and after spoofing. To give the user a chance to see the correct ARP table, the spoofing is started after a short break following the use of the arp command.

Changes in the environment while gameplay

Host user

Figure 4: Scenario ARP Location

• replacing the arp command on the user's host to know when the user is using the arp command, and to time the spoofing

• add a group with sudo rights for using the arp program

• installation of expect for automatic remote connection

• add backup directory and undo scripts

• add the user to the group with partial sudo rights

Figure 5: Scenario ARP sequence


Host Drone

• install sudo and ettercap if not installed

• add a spoofing user

• add a spoofing script which spoofs the user's IP when started
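What the player is expected to notice in this scenario is the difference between the ARP table before and during the spoofing: an IP address that suddenly resolves to another host's MAC, and one MAC that answers for two IPs. The following is an added example written from the defender's side, not one of the scenario's scripts; it parses snapshots in the layout of `arp -n` on Linux, reports the changed entries and shared MACs, and names the host that legitimately owned the MAC now claiming another IP. All addresses in the two snapshots are constructed.

```python
# Added example (defender's side, not one of the scenario scripts): comparing
# ARP table snapshots, as printed by 'arp -n' on Linux, to spot the changes the
# player is meant to find. All addresses below are constructed.
import re

# "10.0.0.1   ether   aa:bb:cc:dd:ee:01   C   eth0" -> (ip, mac); lines with
# "(incomplete)" carry no MAC and are skipped, as is the header line.
ARP_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def parse_arp(text):
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def shared_macs(table):
    """One MAC answering for several IPs: the classic sign of ARP poisoning."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(before, after):
    """IPs whose MAC differs between the two snapshots: ip -> (old, new)."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}


def suspected_spoofers(before, after):
    """The host that legitimately owned a MAC which now also claims another
    host's IP is the one doing the spoofing."""
    owners = {}
    for ip, mac in before.items():
        owners.setdefault(mac, set()).add(ip)
    culprits = set()
    for ip, (_old, new) in changed_entries(before, after).items():
        culprits.update(owner for owner in owners.get(new, ()) if owner != ip)
    return sorted(culprits)


def analyse(before_text, after_text):
    before, after = parse_arp(before_text), parse_arp(after_text)
    return {
        "changed": changed_entries(before, after),
        "shared": shared_macs(after),
        "spoofer": suspected_spoofers(before, after),
    }


# Constructed snapshots: before the spoofing starts and while it runs. The
# gateway 10.0.0.1 suddenly resolves to the MAC of 10.0.0.7.
ARP_BEFORE = """Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   aa:bb:cc:dd:ee:01   C                     eth0
10.0.0.7                 ether   aa:bb:cc:dd:ee:07   C                     eth0
10.0.0.9                         (incomplete)                              eth0
"""

ARP_DURING = """Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   AA:BB:CC:DD:EE:07   C                     eth0
10.0.0.7                 ether   aa:bb:cc:dd:ee:07   C                     eth0
"""

if __name__ == "__main__":
    print(analyse(ARP_BEFORE, ARP_DURING))
```

The same comparison is what arpwatch does continuously for the drone host in the next scenario; taking a snapshot before the spoofing starts is what makes the later change attributable to a specific host.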

5.2.2 Hijacking[rb]

In-Game name of scenario Intruders!

Learning target

• Knowledge of TCP

• 3 Way Handshake

• Knowledge about ARP-Spoofing and poisoning

• man in the middle attacks

• poor security of telnet

Problem and task The user has to find out how to start a man in the middle attack.

Order from boss

In-Game assistance linux manuals

Wiki

• telnet E.2.2

• ettercap E.2.2

• man in the middle E.2.2

• session hijacking E.2.2

Precondition Skills

• telnet

• mitm

• spoofing

• ettercap

• arp

Precondition Scenarios

• linux basics

• mitm arp

Precondition Environment

This scenario is a single player scenario. It is located in the DMZ, and the ARP spoofing could have influences on other players.

Implementation framework

Changes in the environment while gameplay

Host User

• installation of ettercap and sudo if not installed

• add a group with sudo rights for ettercap usage

• add the user to this group

Host Drone

• installation of arpwatch and expect if not installed

• add a script for automatic telnet login

• add a background check whether this host is being spoofed

If the drone is spoofed, the automatic telnet script will log in to a telnet server 5 times, to give the user 5 chances to see the password. This password is the string needed for the string evaluation in the game engine.


Figure 6: Scenario ARP sequence

5.2.3 SSL-Cracking [aoe]

In-game name of scenario Bugging operations

Learning target The user should learn about the dangers of man-in-the-middle attacks and how difficult it is to recognize them even within a secure SSL request. To achieve this goal he has to learn how a man-in-the-middle attack against an SSL connection is set up. Within this large topic the user also has to get to know the function of SSL and SSL certificates, the way network packets are forwarded, how DNS works and how it can be used together with web proxies for emulating a website.

Problem and task SSL communication with a web server is always encrypted and under normal conditions impossible for a third party to read. Therefore it is mainly used for security-relevant requests such as online banking or payment.

For sniffing the traffic to an SSL server as a third party, the user has to reroute the whole traffic of the targeted PC over his own computer using an ARP spoofing attack. Now all traffic can be read by him, but the SSL traffic is still not readable due to its encryption. To change this the user has to make the attacked computer believe that the targeted SSL server is on the user's computer, using DNS spoofing to map the web address to his own local IP address. Now all requests for the targeted SSL server end at the user's computer. Because the content of the SSL web server is not on the player's computer, it would only be an empty website. The user has to load the content from the real SSL server into his faked web server using a web proxy. The attacked PC now sees the website as it used to, but is accessing it through the user's computer. Now a new SSL certificate can be written and given to the attacked computer. With this new certificate the traffic can be decrypted and read.

Order from boss An employee communicates with a suspicious SSL webserver. The boss assumes espionage by the employee. Because of this, the user has to decrypt the traffic of the employee and report it to the boss.

Wiki The user will be supported by articles in the wiki concerning ARP spoofing, man-in-the-middle attacks and SSL.

Precondition Skills

The user needs the skills: DNS, DNS server manipulation, mitm, ARP, spoofing, SSL, sniffing, proxies

Precondition Scenarios

The user should have completed the Hijacking Scenario as well as the DNS-Spoofing scenarios.

Precondition Environment

The scenario can only be played by one person at a time.

Implementation framework

The setup scripts of this scenario will start up an SSL web server in the Game Internet, start a task on the attacked computer which checks the web server every 20 seconds, and install all needed tools on the player's PC.

The validation script will check if the traffic of the attacked computer has been read.

The cleanup scripts will shut down the SSL web server and the task on the attacked computer. They also remove all special tools for this scenario from the player's PC.

5.3 Password Hacking [ts]

5.3.1 John the Ripper

In-Game name of scenario Security Gap

Learning target

• selection of safe passwords

• difference between dictionary and brute force attack

Problem and task The player has to check the company's password hashes for weak passwords.

Order from boss

In-Game assistance None

Wiki

See E.3.1.

Precondition Skills

• basic Linux knowledge

• vi

• /etc/shadow

• Secure passwords

• MD5

Precondition Scenarios

VI

Precondition Environment access to /etc/shadow and /etc/passwd

Implementation framework

See E.3.1.
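The two learning targets of this scenario, choosing safe passwords and the difference between a dictionary and a brute-force attack, can be made concrete with a small audit function. The following is an added example, not part of the scenario or of John the Ripper: a dictionary attack only needs the base word plus a few mangling rules (case, trailing digits, "leet" substitutions), whereas a brute-force search has to cover the whole key space, whose size the entropy estimate below approximates. The word list, the substitution table and the 40-bit threshold are constructed for the example; a real audit would use a large list and the site's own policy.

```python
# Added example, not from the scenario: a small password audit that shows the
# difference between the two attacks named as learning target. A dictionary
# attack only needs the word (plus a few mangling rules); brute force has to
# search the whole key space, whose size the entropy estimate approximates.
# The word list, substitutions and threshold are constructed.
import math
import re
import string

WORDLIST = {"password", "secret", "company", "summer", "letmein", "shine"}

# Common substitutions a cracker's rule set undoes: p@ssw0rd -> password.
LEET = str.maketrans("@431!0$5", "aaeiioss")


def dictionary_candidates(pw):
    """Forms a rule-based dictionary attack would try for this password."""
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)    # 'summer2008!' -> 'summer'
    for form in (base, base.translate(LEET), stripped, stripped.translate(LEET)):
        if form:
            yield form


def in_dictionary(pw, wordlist=WORDLIST):
    return any(form in wordlist for form in dictionary_candidates(pw))


def alphabet_size(pw):
    """Size of the smallest character set an attacker must brute-force."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)    # 32 printable ASCII symbols
    return size


def brute_force_bits(pw):
    """log2 of the key space: how many bits a pure brute-force search faces."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0


def assess(pw, wordlist=WORDLIST, min_bits=40):
    """A password is weak if a dictionary rule reaches it or its key space is
    small; a long key space does not help against a dictionary hit."""
    dictionary = in_dictionary(pw, wordlist)
    bits = round(brute_force_bits(pw), 1)
    return {"dictionary": dictionary, "bits": bits,
            "weak": dictionary or bits < min_bits}


if __name__ == "__main__":
    for candidate in ("Summer2008", "p@ssw0rd", "abc", "xK9#vLq2pW"):
        print(candidate, assess(candidate))
```

The point the two numbers make together: "Summer2008" has a respectable 59.5-bit key space but falls to the very first dictionary rule, which is why a hash-cracking run with a word list finishes in seconds where brute force would not.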

5.3.2 Cron John

In-Game name of scenario

A matter of routine

Learning target automation of recurring tasks with cron/crontab

Problem and task the player has to set a weekly recurring attack on the password hashes by using john and cron

Order from boss

In-Game assistance

Wiki

See E.3.2.

Precondition Skills

• basic Linux knowledge

• vi

• /etc/shadow

• MD5

• Secure passwords

• John the Ripper

Precondition Scenarios

• VI

• John the Ripper

Precondition Environment access to /etc/shadow and /etc/passwd

Implementation framework

See E.3.2.
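The learning target here is the crontab schedule itself, and the part that trips people up is checking that an entry really fires when intended. The following is an added example, not a project script: a parser for the five-field crontab schedule that can say whether a given time matches and compute the next run time. The field semantics follow cron(5), including the rule that when both day-of-month and day-of-week are restricted the entry runs when either matches. The weekly schedule "0 3 * * 1" (Mondays at 03:00) and the audit command path are assumptions.

```python
# Added example, not a project script: a parser for the five-field crontab
# schedule, used here to check that a weekly entry fires when intended. The
# audit command and the times are assumptions; field semantics follow cron(5),
# including the rule that a restricted day-of-month and a restricted
# day-of-week match when either one matches.
from datetime import datetime, timedelta

# minute, hour, day-of-month, month, day-of-week (0 or 7 = Sunday)
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def parse_field(spec, low, high):
    """Expand one crontab field ('*', '*/15', '1-5', '1,3,5', '0') to a set."""
    values = set()
    for part in spec.split(","):
        expr, _, step = part.partition("/")
        step = int(step) if step else 1
        if expr == "*":
            start, end = low, high
        elif "-" in expr:
            a, b = expr.split("-")
            start, end = int(a), int(b)
        else:
            start = end = int(expr)
            if step > 1:                      # '5/10' is not valid cron syntax
                raise ValueError(f"step on a single value: {part}")
        if not (low <= start <= end <= high):
            raise ValueError(f"field {part} out of range {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(line):
    fields = line.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour dom month dow")
    minute, hour, dom, month, dow = (
        parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES))
    return {"minute": minute, "hour": hour, "dom": dom, "month": month,
            "dow": {d % 7 for d in dow},                   # fold 7 onto Sunday
            "dom_restricted": not fields[2].startswith("*"),
            "dow_restricted": not fields[4].startswith("*")}


def day_matches(s, dt):
    dom_ok = dt.day in s["dom"]
    dow_ok = (dt.weekday() + 1) % 7 in s["dow"]   # cron 0=Sunday, Python 0=Monday
    if s["dom_restricted"] and s["dow_restricted"]:
        day_ok = dom_ok or dow_ok                   # cron(5): either one matches
    else:
        day_ok = dom_ok and dow_ok
    return day_ok and dt.month in s["month"]


def matches(line, when):
    """Does the entry fire at the given ISO time (to the minute)?"""
    s = parse_schedule(line)
    dt = datetime.fromisoformat(when)
    return day_matches(s, dt) and dt.hour in s["hour"] and dt.minute in s["minute"]


def next_run(line, after, horizon_days=366):
    """First time strictly after 'after' (ISO string) at which the entry fires,
    or None if nothing matches within the horizon (e.g. '0 0 30 2 *')."""
    s = parse_schedule(line)
    t = datetime.fromisoformat(after).replace(second=0, microsecond=0)
    t += timedelta(minutes=1)
    end = t + timedelta(days=horizon_days)
    while t < end:
        if not day_matches(s, t):
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
        elif t.hour not in s["hour"]:
            t = (t + timedelta(hours=1)).replace(minute=0)
        elif t.minute not in s["minute"]:
            t += timedelta(minutes=1)
        else:
            return t.isoformat(timespec="minutes")
    return None


def crontab_line(schedule, command):
    """Validate the schedule before it is installed, then build the line."""
    parse_schedule(schedule)
    return f"{schedule} {command}"


# Assumed weekly entry: Mondays at 03:00, running an (assumed) audit script.
WEEKLY_AUDIT = crontab_line("0 3 * * 1", "/usr/local/bin/password-audit.sh")

if __name__ == "__main__":
    print(WEEKLY_AUDIT)
    print(next_run("0 3 * * 1", "2008-03-31T12:00"))   # 2008-04-07T03:00
```

Validating the schedule before installing it is the cheap part of this scenario that is easy to skip: cron accepts a line at `crontab -e` time but only reveals a wrong field by never running the job.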

5.3.3 Hydra

In-Game name of scenario

Your secrets are our secrets

Learning target

Using Hydra for a dictionary attack

Problem and task

The player has to find out the password of a login for an FTP-Server

Order from boss

In-Game assistance

Wiki

See E.3.3.

Precondition Skills

• basic Linux knowledge

• vi

• /etc/shadow

• Secure passwords

• MD5

Precondition Scenarios

VI

Precondition Environment

A set up FTP-Server

Implementation framework

See E.3.3.
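A dictionary attack against an FTP login, as practised in this scenario, leaves a very recognisable trace on the server: a burst of failed logins from one client trying several user names. The following is an added example from the defender's side, not part of the scenario or of Hydra: a sliding-window detector over log lines written in the style of vsftpd's `FAIL LOGIN: Client "ip"` records. The log lines, the window of 60 seconds and the threshold of 5 failures are constructed and would be tuned per site.

```python
# Added example, defender's side: spotting a dictionary attack against an FTP
# login from the server's log. The lines are constructed in the style of
# vsftpd's log ('FAIL LOGIN: Client "ip"'); the window and threshold are
# assumptions a real deployment would tune.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\]'
    r'(?: \[(?P<user>[^\]]*)\])? (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$')


def parse_line(line):
    """-> (timestamp, 'OK'|'FAIL', client ip, user) or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("result"), m.group("ip"), m.group("user")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding window per source IP: alert once when 'threshold' failed logins
    fall within 'window_seconds'. Returns [(ip, time_of_alert, users_tried)]."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    users = defaultdict(set)         # ip -> user names it tried
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, ip, user = parsed
        if result != "FAIL":
            continue
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()         # drop failures older than the window
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts.isoformat(timespec="seconds"), sorted(users[ip])))
    return alerts


# Constructed log: 10.0.0.5 runs through a word list of user names within a few
# seconds; 10.0.0.9 is a legitimate client with an occasional typo.
SAMPLE_LOG = """\
Mon Mar 31 10:00:01 2008 [pid 2345] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon Mar 31 10:00:02 2008 [pid 2345] [root] FAIL LOGIN: Client "10.0.0.5"
Mon Mar 31 10:00:02 2008 [pid 2361] [ftp] OK LOGIN: Client "10.0.0.9"
Mon Mar 31 10:00:03 2008 [pid 2345] [ftp] FAIL LOGIN: Client "10.0.0.5"
Mon Mar 31 10:00:04 2008 [pid 2345] [test] FAIL LOGIN: Client "10.0.0.5"
Mon Mar 31 10:00:05 2008 [pid 2345] [admin] FAIL LOGIN: Client "10.0.0.5"
Mon Mar 31 10:00:06 2008 [pid 2345] [guest] FAIL LOGIN: Client "10.0.0.5"
Mon Mar 31 10:03:00 2008 [pid 2380] [ftp] FAIL LOGIN: Client "10.0.0.9"
Mon Mar 31 10:05:00 2008 [pid 2380] [ftp] FAIL LOGIN: Client "10.0.0.9"
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alerting once per source rather than on every further failure keeps the output readable during a long run, and reporting the user names tried distinguishes a word-list attack from one user who keeps mistyping a password.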

5.4 Honeyd [pm]

5.4.1 honeypot detection

In-Game name of scenario

Spooky spook

Learning target With this scenario the player learns what honeypots are at all and how to detect low-interaction honeypots. The second training aim is how to use the tool hping, which the player uses as main tool.

Problem and task On one of the computers in the network topology, for example PC2, the program Honeyd will be installed. It allows setting up and running multiple virtual hosts on a computer network. The player has to scan the network and find out which hosts are virtual. Then he has to compare the IPs of the hosts with the string in the game engine.

Order from boss The boss tells the player that his brother works in a competitor's company. He works there as network administrator and secures his network with honeypots. The player has to help detect the honeypots. He does not do this alone, because the brother knows how he works.

In-Game assistance Boss

Secret solution: Sending an ICMP packet that contains a word, e.g. "Security", to a honeypot will result in no packet loss, and Ethereal/Wireshark will show that the response packet contains the same data that we have sent [1]:

#hping2 -1 -d 5 -E testpacket.txt -c 1 10.0.0.20
HPING 10.0.0.20 (eth0 10.0.0.20): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=46 ip=10.0.0.20 ttl=64 id=3471 icmp_seq=0 rtt=1.2 ms

--- 10.0.0.20 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
roundtrip min/avg/max = 1.2/1.2/1.2 ms

But if we now send a packet that contains shellcode, we get no response, or we get a packet with different content:

#hping2 -1 -d 45 -E shellcode.txt -c 1 10.0.0.20
HPING 10.0.0.20 (eth0 10.0.0.20): icmp mode set, 28 headers + 45 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!

--- 10.0.0.20 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
roundtrip min/avg/max = 0.0/0.0/0.0 ms

Wiki

• hping E.4

Precondition Skills

• nmap

• sudo

Precondition Scenarios

• linux basics

• nmap

• vi

Precondition Environment

• DMZ HONEYD host with installed honeyd and farpd application which emulates a small network topology

• host with installed hping application

• installed sudo command

Implementation framework This scenario is single player; only one player can play it at once. The honeyd server used for the scenario in the current topology is PC02 DMZ HONEYD. During the scenario the player cannot play on DMZ HONEYD; he must play on another host (for example PC01 DMZ - SSERVER). The following CAKE variables are needed for the scenario:

• GROUP - can be any alphanumeric string that is valid as a unix group name

• USERNAME - can be any alphanumeric string that is valid as a unix user name

• PASSWORD - a valid unix user password

To set up the scenario, run setup env honeyd server on the honeyd host and then setup usr and setup env on the player host. After the player enters the right string into the game engine the scenario will be finished. To clean up the user and honeyd environment run: cleanup usr, cleanup - env usr and cleanup env honeyd server.

5.5 Monitoring Tools [cg]

5.5.1 Cacti

In-Game name of scenario

Sneaking suspicion

Learning target

• Get to know Cacti

• Understanding of graphical display of traffic data

Problem and task

An employee copies a large amount of data via the net. This is internal company data which he is going to misappropriate. The player has to find out the hostname of the computer which causes the traffic, so that the corresponding employee can be identified.

Order from boss

The boss has got an anonymous tip saying that one of his fellow employees will try to abstract internal company data via the net. Because he won't give himself away by saying anything and because he has got no evidence, he asks you to pay especially close attention to exceedingly high data traffic via the net.

Story after successful completion of the scenario: The boss has certainly taken the person in question to task. In doing so he discovered that the employee concerned only wanted to send the latest, very large product catalogue to a customer.

In-Game assistance

None

Wiki

• Cacti E.5.1

• RRDtool E.5.1

• SNMP E.5.1

Precondition Skills

• Basic linux knowledge

• Basics of network/topology

• Router configuration

• ACLs

Precondition Scenarios

• Linux basics

• Knowledge of topology

• Router configuration

• Router ACLs

Precondition Environment

• Routers, switches and host PCs with an installed and configured SNMP agent

• Properly configured routers and switches enabling SNMP-queries by the cacti server

• A cacti server which collects and monitors the data


Implementation framework At first it was planned to implement a scenario which would provide a comparison of normal daily traffic with unusually high traffic. But this was not possible, because the date of the Round Robin Databases could not be manipulated with previously recorded data traffic [2]. So it was decided to implement the current solution, with the advantage of showing the traffic data at runtime.

Because Cacti is installed on Ramses in the topology, the player should always play this scenario on PC4. Therefore an NX client connection must be established before the scenario can be started and the player can get access to Cacti via the web browser.

The Cacti scenario is a single player scenario with a drone, but it can also be played together with other scenarios at the same time (which perhaps makes it a little more difficult to discover the traffic created by the shell script). The drone user could be set up on any PC in the topology, but due to the story it makes more sense if the traffic is sent from a host PC in a VLAN to a PC in the DMZ zone. For testing, the scripts were executed on Pluto and DMZ Server.
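The graphs the player reads in Cacti come from SNMP interface counters (ifInOctets and friends) polled at a fixed interval and turned into rates by RRDtool. The following is an added example, not Cacti's or the scenario's code, of that arithmetic on constructed samples: it converts counter readings into bytes per second, handles the wrap-around of a 32-bit counter between two polls (the classic source of a bogus spike or a negative rate in home-grown monitoring), and flags the host whose peak rate exceeds a threshold, which is the decision the player makes by eye. Host names, counter values and the threshold are constructed.

```python
# Added example, not Cacti's code: the arithmetic behind the traffic graphs the
# player reads. Cacti polls interface octet counters over SNMP and stores the
# rate in RRDtool; this does the same for constructed samples, handling the
# wrap-around of 32-bit counters (ifInOctets), and flags a host whose peak
# rate exceeds a threshold. Hostnames, counters and threshold are constructed.

COUNTER32 = 2 ** 32      # ifInOctets / ifOutOctets
COUNTER64 = 2 ** 64      # ifHCInOctets / ifHCOutOctets on faster links


def counter_delta(old, new, width=COUNTER32):
    """Difference of two counter readings, allowing for one wrap-around."""
    return (new - old) % width


def rates(samples, width=COUNTER32):
    """samples: [(seconds, counter)] in time order -> [(seconds, bytes/s)]."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        out.append((t1, counter_delta(c0, c1, width) / (t1 - t0)))
    return out


def peak_rates(by_host, width=COUNTER32):
    """host -> highest bytes/s seen over its polling intervals."""
    return {host: max(r for _t, r in rates(samples, width))
            for host, samples in by_host.items()}


def suspicious_hosts(by_host, threshold_bps, width=COUNTER32):
    """Hosts whose peak transfer rate exceeds the threshold (bytes per second)."""
    peaks = peak_rates(by_host, width)
    return sorted(h for h, p in peaks.items() if p > threshold_bps)


# Constructed ifInOctets readings (seconds since start, counter value). 'pluto'
# moves 5 MB/s and its 32-bit counter wraps between the first two polls; a
# naive (new - old) there would be a large negative number.
SAMPLES = {
    "pc4":   [(0, 1_000), (60, 61_000), (120, 121_000)],
    "pluto": [(0, 4_294_000_000), (60, 299_032_704), (120, 599_032_704)],
}

if __name__ == "__main__":
    print(peak_rates(SAMPLES))                      # pc4 1000.0, pluto 5000000.0
    print(suspicious_hosts(SAMPLES, 1_000_000))     # ['pluto']
```

Cacti's graphs show bits per second, so multiply by 8 before comparing with the threshold the boss has in mind; and on gigabit links the 32-bit counters wrap in well under a minute, which is why the 64-bit `ifHC` counters exist.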

5.6 IDS scenarios [jl]

5.6.1 Run snort

First steps to get to know and learn to use the Intrusion Detection System snort

In-Game name of scenario The restart helper

Learning target The player learns how to run a pre-configured snort on the correct network interface with a valid configuration file.

Problem and task On the computer which scans the whole network traffic, snort is down on one of the interfaces. The player is supposed to log into this machine and find out which interface isn't scanned anymore. Then he has to restart snort on this interface using the correct configuration file.

Order from boss The boss tells the player that some traffic in the company network doesn't seem to be scanned anymore. The person who normally maintains the snort machine is busy at the moment, so the player should determine why this is the case and fix the problem. The player is given the login data for this machine.

In-Game assistance none

Wiki The wiki article needed for this scenario can be found on page 162 in section E.6.1

Precondition Skills

• sudo

Precondition Scenarios

• linux basics

Precondition Environment

• machine with several network interface cards

• application snort with correctly setup configuration

• installed sudo command

Implementation framework This scenario is single player with a dedicated machine, so only one player can play it at once and the machine it is played on is locked until the scenario is finished. The client used for the scenario in the current topology is PC16 CLEOPATRA. The following CAKE variables are needed for the scenario

• H GROUPNAME - can be any alphanumeric string that is valid as a unix group name

• H USERNAME - can be any alphanumeric string that is valid as a unix user name

• H PASSWORD - a valid unix user password in its hashed form as in /etc/shadow

• H INTERFACE - one of the interfaces snort is scanning on. Currently either eth2 or eth3

To set up the scenario, run the environment and then the player setup scripts. After the player marks the scenario as finished, the evaluation script is run. If the script returns 0 the player has accomplished the scenario; otherwise, with a return code greater than 0, the player didn't complete the task correctly. To clean up the environment, run the environment and then the player cleanup scripts.
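An evaluation check of the kind described above, added here as an example (it is not one of the project's scripts): it decides from the process list whether a snort instance is running on the interface named by H_INTERFACE and was started with a configuration file. The invocation form snort -i <iface> -c <conf>, the use of ps axo args= and the sample process list are assumptions.

```sh
#!/bin/sh
# Added example for "The restart helper": an evaluation check of the kind the framework
# runs after the player marks the scenario as finished. Not the project's own script.
# Assumes snort is started as "snort ... -i <iface> -c <conf> ..." and that the process
# list comes from `ps axo args=`; the helper takes the list as a string so it can be
# tested against a constructed sample without a running snort.

# snort_running_on IFACE PROCLIST
# Returns 0 if some snort process in PROCLIST listens on IFACE (-i IFACE) and was
# started with a configuration file (-c <path>), 1 otherwise.
snort_running_on() {
    iface=$1
    proclist=$2
    printf '%s\n' "$proclist" | awk -v want="$iface" '
        $1 ~ /^(.*\/)?snort$/ {
            on_iface = 0; has_conf = 0
            for (n = 2; n <= NF; n++) {
                if ($n == "-i" && $(n + 1) == want) on_iface = 1
                if ($n == "-c" && n < NF)          has_conf = 1
            }
            if (on_iface && has_conf) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# evaluate IFACE: what the framework would call with H_INTERFACE; 0 means "accomplished".
evaluate() {
    snort_running_on "$1" "$(ps axo args=)"
}

# Constructed sample process list (not a capture from the lab): snort is correctly
# running on eth2, the eth3 instance was restarted without a configuration file.
SAMPLE_PROCLIST='/usr/sbin/snort -D -i eth2 -c /etc/snort/snort.conf -l /var/log/snort
/usr/sbin/snort -D -i eth3 -l /var/log/snort
/bin/sh /usr/local/bin/player_setup.sh'

# Usage in the evaluation script:  evaluate "$H_INTERFACE"; exit $?
```

Against the sample list the check fails for eth3, which is exactly the state the player has to fix with something like sudo snort -D -i eth3 -c /etc/snort/snort.conf. A stricter variant would also compare the -c argument with the configuration file the scenario expects, so that a snort started with an empty or wrong configuration does not count.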

5.6.2 Create snort rule

Create your own rules for the intrusion detection system snort.

In-Game name of scenario Rule for tool


Learning target The player should be able to create his own detection rules for snort and include them in the configuration.

Problem and task The network traffic scanner snort isn't set up sufficiently, so some attacks aren't detected. The player is supposed to solve this by creating a new rule. To do so he has to log on to the snort machine, create a new file containing the fitting rule and include this file in the configuration. After the rule has been created correctly the player has to restart all running snort instances so that the new rule is loaded.

Order from boss A new threat was detected and the company has to be protected against it as soon as possible. The boss instructs the player to bring the IDS up to date and gives him information about the protocol, the scanned target port, the scanned target IP and the possible source IP.

In-Game assistance none

Wiki The wiki article needed for this scenario can be found on page 165 in section E.6.2

Precondition Skills

• sudo

• vi or similar editor

Precondition Scenarios

• linux basics

• run snort

Precondition Environment

• machine with several network interface cards

• application snort with correctly setup configuration

• installed sudo command

Implementation framework This scenario is single player with a dedicated machine, so only one player can play it at a time, and the machine it is played on is locked until the scenario is finished. The client used for the scenario in the current topology is PC16 CLEOPATRA. The following CAKE variables are needed for the scenario:

• H_GROUPNAME - can be any alphanumeric string that is valid as a unix group name

• H_USERNAME - can be any alphanumeric string that is valid as a unix user name

• H_PASSWORD - a valid unix user password in its hashed form, as in /etc/shadow

• H_PROTOCOL - protocol of the scan (can be any)

• H_TARGET_PORT - the port that is scanned

• H_TARGET_IP - the scanned IP (can be any)

• H_SOURCE_IP - the scanning IP (can be any)

The scenario is set up by running the environment and the player setup scripts. After the player marks the scenario as finished, the evaluation script is run. Only if it returns 0 has the player succeeded; otherwise he has to continue with the scenario. When he has finished successfully, the environment and player cleanup scripts are run.
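The steps of this scenario (write the rule, include the rule file in the configuration, restart snort) and an evaluation check for them, as an added shell example rather than the project's own scripts. The rule file name, the sid range, the msg text and the sample values for the H_ variables are assumptions; the rule is in snort 2 syntax.

```sh
#!/bin/sh
# Added example for "Rule for tool": build the snort rule from the scenario's CAKE
# variables, install it into the configuration, and check for it the way an evaluation
# script could. Not the project's own scripts; file names, sid range and msg text are
# assumptions. Snort 2 rule syntax:
#   alert <proto> <src> <sport> -> <dst> <dport> (<options>;)

# make_rule PROTO SRC_IP DST_IP DST_PORT SID -> prints one rule line.
# Local rules should use sid >= 1000000 so they don't collide with distributed rule sets.
make_rule() {
    proto=$1 src=$2 dst=$3 dport=$4 sid=$5
    case $proto in
        tcp|udp) ;;
        icmp|ip) dport=any ;;          # these protocols carry no port in a snort rule
        *) echo "make_rule: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    printf 'alert %s %s any -> %s %s (msg:"SHiNE scan from %s"; sid:%s; rev:1;)\n' \
        "$proto" "$src" "$dst" "$dport" "$src" "$sid"
}

# install_rule RULEFILE CONF RULE -> writes RULE to RULEFILE and adds a single include
# line to CONF (idempotent, so running the setup twice doesn't duplicate the include).
install_rule() {
    rulefile=$1 conf=$2 rule=$3
    printf '%s\n' "$rule" > "$rulefile"
    grep -qxF "include $rulefile" "$conf" || printf 'include %s\n' "$rulefile" >> "$conf"
}

# regex_escape STR -> STR with regex metacharacters escaped (the dots in IP addresses)
regex_escape() {
    printf '%s' "$1" | sed 's/[.[*^$]/\\&/g'
}

# rule_present CONF PROTO SRC_IP DST_IP DST_PORT
# Returns 0 if a file included by CONF with an absolute path contains an alert rule for
# exactly this protocol, source, destination and port. Includes that use snort variables
# such as $RULE_PATH are not expanded here (a simplification of this example).
rule_present() {
    conf=$1 proto=$2 src=$(regex_escape "$3") dst=$(regex_escape "$4") dport=$5
    ws='[[:space:]][[:space:]]*'
    sed -n "s/^include${ws}//p" "$conf" | while read -r f; do
        [ -r "$f" ] && grep -Eq "^alert${ws}${proto}${ws}${src}${ws}any${ws}->${ws}${dst}${ws}${dport}${ws}" "$f" && echo hit
    done | grep -q hit
}

# Wiring with the variables the game engine hands over (default values constructed here)
H_PROTOCOL=${H_PROTOCOL:-tcp}
H_SOURCE_IP=${H_SOURCE_IP:-10.0.0.5}
H_TARGET_IP=${H_TARGET_IP:-192.168.1.10}
H_TARGET_PORT=${H_TARGET_PORT:-22}
SHINE_RULE=$(make_rule "$H_PROTOCOL" "$H_SOURCE_IP" "$H_TARGET_IP" "$H_TARGET_PORT" 1000001)

# What the player does on the snort machine (not executed here):
#   install_rule /etc/snort/rules/shine.rules /etc/snort/snort.conf "$SHINE_RULE"
#   sudo snort -T -c /etc/snort/snort.conf      # parse the configuration before restarting
# What the evaluation script checks:
#   rule_present /etc/snort/snort.conf "$H_PROTOCOL" "$H_SOURCE_IP" "$H_TARGET_IP" "$H_TARGET_PORT"
```

snort -T only validates the configuration and exits; the rule is active only after the running instances are restarted, which is why the scenario makes the restart part of the task. The evaluation shown here checks the configuration on disk; combined with the process check from the previous scenario it also covers the restart.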

5.7 DNS [mt]

5.7.1 DNS Basics

In-Game name of scenario The new mailserver

Learning target

• comprehension of the DNS tree and the stored records such as A, NS, MX and PTR records

• comprehension of the mapping between IP addresses and names

Problem and task

The player has to find out some records of a domain. To complete this task he has to fill out a given document that contains a record list.

Order from boss

Please check the given list in your home directory and fill it out.

In-Game assistance linux manual pages for the programs dig/nslookup

Wiki

• DNS E.7.1

Precondition Skills

• linux basics

• DNS

Precondition Scenarios

• linux basics

Precondition Environment a nameserver that stores the requested records

Implementation framework First the user is set up on the target machine. He is given an automatically generated list containing his task and the records he has to look up. After looking up the records the user has to fill out the document. To assist him, a background script is implemented which, after the document file has been written, shows hints about which records aren't correct.
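The dig invocations that answer a record list like the one in this scenario, and a hint-giving checker of the kind the background script above provides, as an added example that is not the project's code. The document format TYPE NAME ANSWER, the name hs-bremen.game and the addresses in the test data are assumptions.

```sh
#!/bin/sh
# Added example for "The new mailserver": the dig invocations for the record types the
# scenario asks about, and a checker that gives hints like the background script the
# framework describes. Not the project's own code; hs-bremen.game, the addresses in the
# test data and the document format ("TYPE NAME ANSWER" per line) are assumptions.

# dig_lookup TYPE NAME [SERVER] -> the answers the nameserver gives, one per line.
# A PTR lookup takes the IP address: dig -x builds the in-addr.arpa name itself
# (10.0.1.80 -> 80.1.0.10.in-addr.arpa).
dig_lookup() {
    type=$1 name=$2 server=${3:+@$3}
    case $type in
        PTR)      dig +short $server -x "$name" ;;              # $server unquoted: empty if no SERVER
        A|NS|MX)  dig +short $server -t "$type" "$name" ;;
        *)        echo "dig_lookup: unknown record type '$type'" >&2; return 1 ;;
    esac
}

# grade DOCFILE [LOOKUP]
# DOCFILE holds one "TYPE NAME ANSWER" line per record; ANSWER is what dig +short prints
# without the trailing dot (an MX answer therefore keeps its preference, e.g.
# "10 mail.hs-bremen.game"). Prints a hint for every wrong line and returns 0 only if
# everything is correct. LOOKUP defaults to dig_lookup and can be swapped for a table
# so the checker can be exercised without a nameserver.
grade() {
    doc=$1 lookup=${2:-dig_lookup} wrong=0
    while read -r type name answer; do
        case $type in ''|\#*) continue ;; esac        # skip blank lines and comments
        if $lookup "$type" "$name" 2>/dev/null | sed 's/\.$//' | grep -qxF -- "$answer"; then
            :
        else
            echo "hint: the $type record for $name is not '$answer'"
            wrong=$((wrong + 1))
        fi
    done < "$doc"
    [ "$wrong" -eq 0 ]
}

# Usage on the lab machine (not executed here):
#   dig_lookup MX hs-bremen.game ns1.hs-bremen.game
#   grade "$HOME/recordlist.txt"
```

A record with several answers (two NS records, for example) is accepted if the player's line matches any of them. The checker deliberately says only which line is wrong, not what the right answer is, so the player still has to run the lookup himself.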

5.7.2 DNS Server manipulation

In-Game name of scenario Payback!

Learning target

• How to use the nameserver bind.

• How to store records on the nameserver.

• How to build a DNS zone.

Problem and task The user has to extend a DNS zone. This task is split into 3 parts:

• level 1: insert a mail server and a www server

• level 2: insert the reverse zone for a given subnet

• level 3: insert a new zone for a subnet

Order from boss Please extend our DNS server with some records.

In-Game assistance linux manual pages for bind

Wiki

• DNS E.7.1

• Bind E.7.2

Precondition Skills

• linux basics

• domain basics

• dns basics

Precondition Scenarios

• linux basics

• dns basics

• domain

Precondition Environment package support for bind9

Implementation framework

In the environment script the DNS server of hs-bremen.game is cloned and started on the target machine. This machine can be any machine in the environment, because the server the user has to change is completely separated from the infrastructure (so the user doesn't influence other players; if he makes a mistake he only blocks his own machine).

After the environment has been prepared, the user is set up on the target machine and gets a document in his home folder with the task he has to implement (1, 2 or all 3 of the tasks, depending on the chosen difficulty). To do his task he has the right to interact with the nameserver bind in any way: he is given full admin level for this service by granting sudo rights for all needed files.

After finishing, the evaluation script queries the local DNS server and the records are verified.

5.7.3 DNS-Spoofing

In-Game name of scenario The recruiter

Learning target

• Become more familiar with the DNS system.

• Understand how DNS delegation works.

Problem and task The player has to manipulate the DNS server for the whole gamenet with a given zone record.

Order from boss

In-Game assistance linux manual pages for bind

Wiki

• DNS E.7.1

• Bind E.7.2

• DNS Spoofing E.7.3

Precondition Skills

• linux basics

• domain basics

• dns basics

• dns server

Precondition Scenarios

• linux basics

• domain basics

• dns basics

• dns server

Precondition Environment package support for bind9

Implementation framework In the environment script the DNS server of hs-bremen.game is cloned and started on the target machine. This machine can be any machine in the environment, because the server the user has to change is completely separated from the infrastructure (so the user doesn't influence other players; if he makes a mistake he only blocks his own machine). The user is set up on the local machine and his task is given in a document in his home directory. The user has to set up the new zone on the DNS server. After finishing, the evaluation script queries the local DNS server and the records are verified.
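The zone data the three levels of 5.7.2 ask for, plus the delegation that the new zone of 5.7.3 needs in the parent zone, generated by shell helpers as an added example that is not part of the project's scripts. hs-bremen.game, the addresses, the serial and the SOA timers are assumed values.

```sh
#!/bin/sh
# Added example for "Payback!" (5.7.2) and "The recruiter" (5.7.3): helpers that emit
# BIND zone data for the three levels (mail and www records, the reverse zone for a /24,
# a new zone delegated from the parent). Not the project's own scripts; hs-bremen.game,
# every address below, the serial and the SOA timers are assumed example values.

# reverse_zone 192.168.5.0 -> 5.168.192.in-addr.arpa  (name of the reverse zone of a /24)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# ptr_owner 192.168.5.10 -> 10.5.168.192.in-addr.arpa.  (absolute owner name of the PTR)
ptr_owner() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# zone_header ZONE NS SERIAL -> $TTL, $ORIGIN, SOA and NS records every zone file needs.
# SOA fields after the serial: refresh, retry, expire, negative-caching TTL (seconds).
zone_header() {
    printf '$TTL 3600\n'
    printf '$ORIGIN %s.\n' "$1"
    printf '@ IN SOA %s. hostmaster.%s. ( %s 7200 3600 1209600 3600 )\n' "$2" "$1" "$3"
    printf '@ IN NS %s.\n' "$2"
}

# Level 1: forward zone with a mail server and a www server.
# forward_zone ZONE NS MAIL_IP WWW_IP
forward_zone() {
    zone_header "$1" "$2" 2008033101
    printf '@ IN MX 10 mail.%s.\n' "$1"      # an MX must point at a name, never at an address
    printf 'mail IN A %s\n' "$3"
    printf 'www IN A %s\n' "$4"
}

# Level 2: reverse zone for a /24; reads "ip fqdn" pairs from stdin, one PTR each.
# reverse_zone_file NETWORK NS < pairs
reverse_zone_file() {
    zone_header "$(reverse_zone "$1")" "$2" 2008033101
    while read -r ip fqdn; do
        [ -z "$ip" ] || printf '%s IN PTR %s.\n' "$(ptr_owner "$ip")" "$fqdn"
    done
}

# Level 3: a new zone for a subnet needs two pieces. The child zone file itself ...
# new_zone CHILD_ZONE CHILD_NS CHILD_NS_IP
new_zone() {
    zone_header "$1" "$2" 2008033101
    printf '%s IN A %s\n' "${2%%.*}" "$3"     # the A record for the child's own nameserver
}

# ... and, in the parent zone, an NS record delegating the child plus a glue A record,
# needed because the child's nameserver lives inside the zone it serves (5.7.3).
# delegation_records CHILD_LABEL CHILD_NS_LABEL CHILD_NS_IP  (relative to the parent's $ORIGIN)
delegation_records() {
    printf '%s IN NS %s.%s\n' "$1" "$2" "$1"
    printf '%s.%s IN A %s\n' "$2" "$1" "$3"
}

# Example run (files under /etc/bind are assumed paths, not executed here):
#   forward_zone hs-bremen.game ns1.hs-bremen.game 10.0.1.25 10.0.1.80 > /etc/bind/db.hs-bremen.game
#   printf '192.168.5.10 www.hs-bremen.game\n' | reverse_zone_file 192.168.5.0 ns1.hs-bremen.game > /etc/bind/db.192.168.5
#   new_zone lab.hs-bremen.game ns1.lab.hs-bremen.game 10.0.9.2 > /etc/bind/db.lab.hs-bremen.game
#   delegation_records lab ns1 10.0.9.2 >> /etc/bind/db.hs-bremen.game
```

Each generated file still needs a matching zone statement in named.conf. Before reloading, named-checkzone ZONE FILE catches syntax errors and missing trailing dots; rndc reload then activates the change, and the evaluation script can verify the records with dig @localhost exactly as in the previous scenario.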

5.7.4 Domain

In-Game name of scenario New provider wanted

Learning target

• What is a domain?

• Which records are stored by a registrar?

• How can you view these records?

Problem and task

The player has to find out some specific records for a domain and complete a given record list in his home folder.

Order from boss

In-Game assistance linux manual page for the program whois; hints given in the console

Wiki

• Domain E.7.4

Precondition Skills

• linux basics

Precondition Scenarios

Precondition Environment

Internet connection, because whois queries only make sense against a real registrar.

Implementation framework

The implementation is divided into 3 parts: first the user is set up on the target machine, then the script automatically generates a list of records which the user has to complete, depending on the top level domain given by the game engine.

The third part is setting up a background script which gives hints if the user isn't working as expected (it shows a hint about which file the user has to read to get instructions; later it informs the user whether his task is done correctly and, if not, where he made a mistake).

The game engine hands out the user, the password and the given domain; the script generates the specific tasks on its own.

5.8 Learning scenarios [ts]

5.8.1 LDAP

In-Game name of scenario Learnings, what else?

Learning target

• directory service

• username and password

• rights

Problem and task The player has to learn what LDAP is.

Order from boss

In-Game assistance

Wiki

Precondition Skills

• basics of network and topology

• OSI

• TCP & UDP protocol internals

Precondition Scenarios topology

Precondition Environment none

Implementation framework

5.8.2 RADIUS

In-Game name of scenario More learnings

Learning target

RADIUS is a client-server protocol for authentication, authorization and accounting (AAA) of dial-up access to a network.

Problem and task The player has to learn what RADIUS is.

Order from boss

In-Game assistance

Wiki

Precondition Skills

• basics of network and topology

• OSI

• TCP & UDP protocol internals

• LDAP

Precondition Scenarios

• topology

• LDAP

Precondition Environment none

Implementation framework

6 Overall System Conventions and Design [ar, dg, sd, tr]

6.1 Conventions

6.1.1 Overall Systemconcept [ar, sd, tr]

The overall goal of the SHiNE system is to immerse the user in a modern, user-friendly game while educating him in the topics of network security. To accomplish this immersion, we use a typical roleplaying/adventure perspective with a point-and-click interface, to which most gamers are already accustomed. Adobe Flash was used to build the game world, in which the user gathers information and tasks. For some of these tasks, the user has to use real tools in his desktop environment to complete them.

The PDA acts as a central device for all game-relevant information and bundles the corresponding functionality into compact views. The goal here was to avoid scattering information and to provide quick access to all relevant data from within the game without "leaving" it. Therefore the PDA buttons in the game's menu bar bring the corresponding PDA screen into view while the game is still running in the background. The user can view the tasks he got (button "tasks") and find information on them in the wiki, or he can view his current ranking and details (button "players") and his competitors' details in the same screen.

Administrative tasks are accessible via a tab (if the user has admin privileges) and use the same frame as the game. The admin views share only the general look (colors, fonts) with the rest of the game, partly because the admin has no need for the game elements and mostly because of the limited space the frame offers. Some tasks normal users can do are available in the PDA views, though, like editing wiki articles or the player's data.

6.1.2 Overall Designconcept [ar, dg, sd, tr]

The general look is heavily influenced by recent web 2.0 styles, with mirror effects and color gradients for buttons, tabs, logo and typography. Colorful buttons with a "shine" effect when hovered complement this to give a modern and user-friendly look. Some of the icons used are taken in part from the Crystal Project icon package (http://www.everaldo.com/crystal/).

Colors: Monochrome green and black as dominant colors plus their variants (gray, light green) are used to create the feeling of a "hacker" environment. See the styleguide for specific color values.

Fonts: While the web 2.0 "rules" say we should use relatively big font sizes, we had to compromise in the PDA views because of the limited space, so 12px for headlines and 10px for text have to suffice. Verdana is the font used for all HTML.

Buttons:

Menu buttons: backgrounds passive state, hovered state

Dimensions: 39x39px

Font: 9px Myriad Pro, 25 character spacing, #a0a0a0

Figure 7: Menu buttons: passive state

Figure 8: Menu buttons: hovered state


Skillset icons:

Dimensions: 32x32px

Background: Gradient: #101010 bottom, #515151 top

Foreground icon: dropshadow 134 5px distance, 5px size

Figure 9: Skillset icons

Tooltips:

To save space and offer additional information, we use tooltips where possible, for example as a description text on the skill icons.

Usage:

A modified version of a JavaScript from dhtmlgoodies.com is used to display the tooltips; it must be included in the header of the HTML files.

In the HTML body we need a placeholder div for the tooltip; its layout is described in the CSS.

tooltip filler text

To add a tooltip to a link or button, use a mouseover action:

Figure 10: A tooltip


6.1.3 Namefinding [ar]

The original name "NetS-X", short for "NetSecurity-eXperience", wasn't liked by everybody. Its complicated spelling and strange results in Google searches led to the conclusion that we needed a better name for the project. Thus we held a vote in the netzlabor wiki, which ended on 06.11.2007. Several candidates were proposed and everybody had the chance to assign every name a value (-- for the worst to ++ for the best).

The results with positive values were:

• SHiNE (Security and Hacking in Network Environments) +6

• Password: Backdoor +3

• SkyNet +3

• NetWars +2

The full results can be found at: https://www.netzlabor.hs-bremen.de/wiki/index.php/Namefinding

6.1.4 Styleguide [dg]

This section shows and explains the different logos and their respective use throughout the project, the layout of the web interface and the other graphical elements such as fonts and colors, which are described in detail further down.

Logos:

The first requirement of the logo, the corporate identity (CI) of the project, was recognizability. It had to reflect the style of gameplay and the name of the game, so the first thing to do was to find an appropriate color scheme for the whole game (described in the color scheme section) and something to illustrate the project's name. We decided to use a sunrise-like shine effect to meet this requirement and placed a small reflection underneath the SHiNE lettering to create the illusion of a horizon that supports the sunrise metaphor.

The following figures show the particular logos with a short description of their usage.


Figure 11: Single logo graphic used in posters and flyers.

Figure 12: Header logo graphic used for the webinterface as standard logo graphic.


Figure 13: Textual footer graphic used for the webinterface as footer logo graphic.

Figure 14: Different styles of the textual footer logo. To be used as letterhead.


Typography:

Our goal was to use as few fonts as possible to keep a straight and clean image throughout the design process. It was obligatory that the fonts used were easy to read, nice to look at and above all sans-serif. For this purpose we decided to use the following typefaces.

Figure 15: The Myriad Pro font.

Myriad Pro has been used for the logo as well as for all text embedded in graphics. It was chosen because it is a modern, serious and professional-looking sans-serif font that is easy to read.

Figure 16: The Verdana font.

Verdana has been used for the login box and throughout the wiki. It is a widely used and highly readable font, which is why it was chosen for these purposes.


Color-scheme:

One of the most difficult tasks during the design process was to work out a simple but impressive and interesting color scheme. The results are shown below. The theme of the game is obvious from the choice of colors: we decided to use strong, darker green and gray colors, mostly in gradients. This is supposed to evoke the feeling of getting into the hacking / security / IT subject matter.

Figure 17: The color-scheme of SHiNE


Screen layout:

The following graphics show how the screen layout is devised. The first shows the main screen of the game as it appears in the browser, with the sizes (in pixels) of the different areas for the logo box and the Flash game. The next images show the login screen and the registration screen as well as the main screen of a logged-in member.

Figure 18: Main screen view with size overlays.

Figure 19: Login view


Figure 20: Registration view

Figure 21: Main view of logged in member

6.1.5 Rights [tr]

Tutors and administrators have more rights in SHiNE than players do, due to the roles they play in the game. The admin has to keep the technical side running, while the tutor takes care of the players and the flow of the game. While the tutor is the one to ask if you have problems playing the game because you do not understand its mechanisms, the admin is the one to call if something is broken or not working.

The rights everybody has are described below.

Everybody may create a new player character (PC) and thus become a player.

Each player may:

• change his player-character’s profile.

• prepare articles for the wiki. These articles have to be accepted by a tutor or admin to be included in the wiki.

• play tests.

• propose new tests, which have to be accepted by a tutor or admin to be included in the game.

• play scenarios.

• play the 2D-Game.

Each tutor may:

• do everything a player may do.

• write articles for the wiki, and accept or reject articles for the wiki that have been prepared by a player.

• create and delete scenarios.

• invent or delete tests.

• add or delete skills.

• delete player characters.

• edit a player's profile except the character's name.

• grant tutor rights to players or remove them.

Each admin is allowed to do the same as a tutor.


6.2 Webinterface [ar, dg, sd, tr]

The web interface consists of

• the login and registration screen

• the pda screens

• some administration pages.

All of these are displayed in the center frame as HTML pages, written in CakePHP, spiced with some AJAX and JavaScript, and based on a MySQL database.

The layout is optimized for a 1024x768 screen resolution and the Mozilla Firefox browser, with a Windows taskbar and status bars visible. No scrolling should be necessary to view the page content.

The Flash game and the PDA are visible in the center frame, which has a size of 720x450px.

Figure 22: Flash game interface

Our goal was, again, to minimize the number of pages needed to get information or to do things like editing player data, and to keep the player "in" the game by integrating all the information he needs (PDA) and the Flash movie into a single frame. The player shouldn't have to visually leave the game except for solving the desktop scenarios.

6.2.1 Login / Registration [dg]

These are basic pages for registering a new character (not a player) and logging it into the game. The player can choose a unique nickname for his character, which is available directly after creation. After logging in, the Flash game starts and the character is placed wherever it left the game, with all its states and attributes restored.

6.2.2 PDA-Screens [ar, sd]

Though HTML, the PDA and the information it presents are "part" of the Flash game. We can call its pages from within the game menu and see them directly in the same frame.

The goal was to streamline the visual appearance of the different views so that every functionality has the same look and feel. So we have selection lists on the left, sortable with tabs, and a "details" view on the right with integrated "edit" functionality where possible.

When the game loads, the PDA is placed in a div container behind the Flash game using the z-index. This way we avoid loading the PDA content every time we call it, and we avoid the even longer loading times of the Flash movie we would get if we had to switch HTML pages. Upon access, the PDA div is displayed above the Flash movie by changing its z-index with JavaScript (the Flash movie's z-index property can't be changed). PDA content is partly changed via AJAX.

The PDA screens are as follows:

Players: This view shows a list of selectable entries for every player on the left, ordered by score or by name. On the right side it shows details about the selected player like rank, name, score and unlocked skills. The player's own character is selected by default and some of its data (e.g. the name) can be edited directly by the player using the "edit" button.

Tasks: This view contains a list of all playable and finished scenarios and tasks. On the right side the details of the selected scenario are shown. A scenario can be started either from within the Flash game or from the Tasks screen.

Wiki: Contains a listing of wiki topics on the left. On the right the wiki text of the selected topic is shown, including an edit option. Using the "Add" button, the player can submit a wiki article, which has to be approved by an admin.

Technical Details:

The stylesheet used for the PDA is pda.css (www/nets-x/app/webroot/css in most cases).

Images used in the pda can be found in the app/webroot/img/pda directory.

The PDA as such is contained in the "pda" wrapper container (div id="pda"). The second enclosing div tag handles the appearance of the following divs; for example div class="player" changes the content of the header div accordingly (which needs to be empty). As we have tabs only on the left side, they are handled separately (div class="tabs").

Figure 23: Players-screen

Figure 24: Tasks-screen


Figure 25: Wiki-screen

The left and right containers share the same class, but get their positioning by adding another class (right/left).

The navigation menu is stored in a class="nav" container, using an unordered list and giving each list item a class (wiki, exit etc.). In order for the tooltips to work, we need tooltip.js linked in the header and a div id="tooltip" container next to the opening body tag.

The PHP code for the PDA, the so-called views, is stored in the app/views folders. The views handle the data presentation via the controllers, without having direct database access.

6.2.3 Administration Screen [master]

The administration pages are accessible via the administration tab if the user has the required privileges. As administrator, the user has the following options:

Scenario administration: Add, edit and delete scenarios

Game administration: Add a non-player character (NPC), start the state-machine editor

Administration: User administration, i.e. edit and delete player characters

Wiki administration: Approve and publish or decline wiki articles

Assessment-test administration: Approve and publish or decline tests

6.3 2D Gamedesign

6.3.1 The Flashgame Graphics [tr, ar]

The Flash game graphics are made up of several tiles, each 50 by 50 pixels in size and drawn by hand in Adobe Photoshop and the Gimp. Some of the larger objects, like tables and walls, are made up of two or more tiles.

All the tiles of the game are included in a single graphics file (*.png), called the tileset, which is bound into the game. The game refers to the single tiles by their position and size inside the tileset.

Figure 26: Tileset

6.3.2 The Characters [dg, mf]

There are several characters in the game and each of them is made up of an animation sequence of 12 images. These images were drawn using Pixen (a pixel-based image editor for Mac) and Adobe Photoshop.

Each character comes with all its animation images in a single graphics file (*.png) that is used as a sprite in the Flash game. The figure below shows the player's character and all its animation images. The character is drawn from front, back, left and right.


Figure 27: PC & NPCs

6.4 Implementation MVCs in CakePHP [sd]

The game engine is implemented in CakePHP and uses the MVC concept (model-view-controller). In the MVC concept the input, processing and output of an application are separated from each other.

Models: PHP files stored in the /app/models folder; they serve database access.

Controllers: PHP files stored in the /app/controllers folder; they are responsible for the logic. The controllers contain the functions that are called via the URL in the browser's address bar.

Views: PHP (ctp) files stored in /app/views; they present the game interaction. The views load a default layout stored in /app/views/layouts.

The naming convention in SHiNE (derived from the naming convention of CakePHP):

Models: Model class names are singular. Model file names use a lower-case underscored syntax.

Examples: content.php, players_scenario.php

Controllers: Controller class names are plural. Controller file names use a lower-case underscored syntax and end with "_controller".

Examples: wiki_controller.php, players_controller.php


Views: Views are named after the actions they display. Name the view file after the action name, in lower case.

Example: wiki_controller::index() expects a view in app/views/wiki/index.ctp

We have four important types of classes:

Player-related classes for the management of player data and the validation of username and password.

Flash-game-related classes for the communication between the Flash game and the web interface.

Scenario-related classes for the scenario actions "add", "edit" and "delete scenario" for the admin and "show" and "play scenario" for the player.

Wiki-related classes for wiki administration.

7 Overall Gameplay-Improvements [af, sg, tr]

In this section we discuss some ideas that would improve the game for the players.

A mission tracker could be displayed in the upper right corner of the Flash game to show the player that a new skill has been attained, to inform him or her of a new mission that can be played, etc.

7.1 Enhancements in Communications

In this section we look at some improvements to the game that would help the players communicate with each other.

An e-mail button could be added to the PDA buttons in the panel at the bottom of the Flash game. Players could use this button to open an editor to write and send a written message (like an e-mail) to one or more of the other players in the game. Incoming e-mails could be listed and displayed in this place as well.

A chat button could also be added to the game. Since several players can be in the game at the same time, this would improve communication between them.

7.2 Improvements to the game itself

Make use of virtual machines (VMware, Virtual PC, VirtualBox, etc.). It could improve the game a lot if the machines on which the players have to use their "real guns" to play the missions were virtual machines. The software and state of the machine could then be prepared in advance and no setup or cleanup scripts would be needed. All the software and tools needed for the mission currently being played could be installed on the machine, which could run on any operating system.

These virtual machines cannot be damaged, even if the user changes some of their settings: the next time the machine is loaded, it has returned to its original configuration.

Sympathy system: The player earns one or more sympathy points from a female employee for every successfully accomplished scenario. The more sympathy points he has, the better his relationship with the female employee. This would give the game a little more depth, because the player would try to keep a good relationship with the female employee to see how it develops.

An option to import auto-presentations. Tutors could create special auto-presentations to teach the player specific subjects more easily. This would be a good alternative to the wiki.

An option to choose a special role. As soon as more scenarios have been realised, it would be possible to create a special game environment for several roles, e.g. the hacker scene, the network security employee, etc., to give the player some variety. This would also open up the opportunity to create several versions of the same scenario with some differences.

7.3 Missions

New missions could always be included in the game. On the one hand this brings more depth and colour to the game; on the other it could also bring newer, advanced technologies into the game.

Teamwork missions: It would be nice if the game included missions where two or even more players have to work together on a single mission to find the solution. It would even be possible to include missions where the players have to work in teams and try to beat the other team(s).

7.4 Graphics

If you think about a sequel to the game, you should make some changes and improvements to the graphics, because that is the first thing a player will notice. But there are also some improvements that add functionality:

A player's items should be visible on his character, if possible. While a pocket item like a coin would not be visible, fancy clothing, bags or devices (like a laptop or a vacuum cleaner) should be shown.

Different character images for the player to choose from when he creates a new character would make the game more personal for the player.

Several different tilesets for the Flash game graphics would give different looks to the environment where the players walk around and make everything a little more fun.

7.5 Real world and 2D-Game relationship

To keep the relationship between the 2D game and the real world in the player's mind, it would be helpful to log some NPCs in on real machines in the network. If the player checks the user processes he will recognize some names of the NPCs and be reminded of the 2D game.

7.6 Content creation for the 2D-Game

All 2D-game-related objects like maps, NPCs, etc. should be created through one single editor. This would reduce the complexity for the tutors and make the creation of new content much faster.

A Capability planning[fe]

A.1 Personnel planning

The personnel planning was arranged on one weekend during a trip to Cuxhaven. First we found out which topics we had for the whole project. We found seven big topics: "Scenarios", "2D-Game", "Webinterface", "Authoring Gateway", "Rule and Rights", "Tutorialimplementation" and "Wiki". Every person then had to choose one of the first three topics he would like to work on. Afterwards the last four topics were combined with the first three: "2D-Game" with "Rule and Rights" and "Tutorialimplementation", and "Webinterface" with "Authoring Gateway" and "Wiki". "Scenarios" was left on its own. Now we had three big groups and every group had its functionality:

Group 1: Scenarios

a) Researching: scenarios, hacking situations and tools
b) Implementation of the scenarios
c) Remote desktop
d) Content connection to the wiki and the quizzes

Group 2: 2D-Game

a) Concept: including help functions, time pressure and personalisation
b) Interaction implementation
c) Graphics and design in/of the 2D world
d) Map editor
e) Playing with active help
f) Self-assessment

Group 3: Webinterface

a) Usability and navigation
b) Design
c) Corporate design
d) Interface: administrator, author and player
e) Wiki: functionality, searching and editing
f) Wrapping and metaphor

The following persons took the following group:

1. Group 1: M. Toepfer, A. von Oehsen, R. Brauer, T. Schroeder, J. Leins, J. Panten, P. Meyer, C. Gaisser

2. Group 2: S. Graul, F. El-Khatib, A. Fink, J. Urbschat, C. Schnackenberg, D. Luers

3. Group 3: D. Gieseler, A. Rossner, M. Friedrich, T. Rosenberger, S. Deltchev

But this wasn't the whole work! Everybody also held several jobs. There were some extra jobs that had to be worked out:

1. Objectives, making-of, contact: worked out by R.B. and A.R.
2. Editorial record, standard format and dates: worked out by C.G.
3. Sheet design (flyer, poster, handouts): worked out by
4. Play concept and further development (vision concept, manual): worked out by T.R., S.G. and A.F.
5. Source administration (code, manuals, docs, protocols): worked out by J.U.
6. HW access topology ("plugging"): worked out by T.S.
7. Net topology installation (manual): worked out by M.T. and A
8. Game-play server installation (manual): worked out by J.L. and S.D.
9. Net lab Wiki: attaching and administering, worked out by J.P.
10. Research on analogous "hacking games": worked out by D.L. and P.M.
11. Gantt diagram: worked out by F.E.
12. Image film (2 min.): worked out by NOT DECLARED

The results of almost all of these are described in this documentation.

A.2 Time management with Gantt-Diagram

The Gantt chart is a bar chart that illustrates a project schedule. The horizontal axis shows the start and finish times of the project. In the first column you find the activities of the project. The duration of an activity is visualised by the length of its bar under the time line; a longer bar means more time. Dependencies between activities are illustrated by arrow connections from one bar to another; they are derived automatically from the declared start and finish dates of the activities. The current position in the working procedure is displayed by a red vertical line at the current date. If there are too many activities, the Gantt diagram can very quickly become unclear; for more activities you should use the "Net-plan". Here you see the Gantt diagram of the last planned week of SHiNE's working procedure:

Figure 28: Gantt-Diagram

As you can see, the Gantt diagram is in German. In the right column you will find the groups declared in the last paragraph and their specialisations.

In the end this means the Gantt diagram was developed by the whole SHiNE group, which makes it all the more special and important for everyone to see at any time at which stage the project is.

B External presentation

B.1 Flyer, poster, handouts [dg, cs]

Our assignment was to develop two versions of posters and a flyer/handout. On the one hand there had to be a poster for the faculty staff and another one for the students.

We decided to go into two different directions. One way was "less is more" and the other one was "more is more". For the students there had to be something eye-catching, something mysterious, something that arouses the will to find out more about this project. For the faculty staff there had to be a lot of information about the project, its goals, its setup and its benefit for their faculty.

Below there are the two different versions for the faculty staff and the students.

Figure 29: Poster used to promote the project to the faculty staff


Figure 30: Poster used to promote the project to the students

The flyers/handouts were supposed to follow the concept of the students' poster. The difference was that only the front was supposed to evoke the mysteriousness, while the back should give more information about the project. The flyer is somewhat a mash-up of the poster for the faculty staff and the poster for the students.

Figure 31: Front and back of flyers

B.2 Website [rb, ar]

The website follows the same design rules (see styleguide) as the rest of the game. It has a contact page, a list of the team members, a summary of some project info and a statement drawing attention to the hacker paragraph. The site package can be found at https://www.netzlabor.hs-bremen.de/wiki/images/c/c9/SHiNE Site.zip.


Figure 32: Screenshot of the homepage

C 2D-Game

C.1 Script [fe, af, sg]

Script for the stories

D = stage direction, B = boss, J = janitor, Jdc = janitor (department-chief office), DC = department chief, Sp = secretary (player's office), Sdc = secretary (department chief), L = Larry, Cc = cellar colleague, C = colleague (player's floor), P = player, A = announcement voice, T = net-department chief

Linux-Basics

D: The player is greeted in the office of the department chief as a new employee. He has to speak with him. Every other NPC tells him that he has to report to the department chief.

DC: Hello newbie, we greet you at your new work as our employee. We hope that your work will be easy for you. I have to inform you that we only work with Linux on our computers. I'm sorry, but I don't have the time to give you an introduction, but ask my secretary. She will give you your next instructions.


D: The player has to speak to the secretary. Every other NPC tells him that he has to report to the secretary.

Sdc: Hi, newbie! Your office is down this floor on your right-hand side. I've put some teaching materials on your desk. Please read them so that you get familiar with your new work.

D: The player is now free in what he does. He can explore the parts of the company that are accessible to him. Every other NPC tells him something, but nothing very important. He can talk to everybody, or he goes directly to the teaching materials. He also has the possibility to ask again. The teaching materials will tell him: Linux Basics:

- find out in which directory .log files are normally saved
- check the log files; one of them must mention a 'secret tool'
- copy this log file to your home directory
- detect the IP address of your system
- rename the log file in your home directory with your IP address; don't forget the .log extension

Afterwards he has to report the accomplishment to the teaching materials. The player has accomplished this mission and gets his gratification! This is the player's first mission, which he has to accomplish before he can do any other mission.

VI

D: The Linux-Basics are finished now. The player has to speak with Larry to start this story part.

L: I'm angry at the DC. He prohibited me from playing on the computer during working time and also docked my salary. But I'm really sure that he's playing the whole time, also at this moment! Can you help me to change my salary back to the original amount and nettle him while he is playing, so that he notices that he also has to follow the rules?

D: If he answers that he will do this mission, the player has to connect from his desk to the computer of the DC and close the game application. Until he has accomplished this mission, Larry will only tell him what exactly he has to do:

L:

- find a file on your system which contains the string "Myrath"
- modify the file in the following ways:
  - delete the data set of "Bill Jobs"
  - change the salary of "Steve Gates" to 100.000
  - add a "holiday" section with a value of 30 to every employee
- save the changed file

D: All other NPCs tell him their small talk.

After he has finished the task he has to speak with Larry again.

L: Thank you, man! The DC is crying like a baby. I think you want your gratification of 800?! Here you have it!

D: The player gets his gratification and has finished the mission. From now on every other FIRST MISSION (after Linux-Basics) is available again if it is not finished yet, and so are the next missions after VI: ARP-Scenario, John the Ripper and Hydra.

Hijacking

D: After the player has finished the ARP-Scenario, the janitor now tells him something if he talks to him!

J: Hey newbie, take the phone on your desk now if you want to have a VIP mission!!!

D: From now on the player is able to get a new mission by answering the phone call.

T: Our company has no access to the web server anymore. Somebody seems to be establishing a connection to the router right now. We need a person of outstanding abilities! The intruder has to be stopped! Please, help us!

D: The player has to get familiar with ettercap, connect to the net and throw the invader out. While he hasn't finished the mission and answers the phone, the voice on the other side tells him: Please help us to find the invader! Also all other NPCs will tell him their small talk.

When he has finished all tasks, he has to answer the phone to accomplish this mission and get his gratification.

T: Good job newbie! You got it, the server is open now.

D: The player accomplished this mission and gets his gratification!

Domain

D: After the player has finished the Linux-Basics, he gets an e-mail on his laptop.

A: Hey newbie, please come to the boss! He wants to see you. You find him on the second floor.

D: The player has to go through the staircase. On his way he finds an old rotten key, which he can take. When he reaches the chief's department, he has to go to the boss and talk to him.

B: Hi newbie, we want to make a provider change to save more money! I think I don't know anymore what the configuration specifications are, but I know there is a list containing useful records. Can you check the list and find out the records of our domain?

D: If the player says "yes", he accepts this mission and the boss will tell him: Are you ready newbie? Check the list and find out the records of our domain! Also all other NPCs will tell him their small talk.

When he finishes this task, he has to speak to the boss again.

B: Good job, boy! Now what the hell are you still doing here?!

D: The player accomplished this mission and gets his gratification!

DNS-Basics

D: After the player has finished the Linux-Basics, he gets an e-mail on his computer.

A: Hey newbie, please come to the boss! He wants to see you. You find him on the second floor.

D: The player has to go through the staircase. On his way he finds an old rotten key, which he can take. When he reaches the chief's department, he has to go to the boss and talk to him.

B: The company wants to set up its own mail server for less spam in the inbox. For this we need to find out how to set up DNS entries. Can you check the required domain entries and put them into a list, please?

D: If the player says "yes", he accepts this mission and the boss will tell him: Are you ready newbie?! Check the required domain entries and put them into a list! Also all other NPCs will tell him their small talk.

When he finishes this task, he has to speak to the boss again.

B: Good job, boy! Now what the hell are you still doing here?!

D: The player accomplished this mission and gets his gratification!

DNS-Server

D: After the player has finished the Domain or DNS-Basics mission, he can talk to a colleague in the coffee kitchen.

C: Hello newbie, can you do me a favour?

D: If the player answers "yes", he accepts the mission, and the colleague goes to the elevator and waits in front of the door until the player reaches him. All other NPCs will tell him their small talk.

C: Let’s take the elevator down to the cellar!

D: The colleague has a key card for the elevator, so the player can use the elevator with him. Together they reach the cellar, and the colleague talks to him again. The player is not able to leave the cellar until he has finished this task.

C: The company wants to set up its own mail server for less spam in the inbox, and a new web server. Also we need to allocate a new reverse zone and a new zone for our subnet. The "zone thing" you can do if you like, but if you do it, do it correctly!

D: Until he is ready, the colleague will say: The mail server and the web server ARE FINISHED?! I DON'T THINK SO!!! When he is ready, he has to speak to him again.

C: Thanks! I see you found my old rotten key! Give it to me and I'll give you my key card for using the elevator.

And by the way, I warn you against telling anybody!!!

D: The player accomplished this mission and gets his gratification!

NMAP

D: The Linux-Basics are finished now. The player has to read the flyer hanging on the blackboard to start this story part.

F: The company has noticed some unallowed accesses to private data of the company in the last week. To prevent this, the company closes 90 percent of all available ports! This measure is initiated only for security.

The net-department!

D: After he has read the flyer, the colleague next to the blackboard will talk to him.

C: All my lovely pages on the internet are blocked and I can't visit them anymore. Also I'm not able to check my emails anymore. Can you help me?

D: If the player says "Sure, I help you", the colleague will answer until he has finished this task: Please check out which pages I'm supposed to visit!

The mission is quite clear. The player has to use the program Nmap to find all open ports! Until he has finished this task, he isn't able to do any other mission, and all other NPCs will tell him their small talk.

Afterwards he will say: Thank you for your help! Here is your gratification!

Mission accomplished!

Honeypot

D: After the player has accomplished NMAP and hasn't gone to the DC's office, he gets a call from the net administration.

T: Please come to the net department in the cellar! I have a job for you, if you want.

D: When the player wants to go there, he has to enter the elevator and choose the cellar. When the player reaches the cellar, the cellar colleague (who is the net administrator) will welcome him at the door.

Cc: Hi newbie, my brother works at the competitor's company, also as net administrator. I want to know how well he secures his network, but I cannot try it myself. He knows how I work, so he would directly know that it is me. Please, can you help me?

D: If the player answers "yes", he accepts to do the task. If he tries to talk to the colleague, he will answer until he has finished this task: You aren't ready with the security test yet, are you?! Also all other NPCs will tell him their small talk.

Afterwards he will say: Thank you for your information! Here is your gratification! You can go back to your work, but don't tell anybody you helped me!

The player has accomplished the mission, gets his gratification and can do any other mission.

snort 1

D: After the player has accomplished NMAP and next enters his office, a secretary also enters his office.

Sp: The department-chief wants to see you. Go to the executive suite and talk to him.

D: When the player enters the office of the DC, he accepts the mission and the DC talks to him.

DC: There you are! You can show me what you can do. The IDS tool "snort" scans the traffic on the internet and in the DMZ. The scanner is probably down on one of the two interfaces! Find out which interface isn't scanning anymore and start snort there anew with the right configuration!

D: The player has to check in the net which computer is a VM. While he isn't ready, the DC will say to him: You haven't finished yet! Tell me which interface isn't scanning anymore! Also all other NPCs will tell him their small talk.

When he finishes the task and talks to him again, he will answer something else.

DC: Well done newbie! Here you have your gratification!

D: The mission is accomplished and he gets his gratification, but now the janitor will stand in front of the door and block it.

Jdc: I am cleaning here, I don’t have time for any conversation!

D: The player has only one thing he is able to do: speak with the DC again!

snort 2

DC: Good that you are still here. I have another task for you, where you can prove your Snort skills. There is a problem in the network. The snort rules seem to be attached incorrectly. Secure the network against port scans.

D: The player isn't able to choose whether he wants to do this mission. If he talks to the DC again while the mission isn't finished, he says: Have you secured the network against port scans yet?! I don't think so! Also all other NPCs will tell him their small talk.

When he finishes the task and talks to him again, he will answer something else.

DC: Well done newbie! Here you have your gratification. Now go back to work!

D: The janitor isn’t blocking the door anymore. The mission is accomplished and he gets his gratification.

C.2 Realisation Flash-Client [cs, ju]

C.2.1 Game server interface [cs, ju]

This section gives you a detailed overview of the communication between the game server and the flash game. It also contains a brief summary of the data topology and shows how the game is initialized.

The interface between the game server and the flash game has been completely rewritten. The link between them is AMFPHP, which allows Flash to call remote PHP functions. All functions mentioned in the following are Flash-compatible PHP functions.

Basically there are four subjects for the interface: access to the object data, session handling, scenario notification and finally skill unlocking and scoring.

Once the game is started, it has to ask the game server for the objects located in its database. This is done by calling the method "getObjectData". It returns a set of three arrays with the XML description for all objects (see figure 33).

Figure 33: data topology of the flash game

The next step is handling the session data. It has to be checked whether a saved session exists and on which map the player is located. If there is no saved session, the first map is used by default. Furthermore all states are set to the session state. Whenever a state is changed, it is sent to the game server immediately. Therefore the set methods are split up into sub-methods (see figure 34 for the flash game setup). Session functions:

• getSession (states of all objects and the player)

• setSessionPlayer (saves session of the player object)

• setSessionNpc

• setSessionItem

• setSessionTriggerArea

While the active state machines are handled by the flash game, the scenarios are completely processed by the game server. The flash game only unlocks the necessary skills for a certain scenario, but the scenario is started by the HTML-based PDA and "played" with the console (and further network tools). One drawback of the topology is that the game server has no way to send events to the flash game. It is simply not possible, e.g. the user may have closed the browser while he is playing a scenario. To provide an understandable story line it is important for the flash game to "know" when a scenario has been completed. This problem was solved by using a notification mechanism. The game server knows very well which scenarios are completed. When the flash game is initialised, it asks for a list of completed scenarios. The user could have solved more than one scenario, so it is a list. Each list entry contains a variable with its notification state. If the notification is "false", the flash game has not noticed the completion yet. In the next step it sends the event "scenario completed" to its state machines and marks it as "notified". Through this approach the game is able to inform the state machines, and the story can consider completed scenarios.

Figure 34: initialisation of the flash game (activity diagram; the recoverable steps are listed here)

- Start of the 2D adventure: the Flash movie is loaded
- load all state machines from the game server (XML; contains the XML for NPCs, items and trigger areas)
  - [error] show error, exit
  - [data received] create state machines for each object
- load last game session
  - [no game session exists] choose first map
  - [game session available] read map id from game session
- load map
  - [error during loading] show error
  - [map loaded] try to load the path file (contains the waypoints)
    - [not found] ignore path
    - [found] create waypoint path
- create the objects for the map (the needed objects are determined by the loaded map)
- start game loop; ready

Scenario functions:

• getCompletedScenarios

• setCompletedScenarioNotification
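The notification handshake described above, as an added example that is not part of SHiNE's code: an in-memory stand-in for the game server and the client-side initialisation step, written in JavaScript. The function names getCompletedScenarios and setCompletedScenarioNotification come from the page; the record shape {scenarioId, notified} and the scenario ids are assumptions.

```javascript
// Added example (not SHiNE's own code): completed-scenario notification
// between the game server and the flash client, modelled in plain JavaScript.

// Server side: only the game server knows which scenarios are completed.
class GameServer {
  constructor() {
    this.completed = new Map(); // scenarioId -> notified (boolean)
  }
  // Called by the scenario engine when the player solves a scenario.
  completeScenario(id) {
    if (!this.completed.has(id)) this.completed.set(id, false);
  }
  // List every completed scenario with its notification state (assumed shape).
  getCompletedScenarios() {
    return [...this.completed].map(([scenarioId, notified]) => ({ scenarioId, notified }));
  }
  // The client acknowledges that it has consumed the completion.
  setCompletedScenarioNotification(id) {
    if (!this.completed.has(id)) throw new Error(`scenario ${id} is not completed`);
    this.completed.set(id, true);
  }
}

// Client side: on initialisation, pull the list and hand every not-yet-notified
// completion to the state machines, then acknowledge each one.
class FlashClient {
  constructor(server) {
    this.server = server;
    this.events = []; // stands in for the events sent to the state machines
  }
  initialise() {
    const delivered = [];
    for (const { scenarioId, notified } of this.server.getCompletedScenarios()) {
      if (notified) continue; // already consumed by an earlier session
      this.events.push({ type: "scenario completed", scenarioId });
      // Acknowledge only after the event has reached the state machines: if the
      // browser is closed in between, the entry stays "false" and is re-delivered
      // next time, so a completion can be delivered twice but never lost.
      this.server.setCompletedScenarioNotification(scenarioId);
      delivered.push(scenarioId);
    }
    return delivered;
  }
}

// Constructed sample run: the player solves two scenarios while the 2D game is
// not running, then starts the flash game twice.
function sampleRun() {
  const server = new GameServer();
  server.completeScenario("arp-spoofing");
  server.completeScenario("hijacking");
  const first = new FlashClient(server).initialise();  // both delivered
  const second = new FlashClient(server).initialise(); // nothing left to deliver
  return { first, second, state: server.getCompletedScenarios() };
}
```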

Finally there is a function to unlock a certain skill and the player score can be changed.

Skill/Score functions:

• unlockSkill

• changeScore (increase and decrease)

C.2.2 The tile map [cs, ju]

The chosen map editor "Tiled" allows creating maps very easily, but it has the drawback that no object placement is supported. To solve this problem we introduced a workaround with special properties that can be attached to different map parts. This is a short introduction to the implemented properties needed to create a SHiNE-compatible map with the Tiled editor.

Figure 35: entire tile map

Basically a tile map consists of an arbitrary number of layers (see figure 35), tilesets (see figure 36) and tiles.

In our implementation there is a special layer type: "object layer". To create an object layer, just add the property "type=objects" to the layer (see figure 37). You are now allowed to place objects on this layer.

Figure 36: tileset and a layer

Figure 37: create an object layer

There are four types which can be placed on the object layer:

• npc

• items

• triggerAreas

• spawnPoints

Each type has to be configured with a property in the used tileset. Keyword list (attention: they are case sensitive):

• NpcId: this has to be the global object id from the XML.

• TriggerId: this has to be the global object id from the XML.

• ItemId: this has to be the global object id from the XML.

The spawn point is a position where the player can enter a map. Whenever a map change occurs, the designer always has to decide not only which map follows but also a certain spawn point. Each map has its own set of spawn point ids. To define one, just add SpawnPointId to a tile and place it on the object layer.

Another important subject is collision. It is recommended to create an extra layer to be independent from the graphical parts. With the property "visible=false" the entire layer can be hidden. The next step is to attach a tile with the property "block=true". Now the player is unable to pass the blocked tiles (in figure 35 the red area is the collision layer).

C.2.3 Scene management and animations [cs]

Especially for the designer it is essential to understand certain aspects of the scene management and the animations. This is a short introduction to the behaviour of the graphical objects and how they can be controlled properly.

First it is necessary to understand that, due to the depth effect of the scene, each object has to be sorted. This is done internally by the flash game. Unlike most other graphical object placements, a sprite object in SHiNE is always controlled by its centre-bottom (see figure 38). This is important for creating the collision area.

Figure 38: anchor of a sprite

The new adventure world of SHiNE allows NPCs to walk around freely. Internally the game determines the current angle in which the object looks. If the character walks eastwards the angle is 0, if it walks southwards it is 90, and so on. The actual angle is not relevant for the designer. Important: for each angle a different animation is needed. It is obvious that the graphics staff cannot draw an animation sequence for each possible angle, so the designer has to decide how many directions are supported.

Our goal was to free the designer from thinking about which animation should be used for a certain angle. The designer can draw as many sequences as he wants, and the flash game decides which one is appropriate for the current angle. As in figure 39, four directions are a possible amount.

Figure 39: sprite with four different directions

The designer just has to put the animations in the correct order and the flash game will choose the best animation. Just start with the east (or right) direction and rotate the animations clockwise. One major benefit of this approach is that it is very flexible, especially when thinking about 3D-animated objects. With a 3D object it is possible to have eight or even 16 animation directions, and that can already be handled by the current implementation.

Each object has one image as its animation source. The animation source, usually a PNG image, must contain all animation frames. The size of the object is identical to its frame size. The first animation frame gets the id '0', the one on its right-hand side '1', and so on (like the reading direction). The id is independent of the number of rows or columns, so reorganising an object image has no effect as long as the id order is not mixed up (figure 40 shows an object image with its ids).

One or more animation frames can be grouped together with an animation script. The script is the description of one animation sequence. Basically the script is a string. The simplest script is the id of a certain animation frame: "5" will show the animation frame with the id '5'. More advanced effects can be gained with a leading ':' (colon). Now the flash game treats the string as a script and requires a certain structure:

:<first frame id>-<last frame id>,<duration>

The first value is the id of the first animation frame, the second value is the id of the last animation frame, and the third value is the time each frame is shown.

The script is a loop: it begins with the start frame, and after the duration time has elapsed it shows the next frame, until the end frame is reached (figure 41 shows a full example).
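An added example in JavaScript (not the project's own ActionScript) that parses the animation script format above and picks the direction sequence for a look angle as described in this section (east = 0, clockwise, sequences ordered east-first). The class and function names are assumptions, and the sample scripts are constructed.

```javascript
// Added example (not SHiNE's own code): animation scripts ":<first>-<last>,<duration>"
// or a bare frame id, plus angle-to-direction selection for an animation set.

// Parse one animation script string into { start, end, duration }.
// A bare id like "5" is a single static frame; a leading ':' marks a loop.
function parseAnimationScript(script) {
  const s = script.trim();
  if (!s.startsWith(":")) {
    const id = Number(s);
    if (!Number.isInteger(id) || id < 0) throw new Error(`bad frame id: ${script}`);
    return { start: id, end: id, duration: Infinity };
  }
  const m = /^:(\d+)-(\d+),(\d+)$/.exec(s);
  if (!m) throw new Error(`malformed animation script: ${script}`);
  const [start, end, duration] = m.slice(1).map(Number);
  if (end < start) throw new Error(`end frame before start frame: ${script}`);
  if (duration <= 0) throw new Error(`duration must be positive: ${script}`);
  return { start, end, duration };
}

// Frame id shown at elapsed time t for a parsed script; the loop wraps back
// to the start frame after the end frame has been shown.
function frameAt(seq, t) {
  const frames = seq.end - seq.start + 1;
  if (frames === 1 || !Number.isFinite(seq.duration)) return seq.start;
  return seq.start + (Math.floor(t / seq.duration) % frames);
}

// Map a look angle in degrees (0 = east, 90 = south, clockwise) to the index
// of one of n direction sequences that are ordered east-first, clockwise.
// Works for any n (4, 8, 16 ...), which is what the text promises.
function directionIndex(angle, n) {
  const step = 360 / n;
  const a = ((angle % 360) + 360) % 360; // normalise negative angles
  return Math.round(a / step) % n;
}

// An animation set: one script per supported direction.
class AnimationSet {
  constructor(scripts) {
    this.sequences = scripts.map(parseAnimationScript);
  }
  // Frame to draw for an object looking at `angle` after `t` time units.
  frameFor(angle, t) {
    const seq = this.sequences[directionIndex(angle, this.sequences.length)];
    return frameAt(seq, t);
  }
}

// Constructed sample: four-direction walk cycle, three frames each, 100 units per frame.
const walk = new AnimationSet([":0-2,100", ":3-5,100", ":6-8,100", ":9-11,100"]);
```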

Figure 40: complete sprite object

Figure 41: full object animation description in XML

C.2.4 Pathfinding [cs, ju]

As already mentioned, NPCs can walk around in the game world. This is achieved with an extra waypoint map for every map. The waypoints are basically coordinates that the map or waypoint creator places reasonably in the world. These waypoints can be connected and thereby make it possible for an NPC to get from one waypoint to another. To control the path the NPC would take, it is possible to add costs to the connections (i.e. the ways); the higher the costs, the more unlikely it is that an NPC will take that way. After all these waypoints and connections are set, they add up to a graph structure which can be searched by various algorithms. We decided to use the A* (spoken "A star") algorithm because it is one of the fastest with the best results; it can even return the optimal way with the right parameters. The pseudocode looks quite simple, and even the theory behind it is not much more. You can think of two lists: the first contains all points you have already looked at, our closed list, and the second one contains all the unknown points, our open list. Now you take your start point and search for the next reachable point that is the closest one to your goal and has the lowest costs. Afterwards you take the point you just found as your new start point, put it in your closed list and start the same process again. If your next node is the node you are looking for, you have found your way. Now you have a closed list that contains all nodes that you must follow to reach your destination point. In pseudocode it would look like this:

function A*(start, goal)
    var closed := the empty set
    var q := make_queue(path(start))
    while q is not empty
        var p := remove_first(q)
        var x := the last node of p
        if x in closed
            continue
        if x = goal
            return p
        add x to closed
        foreach y in successors(x)
            enqueue(q, p, y)
    return failure

[3]
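An added worked implementation (not SHiNE's own code) of the waypoint search described in this section: A* over a small constructed waypoint graph with designer-assigned connection costs, written in JavaScript. The names WaypointField and findWayFrom follow the project's class diagram; the cost model (straight-line length of a connection times a weight of at least 1) is an assumption chosen so that the straight-line distance remains an admissible heuristic.

```javascript
// Added example (not SHiNE's own code): A* pathfinding over a waypoint graph.
// Waypoints are coordinates {id: {x, y}}; connections are [a, b, weight] with
// weight >= 1 (default 1), which the designer raises to make a way unattractive.

const EPS = 1e-9;

class WaypointField {
  constructor(waypoints, connections) {
    this.nodes = new Map(Object.entries(waypoints).map(([k, v]) => [Number(k), v]));
    this.adj = new Map();
    for (const id of this.nodes.keys()) this.adj.set(id, []);
    for (const [a, b, weight = 1] of connections) {
      if (!this.adj.has(a) || !this.adj.has(b)) throw new Error(`unknown waypoint in ${a}-${b}`);
      if (weight < 1) throw new Error(`weight below 1 breaks the heuristic: ${a}-${b}`);
      const cost = this.distance(a, b) * weight; // connections are two-way
      this.adj.get(a).push({ to: b, cost });
      this.adj.get(b).push({ to: a, cost });
    }
  }

  // Straight-line distance between two waypoints. With weights >= 1 it never
  // overestimates the real remaining cost, so A* stays optimal with it.
  distance(a, b) {
    const p = this.nodes.get(a), q = this.nodes.get(b);
    return Math.hypot(p.x - q.x, p.y - q.y);
  }

  // Returns the waypoint ids from start to goal (inclusive), or null if no way exists.
  findWayFrom(start, goal) {
    if (!this.nodes.has(start) || !this.nodes.has(goal)) return null;
    const g = new Map([[start, 0]]); // cheapest known cost from start
    const parent = new Map();        // predecessor on the cheapest known way
    const closed = new Set();        // closed list: nodes already expanded
    const open = [{ id: start, f: this.distance(start, goal) }]; // open list
    while (open.length > 0) {
      // Take the open node with the lowest f = g + h (a linear scan is enough here).
      let best = 0;
      for (let i = 1; i < open.length; i++) if (open[i].f < open[best].f - EPS) best = i;
      const { id: x } = open.splice(best, 1)[0];
      if (closed.has(x)) continue;
      if (x === goal) return this.reconstruct(parent, goal);
      closed.add(x);
      for (const { to: y, cost } of this.adj.get(x)) {
        if (closed.has(y)) continue;
        const tentative = g.get(x) + cost;
        if (tentative < (g.get(y) ?? Infinity)) {
          g.set(y, tentative);
          parent.set(y, x);
          open.push({ id: y, f: tentative + this.distance(y, goal) });
        }
      }
    }
    return null; // goal not reachable from start
  }

  reconstruct(parent, goal) {
    const path = [goal];
    while (parent.has(path[0])) path.unshift(parent.get(path[0]));
    return path;
  }

  // Total cost of a way, useful to see which corridor the NPC was steered into.
  pathCost(path) {
    let sum = 0;
    for (let i = 1; i < path.length; i++) {
      const edge = this.adj.get(path[i - 1]).find(e => e.to === path[i]);
      if (!edge) throw new Error(`no connection ${path[i - 1]}-${path[i]}`);
      sum += edge.cost;
    }
    return sum;
  }
}

// Constructed sample: a corridor 0-1-2-3 around a room (length 50) and a
// shortcut 0-4-3 straight through it (length 30) whose connections carry
// weight 5, because the designer wants NPCs to avoid that room.
const sampleField = new WaypointField(
  { 0: { x: 0, y: 0 }, 1: { x: 0, y: 10 }, 2: { x: 30, y: 10 }, 3: { x: 30, y: 0 }, 4: { x: 15, y: 0 } },
  [[0, 1], [1, 2], [2, 3], [0, 4, 5], [4, 3, 5]]
);
```

Dropping the weights from the two shortcut connections makes findWayFrom(0, 3) return the geometrically shorter way [0, 4, 3] instead.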


C.2.5 Class diagram [cs, ju]

Class diagram of the SHiNE Flash client (UML figure; only the notes and package contents that can be recovered from it are kept here).

This diagram shows the major concept of the SHiNE Flash-Game 2D-Adventure client. All major classes are included and also the main connections between them. It is subdivided into three parts (the different parts can be identified by their package colour):

- UI (GraphicEngine, user input): contains the graphical interface to the user and also the input issues.
- Core (GameController): a link between the UI and the Engine.
- Engine (GameServerInterface, StateMachineEngine): contains the handling of the states and dispatches events. Additionally it holds the interface to the remote game server.

Packages and their main classes:

- FlashGame: programme start (main()).
- de.shine.ui.dialogs: DialogBox, IDialogBoxListener.
- de.shine.ui.graphics.tileEngine: TileSource, Tile, TileLayer, TileMap, TileRenderer, MapCamera, ICameraObject, MapEvent.
- de.shine.ui.graphics.animation: AnimationSet, AnimationScript, AnimatedSprite. The AnimationSet combines several animation scripts into a fully pseudo-3D object; depending on the angle value it chooses the correct animation script, so the underlying programme does not need to determine which animation script is the correct one for the given view angle.
- de.shine.ui.input: InputManager, IController. The input manager is an approach to handle the different input layers of the game. Each object that needs to observe the global inputs (mouse, keyboard) has to implement IController and is pushed to the InputManager, which dispatches the input events to the correct IController.
- de.shine.ui.AStar: WaypointField (findWayFrom(startNodeId, endNodeId), findNodeByPos(x, y)), based on de.polygonal.Graph.
- de.shine.ui.graphics.scene: SceneManager (handles the entire scene), GameSprite, ObjectSpace.
- de.shine.ui.graphics.collision: IntersectShape, IntersectRect, IntersectCircle.
- de.shine.ui.sound: currently not implemented.
- de.shine.core.map and de.shine.core.game: Map (contains graphics and the needed objects), MapLoader, ShineMapLoader, AnotherMapLoader, IMapLoadListener, NpcInfo, TriggerAreaInfo, ItemInfo, SpawnPoint, Game, GameObject, ObjectManager, Npc, Item, TriggerArea, Player, NpcState, ItemState, TriggerAreaState, IGameActionListener, IGuiInvoker. All interactive objects are game objects.

This parser is especially created for the Tiled Editor map format. Just override "parseMap" to support a new level format

de.shine.engine de.shine.engine.stateMachine

hashmap Can contain an arbitrary amount of KeyValueMap key/value pairs. The logical +addData(key : Object, value : Object) : void ItemDescription TriggerAreaDescription PlayerDescription NpcDescription correctness of the data has to be -state : State -state : State -lookAngle : Number -position : Vector2D ensured by the object that uses the -id : int -id : int -position : Vector2D -id : int state -state : State -lookAngle : Number

IGameEngineListener State EventList EventTriggerList +onStateChange(id : int, newState : StateData) -events : EventList +addEvent(eventId : int, stateId : int, triggerList : EventTriggerList = null) -triggers : Array +onPingResult(duration : int) : void -id : int +getStateByEventId(eventId : int) : int -gameTrigger : Array +onMapDataLoaded(xml : Xml) : void -name : String +getTriggersById(eventId : int) : EventTriggerList +addTrigger(trigger : EventTrigger) +onLoadStateLoaded(loadState : LoadState) : void +addData(key : Object, data : Object) +addGameTrigger(trigger : GameTrigger) : void +onError(error : String) : void +getData(key : Object) : Object +execute() : void +onEngineInited() : void +contains(key : Object) : Boolean +getEventTrigger() : Array <> GameState -mapId : int Contains the entire state of a certain -npcDescs : Array StateMachine game. EventTrigger -itemDescs : Array -states : Array GameEngine -triggerAreaDescs : Array -currentState : State -stateMachineId : int -userId : int -playerDesc : PlayerDescription -listener : IStateMachineListener -triggeredEventId : int -listener : IGameEngineListener -id : int +EventTrigger(machineId : int, eventId : int) +GameEngine(userId : int) ~allMachines : Array +ping() : void +addState(state : State) : void +getMapById(mapId : int) : void +dispatchEvent(eventId : int) : void GameTrigger +loadGameState() : void +initGameEngine() : void -listener : IGameTriggerListener +createObjectById(objectId : int) : ObjectInfo +GameTrigger(listener : IGameTriggerListener) +execute() : void IStateMachineListener +onNewState(machine : StateMachine, oldState : State, newState : State) : void +initFirstState(machine : StateMachine, state : State) : void

ObjectInfo This contains the interface to the game engine SkillTrigger ChangeScoreTrigger ChangeMusicTrigger and to the state-machine-engine. -gainedSkillId : int -scoreChange : int -newTrackName : String IGameTriggerListener +onNewSkill(newSkill : int) : void +onScoreChange(changeValue : int) : void +onChangeMusic(newTrack : String) : void

By clicking the zoom-button the diagram can be scaled up.

bachelorproject ws 07/08 SHiNE 90

D Game topology

D.1 Manual Net Topology installation [jl, mt, aoe]

The topology is composed of 2 routers, 3 switches and 10 PCs, which are separated into different areas. The first area is the game internet, the VPN environment with connections to other polytechnics. The second area is the DMZ (demilitarized zone), which is accessible from the game internet and offers services such as HTTP, email, FTP and others to all game internet users. "The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network." [4] The third area is the local LAN, which is itself divided into 5 VLANs with different security options.

Figure 42: Game Topology

D.1.1 Activating the topology on the PCs

The PCs provide a dual-boot installation option. With this option a user can set up either a normal lab PC or a preconfigured PC with the integrated game topology. The installation is based on FAI - Fully Automatic Installation [5] by Thomas Lange. This installation environment lets us set up every PC of the game topology on any physical PC in less than an hour, fully automatically; the only interaction is to choose the wanted game PC.

After installation the PC is ready to use; the only missing step is to start the hacking game. Starting it manually is owed to the dual use of the PCs: if the hacking game isn't started, the PC is usable as a lab PC; starting the hacking game brings up the network topology and the needed services automatically.

To start the hacking game, run as root:

/etc/init.d/hackinggame start

D.1.2 Setting up the network devices

The switches and routers are accessible through their console ports. For the topology installation it is necessary to connect the console port of a network device to a PC. After the physical connection, a serial console session has to be started. A very handy tool in UNIX environments is minicom [6]. This tool offers the serial command line through which we can configure the network devices.

To configure the devices it is sufficient to copy and paste a given configuration into the minicom window, but it may be necessary to activate interfaces by hand. Keep in mind that some commands do not work on every IOS version. So be careful and watch what you are doing.

The installation of the network devices should be done by a person with advanced networking knowledge. It can be very simple if the IOS version and feature set of the Cisco devices are the same as in the given base configuration, but if something differs, problems may appear.

D.2 Manual Game server installation [sd]

D.2.1 Linux installation

Installation at HS Bremen

The SHiNE game is stored as a package on the game server (pc34 in room 311)

To install the game:

Log in at the Debian game server - user: stud, password: rtk222

Start the command shell

Add to /etc/apt/sources.list (e.g. with vim) - deb http://www.nets-x.hs-bremen.de/shine/ ./

and execute:

apt-get update - to update the sources list

apt-get install shine - to install the game

To install SHiNE on another Debian computer:

Log in as admin

Start the command shell

Add to /etc/apt/sources.list (e.g. with vim) - deb http://www.nets-x.hs-bremen.de/shine/ ./

and execute:

apt-get update - to update the sources list

apt-get install shine - to install the game

To play the game locally: open the web browser and type in the address line - 127.0.0.1/nets-x

To play the game over the network: type in the address line of your browser the IP address of the game server, then a slash and nets-x

Example: if the game server has IP address 192.68.164.10, type - 192.68.164.10/nets-x

D.2.2 Windows installation

Necessary components:

• WAMP

• SHiNE Game with CakePHP

• Database nets-x.sql

Download the components from these links:

• WAMP from http://www.wampserver.com/en/download.php (if the link doesn't work, search for it)

• SHiNE Game from http://www.nets-x.hs-bremen.de/nets-bachelor/projekte/SHiNE

• Database nets-x.sql from http://www.nets-x.hs-bremen.de/nets-bachelor/projekte/SHiNE

Install the WAMP server first in your root folder (for example C:/wamp)

Specify the following folder as WEBROOT for WAMP - C:/wamp/www/

Open the Apache config file httpd.conf

Enable the rewrite module in httpd.conf by removing the leading # from the line - #LoadModule rewrite_module modules/mod_rewrite.so

Copy the SHiNE files into your webroot folder - C:/wamp/www/

Open phpMyAdmin and create a new empty database named nets-x

Import the database file nets-x.sql into the database (if the file is bigger than 2 MB, compress it and import it as a ZIP file)

Open the privileges of the database and create a new user nets-x at localhost with all privileges and password rtk222

To play the game locally: open the web browser and type in the address line - 127.0.0.1/nets-x

To play the game over the network: type in the address line of your browser the IP address of the game server, then a slash and nets-x

Example: if the game server has IP address 192.68.164.10, type - 192.68.164.10/nets-x

E Scenarios

E.1 Basic scenarios [jp]

E.1.1 Console

Wiki text

pwd

The pwd command ("print working directory") prints your current directory to the console. It is useful to find out in which directory you are. After logging in to a command line you normally start in your home directory. To see where it is placed in the directory tree of the system, type the pwd command:

userx@PC00:~$ pwd
/home/userx
userx@PC00:~$

ls

The ls command lists the files of a directory. Invoked without any parameter, it shows the files of the current working directory. To list the files of another directory, use:

ls /path/to/directory

A short description of the most important parameters (for more information, type ls --help at the command line):

-a lists all files of the directory, hidden files as well
-l prints out more detailed information about the files
-R lists recursively all directories inside the one you have selected

cp

The cp command is normally used to copy a file. For this purpose, use it like this:

cp file1 file2
cp /home/userx/file1 /path/to/file2

It is also possible to copy a list of files to one target directory:

cp file1 file2 file3 /path/to/

For more information about the cp command, type cp --help at the command line.

mv

For the mv command there are two main kinds of usage:

The mv ("move") command is, as the name suggests, used to move one or more files to a different place in the filesystem. To do so, type:

mv /path1/file /path2/file

Another important use of the mv command is to rename a file. For this purpose, type:

mv oldname newname

cat

The cat command is the easiest way to show the content of a file. To print the whole content of a specific file to the command line, type:

cat file1

ip

The easiest way to get the IP address of one of your Ethernet interfaces is the ip command in conjunction with the addr parameter:

ip addr

That prints a list of information about the installed network interfaces. The IPv4 address itself is located in the line which starts with "inet" (IPv6 addresses are on the "inet6" lines).

To get more information about the ip command, type ip without any parameter, or check the man page by typing: man ip

Linux directory structure

A Linux system contains thousands of different directories. Here is just a short list of some of the most important ones:

/ Root directory. This directory is the top level of all other directories.
/bin Common programs
/boot Everything needed for booting the system, including the kernel.
/dev Device files
/etc Most important system configuration files
/home The home directories of all users
/lib Library files
/lost+found Contains files which were recovered after file system failures.
/mnt The normal mount point for external devices like CD-ROM drives.
/opt Normally contains software from third parties.
/root Home directory of the root user
/sbin Programs for the system and the administrator.
/tmp Temporary files; the content is usually deleted on reboot.
/usr Documentation, libraries and programs for all users.
/var Place for all variable files such as log files.

Shell scripts

#!/bin/bash

# external parameters (set by the hacking game)
H_USERNAME=$CAKEUSER   # hacking game user name
H_PASSWORD=$CAKEPASS   # must already be an MD5 (crypt) hash; useradd stores it as given

if [ -z "$H_USERNAME" ]; then
    exit 3   # empty username = error and quit!
fi

# internal parameters
LOG_FILE=/var/log/secure.log

# add user and make home dir
useradd -m "$H_USERNAME" -p "$H_PASSWORD" -s /bin/bash || exit $?
cp /etc/skel/.bash_profile "/home/$H_USERNAME/" || exit $?
cp /etc/skel/.bashrc "/home/$H_USERNAME/" || exit $?

# make needed files
# secure.log
echo "Jan 05 14:23:01 secret tool: just made a very secret operation" > "$LOG_FILE"
echo "Jan 05 14:23:06 secret tool: just made a very secret operation" >> "$LOG_FILE"
echo "Jan 05 14:23:13 secret tool: delete some heavy stuff" >> "$LOG_FILE"
echo "Jan 05 14:23:15 secret tool: don't tell anybody about this special operation" >> "$LOG_FILE"

# change dir and file permissions
chown -R "$H_USERNAME:$H_USERNAME" "/home/$H_USERNAME" || exit $?
chmod 744 "$LOG_FILE" || exit $?   # readable by every user on the machine

Listing 1: Setup-Script

#!/bin/sh

# external parameter
H_USERNAME=$CAKEUSER   # hacking game user name

# expected result: the log file renamed to <IPv4 address of eth1>.log in the user's home
# (the awk program reads the address from the "inet addr:" line of the old ifconfig output)
ETH1_IP=$(ifconfig eth1 | awk '/eth1/ { next } { split($0, a, ":"); split(a[2], a, " "); print a[1]; exit }')
RENAMEDFILE=/home/$H_USERNAME/$ETH1_IP.log

if [ -f "$RENAMEDFILE" ]; then
    exit 2
else
    exit 3
fi

Listing 2: Evaluation-Script
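The evaluation script above derives the expected file name from the output of ifconfig, while the ip section of the console scenario points at ip addr. The following is an added example, not one of the SHiNE scenario scripts: a parser for ip addr output that extracts an interface's IPv4 address (the "inet" line of the wanted interface), plus the same file check as the evaluation script, both written as functions so they can be run against constructed input. The sample ip addr output, the interface names and the addresses in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the SHiNE scripts): get the IPv4 address of an
# interface from "ip addr" output and apply the same check as Listing 2.

# ipv4_from_ip_addr IFACE  < output of "ip addr"
# Prints the first IPv4 address of IFACE without the /prefix; prints nothing
# if the interface has none.
ipv4_from_ip_addr() {
    awk -v want="$1" '
        # interface header lines look like "2: eth1: <BROADCAST,...> mtu 1500 ..."
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur) }
        # address lines look like "    inet 192.168.1.10/24 brd ... scope global eth1"
        $1 == "inet" && cur == want { split($2, a, "/"); print a[1]; exit }
    '
}

# check_renamed_log HOMEDIR IP
# Same decision as the evaluation script: status 2 if HOMEDIR/IP.log exists,
# status 3 otherwise.
check_renamed_log() {
    if [ -f "$1/$2.log" ]; then
        return 2
    else
        return 3
    fi
}

# Constructed sample, shaped like "ip addr" output on a host with two NICs
# (interface names and addresses are assumptions for this example).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:08:74:4c:7f:1d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:08:74:4c:7f:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::208:74ff:fe4c:7f1e/64 scope link'

# Stand-alone run against the sample; on a real host feed "ip addr" instead:
#   ip addr | ipv4_from_ip_addr eth1
run_example() {
    user=${CAKEUSER:-userx}
    ip=$(printf '%s\n' "$SAMPLE_IP_ADDR" | ipv4_from_ip_addr eth1)
    rc=0
    check_renamed_log "/home/$user" "$ip" || rc=$?
    echo "eth1 has IPv4 $ip; evaluation of /home/$user/$ip.log returns $rc"
}

run_example
```

The awk program keys on the numbered interface header lines, so it does not depend on field positions inside the "inet" line changing between iproute2 versions, and it ignores "inet6" lines; the status codes 2 and 3 are the ones the evaluation script above returns.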

#!/bin/sh

H_USERNAME=$CAKEUSER

rm /var/log/secure.log > /dev/null

RC=0
deluser --remove-home "$H_USERNAME" > /dev/null || RC=$?
exit $RC

Listing 3: Cleanup-Script

E.1.2 Vi

Wiki text

find

With the find command you can search through a directory, and recursively through all the directories it contains, for files which match given criteria. The find command offers more than 50 parameters, so it's a good idea to have a look at the man page for detailed information.

Some practical usages:

Find the file xyz in the entire file system: find / -type f -name xyz -print

Print the names of all directories in the file system: find / -type d -print

The -print action in the above examples causes the path of each found entry to be printed, relative to the directory the search started in.

grep

The grep command is used to find lines in files which match a given expression. For example, if you have a log file which contains several lines about an xyz-event, you can type:

grep xyz-event /path/to/logfile.log

Now grep prints all lines to the console which contain the string "xyz-event".

Some helpful parameters for the grep command:

-v Prints all lines which do not match the given expression.
-l Prints only the names of matching files, not the matching lines themselves.
-c Prints the number of matching lines.
-n Prints the line numbers of the matching lines.
-i Makes the search case-insensitive.
-r Searches recursively through all files in the given directory and all sub-directories.

Another useful possibility is to combine grep with the find command. With these two commands it is possible to search for a string in all files on the system (or in some explicit file types as well): find / -type f -exec grep -l xyz-event '{}' ';'

This line searches for the string "xyz-event" in all regular files in the file system, starting at the root directory.

Vi/Vim

Vi was the standard editor for text files in Unix environments for many years. Since 1991 there is an improved version of this editor: Vim. Vim is nearly 100% backward compatible with the original Vi and brings a lot of improvements. The usage of this kind of editor is quite complex, but there is an excellent way to learn it: just type vimtutor at your command line; this program will guide you into the world of Vim.

To look up the most important commands, here is a short list:

Switch to insert mode: i
Save & quit: :wq
Quit without saving: :q!
Save: :w
Save as...: :w filename
Undo: u
Switch to edit mode: ESC i
Switch to command mode: ESC :
Cancel the current command: ESC
Jump to next word: w
Jump to previous word: b
Jump to start of line: 0
Jump to end of line: $
One page forward: Ctrl-f
One page backward: Ctrl-b
Delete next character: x
Delete previous character: X
Delete to end of word: de
Delete previous word: db
Delete current line: dd
Delete up to end of line: d$
Start a selection: v
Cut the selection: d
Copy the selection: y
Paste: p
Help: :help

Shell scripts

#!/bin/bash

# external parameters (set by the hacking game)
H_USERNAME=$CAKEUSER   # hacking game user name
H_PASSWORD=$CAKEPASS   # must already be an MD5 (crypt) hash; useradd stores it as given

if [ -z "$H_USERNAME" ]; then
    exit 3   # empty username = error and quit!
fi

# internal parameters
CHANGEFILE=/usr/share/employees

# add user and make home dir
useradd -m "$H_USERNAME" -p "$H_PASSWORD" -s /bin/bash || exit $?
cp /etc/skel/.bash_profile "/home/$H_USERNAME/" || exit $?
cp /etc/skel/.bashrc "/home/$H_USERNAME/" || exit $?

# make needed files
# employees: one record per block (id, first name, last name, salary)
echo "" > "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 122" >> "$CHANGEFILE"
echo " Heiko" >> "$CHANGEFILE"
echo " Meyer" >> "$CHANGEFILE"
echo " 12.000" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 123" >> "$CHANGEFILE"
echo " Dieter" >> "$CHANGEFILE"
echo " Machielsky" >> "$CHANGEFILE"
echo " 14.000" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 125" >> "$CHANGEFILE"
echo " Mathilde" >> "$CHANGEFILE"
echo " Brehmer" >> "$CHANGEFILE"
echo " 23.900" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 126" >> "$CHANGEFILE"
echo " Holger" >> "$CHANGEFILE"
echo " Schmidt" >> "$CHANGEFILE"
echo " 11.000" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 128" >> "$CHANGEFILE"
echo " Max" >> "$CHANGEFILE"
echo " Dax" >> "$CHANGEFILE"
echo " 29.000" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 129" >> "$CHANGEFILE"
echo " Susanne" >> "$CHANGEFILE"
echo " Feudel" >> "$CHANGEFILE"
echo " 18.230" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 134" >> "$CHANGEFILE"
echo " Myrath" >> "$CHANGEFILE"
echo " Staglos" >> "$CHANGEFILE"
echo " 14.200" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 135" >> "$CHANGEFILE"
echo " Mike" >> "$CHANGEFILE"
echo " Doode" >> "$CHANGEFILE"
echo " 17.300" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 136" >> "$CHANGEFILE"
echo " Jens" >> "$CHANGEFILE"
echo " Kalusche" >> "$CHANGEFILE"
echo " 11.300" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 137" >> "$CHANGEFILE"
echo " Bill" >> "$CHANGEFILE"
echo " Jobs" >> "$CHANGEFILE"
echo " 89.000" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 138" >> "$CHANGEFILE"
echo " Steve" >> "$CHANGEFILE"
echo " Gates" >> "$CHANGEFILE"
echo " 1" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 140" >> "$CHANGEFILE"
echo " George" >> "$CHANGEFILE"
echo " Tree" >> "$CHANGEFILE"
echo " 800" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 142" >> "$CHANGEFILE"
echo " Hans-Georg" >> "$CHANGEFILE"
echo " Schneider" >> "$CHANGEFILE"
echo " 23.280" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 143" >> "$CHANGEFILE"
echo " Melanie" >> "$CHANGEFILE"
echo " Dreist" >> "$CHANGEFILE"
echo " 14.500" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 144" >> "$CHANGEFILE"
echo " Beate" >> "$CHANGEFILE"
echo " Heide" >> "$CHANGEFILE"
echo " 21.200" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo " 145" >> "$CHANGEFILE"
echo " Matthias" >> "$CHANGEFILE"
echo " Koehler" >> "$CHANGEFILE"
echo " 19.300" >> "$CHANGEFILE"
echo " " >> "$CHANGEFILE"
echo "" >> "$CHANGEFILE"

# change dir and file permissions
chown -R "$H_USERNAME:$H_USERNAME" "/home/$H_USERNAME" || exit $?
chmod 777 "$CHANGEFILE" || exit $?   # writable by every user on the machine

Listing 4: Setup-Script
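The setup scripts in Listing 1 and Listing 4 take the user name from the environment variable CAKEUSER, check only that it is non-empty, and then pass it to useradd, chown and (in the cleanup scripts) deluser. The following added example, not one of the SHiNE scripts, puts a login-name check in front of that step: a name is accepted only if it is a plain portable login name, and anything else is refused with the same status 3 the scripts use for an empty name. The allowed pattern (lowercase letter or underscore first, then lowercase letters, digits, underscore or hyphen, at most 32 characters) is an assumption modelled on the default useradd rule on Debian.

```shell
#!/bin/sh
# Added example (not one of the SHiNE scripts): check the user name taken from
# $CAKEUSER before the setup script passes it to useradd, chown and deluser.
# The setup scripts in Listing 1 and Listing 4 only test that it is non-empty.

# valid_login_name NAME
# Status 0 if NAME is a plain login name: first character a lowercase letter
# or underscore, then lowercase letters, digits, underscore or hyphen, at most
# 32 characters (assumption: the default pattern Debian's useradd accepts).
valid_login_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 32 ] || return 1
    case $name in
        *[!a-z0-9_-]*) return 1 ;;   # a character outside the allowed set
        [!a-z_]*)      return 1 ;;   # must not start with a digit or hyphen
    esac
    return 0
}

# setup_user NAME HASH
# First step of the setup script with the check in front: status 3 (the code
# the scripts use for "empty user name") for a rejected name, otherwise the
# status of useradd. HASH must already be a crypt(3) hash; useradd stores it
# as given.
setup_user() {
    if ! valid_login_name "$1"; then
        echo "setup: refusing user name '$1'" >&2
        return 3
    fi
    useradd -m "$1" -p "$2" -s /bin/bash
}

# Stand-alone run: show the decision for a few names (no account is created).
for n in userx john-doe_2 '' 'user x' '-rf' '1abc' 'a;id'; do
    if valid_login_name "$n"; then echo "accept: '$n'"; else echo "reject: '$n'"; fi
done
```

The check is deliberately a whitelist: rather than trying to strip shell metacharacters, spaces or a leading hyphen (which useradd would read as an option), it only lets through names that need no quoting anywhere in the scripts.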

#!/bin/sh

# external parameter
H_USERNAME=$CAKEUSER   # hacking game user name

CHANGEFILE=/usr/share/employees

HOLIDAY=$(grep -c 'holiday' "$CHANGEFILE")   # must be 15
BILL=$(grep -c 'Bill' "$CHANGEFILE")         # must be 0
TOP=$(grep -cF '100.000' "$CHANGEFILE")      # must be 1 (-F: match the dot literally)

if [ "$HOLIDAY" -eq 15 ] && [ "$BILL" -eq 0 ] && [ "$TOP" -eq 1 ]; then
    exit 2
fi

exit 3

Listing 5: Evaluation-Script

#!/bin/sh

H_USERNAME=$CAKEUSER

rm /usr/share/employees > /dev/null

RC=0
deluser --remove-home "$H_USERNAME" > /dev/null || RC=$?
exit $RC

Listing 6: Cleanup-Script

E.2 Man-in-the-middle scenarios

E.2.1 ARP-Spoofing [rb]

Wiki text

Address Resolution Protocol From Wikipedia, the free encyclopedia [7]

In computer networking, the Address Resolution Protocol (ARP) is the standard method for finding a host’s hardware address when only its network layer address is known.

ARP is not an IP-only or Ethernet-only protocol; it can be used to resolve many different network-layer protocol addresses to hardware addresses, although, due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. It is also used for IP over other LAN technologies, such as Token Ring, FDDI, or IEEE 802.11, and for IP over ATM.

ARP is used in four cases of two hosts communicating:

1. When two hosts are on the same network and one desires to send a packet to the other
2. When two hosts are on different networks and must use a gateway/router to reach the other host
3. When a router needs to forward a packet for one host through another router
4. When a router needs to forward a packet from one host to the destination host on the same network

The first case is used when two hosts are on the same physical network (that is, they can directly communicate without going through a router). The last three cases are the most used over the Internet as two computers on the internet are typically separated by more than 3 hops.

In the first case, you would have two hosts on the same LAN segment, A and B. If, for example, Host A wants to send an IPv4 packet to Host B, Host A must already have an IPv4 address for Host B (the network layer address). However, in order to be able to send the packet on the LAN to Host B, Host A must also have a data link layer address, i.e. a MAC address, for Host B. If it doesn't already know that MAC address, it would send an ARP request to ask for that MAC address, in the hopes of getting a reply from Host B, or another host on the network, giving that MAC address.

In the second case, for the same example, hosts A and B would be on different network segments, but there would be a router, on the same LAN segment as Host A, which is either on the same network segment as Host B, or on the same network segment as another router that is on the same network segment as Host B, or on the same network segment as another router that is on the same network segment as yet another router that is on the same segment as Host B, and so on. Host A would send the IPv4 packet not to Host B, but to the first of those routers; it would look up Host B in its routing table to determine the IPv4 address of the appropriate router. It would then, if it doesn't already know the MAC address of that router, use ARP to determine that MAC address.

The third case is similar to the second case; the router would look up Host B in its routing table to determine the IPv4 address of the next router to which it should send the packet and, if it doesn't already know the MAC address for the router, use ARP to determine that MAC address.

The fourth case is similar to the first case; the router has determined that Host B is on the same LAN segment, and, if it doesn't already know Host B's MAC address, will use ARP to determine that MAC address.

ARP is defined in RFC 826. It is a current Internet Standard, STD 37.

ARP spoofing

From Wikipedia, the free encyclopedia [8]

Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack).

The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

ARP Spoofing attacks can be run from a compromised host, a Jack Box, or a hacker's machine that is connected directly onto the target Ethernet segment.

Application

ARP is a Layer 3 protocol. Both ARP request and ARP reply can be broadcast traffic. As such, it is not designed to allow for any ID validation on the transaction. While ARP Spoofing can occur in the course of ARP transactions, creating a race condition, the more common utilization is the distribution of unsolicited ARP responses which are cached by the clients creating the ARP Cache Poison scenario.

Defenses

The only method of completely preventing ARP spoofing is the use of static, non-changing ARP entries (each entry maps a MAC address to corresponding IP address). However, this is not practical on a large network, due to the large overhead of keeping ARP tables up to date. Therefore another method, such as DHCP snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, Extreme Networks and Allied Telesis.

Detection is another avenue for defending against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. Checking for the existence of MAC address cloning may also provide a clue as to the presence of ARP spoofing, though there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query a MAC address for its associated IP address(es). If more than one IP address is returned, MAC cloning is present.

Legitimate usage

ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.

ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over a defective server and transparently offer redundancy.

History

One of the earliest articles on ARP spoofing was written by Yuri Volobuev in ARP and ICMP redirection games

ARP Spoofing Tools

Arpspoof (part of the DSniff suite of tools), Arpoison, Cain and Abel, Ettercap, and netcut are some of the tools that can be used to carry out ARP poisoning attacks.
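The Detection paragraph above names two signs of ARP poisoning: an IP address whose recorded MAC address changes (what Arpwatch mails about), and one MAC address answering for several IP addresses (MAC cloning). The following added example, which is neither SHiNE nor Arpwatch code, implements both checks as shell functions over "IP MAC" pairs, one pair per line. The captured replies in it are constructed for the example (the addresses are assumptions), and the tcpdump field positions given in the comment are an assumption about its default line layout; the ip neigh field positions are as iproute2 prints them.

```shell
#!/bin/sh
# Added example (not SHiNE or arpwatch code): two arpwatch-style checks over
# "IP MAC" pairs, one per line.
#
# On a live host the pairs can come from the kernel's neighbour table,
#   ip -4 neigh show | awk '/lladdr/ { print $1, $5 }'
# or from captured ARP replies (field numbers assume tcpdump's default
# "Reply <ip> is-at <mac>," line layout):
#   tcpdump -l -n arp 2>/dev/null | awk '/is-at/ { sub(/,/, "", $6); print $4, $6 }'

# arp_changes < pairs
# Prints "IP old-MAC -> new-MAC" whenever an IP is claimed by a MAC that
# differs from the one recorded for it; prints nothing for a stable table.
arp_changes() {
    awk '
        NF >= 2 {
            ip = $1; mac = tolower($2)
            if (!(ip in seen)) { seen[ip] = mac; next }
            if (seen[ip] != mac) { print ip, seen[ip], "->", mac; seen[ip] = mac }
        }
    '
}

# cloned_macs < pairs
# Prints "MAC ip1 ip2 ..." for every MAC that answers for more than one IP,
# the sign of MAC cloning the text mentions.
cloned_macs() {
    awk '
        NF >= 2 {
            ip = $1; mac = tolower($2)
            if (!((mac, ip) in pair)) {
                pair[mac, ip] = 1
                ips[mac] = (mac in count) ? ips[mac] " " ip : ip
                count[mac]++
            }
        }
        END { for (m in count) if (count[m] > 1) print m, ips[m] }
    '
}

# Constructed capture: the gateway 192.168.1.1 is first announced by its own
# NIC, then by the MAC of host 192.168.1.20 (addresses are assumptions).
SAMPLE_ARP_REPLIES='192.168.1.1 00:08:74:4c:7f:1d
192.168.1.20 00:1b:21:aa:bb:cc
192.168.1.1 00:08:74:4c:7f:1d
192.168.1.1 00:1b:21:aa:bb:cc
192.168.1.20 00:1b:21:aa:bb:cc'

printf '%s\n' "$SAMPLE_ARP_REPLIES" | arp_changes
printf '%s\n' "$SAMPLE_ARP_REPLIES" | cloned_macs
```

Both functions lower-case the MAC so that the colon-hex forms printed by different tools compare equal. A change report is not proof of an attack on its own (a replaced NIC or a failover, as in the legitimate-usage paragraph, produces the same line), which is why the cloning check is worth running alongside it.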

MAC address

From Wikipedia, the free encyclopedia [9]

In computer networking a Media Access Control address (MAC address) or Ethernet Hardware Address (EHA) or hardware address or adapter address is a quasi-unique identifier attached to most network adapters (NICs Network Interface Card). It is a number that acts like a name for a particular network adapter, so, for example, the network cards (or built-in network adapters) in two different computers will have different names, or MAC addresses, as would an Ethernet adapter and a wireless adapter in the same computer, and as would multiple network cards in a router. However, it is possible to change the MAC address on most of today’s hardware, often referred to as MAC spoofing.

Most layer 2 network protocols use one of three numbering spaces managed by the IEEE: MAC-48, EUI-48, and EUI-64, which are designed to be globally unique. Not all communications protocols use MAC addresses, and not all protocols require globally unique identifiers. The IEEE claims trademarks on the names "EUI-48" and "EUI-64" ("EUI" stands for Extended Unique Identifier).

MAC addresses, unlike IP addresses and IPX addresses, are not divided into "host" and "network" portions. Therefore, a host cannot determine from the MAC address of another host whether that host is on the same layer 2 network segment as the sending host or a network segment bridged to that network segment.

ARP is commonly used to convert from addresses in a layer 3 protocol such as Internet Protocol (IP) to the layer 2 MAC address. On broadcast networks, such as Ethernet, the MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. It thus forms the basis of most of the layer 2 networking upon which higher OSI Layer protocols are built to produce complex, functioning networks.

Notational conventions

The standard (IEEE 802) format for printing MAC-48 addresses in human-readable media is six groups of two hexadecimal digits, separated by hyphens (-) in transmission order, e.g. 01-23-45-67-89-ab. This form is also commonly used for EUI-64. Other conventions include six groups of two separated by colons (:), e.g. 01:23:45:67:89:ab; or three groups of four hexadecimal digits separated by dots (.), e.g. 0123.4567.89ab; again in transmission order.

Figure 43: Source: http://upload.wikimedia.org/wikipedia/commons/9/94/MAC-48_Address.svg

Address details

The original IEEE 802 MAC address comes from the original Xerox Ethernet addressing scheme. This 48-bit address space contains potentially 2^48 or 281,474,976,710,656 possible MAC addresses.

All three numbering systems use the same format and differ only in the length of the identifier. Addresses can either be "universally administered addresses" or "locally administered addresses."

A universally administered address is uniquely assigned to a device by its manufacturer; these are sometimes called "burned-in addresses" (BIA). The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI). The following three (MAC-48 and EUI-48) or five (EUI-64) octets are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100; EUI-64s are not expected to run out in the foreseeable future.

A locally administered address is assigned to a device by a network administrator, overriding the burned-in address. Locally administered addresses do not contain OUIs.

Universally administered and locally administered addresses are distinguished by setting the second least significant bit of the most significant byte of the address. If the bit is 0, the address is universally administered. If it is 1, the address is locally administered. The bit is 0 in all OUIs. For example, 02-00-00-00-00-01. The most significant byte is 02h. The binary is 00000010 and the second least significant bit is 1. Therefore, it is a locally administered address.

If the least significant bit of the most significant byte is set to a 0, the packet is meant to reach only one receiving NIC. This is called unicast. If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast.

MAC-48 and EUI-48 addresses are usually shown in hexadecimal format, with each octet separated by a dash or colon. An example of a MAC-48 address would be "00-08-74-4C-7F-1D". If you cross-reference the first three octets with IEEE's OUI assignments,[3] you can see that this MAC address came from Dell Computer Corp. The last three octets represent the serial number assigned to the adapter by the manufacturer.

The following technologies use the MAC-48 identifier format:

* Ethernet
* 802.11 wireless networks
* Bluetooth
* IEEE 802.5 token ring
* most other IEEE 802 networks
* FDDI
* ATM (switched virtual connections only, as part of an NSAP address)
* Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)

The distinction between EUI-48 and MAC-48 identifiers is purely semantic: MAC-48 is used for network hardware; EUI-48 is used to identify other devices and software. (Thus, by definition, an EUI-48 is not in fact a "MAC address", although it is syntactically indistinguishable from one and assigned from the same numbering space.)

Note: The IEEE now considers the label MAC-48 to be an obsolete term which was previously used to refer to a specific type of EUI-48 identifier used to address hardware interfaces within existing 802-based networking applications and should not be used in the future. Instead, the term EUI-48 should be used for this purpose.

EUI-64 identifiers are used in:

* FireWire
* IPv6 (as the low-order 64 bits of a unicast network address when temporary addresses are not being used)
* ZigBee / 802.15.4 wireless personal-area networks

The IEEE has built in several special address types to allow more than one Network Interface Card to be addressed at one time:

* Packets sent to the broadcast address, all one bits, are received by all stations on a local area network. In hexadecimal the broadcast address would be "FF:FF:FF:FF:FF:FF".
* Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
* Functional addresses identify one or more Token Ring NICs that provide a particular service, defined in IEEE 802.5.

These are "group addresses", as opposed to "individual addresses"; the least significant bit of the first octet of a MAC address distinguishes individual addresses from group addresses. That bit is set to 0 in individual addresses and 1 in group addresses. Group addresses, like individual addresses, can be universally administered or locally administered.

In addition, the EUI-64 numbering system encompasses both MAC-48 and EUI-48 identifiers by a simple translation mechanism. To convert a MAC-48 into an EUI-64, copy the OUI, append the two octets "FF-FF", and then copy the organization-specified part. To convert an EUI-48 into an EUI-64, the same process is used, but the sequence inserted is "FF-FE". In both cases, the process can be trivially reversed when necessary. Organizations issuing EUI-64s are cautioned against issuing identifiers that could be confused with these forms. The IEEE policy is to discourage new uses of 48-bit identifiers in favor of the EUI-64 system.

IPv6, one of the most prominent standards that uses EUI-64, applies these rules inconsistently. Due to an error in the appendix to the specification of IPv6 addressing, it is standard practice to extend MAC-48 addresses (such as IEEE 802 MAC addresses) to EUI-64 using "FF-FE" rather than "FF-FF."

Individual address block

An Individual Address Block comprises a 24-bit OUI managed by the IEEE Registration Authority, followed by 12 IEEE-provided bits (identifying the organization), and 12 bits for the owner to assign to individual devices. An IAB is ideal for organizations requiring fewer than 4097 unique 48-bit numbers (EUI-48).[4]

Bit-reversed notation

The standard transmission order notation for MAC addresses, as seen in the output of the ifconfig command for example, is also called canonical format.

However, since IEEE 802.3 (Ethernet) and IEEE 802.4 (Token Bus) send the bits over the wire with least significant bit first, while IEEE 802.5 (Token Ring) and IEEE 802.6 send the bits over the wire with most significant bit first, confusion may arise where an address in the latter scenario is represented with bits reversed from the canonical representation. So for instance, an address whose canonical form is 12-34-56-78-9A-BC would be transmitted over the wire as bits 01001000 00101100 01101010 00011110 01011001 00111101 in the standard transmission order (least significant bit first). But for Token Ring networks, it would be transmitted as bits 00010010 00110100 01010110 01111000 10011010 10111100 in most significant bit first order. If care is not taken to translate correctly and consistently to the canonical representation, the latter might be displayed as 482C6A1E593D, which could cause confusion. This would be referred to as "Bit-reversed order", "Non-canonical form", "MSB format", "IBM format", or "Token Ring format" as explained by RFC 2469. Canonical form is preferred.
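The address rules above (the three printed notations, the U/L and I/G bits of the first octet, the FF-FF/FF-FE insertion for EUI-64 and the bit-reversed Token Ring form) carried out in code. This is an added example and not part of the SHiNE documentation; the function names are my own, and the U/L-bit inversion in ipv6_interface_id follows RFC 4291, which the text above does not mention.

```python
"""MAC-48 address handling as described in the text: notations, U/L and I/G bits,
EUI-64 mapping and the non-canonical bit-reversed form. Added example, not project code."""
import re

_HEX_ONLY = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text: str) -> bytes:
    """Accept 01-23-45-67-89-ab, 01:23:45:67:89:ab or 0123.4567.89ab (transmission order)."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not _HEX_ONLY.match(digits):
        raise ValueError(f"not a MAC-48 address: {text!r}")
    return bytes.fromhex(digits)


def fmt(addr: bytes, sep: str = "-") -> str:
    """Print in the IEEE 802 hyphen form (or colon form) in transmission order."""
    return sep.join(f"{b:02X}" for b in addr)


def is_locally_administered(addr: bytes) -> bool:
    """U/L bit = second least significant bit of the first octet (mask 0x02)."""
    return bool(addr[0] & 0x02)


def is_group(addr: bytes) -> bool:
    """I/G bit = least significant bit of the first octet (mask 0x01); 1 = multicast/broadcast."""
    return bool(addr[0] & 0x01)


def is_broadcast(addr: bytes) -> bool:
    return addr == b"\xff" * 6


def oui(addr: bytes) -> str:
    """First three octets; only meaningful for universally administered addresses."""
    return fmt(addr[:3])


def to_eui64(addr: bytes, kind: str = "MAC-48") -> bytes:
    """Insert FF-FF (MAC-48) or FF-FE (EUI-48) between the OUI and the organisation part."""
    filler = {"MAC-48": b"\xff\xff", "EUI-48": b"\xff\xfe"}[kind]
    return addr[:3] + filler + addr[3:]


def from_eui64(eui: bytes) -> bytes:
    """Reverse of to_eui64; only valid if the middle two octets are FF-FF or FF-FE."""
    if len(eui) != 8 or eui[3:5] not in (b"\xff\xff", b"\xff\xfe"):
        raise ValueError("EUI-64 was not derived from a 48-bit identifier")
    return eui[:3] + eui[5:]


def ipv6_interface_id(addr: bytes) -> bytes:
    """IPv6 uses the FF-FE filler (as the text notes) and, per RFC 4291, also inverts the
    U/L bit, so a universally administered MAC appears with 0x02 set in the interface id."""
    eui = to_eui64(addr, "EUI-48")
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def _reverse_bits(b: int) -> int:
    return int(f"{b:08b}"[::-1], 2)


def to_bit_reversed(addr: bytes) -> bytes:
    """Non-canonical (MSB-first / Token Ring) form: the bits of every octet are reversed."""
    return bytes(_reverse_bits(b) for b in addr)


def describe(text: str) -> dict:
    """Classify one address the way the text does and show its derived forms."""
    addr = parse_mac(text)
    local = is_locally_administered(addr)
    return {
        "canonical": fmt(addr),
        "administration": "local" if local else "universal",
        "scope": "broadcast" if is_broadcast(addr) else ("group" if is_group(addr) else "individual"),
        "oui": None if local else oui(addr),
        "eui64_mac48": fmt(to_eui64(addr)),
        "ipv6_iid": fmt(ipv6_interface_id(addr), ":"),
        "bit_reversed": fmt(to_bit_reversed(addr)),
    }


if __name__ == "__main__":
    for sample in ("00-08-74-4C-7F-1D", "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", "1234.5678.9abc"):
        print(sample, describe(sample))
```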

Shell scripts

#!/bin/bash

# external parameters
gamers=$CAKE1             # group that gets the sudo right
mainfolder=$CAKE2         # main folder for backups and scripts (normally /tmp/arp)
host_spoofer=$CAKE3       # host on which the automatic ettercap ARP spoof script is located (the drone)
host_spoofer_user=$CAKE4  # temporary user on the spoofing host
host_spoofer_pw=$CAKE5    # that user's cleartext password
script_spoofer=$CAKE6     # path to the script (normally /home/$host_spoofer_user/automaticARPSpoof)
host_user=$CAKE7          # IP address of the host to be spoofed

# internal parameters
backdir=$mainfolder/back       # backup directory for changed files
scriptdir=$mainfolder/scripts  # directory for the generated scripts
undo=$mainfolder/undo          # everything that was changed must be restorable
timeafterarp=60                # spoofing of the user starts after this time (seconds)
spoofingtime=180               # time the host is spoofed (seconds)

# undo file for simple restoring
mkdir "$mainfolder" || exit 1
echo "#!/bin/bash" > "$undo" || exit 1
chmod +x "$undo" || exit 1
echo "folder=$mainfolder" >> "$undo" || exit 1

# install sudo for privileged commands if it isn't installed
if ! stat /usr/bin/sudo > /dev/null 2>&1; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# install expect for the password login if it isn't installed
if ! stat /usr/bin/expect > /dev/null 2>&1; then
    aptitude install expect -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge expect -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# make the directories
mkdir "$backdir" || exit 1
mkdir "$scriptdir" || exit 1

# save the default sudoers file
cp /etc/sudoers "$backdir/sudoers" || exit 1
echo "cp $backdir/sudoers /etc/sudoers" >> "$undo" || exit 1

# add a group for the gamer
groupadd "$gamers" || exit 1
echo "groupdel $gamers" >> "$undo" || exit 1
echo "%$gamers ALL=/usr/sbin/arp" >> /etc/sudoers || exit 1

# replace the arp command !! we need it for usage !!
mv /usr/sbin/arp "$backdir/arp" || exit 1
echo "mv $backdir/arp /usr/sbin/arp" >> "$undo" || exit 1

### functions ###

# script builder: writes every element of $mylist as one line to $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}
### end functions ###

## cheating the arp command

# make our own arp script: it records every call, then runs the real arp
TARGET_AND_LOCATION=$scriptdir/arpThis
mylist=("#!/bin/bash" "echo used \"\$@\" >> $scriptdir/checkfile")
scriptbuild

# append the default arp command
echo "$backdir/arp \"\$@\"" >> "$TARGET_AND_LOCATION" || exit 1
# link arp to the cheated arp
ln -s "$TARGET_AND_LOCATION" /usr/sbin/arp || exit 1
# change rights
chmod +x "$TARGET_AND_LOCATION" || exit 1

# make the ssh connection with password login to start the script on the drone
TARGET_AND_LOCATION=$scriptdir/autospoof
mylist=("#!/usr/bin/expect -f"
        "log_user 0"
        "set timeout -1"
        "spawn ssh $host_spoofer_user@$host_spoofer $script_spoofer $host_user $spoofingtime"
        "match_max 100000"
        "expect \"*(yes/no)*\""
        "send -- \"yes\r\""
        "expect \"*?assword:*\""
        "send -- \"$host_spoofer_pw\r\""
        "send -- \"\r\""
        "expect eof")
scriptbuild
chmod +x "$TARGET_AND_LOCATION" || exit 1

# make the background spoof: wait until the player has used arp, then start the drone
TARGET_AND_LOCATION=$scriptdir/backgroundscript
mylist=("#!/bin/bash"
        "while true; do"
        "    if grep -q used $scriptdir/checkfile 2>/dev/null; then"
        "        break"
        "    fi"
        "    sleep 5"
        "done"
        "sleep $timeafterarp"
        "$scriptdir/autospoof")
scriptbuild
chmod +x "$TARGET_AND_LOCATION" || exit 1

exit 0

Listing 7: Setup Environment

#!/bin/bash

# external parameter
mainfolder=$CAKE1
# run the undo script written by the setup, then remove the folder
"$mainfolder/undo"
rm -rf "$mainfolder" || exit 1
exit 0

Listing 8: Cleanup Environment

#!/bin/bash

# external parameters
USERNAME=$CAKEUSER  # hacking game user name
PASSWORD=$CAKEPASS  # must be md5 encrypted (useradd -p expects the encrypted password)
gamers=$CAKE1       # group for the sudo right
mainfolder=$CAKE2   # main folder for backup and scripts

# internal parameters
backscript=$mainfolder/scripts/backgroundscript
timeafterarp=3

if [ -z "$USERNAME" ]; then
    exit 1  # empty username = error and quit!
fi

# add user and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$gamers" > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# modify the user's .bashrc so the background script starts at login
echo "$backscript &" >> "/home/$USERNAME/.bashrc" || exit $?
exit 0

Listing 9: Setup user


#!/bin/bash

# external parameter
USERNAME=$CAKEUSER  # hacking game user name
deluser --remove-home "$USERNAME" > /dev/null 2>&1 || exit 1
exit 0

Listing 10: Cleanup user

#!/bin/bash

# external parameters
USERNAME=$CAKEUSER   # hacking game user name
PASSWORD=$CAKEPASS   # must be md5 encrypted
GROUP=$CAKE1         # group for the sudo right
mainfolder=$CAKE2    # optional
#spoofscript=$CAKE3  # optional

spoofscript=/home/$USERNAME/automaticARPSpoof
undo=$mainfolder/undo

# internal parameters

if [ -z "$USERNAME" ]; then
    exit 1  # empty username = error and quit!
fi

# undo file for simple deinstalling
mkdir "$mainfolder" || exit 1
echo "#!/bin/bash" > "$undo" || exit 1
chmod +x "$undo" || exit 1
echo "folder=$mainfolder" >> "$undo" || exit 1

# install sudo for privileged commands if it isn't installed yet
if ! stat /usr/bin/sudo > /dev/null 2>&1; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# install ettercap
if ! stat /usr/sbin/ettercap > /dev/null 2>&1; then
    aptitude install ettercap -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge ettercap -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# save the default sudoers file
cp /etc/sudoers "$mainfolder/sudoers" || exit 1
echo "cp $mainfolder/sudoers /etc/sudoers" >> "$undo" || exit 1

# add a group for the gamer
groupadd "$GROUP" || exit 1
echo "groupdel $GROUP" >> "$undo" || exit 1
echo "%$GROUP ALL=NOPASSWD: /usr/sbin/ettercap, /bin/kill" >> /etc/sudoers || exit 1

# add user and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$GROUP" || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# script builder: writes every element of $mylist as one line to $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}

# make the background spoof script (arguments: target IP and duration in seconds)
TARGET_AND_LOCATION=$spoofscript
mylist=("#!/bin/bash"
        'if (( $# < 2 )); then'
        '    echo "Not enough arguments. USAGE: IP Time"'
        '    exit 3'
        'fi'
        'time=$2'
        'ip=$1'
        'echo "ARP Poisoning start"'
        'sudo ettercap -Tq -Q -M arp //$ip >etter_outputi > /dev/null &'
        'if [ $? -eq 0 ]; then'
        '    etterPID=$!'
        '    sleep $time && sudo kill -9 $etterPID'
        'else'
        '    echo "ARP Poisoning was not started"'
        '    exit 1'
        'fi'
        'echo "ARP Poisoning end"'
        'exit 0')
scriptbuild
chmod +x "$spoofscript" || exit 1
exit 0

Listing 11: Setup drone

#!/bin/bash

# external parameters
mainfolder=$CAKE2
USERNAME=$CAKEUSER  # hacking game user name
deluser --remove-home "$USERNAME" > /dev/null 2>&1 || exit 1
"$mainfolder/undo" || exit 1
rm -rf "$mainfolder" > /dev/null 2>&1 || exit 1
exit 0

Listing 12: Cleanup drone

E.2.2 Hijacking[rb]

Wiki text

Telnet

From Wikipedia, the free encyclopedia [10]

TELNET (TELecommunication NETwork) is a network protocol used on the Internet or local area network (LAN) connections. It was developed in 1969 beginning with RFC 15 and standardized as IETF STD 8, one of the first Internet standards.

The term telnet also refers to software which implements the client part of the protocol. TELNET clients have been available on most Unix systems for many years and are available for virtually all platforms. Most network equipment and OSs with a TCP/IP stack support some kind of TELNET service server for their remote configuration (including ones based on Windows NT). Because of security issues with TELNET, its use has waned as it is replaced by the use of SSH for remote access.

"To telnet" is also used as a verb meaning to establish or use a TELNET or other interactive TCP connection, as in, "To change your password, telnet to the server and run the passwd command".

Most often, a user will be telneting to a Unix-like server system or a simple network device such as a switch. For example, a user might "telnet in from home to check his mail at school". In doing so, he would be using a telnet client to connect from his computer to one of his servers. Once the connection is established, he would then log in with his account information and execute operating system commands remotely on that computer, such as ls or cd.

On many systems, the client may also be used to make interactive raw-TCP sessions. It is commonly believed that a telnet session which does not include an IAC (character 255) is functionally identical. This is not the case however due to special NVT (Network Virtual Terminal) rules such as the requirement for a bare CR (ASCII 13) to be followed by a NULL (ASCII 0).
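The NVT rules just mentioned (IAC = 255 introduces a command and must be doubled to appear as data; a bare CR must be followed by NUL) as an encoder and decoder, showing that the same bytes are not an NVT stream when they are sent over a raw TCP session. This is an added example, not code from the original document or from any telnet implementation; the sample stream is constructed.

```python
"""Telnet NVT framing as described in the text. Added example, not project code."""

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CR, LF, NUL = 13, 10, 0


def nvt_encode(data: bytes) -> bytes:
    """Turn application bytes into an NVT data stream that carries no commands."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == IAC:
            out += bytes([IAC, IAC])           # a literal 0xFF is sent as IAC IAC
        elif b == CR:
            if i + 1 < len(data) and data[i + 1] == LF:
                out += bytes([CR, LF])         # CR LF is the NVT end-of-line
                i += 1
            else:
                out += bytes([CR, NUL])        # a bare CR must be followed by NUL
        else:
            out.append(b)
        i += 1
    return bytes(out)


def nvt_decode(stream: bytes) -> tuple[bytes, list[bytes]]:
    """Split an NVT stream into application data and the IAC command sequences.
    A command cut off at the end of the buffer is dropped (a real client would wait for more)."""
    data, commands = bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b == IAC:
            if i + 1 >= n:
                break                            # truncated: IAC without a command byte
            cmd = stream[i + 1]
            if cmd == IAC:
                data.append(IAC)                 # escaped data byte
                i += 2
            elif cmd in (WILL, WONT, DO, DONT):
                if i + 3 > n:
                    break
                commands.append(bytes(stream[i:i + 3]))    # IAC <verb> <option>
                i += 3
            elif cmd == SB:
                end = stream.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    break
                commands.append(bytes(stream[i:end + 2]))  # IAC SB ... IAC SE
                i = end + 2
            else:
                commands.append(bytes(stream[i:i + 2]))    # two-byte command such as NOP
                i += 2
        elif b == CR and i + 1 < n and stream[i + 1] == NUL:
            data.append(CR)                      # CR NUL carries a lone carriage return
            i += 2
        else:
            data.append(b)                       # CR LF and everything else stays as it is
            i += 1
    return bytes(data), commands


if __name__ == "__main__":
    # constructed: IAC DO 24, the text "hi", a lone CR, and an escaped 0xFF data byte
    sample = b"\xff\xfd\x18hi\r\x00\xff\xff"
    print(nvt_decode(sample))
    print(nvt_encode(b"ls\r"))
```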

Protocol details

TELNET is a client-server protocol, based on a reliable connection-oriented transport. Typically this is TCP port 23, although TELNET predates TCP/IP and was originally run on NCP.


Initially, TELNET was an ad-hoc protocol with no official definition [1]. Essentially, it used an 8-bit channel to exchange 7-bit ASCII data. Any byte with the high bit set was a special TELNET character. On March 5th, 1973, a meeting was held at UCLA [2] where "New TELNET" was defined in two NIC documents: TELNET Protocol Specification, NIC #15372, and TELNET Option Specifications, NIC #15373. The protocol has many extensions, some of which have been adopted as Internet standards. IETF standards STD 27 through STD 32 define various extensions, most of which are extremely common. Other extensions are on the IETF standards track as proposed standards.

Security

When TELNET was initially developed in 1969, most users of networked computers were in the computer departments of academic institutions, or at large private and government research facilities. In this environment, security was not nearly as much of a concern as it became after the bandwidth explosion of the 1990s. The rise in the number of people with access to the Internet, and by extension, the number of people attempting to crack other people's servers made encrypted alternatives much more necessary. Experts in computer security, such as SANS Institute, and the members of the comp.os.linux.security newsgroup recommend that the use of TELNET for remote logins should be discontinued under all normal circumstances, for the following reasons:

* TELNET, by default, does not encrypt any data sent over the connection (including passwords), and so it is often practical to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access to a router, switch, hub or gateway located on the network between the two hosts where TELNET is being used can intercept the packets passing by and obtain login and password information (and whatever else is typed) with any of several common utilities like tcpdump and Wireshark.
* Most implementations of TELNET have no authentication to ensure that communication is carried out between the two desired hosts and not intercepted in the middle.
* Commonly used TELNET daemons have several vulnerabilities discovered over the years.

These security-related shortcomings have seen the usage of the TELNET protocol drop rapidly, especially on the public Internet, in favor of the ssh protocol, first released in 1995. SSH provides much of the functionality of telnet, with the addition of strong encryption to prevent sensitive data such as passwords from being intercepted, and public key authentication, to ensure that the remote computer is actually who it claims to be.

As has happened with other early Internet protocols, extensions to the TELNET protocol provide TLS security and SASL authentication that address the above issues. However, most TELNET implementations do not support these extensions, and there has been relatively little interest in implementing these as SSH is adequate for most purposes. The main advantage of TLS-TELNET would be the ability to use certificate-authority signed server certificates to authenticate a server host to a client that does not yet have the server key stored. In SSH, there is a weakness in that the user must trust the first session to a host when it has not yet acquired the server key.

Man In the Middle

From Wikipedia, the free encyclopedia [11]

In cryptography, the man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, the owner of a public wireless access point can in principle conduct MITM attacks on the users).

A man-in-the-middle attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.

The need for an additional transfer over a secure channel

With the exception of the Interlock Protocol, all cryptographic systems that are secure against MITM attacks require an additional exchange or transmission of information over some kind of secure channel. Many key agreement methods with different security requirements for the secure channel have been developed.

Example of a successful MITM attack against public-key encryption

Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to eavesdrop on the conversation, or possibly deliver a false message to Bob. To get started, Alice must ask Bob for his public key. If Bob sends his public key to Alice, but Mallory is able to intercept it, a man-in-the-middle attack can begin. Mallory sends a forged message to Alice that claims to be from Bob, but includes Mallory's public key. Alice, believing this public key to be Bob's, then encrypts her message with Mallory's key and sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message, keeps a copy, and reenciphers it (after alteration if desired) using the public key Bob originally sent to Alice. When Bob receives the newly enciphered message, he will believe it came from Alice.

This example shows the need for Alice and Bob to have some way to ensure that they are truly using each other’s public keys, rather than the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key technology. Fortunately, there are a variety of techniques that help defend against MITM attacks.

Defenses against the attack

Various defenses against MITM attacks use authentication techniques that are based on:

* Public key infrastructures
* Stronger mutual authentication
* Secret keys (high information entropy secrets)
* Passwords (low information entropy secrets)
* Other criteria, such as voice recognition or other biometrics
* Off-the-Record Messaging for instant messaging

The integrity of public keys must generally be assured in some manner, but need not be secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a Certificate Authority, whose public key is distributed through a secure channel (for example, with a web browser or OS installation). Public keys can also be verified by a web of trust that distributes public keys through a secure channel (for example by face-to-face meetings). See key agreement for a classification of protocols that use various forms of keys and passwords to prevent man-in-the-middle attacks.

MITM in quantum cryptography

MITM attacks are a potential problem in quantum cryptography as well. Recently, hybrid protocols (classical + quantum) have been proposed to deal with it, especially for the three-stage quantum cryptography protocol.

Beyond cryptography

MITM should be seen as a general problem resulting from the presence of intermediate parties acting as proxy for clients on either side. If they are trustworthy and competent, all may be well; if they are not, nothing will be. How can one distinguish the cases? By acting as proxy and appearing as the trusted client to each side, the intermediate attacker can carry out much mischief, including various attacks against the confidentiality or integrity of the data passing through it.

A notable non-cryptographic man-in-the-middle attack was perpetrated by one version of a Belkin wireless network router in 2003. Periodically, it would take over an HTTP connection being routed through it: it would fail to pass the traffic on to destination, but instead itself respond as the intended server. The reply it sent, in place of the web page the user had requested, was an advertisement for another Belkin product. After an outcry from technically literate users, this 'feature' was removed from later versions of the router's firmware.

Another example of a non-cryptographic man-in-the-middle attack is the "Turing porn farm." Brian Warner says this is a "conceivable attack" that spammers could use to defeat CAPTCHAs. The spammer sets up a pornographic web site where access requires that the user solves the CAPTCHAs in question. However, Jeff Atwood points out that this attack is merely theoretical: there is no evidence that any spammer has ever built a Turing porn farm. However, as reported in an October 2007 news story [6], while perhaps not being a farm as such, spammers have indeed built a Windows game in which users type in CAPTCHAs acquired from the Yahoo webmail service, and are rewarded with pornographic pictures. This allows the spammers to create temporary free email accounts with which to send out spam.

MITM Implementation Examples

* dsniff - A tool for SSL MITM attacks
* Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning
* PacketCreator - A tool for LAN based MITM attacks
* Ettercap - A tool for LAN based MITM attacks
* Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks
* AirJack - A tool that demonstrates 802.11 based MITM attacks
* wsniff - A tool for 802.11 HTTP/HTTPS based MITM attacks

Ettercap

From http://ettercap.sourceforge.net/ [12]

Short Description:

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

Interface: All these features are integrated with easy-to-use and pleasant ncurses/gtk interfaces.

Running Ettercap:

* You need to select a user interface (no default) using -T for Text only, -C for the Ncurses based GUI, or -G for the nice GTK2 interface.

Using Ettercap: getting connection -> sniffing

The attacker is not able to see the connection because the switch only forwards the packets to the targeted address. To see all connections in the network the attacker starts Ettercap with the command:

ettercap -T -i eth1 -M arp // //

* The first parameter is the output mode, in this case text.
* With '-i' the interface is given on which every attack is handled. Default is eth0.
* '-M' means a man-in-the-middle attack based on 'arp'; '// //' selects all hosts, while with '/a.b.c.d/port /a.b.c.d/port' it is possible to define specific hosts to attack.

Ettercap now sends an ARP request for every possible IP address in the network to find out which addresses are in use and which hosts are active (figure: Host-Test). Faked ARP replies are then sent to every active IP address so that all packets are sent via the MAC address of the attacker.

Control Connection and plant packets

With the use of filters it is now possible to log packets or to inject them. For that a filter has to be created and compiled. A detailed description of creating and using a filter is in the Ettercap manual page 'etterfilter'. This is an example of a filter that logs every telnet connection:

# logging
if (ip.proto == TCP) {
    if (tcp.src == 23 || tcp.dst == 23) {
        log(DECODED.data, "./telnet.log");
    }
}

The collected data is written into telnet.log. The filter itself is saved under the name filter.txt and is compiled into filter.ef with the following command:

etterfilter filter.txt -o filter.ef

To use the filter, Ettercap has to be started with the option '-F filter.ef'. After restarting Ettercap, all data of every TCP stream on port 23 is logged:

ettercap -T -i eth1 -F filter.ef -M arp // //

Alternatively it is possible to run Ettercap as a daemon and to log the data directly:

ettercap -D -L /home/stud/log.log

Filtering gives a lot of possibilities to search a stream and to insert data.

End attack

When an attack with Ettercap is ended, every connection is released and the poisoned hosts are re-ARPed with the original MAC addresses, so that the ARP caches of the hosts again contain the correct entries.
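A defender's counterpart to the Ettercap run described above: a small ARP monitor that flags the host-discovery sweep, a MAC that starts claiming a second IP address, and every change of an IP-to-MAC binding, including the re-ARP back to the real MACs when the attack ends. This is an added example and not part of the SHiNE project; the ARP records, addresses and thresholds are constructed and would be tuned per network.

```python
"""ARP poisoning detector for the scenario in the text. Added example, not project code;
the traffic below is constructed, not captured."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    t: float          # seconds since start of the capture
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpMonitor:
    def __init__(self, sweep_threshold: int = 20, sweep_window: float = 10.0):
        self.binding: dict[str, str] = {}                     # ip -> mac as last seen on the wire
        self.claims: dict[str, set[str]] = defaultdict(set)   # mac -> every ip it has claimed
        self.requests: dict[str, deque] = defaultdict(deque)  # mac -> recent (t, target_ip)
        self.swept: set[str] = set()
        self.sweep_threshold = sweep_threshold
        self.sweep_window = sweep_window
        self.alerts: list[dict] = []

    def _alert(self, pkt: ArpPacket, kind: str, **details) -> None:
        self.alerts.append({"t": pkt.t, "kind": kind, **details})

    def observe(self, pkt: ArpPacket) -> None:
        # 1. host discovery: one MAC asks for many distinct IPs within a short window
        if pkt.op == "request":
            recent = self.requests[pkt.sender_mac]
            recent.append((pkt.t, pkt.target_ip))
            while recent and pkt.t - recent[0][0] > self.sweep_window:
                recent.popleft()
            distinct = {ip for _, ip in recent}
            if len(distinct) >= self.sweep_threshold and pkt.sender_mac not in self.swept:
                self.swept.add(pkt.sender_mac)
                self._alert(pkt, "arp_sweep", mac=pkt.sender_mac, targets=len(distinct))
        # 2. the sender ip/mac pair is a claim in requests as well as replies; a MAC that
        #    claims a second IP is the classic full-duplex poisoning signature (weak on its
        #    own, since multi-homed hosts and routers do the same)
        claimed = self.claims[pkt.sender_mac]
        if pkt.sender_ip not in claimed:
            claimed.add(pkt.sender_ip)
            if len(claimed) == 2:
                self._alert(pkt, "multi_ip_claim", mac=pkt.sender_mac, ips=sorted(claimed))
        # 3. binding flip: an IP previously seen with another MAC; this fires for the poison
        #    and again for the re-ARP when the attack stops
        old = self.binding.get(pkt.sender_ip)
        if old is None:
            self.binding[pkt.sender_ip] = pkt.sender_mac
        elif old != pkt.sender_mac:
            self._alert(pkt, "binding_changed", ip=pkt.sender_ip, old_mac=old, new_mac=pkt.sender_mac)
            self.binding[pkt.sender_ip] = pkt.sender_mac


def run(packets) -> list[dict]:
    mon = ArpMonitor()
    for p in packets:
        mon.observe(p)
    return mon.alerts


# constructed sample traffic: gateway 10.0.0.1, victim 10.0.0.20, attacker 10.0.0.66
ATTACKER, GW, VICTIM = "00:11:22:33:44:66", "00:11:22:33:44:01", "00:11:22:33:44:20"
SAMPLE = [
    ArpPacket(0.0, "reply", GW, "10.0.0.1", "10.0.0.20"),
    ArpPacket(0.1, "reply", VICTIM, "10.0.0.20", "10.0.0.1"),
    # ettercap's host discovery: a request for every address in the network
    *[ArpPacket(5.0 + i / 100, "request", ATTACKER, "10.0.0.66", f"10.0.0.{i}") for i in range(1, 40)],
    ArpPacket(70.0, "reply", ATTACKER, "10.0.0.1", "10.0.0.20"),   # "I am the gateway" to the victim
    ArpPacket(70.0, "reply", ATTACKER, "10.0.0.20", "10.0.0.1"),   # "I am the victim" to the gateway
    ArpPacket(80.0, "reply", ATTACKER, "10.0.0.1", "10.0.0.20"),   # periodic refresh, no new alert
    ArpPacket(250.0, "reply", GW, "10.0.0.1", "10.0.0.20"),        # re-ARP when ettercap quits
    ArpPacket(250.0, "reply", VICTIM, "10.0.0.20", "10.0.0.1"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```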

Session Hijacking

From Wikipedia, the free encyclopedia [13]

The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer (see HTTP cookie theft).

Analysis

Many web sites allow users to create and manage their own accounts, logging in using a username and password (which may or may not be encrypted during transit) or other authentication method. In order that the user does not have to re-enter their username and password on every page to maintain their session, many web sites use session cookies: a token of information issued by the server and returned by the user’s web browser to confirm its identity.

If an attacker is able to steal this cookie, they can make requests themselves as if they were the genuine user, gaining access to privileged information or changing data. If this cookie is a persistent cookie, then the impersonation can continue for a considerable period of time. Of course, session hijacking is not limited to the web; any protocol in which state is maintained using a key passed between two parties is vulnerable, especially if it's not encrypted.

other nodes and the access point.

* Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
* Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

Prevention

Methods to prevent session hijacking include:

* Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
* Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
* Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
* Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
* Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).

Use of SecurID card, or other token based secondary authentication is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.

Shell scripts

#!/bin/bash

# external parameter
GROUP=$CAKE1                   # group for sudo right
mainfolder=$CAKE2              # mainfolder for changes
backdir=$mainfolder/back       # backup directory for changed files
scriptdir=$mainfolder/scripts  # script directory for needed scripts
undo=$mainfolder/undo          # whatever was changed should be restorable

# undo file for simple restoring
mkdir $mainfolder || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1
echo "folder=$mainfolder" >> $undo || exit 1

# install sudo for running privileged commands if it isn't installed
if [ ! -e /usr/bin/sudo ]; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

# install ettercap if it isn't installed
if [ ! -e /usr/sbin/ettercap ]; then
    aptitude install ettercap -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge ettercap -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

# make the directories
mkdir $backdir || exit 1
mkdir $scriptdir || exit 1

# save the default sudo file
cp /etc/sudoers $backdir/sudoers || exit 1
echo "cp $backdir/sudoers /etc/sudoers" >> $undo || exit 1

# add a group for the gamer; its members may run ettercap via sudo
groupadd $GROUP || exit 1
echo "groupdel $GROUP" >> $undo || exit 1
echo "%$GROUP ALL=/usr/sbin/ettercap" >> /etc/sudoers || exit 1

exit 0

Listing 13: Setup Environment

#!/bin/bash

# external parameter
mainfolder=$CAKE1
$mainfolder/undo
rm -rf $mainfolder || exit 1
exit 0

Listing 14: Cleanup Environment

#!/bin/bash

# external parameter
USERNAME=$CAKEUSER   # Hacking game user name
PASSWORD=$CAKEPASS   # must be md5 encrypted
GROUP=$CAKE1         # group for sudo right

if [ -z "$USERNAME" ]; then
    exit 1   # empty username = error and quit!
fi

# adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

exit 0

Listing 15: Setup User

#!/bin/bash

# external parameter
USERNAME=$CAKEUSER   # Hacking game user name
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Listing 16: Cleanup User

#!/bin/bash

# external parameter
user=$CAKE1                    # user name for telnet
password=$CAKE2                # telnet password
IP_TELNET_SERVER=$CAKE3        # the telnet server ip (router dmz)
mainfolder=$CAKE5              # the mainfolder for backups (normally /tmp/drone)

# internal parameter
telnethost=linux               # choose linux or cisco as telnet host
interface=eth0                 # the interface to be watched by arpwatch
backdir=$mainfolder/back       # backup directory for changed files
scriptdir=$mainfolder/scripts  # script directory for needed scripts
undo=$mainfolder/undo

# undo file for simple deinstalling
mkdir $mainfolder || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1
echo "folder=$mainfolder" >> $undo || exit 1

# make the directories
mkdir $backdir || exit 1
mkdir $scriptdir || exit 1

# install arpwatch if it isn't installed; if it is, its config is restored at cleanup
if [ ! -e /etc/init.d/arpwatch ]; then
    aptitude install arpwatch -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge arpwatch -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
else
    echo "cp $backdir/arpwatch.conf /etc/arpwatch.conf || exit 1" >> $undo || exit 1
fi

# install expect for password required login
if [ ! -e /usr/bin/expect ]; then
    aptitude install expect -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge expect -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

cp /etc/arpwatch.conf $backdir/arpwatch.conf || exit 1
echo "$interface -a -N -m arp@noreport" >> /etc/arpwatch.conf || exit 1
/etc/init.d/arpwatch restart > /dev/null 2>&1 || exit 1

# background script 1: expect script that logs in to the telnet server
# ($user, $password and $IP_TELNET_SERVER are filled in now)
if [ "$telnethost" == "linux" ]; then
    cat > $scriptdir/autotelnetlogin <<EOF
#!/usr/bin/expect -f
set timeout -1
log_user 0
spawn telnet $IP_TELNET_SERVER
match_max 100000
expect "*?ogin:*"
send -- "$user\r"
expect "*?assword:*"
send -- "$password\r"
send -- "\r"
send -- "who\r"
expect eof
EOF
fi

if [ "$telnethost" == "cisco" ]; then
    cat > $scriptdir/autotelnetlogin <<EOF
#!/usr/bin/expect -f
log_user 0
set timeout -1
spawn telnet $IP_TELNET_SERVER
match_max 100000
expect "*?assword:*"
send -- "$password\r"
expect "*>*"
send -- "show ssh\r"
expect "*>*"
send -- "exit\r"
send -- "\r"
expect eof
EOF
fi
chmod +x $scriptdir/autotelnetlogin || exit 1

# background script 2: every 30 seconds look for an arpwatch "changed ethernet
# address" message in syslog and, if one appeared, log in to the telnet server;
# stop once the counter reaches 5 (variables written as \$ are evaluated at run time)
cat > $scriptdir/backgroundcheck <<EOF
#!/bin/bash
count=1
running=1
while [ \$running -eq 1 ]; do
    arpchange=\$(tail -n 5 /var/log/syslog | grep "changed ethernet address")
    if [ "\$arpchange" != "" ]; then
        let "count++"
        $scriptdir/autotelnetlogin
    fi
    sleep 30
    if [ \$count -eq 5 ]; then
        running=0
    fi
done
EOF
chmod +x $scriptdir/backgroundcheck || exit 1

# start the backgroundcheck script
nohup $scriptdir/backgroundcheck &
# kill the background process at cleanup
echo "kill -9 $! > /dev/null 2>&1 || exit 1" >> $undo

exit 0

Listing 17: Setup Drone

#!/bin/bash

# external parameter
mainfolder=/tmp/drone
$mainfolder/undo || exit 1
rm -rf $mainfolder > /dev/null 2>&1 || exit 1
exit 0

Listing 18: Cleanup Drone


E.2.3 SSL-Cracking [aoe]

Wiki text

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.

The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom it is communicating. The next level of security, in which both ends of the "conversation" are sure with whom they are communicating, is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients unless TLS-PSK or TLS-SRP are used, which provide strong mutual authentication without needing to deploy a PKI.

A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.

* The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.
* From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
* The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server's public encryption key.
* The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.
* In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key, and sends the result to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
* From the random number, both parties generate key material for encryption and decryption.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes. If any one of the above steps fails, the TLS handshake fails, and the connection is not created. [14]
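The step "confirm that the certificate is authentic" is the one the drone scripts below switch off with --no-check-certificate. As an added example (not code from SHiNE), the following runs the handshake twice against a throwaway server with a self-signed certificate generated at run time: once with an empty trust store, where the handshake fails, and once after the certificate has been added to the client's roots. The host name dmz.example and the loopback server are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned generates a throwaway self-signed certificate for host, standing
// in for a server certificate that no trusted CA has issued (constructed at
// run time; not the key pair from the listings below).
func selfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// serveOnce accepts a single connection, runs the server side of the
// handshake and closes; whether it succeeds is decided by the client's checks.
func serveOnce(ln net.Listener, cert tls.Certificate) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
	_ = srv.Handshake()
	srv.Close()
}

// Handshake performs the client side against addr, expecting the certificate
// to be issued for host and to chain to a root in roots. A nil error means
// the handshake completed and the channel is usable.
func Handshake(addr, host string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: host, RootCAs: roots})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo runs the handshake twice against the same server: first with an empty
// trust store (the certificate cannot be confirmed as authentic), then after
// the certificate has been added to the client's roots.
func Demo() (untrusted, trusted error) {
	const host = "dmz.example" // constructed name, not the game's server
	cert, leaf, err := selfSigned(host)
	if err != nil {
		return err, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()

	go serveOnce(ln, cert)
	untrusted = Handshake(ln.Addr().String(), host, x509.NewCertPool())

	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	go serveOnce(ln, cert)
	trusted = Handshake(ln.Addr().String(), host, roots)
	return untrusted, trusted
}

func main() {
	untrusted, trusted := Demo()
	fmt.Println("unknown CA:", untrusted)
	fmt.Println("trusted certificate:", trusted)
}
```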

Shell scripts

#!/bin/bash

# external parameter
gamers=sslgamer       # group for sudo right
mainfolder=/tmp/ssl   # mainfolder for backup and scripts (normally /tmp/arp)

# internal parameter
backdir=$mainfolder/back       # backup directory for changed files
scriptdir=$mainfolder/scripts  # script directory for needed scripts
undo=$mainfolder/undo          # whatever was changed should be restorable

# undo file for simple restoring
mkdir $mainfolder || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1
echo "folder=$mainfolder" >> $undo || exit 1

# install a package if its binary is missing and record the purge in the undo file
install_if_missing()
{
    local binary=$1 package=$2
    if [ ! -e "$binary" ]; then
        aptitude install $package -y > /dev/null 2>&1 || exit 1
        echo "aptitude purge $package -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
    fi
}

install_if_missing /usr/bin/sudo sudo           # sudo for running privileged commands
install_if_missing /usr/bin/expect expect       # expect for password required login
install_if_missing /usr/sbin/webmitm dsniff     # dsniff tools for sniffing
install_if_missing /usr/sbin/ettercap ettercap
install_if_missing /usr/sbin/tcpdump tcpdump
install_if_missing /usr/sbin/ssldump ssldump

# make the directories
mkdir $backdir || exit 1
mkdir $scriptdir || exit 1

# save the default sudo file
cp /etc/sudoers $backdir/sudoers || exit 1
echo "cp $backdir/sudoers /etc/sudoers" >> $undo || exit 1

# add a group for the gamer; its members may run the scenario's tools via sudo
groupadd $gamers || exit 1
echo "groupdel $gamers" >> $undo || exit 1
echo "%$gamers ALL=/usr/sbin/arp, /usr/sbin/ssldump, /usr/sbin/tcpdump, /usr/sbin/webmitm, /usr/sbin/msgsnarf, /usr/sbin/webspy, /usr/sbin/tcpnice, /usr/sbin/sshow, /usr/sbin/filesnarf, /usr/sbin/dnsspoof, /usr/sbin/tcpkill, /usr/sbin/dsniff, /usr/sbin/macof, /usr/sbin/sshmitm, /usr/sbin/arpspoof, /usr/sbin/urlsnarf, /usr/sbin/mailsnarf, /usr/sbin/ettercap" >> /etc/sudoers || exit 1

# enable ip forwarding (needed for the man-in-the-middle scenario)
echo 1 > /proc/sys/net/ipv4/ip_forward || exit 1

exit 0

Listing 19: setup env


#!/bin/bash

# external parameter
USERNAME=$CAKEUSER   # Hacking game user name
PASSWORD=$CAKEPASS   # must be md5 encrypted
GROUP=$CAKE1         # group for sudo right

mainfolder=/tmp/ssl
undo=$mainfolder/undo

if [ -z "$USERNAME" ]; then
    exit 1   # empty username = error and quit!
fi

# adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# after ettercap starts, ip forwarding is broken: the user should be able to fix it
chown $USERNAME:$GROUP /proc/sys/net/ipv4/ip_forward || exit 1
echo "chown root:root /proc/sys/net/ipv4/ip_forward" >> $undo || exit 1

exit 0

Listing 20: setup user

#!/bin/bash

# internal parameter
mainfolder=/tmp/ssl
backdir=$mainfolder/back       # backup directory for changed files
scriptdir=$mainfolder/scripts  # script directory for needed scripts
undo=$mainfolder/undo          # whatever was changed should be restorable

# undo file for simple restoring
mkdir $mainfolder || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1
echo "folder=$mainfolder" >> $undo || exit 1

# apache2 ssl support
mkdir -p /etc/apache2/ssl/ || exit 1
echo "rm -rf /etc/apache2/ssl/" >> $undo || exit 1
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
echo "rm /etc/apache2/sites-available/ssl" >> $undo || exit 1
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

# server key and self-signed certificate of the DMZ server (PEM material omitted here)
echo '-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
' > /etc/apache2/ssl/apache.pem || exit 1

echo "rm /etc/apache2/ssl/apache.pem" >> $undo || exit 1
cp /etc/apache2/sites-available/default $backdir/apachedefault || exit 1
echo "cp $backdir/apachedefault /etc/apache2/sites-available/default" >> $undo || exit 1
sed 's/VirtualHost \*/VirtualHost \*:80/g' /etc/apache2/sites-available/default > /etc/apache2/sites-available/default.tmp || exit 1
mv /etc/apache2/sites-available/default.tmp /etc/apache2/sites-available/default || exit 1
sed 's/VirtualHost \*/VirtualHost \*:443/g' /etc/apache2/sites-available/ssl | sed -e '2a\\tSSLEngine ON\n\tSSLCertificateFile /etc/apache2/ssl/apache.pem' > /etc/apache2/sites-available/ssl.tmp || exit 1
mv /etc/apache2/sites-available/ssl.tmp /etc/apache2/sites-available/ssl || exit 1
echo "Listen 443" >> /etc/apache2/ports.conf || exit 1
echo "sed 's/Listen 443//g' /etc/apache2/ports.conf > /etc/apache2/ports.conf.tmp || exit 1" >> $undo || exit 1
echo "mv /etc/apache2/ports.conf.tmp /etc/apache2/ports.conf" >> $undo || exit 1
a2enmod ssl > /dev/null 2>&1 || exit 1
echo "a2dismod ssl > /dev/null 2>&1 || exit 1" >> $undo || exit 1
apache2ctl restart > /dev/null 2>&1 || exit 1
echo "apache2ctl restart > /dev/null 2>&1 || exit 1" >> $undo || exit 1

Listing 21: setup drone DMZ

#!/bin/bash

# internal parameter
mainfolder=/tmp/drone          # mainfolder for backup and scripts
scriptdir=$mainfolder/scripts  # script directory for needed scripts
undo=$mainfolder/undo          # whatever was changed should be restorable

# directories and undo file
mkdir -p $scriptdir || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1

# background script: fetch the DMZ homepage over https every 20 seconds
# without checking the server certificate
cat > $scriptdir/autowget <<EOF
#!/bin/bash
cd $mainfolder
while true; do
    wget https://dmz-sever.hs-bremen.game/homepage --no-check-certificate
    sleep 20
done
EOF
chmod +x $scriptdir/autowget || exit 1

# start the background script
nohup $scriptdir/autowget &
# kill the background process at cleanup
echo "kill -9 $! > /dev/null 2>&1 || exit 1" >> $undo

Listing 22: setup drone

#!/bin/bash

ip_userhost=$CAKE1   # ip where the user played

# does www.netzlabor.hs-bremen.de now resolve to the player's host?
if ping -c 3 www.netzlabor.hs-bremen.de | grep -q "$ip_userhost"; then
    wget https://dmz-sever.hs-bremen.game/homepage --no-check-certificate || exit 1
    if ls index* > /dev/null 2>&1; then
        exit 2
    fi
    exit 3
fi
exit 0

Listing 23: evaluation

#!/bin/bash

# external parameter
mainfolder=/tmp/ssl
$mainfolder/undo
rm -rf $mainfolder || exit 1
exit 0

Listing 24: cleanup env

#!/bin/bash

# external parameter
USERNAME=$CAKEUSER   # Hacking game user name
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Listing 25: cleanup user

#!/bin/bash

# external parameter
mainfolder=/tmp/drone
$mainfolder/undo || exit 1
rm -rf $mainfolder > /dev/null 2>&1 || exit 1
exit 0

Listing 26: cleanup drone


#!/bin/bash

# internal parameter
mainfolder=/tmp/ssl
$mainfolder/undo
rm -rf $mainfolder || exit 1
exit 0

Listing 27: cleanup drone DMZ

E.3 Passwort Hacking [ts]

E.3.1 John the Ripper

Wiki text

John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others.

Sample output

Here is a sample output in a Debian GNU/Linux environment.

root@0[john-1.6.37]# cat pass.txt
user:AZl.zWwxIh15Q
root@0[john-1.6.37]# john -w:password.lst pass.txt
Loaded 1 password hash (Traditional DES [24/32 4K])
example          (user)
guesses: 1  time: 0:00:00:00 100%  c/s: 752  trying: 12345 - pookie

Attack types

One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary), encrypts each in the same format as the password being examined (including both the encryption algorithm and key), and compares the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the encrypted hashes.

John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently-used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it does take a long time (for all practical purposes, forever) to run.

Usage of John

To use John, you just need to supply it a password file and the desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental". Once John finds a password, it will be printed to the terminal and saved into a file called ~/john.pot. John will read this file when it restarts so it doesn't try to crack already done passwords. To see the cracked passwords, use

john -show passwd

Important: do this under the same directory where the password was cracked (when using the cronjob, /var/lib/john), otherwise it won't work. While cracking, you can press any key for status, or Ctrl+C to abort the session, saving point information to a file (~/restore by default). By the way, if you press Ctrl+C twice John will abort immediately without saving. The point information is also saved every 10 minutes (configurable in the configuration file, ~/john.ini) in case of a crash. To continue an interrupted session, run:

john -restore

Options

All the options recognized by john start with a single dash (‘-’). A summary of options is included below.

-external:MODE

Enables an external mode, using external functions defined in ~/john.ini's [List.External:MODE] section.

-format:NAME

Allows you to override the ciphertext format detection. Currently, valid format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option when cracking or with ’-test’. Note that John can’t crack password files with different ciphertext formats at the same time.

-groups:[-]GID[,..]

Tells John to load users of the specified group(s) only.

-incremental[:MODE]

Enables the incremental mode, using the specified ~/john.ini definition (section [Incremental:MODE], or [Incremental:All] by default).

-makechars:FILE

Generates a charset file, based on character frequencies from ~/john.pot, for use with the incremental mode. The entire ~/john.pot will be used for the charset file unless you specify some password files. You can also use an external filter() routine with this option.

-restore[:FILE]

Continues an interrupted cracking session, reading point information from the specified file (~/restore by default).

-rules

Enables wordlist rules, that are read from [List.Rules:Wordlist].

-salts:[-]COUNT

This feature sometimes allows you to achieve better performance. For example you can crack only some salts using '-salts:2' faster, and then crack the rest using '-salts:-2'. Total cracking time will be about the same, but you will get some passwords cracked earlier.

-savemem:LEVEL

You might need this option if you don’t have enough memory, or don’t want John to affect other processes too much. Level 1 tells John not to waste memory on login names, so you won’t see them while cracking. Higher levels have a performance impact: you should probably avoid using them unless John doesn’t work or gets into swap otherwise.

-session:FILE

Allows you to specify another point information file’s name to use for this cracking session. This is useful for running multiple instances of John in parallel, or just to be able to recover an older session later, not always continue the latest one.

-shells:[-]SHELL[,..]

This option is useful to load accounts with a valid shell only, or not to load accounts with a bad shell. You can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match '/bin/csh'.

-show

Shows the cracked passwords in a convenient form. You should also specify the password files. You can use this option while another John is cracking, to see what it did so far.

-single

Enables the ”single crack” mode, using rules from [List.Rules:Single].

-status[:FILE]

Prints the status of an interrupted or running session. To get up-to-date status information for a detached running session, send that copy of John a SIGHUP before using this option.

-stdin

Enables the wordlist mode, reading words from stdin.

-stdout[:LENGTH]

When used with a cracking mode, except for ”single crack”, makes John print the words it generates to stdout instead of cracking. While applying wordlist rules, the significant password length is assumed to be LENGTH, or unlimited by default.

-test

Benchmarks all the enabled ciphertext format crackers, and tests them for correct operation at the same time.

-users:[-]LOGIN|UID[,..]

Allows you to filter a few accounts for cracking, etc. A dash before the list can be used to invert the check (that is, load all the users that aren’t listed).

-wordfile:FILE

Enables the wordlist mode, reading words from FILE.

Modes

John can work in the following modes:

Wordlist

John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.

Single crack

In this mode, john will try to crack the password using the login/GECOS information as passwords.

Incremental

This is the most powerful mode. John will try any character combination to resolve the password. Details about these modes can be found in the MODES file in john’s documentation, including how to define your own cracking methods.

Files

/etc/john/john.conf is where you configure how john will behave.

/etc/john/john-mail.msg has the message sent to users when their passwords are successfully cracked.

/etc/john/john-mail.conf is used to configure how john will send messages to users that had their passwords cracked. [15] [16]

Shell scripts

Player setup script

#!/bin/sh
# external parameter
H_USERNAME=$CAKEUSER   # Hacking game user name
H_PASSWORT=$CAKEPASS   # must be md5 encrypted
if [ -z "$H_USERNAME" ]; then
    exit 3   # empty username = error and quit!
fi

# adduser and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME/ || exit $?
cp /etc/skel/.bashrc /home/$H_USERNAME/ || exit $?

# copy needed files
# put john.tar in the deployment field to have it deployed by the game engine (not implemented yet)
cp -r /root/john-1.7.0.2/run /home/$H_USERNAME || exit $?
mv /home/$H_USERNAME/run /home/$H_USERNAME/john || exit $?

# create mypass file (fake unshadowed passwd): a time-derived password, hashed
# with traditional DES crypt and salt "xy", for a user named root<minute>
passw=$(date +%S%M%w)
pass=$(perl -e "print crypt('$passw','xy');")
puser="root$(date +%M)"
echo "$puser:$pass:1019:100::/home/$puser:/bin/bash" > /home/$H_USERNAME/john/mypass || exit $?

# background_eval: started from the player's .bashrc, polls john.pot until the
# hash has been cracked, then reports success and logs the player out
# (\$RUNNING is evaluated at run time, the other variables are filled in now)
mkdir -p /tmp/$H_USERNAME || exit $?
BACKGROUND_EVAL=/tmp/$H_USERNAME/background_eval
cat > $BACKGROUND_EVAL <<EOF
#!/bin/sh
USER_NAME=$H_USERNAME
RUNNING=1
echo
echo ======
echo The john executable is located in /home/$H_USERNAME/john.
echo The unshadowed passwd is also located there and named
echo mypass. Good luck!
echo ======
while [ \$RUNNING -eq 1 ]
do
    if grep -F "$pass" /home/$H_USERNAME/john/john.pot > /dev/null 2>&1; then
        RUNNING=0
    fi
    sleep 3
done
echo done >> /home/$H_USERNAME/done
echo
echo
echo ======
echo You discovered the password for user $puser.
echo Your task is done.
echo You will be logged out in 10 seconds.
echo ======
sleep 10
killall -u $H_USERNAME sshd
EOF

# change owner
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME || exit $?
chown $H_USERNAME:$H_USERNAME $BACKGROUND_EVAL || exit $?
chmod u+x $BACKGROUND_EVAL || exit $?
chmod o+x /home/$H_USERNAME/ || exit $?
chmod o+x /tmp/$H_USERNAME/ || exit $?

# modify user .bashrc
echo "$BACKGROUND_EVAL &" >> /home/$H_USERNAME/.bashrc || exit $?

Evaluation script

#!/bin/sh
H_USERNAME=$CAKEUSER
if grep -q done /home/$H_USERNAME/done 2> /dev/null; then
    exit 0
else
    exit 1
fi

Player cleanup script

#!/bin/sh
H_USERNAME=$CAKEUSER

RC=0
deluser -q --remove-home $H_USERNAME || RC=$?
rm -r /tmp/$H_USERNAME || RC=$?
exit $RC

E.3.2 Cron John

Wiki text

cron is a time-based scheduling service in Unix-like computer operating systems. The name is derived from Greek chronos, meaning time. cron has been recreated several times in its history. cron is driven by a crontab, a configuration file that specifies shell commands to run periodically on a given schedule.

Usage

Generally, the schedules modified by crontab are enacted by a daemon, crond, which runs constantly in the background and checks once a minute to see if any of the scheduled jobs need to be executed. If so, it executes them. These jobs are generally referred to as cron jobs. A job is executed when the time/date specification fields all match the current time and date, with the exception that either the "day of month" field (3) or the "day of week" field (5) must match the current day, even though the other of the two fields doesn't match the current day.

crontab syntax

The crontab files are where the lists of jobs and other instructions to the cron daemon are kept. Users can have their own individual crontab files and often there is a systemwide crontab file (usually in /etc or a subdirectory of /etc) which is also used but can only be edited by the system administrator(s). Each line of a crontab file represents a job and follows a particular format as a series of fields, separated by spaces and/or tabs. Each field can have a single value or a series of values.

Operators

There are several ways of specifying multiple date/time values in a field:

* The comma (',') operator specifies a list of values, for example: "1,3,4,7,8"
* The dash ('-') operator specifies a range of values, for example: "1-6", which is equivalent to "1,2,3,4,5,6"
* The asterisk ('*') operator specifies all possible values for a field. For example, an asterisk in the hour time field would be equivalent to 'every hour' (subject to matching other specified fields).

There is also an operator which some extended versions of cron support, the slash ('/') operator (called "step"), which can be used to skip a given number of values. For example, "*/3" in the hour time field is equivalent to "0,3,6,9,12,15,18,21"; "*" specifies 'every hour' but the "/3" means only those hours divisible by 3.

Fields

# +------------- minute (0 - 59)
# | +----------- hour (0 - 23)
# | | +--------- day of month (1 - 31)
# | | | +------- month (1 - 12)
# | | | | +----- day of week (0 - 6) (Sunday=0 or 7)
# | | | | |
  * * * * * command to be executed

Each of the patterns from the first five fields may be either * (an asterisk), which matches all legal values, or a list of elements separated by commas. Some implementations of cron (e.g. that in the popular 4th BSD edition, written by Paul Vixie and included in Debian Linux distributions including Ubuntu) insert a username into the format as the sixth field, as whom the specified job will be run (subject to user existence in /etc/passwd and allowed permissions), but only in the system crontabs (/etc/crontab and /etc/cron.d/*), not in others which are each assigned to a single user to configure. The seventh (or sixth if no user field is part of the format) and subsequent fields (i.e., the rest of the line) specify the command to be run. For "day of the week" (field 5), both 0 and 7 are considered Sunday, though some versions of Unix such as AIX do not list "7" as acceptable in the man page.

Sample of a crontab

#M    H  D M W   Command
5     *  * * *   /usr/bin/message.sh
*/5   *  * * *   /usr/bin/message.sh
59    23 * * 0   cp /var/log/messages /log/backup/messages
0     0  * * *   cp /var/log/syslog /log/backup/syslog
20,30 1  * * 1-5 /usr/bin/work.sh
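The sample crontab above, evaluated by an added example that is not part of the SHiNE documentation or of any cron implementation: a small matcher for the five time fields that implements the operators described in the section (',' lists, '-' ranges, '*' wildcards and the '/' step extension) and the rule that, when both are restricted, either the day-of-month or the day-of-week field matching is enough. It also names the weekday a day-of-week value denotes, so a schedule can be checked against the field table above (Sunday=0 or 7). No command is executed, only the schedule is evaluated; the function names are this example's own.

```python
"""Added example (not part of the SHiNE documentation): a matcher for the
five cron time fields.  The crontab text is the page's own sample; only the
schedule is evaluated, no command is run."""
from datetime import datetime

# allowed (min, max) per field: minute, hour, day of month, month, day of week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

SAMPLE_CRONTAB = """\
#M H D M W Command
5 * * * * /usr/bin/message.sh
*/5 * * * * /usr/bin/message.sh
59 23 * * 0 cp /var/log/messages /log/backup/messages
0 0 * * * cp /var/log/syslog /log/backup/syslog
20,30 1 * * 1-5 /usr/bin/work.sh
"""


def expand_field(spec, lo, hi):
    """Set of integers a single cron field covers."""
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:                              # step operator
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError("step must be at least 1 in %r" % spec)
        if item == "*":
            start, end = lo, hi
        elif "-" in item:                            # range a-b
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        else:                                        # single value; with a step it runs to the maximum
            start = int(item)
            end = hi if step > 1 else start
        if not (lo <= start <= end <= hi):
            raise ValueError("field %r outside %d-%d" % (spec, lo, hi))
        values.update(range(start, end + 1, step))
    if (lo, hi) == (0, 7) and 7 in values:           # both 0 and 7 mean Sunday
        values.add(0)
    return values


def parse_crontab(text):
    """List of jobs: (field value sets, dom restricted?, dow restricted?, command)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            raise ValueError("need five time fields and a command: %r" % line)
        fields = [expand_field(p, lo, hi) for p, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
        # like Vixie cron, a field counts as "restricted" unless it starts with '*'
        jobs.append((fields, not parts[2].startswith("*"), not parts[4].startswith("*"), parts[5]))
    return jobs


def matches(job, when):
    """True if the job fires in the minute containing datetime `when`."""
    (minute, hour, dom, month, dow), dom_restricted, dow_restricted, _ = job
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    dom_ok = when.day in dom
    dow_ok = (when.weekday() + 1) % 7 in dow         # Python Monday=0 -> cron Sunday=0
    if dom_restricted and dow_restricted:
        return dom_ok or dow_ok                      # the exception described in the text
    return dom_ok and dow_ok


def due_commands(text, when):
    """Commands in crontab `text` that run at `when` (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return [job[3] for job in parse_crontab(text) if matches(job, when)]


def weekday_name(dow):
    """Name of a cron day-of-week value, for checking a schedule by eye."""
    return ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"][dow % 7]


if __name__ == "__main__":
    print(due_commands(SAMPLE_CRONTAB, "2008-03-30T23:59"))   # 2008-03-30 is a Sunday
```

Feeding the sample through `due_commands` for a Sunday at 23:59 returns only the messages backup job, and `weekday_name(0)` shows which weekday the third line's day-of-week field selects.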

The first command (first line) always starts 5 minutes after every full hour, the second every 5 minutes, the third once a week, Saturdays at 23:59, the fourth every day at 00:00 and the fifth Mondays to Fridays at 01:20 and 01:30. A job is executed when the time/date specification fields all match the current time and date. There is one exception: if both "day of month" and "day of week" are restricted (not "*"), then either the "day of month" field (3) or the "day of week" field (5) must match the current day (even though the other of the two fields need not match the current day). [17] [18]

Shell scripts

Player setup script

#!/bin/sh

#external parameter
H_USERNAME=$CAKEUSER            # Hacking game user name
H_PASSWORT=$CAKEPASS            # must be md5 encrypted
if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3;                     #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME/
cp /etc/skel/.bashrc /home/$H_USERNAME/

#copy needed files
#put john.tar in the deployment field to have it deployed by game engine (not implemented yet)
cp -r /root/john-1.7.0.2/run /home/$H_USERNAME || exit $?
mv /home/$H_USERNAME/run /home/$H_USERNAME/john || exit $?
echo > /home/$H_USERNAME/john/mypass
USERCRON=/var/spool/cron/crontabs/$H_USERNAME
echo > $USERCRON

#background_eval: a script generated for the player that polls the crontab copy
mkdir -p /tmp/$H_USERNAME || exit $?
BACKGROUND_EVAL=/tmp/$H_USERNAME/background_eval
echo > /home/$H_USERNAME/crontab2

echo "#!/bin/sh" > $BACKGROUND_EVAL
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_EVAL
echo "RUNNING=1" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The cronjob should be scheduled for every saturday 10pm." >> $BACKGROUND_EVAL
echo "echo The john executable is located in /home/$H_USERNAME/john." >> $BACKGROUND_EVAL
echo "echo The unshadowed passwd is also located there and named" >> $BACKGROUND_EVAL
echo "echo mypass. Good luck setting up the cronjob!" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
#from here on $RUNNING must stay literal in the generated script (expanded when it runs, not now)
RUNNING='$RUNNING'
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_EVAL
echo "do" >> $BACKGROUND_EVAL
echo "if ( cat /home/$H_USERNAME/crontab | grep -w \"00 ** 22 ** \\* ** \\* ** 1 ** /home/$H_USERNAME/john/john ** /home/$H_USERNAME/john/mypass\" > /dev/null); then" >> $BACKGROUND_EVAL
echo "RUNNING=0" >> $BACKGROUND_EVAL
echo "else" >> $BACKGROUND_EVAL
echo "if ( cat /home/$H_USERNAME/crontab | grep \" ** \" > /dev/null); then" >> $BACKGROUND_EVAL
echo "if ! ( cmp /home/$H_USERNAME/crontab /home/$H_USERNAME/crontab2 > /dev/null); then" >> $BACKGROUND_EVAL
echo "cp /home/$H_USERNAME/crontab /home/$H_USERNAME/crontab2" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The cronjob was not set up correct!" >> $BACKGROUND_EVAL
echo "if ! ( cat /home/$H_USERNAME/crontab | grep \"00 ** 22 ** \\* ** \\* ** 1\" > /dev/null); then" >> $BACKGROUND_EVAL
echo "echo The part with the time is wrong." >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "if ! ( cat /home/$H_USERNAME/crontab | grep -w \"/home/$H_USERNAME/john/john ** /home/$H_USERNAME/john/mypass\" > /dev/null); then" >> $BACKGROUND_EVAL
echo "echo The part with the command is wrong." >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "sleep 3" >> $BACKGROUND_EVAL
echo "done" >> $BACKGROUND_EVAL
echo "echo done >> done" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo $H_USERNAME, you correctly set up the cronjob." >> $BACKGROUND_EVAL
echo "echo Your task is done." >> $BACKGROUND_EVAL
echo "echo You will be logged out in 10 seconds." >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "sleep 10" >> $BACKGROUND_EVAL
echo "killall -u $H_USERNAME sshd" >> $BACKGROUND_EVAL

#Background copy of user's crontab with root rights
BACKGROUND_COPY=/tmp/$H_USERNAME/BACKGROUND_COPY.sh
echo "#!/bin/sh" > $BACKGROUND_COPY
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_COPY
echo "RUNNING=1" >> $BACKGROUND_COPY
#$RUNNING must stay literal in the generated script
RUNNING='$RUNNING'
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_COPY
echo "do" >> $BACKGROUND_COPY
echo "cp /var/spool/cron/crontabs/$H_USERNAME /home/$H_USERNAME/crontab" >> $BACKGROUND_COPY
echo "chown $H_USERNAME:$H_USERNAME /home/$H_USERNAME/crontab" >> $BACKGROUND_COPY
echo "sleep 2" >> $BACKGROUND_COPY
echo "done" >> $BACKGROUND_COPY

#change owner
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME || exit $?
chown $H_USERNAME:$H_USERNAME $BACKGROUND_EVAL || exit $?
chmod u+x $BACKGROUND_EVAL || exit $?
chmod o+x /home/$H_USERNAME/ || exit $?
chmod o+x /tmp/$H_USERNAME/ || exit $?
chmod u+x $BACKGROUND_COPY || exit $?
chown $H_USERNAME:$H_USERNAME $USERCRON

#modify user .bashrc so the evaluation script starts at login, then start the root copy loop
echo "$BACKGROUND_EVAL &" >> /home/$H_USERNAME/.bashrc || exit $?
/tmp/$H_USERNAME/BACKGROUND_COPY.sh &

Evaluation script

#!/bin/sh
H_USERNAME=$CAKEUSER
#the background_eval script writes "done" into this file once the task is solved
if (cat /home/$H_USERNAME/done | grep done); then
    exit 0;
else
    exit 1;
fi

Player cleanup script

#!/bin/sh
H_USERNAME=$CAKEUSER

RC=0
deluser -q --remove-home $H_USERNAME || RC=$?
killall BACKGROUND_COPY.sh || RC=$?
rm -r /tmp/$H_USERNAME || RC=$?
rm -f /var/spool/cron/crontabs/$H_USERNAME || RC=$?
exit $RC


E.3.3 Hydra

Wiki text

Hydra was a software project developed by ”The Hacker’s Choice” (THC) that uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords.

The list of supported services includes: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.

How to use

When installed on the machine, start a shell and simply type "hydra" to get an overview of the possible switches.

Restoring an aborted/crashed session

When hydra is aborted with Control-C, killed or crashes, it leaves a "hydra.restore" file behind which contains all necessary information to restore the session. This session file is written every 5 minutes. NOTE: if you are cracking parallel hosts (-M option), this feature doesn't work, and is therefore disabled! NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. from little endian to big endian, or from Solaris to AIX).

[19] [20]
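The defender's view of the dictionary attack described above, as an added example that is not part of the SHiNE documentation or of Hydra: detection logic run over constructed vsftpd-style log lines. It counts failed FTP logins per client address inside a sliding window, reports sources that cross a threshold together with the user names they tried, and marks a source whose burst of failures is followed by a successful login. The log lines, the threshold and the window are sample values chosen here; the function names are this example's own.

```python
"""Added example (not part of the SHiNE documentation or of Hydra): failed
FTP login detection over constructed vsftpd-style log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# vsftpd format: Day Mon DD HH:MM:SS YYYY [pid N] [user] OK|FAIL LOGIN: Client "a.b.c.d"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$')

# constructed sample: one burst from 10.0.1.5 ending in a success, one slow user from 10.0.1.9
SAMPLE_LOG = """\
Sat Mar 29 22:10:01 2008 [pid 4101] [root2915] FAIL LOGIN: Client "10.0.1.5"
Sat Mar 29 22:10:01 2008 [pid 4102] [root2915] FAIL LOGIN: Client "10.0.1.5"
Sat Mar 29 22:10:02 2008 [pid 4103] [root2915] FAIL LOGIN: Client "10.0.1.5"
Sat Mar 29 22:10:02 2008 [pid 4104] [admin] FAIL LOGIN: Client "10.0.1.5"
Sat Mar 29 22:10:03 2008 [pid 4105] [root2915] FAIL LOGIN: Client "10.0.1.5"
Sat Mar 29 22:10:04 2008 [pid 4106] [root2915] OK LOGIN: Client "10.0.1.5"
Sat Mar 29 22:30:00 2008 [pid 4200] [alice] FAIL LOGIN: Client "10.0.1.9"
Sat Mar 29 22:45:00 2008 [pid 4201] [alice] FAIL LOGIN: Client "10.0.1.9"
Sat Mar 29 22:45:07 2008 [pid 4202] [alice] OK LOGIN: Client "10.0.1.9"
this line is not a vsftpd login record and is skipped
"""


def parse_line(line):
    """(timestamp, user, result, client ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect(log_text, threshold=4, window_seconds=60):
    """Sources with at least `threshold` failed logins inside `window_seconds`.
    Returns {ip: {"failures", "users", "first", "last", "success_after_failures"}}."""
    recent = defaultdict(deque)          # ip -> failure timestamps still inside the window
    users = defaultdict(set)             # ip -> user names tried
    alerts = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, user, result, ip = record
        if result == "OK":
            if ip in alerts:             # a success right after a burst of failures
                alerts[ip]["success_after_failures"] = user
            continue
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()             # expire failures older than the window
        if len(window) >= threshold:
            entry = alerts.setdefault(ip, {"first": window[0], "success_after_failures": None})
            entry.update(failures=len(window), users=sorted(users[ip]), last=ts)
    return alerts


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info["failures"], "failures, users tried:", info["users"],
              "success afterwards:", info["success_after_failures"])
```

On the sample, only 10.0.1.5 is reported: five failures within a few seconds, two user names tried, and a successful login for root2915 immediately afterwards, which is the event worth acting on. The two failures from 10.0.1.9 are fifteen minutes apart and stay below the window.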

Shell scripts

Setup script

#!/bin/sh

#external parameter
H_USERNAME=$CAKE1               # Hacking game user name
H_PASSWORT=$CAKE2               # must be md5 encrypted
if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3;                     #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME/
cp /etc/skel/.bashrc /home/$H_USERNAME/

#add root user with random number (root##)
passw=rex
pass=$( perl -e "print crypt('$passw','xy');")
puser="root"$(echo $(date +%S)$(date +%M))
echo $puser > /home/$H_USERNAME/user
useradd -m $puser -p $pass -s /bin/bash || exit $?
echo > /home/$H_USERNAME/ftpuser

#create dictionary file
echo cat >> /home/$H_USERNAME/dic.txt
echo doggy >> /home/$H_USERNAME/dic.txt
echo pass >> /home/$H_USERNAME/dic.txt
echo rantanplan >> /home/$H_USERNAME/dic.txt
echo lucky >> /home/$H_USERNAME/dic.txt
echo felix >> /home/$H_USERNAME/dic.txt
echo garfield >> /home/$H_USERNAME/dic.txt
echo lassy >> /home/$H_USERNAME/dic.txt
echo password >> /home/$H_USERNAME/dic.txt
echo bark >> /home/$H_USERNAME/dic.txt
echo john >> /home/$H_USERNAME/dic.txt
echo candy >> /home/$H_USERNAME/dic.txt
echo rex >> /home/$H_USERNAME/dic.txt

#background_eval: a script generated for the player that polls the hydra output file
mkdir -p /tmp/$H_USERNAME || exit $?
BACKGROUND_EVAL=/tmp/$H_USERNAME/background_eval
echo "#!/bin/sh" > $BACKGROUND_EVAL
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_EVAL
echo "RUNNING=1" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The login you have to find the password for is $puser. You" >> $BACKGROUND_EVAL
echo "echo have to execute hydra from your home directory and use the" >> $BACKGROUND_EVAL
echo "echo -o switch with the filename ftpuser for the evaluation" >> $BACKGROUND_EVAL
echo "echo script to work properly. Good luck!" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
#from here on $RUNNING must stay literal in the generated script (expanded when it runs, not now)
RUNNING='$RUNNING'
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_EVAL
echo "do" >> $BACKGROUND_EVAL
echo "if (cat /home/$H_USERNAME/ftpuser | grep \"$passw\" > /dev/null); then" >> $BACKGROUND_EVAL
echo "RUNNING=0" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "sleep 3" >> $BACKGROUND_EVAL
echo "done" >> $BACKGROUND_EVAL
echo "echo done >> done" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo You discovered the password for the ftp login of user $puser." >> $BACKGROUND_EVAL
echo "echo Your task is done." >> $BACKGROUND_EVAL
echo "echo You will be logged out in 10 seconds." >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "sleep 10" >> $BACKGROUND_EVAL
echo "killall -u $H_USERNAME sshd" >> $BACKGROUND_EVAL

#change owner
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME || exit $?
chown $H_USERNAME:$H_USERNAME $BACKGROUND_EVAL || exit $?
chmod u+x $BACKGROUND_EVAL || exit $?
chmod o+x /home/$H_USERNAME/ || exit $?
chmod o+x /tmp/$H_USERNAME/ || exit $?

#modify user .bashrc so the evaluation script starts at login
echo "$BACKGROUND_EVAL &" >> /home/$H_USERNAME/.bashrc || exit $?

Evaluation script

#!/bin/sh
H_USERNAME=$CAKE1
#the background_eval script writes "done" into this file once the task is solved
if (cat /home/$H_USERNAME/done | grep done); then
    exit 0;
else
    exit 1;
fi

Cleanup script

#!/bin/sh
H_USERNAME=$CAKE1

RC=0
puser=$(cat /home/$H_USERNAME/user)
deluser -q --remove-home $puser || RC=$?
deluser -q --remove-home $H_USERNAME || RC=$?
rm -r /tmp/$H_USERNAME || RC=$?
exit $RC

E.4 Honeyd [pm]

Wiki text

hping

hping is a TCP/IP packet assembler/analyzer. The interface is inspired by the ping unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don't care about security to test networks and hosts. A subset of the things you can do using hping[21]:

• Firewall testing

• Advanced port scanning

• Network testing, using different protocols, TOS, fragmentation

• Manual path MTU discovery

• Advanced traceroute, under all the supported protocols

• Remote OS fingerprinting

• Remote uptime guessing

• TCP/IP stacks auditing

• hping can also be useful to students that are learning TCP/IP.

For more info see also Linux man page: man hping

Shell scripts

Cleanup environment - honeyd host

#!/bin/bash

#external parameter
USERNAME=$CAKEUSER              # Hacking game user name
PASSWORD=$CAKEPASS              # must be md5 encrypted
GROUP=$CAKE1

#hardcoded values override the external parameters above
USERNAME=honey                  # Hacking game user name
PASSWORD=honeyd
GROUP=honeyplayer               # default group for sudo rights configured in setup_env
if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 3;                     #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/
exit 0

Shell script - Cleanup environment - player host

#!/bin/bash

#external parameter
honeyplayer=$CAKE1
honeyplayer=honeyplayer         # hardcoded value overrides the external parameter

BACKUP=/tmp/backup

# delete tool hping (the packages installed by the setup script)
aptitude purge hping2 -y > /dev/null 2>&1 || exit 1
aptitude purge hping3 -y > /dev/null 2>&1 || exit 1

# delete groups
groupdel $honeyplayer > /dev/null 2>&1 || exit 1

# restore sudoers from the backup taken by the setup script
cp $BACKUP/sudoers /etc/sudoers > /dev/null 2>&1 || exit 1

# delete scenario backup files
rm -rf $BACKUP > /dev/null 2>&1 || exit 1
exit 0

Shell script - Cleanup user

#!/bin/bash
USERNAME=$CAKEUSER
USERNAME=honey                  # hardcoded value overrides the external parameter
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Shell script - Setup user environment

#!/bin/bash

# external parameter
honeyplayer=$CAKE1
honeyplayer=honeyplayer         # group for gamers (hardcoded value overrides the external parameter)

# internal parameter
BACKUP=/tmp/backup

# make backupdir
mkdir $BACKUP > /dev/null 2>&1 || exit 1

# adding group and sudorights for hping & nmap
# save sudoers file
cp /etc/sudoers $BACKUP/sudoers > /dev/null 2>&1 || exit 1
groupadd $honeyplayer
echo %$honeyplayer ALL=/usr/sbin/hping >> /etc/sudoers
echo %$honeyplayer ALL=/usr/sbin/hping3 >> /etc/sudoers
echo %$honeyplayer ALL=/usr/bin/nmap >> /etc/sudoers

# install the hping tool
aptitude install hping2 -y > /dev/null 2>&1 || exit 1
aptitude install hping3 -y > /dev/null 2>&1 || exit 1
exit 0

Shell script - Setup user environment

#!/bin/bash

HONEYDPLAYER=honeyplayer
BACKDIR=/tmp/fsadsad
HONEYDDEFAULT=/etc/default/honeyd
HONEYDCONF=/etc/honeypot/honeydconf
HONEYDFINGERP=/etc/honeypot/nmap.prints
INTERFACE=eth1

#virtual pcs
HONEY1=10.0.1.11
HONEY2=10.0.1.12
HONEY3=10.0.1.14
HONEY4=10.0.1.15
HONEY5=10.0.1.17
HONEY6=10.0.1.18

#installing of farpd and honeyd
aptitude install farpd -y > /dev/null 2>&1 || exit 1
aptitude install honeyd -y > /dev/null 2>&1 || exit 1
mkdir -p $BACKDIR > /dev/null 2>&1 || exit 1
cp /etc/default/honeyd $BACKDIR > /dev/null 2>&1 || exit 1
rm $HONEYDDEFAULT > /dev/null 2>&1 || exit 1

#making of Honeyd default config
echo "RUN=\"yes\"" > $HONEYDDEFAULT
echo "INTERFACE=\"$INTERFACE\"" >> $HONEYDDEFAULT
echo "NETWORK=10.0.1.5/24" >> $HONEYDDEFAULT

#making of Honeyd config
echo "create windows" > $HONEYDCONF
echo "set windows personality \"Microsoft Windows NT 4.0 Server SP5-SP6\"" >> $HONEYDCONF
echo "set windows uptime 1728650" >> $HONEYDCONF
echo "set windows maxfds 35" >> $HONEYDCONF
echo "#For a complex IIS server" >> $HONEYDCONF
echo "add windows tcp port 80 \"perl /scripts/iis-0.95/iisemul8.pl\"" >> $HONEYDCONF
echo "add windows tcp port 139 open" >> $HONEYDCONF
echo "add windows tcp port 137 open" >> $HONEYDCONF
echo "add windows udp port 137 open" >> $HONEYDCONF
echo "set windows default udp action reset" >> $HONEYDCONF
echo "set windows default tcp action reset" >> $HONEYDCONF

echo "route $HONEY1 link $HONEY1/32" >> $HONEYDCONF
echo "route $HONEY2 link $HONEY2/32" >> $HONEYDCONF
echo "route $HONEY3 link $HONEY3/32" >> $HONEYDCONF
echo "route $HONEY4 link $HONEY4/32" >> $HONEYDCONF
echo "route $HONEY5 link $HONEY5/32" >> $HONEYDCONF
echo "route $HONEY6 link $HONEY6/32" >> $HONEYDCONF
echo "bind $HONEY1 windows" >> $HONEYDCONF
echo "bind $HONEY2 windows" >> $HONEYDCONF
echo "bind $HONEY3 windows" >> $HONEYDCONF
echo "bind $HONEY4 windows" >> $HONEYDCONF
echo "bind $HONEY5 windows" >> $HONEYDCONF
echo "bind $HONEY6 windows" >> $HONEYDCONF

#starting of honeyd and farpd (farpd answers ARP for the decoy address ranges)
honeyd -i $INTERFACE -f $HONEYDCONF -p $HONEYDFINGERP > /dev/null 2>&1 || exit 1
farpd -i $INTERFACE $HONEY1-$HONEY2 $HONEY3-$HONEY4 $HONEY5-$HONEY6 > /dev/null 2>&1 || exit 1
exit 0
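The honeyd configuration that the setup script above writes with a series of echo statements, produced by an added example that is not part of the SHiNE documentation or of honeyd. It builds the template, route and bind lines from a list of decoy addresses, checks every decoy against the configured network before a line is emitted (an address outside the subnet, a duplicate, or the network or broadcast address is rejected), and derives the address ranges the script passes to farpd by grouping consecutive addresses. The addresses and the template lines follow the page's configuration, with the UDP default written in honeyd's `set <template> default udp action` form; the function names are this example's own.

```python
"""Added example (not part of the SHiNE documentation or of honeyd): build and
check the honeyd configuration and the farpd address ranges."""
import ipaddress

NETWORK = ipaddress.ip_network("10.0.1.0/24")
DECOYS = ["10.0.1.11", "10.0.1.12", "10.0.1.14", "10.0.1.15", "10.0.1.17", "10.0.1.18"]

# template lines as in the setup script on the page
WINDOWS_TEMPLATE = [
    "create windows",
    'set windows personality "Microsoft Windows NT 4.0 Server SP5-SP6"',
    "set windows uptime 1728650",
    "set windows maxfds 35",
    "#For a complex IIS server",
    'add windows tcp port 80 "perl /scripts/iis-0.95/iisemul8.pl"',
    "add windows tcp port 139 open",
    "add windows tcp port 137 open",
    "add windows udp port 137 open",
    "set windows default udp action reset",
    "set windows default tcp action reset",
]


def validate_decoys(decoys, network=NETWORK):
    """Sorted IPv4Address list; rejects an empty list, duplicates, hosts outside
    the network, and the network/broadcast addresses, which cannot be decoys."""
    ips = []
    for text in decoys:
        ip = ipaddress.ip_address(text)
        if ip not in network:
            raise ValueError("%s is not inside %s" % (ip, network))
        if ip in (network.network_address, network.broadcast_address):
            raise ValueError("%s is the network or broadcast address" % ip)
        if ip in ips:
            raise ValueError("duplicate decoy %s" % ip)
        ips.append(ip)
    if not ips:
        raise ValueError("no decoy addresses given")
    return sorted(ips)


def is_valid_decoy_set(decoys, network=NETWORK):
    try:
        validate_decoys(decoys, network)
        return True
    except ValueError:
        return False


def render_honeyd_conf(decoys, network=NETWORK, template="windows", template_lines=WINDOWS_TEMPLATE):
    """Template definition, then one route and one bind line per decoy,
    in the same order as the setup script."""
    ips = validate_decoys(decoys, network)
    lines = list(template_lines)
    lines += ["route %s link %s/32" % (ip, ip) for ip in ips]
    lines += ["bind %s %s" % (ip, template) for ip in ips]
    return "\n".join(lines) + "\n"


def farpd_ranges(decoys, network=NETWORK):
    """Arguments for farpd: runs of consecutive addresses collapse to 'first-last'."""
    ips = validate_decoys(decoys, network)
    ranges, start, prev = [], ips[0], ips[0]
    for ip in ips[1:]:
        if int(ip) == int(prev) + 1:
            prev = ip
            continue
        ranges.append("%s-%s" % (start, prev) if start != prev else str(start))
        start = prev = ip
    ranges.append("%s-%s" % (start, prev) if start != prev else str(start))
    return ranges


if __name__ == "__main__":
    print(render_honeyd_conf(DECOYS))
    print("farpd -i eth1", " ".join(farpd_ranges(DECOYS)))
```

For the page's six decoys the range grouping yields exactly the three pairs the setup script passes to farpd by hand, and adding or removing a decoy keeps the config and the farpd arguments consistent with each other.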

Shell script - Setup user

#!/bin/bash

#external parameter
USERNAME=$CAKEUSER              # Hacking game user name
PASSWORD=$CAKEPASS              # must be md5 encrypted
GROUP=$CAKE1

#hardcoded values override the external parameters above
USERNAME=honey                  # Hacking game user name
PASSWORD=honeyd
GROUP=honeyplayer               # default group for sudo rights configured in setup_env
if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 3;                     #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/
exit 0

E.5 Monitoring Tools [cg]

E.5.1 Cacti

Wiki Text

What is Cacti?

Cacti is a complete frontend to RRDTool; it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, Cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG[22].

Data Sources

To handle data gathering, you can feed Cacti the paths to any external script/command along with any data that the user will need to "fill in"; Cacti will then gather this data in a cron job and populate round robin archives. All administrative information is stored in a MySQL database.

Data Sources can also be created, which correspond to actual data on the graph. For instance, if a user would want to graph the ping times to a host, you could create a data source utilizing a script that pings a host and returns its value in milliseconds. After defining options for RRDTool such as how to store the data you will be able to define any additional information that the data input source requires, such as a host to ping in this case. Once a data source is created, it is automatically maintained at five minute intervals.

Graphs

Once one or more data sources are defined, an RRDTool graph can be created using the data. Cacti allows you to create almost any imaginable RRDTool graph using all of the standard RRDTool graph types and consolidation functions. A color selection area and automatic text padding function also aid in the creation of graphs to make the process easier.

Not only can you create RRDTool based graphs in Cacti, but there are many ways to display them. Along with a standard ”list view” and a ”preview mode”, which resembles the RRDTool frontend, there is a ”tree view”, which allows you to put graphs onto a hierarchical tree for organizational purposes.

Templating

Lastly, Cacti is able to scale to a large number of data sources and graphs through the use of templates. This allows the creation of a single graph or data source template which defines any graph or data source associated with it. Host templates enable you to define the capabilities of a host so Cacti can poll it for information upon the addition of a new host.[22]

Basic Principles

Cacti is a Monitoring Solution. As such, operation may be divided into three different tasks[23]:

Data Retrieval

The first task is to retrieve data. Cacti will do so using its Poller. The Poller will be executed from the operating system's scheduler, e.g. crontab for Unix flavored OSes.

In current IT installations, you’re dealing with lots of devices of different kind, e.g. servers, network equipment, appliances and the like. To retrieve data from remote targets/hosts, Cacti will mainly use the Simple Network Management Protocol SNMP. Thus, all devices capable of using SNMP will be eligible to be monitored by Cacti. Later on, we demonstrate how to extend Cacti’s capabilities of retrieving data to scripts, script queries and more.

Data Storage

There are lots of different approaches for this task. Some may use an (SQL) database, others flat files. Cacti uses rrdtool to store data. RRD is the acronym for Round Robin Database. RRD is a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average). It stores the data in a very compact way that will not expand over time, and it can create beautiful graphs. This keeps storage requirements at bay.

Data Presentation

One of the most appreciated features of rrdtool is the built-in graphing function. This comes in useful when combining it with some commonly used webserver. Thus it is possible to access the graphs from nearly any browser on any platform. Graphing can be done in very different ways. It is possible to graph one or many items in one graph. Autoscaling is supported and a logarithmic y-axis as well. You may stack items onto one another and print pretty legends denoting characteristics such as minimum, average, maximum and lots more.

Basic Usage

Cacti is mainly used to monitor the load (network bandwidth, CPU load) of different network components or other IT-systems within an environment. A common usage is to query network switch or router interfaces via SNMP to monitor network traffic. Furthermore Cacti is also capable of displaying environmental conditions like temperature, air humidity and many more.

Cacti is sometimes used by web hosting providers (especially dedicated server, virtual private server and colocation providers) to display bandwidth statistics for their customers.[24]

Getting Cacti started

Cacti provides a web interface which can be easily accessed at:

http://localhost/cacti/

The user is then asked for username and password:

username: guest password: cacti

Cacti has two users by default: the ”admin” user who has full rights and the user ”guest” with only rights to view graphs.

In addition, user based management allows administrators to create users and assign different levels of permissions to the Cacti interface. Permissions can be specified per-graph for each user, making Cacti suitable for colocation situations. Each user can keep their own graph settings for varying viewing preferences[25].

The web interface of Cacti lists all devices like routers, switches and host PCs in a tree view on the left-hand side. The tree view allows users to put graphs into a hierarchical order to manage and organize a large number of graphs easily.

By default Cacti shows all graphs of the last day. This option may be changed to custom settings: the user can either use presets or define a specific time period.


Analysis

All graphs in Cacti look basically like this:

Router NAT is the name of the network device, Fa 0/0.1 means that Fast Ethernet access 0/0.1 is monitored. The x-axis displays the time period (here the standard preset is the last day) and the y-axis shows how many bits per second were received (the green part) and sent (the blue curve). The constant display of data indicates that nothing specific is going on in the network; the only traffic is the SNMP queries to the devices.

The following graph is perhaps a little bit more interesting:

It collects data of the interface eth1 and shows a graph of the host Pluto. Until 4 pm there is no activity, but then the suddenly rising blue curve indicates that data is sent, and quite a lot (over 60 Mbit per second). The CPU usage or the number of SSH connections on port 22 can also indicate what is going on.


The way the data takes via the net can be followed by looking at the specific interfaces of the routers and switches.

Here, data was sent from a host in a vlan to the DMZ Zone. Data via the routers is always received on Fa 0/0 and will be sent on Fa 0/1 due to the net topology. This example shows us that a comprehension and knowledge of the topology map can be very helpful.

Please keep in mind that the poller for data retrieval in Cacti collects data at five-minute intervals. So it can take up to five minutes to see the traffic data.

Installation

Very helpful for setting up and for receiving further information on Cacti is the following url: http://docs.cacti.net/node/8, which includes the Cacti manual and Cacti howtos. Network lab (http://www.nwlab.net/tutorials/cacti/cacti-tutorial.html) also provides a good tutorial for installing Cacti, but in German.

RRDtool

RRDtool is short for Round Robin Database tool. It was written for Linux and Windows by Tobi Oetiker as a replacement for MRTG (Multi Router Traffic Grapher) and it is licensed under the GNU GPL.

It is designed to handle time series data like network bandwidth, temperatures, CPU load etc. The data is stored in a round-robin database so that system storage footprint remains constant over time[26].

Compared to relational databases, the advantage of RRDs is that recent data is stored at a higher temporal resolution than older data; older data is replaced by newer data. As a result a fast database with a constant size is created. In addition the user can decide on the specific period and the resolution of the measured data which will be stored in so called RRAs (Round Robin Archives)[27].

RRDtool can be used to write your custom monitoring shell scripts or create whole applications using its Perl, Python, Ruby, TCL or PHP bindings[28] and it also includes tools to extract RRD data in a graphical format.
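The storage model described in the Data Storage paragraph and in the RRDtool section above, shown by an added example that is not part of the SHiNE documentation or of RRDtool: a toy round robin database. A COUNTER data source such as ifInOctets is turned into a rate per second (with the 32-bit counter wrap handled), and each round robin archive keeps a fixed number of rows, consolidating a fixed number of 300-second primary samples per row with AVERAGE or MAX and dropping the oldest row when it is full, so the storage footprint never grows however many updates arrive. The counter readings are constructed; the class and function names are this example's own.

```python
"""Added example (not part of the SHiNE documentation or of RRDtool): a toy
round robin database with COUNTER rate conversion and consolidated archives."""
from collections import deque

STEP = 300                # seconds between primary samples (Cacti polls every five minutes)
COUNTER_WRAP = 2 ** 32    # an SNMP Counter32 wraps back to zero here


def counter_rate(previous, current, elapsed):
    """Octets per second between two Counter32 readings; a reading lower than
    the previous one is a wrap and is corrected modulo 2**32."""
    if elapsed <= 0:
        raise ValueError("elapsed must be positive")
    return ((current - previous) % COUNTER_WRAP) / elapsed


class RoundRobinArchive:
    """Fixed-size ring of consolidated rows."""

    def __init__(self, cf, steps, rows):
        if cf not in ("AVERAGE", "MAX"):
            raise ValueError("unsupported consolidation function %r" % cf)
        self.cf, self.steps = cf, steps
        self.rows = deque(maxlen=rows)     # appending to a full deque drops the oldest row
        self.pending = []                  # primary samples waiting for consolidation

    def push(self, value):
        self.pending.append(value)
        if len(self.pending) == self.steps:
            if self.cf == "AVERAGE":
                self.rows.append(sum(self.pending) / self.steps)
            else:
                self.rows.append(max(self.pending))
            self.pending = []


class RoundRobinDatabase:
    def __init__(self):
        self.archives = {}
        self.last = None                   # (timestamp, counter) of the previous update

    def add_archive(self, cf, steps, rows):
        self.archives[(cf, steps)] = RoundRobinArchive(cf, steps, rows)

    def update(self, timestamp, counter):
        """Feed one raw counter reading; the first one only primes the rate."""
        if self.last is not None:
            prev_ts, prev_counter = self.last
            if timestamp <= prev_ts:
                raise ValueError("timestamps must increase")
            rate = counter_rate(prev_counter, counter, timestamp - prev_ts)
            for rra in self.archives.values():
                rra.push(rate)
        self.last = (timestamp, counter)

    def fetch(self, cf, steps):
        return list(self.archives[(cf, steps)].rows)

    def capacity(self):
        """Rows that can ever be stored: fixed at creation, however many updates arrive."""
        return sum(rra.rows.maxlen for rra in self.archives.values())


def demo(n_updates=25):
    """Feed n_updates constructed readings whose rate grows by 10 octets/s per
    step and return every archive's rows plus the constant capacity."""
    rrd = RoundRobinDatabase()
    rrd.add_archive("AVERAGE", 1, 12)      # one hour at full resolution
    rrd.add_archive("AVERAGE", 6, 4)       # half-hour averages covering two hours
    rrd.add_archive("MAX", 6, 4)           # half-hour peaks
    counter, ts = COUNTER_WRAP - 5000, 0   # start just below the wrap so it is exercised
    for i in range(n_updates):
        rrd.update(ts, counter % COUNTER_WRAP)
        ts += STEP
        counter += 3000 * (i + 1)          # 3000 octets per 300 s step = 10*(i+1) octets/s
    return {"AVERAGE/1": rrd.fetch("AVERAGE", 1), "AVERAGE/6": rrd.fetch("AVERAGE", 6),
            "MAX/6": rrd.fetch("MAX", 6), "capacity": rrd.capacity()}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With 25 readings the full-resolution archive holds only the last 12 rates, the two coarser archives hold four consolidated rows each, and the total capacity stays at 20 rows whether 25 or 500 readings are fed in.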


SNMP

The Simple Network Management Protocol (SNMP)[29] forms part of the internet protocol suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications.

Overview and basic concepts

In typical SNMP usage, there are a number of systems to be managed, and one or more systems managing them. A software component called an agent (see below) runs on each managed system and reports information via SNMP to the managing systems. Essentially, SNMP agents expose management data on the managed systems as variables (such as "free memory", "system name", "number of running processes", "default route"). The managing system can retrieve the information through the GET, GETNEXT and GETBULK protocol operations or the agent will send data without being asked using TRAP or INFORM protocol operations. Management systems can also send configuration updates or controlling requests through the SET protocol operation to actively manage a system. Configuration and control operations are used only when changes are needed to the network infrastructure. The monitoring operations are usually performed on a regular basis. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases (MIBs).

SNMP basic components

An SNMP-managed network consists of three key components:

• Managed devices

• Agents

• Network-management systems (NMSs)

A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be any type of device including, but not limited to, routers and access servers, switches and bridges, hubs, IP telephones, computer hosts, or printers.

An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. A network management system (NMS) executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network.

Usage examples

• Monitoring device uptimes (sysUpTimeInstance)

• Inventory of OS versions (sysDescr)

• Collect interface information (ifName, ifDescr, ifSpeed, ifType, ifPhysAddr)

• Measuring network interface throughput (ifInOctets, ifOutOctets)

• Querying a remote ARP cache (ipNetToMedia)
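The GET operation described above on the wire, as an added example that is not part of the SHiNE documentation, of Cacti or of any SNMP library: a minimal SNMPv1 GetRequest/GetResponse codec in plain Python. Nothing is sent over the network; the request bytes for sysUpTime.0 are produced with BER encoding (tag, length, value), and a constructed agent reply carrying a TimeTicks value is decoded back into its fields. The community string "public", the request-id and the tick value are sample values; the function names are this example's own.

```python
"""Added example (not part of the SHiNE documentation or of any SNMP library):
a minimal SNMPv1 GetRequest/GetResponse codec.  Sample values only, nothing
is transmitted."""

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2       # context-specific tags [0] and [2]
TIMETICKS = 0x43                             # application tag 3, unsigned
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"             # sysUpTimeInstance

def _length(n):
    """BER definite length: one byte below 128, else 0x80|count and the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def encode_uint(value, tag=INTEGER):
    """Non-negative integer, minimal two's complement (leading 0x00 if the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(tag, body)

def encode_oid(dotted):
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([ids[0] * 40 + ids[1]])    # the first two arcs share one byte
    for sub in ids[2:]:                        # base 128, continuation bit on all but the last byte
        chunk = [sub & 0x7F]
        while sub >> 7:
            sub >>= 7
            chunk.append(0x80 | (sub & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def encode_message(community, pdu_tag, request_id, varbinds):
    """varbinds: list of (dotted OID, already encoded value)."""
    vbl = b"".join(tlv(SEQUENCE, encode_oid(o) + v) for o, v in varbinds)
    pdu = tlv(pdu_tag, encode_uint(request_id) + encode_uint(0) + encode_uint(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, encode_uint(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def get_request(community, oid, request_id=1):
    # SNMPv1 (version 0) GetRequest for one OID; the value slot carries NULL
    return encode_message(community, GET_REQUEST, request_id, [(oid, tlv(NULL, b""))])

def sample_response(request_id=1, ticks=1728650):
    # constructed agent reply: sysUpTime.0 as TimeTicks (hundredths of a second)
    return encode_message("public", GET_RESPONSE, request_id, [(SYS_UPTIME, encode_uint(ticks, TIMETICKS))])

def _read_tlv(buf, pos):
    """(tag, content, position after the element); rejects lengths past the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end

def decode_oid(body):
    ids, sub = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(sub)
            sub = 0
    if sub:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(map(str, ids))

def decode_value(tag, body):
    if tag in (INTEGER, TIMETICKS, 0x41, 0x42):         # 0x41 Counter32, 0x42 Gauge32
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return body.decode("latin-1")
    if tag == OID:
        return decode_oid(body)
    if tag != NULL:
        raise ValueError("unsupported value tag 0x%02x" % tag)

def decode_message(buf):
    """Parse an SNMPv1 message into a dict; raises on anything outside this subset."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    header, pos = [], 0
    for _ in range(3):                                   # request-id, error-status, error-index
        t, body, pos = _read_tlv(pdu, pos)
        header.append(decode_value(t, body))
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vt, vbody, _ = _read_tlv(vb, p)
        varbinds.append((decode_oid(oid_body), decode_value(vt, vbody)))
    return {"version": decode_value(INTEGER, version), "community": community.decode("latin-1"),
            "pdu": pdu_tag, "request_id": header[0], "error_status": header[1],
            "error_index": header[2], "varbinds": varbinds}
```

`get_request("public", SYS_UPTIME).hex()` gives the 40-byte message a manager sends for sysUpTime.0, and `decode_message(sample_response())` shows the same structure coming back with the GetResponse tag and the TimeTicks value filled in. The SNMPv1 community string travels in clear text in the second field of every message, which is why read-only communities and SNMPv3 matter on a monitored network.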

Shell scripts

The player setup script should always be executed on the Cacti server ramses.

#!/bin/bash

#external parameter
H_USERNAME=$CAKEUSER # Hacking game user name
H_PASSWORT=$CAKEPASS # must be md5 encrypted

if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

#add user and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash >/dev/null 2>&1 || exit 1
cp /etc/skel/.bash_profile /home/$H_USERNAME/ >/dev/null 2>&1 || exit 1
cp /etc/skel/.bashrc /home/$H_USERNAME/ >/dev/null 2>&1 || exit 1

#change file permission
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME/ >/dev/null 2>&1 || exit 1

exit 0

Listing 28: player setup


#!/bin/bash

#external parameter
H_USERNAME=$CAKEUSER

#delete user
deluser --remove-home $H_USERNAME >/dev/null 2>&1 || exit 1

exit 0

Listing 29: player cleanup

The drone setup script should be executed both on Pluto and DMZ Server (or any other systems). For the transfer of the trafficfile via scp without a password query, authentication via private and public key is needed.

Therefore the cactiScenario_keys.tar file (which can be downloaded from https://www.netzlabor.hs-bremen.de/wiki/index.php/Basisszenario_Cacti) has to be put on the game engine as /var/www/nets-x/packages/cactiScenario_keys.tar and also in the software deployment field next to the drone setup script in the game authoring admin interface.

The cactiScenario_keys.tar file contains the ssh keys for the drone user, which were created by

ssh-keygen -t rsa -b 2048

and also a file authorized_keys which contains the content of the public key in order to allow authentication by public and private key (normally this file is needed only on the target system).

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

To ensure an ssh/scp connection without interaction of the user, the file ssh_config in /etc/ssh/ should be adapted so that strict host key checking is suppressed.

#!/bin/bash
#drone setup script
#should be executed both on PC03 and PC01

#internal parameter
D_USERNAME=uXtInVw #hardcoded username
D_PASSWORT='30b0f6fca3f5bf514d28a568df75ae13' #cleartext:netzlabor
D_KEYS=cactiScenario_keys.tar

#add user and make home dir
useradd -m $D_USERNAME -p $D_PASSWORT -s /bin/bash -d /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1
cp /etc/skel/.bash_profile /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1
cp /etc/skel/.bashrc /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1

#untar keys to user home directory
tar -xf /tmp/$D_KEYS -C /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1

#change file permission
chown -R $D_USERNAME:$D_USERNAME /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1

exit 0

Listing 30: drone setup

Since it is allowed to execute more than one script on each script stack, the traffic setup script is executed together with the drone setup script, but on level 2. This script is executed as drone and only on host pluto.

#!/bin/bash
#should be executed on PC03

#internal parameter
D_USERNAME=uXtInVw
D_TARGET=$CAKE1 #IP DMZ_Server
D_TRAFFIC=trafficfile

#everything below runs as the drone user in one shell
su $D_USERNAME -c "
#create new trafficfile
dd bs=1M count=100 if=/dev/zero of=/home/$D_USERNAME/$D_TRAFFIC >/dev/null 2>&1 || exit 1;

#change file permission
chown $D_USERNAME:$D_USERNAME /home/$D_USERNAME/$D_TRAFFIC >/dev/null 2>&1 || exit 1;

#file will be copied to target (will be stopped by cleanup script)
while true; do
    scp /home/$D_USERNAME/$D_TRAFFIC $D_USERNAME@$D_TARGET:/home/$D_USERNAME/ >/dev/null 2>&1 || exit 1
done"

exit 0

Listing 31: traffic setup

Evaluation will be handled by string evaluation. In this case the name of the employee (drone) is:

Pluto

Listing 32: evaluation string

The drone cleanup script should be executed both on Pluto and DMZ Server.

#!/bin/bash

D_USERNAME=uXtInVw
D_KEYS=cactiScenario_keys.tar

if [ "`hostname`" = "PC03" ]; then
    #kill all processes running by drone
    killall -u $D_USERNAME >/dev/null 2>&1 || exit 1
fi

#delete user
deluser --remove-home $D_USERNAME >/dev/null 2>&1 || exit 1

#delete keys
rm /tmp/$D_KEYS >/dev/null 2>&1 || exit 1

exit 0

Listing 33: drone cleanup

Integration FAI [mt]

All relevant preparations for integrating Cacti in the fully automatic installation can be found on https://www.netzlabor.hs-bremen.de/wiki/index.php/Cacti under "Integration in FAI".

E.5.2 Ntop

Integration FAI [cg]

Please refer to https://www.netzlabor.hs-bremen.de/wiki/index.php/Ntop under "Integration FAI" for information concerning the preparation of ntop for FAI.

bachelorproject ws 07/08 SHiNE 162

E.6 IDS scenarios [jl]

E.6.1 Run snort

Wiki text

Wiki article for scenario run snort.

snort

The Intrusion Detection System (IDS) snort scans the whole traffic on one network interface for data or events that are defined in its configuration. If one of the rules in this configuration matches an event or data in the network traffic, an alert file is written which can be evaluated. This file is located at /var/log/snort/alert. To run snort enter the following:

snort -c <> -i <> -D

The parameter -c defines the configuration file to use. By default this is /etc/snort/snort.conf, but you can use any other valid file. The interface to scan on is defined with the -i parameter. If you want to run snort in the background use the parameter -D, otherwise omit it.

Shell scripts

#!/bin/sh
H_GROUPNAME=$CAKE1
H_INTERFACE=$CAKE2

#local variables
H_GROUPFOLDER='/tmp/'$H_GROUPNAME
H_SUDOERS='/etc/sudoers'

#kill running snorts
killall -s SIGKILL snort >/dev/null
#folder for caching
mkdir $H_GROUPFOLDER >/dev/null
#create group, which is allowed to run snort
groupadd -g 1000 $H_GROUPNAME -f >/dev/null
#backup files
cp $H_SUDOERS $H_GROUPFOLDER >/dev/null
#define sudoers (written directly, so no visudo syntax check takes place)
echo 'Defaults env_reset' > $H_SUDOERS
echo 'Cmnd_Alias SNORT = /usr/sbin/snort' >> $H_SUDOERS
echo 'root ALL=(ALL) ALL' >> $H_SUDOERS
echo "%$H_GROUPNAME ALL = SNORT" >> $H_SUDOERS

#start one snort on the other interface; its PID is saved below and skipped by the evaluation
if [ "$H_INTERFACE" = "eth2" ]; then
    snort -c /etc/snort/snort.conf -D -i eth3 >/dev/null
else
    snort -c /etc/snort/snort.conf -D -i eth2 >/dev/null
fi
#save snort PID
pidof snort > "$H_GROUPFOLDER/pid"

Listing 34: environment setup

#!/bin/sh
H_GROUPNAME=$CAKE1
H_GROUPFOLDER='/tmp/'$H_GROUPNAME
H_SUDOERS='/etc/sudoers'

#remove group, restore the saved sudoers and the cache folder
groupdel $H_GROUPNAME >/dev/null
cp $H_GROUPFOLDER'/sudoers' $H_SUDOERS >/dev/null
rm -r $H_GROUPFOLDER >/dev/null
#restart the default snorts on both interfaces
killall -s SIGKILL snort >/dev/null
snort -c /etc/snort/snort.conf -D -i eth2 >/dev/null
snort -c /etc/snort/snort.conf -D -i eth3 >/dev/null
exit 0

Listing 35: environment cleanup

#!/bin/sh
H_GROUPNAME=$CAKE1
H_USERNAME=$CAKEUSER
H_PASSWORD=$CAKEPASS

if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

useradd -m $H_USERNAME -p $H_PASSWORD -g $H_GROUPNAME -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME >/dev/null
cp /etc/skel/.bashrc /home/$H_USERNAME >/dev/null
mkdir /tmp/$H_USERNAME >/dev/null
exit 0

Listing 36: player setup

#!/bin/sh
H_USERNAME=$CAKEUSER
RC=0

if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

pkill -KILL -u $H_USERNAME
rm -r /tmp/$H_USERNAME >/dev/null || RC=$?
deluser --remove-home $H_USERNAME >/dev/null || RC=$?
exit $RC

Listing 37: player cleanup

#!/bin/sh
#checkpid <pid> <interface>: exits 0 if the snort process <pid> was started with
#the default configuration file and listens on <interface>
checkpid() {
    H_CONF_FLAG=0
    H_INFC_FLAG=0
    H_VALID=1
    H_SNORT_CONFIG='/etc/snort/snort.conf'

    #walk through the words of the process's command line: the word after "-c"
    #must be the config file, the word after "-i" the interface; note that a
    #snort started without -c or -i passes, since neither check is triggered
    for j in $( ps -ef | grep snort | grep $1 ); do
        if [ $H_CONF_FLAG -eq 1 ]; then
            if [ "$j" != $H_SNORT_CONFIG ]; then
                H_VALID=0
            fi
            H_CONF_FLAG=2
        fi
        if [ $H_INFC_FLAG -eq 1 ]; then
            if [ "$j" != $2 ]; then
                H_VALID=0
            fi
            H_INFC_FLAG=2
        fi
        if [ "$j" = "-c" ]; then
            if [ $H_CONF_FLAG -eq 0 ]; then
                H_CONF_FLAG=1
            fi
        fi
        if [ "$j" = "-i" ]; then
            if [ $H_INFC_FLAG -eq 0 ]; then
                H_INFC_FLAG=1
            fi
        fi
    done
    if [ $H_VALID -eq 1 ]; then
        exit 0
    fi
}

H_INTERFACE=$CAKE2

#local variables
H_PID=$(cat /tmp/snorters/pid)

#check every snort except the one started by the environment setup
for i in $( pidof snort ); do
    if [ "$i" != "$H_PID" ]; then
        checkpid $i $H_INTERFACE
    fi
done
exit 2

Listing 38: evaluation

E.6.2 Snort rule

Wiki text

Wiki article for scenario snort rule.

snort rule

Individual rules can be defined for the Intrusion Detection System (IDS) snort. This is done by creating a file containing one or several valid rules and including it in the configuration file you are using. A rule must at least have the following parameters:

action protocol source-IP source-port direction target-IP target-port

The common parameter for action is alert, which implies that the defined alert file is written whenever the rule matches. All the other parameters can be filled with the key any; for source-IP, for example, this means that any source IP could trigger an alert for this rule. At least one of the parameters should not be any, so that not all of the traffic on the network interface triggers an alert. Valid values for the parameter direction are ->, <- or <>. To add the new rule to the snort configuration, add the following line to the config file:

include <>
e.g. include /etc/snort/rules/myRule.rules

Now snort can be restarted to activate the new rule.
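The checks the wiki text asks of a rule header, as an added shell example that is not one of the SHiNE scenario scripts: the seven mandatory fields, the action and protocol keywords, the three direction values listed above, and the condition that not every address and port is any. The file path /tmp/myRule.rules and the two sample rules are constructed.

```shell
#!/bin/sh
# Added example (not a SHiNE script): validate the header part of a snort rule
# as described in the wiki text. Returns 0 for an acceptable header; otherwise
# prints the reason and returns 1.
check_rule_header() {
    # the option part in parentheses is not examined here
    header=$(printf '%s\n' "$1" | sed 's/(.*$//')
    set -- $header
    if [ $# -ne 7 ]; then
        echo "expected 7 header fields (action protocol src sport dir dst dport), got $#"
        return 1
    fi
    # actions accepted here: alert (the common one) plus log and pass
    case "$1" in
        alert|log|pass) ;;
        *) echo "unknown action: $1"; return 1 ;;
    esac
    case "$2" in
        tcp|udp|icmp|ip|any) ;;
        *) echo "unknown protocol: $2"; return 1 ;;
    esac
    # the wiki text lists "->", "<-" and "<>" as valid directions
    case "$5" in
        '->'|'<-'|'<>') ;;
        *) echo "bad direction: $5"; return 1 ;;
    esac
    # a rule that is "any" everywhere fires on every packet on the interface
    if [ "$3" = any ] && [ "$4" = any ] && [ "$6" = any ] && [ "$7" = any ]; then
        echo "all addresses and ports are any: every packet would trigger an alert"
        return 1
    fi
    return 0
}

# write_rule_file <file> <rule>...: writes the checked rules, one per line, and
# prints the include line that has to be added to snort.conf
write_rule_file() {
    f=$1; shift
    : > "$f"
    for r in "$@"; do
        check_rule_header "$r" || return 1
        printf '%s\n' "$r" >> "$f"
    done
    echo "include $f"
}

# constructed sample rules and a constructed file path
write_rule_file /tmp/myRule.rules \
    'alert tcp any any -> 10.0.0.1 22 (msg:"ssh to lab host"; sid:1000001;)' \
    'alert icmp any any -> 10.0.0.0/24 any (msg:"icmp into lab net"; sid:1000002;)'
```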

E.7 DNS [mt]

E.7.1 DNS Basics

Wiki text

Under [30] there is a very good open source DNS explanation. Its copyright is licensed under a Creative Commons License, so integrating this guide into the game wiki should not cause problems. The document covers everything about DNS, the DNS structure and the tools we need for assisting the SHiNE user.

DNS

Because of the complexity of this guide, only its table of contents is given here. Integrating the guide into the game wiki by copying it from the online source or from this document is likely the same effort.

DNS for Rocket Scientists

Source: DNS for Rocket Scientists [30]

This Open Source Guide is about DNS and (mostly) BIND 9.x on Linux (Fedora Core), BSD’s (FreeBSD, OpenBSD and NetBSD) and Windows (Win 2K, XP, Server 2003). It is meant for newbies, Rocket Scientist wannabees and anyone in between.

This Guide was born out of our first attempts a number of years ago at trying to install a much needed DNS service on an early Redhat Linux system. We completed the DNS ’rite of passage’ and found it a pretty unedifying and pointless experience.

Health Warning: This is still a work-in-progress. If you find errors don’t grumble - tell us. Look at our to do list and if you want to contribute something please do so.

Overview

• 1. Boilerplate and Terminology 1.1 Objectives and Scope 1.2 How to read this Guide 1.3 Terminology and Conventions used 1.4 Acknowledgements 1.5 Copyright and License

• 2. DNS - Overview 2.1 A brief History of Name Servers 2.2 DNS Concepts & Implementation 2.2.1 DNS Overview 2.2.2 Domains and Delegation 2.2.3 DNS Organization and Structure 2.2.4 DNS System Components 2.2.5 Zones and Zone Files 2.2.6 DNS Queries 2.2.6.1 Recursive Queries 2.2.6.2 Iterative Queries 2.2.6.3 Inverse Queries 2.2.7 Zone Updates 2.2.7.1 Full Zone Transfer (AXFR) 2.2.7.2 Incremental Zone Transfer (IXFR) 2.2.7.3 Notify (NOTIFY) 2.2.7.4 Dynamic Zone Updates 2.2.7.5 Alternative Dynamic DNS Approaches 2.3 DNS Security Overview 2.3.1 Security Threats 2.3.2 Security Types 2.3.3 Local Security 2.3.4 Server-Server (TSIG Transactions) 2.3.5 Server-Client (DNSSEC)

• 3. DNS Reverse Mapping 3.1 Reverse Mapping Overview 3.2 IN-ADDR.ARPA Files 3.3 Reverse Map Delegation

• 4. DNS Types 4.1 Master (a.k.a. Primary) DNS Server 4.2 Slave (Secondary) DNS Server 4.3 Caching (a.k.a. hint) DNS Server 4.4 Forwarding (a.k.a. Proxy, Client, Remote) DNS Server 4.5 Stealth (a.k.a. DMZ or Split) DNS Server 4.6 Authoritative Only DNS Server

• Section 2 - Get Something Running

• 5. BIND (Berkeley Internet Name Daemon) Installing on FreeBSD (4.x and 5.x+) Installing on Linux (Fedora Core 2) Installing on Windows (NT 4.0 and Windows 2000) BIND Command Line

• 6. DNS Sample Configurations 6.1 Sample Configuration Overview 6.1.1 Zone File Naming Convention 6.2 Master (Primary) DNS 6.3 Slave (Secondary) DNS 6.4 Caching only DNS 6.5 Forwarding (a.k.a. Proxy, Client, Remote) DNS 6.6 Stealth (a.k.a. Split or DMZ) DNS 6.7 Authoritative Only DNS 6.8 Views based Authoritative Only DNS

• Section 3 Mind Numbing Details

• 7. BIND named.conf Parameters named.conf format, structure and overview named.conf required zone files named.conf acl section (statements) named.conf controls section (statements) named.conf include section (statements) named.conf key section (statements) named.conf logging section (statements) named.conf server section (statements) named.conf trusted-keys section (statements) named.conf views section (statements) named.conf zone section (statements)

• 8. DNS Resource Records Zone File Format DNS Binary Record Formats List of Record Types A - IPv4 Address Record A6 - IPv6 Address Record CNAME - Host Alias Record DNAME - Delegate Reverse Name Record HINFO - System Information Record KEY - DNSSEC Public Key Record MX - Mail Exchanger Record NS - Name Server Record NXT - DNSSEC Content Record PTR - Pointer Record SIG - DNSSEC Signature Record SOA - Start of Authority Record SRV - Services Record TXT - Text Record

• Section 4 DNS Operations

• Chapter 9 DNS HowTos HOWTO - DNS Round Robin or Load Balancing HOWTO - support http://domain.com HOWTO - Configure Sub-domains (a.k.a. subzones) HOWTO - Delegate a sub-domain (a.k.a. subzone) HOWTO - Configure mail fail-over HOWTO - Delegate Reverse Subnet Maps HOWTO Fix SOA RR serial numbers HOWTO - Define an SPF record HOWTO Install BIND 9 on Fedora Core 2 (Linux) HOWTO Install BIND 9 on FreeBSD HOWTO Install BIND 9 on Windows HOWTO Create a DNSBL (email black list) HOWTO Close your DNS (to protect against DoS attacks and Cache Poisoning)

• Chapter 10 Diagnostics and Tools 10.1 Introduction 10.2 nslookup 10.3 dig

• Chapter 11 Trouble and Error Messages Work in progress

• Chapter 12 BIND APIs Work in progress

• Section 5 DNS Security


• Chapter 13 DNS Security 13.1 DNS Security Overview 13.1.1 Security Threats 13.1.2 Security Types 13.1.3 Local Security 13.1.4 Server-Server (TSIG Transactions) 13.1.5 Server-Client (DNSSEC)

• Section 6 DNS Bits and Bytes

• Chapter 15 DNS Message Formats 15.1 Overview Generic Format 15.2 The Message Header 15.3 The DNS Question 15.4 The DNS Answer 15.5 Domain Authority 15.6 Additional Information

• Appendices: Resources

• Appendix A: DNS & BIND Notes and Explanations

• Appendix B: Domains and Registration

• Appendix C: DNS Alternate Software and Resources

• Appendix D: DNS and Relevant RFCs

Shell scripts

#!/bin/bash

#external parameter
# USERNAME=$CAKEUSER # Hacking game user name
# PASSWORD=$CAKEPASS # must be md5 encrypted
# DOMAIN=$CAKE1 # Domain to check
# REVERSE=$CAKE2 # IP for Reverse Check

USERNAME=tester # Hacking game user name
PASSWORD=lxSigVD0RJEAM # must be md5 encrypted
DOMAIN=hs-bremen.de # Domain to check
REVERSE=213.148.129.10 # IP for Reverse Check

if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 1; #empty username = error and quit!
fi

#internal parameter
BACKGROUND_SCRIPT=/tmp/$USERNAME/background_script
TODO_FILE=/home/$USERNAME/todo

# functions
#script builder needs $mylist and $TARGET_AND_LOCATION
#(the items are quoted so that "?????" is not expanded as a file name pattern)
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> $TARGET_AND_LOCATION
    done
}

#chmodder needs $mylist and $newrights
chmodder ()
{
    for i in "${mylist[@]}"; do
        chmod $newrights $i > /dev/null 2>&1 || exit 1
    done
}

#dirmaker needs $mylist
dirmaker ()
{
    for i in "${mylist[@]}"; do
        mkdir -p $i > /dev/null 2>&1 || exit 1
    done
}
##end functions

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/ > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bashrc /home/$USERNAME/ > /dev/null 2>&1 || exit 1

#add needed dirs
mylist=(/tmp/$USERNAME)
dirmaker

#make needed files
TARGET_AND_LOCATION=$TODO_FILE
mylist=('# Hello User' '# You start with scenario dns' '# This scenario should show you, which records are stored in the dns.' '# The records you have to find out are given in the table below.' "# For your challenge you're allowed to use tools like 'nslookup' and 'dig'." '# Feel free to choose your preferred one.' '# For more information about these tools use the man command like "man dig"' '#' '# 1) start the commandline' "# 2) find your tool for dns queries" '# 3) start the query for the given domain' '# 4) find out the records given in the table below' '# 5) replace ????? with your answer' '# 6) save the document' '# 7) wait for a response' '#' "# Please don't change anything else in this document" '#' '#')
scriptbuild

echo -e "Domain : \t\t\t $DOMAIN" >> $TARGET_AND_LOCATION
echo -e "A : \t\t\t ?????" >> $TARGET_AND_LOCATION
echo -e "MX : \t\t\t ?????" >> $TARGET_AND_LOCATION
echo -e "PTR $REVERSE: \t ?????" >> $TARGET_AND_LOCATION

#make Background_script
#(it waits until the todo file has been read, then re-checks it after every modification)
TARGET_AND_LOCATION=$BACKGROUND_SCRIPT
mylist=("#!/bin/bash" "todo=$TODO_FILE" 'lastAccess=`stat $todo -c%x`' 'lastMod=`stat $todo -c%y`' 'while [ "`stat $todo -c%x`" == "$lastAccess" ]' 'do' 'sleep 10' 'echo "You have to read $todo"' 'done' 'while [ checker=1 ]' 'do' 'while [ "`stat $todo -c%y`" == "$lastMod" ]' 'do' 'sleep 10' 'done' 'echo "we check your work"' 'lastMod=`stat $todo -c%y`' 'declare -a todoList' 'declare -a entryList')
scriptbuild
#something difficult to insert: the lines must reach the background script with their own single quotes intact
echo 'todoList=(`grep -v "#" $todo | sed '\''s/[\t \ ]\{1,\}//g'\''| awk -F: '\''{print $1}'\''`)' >> $TARGET_AND_LOCATION
echo 'entryList=(`grep -v "#" $todo | sed '\''s/[\t \ ]\{1,\}//g'\''| awk -F: '\''{print $2}'\''`)' >> $TARGET_AND_LOCATION

#the remainder of this array (the check loop of the evaluation script) is cut off in the source document
mylist=('entrys=${#todoList[@]}' 'domain=${entryList[0]}' 'verifier=0' 'for ((a=1; a

scriptbuild

#change dir and file permissions
chown -R $USERNAME:$USERNAME /home/$USERNAME/ > /dev/null 2>&1 || exit 1
chown $USERNAME:$USERNAME $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1
chmod u+x $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1

#modify user .bashrc
echo "$BACKGROUND_SCRIPT &" >> /home/$USERNAME/.bashrc || exit 1
exit 0

Listing 39: Setup

#!/bin/bash
# USERNAME=$CAKEUSER
USERNAME=tester
rm -r /tmp/$USERNAME > /dev/null 2>&1 || exit 1
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Listing 40: Cleanup

#!/bin/bash
# user=$CAKEUSER
user=tester
todo=/home/$user/todo
declare -a todoList
declare -a entryList
#record names and answers from the todo file: comment lines dropped, all whitespace removed, split on ":"
todoList=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}//g'| awk -F: '{print $1}'`) || exit 1
entryList=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}//g'| awk -F: '{print $2}'`) || exit 1
entrys=${#todoList[@]}
domain=${entryList[0]}
verifier=0
#index 0 is the Domain line; every other record is looked up with dig
for ((a=1; a<entrys; a++))
do
    if [ "${todoList[$a]}" == "${todoList[$a]#PTR}" ]; then
        check=`dig ${todoList[$a]} $domain | grep ${entryList[$a]}`
    else
        check=`dig -x "${todoList[$a]#PTR}" | grep ${entryList[$a]}`
    fi
    if [ "$check" == "" ]; then
        #echo "Fault with Record ${todoList[$a]} Entry ${entryList[$a]}."
        let "verifier++"
    fi
done
if [ "$verifier" -eq 0 ]; then
    #echo "finished."
    exit 2
else
    #echo "not finished"
    exit 3
fi
exit 1

Listing 41: Evaluation
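An added example, not part of the SHiNE scripts, that runs the evaluation logic of Listing 41 offline against a constructed todo file and a stand-in for dig; it also replaces the substring grep with an exact comparison after the same whitespace normalisation, so a prefix of the right address is not accepted. The domain lab.test, the addresses and the fake_dig function are assumptions.

```shell
#!/bin/sh
# Added example (not a SHiNE script): the DNS evaluation in a testable form.
# The todo file is parsed exactly as Listing 41 does it (comment lines dropped,
# all whitespace removed, split on ":"), the dig query for each record is
# derived, and the player's answer is compared with the resolver output.

# todo_entries <file>: one "record=value" line per non-comment line
todo_entries() {
    grep -v '#' "$1" | sed 's/[[:space:]]\{1,\}//g' | awk -F: '{print $1 "=" $2}'
}

# query_for <record> <domain>: the query the evaluation runs for one record;
# a "PTR<ip>" record becomes a reverse lookup, anything else a forward lookup
query_for() {
    if [ "$1" = "${1#PTR}" ]; then
        echo "dig +short $1 $2"
    else
        echo "dig +short -x ${1#PTR}"
    fi
}

# answer_ok <answer> <resolver output>: 0 if one output line, with its
# whitespace removed, equals the answer exactly (no substring matching)
answer_ok() {
    printf '%s\n' "$2" | sed 's/[[:space:]]//g' | grep -Fqx "$1"
}

# evaluate <todo file> <lookup function>: prints the number of records whose
# answer is wrong or still "?????"; the lookup function receives the query
# string and prints what the resolver returned
evaluate() {
    wrong=0
    domain=$(todo_entries "$1" | awk -F= '$1=="Domain"{print $2}')
    set -f    # keep the ????? placeholder from being expanded as a glob
    for entry in $(todo_entries "$1" | grep -v '^Domain='); do
        rec=${entry%%=*}
        val=${entry#*=}
        if ! answer_ok "$val" "$($2 "$(query_for "$rec" "$domain")")"; then
            wrong=$((wrong + 1))
        fi
    done
    set +f
    echo "$wrong"
}

# constructed resolver standing in for dig, keyed by the query string
fake_dig() {
    case "$1" in
        'dig +short A lab.test')    printf '192.0.2.10\n' ;;
        'dig +short MX lab.test')   printf '10 mail.lab.test.\n' ;;
        'dig +short -x 192.0.2.10') printf 'www.lab.test.\n' ;;
        *)                          : ;;
    esac
}

# constructed todo file in the layout the setup script writes: the A answer is
# only a prefix of the real address and the PTR line is still unanswered
TODO=$(mktemp)
printf '# 5) replace ????? with your answer\nDomain : \t\t\t lab.test\nA : \t\t\t 192.0.2.1\nMX : \t\t\t 10 mail.lab.test.\nPTR 192.0.2.10: \t ?????\n' > "$TODO"
evaluate "$TODO" fake_dig    # prints 2
rm -f "$TODO"
```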

E.7.2 DNS Server manipulation

Wiki text

Bind Configuration From Section6 [31]

Introduction

Here is a sprint through DNS. It is in no way meant to explain the intricacies of DNS as well as a book (like DNS and BIND by O'Reilly publishing). It is, however, meant to get you running DNS quickly with a rudimentary knowledge of how it all works.

Many of these configurations will run on Bind 8 as well; however, they have not been tested. If you can, I highly suggest running version 9 for the following reasons:

* Bind9 has a number of security enhancements over Bind8.
* Bind9 and its tools have full support of IPv6.
* It comes with the current stable version of FreeBSD (5.3 at the time of this writing).

Enabling Named

You'll want to enable bind in your /etc/rc.conf so that the startup script will know you want it:

named_enable="YES"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"

Chrooting Bind9

You may ask, "Why should I chroot Bind?" First and foremost you need to assume that there is a possibility that someone will hack your services somehow. If you set up a chroot for Bind in the manner described below you'll have a server running as non-root in its own sandbox, so if someone does break in, the worst they'll be able to do is manipulate the files in the directory your bind server is confined to. For this reason you may wish to back up your zone files at some point.

If you're running the latest FreeBSD the below is really not needed. The startup script will do everything for you with the exception of making a named.conf and named.root. So what you'll want to do is make a working named.conf in /var/named/etc/namedb/named.conf and do:


cp /usr/src/etc/namedb/named.root /var/named/etc/namedb/named.root

From here we can activate the startup script and assuming your named.conf is good (which can be checked with named-checkconf) you can start named with

/etc/rc.d/named start

Creating the chroot environment (deprecated)

If you're letting the startup script create your chroot environment as above, this section can be skipped. Continue on to Finishing Touches. You'll first need to create the directories for your chrooted environment by doing the following:

mkdir -p /var/named/dev /var/named/etc /usr/named/var/run

Next you'll need to place the appropriate files into the dirs you just created:

cp /etc/named/named.root /var/named/named.root
cp /etc/localtime /var/named/etc/localtime

If you have any existing conf or zone files you'll want to move them into /var/named as well. Be sure to change the directory option in your existing named.conf (see below). Since Bind will be in its own nearly autonomous environment you'll need to make some device entries as well by doing the following:

mknod /var/named/dev/null c 2 2
mknod /var/named/dev/random c 2 3

And last, we'll have to let Bind own all the files and directories we created:

chown -R bind:bind /var/named/*

Finishing Touches

Okay, so the environment is created; now we just have to set up syslog and /etc/rc.conf.

/etc/rc.d/syslogd stop
/etc/rc.d/syslogd start

The syslogd script will detect that you are running named and that it needs to add an additional socket. This will restart syslogd with an additional logging socket in /var/named/dev. Be sure that syslogd is enabled in your /etc/rc.conf if it's not already:

syslogd_enable="YES"

Setting up Bind9 for IPv4

I'll show you how to set up a bind server for a NAT and Internet server. Of course, if you don't wish this to be visible on the Internet you can choose to have it blocked via firewall. Many of you will probably be doing bind9 setups for the standard v4 addresses. This may not be the most helpful tutorial out there; I'm only giving a background for IPv6 setups, so if you know how to set up IPv4 bind feel free to skip this. Also I'll assume you are using the chrooted environment as explained above, so take that into consideration.

Setting up rndc

The rndc tool is useful for controlling named locally or remotely; some of its functions can give you useful stats as well. It's worth setting up, so here's how. Run rndc-confgen -a. This will drop the file rndc.key into /etc/namedb/. You'll notice the key looks something like this:

key "rndc-key" {
    algorithm hmac-md5;
    secret "5CKK3LlNDdkxshC5gmnzYQ==";
};

Place the key in your /var/named/etc/namedb/named.conf. It'll work if you put the rndc specifications at the head of the file like this:

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "5CKK3LlNDdkxshC5gmnzYQ==";
};

This allows only the localhost to have access to controlling named with rndc; this, however, can be modified. Place the key in your /etc/rndc.conf. Here is a sample of this file with the above sample key.

options {
    default-server localhost;
    default-key "rndc-key";
};

server localhost {
    key "rndc-key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "5CKK3LlNDdkxshC5gmnzYQ==";
};

Start named, or killall -HUP named, for the changes to take effect if you have named set up already. If not, they will take effect when you start named after it has been configured.

Setting up the named.conf

First you'll need a config file. I'll attempt to run through this and explain by example how it was done on Section 6 Networks so that you may learn and adapt it to your own needs. Set up the options section of your named.conf:

options {
    directory "/";
    listen-on { 1.2.3.4; };
    recursion no; # Make it so people can only look up records on this host
    version "";
    pid-file "/var/run/named/pid";
    rrset-order {
        class IN type A name "www.example.com" order random;
    };
};

This will set up your main directory as the chrooted directory. Since named is chrooted, its root is /var/namedb/ if you set it up from the example.

Explanation of options

• Don’t set recursion no; if you’re setting up dns for an intranet.

• version ""; will make it so hackers can't probe what version you're using, making you a less likely target.

• rrset-order is how you set up round robin dns. If you want round robin dns for all multiple A records in your zones you can simply do this:

rrset-order {
    order random;
};

Other choices besides random include cyclic and fixed.

Set up your zone info:

zone "." {
    type hint;
    file "named.root";
};
zone "section6.net" {
    type master;
    file "zones/db.section6.net";
    notify yes;
    allow-transfer { 216.7.11.132; 64.71.191.27; 212.100.224.176; 66.37.215.46; };
};
zone "0.0.10.in-addr.arpa" {
    type master;
    file "zones/db.0.0.10.in-addr.arpa";
};
zone "89.67.45.123.in-addr.arpa" {
    type master;
    file "zones/db.13.180.230.12.in-addr.arpa";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "localhost" {
    type master;
    file "zones/db.localhost";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "zones/db.0.0.127.in-addr.arpa";
    notify no;
};

Okay, so that's a lot. Basically we have the root hints file, a mandatory file for looking up DNS unknowns, and one forward zone, section6.net, which shows name to address mappings. We have 2 address to name mappings, one for our private net 10.0.0.0/24 and one for our outside IP, 123.45.67.89. Notice the format of these zones; it'll become more clear later. We also have the mandatory zone files for localhost, our computer, which are localhost and 127.0.0.1. You'll notice that section6.net is the only one with notify yes and allow-transfer options. notify yes says to notify the transfer hosts upon any changes. We have notify no set on a majority of the zones as they are for internal use only. allow-transfer specifies the hosts allowed to transfer your information to theirs.

The Zone Files

For each defined zone in your named.conf you'll need a corresponding zone file detailing the forward or reverse info for that zone. Below is a sample IPv4 forward zone file for section6.lan. The file name, according to named.conf, is db.section6.lan.

$ORIGIN section6.net.
$TTL 1d
section6.net.   IN SOA   syndie.section6.net. root.syndie.section6.net. (
                1        ; Serial
                10800    ; Refresh after 3 hours
                3600     ; Retry after 1 hour
                604800   ; Expire after 1 week
                86400 )  ; Minimum TTL of 1 day

                IN NS    syndie.section6.net.
;
section6.net.   IN MX 10 syndie.section6.net.
;
@               IN A     10.0.0.1
localhost       IN A     127.0.0.1
syndie          IN A     10.0.0.1
vpn             IN A     10.0.0.2
schism          IN A     10.0.0.5
test            IN A     10.0.0.20
ganymede        IN A     10.0.0.42
web             IN A     10.0.0.99
gabrielle       IN A     10.0.0.242
;
hades           IN CNAME syndie
ns              IN CNAME syndie
mail            IN CNAME syndie
ftp             IN CNAME ganymede

You'll notice a few things here. The $ORIGIN basically tells named which domain to tack onto the records so we don't have to write the whole thing out each time. The . at the end of the domain is important; if you forget it, things will break. There are 2 strings after SOA (Start of Authority). One tells who the SOA is for the domain, the other names the contact (root.syndie.section6.lan = [email protected]). A records point to IPs; CNAMEs are essentially aliases for A records. Part of good practice is to not have a CNAME pointing to another CNAME. The MX record tells mail exchangers where to send mail for that domain. The number after it is the priority, 1 being highest. Now for an example of a reverse zone file. This is for the zone 0.0.10.in-addr.arpa.

$TTL 1d
0.0.10.in-addr.arpa.   IN SOA   syndie.section6.net. root.syndie.section6.net. (
                       1        ; Serial
                       10800    ; Refresh after 3 hours
                       3600     ; Retry after 1 hour
                       604800   ; Expire after 1 week
                       86400 )  ; Minimum TTL of 1 day

@       IN NS    syndie.section6.net.

1       IN PTR   syndie.section6.net.
2       IN PTR   vpn.antithesist.net.
5       IN PTR   schism.section6.net.
20      IN PTR   test.section6.net.
42      IN PTR   ganymede.section6.net.
99      IN PTR   web.section6.net.
242     IN PTR   gabrielle.section6.net.

Many of the declarations here are the same as in the forward file. All the records here are PTR records. Since you have 0.0.10.in-addr.arpa defined (which translates to 10.0.0.x), you just need to put the x value for each of the addresses. Again, don't forget the . at the end of each full name or it won't work.

Setting up Bind9 for IPv6

First of all, if you're really hating this tutorial and you want to read something else on setting up BIND for IPv6 you can read This document. Some additional notes about IPv6 DNS: there are 2 competing formats for A style records in IPv6, AAAA and A6. Since I have yet to see an A6 record in the wild I'll refer you to the above mentioned document if you wish to set it up. I will, however, detail how to set up the 2 formats for reverse DNS (nibble and bitstream).

IPv6 zones in the named.conf

I have set up my IPv6 forward records in the same zone file that the IPv4 records are located in. This works, but some may not want to do this. You can create a subdomain to differentiate your IPv4 and IPv6 records, but there is no harm in making both records in the same file, or even 2 identical names each pointing to one IPv6 and one IPv4 record. It has worked alright for me so far. Here is the IPv6 specific information as appended to my named.conf example above.

// IPv6 zone files
// ======
//
// First, load the zone for the IPv6 loopback address.
//
// The new current way of reverse (Bitstream)
zone "\[x0000000000000000/64].ip6.arpa" {
    type master;
    file "zones/db.0000:0000:0000:0000.ip6.arpa";
    allow-transfer {none;};
};
// The old (deprecated) reverse (Nibble format)
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
    type master;
    file "zones/db.0000:0000:0000:0000.ip6.int";
    allow-transfer {none;};
};
zone "\[x200104701f000222/64].ip6.arpa" {
    type master;
    file "zones/db.2001.470.1f00:222.ip6.arpa";
};
zone "2.2.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.int" {
    type master;
    file "zones/db.2001.470.1f00:222.ip6.int";
};

As you can see I have the first 4 groups of 16 bits (also known as a /64, since 16 * 4 = 64) defined in the zone files. The first two entries define my localhost, the second 2 define my public address range 2001.470.1f00.222/64. Most of this part of the file is fairly self explanatory.

Shell scripts

#!/bin/bash
#
# Szenario DNS Server
#
# short manual
# File operations in /etc/bind/* and /etc/resolv.conf are allowed to the group $dnsgamers
# configuration backups are kept in $backdir
# the zone files for the default DNS server dmz-server.hs-bremen.game are generated below
#

# external parameter
#dnsgamers=$CAKE1
dnsgamers=dnsgamers                   # group for gamers

# internal parameters (or a zone taken out of cake)
backdir=/tmp/bkdsds
# dns zones
rootDNS=194.94.24.34                  # IP address of the forwarder, in this case dns.hs-bremen.de
mainzone=hs-bremen.game               # realm of the game zone
servermainzone=dmz-server.$mainzone   # name of the DNS server
dmzzone=1.0.10.in-addr.arpa
managementzone=10.20.172.in-addr.arpa
preludezone=20.20.172.in-addr.arpa
workerzone=30.20.172.in-addr.arpa
serverzone=40.20.172.in-addr.arpa
guestzone=50.20.172.in-addr.arpa
# record options
ttl=604800
retry=86400
expire=2419200

# make backupdir
mkdir "$backdir" > /dev/null 2>&1 || exit 1

# adding group and sudo rights for bind interaction
# save sudoers file
cp /etc/sudoers "$backdir/sudoers" > /dev/null 2>&1 || exit 1
groupadd "$dnsgamers" > /dev/null 2>&1 || exit 1
# members of the group may only run the bind9 init script as root; everything else stays root-only.
# The line is appended without visudo, so a typo here would break sudo for every user.
echo "%$dnsgamers ALL=/etc/init.d/bind9" >> /etc/sudoers || exit 1

# install the dnsserver bind9 without interaction
aptitude install bind9 -y > /dev/null 2>&1 || exit 1

# save bind default in /tmp
cd "$backdir" && tar cf bind.bak.tar /etc/bind > /dev/null 2>&1 || exit 1

# save resolv.conf
cp /etc/resolv.conf "$backdir/" > /dev/null 2>&1 || exit 1

# bind configuration with default bind config hs-bremen.game
#
# configuration of /etc/bind/named.conf.options
#
# create temp file
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.tmp > /dev/null 2>&1 || exit 1

# search for the string "forwarders" and uncomment it | search for 0.0.0.0 and uncomment it |
# replace 0.0.0.0 with $rootDNS | search for the closing "};" of the forwarders block and uncomment it | write to file
sed '/forwarders {/s/\/\///g' /etc/bind/named.conf.options.tmp | sed '/0.0.0.0/s/\/\///g' | sed "s/0\.0\.0\.0/$rootDNS/" | sed '/\/\/ };/s/\/\///g' > /etc/bind/named.conf.options || exit 1
# delete tmp file
rm /etc/bind/named.conf.options.tmp > /dev/null 2>&1 || exit 1

#
# configuration of default zones hs-bremen.game
#

# Target is always the same
TARGET_AND_LOCATION=/etc/bind/named.conf.local

# zoneadd needs $zone and $TARGET_AND_LOCATION
zoneadd ()
{
    mylist=("zone \"$zone\" {" "\\t type master;" "\\t file \"/etc/bind/zone.$zone\";" "\\t allow-query {any;};" '};')
    for i in "${mylist[@]}"; do
        echo -e "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}

# recordbuilder
# needs for soa : ttl retry expire servermainzone
# needs for filefunctions : zone
# needs for records : recordlist
recordbuilder()
{
    file=/etc/bind/zone.$zone
    # make new zonefile with soa
    echo -e "\$TTL \t $ttl" > "$file" || exit 1
    echo -e "@ \t IN \t SOA \t $servermainzone. \t root.localhost. (" >> "$file" || exit 1
    # serial = YYYYMMDD followed by the version number; the evaluation script parses this exact line
    echo -e "\t \t \t $(date +%Y%m%d)1 \t; Serial YYYYMMDDVersion" >> "$file" || exit 1
    echo -e "\t \t \t $ttl \t ; Refresh" >> "$file" || exit 1
    echo -e "\t \t \t $retry \t \t; Retry" >> "$file" || exit 1
    echo -e "\t \t \t $expire \t; Expire" >> "$file" || exit 1
    echo -e "\t \t \t $ttl ) \t; Negative Cache TTL" >> "$file" || exit 1
    if [ "$zone" == "$mainzone" ]; then
        addpoint=""      # forward zone: relative names stay relative
        echo -e "\t \t \t IN \t NS \t $servermainzone." >> "$file" || exit 1
    else
        addpoint="."     # reverse zone: terminate the PTR targets so BIND does not append the zone origin
        echo -e "@ \t \t IN \t NS \t $servermainzone." >> "$file" || exit 1
    fi
    echo -e ";\$ORIGIN \t $mainzone" >> "$file" || exit 1
    for i in "${recordlist[@]}"; do
        echo -e "$i$addpoint" >> "$file" || exit 1
    done
}

# zone game main
zone=$mainzone
zoneadd
# add records (roadwarrior126..254 are produced by BIND's $GENERATE directive)
recordlist=(
    "dmz-server\t IN\t A\t 10.0.1.3"
    "zeus\t\t IN\t A\t 172.20.10.3"
    "ramses\t\t IN\t A\t 172.20.20.131"
    "cleopatra\t IN\t A\t 172.20.20.132"
    "pluto\t\t IN\t A\t 172.20.30.21"
    "venus\t\t IN\t A\t 172.20.30.22"
    "merkur\t\t IN\t A\t 172.20.30.60"
    "erde\t\t IN\t A\t 172.20.30.61"
    "mars\t\t IN\t A\t 172.20.30.62"
    "jupiter\t\t IN\t A\t 172.20.30.63"
    "saturn\t\t IN\t A\t 172.20.30.64"
    "neptun\t\t IN\t A\t 172.20.30.65"
    "phobos\t\t IN\t A\t 172.20.30.66"
    "deimo\t\t IN\t A\t 172.20.30.67"
    "kallisto\t IN\t A\t 172.20.30.68"
    "uranus\t\t IN\t A\t 172.20.30.69"
    "deutschland\t IN\t A\t 172.20.40.51"
    "holland\t\t IN\t A\t 172.20.40.52"
    '$GENERATE 126-254 roadwarrior$ IN A 172.20.30.$'
)
# roadwarrior1..20 live at 172.20.30.33..52
for ((n=1; n<=20; n++)); do
    recordlist+=("roadwarrior$n\t IN\t A\t 172.20.30.$((n + 32))")
done
recordbuilder

# zone DMZ
zone=$dmzzone
zoneadd
recordlist=("3\t\t IN\t PTR\t dmz-server.hs-bremen.game")
recordbuilder

# zone Management
zone=$managementzone
zoneadd
recordlist=("3\t\t IN\t PTR\t zeus.hs-bremen.game")
recordbuilder

# zone Prelude
zone=$preludezone
zoneadd
recordlist=("131\t\t IN\t PTR\t ramses.hs-bremen.game" "132\t\t IN\t PTR\t cleopatra.hs-bremen.game")
recordbuilder

# zone Worker
zone=$workerzone
zoneadd
recordlist=(
    "21\t IN\t PTR\t pluto.hs-bremen.game"
    "22\t IN\t PTR\t venus.hs-bremen.game"
    "60\t IN\t PTR\t merkur.hs-bremen.game"
    "61\t IN\t PTR\t erde.hs-bremen.game"
    "62\t IN\t PTR\t mars.hs-bremen.game"
    "63\t IN\t PTR\t jupiter.hs-bremen.game"
    "64\t IN\t PTR\t saturn.hs-bremen.game"
    "65\t IN\t PTR\t neptun.hs-bremen.game"
    "66\t IN\t PTR\t phobos.hs-bremen.game"
    "67\t IN\t PTR\t deimo.hs-bremen.game"
    "68\t IN\t PTR\t kallisto.hs-bremen.game"
    "69\t IN\t PTR\t uranus.hs-bremen.game"
    '$GENERATE 126-254 $ PTR roadwarrior$.hs-bremen.game'
)
# reverse entries for roadwarrior1..20 (172.20.30.33..52)
for ((n=1; n<=20; n++)); do
    recordlist+=("$((n + 32))\t IN\t PTR\t roadwarrior$n.hs-bremen.game")
done
recordbuilder

# zone Server
zone=$serverzone
zoneadd
recordlist=("51\t IN\t PTR\t deutschland.hs-bremen.game" "52\t IN\t PTR\t holland.hs-bremen.game")
recordbuilder

# zone Guest (empty; the player has to fill it)
zone=$guestzone
zoneadd
recordlist=()
recordbuilder

# change rights in /etc/bind: the gamers group may edit every config and zone file,
# bind itself keeps running as user bind
chown -R "bind:$dnsgamers" /etc/bind > /dev/null 2>&1 || exit 1
chmod g+w /etc/bind/* > /dev/null 2>&1 || exit 1
chmod g+w /etc/bind > /dev/null 2>&1 || exit 1

# to allow user changes in resolv.conf
chown "root:$dnsgamers" /etc/resolv.conf > /dev/null 2>&1 || exit 1
chmod g+w /etc/resolv.conf > /dev/null 2>&1 || exit 1

# make the nameserver work for localhost
echo "search $mainzone" > /etc/resolv.conf || exit 1
echo "nameserver localhost" >> /etc/resolv.conf || exit 1

# save the default game configuration

# save bind game default in /tmp
cd "$backdir" && tar cf bind.game.bak.tar /etc/bind > /dev/null 2>&1 || exit 1

# save resolv.conf
cp /etc/resolv.conf "$backdir/resolv.game.conf" > /dev/null 2>&1 || exit 1

# restart the nameserver
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1

exit 0

Listing 42: Setup Environment
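The reverse zone names in the listing above (1.0.10.in-addr.arpa for 10.0.1.0/24, 50.20.172.in-addr.arpa for the guest net) and the nibble-format ip6.arpa zone shown earlier are written by hand. The following Python helper is an added example, not part of the SHiNE scripts: it derives such zone names from a prefix, the relative PTR owner name the scripts put in the first column of a reverse zone, and the historic RFC 2673 bit-string form that the ip6.arpa listing above also uses. Prefixes that do not fall on an octet (IPv4) or nibble (IPv6) boundary are refused, because those need an RFC 2317 style delegation instead of a plain reverse zone.

```python
import ipaddress

# Added example, not part of the SHiNE scripts: derive the reverse zone names
# that setup_env hard-codes (1.0.10.in-addr.arpa, 50.20.172.in-addr.arpa, ...)
# and the ip6.arpa nibble zone shown above from a prefix, plus the relative
# owner name of a PTR record inside such a zone.

def reverse_zone(cidr):
    """in-addr.arpa / ip6.arpa zone name for a prefix.  IPv4 prefixes must sit
    on an octet boundary and IPv6 prefixes on a nibble (4-bit) boundary; anything
    else needs an RFC 2317 style delegation and is refused rather than guessed."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{cidr}: IPv4 reverse zone needs an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError(f"{cidr}: IPv6 reverse zone needs a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def bitstring_zone(cidr):
    """The historic RFC 2673 bit-string label form of an ip6.arpa zone, as in
    zone "\\[x200104701f000222/64].ip6.arpa" above.  Only useful for reading old
    configurations; later BIND 9 releases dropped support for this syntax."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("bit-string form shown here only for nibble-aligned IPv6 prefixes")
    hexdigits = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return f"\\[x{hexdigits}/{net.prefixlen}].ip6.arpa"


def ptr_owner(ip, zone):
    """Relative owner name of ip's PTR record inside zone, i.e. the first column
    the scripts write ("3" for 10.0.1.3 in 1.0.10.in-addr.arpa)."""
    full = ipaddress.ip_address(ip).reverse_pointer        # e.g. 3.1.0.10.in-addr.arpa
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} is not covered by {zone}")
    return full[: -len(zone) - 1]


if __name__ == "__main__":
    for cidr in ("10.0.1.0/24", "172.20.50.0/24", "2001:470:1f00:222::/64"):
        print(f"{cidr:28s} -> {reverse_zone(cidr)}")
    print(ptr_owner("10.0.1.3", reverse_zone("10.0.1.0/24")))
```

The /25 and /63 cases are the ones a practitioner most often gets wrong: `reverse_zone` raises for them instead of silently producing a zone name that covers twice the intended range.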

#!/bin/bash

# external parameter
#dnsgamers=$CAKE1
dnsgamers=dnsgamers

backdir=/tmp/bkdsds

# delete nameserver bind
aptitude purge bind9 -y > /dev/null 2>&1 || exit 1

# delete the group; the sudo rule disappears with the restored sudoers file below
groupdel "$dnsgamers" > /dev/null 2>&1 || exit 1

# restore resolv.conf and sudoers from the backup
cp "$backdir/resolv.conf" /etc/resolv.conf > /dev/null 2>&1 || exit 1
cp "$backdir/sudoers" /etc/sudoers > /dev/null 2>&1 || exit 1

# delete scenario backup files and /etc/bind
rm -rf "$backdir" > /dev/null 2>&1 || exit 1
rm -rf /etc/bind > /dev/null 2>&1 || exit 1

exit 0

Listing 43: Cleanup Environment

#!/bin/bash

backdir=/tmp/bkdsds

# external parameter
# USERNAME = $CAKEUSER
# PASSWORD = $CAKEPASS
# GROUP = $CAKE1

USERNAME=gamer             # Hacking game user name
PASSWORD=AJhEqbz7CCzbE     # crypt(3) hash as expected by useradd -p, not a clear-text password (DES-crypt hash of "test")
GROUP=dnsgamers            # default group for sudo rights configured in setup_env

# parameter for usertask
TODO_FILE=/home/$USERNAME/todo
# zone = $CAKE2
# mailIP = $CAKE3
# wwwIP = $CAKE4
# netIP = $CAKE5

zone=hs-bremen.game        # zone for the task
mailIP=10.0.1.100          # the new mailserver ip
wwwIP=10.0.1.101           # the new wwwserver ip
netIP=172.20.66            # the new zone net with ptr for IP $netIP.1

# levels
# level 1 = insert the mailserver and the wwwserver
# level 2 = level 1 and insert the complete reverse zone for the guest net 172.20.50.0/24
# level 3 = level 2 and insert the new zone for $netIP.0/24
# level = $CAKE6
level=3

if [ -z "$USERNAME" ]; then
    exit 1     # empty username = error and quit!
fi

# adduser and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$GROUP" > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# make default bind.game config from default configuration and restart nameserver
rm -rf /etc/bind/* > /dev/null 2>&1 || exit 1
cd / && tar xf "$backdir/bind.game.bak.tar" > /dev/null 2>&1 || exit 1
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1

# script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}
TARGET_AND_LOCATION=$TODO_FILE
mylist=(
    '# Hello User'
    '# You start with scenario dns-server'
    '# This scenario should show you how to work with the DNS server bind'
    '# You have to manipulate some records given below'
    '#'
    '# Please keep in mind: to start, stop or reload services you may need privileged rights'
    '# For security reasons you do not have the superuser password, but you are allowed to use the sudo command'
    '#'
    ' '
    'Tasklist (only DNS settings)'
    "(1) You have to implement the required settings for the new mailserver (IP: $mailIP Name: mail)"
    "(2) Integrate the www server at IP $wwwIP"
)
scriptbuild
if [ "$level" -gt 1 ]; then
    mylist=("(3) The net 172.20.50.XXX is reserved for guests. Please complete the zone file with PTR records of the form guestXXX.$zone. Complete the whole class C net (XXX from 1 to 254)")
    scriptbuild
fi
if [ "$level" -gt 2 ]; then
    mylist=("(4) Insert a new zone for net $netIP.0/24 and place a PTR record for IP $netIP.1 with \"users.$zone\"")
    scriptbuild
fi

# the task list is read-only for the player
chown "root:$GROUP" "$TODO_FILE" > /dev/null 2>&1 || exit 1
chmod u-w,g-w,o-w "$TODO_FILE" > /dev/null 2>&1 || exit 1

exit 0

Listing 44: Setup User

#!/bin/bash
# USERNAME = $CAKEUSER
USERNAME=gamer
deluser --remove-home "$USERNAME" > /dev/null 2>&1 || exit 1
exit 0

Listing 45: Cleanup User

#!/bin/bash

# external parameter
level=3
score=1500
dnsserver=localhost        # server for dns checks
zone=hs-bremen.game        # zone for the task
mailIP=10.0.1.100          # the new mailserver ip
wwwIP=10.0.1.101           # the new wwwserver ip
netIP=172.20.66            # the new zone net with ptr for IP $netIP.1
ptrNET=172.20.50           # net for guest ptr
dmzzone=1.0.10.in-addr.arpa
guestzone=50.20.172.in-addr.arpa

# exit codes used by this script: 2 = task solved, 3 = task failed, 1 = script error
# $score is reduced by 10% for each minor fault (wrong serial, resolv.conf not pointing at the server)

# check if bind is working for the zone (the SOA must be answered by the game server)
if [ "$(dig soa "$zone" @"$dnsserver" +short)" ]; then
    echo "dnsserver works for zone $zone" > /dev/null
    # the same query through /etc/resolv.conf checks that localhost is still the configured resolver
    if [ "$(dig soa "$zone" +short)" ]; then
        echo "dnsserver is working for localhost" > /dev/null
    else
        # dnsserver does not work for localhost
        let "score-=$score/10"     # -10% scorepoints
    fi
else
    # dnsserver does not work for $zone
    score=0
    exit 3
fi

# checkversion needs $file $expectedversion
checkversion()
{
    # check if the version was changed (default version is 1, date is today)
    # setup_env writes the serial as "<tabs> YYYYMMDDn <tab>; Serial YYYYMMDDVersion",
    # so this only works on the day the environment was set up
    datestring=$(date +%Y%m%d)
    version=$(grep "$datestring" "$file" | sed 's/\s//g')
    version=${version%;*n}                  # cut the "; Serial YYYYMMDDVersion" comment
    version=${version:${#datestring}}       # what follows the date is the version
    if [ "$version" == "$expectedversion" ]; then
        echo "$file version OK" > /dev/null
    else
        echo "$file version not OK" > /dev/null
        echo "version $version expected $expectedversion" > /dev/null
        let "score-=$score/10"     # -10% scorepoints
    fi
}

# check level 1
# if level 1 isn't finished the player doesn't get any points

# version has to be changed in $zone and $dmzzone
file=/etc/bind/zone.$zone
expectedversion=2
checkversion
file=/etc/bind/zone.$dmzzone
expectedversion=2
checkversion

# check MX: an MX record for the zone pointing at "mail", its A record and the matching PTR
if [ "$(dig mx "$zone" @"$dnsserver" | grep mail | grep MX)" ]; then
    if [ "$(dig "mail.$zone" @"$dnsserver" | grep "$mailIP")" ]; then
        # A record for MX OK
        if [ "$(dig -x "$mailIP" @"$dnsserver" | grep mail)" ]; then
            echo "PTR record for MX OK" > /dev/null
        else
            echo "PTR record for MX not OK" > /dev/null
            score=0
            exit 3
        fi
    else
        echo "A record for MX not OK" > /dev/null
        score=0
        exit 3
    fi
    echo "mx OK" > /dev/null
else
    score=0
    echo "mx not OK" > /dev/null
    exit 3
fi
# check www
if [ "$(dig "www.$zone" @"$dnsserver" | grep "$wwwIP")" ]; then
    echo "www OK" > /dev/null
else
    echo "www not OK" > /dev/null
    score=0
    exit 3
fi

# check level 2

# we check the whole guest net
if [ "$level" -gt 1 ]; then
    # version has to be changed in $guestzone (only required from level 2 on)
    file=/etc/bind/zone.$guestzone
    expectedversion=2
    checkversion
    ok=1
    for ((x=1; x<255; x++)); do
        ptr=$(dig -x "$ptrNET.$x" @"$dnsserver" | grep "guest$x")
        if [ -z "$ptr" ]; then
            ok=0                                     # no PTR at all for this address
        elif [ "$ptr" == "${ptr%guest$x.$zone.}" ]; then
            ok=0                                     # PTR present but not guest<x>.<zone>.
        fi
    done
    if [ "$ok" -lt 1 ]; then
        echo "PTR guests not OK" > /dev/null
        exit 3
    else
        echo "PTR guests OK" > /dev/null
    fi
fi

# check level 3

# version has to be 1 because it is a new zone
# version isn't checked

if [ "$level" -gt 2 ]; then
    if [ "$(dig -x "$netIP.1" @"$dnsserver" | grep user)" ]; then
        echo "new net $netIP OK" > /dev/null
    else
        echo "new net $netIP not OK" > /dev/null
        exit 3
    fi
fi
exit 2

Listing 46: Evaluation
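The evaluation script above checks the player's work by querying the running server with dig and pulls the SOA serial out of the zone file with grep and sed. The Python module below is an added example, not code from the SHiNE project, that performs the same checks offline on the zone files that recordbuilder writes: it parses the tab-separated records, the multi-line SOA and BIND's $GENERATE lines, compares serials with RFC 1982 arithmetic instead of a string match on today's date, and verifies the mail, www and guest-PTR tasks of levels 1 and 2. The three zone texts are constructed for this example and show a solved level-2 task; the default serial is the value setup_env would have written on 2008-03-31.

```python
# Added example, not part of the SHiNE scripts: the checks the evaluation
# script makes with dig, done offline on the zone files that recordbuilder
# writes (tab-separated records, a multi-line SOA, BIND $GENERATE lines).
# The three zone texts at the bottom are constructed for this example.

def parse_zone(text):
    """Return (soa_serial, records); records are (owner, type, rdata-tokens)
    with owner names left relative, exactly as they appear in the file."""
    records, owner, serial = [], "@", None

    def add(tok, inherit):
        nonlocal owner, serial
        if not inherit:                       # a line starting in column 1 names its owner
            owner = tok.pop(0)
        if tok and tok[0].isdigit():          # optional TTL
            tok.pop(0)
        if tok and tok[0].upper() == "IN":    # optional class
            tok.pop(0)
        rtype, rdata = tok[0].upper(), tok[1:]
        if rtype == "SOA":                    # mname rname serial refresh retry expire minimum
            serial = int(rdata[2])
        records.append((owner, rtype, rdata))

    buf, inherit = "", False
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # ';' starts a comment
        if not buf:
            inherit = line[:1].isspace()      # leading blank = same owner as the previous record
        buf += " " + line
        if buf.count("(") > buf.count(")"):   # still inside a ( ... ) group, e.g. the SOA
            continue
        tok = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if not tok:
            continue
        if tok[0] == "$GENERATE":             # $GENERATE lo-hi lhs [ttl] [class] type rhs
            lo, hi = (int(x) for x in tok[1].split("-"))
            for n in range(lo, hi + 1):
                add([t.replace("$", str(n)) for t in tok[2:]], False)
        elif not tok[0].startswith("$"):      # $TTL / $ORIGIN carry no record
            add(tok, inherit)
    return serial, records


def serial_advanced(old, new):
    """RFC 1982 serial comparison: new is newer than old if it is ahead by less
    than 2**31 in 32-bit modular arithmetic (a plain new > old breaks at wrap)."""
    return 0 < (new - old) % 2**32 < 2**31


def evaluate(main_txt, dmz_txt, guest_txt, default_serial, zone="hs-bremen.game",
             mail_ip="10.0.1.100", www_ip="10.0.1.101"):
    """Level 1 and 2 checks of the evaluation script, on zone text instead of dig."""
    main_serial, main = parse_zone(main_txt)
    dmz_serial, dmz = parse_zone(dmz_txt)
    guest_serial, guest = parse_zone(guest_txt)

    def have(recs, owner, rtype, target):
        return any(o == owner and t == rtype and r[-1] == target for o, t, r in recs)

    return {
        "main_serial_bumped": serial_advanced(default_serial, main_serial),
        "dmz_serial_bumped": serial_advanced(default_serial, dmz_serial),
        "guest_serial_bumped": serial_advanced(default_serial, guest_serial),
        "mx": have(main, "@", "MX", "mail") or have(main, "@", "MX", f"mail.{zone}."),
        "mail_a": have(main, "mail", "A", mail_ip),
        "mail_ptr": have(dmz, mail_ip.rsplit(".", 1)[1], "PTR", f"mail.{zone}."),
        "www_a": have(main, "www", "A", www_ip),
        "guest_ptrs": all(have(guest, str(n), "PTR", f"guest{n}.{zone}.") for n in range(1, 255)),
    }


# constructed zone files in recordbuilder's layout, after a player solved levels 1 and 2
MAIN = """\
$TTL\t604800
@\tIN\tSOA\tdmz-server.hs-bremen.game.\troot.localhost. (
\t\t\t200803312\t; Serial YYYYMMDDVersion
\t\t\t604800\t; Refresh
\t\t\t86400\t; Retry
\t\t\t2419200\t; Expire
\t\t\t604800 )\t; Negative Cache TTL
\t\t\tIN\tNS\tdmz-server.hs-bremen.game.
\t\t\tIN\tMX\t10 mail
;$ORIGIN\ths-bremen.game
dmz-server\tIN\tA\t10.0.1.3
mail\tIN\tA\t10.0.1.100
www\tIN\tA\t10.0.1.101
$GENERATE 126-254 roadwarrior$ IN A 172.20.30.$
"""
DMZ = """\
@\tIN\tSOA\tdmz-server.hs-bremen.game.\troot.localhost. ( 200803312 604800 86400 2419200 604800 )
@\tIN\tNS\tdmz-server.hs-bremen.game.
3\tIN\tPTR\tdmz-server.hs-bremen.game.
100\tIN\tPTR\tmail.hs-bremen.game.
"""
GUEST = """\
@\tIN\tSOA\tdmz-server.hs-bremen.game.\troot.localhost. ( 200803312 604800 86400 2419200 604800 )
@\tIN\tNS\tdmz-server.hs-bremen.game.
$GENERATE 1-254 $ PTR guest$.hs-bremen.game.
"""
DEFAULT_SERIAL = 200803311   # what setup_env wrote on 2008-03-31 (version 1)

if __name__ == "__main__":
    for name, ok in evaluate(MAIN, DMZ, GUEST, DEFAULT_SERIAL).items():
        print(f"{name:20s} {'OK' if ok else 'FAIL'}")
```

Checking the files rather than the live server has one blind spot the script's dig-based checks do not have: a zone file that BIND refuses to load (a PTR target without trailing dot, a missing NS record) still passes here, so a file check is a complement to, not a replacement for, querying the server.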

E.7.3 DNS-Spoofing

Wiki text

DNS Spoofing


From securesphere.net [32]

Overview: What is DNS Spoofing?

DNS Spoofing is the art of making a DNS entry point to another IP than the one it is supposed to point to. To understand this better, let's look at an example. You are in your web browser and wish to see the news on www.cnn.com. Without thinking about it, you just enter this URL in your address bar and press enter. Now, what is happening behind the scenes? Well, basically your browser is going to send a request to a DNS server to get the matching IP address for www.cnn.com; then the DNS server tells your browser the IP address of CNN, so your browser can connect to CNN's IP address and display the content of the main page.

Hold on a minute... You get a message saying that CNN's web site has closed because they don't have any more money to pay for their web site. You are so amazed that you call your best friend and tell him on the phone; of course he laughs at you, but to be sure, he goes to CNN's web site to check for himself. You are surprised when he tells you he can see the news of the day as usual, and you start to wonder what is going on. Are you sure you are talking to the right IP address? Let's check. You ask your friend to fire up his favourite DNS resolving tool (or simply ping) and to give you the IP address he gets for www.cnn.com. Once you have it, you put it in your browser's URL bar: http://212.153.32.65. You feel ridiculous and frustrated when you see CNN's web page with its daily news. Well, you have just witnessed a DNS hijacking scenario. You wonder what happened: did the DNS server tell you the wrong IP address? Maybe... At least this is the most obvious answer that comes to mind. In fact there are two techniques for accomplishing this DNS hijacking. Let's look at the first one, the "DNS ID Spoofing" technique.

A) DNS Cache Poisoning

As you can imagine, a DNS server can't store information about all existing names/IPs on the net in its own memory space. That's why DNS servers have a cache, which enables them to keep a DNS record for a while. In fact, a DNS server only has the records for the machines of the domain it has authority over; if it needs to know about machines outside its domain, it has to send a request to the DNS server which handles these machines, and since it doesn't want to ask about records all the time, it can store the replies returned by other DNS servers in its cache. Now let's see how someone could poison the cache of our DNS server. An attacker is running his own domain (attacker.net) with his own hacked DNS server (ns.attacker.net). Note that I said hacked DNS server because the attacker customized the records in his own DNS server; for instance one record could be www.cnn.com=81.81.81.81.

1) The attacker sends a request to your DNS server asking it to resolve www.attacker.net.

2) Your DNS server is not aware of this machine's IP address; it doesn't belong to its domain, so it needs to ask the responsible name server.

3) The hacked DNS server replies to your DNS server and at the same time gives it all its records (including its record concerning www.cnn.com). Note: this process is called a zone transfer.

4) The DNS server is now "poisoned". The attacker got his IP, but who cares; his goal was not to get the IP address of his web server but to force a zone transfer and leave your DNS server poisoned as long as the cache is not cleared or updated.

5) Now if you ask your DNS server about www.cnn.com's IP address, it will give you 172.50.50.50, where the attacker runs his own web server. Or even simpler, the attacker could just run a bouncer forwarding all packets to the real web site and vice versa, so you would see the real web site, but all your traffic would be passing through the attacker's web site.

B) DNS ID Spoofing

We saw that when a machine X wants to communicate with a machine Y, the former always needs the latter's IP address. However, in most cases X only has the name of Y; in that case the DNS protocol is used to resolve the name of Y into its IP address. Therefore a DNS request is sent to a DNS server declared at X, asking for the IP address of the machine Y. Meanwhile, the machine X has assigned a pseudo-random identification number to its request, which should be present in the answer from the DNS server. Then, when the answer from the DNS server is received by X, it only has to compare both numbers; if they are the same, the answer is taken as valid, otherwise it is simply ignored by X. Is this concept safe? Not completely. Anyone could mount an attack by getting this ID number.

If you are, for example, on a LAN, someone who runs a sniffer could intercept DNS requests on the fly, see the request ID number and send you a fake reply with the correct ID number... but with the IP address of his choice. Then, without realizing it, the machine X will be talking to the IP of the attacker's choice, thinking it is Y. By the way, the DNS protocol relies on UDP for requests (TCP is used only for zone transfers), which means that it is easy to send a packet coming from a fake IP, since there are no SYN/ACK numbers (unlike TCP, UDP doesn't provide even a minimum of protection against IP spoofing). Nevertheless, there are some limitations to accomplishing this attack. In my example above, the attacker runs a sniffer, intercepts the ID number and replies to his victim with the same ID number and with a reply of his choice. On the other hand, even if the attacker intercepted your request, it will be transmitted to the DNS server anyway, which will also reply to the request (unless the attacker is blocking the request at the gateway or carries out ARP cache poisoning, which, by the way, would make the attack possible on a switched network).

That means that the attacker has to reply BEFORE the real DNS server, which means that to succeed in this attack, the attacker MUST be on the same LAN so as to have a very quick ping to your machine, and also to be able to capture your packets.

Practical example

To see for yourself how to hijack a connection from a machine on your local area network, do the following:

First step: poison the ARP cache of the victim's machine, so that its traffic to the gateway reaches your host.

Second step: now the outgoing packets of the target are redirected to your host, but you have to forward the traffic to the real gateway; otherwise the victim loses connectivity and the attack is noticed immediately.

Third step: use a DNS spoofing tool like dnsspoof, which sniffs the victim's DNS queries and answers them with forged replies carrying the matching ID before the real server does, i.e. it carries out the DNS ID spoofing described above.
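As an added illustration of the third step (example code, not from the page and not dnsspoof's own code): the forged reply only has to copy the 16-bit transaction ID and the question section from the sniffed query and set the QR bit; a classic stub resolver compares nothing else. The Python below builds a query for www.heise.de (the name Listing 49 later uses as spoofing target), forges the answer an ID spoofer would send, and shows the check the victim applies. It sends nothing on the network; the query bytes are constructed inline. The practitioner's caveat: resolvers written after RFC 5452 also randomise the UDP source port and may validate DNSSEC, which forces an off-path attacker to guess port and ID, whereas an on-path attacker who sees the query (after the ARP spoofing of step one) still needs neither.

```python
import struct

# Added example, not from the SHiNE page or the quoted securesphere.net text:
# the packet-level mechanics of DNS ID spoofing.  A stub resolver accepts the
# first UDP reply whose transaction ID and question match its query, so an
# attacker who sees the query can answer it with the ID copied from the query
# and an address of his choice.  Nothing here touches the network.

def encode_name(name):
    """DNS wire form of a name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Return (name, offset after the name); follows compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # pointer to a name seen earlier
            if not jumped:
                end = off + 2
            off, jumped = ((ln & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_query(pkt):
    """Transaction ID, flags and the first question (qname, qtype, qclass)."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "qclass": qclass}


def forge_answer(query, ip, ttl=300):
    """The reply an ID spoofer sends: same ID, same question, QR=1 AA=1 RD=1 RA=1,
    RCODE=0, and one A record for the queried name pointing at `ip`."""
    q = parse_query(query)
    header = struct.pack("!6H", q["id"], 0x8580, 1, 1, 0, 0)
    question = encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # name = pointer to offset 12
    return header + question + answer


def resolver_accepts(query, reply):
    """The only sanity check a classic stub resolver makes: QR set, reply ID and
    question identical to the outstanding query.  Source address is not verified."""
    q, r = parse_query(query), parse_query(reply)
    return bool(r["flags"] & 0x8000 and r["id"] == q["id"]
                and (r["qname"], r["qtype"], r["qclass"]) == (q["qname"], q["qtype"], q["qclass"]))


def parse_answer_a(reply):
    """Address of the first A record in a reply, i.e. what the victim will connect to."""
    ancount = struct.unpack("!H", reply[6:8])[0]
    _, off = decode_name(reply, 12)
    off += 4                                       # skip qtype/qclass
    for _ in range(ancount):
        _, off = decode_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1:
            return ".".join(str(b) for b in reply[off:off + 4])
        off += rdlen
    return ""


# constructed query, as a victim's resolver would send it: ID 0x1a2b, RD set, "www.heise.de" A IN
QUERY = (struct.pack("!6H", 0x1A2B, 0x0100, 1, 0, 0, 0)
         + encode_name("www.heise.de") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    forged = forge_answer(QUERY, "10.0.1.4")
    print("accepted:", resolver_accepts(QUERY, forged), "->", parse_answer_a(forged))
```

The same functions show why the race matters: a reply with any other ID is dropped by `resolver_accepts`, so without seeing the query the attacker would have to send up to 65536 candidates (and, with port randomisation, many more) before the genuine answer arrives.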

Shell scripts

The setup-environment script of the DNS-Spoofing scenario is identical to Listing 42 of the DNS-Server scenario (same dnsgamers group and sudo rule for /etc/init.d/bind9, bind9 installation, generated hs-bremen.game zones and backups in /tmp/bkdsds) and is not repeated here.

Listing 47: Setup Environment (identical to Listing 42)

The cleanup-environment script is likewise identical to Listing 43 (purge bind9, delete the group, restore resolv.conf and sudoers from the backup, remove /tmp/bkdsds and /etc/bind).

Listing 48: Cleanup Environment (identical to Listing 43)

#!/bin/bash

backdir=/tmp/bkdsds

# external parameter
# USERNAME = $CAKEUSER          # Hacking game user name
# PASSWORD = $CAKEPASSWORD      # crypt(3) hash, not a clear-text password (password=test)
# dnsserver = $CAKE1            # IP address of this host
# spoofingName = $CAKE2
# spoofingIP = $CAKE3
# GROUP = $CAKE4                # default group for sudo rights configured in setup_env
USERNAME=gamer             # Hacking game user name
PASSWORD=AJhEqbz7CCzbE     # crypt(3) hash as expected by useradd -p (DES-crypt hash of "test")
GROUP=dnsgamers            # default group for sudo rights configured in setup_env

# parameter for usertask
TODO_FILE=/home/$USERNAME/todo
zone=hs-bremen.game        # zone for the task
spoofingName=heise.de      # zone to spoof
spoofingIP=10.0.1.4        # manipulated IP

if [ -z "$USERNAME" ]; then
    exit 1     # empty username = error and quit!
fi

# adduser and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$GROUP" > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# make default bind.game config from default configuration and restart nameserver
rm -rf /etc/bind > /dev/null 2>&1 || exit 1
cd / && tar xf "$backdir/bind.game.bak.tar" > /dev/null 2>&1 || exit 1
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1

# script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}
TARGET_AND_LOCATION=$TODO_FILE
mylist=(
    '# Hello User'
    '# You start with scenario dns-spoofing'
    '# You have to manipulate some records given below'
    '#'
    '# Please keep in mind: to start, stop or reload services you may need privileged rights'
    '# For security reasons you do not have the superuser password, but you are allowed to use the sudo command'
    '#'
    ' '
    'Tasklist (only DNS settings)'
)
scriptbuild
# the game server becomes authoritative for the spoofed zone, so every client using it as resolver
# gets the manipulated answers
mylist=("(1) Insert a new zone for $spoofingName and add the www and mx records pointing to $spoofingIP")
scriptbuild

# the task list is read-only for the player
chown "root:$GROUP" "$TODO_FILE" > /dev/null 2>&1 || exit 1
chmod u-w,g-w,o-w "$TODO_FILE" > /dev/null 2>&1 || exit 1

exit 0

Listing 49: Setup User

#!/bin/bash
# USERNAME = $CAKEUSER
USERNAME=gamer
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Listing 50: Cleanup User

#!/bin/bash

#external parameter

#dnsserver= $CAKE1 # server for dns checks
#spoofingName= $CAKE2 # zone to spoof
#spoofingIP= $CAKE3
score=1500
dnsserver=localhost # server for dns checks
spoofingName=heise.de # zone to spoof
spoofingIP=10.0.1.4

#check if bind is working for zone
if [ "`dig $spoofingName @$dnsserver | grep SOA`" ]; then
    echo dnsserver works for zone $spoofingName
    if [ "`dig $spoofingName | grep SOA`" ]; then
        echo dnsserver is working for localhost >/dev/null
    else
        echo dnsserver dont work for localhost >/dev/null

        let "score-=$score/10" # -10% scorepoints
    fi

else
    echo dnsserver dont work for $spoofingName >/dev/null

    score=0
    exit 3
fi

# check MX
if [ "`dig mx $spoofingName @$dnsserver | grep mail | grep MX`" ]; then
    if [ "`dig mail.$spoofingName @$dnsserver | grep $spoofingIP`" ]; then
        echo A Record for MX OK >/dev/null

    else
        echo A Record for MX not OK >/dev/null

        score=0
        exit 3
    fi
    echo mx OK >/dev/null

else
    score=0
    echo mx not OK >/dev/null
    exit 3
fi

# check www
if [ "`dig www.$spoofingName @$dnsserver | grep $spoofingIP`" ]; then
    echo www OK >/dev/null
else
    echo www not OK >/dev/null
    score=0
    exit 3
fi
exit 2

Listing 51: Evaluation

E.7.4 Domain

Wiki text. Source: DNS for Rocket Scientists [33]; Domain name, from Wikipedia, the free encyclopedia.

The term domain name has multiple related meanings:

1. A name that identifies a computer or computers on the Internet. These names appear as a component of a Web site's URL, e.g. en.wikipedia.org. This type of domain name is also called a hostname.

2. The product that domain name registrars provide to their customers. These names are often called registered domain names.

3. Names used for other purposes in the Domain Name System (DNS), for example the special name which follows the @ sign in an email address, or the Top-level domain names like .com, or the names used by the Session Initiation Protocol (VoIP), or DomainKeys.

4. They are sometimes colloquially (and incorrectly) referred to by marketers as "web addresses".

This article will primarily discuss registered domain names. See the Domain Name System article for technical discussions about general domain names and the hostname article for further information about the most common type of domain name.

Overview

The most common types of domain names are hostnames that provide more memorable names to stand in for numeric IP addresses. They allow for any service to move to a different location in the topology of the Internet (or an intranet), which would then have a different IP address.

By allowing the use of unique alphabetical addresses instead of numeric ones, domain names allow Internet users to more easily find and communicate with web sites and other server-based services. The flexibility of the domain name system allows multiple IP addresses to be assigned to a single domain name, or multiple domain names to be assigned to a single IP address. This means that one server may have multiple roles (such as hosting multiple independent Web sites), or that one role can be spread among many servers. One IP address can also be assigned to several servers, as used in anycast and hijacked IP space.

Hostnames are restricted to the ASCII letters "a" through "z" (case-insensitive), the digits "0" through "9", and the hyphen, with some other restrictions. Registrars restrict the domains to valid hostnames, since, otherwise, they would be useless. The Internationalized domain name (IDN) system has been developed to bypass the restrictions on character allowances in hostnames, making it easier for users of non-English alphabets to use the Internet. The underscore character is frequently used to ensure that a domain name is not recognized as a hostname, for example with the use of SRV records, although some older systems, such as NetBIOS did allow it. Due to confusion and other reasons, domain names with underscores in them are sometimes used where hostnames are required.

Examples

The following example illustrates the difference between a URL (Uniform Resource Locator) and a domain name:

URL: http://www.example.net/index.html
Domain name: www.example.net
Registered domain name: example.net

As a general rule, the IP address and the server name are interchangeable. For most Internet services, the server will not have any way to know which was used. However, the explosion of interest in the Web means that there are far more Web sites than servers. To accommodate this, the hypertext transfer protocol (HTTP) specifies that the client tells the server which name is being used. This way, one server with one IP address can provide different sites for different domain names. This feature goes under the name virtual hosting and is commonly used by Web hosts.

For example, as referenced in RFC 2606 (Reserved Top Level DNS Names), the server at IP address 192.0.34.166 handles all of the following sites:

• example.com

• www.example.com

• example.net

• www.example.net

• example.org

• www.example.org

When a request is made, the data corresponding to the hostname requested is served to the user.

Top-level domains

Every domain name ends in a top-level domain (TLD) name, which is always either one of a small list of generic names (three or more characters), or a two-character territory code based on ISO-3166 (there are few exceptions and new codes are integrated case by case). Top-level domains are sometimes also called first-level domains.

The generic top-level domain (gTLD) extensions are:

Generic top-level domains
Unsponsored: .biz .com .edu .gov .info .int .mil .name .net .org
Sponsored: .aero .asia .cat .coop .jobs .mobi .museum .pro .tel .travel
Infrastructure: .arpa .root
Proposed (locations): .berlin .lat .nyc
Proposed (children): .kid .kids
Proposed (linguistic): .bzh .cym .gal .sco
Proposed (technical): .geo .mail .web
Proposed (other): .post .xxx
Deleted/retired: .nato
Reserved: .example .invalid .localhost .test
Pseudo: .bitnet .csnet .ip .local .onion .exit .uucp
Unofficial: alternative DNS roots

Country code top-level domains

The country code top-level domain (ccTLD) extensions are:

Active: .ac .ad .ae .af .ag .ai .al .am .an .ao .aq .ar .as .at .au .aw .ax .az .ba .bb .bd .be .bf .bg .bh .bi .bj .bm .bn .bo .br .bs .bt .bw .by .bz .ca .cc .cd .cf .cg .ch .ci .ck .cl .cm .cn .co .cr .cu .cv .cx .cy .cz .de .dj .dk .dm .do .dz .ec .ee .eg .er .es .et .eu .fi .fj .fk .fm .fo .fr .ga .gd .ge .gf .gg .gh .gi .gl .gm .gn .gp .gq .gr .gs .gt .gu .gw .gy .hk .hm .hn .hr .ht .hu .id .ie .il .im .in .io .iq .ir .is .it .je .jm .jo .jp .ke .kg .kh .ki .km .kn .kp .kr .kw .ky .kz .la .lb .lc .li .lk .lr .ls .lt .lu .lv .ly .ma .mc .md .me .mg .mh .mk .ml .mm .mn .mo .mp .mq .mr .ms .mt .mu .mv .mw .mx .my .mz .na .nc .ne .nf .ng .ni .nl .no .np .nr .nu .nz .om .pa .pe .pf .pg .ph .pk .pl .pn .pr .ps .pt .pw .py .qa .re .ro .rs .ru .rw .sa .sb .sc .sd .se .sg .sh .si .sk .sl .sm .sn .sr .st .sv .sy .sz .tc .td .tf .tg .th .tj .tk .tl .tm .tn .to .tr .tt .tv .tw .tz .ua .ug .uk .us .uy .uz .va .vc .ve .vg .vi .vn .vu .wf .ws .ye .za .zm .zw
Cyrillic: .
Reserved/unassigned: .bl .eh .mf
Allocated/unused: .bv .gb .pm .sj .so .um .yt
Phaseout: .su .tp .yu
Deleted/retired: .cs .zr

Other-level domains

In addition to the top-level domains, there are second-level domain (SLD) names. These are the names directly to the left of .com, .net, and the other top-level domains. As an example, in the domain en.wikipedia.org, "wikipedia" is the second-level domain. On the next level are third-level domains. These domains are immediately to the left of a second-level domain. In the en.wikipedia.org example, "en" is a third-level domain. There can be fourth and fifth level domains and so on, with virtually no limitation. An example of a working domain with five levels is www.sos.state.oh.us. Each level is separated by a dot or period symbol between them. Domains of third or higher level are also known as subdomains, though this term technically applies to a domain of any level, since even a top-level domain is a "subdomain" of the "root" domain (a "zeroth-level" domain that is designated by a dot alone). Traditionally, the second level domain has been chosen based on the name of a company (i.e. microsoft.com). The third level was commonly used to designate a particular host server. Therefore, ftp.wikipedia.org might be an FTP server, www.wikipedia.org would be a World Wide Web Server, and mail.wikipedia.org could be an email server.

Modern technology now allows multiple servers to serve a single subdomain, or multiple protocols or domains to be served by a single computer. Therefore, subdomains may or may not have any real purpose.

Official assignment

ICANN (Internet Corporation for Assigned Names and Numbers) has overall responsibility for managing the DNS. It controls the root domain, delegating control over each top-level domain to a domain name registry. For ccTLDs, the domain registry is typically controlled by the government of that country. ICANN has a consultation role in these domain registries but is in no position to regulate the terms and conditions of how a domain name is allocated or who allocates it in each of these country level domain registries. On the other hand, generic top-level domains (gTLDs) are governed directly under ICANN which means all terms and conditions are defined by ICANN with the cooperation of the gTLD registries.

Domain names which are theoretically leased can be considered in the same way as real estate, due to a significant impact on online brand building, advertising, search engine optimization, etc.

A few companies have offered low-cost, below-cost or even free domain registrations, with a variety of models adopted to recoup the costs to the provider. These usually require that domains are hosted on their site in a framework or portal, with advertising wrapped around the user’s content, revenue from which allows the provider to recoup the costs. When the DNS was new, domain registrations were free. A domain owner can generally give away or sell infinite subdomains of their domain, e.g. the owner of example.edu could provide domains that are subdomains, such as foo.example.edu and foo.bar.example.edu.

Uses and abuses

As domain names became attractive to marketers, rather than just the technical audience for which they were originally intended, they began to be used in manners that in many cases did not fit in their intended structure. As originally planned, the structure of domain names followed a strict hierarchy in which the top level domain indicated the type of organization (commercial, governmental, etc.), and addresses would be nested down to third, fourth, or further levels to express complex structures, where, for instance, branches, departments, and subsidiaries of a parent organization would have addresses which were subdomains of the parent domain. Also, hostnames were intended to correspond to actual physical machines on the network, generally with only one name per machine.

However, once the World Wide Web became popular, site operators frequently wished to have memorable addresses, regardless of whether they fit properly in the structure; thus, since the .com domain was the most popular and memorable, even noncommercial sites would often get addresses under it, and sites of all sorts wished to have second-level domain registrations even if they were parts of a larger entity where a logical subdomain would have made sense (e.g., abcnews.com instead of news.abc.com). A Web site found at http://www.example.org/ will often be advertised without the ”http://”, and in most cases can be reached by just entering ”example.org” into a Web browser. In the case of a .com, the Web site can sometimes be reached by just entering ”example” (depending on browser versions and configuration settings, which vary in how they interpret incomplete addresses).

The popularity of domain names also led to uses which were regarded as abusive by established companies with rights; this was known as cybersquatting, in which somebody took a name that resembled a trademark in order to profit from traffic to that address. To combat this, various laws and policies were enacted to allow abusive registrations to be forcibly transferred, but these were sometimes themselves abused by overzealous companies committing reverse domain hijacking against domain users who had legitimate grounds to hold their names, such as their being generic words as well as trademarks in a particular context, or their use in the context of fan or protest sites with free speech rights of their own.

Laws that specifically address domain name conflicts include the Anticybersquatting Consumer Protection Act in the United States and the Trademarks Act, 1999, in India. Alternatively, domain registrants are bound by contract under the UDRP to comply with mandatory arbitration proceedings should someone challenge their ownership of the domain name.

Generic domain names problems arising out of unregulated name selection

Within a particular top-level domain, parties are generally free to select an unallocated domain name as their own on a first come, first served basis, resulting in Harris’s lament, all the good ones are taken. For generic or commonly used names, this may sometimes lead to the use of a domain name which is inaccurate or misleading. This problem can be seen with regard to the ownership or control of domain names for a generic product or service.

By way of illustration, there has been tremendous growth in the number and size of literary festivals around the world in recent years. In this context, currently a generic domain name such as literary.org is available to the first literary festival organisation which is able to obtain registration, even if the festival in question is very young or obscure. Some critics would argue that there is greater amenity in reserving such domain names for the use of, for example, a regional or umbrella grouping of festivals. Related issues may also arise in relation to non-commercial domain names.

Shell script

#!/bin/bash

#external parameter
# USERNAME = $CAKEUSER # Hacking game user name
# PASSWORD = $CAKEPASS # must be md5 encrypted
# DOMAIN = $CAKE1 # Domain to check

USERNAME=tester # Hacking game user name
PASSWORD=lxSigVD0RJEAM # must be md5 encrypted
domain=hs-bremen.de # Domain to check


if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi
#just for the style
if [ "${#domain}" -gt 8 ]; then
    tabulator="\t\t"
    if [ "${#domain}" -gt 15 ]; then
        tabulator="\t"
    fi
fi

#internal parameter
BACKGROUND_SCRIPT=/tmp/$USERNAME/background_script
TODO_FILE=/home/$USERNAME/todo

# functions
#script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo $i >> $TARGET_AND_LOCATION || exit 1
    done
}

#chmodder needs $mylist and $newrights
chmodder ()
{
    for i in "${mylist[@]}"; do
        chmod $newrights $i > /dev/null 2>&1 || exit 1
    done
}

#dirmaker needs $mylist
dirmaker ()
{
    for i in "${mylist[@]}"; do
        mkdir -p $i > /dev/null 2>&1 || exit 1
    done
}

#function to make random queries, needs $mylist $record
randomquery()
{
    random_number=$RANDOM
    let "random_number %=${#mylist[@]}"
    # start with an empty list for every record, otherwise the fields chosen
    # for the previous record would be reused
    declare -a checklist=()
    # loop bound reconstructed (the source listing is cut after "a"): the
    # while loop below fills checklist with random_number+1 distinct fields
    for ((a=0; a<=random_number; a++))
    do
        while [ "${#checklist[@]}" -le "$random_number" ]
        do
            check=0
            length=${#checklist[@]}
            random_field=$RANDOM
            let "random_field %= ${#mylist[@]}"
            for ((x=0; x<=length ; x++))
            do
                if [ "${checklist[x]}" == "${mylist[$random_field]}" ]; then
                    check=1
                fi
            done
            if [ "$check" -eq 0 ]; then
                checklist=( ${checklist[@]} ${mylist[$random_field]})
            fi
        done
        #append todo file
        if [ "${#record}" -lt 7 ]; then
            tabulator2="\t\t"
        else
            tabulator2="\t"
        fi
        if [ "${#checklist[$a]}" -lt 7 ]; then
            tabulator3="\t\t"
        else
            tabulator3="\t"
        fi
        echo -e "$domain$tabulator $record$tabulator2 ${checklist[$a]} $tabulator3"'??????' >> $TODO_FILE || exit 1
    done
}

##end functions

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/ > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bashrc /home/$USERNAME/ > /dev/null 2>&1 || exit 1

#add needed dirs
mylist=(/tmp/$USERNAME)
dirmaker

#make the todo file
TARGET_AND_LOCATION=$TODO_FILE
mylist=('# Hello User' '# You start with scenario domain' '# This scenario should show you, which records are stored by a registrar.' '# The records you have to find out are given in the table below.' "# For your challenge you're allowed to use tools like 'whois'." '# For more informations about these tools use the man command like "man whois"' ' #' '# 1) start the commadline' "# 2) find your tool for whois query's" '# 3) start the query for the given domain' '# 4) find out the records given in the table below' '# 5) replace ????? with your answer ' '# 6) save the document' '# 7) wait for a response' '#' "# Please don't change anything else in this document" '#' '#')
scriptbuild

#append the random questions
echo -e "Domain $tabulator Record\t\t Field\t\t Entry" >> $TODO_FILE || exit 1

#Functionality only for .com .net .org .edu .de .us
case ${domain#[(a-zA-Z0-9)|(_)|(-)]*.} in
de)
    #Lists for DE Domains
    recordlist=( Admin-C Tech-C Zone-C )
    nameserver=Nserver
    #nameserver is always a query
    echo -e "$domain$tabulator $nameserver\t $nameserver\t ??????" >> $TODO_FILE || exit 1
    #function to make random queries, needs $mylist $record
    for i in ${recordlist[@]}
    do
        record=$i
        case $i in
        ${recordlist[0]})
            mylist=( Type Name Address Pcode City Country Changed )
            randomquery
            ;;
        ${recordlist[1]})
            mylist=( Type Name Address Pcode City Country Phone Fax Email Changed )
            randomquery
            ;;
        ${recordlist[2]})
            mylist=( Type Name Address Pcode City Country Phone Fax Email Changed )
            randomquery
            ;;
        esac
    done
    ;;
com )
    #Lists for Com Domains
    recordlist=( Registrant Administrative Technical )
    nameserver=Nameserver
    #nameserver is always a query
    echo -e "$domain$tabulator $nameserver\t $nameserver\t\t ??????" >> $TODO_FILE || exit 1
    #function to make random queries, needs $mylist $record
    for i in ${recordlist[@]}
    do
        record=$i
        #List is always the same by .com
        mylist=( Name Organisation Address City State Country Postal Phone Fax Email Registration Updated )
        randomquery
    done
    ;;
net )
    #Lists for net Domains
    recordlist=( Registrant Administrative Technical )
    nameserver=Nameserver
    #nameserver is always a query
    echo -e "$domain$tabulator $nameserver\t $nameserver\t\t ??????" >> $TODO_FILE || exit 1
    #function to make random queries, needs $mylist $record
    for i in ${recordlist[@]}
    do
        record=$i
        #List is always the same by .net
        mylist=( Name Organisation Address City State Country Postal Phone Fax Email Registration Updated )
        randomquery
    done
    ;;

org )
    #Lists for org Domains
    recordlist=( Registrant Admin Tech )
    nameserver=Name
    #nameserver is always a query
    echo -e "$domain$tabulator Name\t\t Server\t\t??????" >> $TODO_FILE || exit 1
    #function to make random queries, needs $mylist $record
    for i in ${recordlist[@]}
    do
        record=$i
        #List is always the same by .org
        mylist=( Name Organisation Street City State Country Postal Phone FAX Email)
        randomquery
    done
    ;;
edu )
    #Lists for edu Domains
    recordlist=( Registrant Administrative Technical )
    nameserver=Name
    #nameserver is always a query
    echo -e "$domain$tabulator $nameserver\t\t Servers\t?????? " >> $TODO_FILE || exit 1
    #function to make random queries, needs $mylist $record
    for i in ${recordlist[@]}
    do
        record=$i
        case $i in
        ${recordlist[0]})
            mylist=( Name Address City Country )
            randomquery
            ;;
        ${recordlist[1]})
            mylist=( Name Address City Country Tel Email )
            randomquery
            ;;
        ${recordlist[2]})
            mylist=( Name Address City Country Tel Email )
            randomquery
            ;;
        esac
    done
    ;;
us)
    #Lists for us Domains
    recordlist=( Registrant Administrative Billing Technical )
    #nameserver isn't given but Domain ID is a special field
    nameserver=Domain
    #nameserver is always a query
    echo -e "$domain$tabulator $nameserver\t\t ID\t\t??????" >> $TODO_FILE || exit 1
    #function to make random queries, needs $mylist $record
    for i in ${recordlist[@]}
    do
        record=$i
        #List is always the same in us
        mylist=( Name Address City State Postal Country Phone Email )
        randomquery
    done
    ;;
esac


#make Background_script

TARGET_AND_LOCATION=$BACKGROUND_SCRIPT
mylist=('#!/bin/bash' "todo=$TODO_FILE" 'lastAccess=`stat $todo -c%x`' 'lastMod=`stat $todo -c%y`' 'checker()' '{' 'if [ "$check" == "" ]; then' 'echo "your task isnt finished"' 'let "verifier++"' 'echo " Problem at ${domainlist[$a]} ${recordlist[$a]} ${fieldlist[$a]} ${entrylist[$a]}"' 'fi' '}' 'while [ "`stat $todo -c%x`" == "$lastAccess" ]' 'do' 'sleep 10' 'echo "You have to read $todo"' 'done' 'while [ checker=1 ]' 'do' 'while [ "`stat $todo -c%y`" == "$lastMod" ]' 'do' 'sleep 10' 'done' 'echo "we check your work"' 'lastMod=`stat $todo -c%y`' 'declare -a domainlist' 'declare -a recordlist' 'declare -a fieldlist' 'declare -a stringlist')
scriptbuild
#something difficult to insert
#the awk field reference stays inside the single quotes so that $1..$4 are
#written literally into the background script instead of being expanded here
echo 'domainlist=(`grep -v "#" $todo | sed '\''s/[\\t \\ ]\\\{1,\\\}/:/g'\'' | awk -F: '\''{print $1}'\''`)' >> $TARGET_AND_LOCATION
echo 'recordlist=(`grep -v "#" $todo | sed '\''s/[\\t \\ ]\\\{1,\\\}/:/g'\'' | awk -F: '\''{print $2}'\''`)' >> $TARGET_AND_LOCATION
echo 'fieldlist=(`grep -v "#" $todo | sed '\''s/[\\t \\ ]\\\{1,\\\}/:/g'\''| awk -F: '\''{print $3}'\''`)' >> $TARGET_AND_LOCATION
echo 'entrylist=(`grep -v "#" $todo | sed '\''s/[\\t \\ ]\\\{1,\\\}/:/g'\''| awk -F: '\''{print $4}'\''`)' >> $TARGET_AND_LOCATION
#the remainder of this array (the loop that calls whois and checker, see
#Listing 54) is cut off in the source listing after "a"
mylist=('entry=${#domainlist[@]}' 'verifier=0' 'for ((a=1; a
scriptbuild


#change dir and file permissions
chown -R $USERNAME:$USERNAME /home/$USERNAME/ > /dev/null 2>&1 || exit 1
chown $USERNAME:$USERNAME $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1
chmod u+x $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1
#modify user .bashrc
echo "$BACKGROUND_SCRIPT &" >> /home/$USERNAME/.bashrc || exit 1
exit 0

Listing 52: Setup

#!/bin/bash
# USERNAME = $CAKEUSER
USERNAME=tester
rm -r /tmp/$USERNAME > /dev/null 2>&1 || exit 1
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Listing 53: Cleanup

#!/bin/bash
# user = $CAKEUSER #username
user=tester
todo=/home/$user/todo
checker ()
{
    if [ "$check" == "" ]; then
        echo "your task isnt finished"
        let "verifier++"
        #echo "Problem at ${domainlist[$a]} ${recordlist[$a]} ${fieldlist[$a]} ${entrylist[$a]}"
    fi
}
declare -a domainlist
declare -a recordlist
declare -a fieldlist
declare -a stringlist
domainlist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g'| awk -F: '{ print $1}'`) || exit 1
recordlist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g'| awk -F: '{ print $2}'`) || exit 1
fieldlist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g'| awk -F: '{print $3}'`) || exit 1
entrylist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g'| awk -F: '{print $4}'`) || exit 1
entry=${#domainlist[@]}
verifier=0
# loop bound reconstructed (the source listing is cut after "a"): index 0
# holds the "Domain Record Field Entry" header row, the task rows start at 1
for ((a=1; a<entry; a++))
do
    domain=${domainlist[$a]}
    case ${domain#[(a-zA-Z0-9)|(_)|(-)]*.} in
    de) check=`whois ${domainlist[$a]} | grep -i -A 15 ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
        checker
        ;;
    us) check=`whois ${domainlist[$a]} | grep -i ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
        checker
        ;;
    org) check=`whois ${domainlist[$a]} | grep -i ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
        checker
        ;;
    edu) check=`whois ${domainlist[$a]} | grep -i -A 15 ${recordlist[$a]} | grep -i ${entrylist[$a]}`
        checker
        ;;
    net) check=`whois ${domainlist[$a]} | grep -i -A 16 ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
        checker
        ;;
    com) check=`whois ${domainlist[$a]} | grep -i -A 16 ${recordlist[$a]} | grep -i "${fieldlist[$a]}" | grep -i ${entrylist[$a]}`
        checker
        ;;
    esac
done
if [ "$verifier" -eq 0 ]; then
    # echo "finished"
    exit 2
else
    # echo "not finished"
    exit 3
fi
exit 1

Listing 54: Evaluation
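An added example, not code from the SHiNE project, that serves both the hostname rules in the Domain section above and the todo-file evaluation of Listings 52 and 54: it parses a constructed todo file in the layout Listing 52 writes, checks every domain against the hostname character rules before a name would be handed to whois (the todo file is writable by the game user), extracts the TLD for names with any number of levels, and counts the rows still unanswered. The file name, its contents and all function names are assumptions made here.

```bash
#!/bin/bash
# Added example (not part of the SHiNE scripts). Parses a todo file of the
# layout Listing 52 writes, validates the domain column and counts open rows.

tab=$(printf '\t')

# trim STRING: strip leading and trailing spaces (Listing 52 pads every
# field with a space after the tab).
trim() {
    v=$1
    v=${v#"${v%%[! ]*}"}
    v=${v%"${v##*[! ]}"}
    printf '%s\n' "$v"
}

# valid_hostname NAME: exit 0 only for names built from letters, digits and
# hyphens, dot-separated, with at least two labels and no hyphen at a label
# edge; underscores are rejected, as the Domain section explains.
valid_hostname() {
    case $1 in
        ''|*[!a-zA-Z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# tld NAME: top-level label. Listings 52 and 54 strip only the first label
# with ${domain#...*.}, which yields "hs-bremen.de" for www.hs-bremen.de;
# ##*. removes everything up to the last dot whatever the number of levels.
tld() { printf '%s\n' "${1##*.}"; }

# sld NAME: the registered (second-level) domain, i.e. the last two labels.
sld() {
    rest=${1%.*}
    printf '%s.%s\n' "${rest##*.}" "${1##*.}"
}

# count_open FILE: number of task rows whose entry still reads ??????.
# Comment lines and the "Domain Record Field Entry" header are skipped, as
# Listing 54 does with grep -v "#" and a loop starting at index 1. Fields are
# split on tabs, so a multi-word answer survives (Listing 54 collapses all
# whitespace and would split "Hochschule Bremen" into two columns). A row
# whose domain fails valid_hostname counts as open and is reported, so an
# edited name never reaches whois.
count_open() {
    open=0
    while IFS=$tab read -r domain record field entry; do
        domain=$(trim "$domain")
        entry=$(trim "$entry")
        case $domain in ''|'#'*|Domain) continue ;; esac
        if ! valid_hostname "$domain"; then
            printf 'invalid domain in todo file: %s\n' "$domain" >&2
            open=$((open + 1))
            continue
        fi
        case $entry in *'??????'*) open=$((open + 1)) ;; esac
    done < "$1"
    printf '%s\n' "$open"
}

# evaluate FILE: exit status 2 when every row is answered, 3 otherwise,
# the same codes the SHiNE evaluation scripts return.
evaluate() {
    if [ "$(count_open "$1")" -eq 0 ]; then return 2; else return 3; fi
}

# constructed sample todo file in the layout Listing 52 produces
TODO_FILE=$(mktemp)
trap 'rm -f "$TODO_FILE"' EXIT
{
    printf '# Hello User\n# You start with scenario domain\n'
    printf 'Domain \t\t Record\t\t Field\t\t Entry\n'
    printf 'hs-bremen.de\t\t Nserver\t Nserver\t ns.hs-bremen.de\n'
    printf 'hs-bremen.de\t\t Admin-C\t\t Name\t\t Hochschule Bremen\n'
    printf 'hs-bremen.de\t\t Tech-C\t\t City\t\t ??????\n'
    printf 'bad_host.de\t\t Zone-C\t\t Email\t\t someone@example.invalid\n'
} > "$TODO_FILE"

printf 'open tasks: %s\n' "$(count_open "$TODO_FILE")"   # prints 2
```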


References

[1] Honeywalldetection. http://www.xsec.org/download/tools/other/Honeywalldetection.pdf. [Online; accessed 25 March 2008].

[2] Cacti forum. How to change date of .rrd databases? http://forums.cacti.net/viewtopic.php?p=122560#122560.

[3] Wikipedia. A* search algorithm — Wikipedia, the free encyclopedia, 2008. [Online; accessed 27 March 2008].

[4] Wikipedia. Demilitarized zone (computing) — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Demilitarizedzone%28computing%29&oldid=200047584, 2008. [Online; accessed 22 March 2008].

[5] Thomas Lange. FAI - fully automatic installation. http://www.informatik.uni-koeln.de/fai/, 2008. [Online; accessed 22 March 2008].

[6] Adam Lackorzynski. minicom. http://alioth.debian.org/projects/minicom/, 2008. [Online; accessed 22 March 2008].

[7] Wikipedia. Address Resolution Protocol — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Address_Resolution_Protocol&oldid=198969149, 2008. [Online; accessed 20 March 2008].

[8] Wikipedia. ARP spoofing — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=ARP_spoofing&oldid=199299855, 2008. [Online; accessed 20 March 2008].

[9] Wikipedia. MAC address — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=MAC_address&oldid=199537494, 2008. [Online; accessed 20 March 2008].

[10] Wikipedia. Telnet — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=TELNET&oldid=198987462, 2008. [Online; accessed 20 March 2008].

[11] Wikipedia. Man-in-the-middle attack — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Man-in-the-middle_attack&oldid=197708855, 2008. [Online; accessed 20 March 2008].

[12] Ettercap. ettercap.sourceforge.net. http://ettercap.sourceforge.net/index.php, 2008.

[13] Wikipedia. Session hijacking — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Session_hijacking&oldid=199335845, 2008. [Online; accessed 20 March 2008].

[14] Wikipedia. Transport Layer Security — Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Transport_Layer_Security, 2008. [Online; accessed 23 March 2008].

[15] Wikipedia. John the Ripper — Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/John_the_Ripper, 2008. [Online; accessed 23 March 2008].

[16] Manual page of john, 2004.

[17] Wikipedia. Cron — Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Cron, 2008. [Online; accessed 23 March 2008].

[18] Manual page of cron, 1996.

[19] Wikipedia. Hydra (software) — Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/hydra, 2007. [Online; accessed 23 March 2008].

[20] README file of hydra, 2006.

[21] hping. http://www.hping.org. [Online; accessed 25 March 2008].

[22] Cacti, the complete RRDtool-based graphing solution. What is Cacti? http://www.cacti.net/what_is_cacti.php.

[23] Cacti documentation and howtos. Basic principles. http://docs.cacti.net/node/126.

[24] Wikipedia. Cacti (software) — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Cacti_%28software%29&oldid=189832698, 2008. [Online; accessed 25 March 2008].

[25] Cacti. Features. http://www.cacti.net/features.php. [Online; accessed 25 March 2008].

[26] Wikipedia. RRDtool — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=RRDtool&oldid=200117989, 2008. [Online; accessed 25 March 2008].

[27] Wikipedia. RRDtool — Wikipedia, the free encyclopedia (German edition). http://de.wikipedia.org/w/index.php?title=RRDtool&oldid=38949757, 2007. [Online; accessed 25 March 2008].

[28] Tobias Oetiker. About RRDtool. http://oss.oetiker.ch/rrdtool/.

[29] Wikipedia. Simple Network Management Protocol — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Simple_Network_Management_Protocol&oldid=198224042, 2008. [Online; accessed 25 March 2008].

[30] zytrax. DNS for Rocket Scientists. http://www.zytrax.com/books/dns, 2008. [Online; accessed 22 March 2008].

[31] section6. Using DNS with BIND. http://www.section6.net/wiki/index.php/Using_DNS_with_BIND, 2008. [Online; accessed 22 March 2008].

[32] securesphere.net. DNS spoofing. http://www.securesphere.net/download/papers/dnsspoof.htm, 2008. [Online; accessed 22 March 2008].

[33] Wikipedia. Domain name — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Domainname&oldid=200267119, 2008. [Online; accessed 22 March 2008].
