Documentation of SHiNE
bachelorproject ws 07/08
March 31, 2008
Abstract
SHiNE (Security and Hacking in Network Environments) is a students' Bachelor project based on the Master project NetS-X. The goal of the project is the implementation of a learning environment that leads the user through network-specific problems and security tasks.
Contents
1 Objectives [ar, rb] 7
2 Competitor analysis [dl, pm] 7
2.1 Overview ...... 7
2.2 Applied security laboratory ...... 8
2.3 Tele-Lab IT-Security ...... 8
2.4 Cyber Ciege ...... 8
3 2D-Game 8
3.1 Description of 2D Game[cs] ...... 8
3.2 Overall story [fe, af, sg] ...... 9
3.3 Sequence chart[fe, af, sg] ...... 10
3.4 Integration items/characters in overall story [sg, fe, af] ...... 11
3.5 In-Game assistance [sg, fe, af] ...... 13
3.6 Behavior NPCs (Implementation XML)[sg, fe, af] ...... 13
3.7 Realisation Flash-Client[cs, ju] ...... 14
3.7.1 Implementation ...... 15
3.7.2 State Machine ...... 16
3.7.3 Gameobjects(NPCs, items, trigger areas) ...... 18
3.7.4 Tile editor ...... 19
3.7.5 Waypoint editor [dl] ...... 20
4 Description of Game Topology [ts] 22
5 Scenarios 23
5.1 Basic scenarios [jp] ...... 23
5.1.1 Console ...... 23
5.1.2 Vi ...... 25
5.2 Man-in-the-middle scenarios ...... 26
5.2.1 ARP-Spoofing [rb] ...... 26
5.2.2 Hijacking[rb] ...... 29
5.2.3 SSL-Cracking [aoe] ...... 31
5.3 Password Hacking [ts] ...... 32
5.3.1 John the Ripper ...... 32
5.3.2 Cron John ...... 33
5.3.3 Hydra ...... 34
5.4 Honeyd [pm] ...... 35
5.4.1 honeypot detection ...... 35
5.5 Monitoring Tools [cg] ...... 37
5.5.1 Cacti ...... 37
5.6 IDS scenarios [jl] ...... 39
5.6.1 Run snort ...... 39
5.6.2 Create snort rule ...... 40
5.7 DNS [mt] ...... 42
5.7.1 DNS Basics ...... 42
5.7.2 DNS Server manipulation ...... 43
5.7.3 DNS-Spoofing ...... 44
5.7.4 Domain ...... 46
5.8 Learning scenarios [ts] ...... 47
5.8.1 LDAP ...... 47
5.8.2 RADIUS ...... 47
6 Overall System Conventions and Design [ar, dg, sd, tr] 48
6.1 Conventions ...... 48
6.1.1 Overall Systemconcept [ar, sd, tr] ...... 48
6.1.2 Overall Designconcept [ar, dg, sd, tr] ...... 49
6.1.3 Namefinding [ar] ...... 52
6.1.4 Styleguide [dg] ...... 52
6.1.5 Rights [tr] ...... 58
6.2 Webinterface [ar, dg, sd, tr] ...... 60
6.2.1 Login / Registration [dg] ...... 61
6.2.2 PDA-Screens [ar, sd] ...... 61
6.2.3 Administration Screen [master] ...... 63
6.3 2D Gamedesign ...... 64
6.3.1 The Flashgame Graphics [tr, ar] ...... 64
6.3.2 The Characters [dg, mf] ...... 64
6.4 Implementation MVCs in CakePHP [sd] ...... 65
7 Overall Gameplay-Improvements [af, sg, tr] 66
7.1 Enhancements in Communications ...... 66
7.2 Improvements to the game itself ...... 66
7.3 Missions ...... 67
7.4 Graphics ...... 67
7.5 Real world and 2D-Game relationship ...... 68
7.6 Content creation for the 2D-Game ...... 68
A Capability planning[fe] 68
A.1 Personnel planning ...... 68
A.2 Time management with Gantt-Diagram ...... 69
B External presentation 71
B.1 Flyer, poster, handouts [dg, cs] ...... 71
B.2 Website [rb, ar] ...... 73
C 2D-Game 74
C.1 Script[fe, af, sg] ...... 74
C.2 Realisation Flash-Client[cs, ju] ...... 80
C.2.1 Game server interface [cs, ju] ...... 80
C.2.2 The tile map [cs, ju] ...... 83
C.2.3 Scene management and animations [cs] ...... 85
C.2.4 Pathfinding [cs, ju] ...... 86
C.2.5 Class diagram [cs, ju] ...... 89
D Game topology 90
D.1 Manual Net Topology installation [jl, mt, aoe] ...... 90
D.1.1 Activate Topology at the PC's ...... 90
D.1.2 Setting up the Network devices ...... 91
D.2 Manual Game server installation [sd] ...... 91
D.2.1 Linux installation ...... 91
D.2.2 Windows installation ...... 92
E Scenarios 93
E.1 Basic scenarios [jp] ...... 93
E.1.1 Console ...... 93
E.1.2 Vi ...... 97
E.2 Man-in-the-middle scenarios ...... 102
E.2.1 ARP-Spoofing [rb] ...... 102
E.2.2 Hijacking [rb] ...... 114
E.2.3 SSL-Cracking [aoe] ...... 125
E.3 Password Hacking [ts] ...... 132
E.3.1 John the Ripper ...... 132
E.3.2 Cron John ...... 138
E.3.3 Hydra ...... 144
E.4 Honeyd [pm] ...... 147
E.5 Monitoring Tools [cg] ...... 152
E.5.1 Cacti ...... 152
E.5.2 Ntop ...... 161
E.6 IDS scenarios [jl] ...... 162
E.6.1 Run snort ...... 162
E.6.2 Snort rule ...... 165
E.7 DNS [mt] ...... 165
E.7.1 DNS Basics ...... 165
E.7.2 DNS Server manipulation ...... 174
E.7.3 DNS-Spoofing ...... 191
E.7.4 Domain ...... 203
1 Objectives [ar, rb]
The objective of the SHiNE project is to fill the base system of the NetS-X project with scenarios, a game story and a playable game, as well as a consistent design. Following the NetS-X project, the primary objectives of the implemented system are:
• development of an innovative learning environment in the form of an interactive game incorporating an already existing real world network infrastructure.
• conveyance of both theoretical knowledge and practical skills about information and network security issues.
• teaching aspects of ethical hacking for the purpose of increasing security in computer networks.
• creating a fun atmosphere and competition between teams situated in remote locations using a game topology of similar design.
Furthermore the learning environment is split into three parts, which were finally implemented by the Masters group and on which SHiNE was set up. The first one is the game, which is the starting place for every player. There the player receives orders that he has to complete in a real network environment. This is the main difference between a network game in the common sense and our network learning environment: we do not just let the player play a hacking or security game, we let him design and test a real network implementation. This network environment is the second base of SHiNE. It leans on a normal business environment with different network zones, a DMZ, two firewalls and everything else located in a network topology. And again, this topology is a real topology: the player has to interact with real Linux servers and Cisco routers as hardware components and with services like LDAP, RADIUS, Apache, BIND, Cacti, Snort, Kerberos and many more. Furthermore the player has to use tools for network and security testing. The third base of SHiNE is a wiki with information about the tools, services and hardware, and some guides on how to use these tools. This part is not just a passive part; the wiki is interactive. Players can add articles, for example if they have found another way to test a given problem.
2 Competitor analysis [dl, pm]
2.1 Overview
We tried to take a look at a wide spectrum of network and ”hacking” projects and decided to focus on one game and two other projects. As a conclusion we can say that SHiNE is a modern technique to teach network security. It is a kind of edutainment, that is, a mixture of education and entertainment, and it belongs to the genre of serious gaming. The complete presentation can be found as a PDF file here: https://www.netzlabor.hs-bremen.de/wiki/index.php/Recherche zu %C3%A4hnlichen %22Hacker-Spielen%22
2.2 Applied security laboratory
This is a university project in which students work in groups of two. They have to plan and realize a complete network system. At the end of the semester, some professionals from industry visit the university and tell the students what their daily work looks like.
2.3 Tele-Lab IT-Security
Tele-Lab teaches users different aspects of IT security on the basis of exercises in line with standard usage. The user can complete all exercises in a realistic environment without endangering his own or other computers. During the training Tele-Lab IT-Security gives the user advice. Before the user begins with the practical exercises, he receives basic information about the respective topic and the most important tools.
2.4 Cyber Ciege
This is an innovative game/tool for teaching network environments and network security. It was made especially for training and education in the US government and military; meanwhile it is also used as a training tool in universities. The project was sponsored by the US Navy and other educational institutions. One team of the developers comes from ”Rivermind”, the developer of ”Medal of Honor”. The player has a 3D view like in ”The Sims” and has to buy and install a network environment. He also has to manage colleagues and keep them satisfied by keeping the network connection alive.
3 2D-Game
3.1 Description of 2D Game [cs]
The 2D game is the first screen a SHiNE player will see. By using the mouse the player can walk around and is able to talk with non-player characters (NPCs). He may also pick up items and use them. It is an interactive game world that simulates an office with co-workers, bosses and other typical staff. The idea is to guide the player through a network company and provide the opportunity to gain the knowledge that is necessary for real tasks. With several pieces of in-game information and links to the game wiki he gains skills, and, escorted by the story line, NPCs give him tasks to solve. These problems or scenarios are not part of the 2D game and are played with real tools in a real network environment. A special monitoring mechanism observes the actions of the player in the network, and if he fulfills a required task the game is informed. Back in the virtual 2D office he is rewarded with score, the story line goes on and new tasks become accessible.
3.2 Overall story [fe, af, sg]
An overall story is a precondition for a good learning achievement in a learning game, but a badly structured story can also demotivate the player, e.g. if the player gets his missions in the story with the tasks and has to accomplish them one by one without any other information or action. The player has to be led through a suitable storyline, which motivates him to complete the upcoming tasks in order to go on.
To create a good story you need to determine some preconditions. To declare these preconditions we had to brainstorm.
It was predetermined that the game must be played in a company that is concerned with some kind of network security, be it a department or the whole company that deals with this subject. After defining the preconditions we created a coarse story environment. We had the idea to play within an intelligence service like the BND in Germany or the CIA in the USA. The leading thought behind that was that the tutors could easily implement aggressive or defensive scenarios in the game and the storyline. But after a consultation with the whole project group we discarded that idea for political reasons and replaced it with an ordinary network security company.
Because of the current discussion about data privacy and the observation of citizens by means of computer surveillance with a Trojan, we had the idea that this might already be true.
The state is collecting massive amounts of data and perishes under it. To deal with this amount of data it ordered this network security company to handle it. Because of the additional work the company had to employ more clerks and trainees. The player plays the part of a trainee. Subsequently the player realizes after a short amount of time that his supervisors have fraudulent intents. This offers a wide range for aggressive scenarios and perhaps a moral conflict with the law. Later in the game the player could get in contact with the hacker scene, which is operating against the methods of the network security company. This offers a wide range of aggressive and defensive scenarios and maybe an interesting and motivating turn for the player.
For more detailed stories on several scenarios please refer to the script in appendix C.1.
3.3 Sequence chart [fe, af, sg]
The sequence chart is an overview of the several chapters of the story. A chapter consists of obtaining the skill and completing the scenario. To be able to create a continuous story, it was first necessary to know in which order the skills are obtained and the scenarios are played. To realize this we needed an exchange of information with the whole scenario group to get their conceptions, and with a part of the master group to get their file reports. We discussed the complexity of the scenarios and the relation between every single scenario to find an order of all given scenarios. The player can’t play a scenario until he has unlocked the preconditioned skills. Basically the order of the chapters and the split-up into traces are completely based on the preconditions of the scenarios.
The result of this discussion was the sequence chart. Its description is very simple. Every box represents a story part. The markers (-), (*) and (-) describe whether the story part is a scenario (-), a learning scenario (*) and/or a skill (-). The arrows between the boxes describe the relationship between the boxes. The colours of the arrows have no meaning.
Figure 1: Sequence Chart
The player starts with a given task, where he has to get familiar with the basics of Linux. As soon as the player accomplishes the task there are five possible story parts available for the player. He is almost free in his decision which story part he chooses, but once he has chosen one he has to accomplish it before he starts the next one. He also has to regard the constraint for each story part, which means that some scenarios have to be finished before other scenarios can be played, e.g. the scenario DNS Spoofing can only be played if the scenarios DNS server manipulation, Hydra and DHCP are finished. This system allows the player to choose between different tasks without the risk of getting too deep into one subject without the necessary previous knowledge!
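The unlock rule of the sequence chart (a story part is playable only when all its preconditions are finished) can be written as a small dependency graph check. The following JavaScript is an added example, not code from the SHiNE project or the NetS-X game server. The precondition table is constructed for illustration; only the ”DNS Spoofing” rule and the initial Linux basics task are taken from the text above, the other entries and their names are assumptions. It also goes slightly beyond the text by checking the content author's graph for cycles, which would make story parts unreachable.

```javascript
// Added example (not project code): the unlock rule of the sequence chart.
// A story part becomes playable only when all of its preconditions are finished.
// The table below is constructed for illustration; only the "DNS Spoofing" rule
// and the initial "Linux basics" task come from the documentation text.
const PRECONDITIONS = {
  "Linux basics": [],
  "Console": ["Linux basics"],
  "Vi": ["Linux basics"],
  "DNS basics": ["Linux basics"],
  "DNS server manipulation": ["DNS basics"],
  "Hydra": ["Linux basics"],
  "DHCP": ["Linux basics"],
  "DNS Spoofing": ["DNS server manipulation", "Hydra", "DHCP"],
};

// Story parts the player may start now: every precondition finished and the
// part itself not finished yet.
function availableParts(graph, finished) {
  const done = new Set(finished);
  return Object.keys(graph)
    .filter((part) => !done.has(part))
    .filter((part) => graph[part].every((pre) => done.has(pre)));
}

// Check before unlocking one scenario: returns the preconditions still missing.
// An empty result means the scenario may be played.
function missingPreconditions(graph, part, finished) {
  if (!(part in graph)) throw new Error(`unknown story part: ${part}`);
  const done = new Set(finished);
  return graph[part].filter((pre) => !done.has(pre));
}

// Sanity check for content authors: a cyclic precondition (A needs B, B needs A)
// can never be satisfied, so those parts would be unreachable in the game.
function findUnreachable(graph) {
  const reachable = new Set();
  let grew = true;
  while (grew) {
    grew = false;
    for (const part of Object.keys(graph)) {
      if (!reachable.has(part) && graph[part].every((p) => reachable.has(p))) {
        reachable.add(part);
        grew = true;
      }
    }
  }
  return Object.keys(graph).filter((p) => !reachable.has(p));
}
```

With the constructed table, only ”Linux basics” is available at the start and five parts open up after it is finished, mirroring the chart's description; ”DNS Spoofing” stays locked until all three of its preconditions are done.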
3.4 Integration items/characters in overall story [sg, fe, af]
Besides many nameless colleagues there are some special characters who accompany the player through the story. They provide the player with background information and guide him through it. The following fixed NPCs are already implemented:
Department chief: Description or specification: The department chief is a harsh, egoistic person. He is always busy and has no time for the player. He also takes all the credit for things that his staff has achieved.
Function: The DC is the one person a loyal player should work for, but because of the DC’s egoistic character the player should have no problem working for anybody else than the DC.
Janitor: Description or specification: The janitor is a very angry guy who seems not to like his work, although he’s doing it very well. The only thing he seems to like less than his work is other people, and so he hates the player character from the very beginning, and the player won’t be able to change that. So if he doesn’t want to see the player as a friend, why shouldn’t the player have a little fun angering the janitor? ;)
Function: There is no learning aim in getting in contact with the janitor at all. He just gives the game a little more realism. He won’t help the player. But maybe he can be helpful for the player without wanting it?
The Geek: Description or specification: A guy nobody wants as a friend. He knows everything better and will tell everybody if you tell him about your problems. However, he really knows a lot, but getting information has a high price: unpopularity.
Function: Although he is not integrated at the moment, we have to say that the Geek was one of the earliest ideas for an in-game character. If you have any problems with a scenario, he’s the one who can help you. But asking him will bring you the anger of your other colleagues. Right now it’s unfortunately too complex to integrate an NPC in SHiNE who can help you with whatever you need, but maybe one day somebody will implement him and write all his clever hints down.
Secretary: Description or specification: A nice and sexy woman. She helps wherever she can and seems to like the player. She is always busy but never too busy to give any help she can give. To have her as a friend might be a good idea.
Function: The secretary is the second voice of the DC. She is the one you would always help if help is needed, and so will she. She passes most of the DC’s orders to the player whenever the DC has no time. She helps the player if she can, and as a vision it might be a later goal of the game to date her. But to date her you first have to show her what a tough and hardworking guy you are. And please don’t talk to the Geek. He is so *** she won’t date you if she knew about it.
Larry: Description or specification: That nice young guy seems to be a little rebel. He doesn’t like the DC and will do whatever he can to annoy him. On the other hand he seems to be a very clever guy, and helping him could be profitable. He does anything but work. Look at the coffee machine first if you are looking for him.
Function: Larry gives the player a chance to be a bit of a rebel. Larry always wants the player to help him annoy the DC. In time he could even become a connection to a hacker society inside SHiNE, which wants to get rid of the DC because he is playing a foul game.
Flyer: Description or specification: Just hanging around the whole day, the flyer can be found on a wall near the kitchen. Maybe it offers important information, maybe it doesn’t.
Function: To give the game a little more realism the player can ”talk” to the flyer to get a new job to do. If there is anything important to do the flyer might give that info to the player if he just takes a look. This makes the player believe he is looking for a job himself and isn’t only the stupid learning-game playing guy who has to do what the next colleague says.
Elevator access card: Description or specification: a card for using the elevator. It’s made of plastic and holds a chip. What else did you expect?
Function: To give the game a more RPG-like style there is a card which allows the player to use the elevator instead of taking the stairs. To get it you must help an NPC. Using the elevator may bring the player to floors he couldn’t reach by taking the stairs. As a vision the building could have an endless number of floors, but to get there he first needs to find the access cards with clearance for a new set of those floors. And before getting a new access card the player has to fulfill some special scenarios. So each floor could act as a new difficulty level.
3.5 In-Game assistance [sg, fe, af]
To support the player inside the 2D game we planned to realize a special NPC at a fixed position, besides the common assistance by the normal NPCs. This special NPC should come in the metaphor of a geek. The player can visit this NPC whenever he wants. The geek helps the player for free with common information and hints. This information is also available in the wiki, in more detail. The player can also ask for precise information to solve a special task, but he has to pay for it with the points he has earned. So the player should think about whether he really wants to pay for this information, because he doesn’t have unlimited points. A sympathy system was also planned, where the player could earn sympathy points from a female employee with every successfully accomplished task. If the player asks the geek for concrete help he loses one sympathy point with the female employee. The aim of this system is to discourage the player from asking for help too often. He shall try to reach and keep a positive relationship with the secretary and see how this relationship could evolve.
3.6 Behavior NPCs (Implementation XML) [sg, fe, af]
To achieve the intended main theme of the SHiNE storyline, the great number of NPCs had to be coordinated using their implementable abilities. Needless to say, the plot so far has so much complexity that, when implementing a new plot, it is useful to create new NPCs as often as possible, because they can be integrated more easily than adjusting already existing ones. Detailed technical information about an NPC’s XML structure is not described again at this point. Much more interesting might be a little look at already existing NPCs of SHiNE and the motivation for their special way of implementation:
First of all, every single NPC should get his own characteristic way of talking. How do you want the NPC to come across to the player? Is it a friendly one, or a direct one? Is he/she shy, or is he/she annoying the player? The way of talking should be implemented right at the beginning of the NPC’s implementation by filling the so-called Smalltalk chapter. Because an NPC can have as many Smalltalks as you want it to have (they appear randomly in the game whenever the NPC is talked to without having any important information to tell the player), this part of the implementation should be used. This technique also helps other programmers to easily figure out each existing NPC’s way of talking and maybe also its fads and tics by consulting the Smalltalk chapter. Some examples:
The department chief is a very direct talking character. He talks in short sentences and dictatorially. So he personifies the selfish supervisor who seems to believe that he has to show his subordinates his higher position to be accepted. That behaviour should quickly make him the last person the player wants to meet very often in the game. Another example may be the secretary. Whenever she comes across she is friendly and helpful, sometimes she is even flirting a bit or leaves her desk to meet the player and bring information to him. She seems to be a woman doing her job very assiduously and taking charge of the whole bureau. Maybe she is also afraid of not being accepted because she is the assistant of the bureau’s bad guy.
Basically the implementation of a new NPC is not the problem. The real problem might be the faultless matching of different NPCs with each other as part of a more complex plot. The given implementation format forces the programmer to take care of what a new NPC shall do, for example whether that NPC may be able to react differently in different situations. At this point any programmer is strongly advised to write up sequence charts. This is elementary for clarity. To see the described implementation problems in the SHiNE game itself, remember the sequence chart of SHiNE’s main storyline. Looking at it you should easily notice the great number of story chapters that depend on diverse preceding chapters. Accordingly, the involved NPCs have to be updated correctly after the end of each chapter and must not accidentally be set to an already passed state. This special case, added to the possible case of an NPC being able to give more than one job to the player at the same time (which may have been triggered by passing the storyline in some unusual but possible way), brings a multitude of complexities and so the need for additional diverse NPC states. In conclusion, the present format of the NPCs is good for quick add-ons and elementarily very functional. But if you want to implement a storyline that is just a little bit complex, this undertaking requires detailed planning.
3.7 Realisation Flash-Client [cs, ju]
This section is about the implementation of the Flash game and the surrounding interfaces. It gives an overview of the new features and how they were implemented. The first step was our decision to rewrite the entire Flash game. The team came up with several requirements which could not be fulfilled by the previous implementation. Our goal was to create an interactive environment that provides more than just a link between the different scenarios. We introduced a completely new graphics engine with a slide depth simulation, sprite animations and compatibility with a tile editor. This enables the designer to create huge worlds with different areas and animated objects. With the implementation of the state-machine engine the game becomes fully interactive. There are three object types which represent e.g. non-player characters (NPCs), items or doors. Each object contains a state machine and thus it can be completely controlled by the game designer. The user changes the world with his individual interactions and so he dives deeper into the game experience. As a result the world gets much more interesting and less static. The NPCs are able to walk along a path which can be created with a waypoint editor. This allows pathfinding and exact movement control.
We improved the integration of external tasks ”in the real world”. Now the NPC objects can unlock the skills for a certain task, so the user is able to gain them by communicating with in-game characters. We developed an interface between Flash and JavaScript so that the browser-based PDA menu can be opened directly from the game without annoying popup windows.
To ensure that closing the browser does not affect the current game state, the state-machine engine is connected to the remote game server and all changes are saved immediately to its database. The position of the player and the walking NPCs are saved as well.
Finally, the Flash game is designed as a game engine. It only interprets external data like maps, object state machines and waypoint maps. As a result the game content and even the graphics can be exchanged completely without the need to change the actual game code.
3.7.1 Implementation
The implementation of the flash game can be subdivided into four major components (see figure 2).
Figure 2: major components
The graphics engine is responsible for the presentation of the game. It handles user input, determines collisions, organizes the scene, manages path finding, provides the dialog boxes and supports the animation script. For the user input we introduced a hierarchical manager to delegate the mouse/keyboard inputs to the right game component. This is done in order to prevent a mouse click from being notified to more than one input object (for instance the player itself and the open talk dialog). Collision detection is done with simple geometrical intersection tests. Each object contains one rectangle, and whenever the collision rectangles of two objects overlap the engine detects a collision. Because of the slide perspective view of the game it is necessary to sort the visible sprites by their vertical position. The animation script allows the designer to define nearly any kind of animation. The perspective and the view angle of the object are managed by the animation set principle. Each object has its own bitmap with all its animation frames. The animation script/set defines under which circumstances which animation frame is used. A detailed description can be found in the appendix ”scene management and animations”.
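The three graphics-engine mechanisms described above (rectangle intersection for collisions, sorting sprites by their vertical position for the slide perspective, and a hierarchical input manager that hands a click to exactly one component) are shown here as an added JavaScript example. This is not the project's ActionScript code; the object shapes (`rect` with `x`, `y`, `w`, `h`), the class and function names and the sample scene are assumptions made for the example.

```javascript
// Added example (not the project's own code): the graphics-engine mechanisms
// from the text, in plain JavaScript instead of ActionScript.

// 1. Collision: each object carries one axis-aligned rectangle; two objects
//    collide when the rectangles overlap (merely touching edges does not count).
function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

function collidingWith(subject, objects) {
  return objects.filter((o) => o !== subject && rectsOverlap(subject.rect, o.rect));
}

// 2. Draw order for the slide perspective: sprites are sorted by the bottom
//    edge of their rectangle, so an object standing lower on screen is drawn
//    after (over) one standing higher, which appears "behind" it.
function drawOrder(objects) {
  return [...objects].sort((a, b) => (a.rect.y + a.rect.h) - (b.rect.y + b.rect.h));
}

// 3. Hierarchical input manager: components are kept front to back; the first
//    one whose rectangle contains the click handles it and no other component
//    is notified (an open talk dialog shadows the player underneath it).
class InputManager {
  constructor() { this.layers = []; }               // index 0 = frontmost
  push(component) { this.layers.unshift(component); }
  remove(component) { this.layers = this.layers.filter((c) => c !== component); }
  click(px, py) {
    for (const c of this.layers) {
      const r = c.rect;
      if (px >= r.x && px < r.x + r.w && py >= r.y && py < r.y + r.h) {
        c.onClick(px, py);
        return c.name;                              // handled by exactly one component
      }
    }
    return null;                                    // click hit nothing
  }
}

// Constructed sample scene (assumed values): a player, an npc standing slightly
// below and to the right of him, a desk further away, and an open talk dialog.
function sampleScene() {
  const mk = (name, x, y, w, h) => ({
    name, rect: { x, y, w, h }, clicks: 0,
    onClick() { this.clicks += 1; },
  });
  const player = mk("player", 100, 100, 32, 48);
  const npc = mk("npc", 120, 120, 32, 48);
  const desk = mk("desk", 300, 60, 96, 40);
  const dialog = mk("dialog", 0, 0, 400, 300);
  return { player, npc, desk, dialog };
}
```

In the sample scene the player overlaps the npc but not the desk, the desk is drawn first because its bottom edge is highest on screen, and while the dialog is pushed onto the input manager a click at (110, 110) reaches only the dialog; after it is removed the same click reaches the player.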
The game controller is the link between the other components and controls the entire game. It loads the map, creates objects (NPCs, trigger areas and items), handles map switches and delegates messages from the game server to the graphics engine.
The game server interface is the interface to the remote game server (written in CakePHP). It supports functions for scoring, exchanging the game state, unlocking skills and scenario organisation. The detailed interface description can be found in the appendix ”Game server interface”. The state machine engine is nested in the game server interface and runs fully within the Flash game. In a further implementation it may be relocated to the game server; to ease this step we hid it behind the game server interface. Nevertheless it provides the core control of the game. All state machines are grouped here and it supports functions to dispatch events and query states. (For further study of the game architecture see the ”class diagram of the flash game” in the appendix.)
3.7.2 State Machine
State machines are a widely used approach in computer science and enable us to describe simple behaviours for the objects (e.g. NPCs, items). The state machine could be called the game logic. State machines, also called ”finite state machines”, are a concept for solving logical problems. We used them to have an easy and scriptable behaviour for every interactable object in our game. Our state machine consists of three main object types. First the states. A state is the description of every changeable attribute that belongs to a specific game object. For example the attributes
• visible
• collision
• active
would be a good start for a state machine called Pitfall. The state machine holds several of these states with the mentioned attributes but different values. The second part are the so-called ”connections” between states; they define to which states the current state can change. These connections have different conditions on which they react, e.g. state ”Disabled” has a connection to state ”Active”, where the attributes for the state ”Disabled” are visible, no collision, inactive (normally these would be variable types, but readable values are used for illustration) and for ”Active” they would be not visible, has collision, active. Now the new connection, let’s call it ”Activate”, waits for an event, maybe ”Trigger”. If the state machine is in the state ”Disabled” and receives the event ”Trigger”, it changes into the state ”Active”, because our connection between ”Disabled” and ”Active” is waiting for the event ”Trigger”. If you imagine the pitfall in a game, the state ”Disabled” would mean everybody can see it and walk over it without anything happening. After activating it, maybe by a switch, nobody could see it, but if someone walked over it he would fall in. What happens is quite simple: after triggering the state from ”Disabled” to ”Active” our object associated with the state machine got a collision area, and if someone runs over it the game gets the response ”Oh look, someone walked on our pitfall, do something” and has to react in a proper way, maybe let the player die. But our pitfall can only be activated, because there is no connection from the state ”Active” back to ”Disabled”. If we create one that waits for the same ”Trigger” event, we can switch our pitfall on and off. To extend the example we add a connection from ”Active” to a new state called ”Released” that waits for the event ”Collision”. Collision is triggered if someone walks on our pitfall while it is activated. After someone walked on our pitfall it is disabled and cannot be enabled again, because there is no connection back from ”Released”; it is a one-way state. The third part are the events themselves, which are dispatched to a state machine and matched against the connections of its current state. It is also possible to automatically dispatch events to other state machines when a state changes. The switch to enable and disable our pitfall does exactly that. It is a state machine with two states, on and off, and with two connections that wait for the player event ”Action”. If the player uses his action key on his keyboard and thus triggers the action event at our switch state machine, it changes into the next state, and because both states wait for the same event it is an endless on, off, on, off loop.
So when the switch changes its state it sends the event ”Trigger” to our pitfall state machine, which waits exactly for this event. You can also make several connections that wait for different triggers to create a more complex behaviour. The possibilities are almost endless.
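The pitfall and switch walked through above can be run as a small scriptable state-machine engine. The JavaScript below is an added example, not the SHiNE state-machine engine or its XML format: the class names, the `{ from, to, event, dispatch }` connection shape and the attribute values of the ”Released” state are assumptions. It also shows the behaviour mentioned for game objects, that an event no connection of the current state waits for is silently ignored.

```javascript
// Added example (not project code): a scriptable state machine in the shape
// described in the text. States carry attributes, connections wait for an event
// and lead to another state, and a state change may dispatch an event to
// another machine. Plain JavaScript stands in for the Flash client's ActionScript.
class StateMachine {
  constructor(name, states, connections, initial) {
    this.name = name;
    this.states = states;            // { stateName: { visible, collision, active } }
    this.connections = connections;  // [{ from, to, event, dispatch? }] (assumed shape)
    this.current = initial;
    this.engine = null;              // set when the machine is added to an engine
  }
  get attributes() { return this.states[this.current]; }

  // Deliver one event. If the current state has no connection waiting for it,
  // nothing happens (the same way an item machine ignores a "talk" event).
  receive(event) {
    const conn = this.connections.find((c) => c.from === this.current && c.event === event);
    if (!conn) return false;
    this.current = conn.to;
    if (conn.dispatch && this.engine) {
      // automatic event to another machine, e.g. switch -> pitfall
      this.engine.dispatch(conn.dispatch.target, conn.dispatch.event);
    }
    return true;
  }
}

// The state-machine engine groups all machines and routes events between them.
class StateMachineEngine {
  constructor() { this.machines = new Map(); }
  add(machine) { machine.engine = this; this.machines.set(machine.name, machine); }
  dispatch(target, event) {
    const m = this.machines.get(target);
    if (!m) throw new Error(`no state machine named ${target}`);
    return m.receive(event);
  }
  state(name) { return this.machines.get(name).current; }
}

// Constructed content: the pitfall and its switch from the text.
// The attribute values of "Released" are an assumption (the text only says the
// pitfall is disabled afterwards and cannot be enabled again).
function buildPitfallScene() {
  const engine = new StateMachineEngine();
  engine.add(new StateMachine("pitfall", {
    Disabled: { visible: true, collision: false, active: false },
    Active:   { visible: false, collision: true, active: true },
    Released: { visible: true, collision: false, active: false },
  }, [
    { from: "Disabled", to: "Active", event: "Trigger" },    // "Activate"
    { from: "Active", to: "Disabled", event: "Trigger" },    // the way back
    { from: "Active", to: "Released", event: "Collision" },  // one-way state
  ], "Disabled"));
  engine.add(new StateMachine("switch", {
    Off: { visible: true, collision: true, active: false },
    On:  { visible: true, collision: true, active: true },
  }, [
    { from: "Off", to: "On",  event: "Action", dispatch: { target: "pitfall", event: "Trigger" } },
    { from: "On",  to: "Off", event: "Action", dispatch: { target: "pitfall", event: "Trigger" } },
  ], "Off"));
  return engine;
}

// What the game loop does when the player's rectangle overlaps the pitfall:
// the collision attribute of the current state decides whether anything happens.
function playerStepsOnPitfall(engine) {
  const pitfall = engine.machines.get("pitfall");
  if (!pitfall.attributes.collision) return false;   // disabled: walk over it freely
  engine.dispatch("pitfall", "Collision");            // active: fall in, pitfall is released
  return true;
}
```

Pressing the action key toggles the switch, and each toggle sends ”Trigger” to the pitfall, so the pitfall follows the switch through Disabled and Active. Once the player has fallen in, the pitfall is in ”Released” and every further ”Trigger” is ignored because no connection leaves that state.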
3.7.3 Game objects (NPCs, items, trigger areas)
There are three main types of game objects in our game: NPCs, items and trigger areas. All these objects have a state machine working in the background to control their behaviour, but with different parameters. If you compare NPCs with items there are several differences, e.g. you can use talk events on NPCs but not on items; a state machine for items does not know this event and will ignore it. It is even impossible to script items that react to talk events, because the predefined XSD structures forbid doing so.
The NPC (non-player character) is a computer-controlled character and has the most interaction and control possibilities of all game object types. It can talk with you, ask you questions and wait for a correct answer (even multiple choice is possible). If it has nothing to do it can walk around; it will stop if you want to talk to it and tell you something random if there is no real text to say. It can search for specific (way)points in the map and walk to them, or do nothing at all. NPCs can react to the following events:
• talk (the player talks to the NPC)
• touch (the player comes near the NPC)
• action (the player presses the action button on his keyboard and is near the NPC)
• collision (the player hits the NPC)
• correctAnswer (the player gives the correct answer(s))
• answer (the player gives an incorrect answer)
• reachDest (the NPC reached its desired waypoint)
• triggerEvent (the NPC got an event from another state machine)
• globalEvent (event that every state machine gets)
An item represents a game object that is either lying around on the floor, collected and in the player's inventory, or removed from the game, which means it is neither lying around nor in the player's inventory. Items in the inventory can be used to open doors, repair switches, bring a cup of coffee to your boss, gain access to a computer etc. In contrast to NPCs they are passive objects that do nothing on their own until the player interacts with them. Items can react to the following events:
• touch (the player comes near the item)
• action (the player presses the action button on his keyboard and is near the item)
• collision (the player hits the item)
• triggerEvent (the item got an event from another state machine)
• globalEvent (event that every state machine gets)
The trigger area is not really an object the player can use or see; it is more of a scripting aid for the content builders. Trigger areas are invisible rectangles of any size. Their only purpose is to send "Trigger" events to other state machines when the player moves onto them. They cannot do anything more and are only used if something should happen automatically when the player enters a specific area. For example you could place a trigger area at the entrance of a room that switches the light on when the player enters the room (and therefore walks onto the trigger area). Trigger areas can react to the following events:
• collision (the player hits the trigger area)
• triggerEvent (the trigger area got an event from another state machine)
• globalEvent (event that every state machine gets)
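The pitfall/switch example from the beginning of this section and the per-object event lists above, as an added Python example. This is not code from the SHiNE Flash client (whose behaviour is scripted in XML); the event names are the ones listed for the three object types, the "Trigger" of the pitfall example is modelled as the listed triggerEvent, and the state and machine names are illustrative.

```python
"""Event-driven state machines: one per game object, transitions wait for a
single event, and entering a state may dispatch an event to another machine."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    src: str      # state the machine must be in
    event: str    # event the connection waits for
    dst: str      # state entered when the event arrives


class StateMachine:
    # Events each object type can react to (section 3.7.3). Anything else is
    # ignored, like a talk event sent to an item whose XSD forbids it.
    ALLOWED_EVENTS = {
        "npc": {"talk", "touch", "action", "collision", "correctAnswer",
                "answer", "reachDest", "triggerEvent", "globalEvent"},
        "item": {"touch", "action", "collision", "triggerEvent", "globalEvent"},
        "triggerarea": {"collision", "triggerEvent", "globalEvent"},
    }

    def __init__(self, name, kind, initial, transitions, dispatch=None):
        self.name = name
        self.kind = kind
        self.state = initial
        self.transitions = list(transitions)
        self.dispatch = dict(dispatch or {})  # entered state -> (machine, event)
        self.world = None                      # set when added to a World
        self.log = []

    def handle(self, event):
        """Apply one event. Returns True if a connection fired."""
        if event not in self.ALLOWED_EVENTS[self.kind]:
            self.log.append(f"{self.name}: {self.kind} cannot react to {event}")
            return False
        for t in self.transitions:
            if t.src == self.state and t.event == event:
                self.log.append(f"{self.name}: {t.src} --{event}--> {t.dst}")
                self.state = t.dst
                if t.dst in self.dispatch and self.world is not None:
                    target, ev = self.dispatch[t.dst]
                    self.world.send(target, ev)   # e.g. switch -> pitfall
                return True
        self.log.append(f"{self.name}: no connection from {self.state} on {event}")
        return False


class World:
    """Holds all machines so one machine can dispatch events to another."""

    def __init__(self):
        self.machines = {}

    def add(self, machine):
        machine.world = self
        self.machines[machine.name] = machine

    def send(self, name, event):
        return self.machines[name].handle(event)

    def broadcast(self, event="globalEvent"):
        return {n: m.handle(event) for n, m in self.machines.items()}


def build_pitfall_world():
    """Switch (item) toggles on/off on 'action' and sends triggerEvent to the
    pitfall (trigger area); Active + collision leads to the one-way Released."""
    world = World()
    world.add(StateMachine(
        "switch", "item", "off",
        [Transition("off", "action", "on"), Transition("on", "action", "off")],
        dispatch={"on": ("pitfall", "triggerEvent"),
                  "off": ("pitfall", "triggerEvent")}))
    world.add(StateMachine(
        "pitfall", "triggerarea", "Disabled",
        [Transition("Disabled", "triggerEvent", "Active"),
         Transition("Active", "triggerEvent", "Disabled"),
         Transition("Active", "collision", "Released")]))
    return world


def run_demo():
    world = build_pitfall_world()
    pitfall = world.machines["pitfall"]
    world.send("pitfall", "collision")       # disabled: walking over it does nothing
    s0 = pitfall.state                       # Disabled
    world.send("switch", "action")           # switch on  -> pitfall Active
    s1 = pitfall.state                       # Active
    world.send("switch", "action")           # switch off -> pitfall Disabled
    world.send("switch", "action")           # switch on  -> pitfall Active
    world.send("pitfall", "collision")       # player falls in -> Released
    s2 = pitfall.state                       # Released
    world.send("switch", "action")           # Released is one-way: nothing happens
    s3 = pitfall.state                       # Released
    ignored = world.send("pitfall", "talk")  # trigger areas cannot be talked to
    return s0, s1, s2, s3, ignored


if __name__ == "__main__":
    print(run_demo())
```

The `log` list of each machine records every fired or refused transition, which is what a content builder would want when an NPC or trigger area does not react as scripted.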
3.7.4 Tile editor
One of the key decisions in recreating the Flash game was to use the "Tiled" editor for creating the 2D world. It is a free editor (GNU license) written in Java which allows the designer to create any kind of 2D tile map, so it can be used on any common operating system. The code is well commented and can be extended for further requirements. It uses multiple layers to simulate different heights. One of the major features of the editor is the possibility to customise all components of the map: the whole map, each layer and each tile can carry key/value pairs (properties), which we use to configure the map for our purposes. The result is a short XML file that is read by the Flash game and is the main definition of a certain area (e.g. an office, the cellar or the entrance). On the one hand it is the tool to design the layers with the tile graphics and gives a graphical overview of a map; on the other hand it enables the designer to place the objects on the map and define collisions. Normally the editor does not support placing game objects in the world. To achieve this the map designer sets a certain property on a layer (e.g. type=objects), and the Flash game then treats the whole layer as an object placement layer: instead of drawing the placed tiles, it reads the properties of each tile and, depending on its configuration, loads an NPC, a trigger area, an item or a spawn point. The collision for a tile is defined by the property block=true. For further documentation on creating a map see the appendix "the tile map".
3.7.5 Waypoint editor [dl]
Overview
Name: Waypoint-Editor
Created by: Daniel Lueers
Size: 76 kb
Runnable on: Windows, Mac, Unix
Output file type: XML
Programming language: Java 6.0
Description Waypoints could be set with the Tiled editor, but connecting the waypoints with each other is very complicated there and there are no visual connections. So we decided to assign one person to develop our own waypoint editor for our special requirements. The programmer paid special attention to usability: every important option is directly positioned on the main screen, so no searching is needed to find any feature, and a user working with the program for the first time will know directly what to do. There are also tooltips for most functions which tell the user what the function is for or how to use it. The waypoint editor can be reused in later projects that need waypoints.
Main functions
Auto-Create-Connection-Function The "auto-create-connection" function is very useful for fast working: when a waypoint is set, a connection is automatically created from the last waypoint to the new one.
Add-Additional-Connections-Function Furthermore, you can add additional connections between any waypoints. There is no limit to the number of connections per waypoint.
Rename-Function Waypoints are named automatically, for example "Waypoint-Nr.1", but the "rename" function allows renaming them. There is no limit to the length of a name.
Set-Connection-Weight-Function With the "set-connection-weight" function you can assign weights to connections.
The higher the weight of a connection, the more an NPC prefers to walk along it.
Delete-Function Of course there is a ”delete”-function for removing waypoints and/or connections.
Wireframes In the view menu the user finds an option to enable two different grids ("wireframes"). The first shows a grid of 25x25 pixel squares; the second splits the screen into 50x50 pixel squares. With this grid it is very easy to place a waypoint at the correct position the first time.
Auto-Position-Function The "auto-position" function runs in the background and cannot be disabled, because disabling it would make no sense. On every mouse click the function calculates which 50x50 square the user meant and sets the waypoint at that position. With the help of this function you can work very fast with the program.
Drag-and-Drop Sometimes you do not want the program to calculate a "perfect" position for you. For this the developer implemented a "drag-and-drop" function: the user can click on a waypoint and, while the mouse button is held down, drag the waypoint back and forth. The connections belonging to the dragged waypoint are recalculated in real time. That is one reason for the very fluid and fast workflow: every change the user makes is visualised directly.
Drag-and-Drop for map-files This feature allows the user to drag a map file into the program. The program recognises a map file and calls the appropriate methods automatically, so the user does not have to use the built-in file chooser.
Load-Map-Function The "load-map" function loads maps. It was difficult to implement, because the Tiled editor creates an XML file in which some information is stored base64-encoded, for example which tile is at which position. This information looks like
<data encoding="base64">EQAAAAAARAAAAEQAAAAAARAAAAA</data>
The programmer therefore had to implement a Base64 decoder, which was difficult and took much time.
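How the game reads such a map, as an added Python example covering both the tile editor conventions of section 3.7.4 (type=objects layers, block=true tiles) and the base64 layer data the load-map function has to decode. This is not code from the SHiNE client or the waypoint editor. Tiled stores layer data as base64 of 32-bit little-endian global tile ids (gids), one per cell in row-major order; the 4x3 map below is constructed, and all property names other than type, objects and block are assumptions.

```python
"""Parse a Tiled TMX map: decode base64 gid layers, collect blocking tiles and
turn a type=objects layer into a list of NPCs, items, trigger areas, spawns."""
import base64
import struct
import xml.etree.ElementTree as ET

FLIP_MASK = 0x1FFFFFFF  # later Tiled versions use the top three bits as flip flags


def encode_layer(gids):
    """Inverse of decode_layer; used here only to build the sample map."""
    return base64.b64encode(struct.pack("<%dI" % len(gids), *gids)).decode("ascii")


def decode_layer(data_text, width, height):
    """Turn <data encoding="base64"> text into a row-major list of gids."""
    raw = base64.b64decode(data_text.strip())
    expected = 4 * width * height
    if len(raw) != expected:
        raise ValueError(f"layer has {len(raw)} bytes, expected {expected}")
    return [g & FLIP_MASK for g in struct.unpack("<%dI" % (width * height), raw)]


# Constructed 4x3 map: gid 1 floor, 2 wall, 3 NPC, 4 trigger area, 5 item, 6 spawn point.
GROUND = [2, 2, 2, 2,
          2, 1, 1, 2,
          2, 1, 1, 2]
OBJECTS = [0, 0, 0, 0,
           0, 4, 3, 0,
           0, 6, 5, 0]

SAMPLE_TMX = f"""<map version="0.99b" orientation="orthogonal" width="4" height="3" tilewidth="32" tileheight="32">
 <tileset firstgid="1" name="shine" tilewidth="32" tileheight="32">
  <image source="shine.png"/>
  <tile id="1"><properties><property name="block" value="true"/></properties></tile>
  <tile id="2"><properties><property name="type" value="npc"/><property name="name" value="boss"/></properties></tile>
  <tile id="3"><properties><property name="type" value="triggerarea"/><property name="target" value="light"/></properties></tile>
  <tile id="4"><properties><property name="type" value="item"/><property name="name" value="coffee"/></properties></tile>
  <tile id="5"><properties><property name="type" value="spawnpoint"/></properties></tile>
 </tileset>
 <layer name="ground" width="4" height="3">
  <data encoding="base64">{encode_layer(GROUND)}</data>
 </layer>
 <layer name="objects" width="4" height="3">
  <properties><property name="type" value="objects"/></properties>
  <data encoding="base64">{encode_layer(OBJECTS)}</data>
 </layer>
</map>"""


def _properties(elem):
    return {p.get("name"): p.get("value") for p in elem.findall("properties/property")}


def tile_properties(root):
    """gid -> properties, resolving each tileset's firstgid offset."""
    props = {}
    for ts in root.findall("tileset"):
        first = int(ts.get("firstgid"))
        for tile in ts.findall("tile"):
            props[first + int(tile.get("id"))] = _properties(tile)
    return props


def load_map(tmx_text):
    root = ET.fromstring(tmx_text)
    width, height = int(root.get("width")), int(root.get("height"))
    tprops = tile_properties(root)
    blocked, objects = set(), []
    for layer in root.findall("layer"):
        data = layer.find("data")
        if data is None or data.get("encoding") != "base64":
            raise ValueError(f"layer {layer.get('name')}: only base64 data is handled here")
        gids = decode_layer(data.text, width, height)
        placement = _properties(layer).get("type") == "objects"
        for idx, gid in enumerate(gids):
            if gid == 0:
                continue                      # empty cell
            x, y = idx % width, idx // width
            p = tprops.get(gid, {})
            if placement:                     # tile is not drawn, it places an object
                objects.append({"x": x, "y": y, "type": p.get("type", "unknown"),
                                **{k: v for k, v in p.items() if k != "type"}})
            elif p.get("block") == "true":
                blocked.add((x, y))
    return {"width": width, "height": height, "blocked": blocked, "objects": objects}


def demo():
    return load_map(SAMPLE_TMX)


if __name__ == "__main__":
    m = demo()
    print(sorted(m["blocked"]))
    for obj in m["objects"]:
        print(obj)
```

The length check in decode_layer is the one a loader should not skip: a map whose data does not match width x height is corrupt, and silently reading it would misplace every object after the first bad row.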
Load-and-Save-Waypoints-Function The user can save his work; the normal XML file is then generated. He is also able to load such an XML file to continue his work later. Responsible for this function is the Java class Pathload.java.
Technical details The program is developed with Java 6.0. It works under Windows, Mac OS and Unix systems, has the same look and feel as the system and is stand-alone software, independent from other programs such as Internet Explorer. It consists of 17 classes. The code is documented very thoroughly, so any programmer who wants to continue developing it should have no big problems working with the code. The developer used the model-view-controller pattern: whenever the data changes, the GUI is updated immediately, which is one reason for the stability and speed of the waypoint editor. The programmer created an XML generator to save the path and create the XML file which is read by the game; the path loader loads saved path (XML) files so that work can be continued later.
4 Description of Game Topology [ts]
The topology mirrors a fictional company's network. Almost everything found in today's networks is implemented. The network consists of three areas: the (Game) Internet, the DMZ (Demilitarised Zone) and the LAN (Local Area Network), which itself is divided into several VLANs (Virtual LANs). The Internet and the DMZ are connected by a firewalled router, as are the DMZ and the LAN. Inside every area a switch connects the machines.
A lot of security features are implemented in the topology. Honeypots are placed in the Game Internet and the DMZ to lure attackers into attacking them instead of the real network and clients; they are virtual networks/clients that look like attractive targets, so attackers are likely to go for them. There are also IDSs (Intrusion Detection Systems) and monitoring tools: ntop and Cacti are used for monitoring, whereas Snort, Samhain and Prelude implement intrusion detection.
The Game Internet consists of three machines. The first is the OpenVPN server, which allows users from the real Internet to connect to the game and the topology. The second is the game server and the third is the game engine server, which has a direct communication channel to the LAN so that players and the game engine can access machines behind the firewalls.
The DMZ consists of two machines: the honeypot and the DMZ server, which acts as DNS server, FTP server, mail server and web server.
The LAN consists of several machines divided into several VLANs. The IDSs and monitoring tools are hosted on machines there. The Snort machine is connected to every switch via a layer 2 link (see the OSI layer model) so that it can monitor the whole network traffic.
Figure 3: The Topology
5 Scenarios
5.1 Basic scenarios [jp]
5.1.1 Console
In-Game name of scenario
Practice makes perfect
Learning target
For the whole game and nearly all of the following scenarios the player needs knowledge of using a Linux system. Even though most users will have some Linux experience, there is a need for a basic Linux scenario that explains the most elementary commands on a Linux command line. The user should also learn how to navigate through the file system and what a Linux file system looks like. Another piece of basic knowledge that should be communicated to the user is how to get information about his own system. In summary there are three learning targets in this scenario:
• basic commands on a Linux command line
• Navigation through the file system / file handling
• getting information about the own system (e.g. ip-adress)
Problem and task
The player has a list of several tasks in this first scenario:
• find the directory where log files normally would be
• copy the file into your own home directory
• get the IP address of your own system
• rename the file, using the IP address as the new file name
Order from boss
• find out in which directory log files normally would be saved
• check the log files as one of this must mention a ”secret tool”
• copy this log file to your home directory
• detect the IP address of your system
• rename the log file in your home directory with your IP address, but don't forget the .log extension
In-Game assistance
None specific
Wiki
For player assistance there is a lot of information about the basic Linux commands in the wiki. (See E.1.1 on page 93)
Precondition Skills
This is the very first scenario, which every player has to play. Therefore there are no preconditions for the user's skills. A player without any Linux experience should be able to solve this scenario, as should a Linux pro.
Precondition Scenarios
As with the preconditions for user skills, there are no preconditions for other scenarios either. This one is the very first.
Precondition Environment
This scenario runs on a single machine and does not affect any serious system configuration. Therefore there are no special preconditions for the environment. Only a normally installed Linux system, to which the player has access as a normal user, is needed.
Implementation framework
The scenario was implemented as a set of Linux shell scripts. Due to the framework implementation there are several scripts for setting up the target Linux system, evaluating the player's result and cleaning up the system afterwards.
5.1.2 Vi
In-Game name of scenario
Nobody is playing
Learning target
A Linux system has thousands of configuration files, which are normally text files. Therefore a player needs to know how to modify a text file on the Linux command line. For this purpose the editor Vi is the all-time favourite; this scenario trains the user in handling its improved successor, Vim. Modifying configuration files is not the only thing: the player also needs to know how to find a particular file in the entire system. After this scenario he should know this. In summary there are two learning targets:
• search files for a particular string
• basic usage of the Vi/Vim editor
Problem and task
The player needs a few steps to achieve this scenario:
• get information about the usage of Vi/Vim (Wiki ->vimtutor)
• self-educated training of Vim commands
• find a file containing a particular string
• modify this file in various ways
Order from boss
• find a file on your system which contains the string "Myrath"
• modify the file in following ways:
- delete the record of "Bill Jobs"
- change the salary for ”Steve Gates” to 100.000
- add a ”holiday” section with a value of 30 to every employee
• save the changed file
In-Game assistance non specific
Wiki
There are several articles about searching for a file on a Linux system and about the usage of the Vim editor in the wiki. (See E.1.2 on page 97)
Precondition Skills
The player only needs skills in basic Linux practice.
Precondition Scenarios
For this scenario the player has to complete the Linux basics scenario first. So this should be the second scenario and another cornerstone for the further course of learning.
Precondition Environment
This scenario runs on a single machine and does not affect any serious system configuration. Therefore there are no special preconditions for the environment. Only a normally installed Linux system, to which the player has access as a normal user, is needed.
Implementation framework
The scenario was implemented as a set of Linux shell scripts. Due to the framework implementation there are several scripts for setting up the target Linux system, evaluating the player's result and cleaning up the system afterwards.
5.2 Man-in-the-middle scenarios
5.2.1 ARP-Spoofing [rb]
In-Game name of scenario Whom’s th’MAC?!
Learning target
• Knowledge of MAC Addresses
• Knowledge of ARP bachelorproject ws 07/08 SHiNE 27
• understand Spoofing
Problem and task The player has to find out how to use the arp command. His task is to check whether something is wrong in the network and an attacker is spoofing the net. He is therefore given the hint to use the arp command and the manual for this command line tool. He has to find out
• which devices are connected with his computer
• the mapping of IP addresses and MAC addresses
• which host is spoofing
Order from boss
"There is something wrong in the network, please check the connections."
In-Game assistance
the man pages
Wiki
• arp E.2.1
• mac E.2.1
• arp spoofing E.2.1
Precondition Skills
• linux basics
• arp
Precondition Scenarios
• linux basics
Precondition Environment
This scenario is a single player scenario. It is located in the DMZ, and the ARP spoofing could influence other players.
Implementation framework
This scenario uses the hosts DMZ-Server and DMZ-HoneyD. One host is used as the user's host, the other is the automatic spoofer. When the user runs the arp command the spoofer is informed and spoofs the host for a given time. The user should see the changes in the ARP table before, during and after the spoofing. To give the user a chance to see the correct ARP table, the spoofing starts after a short pause following the arp command.
Changes in the environment during gameplay
Host user
Figure 4: Scenario ARP Location
• replacing the arp command on the user's host, so that the framework knows when the user runs arp and can time the spoofing
• add a group with sudo rights for using the arp program
• installation of expect for automatic remote connection
• add a backup directory and undo scripts
• add the user to the group with partial sudo rights
Figure 5: Scenario ARP sequence
bachelorproject ws 07/08 SHiNE 29
Host Drone
• install sudo and ettercap if they aren't installed
• add a spoofing user
• add a spoofing script which spoofs the user's IP when started
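What the player should see in the three ARP tables (before, during and after the spoofing), as an added Python example; it is not the scenario's scripts. The `arp -n` output below is constructed, with illustrative addresses: during the attack the gateway 10.0.1.1 answers with the MAC address that 10.0.1.20 already owns, which is the symptom the player is asked to spot.

```python
"""Detect ARP spoofing from snapshots of the ARP table (`arp -n` output)."""
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

# Constructed `arp -n` output on the user's host.
BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.1.1                 ether   00:0c:29:4a:1b:2c   C                     eth0
10.0.1.20                ether   00:50:56:9e:77:10   C                     eth0
10.0.1.30                ether   00:50:56:9e:77:11   C                     eth0
10.0.1.99                        (incomplete)                              eth0
"""
DURING = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.1.1                 ether   00:50:56:9e:77:10   C                     eth0
10.0.1.20                ether   00:50:56:9e:77:10   C                     eth0
10.0.1.30                ether   00:50:56:9e:77:11   C                     eth0
"""
AFTER = BEFORE  # the spoofer stops after its timer and the real gateway wins again


def parse_arp(text):
    """Map IP -> MAC, skipping the header line and incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def duplicate_macs(table):
    """MACs that answer for more than one IP. Can be legitimate (a router
    with several addresses), but it is the classic spoofing symptom."""
    owners = defaultdict(list)
    for ip, mac in table.items():
        owners[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def changed_entries(before, during):
    """IPs whose MAC differs between two snapshots: ip -> (old, new)."""
    return {ip: (before[ip], during[ip])
            for ip in before if ip in during and before[ip] != during[ip]}


def find_spoofer(before, during):
    """Hosts whose own MAC has taken over somebody else's IP."""
    suspects = set()
    for ip, (_old, new_mac) in changed_entries(before, during).items():
        suspects.update(other for other, mac in before.items()
                        if mac == new_mac and other != ip)
    return suspects


def demo():
    before, during, after = parse_arp(BEFORE), parse_arp(DURING), parse_arp(AFTER)
    return {
        "changed": changed_entries(before, during),
        "duplicates": duplicate_macs(during),
        "spoofer": find_spoofer(before, during),
        "restored": changed_entries(before, after) == {},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without a baseline snapshot only duplicate_macs is available, which is why the scenario deliberately delays the spoofing until after the player's first look at the table.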
5.2.2 Hijacking[rb]
In-Game name of scenario Intruders!
Learning target
• Knowledge of TCP
• 3 Way Handshake
• Knowledge about ARP-Spoofing and poisoning
• man in the middle attacks
• poor security of telnet
Problem and task The user has to find out how to start a man in the middle attack.
Order from boss
In-Game assistance linux manuals
Wiki
• telnet E.2.2
• ettercap E.2.2
• man in the middle E.2.2
• session hijacking E.2.2
Precondition Skills
• telnet
• mitm
• spoofing
• ettercap
• arp
Precondition Scenarios
• linux basics
• mitm arp
Precondition Environment
This scenario is a single player scenario. It is located in the DMZ, and the ARP spoofing could influence other players.
Implementation framework
Changes in the environment while gameplay
Host User
• installation of ettercap and sudo if they aren't installed
• add a group with sudo rights for ettercap usage
• add the user to this group
Host Drone
• installation of arpwatch and expect if they aren't installed
• add a script for automatic telnet login
• add a background check whether this host is being spoofed
If the drone is spoofed, the automatic telnet script logs in to a telnet server five times, to give the user five chances to see the password. This password is the string needed for the string evaluation in the game engine.
Figure 6: Scenario ARP sequence
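Why the drone's telnet logins give the password away, as an added Python example that is not part of the scenario's scripts: telnet sends keystrokes in clear text, so whoever sits in the middle after the ARP spoofing can reassemble the login from the captured payloads. The session below is constructed (prompt texts, option negotiation and the credentials are illustrative); it is what ettercap or a sniffer would hand over, split into client-to-server and server-to-client segments.

```python
"""Recover a telnet login/password pair from captured payload segments."""
IAC, SB, SE = 255, 250, 240
CR, LF, BS, DEL = 13, 10, 8, 127


def strip_telnet(data):
    """Remove telnet protocol commands (RFC 854), keep user data."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                  # truncated command
        elif data[i + 1] == IAC:
            out.append(IAC)                        # escaped 0xff data byte
            i += 2
        elif data[i + 1] == SB:                    # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:            # WILL/WONT/DO/DONT <option>
            i += 3
        else:                                      # other two-byte command
            i += 2
    return bytes(out)


def extract_credentials(segments):
    """segments: (direction, payload) pairs in capture order, direction being
    'c2s' (client to server) or 's2c'. Returns the (login, password) pairs."""
    found, state = [], None
    user, pwd = bytearray(), bytearray()
    for direction, payload in segments:
        text = strip_telnet(payload)
        if direction == "s2c":
            prompt = text.rstrip().lower()
            if prompt.endswith(b"login:"):
                state, user, pwd = "user", bytearray(), bytearray()
            elif prompt.endswith(b"password:"):
                state = "pass"
            continue
        if state is None:
            continue
        buf = user if state == "user" else pwd
        for b in text:
            if b in (CR, LF):                       # end of the typed line
                if state == "pass":
                    found.append((user.decode(errors="replace"),
                                  pwd.decode(errors="replace")))
                state = None
                break
            if b in (BS, DEL):                      # user corrected a typo
                if buf:
                    buf.pop()
            else:
                buf.append(b)
    return found


def _typed(text, echoed):
    """Character-at-a-time keystrokes; the server echoes them unless suppressed."""
    segs = []
    for ch in text:
        segs.append(("c2s", ch.encode("latin-1")))
        if echoed and ch != "\x7f":
            segs.append(("s2c", ch.encode("latin-1")))
    segs.append(("c2s", b"\r\n"))
    return segs


# Constructed capture of one automatic login by the drone.
SESSION = (
    [("s2c", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),   # DO TTYPE, NAWS, ...
     ("c2s", b"\xff\xfc\x18\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27"),   # WONT ...
     ("s2c", b"\xff\xfb\x01\xff\xfb\x03"),                           # WILL ECHO, WILL SGA
     ("c2s", b"\xff\xfd\x01\xff\xfd\x03"),                           # DO ECHO, DO SGA
     ("s2c", b"Debian GNU/Linux 4.0\r\ndmz-server login: ")]
    + _typed("admim\x7fn", echoed=True)                              # typo, backspace, fix
    + [("s2c", b"\r\nPassword: ")]
    + _typed("Tr0ub4dor", echoed=False)                              # password is not echoed
    + [("s2c", b"\r\nLast login: Mon Mar 31 09:41:17 2008\r\ndmz-server:~$ ")]
)


def demo():
    return extract_credentials(SESSION)


if __name__ == "__main__":
    print(demo())
```

Stripping the IAC sequences first matters: the option negotiation bytes are interleaved with the prompts, and a naive string search for "Password:" in the raw stream misses prompts split across segments or preceded by commands.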
5.2.3 SSL-Cracking [aoe]
In-game name of scenario Bugging operations
Learning target The user should learn about the dangers of man-in-the-middle attacks and how difficult it is to recognise them, even within a supposedly secure SSL request. To achieve this he has to learn how to set up a man-in-the-middle attack against an SSL connection. Within this large topic the user also has to get to know how SSL and SSL certificates work, how network packets are forwarded, how DNS works and how it can be used together with web proxies to emulate a website.
Problem and task SSL communication with a web server is encrypted and under normal conditions cannot be read by a third party. It is therefore used mainly for security-relevant requests such as online banking or payment.
To sniff the traffic to an SSL server as a third party, the user first has to reroute the whole traffic of the targeted PC over his own computer using an ARP spoofing attack. Now all traffic passes through his machine, but the SSL traffic is still unreadable because of its encryption. To change this the user has to make the attacked computer believe that the targeted SSL server is the user's computer, using DNS spoofing to map the web address to his own local IP address. Now all requests for the targeted SSL server end up at the user's computer. Because the content of the SSL web server is not on the player's computer, it would only be an empty website, so the user has to load the content from the real SSL server into his faked web server using a web proxy. The attacked PC now sees the website as before, but is accessing it through the user's computer. Now a new SSL certificate can be created and presented to the attacked computer; with this new certificate the traffic can be decrypted and read. Note that the browser on the attacked computer will warn about the forged certificate unless it is signed by an authority the browser trusts; the attack only succeeds if that warning is ignored.
Order from boss An employee communicates with a suspicious SSL webserver. The boss assumes espionage by the employee. Because of this, the user has to decrypt the traffic of the employee and report it to the boss.
Wiki The user will be supported by articles in the wiki concerning ARP-Spoofing, Man-in-the- middle Attacks and SSL.
Precondition Skills
The user needs the skills: DNS, DNS server manipulation, mitm, ARP, spoofing, SSL, sniffing, proxies
Precondition Scenarios
The user should have completed the Hijacking Scenario as well as the DNS-Spoofing scenarios.
Precondition Environment
The Scenario can only be played by one person at time.
Implementation framework
The setup scripts of this scenario start an SSL web server in the Game Internet, start a task on the attacked computer which requests the web server every 20 seconds, and install all needed tools on the player's PC.
The validation script checks whether the traffic of the attacked computer has been read.
The cleanup scripts shut down the SSL web server and the task on the attacked computer. They also remove all special tools for this scenario from the player's PC.
5.3 Password Hacking [ts]
5.3.1 John the Ripper
In-Game name of scenario Security Gap
Learning target
• selection of safe passwords
• difference between dictionary and brute force attack
Problem and task The player has to check the company's password hashes for weak passwords.
Order from boss
In-Game assistance None
Wiki
See E.3.1.
Precondition Skills
• basic Linux knowledge
• vi
• /etc/shadow
• Secure passwords
• MD5
Precondition Scenarios
Vi
Precondition Environment access to /etc/shadow and /etc/passwd
Implementation framework
See E.3.1.
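The two learning targets of this scenario (why passwords must be chosen well, and how a dictionary attack differs from brute force), as an added Python example; it is not the scenario's scripts and not John the Ripper. To stay self-contained the hash is a salted SHA-256 in a "$toy$salt$hex" layout, a deliberate simplification of the "$1$salt$hash" MD5-crypt entries the scenario actually targets in /etc/shadow; the accounts, salts and word list are constructed.

```python
"""Dictionary attack versus brute force against salted password hashes."""
import hashlib
import itertools
import string


def toy_hash(password, salt):
    """$toy$<salt>$<hex>: salted, so equal passwords give different hashes and
    a candidate has to be hashed once per account instead of once overall."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def parse_shadow(text):
    """user -> (salt, full hash) for the hashed accounts in a shadow file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, hashed = line.split(":")[:2]
        if hashed.startswith("$toy$"):          # skip '*', '!' and other locked accounts
            _, _, salt, _ = hashed.split("$")
            entries[user] = (salt, hashed)
    return entries


def dictionary_attack(entries, wordlist):
    """Try each word, plus simple John-style mangling, against every account."""
    cracked, attempts = {}, 0
    for word in wordlist:
        for cand in {word, word.capitalize(), word + "1", word + "123"}:
            for user, (salt, hashed) in entries.items():
                if user in cracked:
                    continue
                attempts += 1
                if toy_hash(cand, salt) == hashed:
                    cracked[user] = cand
    return cracked, attempts


def brute_force(entries, alphabet, max_len):
    """Exhaust every string up to max_len: complete, but exponential in length."""
    cracked, attempts = {}, 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            cand = "".join(tup)
            for user, (salt, hashed) in entries.items():
                if user in cracked:
                    continue
                attempts += 1
                if toy_hash(cand, salt) == hashed:
                    cracked[user] = cand
            if len(cracked) == len(entries):
                return cracked, attempts
    return cracked, attempts


# Constructed shadow file: a dictionary word, a short random string, a long one.
SHADOW = "\n".join([
    f"alice:{toy_hash('password1', 'k3Fz')}:13969:0:99999:7:::",
    f"bob:{toy_hash('qz7', 'Qa9L')}:13969:0:99999:7:::",
    f"carol:{toy_hash('T9#kLm2$vQ!', 'xY01')}:13969:0:99999:7:::",
    "daemon:*:13969:0:99999:7:::",
])
WORDLIST = ["letmein", "password", "secret", "shine", "qwerty", "welcome"]


def demo():
    entries = parse_shadow(SHADOW)
    by_dict, dict_tries = dictionary_attack(entries, WORDLIST)
    remaining = {u: v for u, v in entries.items() if u not in by_dict}
    by_brute, brute_tries = brute_force(remaining, string.ascii_lowercase + string.digits, 3)
    uncracked = sorted(set(remaining) - set(by_brute))
    return by_dict, dict_tries, by_brute, brute_tries, uncracked


if __name__ == "__main__":
    print(demo())
```

The attempt counters are the point: a handful of dictionary words with mangling catch "password1" in a few dozen hashes, the brute-force pass needs tens of thousands to recover a three-character password, and a long mixed-character password stays out of reach of both within the budget.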
5.3.2 Cron John
In-Game name of scenario
A matter of routine
Learning target automation of recurring tasks with cron/crontab
Problem and task the player has to set a weekly recurring attack on the password hashes by using john and cron
Order from boss
In-Game assistance
Wiki
See E.3.2.
Precondition Skills
• basic Linux knowledge
• vi
• /etc/shadow
• MD5
• Secure passwords
• John the Ripper
Precondition Scenarios
• VI
• John the Ripper
Precondition Environment access to /etc/shadow and /etc/passwd
Implementation framework
See E.3.2.
5.3.3 Hydra
In-Game name of scenario
Your secrets are our secrets
Learning target
Using Hydra for a dictionary attack
Problem and task
The player has to find out the password of a login for an FTP-Server
Order from boss
In-Game assistance
Wiki
See E.3.3.
Precondition Skills
• basic Linux knowledge
• vi
• /etc/shadow
• Secure passwords
• MD5
Precondition Scenarios
Vi
Precondition Environment
A configured FTP server
Implementation framework
See E.3.3.
5.4 Honeyd [pm]
5.4.1 honeypot detection
In-Game name of scenario
Spooky spook
Learning target In this scenario the player learns what honeypots are and how low-interaction honeypots can be detected. The second learning target is the use of hping, which the player uses as his main tool.
Problem and task On one of the computers in the network topology, for example PC2, the program Honeyd is installed. It allows setting up and running multiple virtual hosts on a computer network. The player has to scan the network and find out which hosts are virtual. Then he has to enter the IPs of these hosts as the answer string in the game engine.
Order from boss The boss tells the player that his brother works in a competitor's company as network administrator and secures his network with honeypots. The player has to help detect the honeypots. He is not on his own, because the brother knows how he works.
In-Game assistance Boss Secret solution: Sending an ICMP packet that contains a word such as "Security" to a honeypot results in no packet loss, and Ethereal/Wireshark shows that the response packet contains the same data we have sent [1]:
# hping2 -1 -d 5 -E testpacket.txt -c 1 10.0.0.20
HPING 10.0.0.20 (eth0 10.0.0.20): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=46 ip=10.0.0.20 ttl=64 id=3471 icmp_seq=0 rtt=1.2 ms

--- 10.0.0.20 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.2/1.2 ms
But if we now send a packet that contains shellcode, we get no response, or a packet with different content:
# hping2 -1 -d 45 -E shellcode.txt -c 1 10.0.0.20
HPING 10.0.0.20 (eth0 10.0.0.20): icmp mode set, 28 headers + 45 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!

--- 10.0.0.20 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Wiki
• hping E.4
Precondition Skills
• nmap
• sudo
Precondition Scenarios
• linux basics
• nmap
• vi
Precondition Environment
• DMZ HONEYD host with installed honeyd and farpd applications, which emulate a small network topology
• host with installed hping application
• installed sudo command
Implementation framework This scenario is single player; only one player can play it at a time. The honeyd server used for the scenario in the current topology is PC02 DMZ HONEYD. During the scenario the player cannot play on DMZ HONEYD; he must play on another host (for example PC01 DMZ-SSERVER). The following CAKE variables are needed for the scenario:
• GROUP - can be any alphanumeric string that is valid as an unix group name
• USERNAME - can be any alphanumeric string that is valid as an unix user name
• PASSWORD - a valid unix user password
To set up the scenario, run setup env honeyd server on the honeyd host and then setup usr and setup env on the player host. After the player enters the right string into the game engine the scenario is finished. To clean up the user and honeyd environment run cleanup usr, cleanup env usr and cleanup env honeyd server.
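The packet-level view of the two hping2 tests in the secret solution, as an added Python example that is not part of the scenario's scripts: it builds an ICMP echo request with a correct checksum and judges a reply the way the solution does, a real stack echoing the payload byte for byte, a low-interaction honeypot answering with different content or not at all. Nothing is sent; the replies are constructed, and the 5-byte and 45-byte payloads stand in for the unknown contents of testpacket.txt and shellcode.txt.

```python
"""ICMP echo request/reply construction and the honeypot judgement behind `hping2 -1`."""
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """ICMP header (type, code 0, checksum, id, seq) followed by the data bytes."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + payload), ident, seq) + payload


def parse_icmp(packet):
    """Split an ICMP message; raises ValueError on a short message or bad checksum."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    if checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def make_echo_reply(request, payload=None):
    """What a real host sends back: same id/seq and the request's payload."""
    req = parse_icmp(request)
    data = req["payload"] if payload is None else payload
    return build_echo(ECHO_REPLY, req["id"], req["seq"], data)


def judge_reply(request, reply):
    """'ok' | 'no_reply' | 'mismatch' | 'altered'. A missing reply can also mean
    a firewall dropped the probe, so it is a hint, not proof of a honeypot."""
    req = parse_icmp(request)
    if reply is None:
        return "no_reply"
    rep = parse_icmp(reply)
    if rep["type"] != ECHO_REPLY or (rep["id"], rep["seq"]) != (req["id"], req["seq"]):
        return "mismatch"
    if rep["payload"] != req["payload"]:
        return "altered"
    return "ok"


def demo():
    # 5 data bytes as in `hping2 -1 -d 5`, then a 45-byte binary payload as in `-d 45`.
    small = build_echo(ECHO_REQUEST, 0x1234, 0, b"Secur")
    large = build_echo(ECHO_REQUEST, 0x1234, 1, bytes(range(0x90, 0x90 + 45)))
    return {
        "real_host": judge_reply(small, make_echo_reply(small)),
        "honeyd_drops": judge_reply(large, None),
        "honeyd_alters": judge_reply(large, make_echo_reply(large, payload=b"")),
    }


if __name__ == "__main__":
    print(demo())
```

To send these probes for real, the request bytes go into a raw socket (socket.SOCK_RAW with IPPROTO_ICMP, root required) and the reply's ICMP part is the received datagram minus its 20-byte IP header; the judgement stays the same.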
5.5 Monitoring Tools [cg]
5.5.1 Cacti
In-Game name of scenario
Sneaking suspicion
Learning target
• Get to know Cacti
• Understanding of graphical display of traffic data
Problem and task
An employee copies a large amount of data via the net. These are internal company data which he is going to misappropriate. The player has to find out the hostname of the computer which causes the traffic so that the corresponding employee can be found out.
Order from boss
The boss has got an anonymous tip saying that one of his employees will try to smuggle internal company data out via the net. Because he does not want to give himself away by saying anything, and because he has no evidence, he asks you to pay especially close attention to exceedingly high data traffic on the net.
Story after successful completion of the scenario: The boss has taken the person in question to task. In doing so he discovered that the employee concerned only wanted to send the latest, very large product catalogue to a customer.
In-Game assistance
None
Wiki
• Cacti E.5.1
• RRDtool E.5.1
• SNMP E.5.1
Precondition Skills
• Basic linux knowledge
• Basics of network/topology
• Router configuration
• ACLs
Precondition Scenarios
• Linux basics
• Knowlegde of Topology
• Router configuration
• Router ACLs
Precondition Environment
• Routers, switches and host PCs with an installed and configured SNMP agent
• Properly configured routers and switches enabling SNMP-queries by the cacti server
• A cacti server which collects and monitors the data
Implementation framework At first it was planned to implement a scenario that would compare normal daily traffic with unusually high traffic. This was not possible because the Round Robin Databases could not be filled with previously recorded traffic data [2]. So it was decided to implement the current solution, which has the advantage of showing the traffic data at runtime.
Because Cacti is installed on Ramses in the topology, the player should always play this scenario on PC4. Therefore an nxclient connection must be established before the scenario can be started and the player can access Cacti via the web browser.
The Cacti scenario is a single player scenario with a drone, but it can be played alongside other scenarios at the same time (which may make it a little harder to spot the traffic created by the shell script). The drone user could be set up on any PC in the topology, but for the story it makes more sense if the traffic is sent from a host PC in a VLAN to a PC in the DMZ. For testing, the scripts were executed on Pluto and DMZ Server.
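The arithmetic behind the Cacti traffic graphs the player reads in this scenario, as an added Python example (not the scenario's scripts, not Cacti or RRDtool code). Cacti polls the SNMP interface octet counters every five minutes and RRDtool turns counter deltas into rates; the example does the same over constructed polls for four hosts, including the edge case RRDtool's COUNTER data source has to handle, a 32-bit counter wrapping past 2^32, and flags the host that pushes an unusual amount of data. Host names, counter values and the outlier factor are constructed.

```python
"""Turn SNMP octet counters into bit rates and find the host moving unusual volumes."""
from statistics import median

COUNTER32 = 2 ** 32
POLL_INTERVAL = 300  # seconds, Cacti's default polling interval

# Constructed polls: host -> [(timestamp, ifInOctets, ifOutOctets), ...]
POLLS = {
    "pc4":       [(0, 10_000_000, 5_000_000), (300, 11_000_000, 5_500_000),
                  (600, 12_000_000, 6_000_000), (900, 13_000_000, 6_500_000)],
    "ramses":    [(0, 40_000_000, 9_000_000), (300, 42_000_000, 9_800_000),
                  (600, 44_000_000, 10_600_000), (900, 46_000_000, 11_400_000)],
    # outbound counter just below 2^32: the second sample has wrapped around
    "cleopatra": [(0, 3_000_000, 4_294_000_000), (300, 3_500_000, 32_704),
                  (600, 4_000_000, 1_032_704), (900, 4_500_000, 2_032_704)],
    # the employee's machine pushing data towards the DMZ
    "pluto":     [(0, 7_000_000, 1_000_000), (300, 7_200_000, 601_000_000),
                  (600, 7_400_000, 1_201_000_000), (900, 7_600_000, 1_801_000_000)],
}


def counter_delta(prev, cur, width=COUNTER32):
    """Difference of two counter samples, correcting a single wrap-around."""
    delta = cur - prev
    return delta + width if delta < 0 else delta


def rate_bps(prev, cur, seconds, width=COUNTER32):
    """Octet counter delta converted to bits per second."""
    return counter_delta(prev, cur, width) * 8 / seconds


def compute_rates(polls):
    """host -> [(timestamp, in_bps, out_bps)] for every polling interval."""
    rates = {}
    for host, samples in polls.items():
        samples = sorted(samples)
        rates[host] = [
            (t1, rate_bps(i0, i1, t1 - t0), rate_bps(o0, o1, t1 - t0))
            for (t0, i0, o0), (t1, i1, o1) in zip(samples, samples[1:])
        ]
    return rates


def find_outliers(rates, factor=5.0):
    """Hosts whose peak outbound rate exceeds factor x the median peak of all hosts."""
    peaks = {host: max(out for _t, _in, out in r) for host, r in rates.items() if r}
    baseline = median(peaks.values())
    return sorted(h for h, p in peaks.items() if p > factor * baseline)


def demo():
    rates = compute_rates(POLLS)
    return rates, find_outliers(rates)


if __name__ == "__main__":
    rates, outliers = demo()
    for host, r in rates.items():
        print(host, [f"{out / 1e6:.2f} Mbit/s out" for _t, _in, out in r])
    print("unusual outbound volume:", outliers)
```

Comparing against the median rather than the mean keeps one heavy talker from dragging the baseline up; on a busy interface Cacti's 64-bit ifHCOutOctets counters avoid the wrap entirely and are the better choice where the SNMP agent offers them.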
5.6 IDS scenarios [jl]
5.6.1 Run snort
First steps to get to know and learn to use the Intrusion Detection System snort
In-Game name of scenario
The restart helper
Learning target
The player learns how to run a pre-configured snort on the correct network interface with a valid configuration file.
Problem and task
On the computer which scans the whole network traffic, snort is down on one of the interfaces. The player is supposed to log into this machine and find out which interface is not scanned anymore. Then he has to restart snort on this interface using the correct configuration file.
Order from boss
The boss tells the player that some traffic in the company network does not seem to be scanned anymore. The person who normally maintains the snort machine is busy at the moment, so the player should determine why this is the case and fix the problem. The player is given the login data for this machine.
In-Game assistance
none
Wiki
The wiki article needed for this scenario can be found on page 162 in section E.6.1
Precondition Skills
• sudo
Precondition Scenarios
• linux basics
Precondition Environment
• machine with several network interface cards
• application snort with correctly setup configuration
• installed sudo command
Implementation framework This scenario is single player with a dedicated machine, so only one player can play it at a time and the machine it is played on is locked until the scenario is finished. The client used for the scenario in the current topology is PC16 CLEOPATRA. The following CAKE variables are needed for the scenario:
• H GROUPNAME - any alphanumeric string that is valid as a Unix group name
• H USERNAME - any alphanumeric string that is valid as a Unix user name
• H PASSWORD - a valid Unix user password in hashed form, as in /etc/shadow
• H INTERFACE - one of the interfaces snort is scanning on; currently either eth2 or eth3
To set up the scenario run the environment and then the player setup scripts. After the player marks the scenario as finished, the evaluation script is run. If the script returns 0 the player has accomplished the scenario; a return code greater than 0 means the player did not complete his task correctly. To clean up, run the environment and then the player cleanup scripts.
5.6.2 Create snort rule
Create own rules for the Intrusion Detection System snort
In-Game name of scenario Rule for tool
Learning target The player should be able to create his own scanning rules for snort and add them to the configuration.
Problem and task The network traffic scanner snort isn’t set up sufficiently, so that some attacks aren’t detected. The player is supposed to solve this issue by creating a new rule. To do so he has to log on to the snort machine, create a new file containing the fitting rule and include this rule in the configuration. After the rule has been created correctly the player has to restart all running snort instances.
Order from boss A new threat was detected and the company has to be protected against it as soon as possible. The boss instructs the player to bring the IDS up to date and gives him information about the protocol, scanned target port, scanned target IP and possible source IP.
In-Game assistance none
Wiki The wiki article needed for this scenario can be found on page 165 in section E.6.2
Precondition Skills
• sudo
• vi or similar editor
Precondition Scenarios
• linux basics
• run snort
Precondition Environment
• machine with several network interface cards
• application snort with correctly setup configuration
• installed sudo command
Implementation framework This scenario is single player with a dedicated machine, so only one player can play it at once and the machine it is played on is locked until the scenario is finished. The client used for the scenario in the current topology is PC16 CLEOPATRA. The following CAKE variables are needed for the scenario:
• H_GROUPNAME - any alphanumeric string that is valid as a Unix group name
• H_USERNAME - any alphanumeric string that is valid as a Unix user name
• H_PASSWORD - a valid Unix user password in hashed form, as stored in /etc/shadow
• H_PROTOCOL - the protocol of the scan (can be any)
• H_TARGET_PORT - the port that is scanned
• H_TARGET_IP - the scanned IP (can be any)
• H_SOURCE_IP - the scanning IP (can be any)
The scenario is set up by running the environment and then the player setup scripts. After the player declares the scenario finished, the evaluation script is run. Only if it returns ’0’ has the player succeeded; otherwise he has to continue with the scenario. When he has finished successfully, the environment and player cleanup scripts are run.
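As an added example (not one of the scenario's own scripts), the script below derives the rule the player is expected to write from the CAKE variables listed above and checks a rules file and snort.conf the way an evaluation script for this scenario could. The default values for the variables, the rules file name local.rules and the snort.conf lines are constructed; in the game the values come from the engine.

```shell
#!/bin/sh
# Added example, not one of the scenario's own scripts. Derives the rule the player is
# expected to write from the CAKE variables of this scenario and checks a rules file and
# snort.conf the way an evaluation script could (0 = solved, 1 = not yet solved).
# The default values are constructed; in the game they come from the engine.
H_PROTOCOL="${H_PROTOCOL:-tcp}"
H_TARGET_PORT="${H_TARGET_PORT:-22}"
H_TARGET_IP="${H_TARGET_IP:-10.10.1.5}"
H_SOURCE_IP="${H_SOURCE_IP:-10.10.9.200}"

# snort has no protocol keyword "any"; rules matching every protocol use "ip"
snort_proto() {
    case "$1" in any|'') echo ip ;; *) echo "$1" ;; esac
}

# regex_escape STRING: dots in addresses and file names must match literally
regex_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# expected_rule: one valid solution (local rules use sids from 1000000 upwards)
expected_rule() {
    printf 'alert %s %s any -> %s %s (msg:"SHiNE: scan from %s"; sid:1000001; rev:1;)\n' \
        "$(snort_proto "$H_PROTOCOL")" "$H_SOURCE_IP" "$H_TARGET_IP" "$H_TARGET_PORT" "$H_SOURCE_IP"
}

# rule_present RULEFILE: 0 if RULEFILE holds an alert rule whose header (protocol,
# source, direction, target, port) fits the task; msg and sid are left to the player
rule_present() {
    proto=$(snort_proto "$H_PROTOCOL")
    src=$(regex_escape "$H_SOURCE_IP")
    dst=$(regex_escape "$H_TARGET_IP")
    grep -Eq "^[[:space:]]*alert[[:space:]]+$proto[[:space:]]+$src[[:space:]]+any[[:space:]]+->[[:space:]]+$dst[[:space:]]+$H_TARGET_PORT[[:space:]]*\(" "$1"
}

# rule_included SNORTCONF RULEFILE: 0 if an uncommented "include" line in SNORTCONF
# names RULEFILE, by full path or as $RULE_PATH/<name>
rule_included() {
    base=$(regex_escape "$(basename "$2")")
    grep -Eq "^[[:space:]]*include[[:space:]]+[^[:space:]]*$base[[:space:]]*\$" "$1"
}

# evaluate SNORTCONF RULEFILE: the decision of the evaluation script
evaluate() {
    if ! rule_present "$2"; then
        echo "no rule for $H_SOURCE_IP -> $H_TARGET_IP:$H_TARGET_PORT in $2"; return 1
    fi
    if ! rule_included "$1" "$2"; then
        echo "$2 is not included from $1"; return 1
    fi
    echo "rule present and included; remember to restart every running snort"
    return 0
}

# demo: build a constructed snort.conf plus rules file in a temporary directory and judge it
demo() {
    tmp=$(mktemp -d)
    printf 'var RULE_PATH %s\ninclude $RULE_PATH/local.rules\n' "$tmp" > "$tmp/snort.conf"
    expected_rule > "$tmp/local.rules"
    if evaluate "$tmp/snort.conf" "$tmp/local.rules"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

expected_rule
demo
```

The check deliberately looks only at the rule header: the player may choose any message and sid, but a rule with the wrong port, protocol or addresses would not detect the announced scan and must not count as solved. Whether the running snort instances were restarted afterwards has to be checked against the process table, as in the example for the previous scenario.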
5.7 DNS [mt]
5.7.1 DNS Basics
In-Game name of scenario The new mailserver
Learning target
• comprehension of the DNS tree and stored records like A-Records, NS-Records, MX-Records, PTR-Records.
• comprehension of the mapping between IP addresses and names
Problem and task
The player has to find out some records of a domain. To complete this task he has to fill out a given document which includes a record list.
Order from boss
Please check the given list in your home directory and fill it out.
In-Game assistance linux manual for the programs dig/nslookup
Wiki
• DNS E.7.1
Precondition Skills
• linux basics
• DNS
Precondition Scenarios
• linux basics
Precondition Environment a nameserver which stores the asked records
Implementation framework First of all the user is set up at the target machine. He is given an automatically generated list which includes his task and the records he has to search. After searching the records the user has to fill out the document. To assist him a background script is implemented, which shows hints about which records aren’t correct after the document file has been written.
5.7.2 DNS Server manipulation
In-Game name of scenario Payback!
Learning target
• How to use the nameserver bind.
• How to store records at the nameserver.
• How to build a dns zone.
Problem and task The user has to extend a dns zone. This task is split into 3 parts:
level 1 : insert a mailserver and a wwwserver
level 2 : insert the reverse zone for a given subnet
level 3 : insert a new zone for a subnet
Order from boss Please extend our DNS Server with some records.
In-Game assistance linux manual for bind
Wiki
• DNS E.7.1
• Bind E.7.2
Precondition Skills
• linux basics
• domain basics
• dns basics
Precondition Scenarios
• linux basics
• dns basics
• domain
Precondition Environment package support for bind9
Implementation framework
In the environment script the dns server of hs-bremen.game is cloned and started at the target machine. This machine could be any machine in the environment, because the server the user has to change is completely separated from the infrastructure (so the user doesn’t influence other players; he just blocks his own machine if he does something wrong).
After preparing the environment the user is set up at the target machine and gets a document in his home folder with the task he has to implement (1, 2 or all of the 3 tasks, depending on the chosen difficulty). To do his task he has the rights to interact with the nameserver bind in any way. He is given full admin level for this service by granting sudo rights for all needed files.
After finishing, the evaluation script queries the local DNS server and the records are verified.
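As an added example (not the scenario's environment or evaluation script), this shell script produces the zone data the three levels ask for: a forward zone with mail and www hosts plus the MX record (level 1), the matching reverse zone (level 2) and, by rerunning it with another ZONE and NET, a new zone for a further subnet (level 3). hs-bremen.game is the domain the page names; the addresses, host names and file locations are constructed. named-checkzone from the bind9 tools is used for validation only when it is installed, and verify_record shows the query the evaluation script's check against the local server amounts to.

```shell
#!/bin/sh
# Added example, not the scenario's own scripts. Builds the zone files a player is asked
# for in levels 1 to 3 of the "Payback!" scenario and the matching named.conf stanzas.
# ZONE is the domain named on the page; NET and the host numbers are constructed.
ZONE="${ZONE:-hs-bremen.game}"
NET="${NET:-10.10.1}"                  # first three octets of the subnet (a /24 is assumed)
NS_HOST=1; MAIL_HOST=2; WWW_HOST=3     # host parts of ns, mail and www (constructed)

# serial: date-based SOA serial, so every regeneration is newer than the last
serial() { date +%Y%m%d01; }

# soa_header: the SOA and NS records every zone (forward and reverse) needs
soa_header() {
    cat <<EOF
\$TTL 3600
@   IN SOA ns.$ZONE. hostmaster.$ZONE. ( $(serial) 3600 900 604800 300 )
@   IN NS  ns.$ZONE.
EOF
}

# forward_zone: level 1, the zone with ns, mail and www hosts and the MX record
forward_zone() {
    soa_header
    printf 'ns   IN A  %s.%s\n' "$NET" "$NS_HOST"
    printf 'mail IN A  %s.%s\n' "$NET" "$MAIL_HOST"
    printf 'www  IN A  %s.%s\n' "$NET" "$WWW_HOST"
    printf '@    IN MX 10 mail.%s.\n' "$ZONE"
}

# reverse_origin NET: 10.10.1 -> 1.10.10.in-addr.arpa (octets reversed)
reverse_origin() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# reverse_zone: level 2, one PTR record per host of the forward zone
reverse_zone() {
    soa_header
    for pair in "$NS_HOST ns" "$MAIL_HOST mail" "$WWW_HOST www"; do
        set -- $pair
        printf '%s IN PTR %s.%s.\n' "$1" "$2" "$ZONE"
    done
}

# named_stanza ORIGIN FILE: the zone statement to add to named.conf.local
named_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# check_zone ORIGIN FILE: validate with named-checkzone (bind9 tools) when installed,
# otherwise only make sure the mandatory SOA record is there
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$1" "$2"
    else
        grep -q ' IN SOA ' "$2"
    fi
}

# build DIR: write both zone files and the stanzas into DIR; 0 if both zones validate.
# Level 3 (a new zone for another subnet) is the same run with ZONE and NET changed.
build() {
    rev=$(reverse_origin "$NET")
    forward_zone > "$1/db.$ZONE"
    reverse_zone > "$1/db.$rev"
    { named_stanza "$ZONE" "$1/db.$ZONE"; named_stanza "$rev" "$1/db.$rev"; } > "$1/named.conf.local"
    check_zone "$ZONE" "$1/db.$ZONE" && check_zone "$rev" "$1/db.$rev"
}

# verify_record TYPE NAME EXPECTED: what the evaluation script asks the local server
# once named has loaded the zones (needs a running server, so not exercised offline)
verify_record() {
    got=$(dig +short @127.0.0.1 "$1" "$2" | sed 's/^[0-9]* //')   # drop the MX preference
    [ "$got" = "$3" ]
}

# Stand-alone run: print the level 1 zone and build everything in a temporary directory
forward_zone
out=$(mktemp -d) && build "$out" && ls "$out" && rm -rf "$out"
```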
5.7.3 DNS-Spoofing
In-Game name of scenario The recruiter
Learning target
• Become more familiar with the DNS System.
• Get the context of the functionality of DNS delegation.
Problem and task The player has to manipulate the DNS server for the whole gamenet, with a given zone record.
Order from boss
In-Game assistance linux manual for bind
Wiki
• DNS E.7.1
• Bind E.7.2
• DNS Spoofing E.7.3
Precondition Skills
• linux basics
• domain basics
• dns basics
• dns server
Precondition Scenarios
• linux basics
• domain basics
• dns basics
• dns server
Precondition Environment package support for bind9
Implementation framework In the environment script the dns server of hs-bremen.game is cloned and started at the target machine. This machine could be any machine in the environment, because the server the user has to change is completely separated from the infrastructure (so the user doesn’t influence other players; he just blocks his own machine if he does something wrong). The user will be set up at the local machine and the user’s task is given in a document in the user’s home directory. The user has to set up the new zone at the DNS server. After finishing, the evaluation script queries the local DNS server and the records are verified.
5.7.4 Domain
In-Game name of scenario New provider wanted
Learning target
• What is a domain ?
• Which records are stored by a registrar ?
• How can you see this records ?
Problem and task
The player has to find out some specific records for a domain and has to complete a given record list in his home folder.
Order from boss
In-Game assistance linux manual for the program whois given hints in the console
Wiki
• Domain E.7.4
Precondition Skills
• linux basics
Precondition Scenarios
Precondition Environment
Internet connection, because whois queries only make sense with a registrar.
Implementation framework
The implementation is divided into 3 parts: first the user is set up at the target machine, then the script automatically generates a list of records which the user has to complete, depending on the top level domain given by the game engine.
The third part is setting up a background script, which gives hints if the user isn’t working as expected. (It shows the hint which file the user has to read to get instructions; later it informs the user if his task is done right, and if not, where he made a mistake.)
The game engine hands out the user, the password and the given domain; the script generates the specific tasks by itself.
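As an added example (not the background script of either scenario), the checker below does what the hint scripts of 5.7.1 (the DNS record list) and 5.7.4 (the registrar record list) are described to do: it compares the list the player filled in with an answer key and prints a hint for every missing or wrong entry, returning the number of open items. The list format (one ”question = answer” line per record), the domain and the answers are constructed; dig_answer only shows how the player would look a DNS value up and needs a reachable nameserver.

```shell
#!/bin/sh
# Added example, not the scenarios' own background script. Compares a player's filled
# record list with an answer key and prints hints. Format of both files (constructed):
# one "question = answer" line per record. Return value: number of wrong or missing
# answers, so 0 means the document is complete and correct.

# Constructed answer key for the DNS record list of scenario 5.7.1.
ANSWER_KEY='mail exchanger of hs-bremen.game = mail.hs-bremen.game
nameserver of hs-bremen.game = ns.hs-bremen.game
address of www.hs-bremen.game = 10.10.1.3
name of 10.10.1.2 = mail.hs-bremen.game'

# dig_answer TYPE NAME: how the player looks a record up (+short prints only the data;
# PTR lookups take the address with -x). Needs a nameserver, not used offline.
dig_answer() {
    case "$1" in
        PTR) dig +short -x "$2" ;;
        *)   dig +short "$1" "$2" ;;
    esac
}

# normalize: make player input comparable: no blanks around "=", no trailing blanks,
# no MX preference ("10 mail...") and no trailing dot, everything lower-case
normalize() {
    sed -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*$//' \
        -e 's/=[0-9]* /=/' \
        -e 's/\.$//' | tr 'A-Z' 'a-z'
}

# check_sheet SHEET KEYFILE: one hint per open item; returns the number of open items
check_sheet() {
    sheet=$(normalize < "$1")
    key=$(normalize < "$2")
    wrong=0
    while IFS= read -r k; do
        [ -n "$k" ] || continue
        q=${k%%=*}
        want=${k#*=}
        got=$(printf '%s\n' "$sheet" | grep -F "$q=" | head -n 1)
        got=${got#*=}
        if [ -z "$got" ]; then
            echo "hint: '$q' is still unanswered"
            wrong=$((wrong + 1))
        elif [ "$got" != "$want" ]; then
            echo "hint: '$q' is wrong, check the record type you queried"
            wrong=$((wrong + 1))
        fi
    done <<EOF
$key
EOF
    return $wrong
}

# demo: a constructed, partly wrong sheet against the key (prints two hints, returns 2)
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$ANSWER_KEY" > "$tmp/key"
    printf '%s\n' \
        'mail exchanger of hs-bremen.game = 10 MAIL.hs-bremen.game.' \
        'nameserver of hs-bremen.game = ns.hs-bremen.game' \
        'address of www.hs-bremen.game = 10.10.1.4' \
        'name of 10.10.1.2 =' > "$tmp/sheet"
    check_sheet "$tmp/sheet" "$tmp/key"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "open items: $?"
```

The normalisation is what makes the hint script usable by beginners: a player who copies dig's output verbatim (upper-case names, the MX preference, the trailing dot of a fully qualified name) still gets credit, while a genuinely wrong record is reported with the question it belongs to.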
5.8 Learning scenarios [ts]
5.8.1 LDAP
In-Game name of scenario Learnings, what else?
Learning target
• directory service
• username and password
• rights
Problem and task the player has to learn what LDAP is
Order from boss
In-Game assistance
Wiki
Precondition Skills
• basics of network and topology
• OSI
• TCP & UDP protocol internals
Precondition Scenarios
• topology
Precondition Environment none
Implementation framework
5.8.2 RADIUS
In-Game name of scenario More learnings
Learning target
RADIUS is a client-server protocol for authentication, authorization, accounting for dial-up to a network
Problem and task
the player has to learn what RADIUS is
Order from boss
In-Game assistance
Wiki
Precondition Skills
• basics of network and topology
• OSI
• TCP & UDP protocol internals
• LDAP
Precondition Scenarios
• topology
• LDAP
Precondition Environment none
Implementation framework
6 Overall System Conventions and Design [ar, dg, sd, tr]
6.1 Conventions
6.1.1 Overall Systemconcept [ar, sd, tr]
The overall goal of the SHiNE system is to immerse the user in a modern, user-friendly game, while educating the user in the topics of network security. To accomplish this immersion, we use a typical roleplaying/adventure perspective with a point and click interface to which most gamers are already accustomed. Adobe Flash was used to build the gameworld, wherein the user gathers information and tasks. For some of these tasks, the user has to use real tools in his desktop environment to complete them.
The PDA acts as a central device for all game-relevant information and bundles corresponding functionalities into compact views. The goal here was to avoid scattering of information and provide quick access to all relevant data from within the game without ”leaving” it. Therefore the PDA buttons in the game’s menu bar bring the corresponding PDA screen into view, while the game is still running in the background. The user can view the tasks he got (button ”tasks”) and find information on them in the wiki. Or he could view his current ranking and details (button ”players”) and his competitors’ details in the same screen.
Administrative tasks are accessible via a tab (if the user has admin privileges) and use the same frame as the game. The admin views share only the general look (colors, fonts) with the rest of the game, partly because the admin has no need for them and mostly because of the limited space the frame offers. Some tasks normal users can do are available in the pda views though, like editing wiki articles or the players data.
6.1.2 Overall Designconcept [ar, dg, sd, tr]
The general look is heavily influenced by recent web 2.0 styles with mirror effects and color gradients for buttons, tabs, logo and typography. Nice colorful buttons with a ”shine” effect when hovered complement this to a modern and user-friendly look. Some of the icons used are from the crystal project icon package (http://www.everaldo.com/crystal/).
Colors: Monochrome green and black as dominant colors plus their variants (gray, light green) are used to create the feeling of a ”hacker” environment. See the styleguide for specific color values.
Fonts: While the web 2.0 ”rules” say we should use relatively big font sizes, we had to compromise in the PDA views because of the limited space. So 12px for headlines and 10px for text will suffice. Verdana is the font used for all html.
Buttons:
Menu buttons: backgrounds passive state, hovered state
Dimensions: 39x39px
Font: 9px Myriad Pro, 25 character spacing, #a0a0a0
Figure 7: Menu buttons: passive state
Figure 8: Menu buttons: hovered state
Skillset icons:
Dimensions: 32x32px
Background: Gradient: #101010 bottom, #515151 top
Foreground icon: dropshadow 134 5px distance, 5px size
Figure 9: Skillset icons
Tooltips:
To save space and offer additional info, we use tooltips where possible. For example as a description text on the skill icons.
Usage:
A modified version of a javascript from dhtmlgoodies.com is used to display the tooltips, which must be included in the header of the html files.
In the html body we need a placeholder div for the tooltip, its layout is described in the css.
To add a tooltip to a link or button, use a mouseover action:
Figure 10: A tooltip
6.1.3 Namefinding [ar]
The original name ”NetS-X” - short for ”NetSecurity-eXperience” - wasn’t liked by everybody. Complicated spelling and strange results in google search led to the conclusion that we needed a better name for the project. Thus, we had a vote in the netzlabor wiki, which ended on 06.11.2007. Several candidates were proposed and everybody had the chance to give every name a value (– for the worst to ++ for the best).
The results with positive values were:
• SHiNE (Security and Hacking in Network Environments) +6
• Password: Backdoor +3
• SkyNet +3
• NetWars +2
The full results can be found at: https://www.netzlabor.hs-bremen.de/wiki/index.php/Namefinding
6.1.4 Styleguide [dg]
This section shows and explains the different logos and their respective use throughout the project, the layout of the webinterface and the other graphical elements, such as fonts and colors, which are described in detail further down.
Logos:
The first requirement of the logo, the CI of the project, was its recognizability. It had to resemble the style of gameplay and the name of the game, thus the first thing to do was to find an appropriate color-scheme for the whole game, which is described under the Color-Scheme section and something to illustrate the projects name. We decided to use a sunrise-like shine effect to accomplish this requirement and used a small reflection underneath the SHiNE writing to create the illusion of some kind of horizon to support the sunrise metaphor.
The next page shows some figures with a short description of the usage of the particular logos.
Figure 11: Single logo graphic used in posters and flyers.
Figure 12: Header logo graphic used for the webinterface as standard logo graphic.
Figure 13: Textual footer graphic used for the webinterface as footer logo graphic.
Figure 14: Different styles of the textual footer logo. To be used as letterhead.
Typography:
Our goal was to use the least amount of fonts possible to keep a straight and clean image throughout the design process. It was obligatory that the fonts used were easy to read, nice to look at and above all sans-serif. For this purpose we decided to use the following font-faces.
Figure 15: The Myriad Pro font.
Myriad Pro has been used for the logo as well as for all texts that are embedded in the graphics. It has been chosen, because it is a modern, serious and professional looking font, which is sans-serif and easy to read.
Figure 16: The Verdana font.
Verdana has been used for the login-box and throughout the Wiki. It is a widely used and very readable font, which is why it has been chosen for these purposes.
Color-scheme:
One of the most difficult tasks during the design process was to elaborate a simple but impressive and interesting color-scheme. Below the results are shown. It is obvious that the theme of the game is clear, due to the choice of colors. We decided to use strong and darker green and gray colors, mostly used in gradients. This is supposed to evoke the feeling of getting into the hacking / security / IT matter.
Figure 17: The color-scheme of SHiNE
Screen layout:
The following graphics show how the screen layout is devised. It shows the main screen of the game as it appears in the browser, with the sizes (in pixels) of the different areas for the logos box and the flash game. The next images show the login screen and the register screen as well as the main screen of a logged in member.
Figure 18: Main screen view with size overlays.
Figure 19: Login view
Figure 20: Registration view
Figure 21: Main view of logged in member
6.1.5 Rights [tr]
Tutors and administrators have more rights in SHiNE than players do, due to the roles they have to play in the game. The admin has to keep the technical things up, while the tutor has to take care of the players and the flow of the game. While the tutor is the one to ask if you have problems playing the game because you do not understand the mechanisms of it, the admin is the one to call if something’s broken or not working.
The rights everybody has are described below.
Everybody may create a new player-character (PC) and thus become a player.
Each player may:
• change his player-character’s profile.
• prepare articles for the WiKi. These articles have to be accepted by a tutor or admin to be included into the Wiki.
• play tests.
• propose new tests, that have to be accepted by a tutor or admin to be included into the game.
• play scenarios.
• play the 2D-Game.
Each tutor may:
• do everything, a player may do.
• write articles for the Wiki, and either accept or reject articles for the Wiki that have been prepared by a player.
• create and delete scenarios.
• invent or delete tests.
• add or delete skills.
• delete player characters.
• edit a player’s profile except the character’s name.
• grant or remove tutor’s rights to players.
Each admin is allowed to do the same a tutor is allowed to do.
6.2 Webinterface [ar, dg, sd, tr]
The web interface consists of
• the login and registration screen
• the pda screens
• some administration pages.
All of these are displayed in the center frame as html pages, written in CakePHP, spiced with some ajax and javascript, and based on a mysql database.
The layout is optimized for a 1024x768 screen resolution and the Mozilla Firefox browser, with a windows taskbar and statusbars visible. No scrolling should be necessary to view the page content.
The flash game and the pda are visible in the center frame, which has a size of 720x450px.
Figure 22: Flash game interface
Our goal was, again, to minimize the number of pages to get information or to do things like editing player data. Also, to keep the player ”in” the game by integrating all the information he needs (PDA) and the flashmovie into a single frame. The player shouldn’t have to visually leave the game except for solving the desktop scenarios.
6.2.1 Login / Registration [dg]
These are basic pages for registering a new character (not players) and logging these into the game. The player can choose a unique nickname for his character, which will be directly available after creation. After logging in, the flash game starts and the character is placed wherever it left the game with all its states and attributes restored.
6.2.2 PDA-Screens [ar, sd]
Though html, the PDA and the information it presents are ”part” of the flash game. We can call its pages from within the game menu and see them directly in the same frame.
The goal was to streamline the visual appearance of the different views, so that we had the same look and feel for every functionality. So we have selection lists on the left, sortable with tabs, and a ”details” view on the right with integrated ”edit” functionality when possible.
When the game loads, the PDA is placed in a div container behind the flash game using the z-index. This way we avoid loading the PDA content every time we call it and avoid the even longer loading times of the flashmovie if we had to switch the html pages. Upon access, the pda div is displayed above the flash movie by changing its z-index with javascript (the flash movie’s z-index property can’t be changed). PDA content is in part changed via AJAX.
The PDA screens are as follows:
Players: This view shows a list of selectable entries of every player on the left, ordered by score or by name. On the right side it shows details about the selected player like rank, name, score and unlocked skills. The player’s character is selected by default and some of its data (i.e. name) can be edited directly by the player using the ”edit” button.
Tasks: This view contains a list of all playable and finished scenarios and tasks. On the right side the details of the selected scenario are shown. A scenario can be started from either within the Flashgame or the Tasks-screen.
Wiki: Contains a listing of Wiki-topics on the left. On the right the wikitext of the selected topic is shown, including an edit option. Using the ”Add” Button, the player can submit a wiki article, which has to be approved by an admin.
Technical Details:
The stylesheet used for the pda is the pda.css (www/nets-x/app/webroot/css in most cases).
Images used in the pda can be found in the app/webroot/img/pda directory.
The PDA as such is contained in the ”pda” wrapper container (div id=pda). The second enclosing div tag handles the appearance of the following divs, for example div class=”player” changes the content of the header div accordingly (which needs to be empty). As we have tabs only on the left side, they are handled separately (div class tabs).
Figure 23: Players-screen
Figure 24: Tasks-screen
Figure 25: Wiki-screen
The left and right container share the same class, but get their positioning by adding another class (right/left).
The navigation menu is stored in a class=”nav” container, using an unsorted list and giving each list item a class (wiki, exit etc.). In order for the tooltips to work, we need the tooltip.js linked in the header and a div id=tooltip container next to the opening body tag.
The PHP Code, the so-called views, for the PDA are stored in the app/views folders. They handle the data presentation using controllers without having direct database access.
6.2.3 Administration Screen [master]
The administration pages are accessible via the administration-tab if the user has the required privileges. As administrator, the user has the following options:
Scenario administration: Add, edit and delete scenarios
Game administration: Add a Non-Player-Character (NPC), Start state-machine editor
Administration: User administration, i.e. edit and delete Player characters
Wiki administration: Approve and publish or decline Wiki-articles
Assessment-test administration: Approve and publish or decline tests
6.3 2D Gamedesign
6.3.1 The Flashgame Graphics [tr, ar]
The flashgame graphic is made up of several tiles, each 50 by 50 pixels in size and drawn by hand in Adobe Photoshop and the Gimp. Some of the larger objects, like tables and walls, are made up of two or more tiles.
All the tiles of the game are included in a single graphics file (*.png), called the tileset, that is bound into the game. The game refers to the single tiles by their respective position and size inside the tileset.
Figure 26: Tileset
6.3.2 The Characters [dg, mf]
There are several characters in the game and each of these is made up of an animation sequence of 12 images. These images were drawn using Pixen (a pixel-based image editor for Mac) and Adobe Photoshop.
Each character comes with all his animation images in a single graphics file (*.png), that is used as a sprite in the flashgame. The figure below shows the player’s character and all his animation images. The character is drawn from front, back, left and right.
Figure 27: PC & NPCs
6.4 Implementation MVCs in CakePHP [sd]
The game engine is implemented in CakePHP and uses the MVC-concept (model-view-controller). In the MVC-concept input, processing, and output of an application are separated from each other.
Models: PHP files are stored in the /app/models folder and serve the database access.
Controller: PHP files are stored in the /app/controllers folder. They are responsible for the logic. The controllers hold the functions which are called via the url in the address bar of the browser.
Views: PHP (ctp) files are stored in /app/views. They present the game interaction. The views load a default layout stored in /app/views/layouts.
The naming convention in SHiNE(derived from the naming convention of CakePHP):
Models: Model class names are singular. Model filenames use a lower-case underscored syntax.
Examples: content.php, players_scenario.php
Controllers: Controller class names are plural. Controller file names use a lower-case underscored syntax. Controller file names also end with ”_controller”.
Examples: wiki_controller.php, players_controller.php.
Views: Views are named after the actions they display. Name the view file after the action name, in lowercase.
Examples: WikiController::index() expects a view in app/views/wiki/index.ctp
We have four important types of classes:
Player-related classes for management of player data and validation of username and password.
Flash game-related classes for communication between flash game and webinterface.
Scenario-related classes for scenario relevant actions ”add”, ”edit” and ”delete scenario” for admin and ”show” and ”play scenario” for player.
Wiki-related classes for wiki administration.
7 Overall Gameplay-Improvements [af, sg, tr]
In this section we discuss some ideas, that would improve the game for the players.
A Mission Tracker could be displayed in the upper right corner of the flashgame, to show the player if a new skill was attained or to inform him or her of some new mission that could be played, etc.
7.1 Enhancements in Communications
In this section we take a look at some improvements of the game, that would help the players to better get into communication with each other.
An eMail-button could be added to the PDA-Buttons in the panel at the bottom of the flashgame. Players could use this button to open some editor to write an send a written message (like an eMail) to one or more of the other players in the game. Incoming eMails could be listed and displayed in this place as well.
A chat-button could also be added to the game. Due to the fact, that several players could be around in the game at the same time, this would improve the communication between them.
7.2 Improvements to the game itself
Make use of Virtual Machines (VMWare, Virtual PC, Virtual Box, etc.). It could improve the game a lot if the machines, where the players have to use their ’real guns’ to play the missions, were virtual machines. Thus, the software and state of the machine could be prepared in advance and no setup or cleanup scripts would be needed. All the needed software and tools for the mission actually played could be installed on the machine, which could be run on any operating system.
These virtual machines cannot be damaged, even if the user changes some of their settings. The next time the machine is loaded, it has returned to its original configuration.
Sympathy-system The player earns for every successfully accomplished scenario one or more sympathy-points from a female employee. The more sympathy-points he has, the better is his relationship to the female employee. This would give the game a little more depth, because the player would try to keep a good relationship to the female employee to see how the relationship goes on.
An opportunity to import auto-presentations. Tutors could create special auto-presentations to teach the player more easily in specific subjects. This would be a good alternative to the Wiki.
Opportunity to choose a special role. As soon as there are some more scenarios realised it would be possible to create a special game environment for several roles, e.g. the hacker-scene, the network-security-employee, etc. to give the player some variety. This would also open up the opportunity to create several versions of the same scenario with some differences.
7.3 Missions
There could always be new missions included into the game. While on the one hand it could bring more depth and colour to the game, it could also include newer, advanced technologies into the game.
Teamwork-missions: It would be nice if there were missions included into the game where two or even more players have to work together on a single mission to find the solution. It would even be possible to include missions where the players had to work in teams and try to beat the other team(s).
7.4 Graphics
If you think about a sequel to the game, you should make some changes and improvements to the graphics, because that’s the first thing a player will notice. But there are also some improvements that have some more functionality.
A player’s items should be visible on his character, if possible. While some pocket-thing like a coin would not be visible, some fancy clothing, bags or devices (like a laptop or a vacuum-cleaner) should be shown.
Different character images for the player to choose from when he creates a new character. This would make the game more personal for the player.
Several different tilesets for the flashgame graphics, which would give some different looks to the environment where the players walk around. This would make everything a little more fun.
7.5 Real world and 2D-Game relationship
To keep the relationship between the 2D-Game and the real world in the players mind it would be helpful to login some NPCs on real machines in the network. If the player checks up the userprocesses he will recognize some names of the NPCs and is reminded of the 2D-Game.
7.6 Content creation for the 2D-Game
All 2D-Game related objects like Maps, NPCs, etc. should be created through one single Editor. This would reduce the complexity for the tutors and the creation of new content would be much faster.
A Capability planning[fe]
A.1 Personnel planning
The personnel planning was arranged on one weekend during a trip to Cuxhaven. First we found out which topics we had for the whole project. We found seven big topics: ”Scenarios”, ”2D-Game”, ”Webinterface”, ”Authoring Gateway”, ”Rule and Rights”, ”Tutorialimplementation” and ”Wiki”. Every person then had to choose one of the first three topics which he would like to work on. Afterwards the last four topics were combined with the first three: ”2D-Game” with ”Rule and Rights” and ”Tutorialimplementation”, and ”Webinterface” with ”Authoring Gateway” and ”Wiki”. ”Scenarios” we left on its own. Now we had three big groups and every group had its functionality:
Group 1: Scenarios
a) Researching: scenarios, hacking situation and tools
b) Implementation of the scenarios
c) Remote desktop
d) Regard content connection to the Wiki and the quizzes
Group 2: 2D-Game
a) Concept: including help functions, time pressure and personalisation
b) Interaction implementation
c) Graphics and Design in/of the 2D-World
d) Map-Editor
e) Playing with active help
f) Self-assessment
Group 3: Webinterface
a) Usability and Navigation
b) Design
c) Corporate Design
d) Interface: Administrator, Author and Player
e) Wiki: 1. Functionality, Searching and Editing
f) Wrapping and Metaphor
The following persons took the following group:
1. Group 1: M. Toepfer, A. von Oehsen, R. Brauer, T. Schroeder, J. Leins, J. Panten, P. Meyer, C. Gaisser
2. Group 2: S. Graul, F. El-Khatib, A. Fink, J. Urbschat, C. Schnackenberg, D. Luers
3. Group 3: D. Gieseler, A. Rossner, M. Friedrich, T. Rosenberger, S. Deltchev
But this wasn’t the whole work! Everybody was also a multiple job holder. We got some extra jobs, which have to work out:
1. Objectives, making-of, Contact worked out by R.B. and A.R. 2. Editorial Record, Standard format and dates worked out by C.G. 3. Sheet-Design (Flyer, Poster, Handouts) worked out by 4. Play - concept and further development (Vision-Concept, Manual) worked out by T.R., S.G. and A.F. 5. Source Administration (Code, Manuals, Docs, Protocols) worked out by J.U. 6. HW-Access Topology - ”plugging” worked out by T.S. 7. Net Topology installation (Manual) worked out by M.T. and A 8. Game-Play-Sever installation (Manual) worked out by J.L. and S.D. 9. Net lab-Wiki attaches and administer worked out by J.P. 10. Research to analogue ”Hacking-Games” worked out by D.L. and P.M.) 11. Gantt-Diagram worked out by F.E. 12. Image Film (2 min.) worked out by NOT DECLARED
The results of all of this are for the most part described in this documentation.
A.2 Time management with Gantt-Diagram
The Gantt chart is a bar chart that illustrates a project schedule. The horizontal axis shows the start and finish time of the project. In the first column you find the activities of the project. The duration of an activity is visualised by the length of its bar under the time line: more length means more time. Dependencies between activities are illustrated by arrows from one bar to another, and they follow automatically from the declared start and finish dates of the activities. The current state of work is displayed by a red vertical line at the current date. If there are too many activities, the Gantt chart very quickly becomes unclear; for more activities you should use a network plan. Here you see the Gantt chart of the last planned week of work on SHiNE:
Figure 28: Gantt-Diagram
As you can see, the Gantt chart is in German. In the right column you find the groups declared in the last paragraph and their specialisations.
Finally, the Gantt chart was developed by the whole SHiNE group, which makes it more meaningful and important for everyone to see at any time at which stage the project is.
B External presentation
B.1 Flyer, poster, handouts [dg, cs]
Our assignment was to develop two versions of a poster and a flyer/handout: one poster for the faculty staff and another one for the students.
We decided to go in two different directions. One way was "less is more" and the other one was "more is more". For the students there had to be something eye-catching, something mysterious, something that arouses the will to find out more about this project. For the faculty staff there had to be a lot of information about the project, its goals, its setup and its benefit for their faculty.
Below there are the two different versions for the faculty staff and the students.
Figure 29: Poster used to promote the project to the faculty staff
Figure 30: Poster used to promote the project to the students
The flyers/handouts were supposed to follow the concept of the students' poster. The difference was that only the front was supposed to evoke the mysteriousness, while the back should give more information about the project. The flyer is thus a mash-up of the poster for the faculty staff and the poster for the students.
Figure 31: Front and back of flyers
B.2 Website [rb, ar]
The website follows the same design rules (see styleguide) as the rest of the game. It has a contact page, a list of the team members, a summary of some project info and a statement regarding the German "Hackerparagraph" (§ 202c StGB). The site package can be found at https://www.netzlabor.hs-bremen.de/wiki/images/c/c9/SHiNE Site.zip.
Figure 32: Screenshot of the homepage
C 2D-Game
C.1 Script[fe, af, sg]
Script for the stories
D = stage direction, B = boss, J = janitor, Jdc = janitor (department chief's office), DC = department chief, Sp = secretary (player's office), Sdc = secretary (department chief), L = Larry, Cc = cellar colleague, C = colleague (player's floor), P = player, A = announcement voice, T = net department chief, F = flyer
Linux-Basics
D: The player is greeted in the office of the department chief as a new employee. He has to speak with him. Every other NPC tells him that he has to report to the department chief.
DC: Hello newbie, we greet you at your new workplace as our employee. We hope that your work will be easy for you. I have to inform you that we only work with Linux on our computers. I'm sorry, but I don't have the time to give you an introduction, but ask my secretary. She will give you your next instructions.
D: The player has to speak to the secretary. Every other NPC tells him that he has to report to the secretary.
Sdc: Hi, newbie! Your office is down this floor on your right-hand side. I've put some teaching materials on your desk. Please read them so that you can get familiar with your new work.
D: The player is now free in what he does. He can explore the parts of the company accessible to him. Every other NPC tells him something, but nothing very important. He can talk to everybody or go directly to the teaching materials. He also has the possibility to ask again. The teaching materials tell him:
Linux Basics:
- find out in which directory .log files are normally saved
- check the log files; one of them must mention a 'secret tool'
- copy this log file to your home directory
- detect the IP address of your system
- rename the log file in your home directory after your IP address
- don't forget the .log extension
Afterwards he has to report the accomplishment to the teaching materials. The player has accomplished this mission and gets his gratification! This is the player's first mission, which he has to accomplish before he can do any other mission.
VI
D: The Linux-Basics are finished now. The player has to speak with Larry to start this story part.
L: I'm angry at the DC. He prohibited me from playing on the computer during working time and also docked my salary. But I'm really sure that he's playing the whole time, even at this moment! Can you help me change my salary back to the original amount and needle him while he is playing, so that he notices that he also has to follow the rules?
D: If the player answers that he will do this mission, he has to connect from his desk to the computer of the DC and close the game application. Until he has accomplished this mission, Larry will only tell him what exactly he has to do:
L:
- find a file on your system which contains the string "Myrath"
- modify the file in the following ways:
  - delete the data set of "Bill Jobs"
  - change the salary for "Steve Gates" to 100.000
  - add a "holiday" section with a value of 30 for every employee
- save the changed file
D: All other NPCs tell him their small talk.
After he has finished the task he has to speak with Larry again.
L: Thank you man! The DC is crying like a baby. I think you want your gratification of 800?! Here you have it!
D: The player gets his gratification and has finished the mission. From now on every other first mission (those following Linux-Basics) is available again if it is not finished yet, and so are the missions following VI: ARP-Scenario, John the Ripper and Hydra.
Hijacking
D: After the player has finished the ARP-Scenario, the janitor now says something when the player talks to him!
J: Hey newbie, pick up the phone on your desk now if you want a VIP mission!!!
D: From now on the player is able to get a new mission by answering the phone call.
T: Our company has no access to the web server anymore. Somebody seems to be establishing a connection to the router right now. We need a person of outstanding abilities! The intruder has to be stopped! Please, help us!
D: The player has to get familiar with ettercap, connect to the net and throw the invader out. While he hasn't finished the mission and answers the phone, the voice on the other side tells him: Please help us to find the invader! Also, all other NPCs tell him their small talk.
When he has finished all tasks he has to answer the phone to accomplish this mission and get his gratification.
T: Good job newbie! You got it, the server is open now.
D: The player accomplished this mission and gets his gratification!
Domain
D: After the player has finished the Linux-Basics he gets an e-mail on his laptop.
A: Hey newbie, please come to the boss! He wants to see you. You find him on the second floor.
D: The player has to go through the staircase. On his way he finds an old rotten key which he can take. When he reaches the chief's department he has to go to the boss and talk to him.
B: Hi newbie, we want to change our provider to save more money! I don't know the configuration specifications anymore, but I know there is a list containing useful records. Can you check the list and find out the records of our domain?
D: If the player says "yes" he accepts this mission, and the boss will tell him: Are you ready newbie? Check the list and find out the records of our domain! Also, all other NPCs tell him their small talk.
When he finishes this task he has to speak to the boss again.
B: Good job, boy! Now what the hell are you still doing here?!
D: The player accomplished this mission and gets his gratification!
DNS-Basics
D: After the player has finished the Linux-Basics he gets an e-mail on his computer.
A: Hey newbie, please come to the boss! He wants to see you. You find him on the second floor.
D: The player has to go through the staircase. On his way he finds an old rotten key which he can take. When he reaches the chief's department he has to go to the boss and talk to him.
B: The company wants to set up its own mail server to get less spam in the inbox. For this we need to find out how to set up DNS entries. Can you check the required domain entries and put them into a list, please?
D: If the player says "yes" he accepts this mission, and the boss will tell him: Are you ready newbie?! Check the required domain entries and put them into a list! Also, all other NPCs tell him their small talk.
When he finishes this task he has to speak to the boss again.
B: Good job, boy! Now what the hell are you still doing here?!
D: The player accomplished this mission and gets his gratification!
DNS-Server
D: After the player has finished Domain or DNS-Basics he can talk to a colleague in the coffee kitchen.
C: Hello newbie, can you do me a favour?
D: If the player answers "yes", he accepts the mission and the colleague goes to the elevator and waits in front of the door until the player reaches him. All other NPCs tell him their small talk.
C: Let's take the elevator down to the cellar!
D: The colleague has a key card for the elevator, so the player can use the elevator with him. They reach the cellar together and the colleague talks to him again. The player is not able to leave the cellar until he has finished this task.
C: The company wants to set up its own mail server to get less spam in the inbox, and a new web server. We also need to allocate a new reverse zone and a new zone for our subnet. The "zone thing" you can do if you like, but if you do it, do it correctly!
D: Until he is ready the colleague will say: The mail server and the web server ARE FINISHED?! I DON'T THINK SO!!! When he is ready he has to speak to him again.
C: Thanks! I see you found my old rotten key! Give it to me and I'll give you my key card for using the elevator.
And by the way, I warn you against telling anybody!!!
D: The player accomplished this mission and gets his gratification!
NMAP
D: The Linux-Basics are finished now. The player has to read the flyer hanging on the blackboard to start this story part.
F: The company has noticed some unauthorised accesses to private data of the company in the last week. To prevent this the company is closing 90 percent of all available ports! This measure is taken only for security reasons.
The net department!
D: After he has read the flyer, the colleague next to the blackboard will talk to him.
C: All my lovely pages on the internet are blocked and I can't visit them anymore. Also I'm not able to check my e-mails anymore. Can you help me?
D: If the player says "Sure, I'll help you", the colleague will answer until the task is finished: Please check out which pages I'm supposed to visit!
The mission is quite clear. The player has to use the program Nmap to find all open ports! Until he has finished this task he isn't able to do any other mission and all other NPCs tell him their small talk.
Afterwards he will say: Thank you for your help! Here is your gratification!
Mission accomplished!
Honeypot
D: After the player has accomplished NMAP and has not gone to the DC's office, he gets a call from the net administration.
T: Please come to the net department in the cellar! I have a job for you, if you want.
D: When the player wants to go there, he has to enter the elevator and choose the cellar. When the player reaches the cellar, the cellar colleague (who is the net administrator) welcomes him at the door.
Cc: Hi newbie, my brother works at the competitor's company, also as net administrator. I want to know how well he secures his network, but I cannot test it myself. He knows how I work, so he would know directly that it is me. Please, can you help me?
D: If the player answers "yes", he accepts the task. If he tries to talk to the colleague, he will answer until the task is finished: You aren't ready with the security test yet, are you?! Also, all other NPCs tell him their small talk.
Afterwards he will say: Thank you for your information! Here is your gratification! You can go back to your work, but don't tell anybody you helped me!
The player has accomplished the mission, gets his gratification and can do any other mission.
snort 1
D: After the player has accomplished NMAP and next enters his office, a secretary enters his office as well.
Sp: The department chief wants to see you. Go to the executive suite and talk to him.
D: When the player enters the office of the DC, he accepts the mission and the DC talks to him.
DC: There you are! You can show me what you can do. The IDS tool "snort" scans the traffic from the internet and in the DMZ. The scanner on one of the two interfaces is probably down! Find out which interface isn't scanning anymore and start snort there again with the right configuration!
D: The player has to check in the net which computer is a VM. While he isn't ready the DC will say to him: You haven't finished yet! Tell me which interface isn't scanning anymore! Also, all other NPCs tell him their small talk.
When he finishes the task and talks to him again, he will answer something else.
DC: Well done newbie! Here you have your gratification!
D: The mission is accomplished and he gets his gratification, but now the janitor stands in front of the door and blocks it.
Jdc: I am cleaning here, I don't have time for any conversation!
D: The player has only one thing he is able to do: speak with the DC again!
snort 2
DC: Good that you are still here. I have another task for you, where you can prove your Snort skills. There is a problem in the network. The snort rules seem to be attached incorrectly. Secure the network against port scans.
D: The player isn't able to choose whether he wants to do this mission. If he talks to the DC again while the mission isn't finished, he says: Have you secured the network against port scans yet?! I don't think so! Also, all other NPCs tell him their small talk.
When he finishes the task and talks to him again, he will answer something else.
DC: Well done newbie! Here you have your gratification. Now go back to work!
D: The janitor isn't blocking the door anymore. The mission is accomplished and he gets his gratification.
C.2 Realisation Flash-Client[cs, ju]
C.2.1 Game server interface [cs, ju]
This section gives a detailed overview of the communication between the game server and the Flash game. It also contains a brief summary of the data topology and shows how the game is initialised.
The interface between the game server and the Flash game has been completely rewritten. The link between them is AMFPHP, which allows Flash to call remote PHP functions. All functions mentioned in the following are PHP functions exposed to Flash through this gateway.
Basically there are four subjects for the interface: access to the object data, session handling, scenario notification and finally skill unlocking and scoring.
Once the game is started it has to ask the game server for the objects located in its database. This is done by calling the method "getObjectData". It returns a set of three arrays with the XML description of all objects (see figure 33).
Figure 33: data topology of the flash game
The next step is handling the session data. It has to be checked whether a saved session exists and on which map the player is located. If no session is saved, the first map is used by default. Furthermore all object states are set to the saved session state. Whenever a state changes it is sent to the game server immediately; therefore the set methods are split into sub-methods (see figure 34 for the Flash game setup). Session functions:
• getSession (states of all objects and the player)
• setSessionPlayer (saves session of the player object)
• setSessionNpc
• setSessionItem
• setSessionTriggerArea
While the active state machines are handled by the Flash game, the scenarios are completely processed by the game server. The Flash game only unlocks the necessary skills for a certain scenario; the scenario itself is started from the HTML-based PDA and "played" with the console (and further network tools). One drawback of the topology is that the game server has no way to send events to the Flash game. This is simply not possible, e.g. the user may have closed the browser while he is playing a scenario. To provide an understandable story line it is important for the Flash game to "know" when a scenario has been completed. This problem was solved by using a notification mechanism. The game server knows very well which scenarios are completed. When the Flash game is initialised it asks for a list of completed scenarios (a list, because the user could have solved more than one scenario). Each list entry contains a variable with its notification state. If the notification is "false", the Flash game has not noticed the completion yet. In the next step it sends the event "scenario completed" to its state machines and marks the entry as "notified". Through this approach the game is able to inform the state machines and the story can take completed scenarios into account.
Figure 34: initialisation of the Flash game (activity diagram, start of the 2D adventure). The steps shown are:
1. The Flash movie is loaded.
2. Load all state machines from the game server (XML containing the NPCs, items and trigger areas). On error: show an error and exit.
3. Data received: create a state machine for each object.
4. Load the last game session. If no game session exists, choose the first map; if a game session is available, read the map id from it.
5. Load the map (it also contains the waypoints). On an error during loading: show an error.
6. Try to load the path file. If it is not found, ignore the path; if found, create the waypoint path.
7. Create the objects for the map (the needed objects are determined by the loaded map).
8. Start the game loop; the game is ready.
Scenario functions:
• getCompletedScenarios
• setCompletedScenarioNotification
Finally there is a function to unlock a certain skill, and the player score can be changed. Since these calls are issued by the client, the game server should verify on its side that the requesting session is actually entitled to the skill or the score change before applying it.
Skill/Score functions:
• unlockSkill
• changeScore (increase and decrease)
C.2.2 The tile map [cs, ju]
The chosen map editor "Tiled" allows creating maps very easily, but it has the drawback that no object placement is supported. To solve this problem we introduced a workaround with special properties that can be attached to different map parts. This is a short introduction to the implemented properties needed to create a SHiNE-compatible map with the Tiled editor.
Figure 35: entire tile map
Basically a tile map consists of an arbitrary number of layers (see figure 35), tilesets (see figure 36) and tiles.
In our implementation there is a special layer type: the "object layer". To create an object layer just put the property "type=objects" on the layer (see figure 37). You are now allowed to place objects on this layer.
Figure 36: tileset and a layer
Figure 37: create an object layer
There are four types which can be placed on the object layer:
• npc
• items
• triggerAreas
• spawnPoints
Each type has to be configured with a property in the tileset used. Keyword list (attention: they are case sensitive):
• NpcId: the global object id of the NPC from the XML.
• TriggerId: the global object id of the trigger area from the XML.
• ItemId: the global object id of the item from the XML.
The spawn point is a position where the player can enter a map. Whenever a map change occurs the designer always has to decide not only which map follows but also a certain spawn point. Each map has its own set of spawn point ids. To define one just put the property SpawnPointId on a tile and place it on the object layer.
Another important subject is collision. It is recommended to create an extra layer to be independent of the graphical parts. With the property "visible=false" the entire layer can be hidden. The next step is to attach a tile with the property "block=true". Now the player is unable to cross the blocked tiles (in figure 35 the red area is the collision layer).
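As an added example (not part of the SHiNE code base or of Tiled), the following Python resolves the conventions above on a small, constructed map written in Tiled's TMX XML layout: it maps the global tile ids in each layer back to the tile properties declared in the tilesets, collects NpcId/ItemId/TriggerId/SpawnPointId placements only from layers marked type=objects, builds the set of blocked cells from tiles carrying block=true, and reports marker tiles that a designer dropped onto a non-object layer, which the game would otherwise silently ignore. The map, tileset names, ids and coordinates are invented for the example; the CSV tile encoding is an assumption chosen to keep the sample readable, not necessarily what the project's maps used.

```python
import xml.etree.ElementTree as ET

# Constructed 4x3 example map in Tiled's TMX layout (assumption: invented data,
# CSV-encoded layer data). Layer cells hold *global* tile ids (gid): 0 means
# "empty", otherwise gid - firstgid of the owning tileset is the local tile id
# whose <properties> carry the SHiNE keywords. The "floor" layer deliberately
# contains a misplaced NpcId marker (gid 4 at x=2, y=2) to show the check.
SAMPLE_TMX = """<map version="1.0" orientation="orthogonal" width="4" height="3" tilewidth="32" tileheight="32">
  <tileset firstgid="1" name="ground" tilewidth="32" tileheight="32">
    <image source="ground.png" width="64" height="32"/>
  </tileset>
  <tileset firstgid="3" name="markers" tilewidth="32" tileheight="32">
    <image source="markers.png" width="128" height="32"/>
    <tile id="0"><properties><property name="block" value="true"/></properties></tile>
    <tile id="1"><properties><property name="NpcId" value="12"/></properties></tile>
    <tile id="2"><properties><property name="ItemId" value="7"/></properties></tile>
    <tile id="3"><properties><property name="SpawnPointId" value="1"/></properties></tile>
  </tileset>
  <layer name="floor" width="4" height="3">
    <data encoding="csv">1,1,1,1,
1,2,2,1,
1,1,4,1</data>
  </layer>
  <layer name="collision" width="4" height="3" visible="0">
    <data encoding="csv">3,3,3,3,
3,0,0,3,
3,3,3,3</data>
  </layer>
  <layer name="objects" width="4" height="3">
    <properties><property name="type" value="objects"/></properties>
    <data encoding="csv">0,0,0,0,
0,4,5,0,
0,6,0,0</data>
  </layer>
</map>
"""

KEYWORDS = ("NpcId", "ItemId", "TriggerId", "SpawnPointId")  # case sensitive


def tile_properties(root):
    """Map global tile id -> {property name: value} for tiles declaring properties."""
    props = {}
    for ts in root.findall("tileset"):
        first = int(ts.get("firstgid"))
        for tile in ts.findall("tile"):
            gid = first + int(tile.get("id"))
            props[gid] = {p.get("name"): p.get("value")
                          for p in tile.findall("properties/property")}
    return props


def layer_grid(layer):
    """Return the layer's cells as a list of rows of global tile ids."""
    width = int(layer.get("width"))
    data = layer.find("data")
    if data.get("encoding") != "csv":
        raise ValueError("only csv-encoded layer data is handled in this example")
    cells = [int(c) for c in data.text.replace("\n", "").split(",") if c.strip()]
    return [cells[i:i + width] for i in range(0, len(cells), width)]


def layer_properties(layer):
    return {p.get("name"): p.get("value") for p in layer.findall("properties/property")}


def parse_map(tmx_text):
    """Return (objects, blocked, misplaced).

    objects:   [(keyword, object id, x, y)] from layers with type=objects
    blocked:   {(x, y)} cells the player cannot enter (tile has block=true)
    misplaced: [(layer name, keyword, object id, x, y)] markers on other layers
    """
    root = ET.fromstring(tmx_text)
    props = tile_properties(root)
    objects, blocked, misplaced = [], set(), []
    for layer in root.findall("layer"):
        is_object_layer = layer_properties(layer).get("type") == "objects"
        for y, row in enumerate(layer_grid(layer)):
            for x, gid in enumerate(row):
                if gid == 0:
                    continue
                tp = props.get(gid, {})
                if tp.get("block") == "true":   # blocks even on a hidden layer
                    blocked.add((x, y))
                for kw in KEYWORDS:
                    if kw in tp:
                        if is_object_layer:
                            objects.append((kw, int(tp[kw]), x, y))
                        else:
                            misplaced.append((layer.get("name"), kw, int(tp[kw]), x, y))
    return objects, blocked, misplaced
```

Running parse_map on the sample yields three placements on the object layer (the NPC with id 12, the item with id 7 and spawn point 1), ten blocked perimeter cells from the hidden collision layer, and one warning for the NpcId marker left on the "floor" layer.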
C.2.3 Scene management and animations [cs]
Especially for the designer it is essential to understand certain aspects of the scene management and the animations. This is a short introduction to the behaviour of the graphical objects and how they can be controlled properly.
First it is necessary to understand that, due to the depth effect of the scene, each object has to be sorted. This is done by the Flash game internally. Unlike most other graphical object placements, a sprite object in SHiNE is always controlled by its bottom centre (see figure 38). This is important for creating the collision area.
Figure 38: anchor of a sprite
The new adventure world of SHiNE allows NPCs to walk around freely. Internally the game determines the current angle in which the object looks. If the character walks eastwards the angle is 0, if it walks southwards it is 90, and so on. The actual angle is not needed by the designer. Important: for each angle a different animation is needed. Obviously the graphic staff cannot draw an animation sequence for every possible angle, so the designer has to decide how many directions are supported.
Our goal was to free the designer from thinking about which animation should be used at a certain angle. The designer can draw as many sequences as he wants and the Flash game decides which one is appropriate for the current angle. As in figure 39, four directions are one possible amount.
Figure 39: sprite with four different directions
The designer just has to put the animations in the correct order and the Flash game will choose the best animation: start with the east (right) direction and rotate the animations clockwise. One major benefit of this approach is its flexibility, especially when thinking about 3D-animated objects. With a 3D object it is possible to have eight or even 16 animation directions, and that can already be handled by the current implementation.
Each object has one image as its animation source. The animation source, usually a PNG image, must contain all animation frames. The size of the object is identical to its frame size. The first animation frame gets the id '0', the one to its right '1' and so on (in reading direction). The id is independent of the number of rows or columns, so reorganising an object image has no effect as long as the id order is not mixed up (figure 40 shows an object image with its ids).
One or more animation frames can be grouped together with an animation script. The script is the description of one animation sequence. Basically the script is a string. The simplest script is the id of a certain frame: "5" will show the animation frame with the id '5'. More advanced effects can be achieved with a leading ':' (colon). The Flash game then treats the string as a script and requires a certain structure:
:
The script is a loop: it begins with the start frame and, after the duration has elapsed, shows the next frame until the end frame is reached (figure 41 shows a full example).
Figure 40: complete sprite object
Figure 41: full object animation description in XML
C.2.4 Pathfinding [cs, ju]
As already mentioned, NPCs can walk around in the game world. This is achieved with an extra waypoint map for every map. The waypoints are basically coordinates that the map or waypoint creator places sensibly in the world. These waypoints can be connected and thereby make it possible for an NPC to get from one waypoint to another. To control the path an NPC would take it is possible to add costs to the connections (i.e. to the ways): the higher the cost, the less likely it is that an NPC will take it. After all these waypoints and connections are set, they add up to a graph structure which can be searched by various algorithms. We decided to use the A* (spoken "A star") algorithm because it is fast and returns an optimal path as long as the heuristic it is given never overestimates the remaining cost to the goal. The pseudocode looks quite simple and even the theory behind it is not much more. You can think of two lists: the closed list contains all nodes that have already been expanded, the open list contains the nodes that have been discovered but not yet expanded. Starting from the start node you always take the open node with the lowest estimated total cost (the cost spent so far plus the heuristic estimate to the goal), move it to the closed list and add its not yet closed neighbours to the open list, remembering for each of them the node it was reached from. If the node you take is the goal, you have found your way: following the remembered predecessors back from the goal gives the path. In pseudocode it looks like this:
    function A*(start, goal)
        closed := the empty set
        open := priority queue of nodes, ordered by f(n) = g(n) + h(n)
                (g(n): cost from start to n, h(n): heuristic estimate from n to goal)
        g(start) := 0
        insert start into open
        while open is not empty
            x := remove the node with the lowest f from open
            if x = goal
                return the path obtained by following parent pointers from goal back to start
            add x to closed
            foreach y in successors(x)
                if y in closed
                    continue
                tentative := g(x) + cost(x, y)
                if y not in open or tentative < g(y)
                    g(y) := tentative
                    parent(y) := x
                    insert y into open (or update its position)
        return failure
(adapted from [3])
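The following is an added example, not part of the SHiNE code base, implementing the search described above in Python over a small constructed waypoint graph with designer-assigned connection costs. The heuristic is the straight-line distance between waypoints; this is admissible, and A* therefore optimal, only if no connection cost is below the straight-line distance of its endpoints, which holds for the constructed graph (pass a zero heuristic to fall back to Dijkstra otherwise). Node names, coordinates and costs are invented for the example.

```python
import heapq
import math

# Constructed waypoint graph for this example (assumption: node names,
# coordinates and costs are invented; SHiNE's real waypoint files are not
# reproduced here). Positions are in map units.
WAYPOINTS = {
    "A": (0, 0),
    "B": (10, 0),
    "C": (10, 10),
    "D": (0, 10),
    "E": (20, 10),
    "Z": (40, 40),  # isolated waypoint with no connections
}

# Undirected connections with the designer's cost. B-E is made expensive
# (e.g. the NPC should avoid crossing the office), so the cheapest route
# A-D-C-E is not the one with the fewest hops. Every cost here is >= the
# straight-line distance of its endpoints, which keeps the heuristic admissible.
CONNECTIONS = {
    ("A", "B"): 10,
    ("B", "E"): 30,
    ("B", "C"): 15,
    ("A", "D"): 10,
    ("D", "C"): 10,
    ("C", "E"): 10,
}


def build_adjacency(connections):
    """Expand the undirected connection table into neighbour lists."""
    adj = {}
    for (u, v), cost in connections.items():
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    return adj


def straight_line(a, b, pos):
    """Euclidean distance between two waypoints."""
    (x1, y1), (x2, y2) = pos[a], pos[b]
    return math.hypot(x1 - x2, y1 - y2)


def astar(start, goal, pos, connections, heuristic=None):
    """Return (path, total_cost); (None, inf) if the goal is unreachable.

    heuristic(a, b) estimates the remaining cost from a to b. The default is
    the straight-line distance; pass lambda a, b: 0.0 to degrade to Dijkstra
    when connection costs may be smaller than distances.
    """
    h = heuristic or (lambda a, b: straight_line(a, b, pos))
    adj = build_adjacency(connections)
    g = {start: 0.0}     # best known cost from start to each node
    parent = {}          # node -> predecessor on the best known path
    closed = set()       # expanded nodes
    open_heap = [(h(start, goal), 0.0, start)]  # (f, g, node); stale entries allowed

    while open_heap:
        _f, gx, x = heapq.heappop(open_heap)
        if x in closed:  # stale entry, superseded by a cheaper one
            continue
        if x == goal:
            path = [x]
            while path[-1] in parent:
                path.append(parent[path[-1]])
            return path[::-1], gx
        closed.add(x)
        for y, cost in adj.get(x, []):
            if y in closed:
                continue
            tentative = gx + cost
            if tentative < g.get(y, math.inf):
                g[y] = tentative
                parent[y] = x
                heapq.heappush(open_heap, (tentative + h(y, goal), tentative, y))
    return None, math.inf
```

astar("A", "E", WAYPOINTS, CONNECTIONS) returns the route A, D, C, E with total cost 30 rather than the two-hop route over B, because the designer's cost on B-E makes it more expensive; an unreachable target such as "Z" yields (None, inf).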
C.2.5 Class diagram [cs, ju]
Figure: class diagram of the Flash client (UML export; the drawing itself is not reproduced in this text). It shows the major classes of the SHiNE Flash 2D adventure client and the main connections between them, subdivided into three parts: UI, Core and Engine.
Packages shown in the diagram:
- de.shine.ui.dialogs: DialogBox
- de.shine.ui.input: InputManager, IController
- de.shine.ui.graphics.tileEngine: TileSource, Tile, TileLayer
- de.shine.ui.graphics.animation: Sprite, AnimatedSprite, AnimationSet
- de.shine.ui.graphics.scene: SceneManager, GameSprite, ObjectSpace, MapCamera
- de.shine.ui.graphics.collision: IntersectShape, IntersectRect, IntersectCircle
- de.shine.ui.AStar: WaypointField (findWayFrom, findNodeByPos); de.polygonal.Graph is shown alongside it
- de.shine.ui.sound: currently not implemented
- de.shine.core.map: Map, MapLoader, ShineMapLoader, AnotherMapLoader, IMapLoadListener
- de.shine.core.game: Game, GameEngine, GameObject, ObjectManager, Npc, Item, TriggerArea, Player with their state classes NpcState, ItemState, TriggerAreaState, and IGameActionListener (talk, touch, action, collision, answer, reachDest, trigger)
- de.shine.engine: IGameEngineListener, KeyValueMap, ObjectInfo, ItemDescription, TriggerAreaDescription, PlayerDescription, NpcDescription
- de.shine.engine.stateMachine: State, EventList, EventTriggerList, SkillTrigger, ChangeScoreTrigger, ChangeMusicTrigger, IGameTriggerListener (onNewSkill, onScoreChange, onChangeMusic)
Notes from the diagram:
- UI (graphic engine, user input) contains the graphical interface to the user and the input handling. The InputManager is the approach to handle the different input layers of the game: each object that needs to observe the global inputs (mouse, keyboard) implements IController and is pushed to the InputManager, which dispatches the input events to the correct IController.
- An AnimationSet combines several animation scripts into a fully pseudo-3D object; depending on the angle value it updates the sprite.
- The SceneManager handles the entire scene.
- All interactive objects are game objects.
- ShineMapLoader is a parser created especially for the Tiled editor map format; override "parseMap" to support a new level format.
- KeyValueMap is a hash map that can contain an arbitrary number of key/value pairs; the logical correctness of the data has to be ensured by the object that uses the state.
- ObjectInfo contains the interface to the game engine and to the state-machine engine.
D Game topology
D.1 Manual Net Topology installation [jl, mt, aoe]
The topology is composed of 2 routers, 3 switches and 10 PCs, which are separated into different areas. The first area is the game internet, the VPN environment with connections to other polytechnics. The second area is the DMZ (demilitarized zone), which is accessible from the game internet and offers services like HTTP, email, FTP and others to all game internet users. “The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network.” [4] The third area is the local LAN, which is itself separated into 5 VLAN areas with different security options.
Figure 42: Game Topology
D.1.1 Activate Topology at the PCs
The PCs provide a dual-boot installation option. With this option a user can set up either a normal lab PC or a preconfigured PC with the integrated game topology. The installation is based on FAI - Fully Automatic Installation [5] by Thomas Lange. This installation environment lets us set up every PC of the game topology on any physical PC in less than an hour, fully automatically; the only interaction is to choose the wanted game PC.
After installation the PC is ready to use; the only missing step is to start the hacking game. The manual start is owed to the dual use of the PCs: if the hacking game isn’t started, the PC is usable as a lab PC; by starting the hacking game, the network topology and the needed services are started automatically.
To start the hacking game just run as root:
/etc/init.d/hackinggame start
D.1.2 Setting up the Network devices
The switches and routers are accessible through the console port. For the topology installation it’s necessary to connect the console port of a network device to a PC. After the physical connection a serial console connection has to be started. A very handy tool in UNIX environments is minicom [6]. This tool offers our serial command line, and with it we can configure the network devices.
To configure the devices it’s sufficient to copy and paste a given configuration into the minicom window, but it may be that interfaces have to be activated by hand. Keep in mind that some commands don’t work on every IOS version. So be careful and watch what you are doing.
The installation of the network devices should be done by a person with advanced network knowledge. It is very simple if the IOS and feature set of the Cisco devices are the same as in the given base configuration, but if something differs, problems may appear.
D.2 Manual Game server installation [sd]
D.2.1 Linux installation
Installation at HS Bremen
The SHiNE game is saved as a package on the game server (pc34 in room 311)
To install the game:
login at the Debian game server - user: stud, pw: rtk222
Start the command shell
add to /etc/apt/sources.list (e.g. with vim) - deb http://www.nets-x.hs-bremen.de/shine/ ./
and execute:
apt-get update - to update the sources list
apt-get install shine - to install the game
To install SHiNE on a Debian computer:
Login as admin
Start the command shell
add to /etc/apt/sources.list (e.g. with vim) - deb http://www.nets-x.hs-bremen.de/shine/ ./
and execute:
apt-get update - to update the sources list
apt-get install shine - to install the game
To play the game locally: open the web browser and type into the address line - 127.0.0.1/nets-x
To play the game in the network: type the IP address of the game server into the address line of your browser, then a slash and nets-x
Example: if the game server has the IP address 192.68.164.10, type - 192.68.164.10/nets-x
D.2.2 Windows installation
Necessary components:
• WAMP
• SHiNE Game with CakePHP
• Database nets-x.sql
Download the components from these links:
• WAMP from http://www.wampserver.com/en/download.php (if the link doesn’t work, ask Google)
• SHiNE Game from http://www.nets-x.hs-bremen.de/nets-bachelor/projekte/SHiNE
• Database nets-x.sql from http://www.nets-x.hs-bremen.de/nets-bachelor/projekte/SHiNE
First install the WAMP server in your root folder (for example C:/wamp)
Specify the following folder as WEBROOT for WAMP - C:/wamp/www/
Open the Apache config file httpd.conf
Enable the rewrite module in httpd.conf by removing the leading # from the line - LoadModule rewrite_module modules/mod_rewrite.so
Copy the SHiNE files into your webroot folder - C:/wamp/www/
Open phpMyAdmin
Create a new empty database named nets-x
Import the database file nets-x.sql into the database (if the file size is bigger than 2 MB, compress the file and import it as a ZIP file)
Click on the database privileges
Set up a new user nets-x at localhost with all privileges and the password rtk222
To play the game locally: open the web browser and type into the address line - 127.0.0.1/nets-x
To play the game in the network: type the IP address of the game server into the address line of your browser, then a slash and nets-x
Example: if the game server has the IP address 192.68.164.10, type - 192.68.164.10/nets-x
E Scenarios
E.1 Basic scenarios [jp]
E.1.1 Console
Wiki text

pwd

The pwd command (“print working directory”) prints your current directory to the console. It is useful to find out in which directory you are. After logging in to a command line you normally start in your home directory. To see where it is placed in the directory tree of the system, type the pwd command:

userx@PC00:~$ pwd
/home/userx
userx@PC00:~$

ls

The ls command lists the files of a directory. If invoked without any parameter, it shows the files of the current working directory. If you want to list the files of another directory, you can use:

ls /path/to/directory

A short description of the most important parameters (for more information, type ls --help on the command line):

-a lists all files of the directory, hidden files as well
-l prints more detailed information about the files
-R lists recursively all directories inside the one you have selected
cp
The cp command is normally used to copy a file. For this purpose you use it like this: cp file1 file2 or cp /home/userx/file1 /path/to/file2
It is also possible to copy a list of files to one target directory: cp file1 file2 file3 /path/to/
For more information about the cp command, type cp --help on the command line.

mv

For the mv command there are two main kinds of usage:
The mv (“move”) command is, as the name suggests, used to move one or more files to a different place in the filesystem. To do so, type: mv /path1/file /path2/file
Another important way of using the mv command is to rename a file. For this purpose type: mv oldname newname

cat

The cat command is the easiest way to show the content of a file. To print the whole content of a specific file to the command line, type: cat file1

ip

The easiest way to get the IP address of one of your Ethernet interfaces is to use the ip command in conjunction with the addr parameter:
ip addr
That will print a list of information about the installed Ethernet interfaces. The IP address itself is located in the line which starts with “inet ...”.
To get more information about the ip command, type only ip without any parameter, or check the man page by typing: man ip
Linux directory structure
A Linux system contains thousands of different directories. Here is just a short list of some of the most important ones:
/ Root directory. This directory is the top level of all other directories.
/bin Common programs
/boot Everything needed for booting the system, and the kernel.
/dev Device files
/etc Most important system configuration files
/home The home directories of all users
/lib Library files
/lost+found Contains files which were saved during failures.
/mnt The normal mount point for external devices like CD-ROM drives.
/opt Normally contains software from third parties.
/root Home directory of the root user
/sbin Programs for the system and the administrator.
/tmp Temporary files; the content will be deleted on reboot.
/usr Documentation, libraries and programs for all users.
/var Place for all variable files, such as log files.
Shell scripts
#!/bin/bash

# external parameters
H_USERNAME=$CAKEUSER   # hacking game user name
H_PASSWORD=$CAKEPASS   # must be md5 encrypted (useradd -p takes the already hashed password)

if [ -z "$H_USERNAME" ]; then
    exit 3   # empty username = error and quit!
fi

# internal parameters
LOG_FILE=/var/log/secure.log

# add user and make home dir
useradd -m "$H_USERNAME" -p "$H_PASSWORD" -s /bin/bash || exit $?
cp /etc/skel/.bash_profile "/home/$H_USERNAME/" || exit $?
cp /etc/skel/.bashrc "/home/$H_USERNAME/" || exit $?

# make needed files
# secure.log
echo "Jan 05 14:23:01 secret tool: just made a very secret operation" > "$LOG_FILE"
echo "Jan 05 14:23:06 secret tool: just made a very secret operation" >> "$LOG_FILE"
echo "Jan 05 14:23:13 secret tool: delete some heavy stuff" >> "$LOG_FILE"
echo "Jan 05 14:23:15 secret tool: don't tell anybody about this special operation" >> "$LOG_FILE"

# change dir and file permissions
chown -R "$H_USERNAME:$H_USERNAME" "/home/$H_USERNAME" || exit $?
chmod 744 "$LOG_FILE" || exit $?
Listing 1: Setup-Script
#!/bin/sh

# external parameter
H_USERNAME=$CAKEUSER   # hacking game user name

# the task counts as solved when a file named <IP address of eth1>.log exists in the
# user's home directory; the awk program skips the "eth1" header line and takes the
# address after "inet addr:" from the following line of the ifconfig output
RENAMEDFILE=/home/$H_USERNAME/$(ifconfig eth1 | awk '/eth1/{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}').log

if [ -f "$RENAMEDFILE" ]; then
    exit 2   # file found: solved
else
    exit 3   # file missing: not solved
fi
Listing 2: Evaluation-Script
#!/bin/sh

H_USERNAME=$CAKEUSER

rm /var/log/secure.log 2> /dev/null

RC=0
deluser --remove-home "$H_USERNAME" > /dev/null || RC=$?
exit $RC
Listing 3: Cleanup-Script
E.1.2 Vi
Wiki text
find
With the find command you are able to search through a directory, and recursively through all of the directories it contains, for files which match certain criteria. The find command offers more than 50 parameters, so it’s good advice to have a look at the man page for detailed information.
Some practical usages:
Find the file xyz in the entire file system: find / -type f -name xyz -print
Print the names of all directories in the file system: find / -type d -print
The print statement in the above examples causes the system to print the path to each found entry relative to the searched directory.
grep
The grep command is used to find lines in given files which match a given expression. For example: if you have a logfile which contains several lines about an xyz-event, you can type:
grep xyz-event /path/to/logfile.log
Now grep will print all lines to the console which contains the string “xyz-event”.
Some helpful parameters for the grep command:
-v Prints all lines which do not match the given expression.
-l Prints only the file names of matching files, not the matching lines themselves.
-c Prints the number of matching lines.
-n Prints the line numbers of the matching lines.
-i Makes the search case-insensitive.
-r grep will search recursively through all files in the given directory and all sub-directories.
Another powerful possibility is to combine grep with the find command. With these two commands it is possible to search for a string in all files on the system (or only in certain file types): find . -exec grep -l xyz-event '{}' ';'
This line will search the string “xyz-event” in all files in the file system.
Vi/Vim
Vi was the standard editor for text files in Unix environments for many years. Since 1991 there has been an improved version of this editor: Vim. The Vim editor is nearly 100% backward compatible with the original Vi and brings a lot of improvements. The usage of this kind of editor is quite complex, but there is an excellent way to learn it: just type vimtutor on your command line, and this program will guide you into the world of Vim.
To look up the most important commands, here is a short list:
Switch to input mode: i
Save & quit: :wq
Quit without saving: :q!
Save: :w
Save as...: :w filename
Undo: u
Switch to edit mode: ESC i
Switch to command mode: ESC :
Cancel the current command: ESC
Jump to next word: w
Jump to previous word: b
Jump to start of line: 0
Jump to end of line: $
One page forward: ^f
One page backward: ^b
Delete next character: x
Delete previous character: X
Delete next word: de
Delete previous word: db
Delete current line: dd
Delete up to line end: d$
Define selection: v
Cut out selection: d
Copy selection: y
Paste selection: p
Help: :help
Shell scripts
#!/bin/bash

# external parameters
H_USERNAME=$CAKEUSER   # hacking game user name
H_PASSWORD=$CAKEPASS   # must be md5 encrypted (useradd -p takes the already hashed password)

if [ -z "$H_USERNAME" ]; then
    exit 3   # empty username = error and quit!
fi

# internal parameter
CHANGEFILE=/usr/share/employees

# add user and make home dir
useradd -m "$H_USERNAME" -p "$H_PASSWORD" -s /bin/bash || exit $?
cp /etc/skel/.bash_profile "/home/$H_USERNAME/" || exit $?
cp /etc/skel/.bashrc "/home/$H_USERNAME/" || exit $?

# make needed files
# employees (the quoted contents of the record lines are missing from the source listing)
echo "" > $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "
echo "
echo "
echo "
echo "
echo " " >> $CHANGEFILE
echo "" >> $CHANGEFILE

# change dir and file permissions
chown -R "$H_USERNAME:$H_USERNAME" "/home/$H_USERNAME" || exit $?
chmod 777 $CHANGEFILE || exit $?
Listing 4: Setup-Script
#!/bin/sh

# external parameter
H_USERNAME=$CAKEUSER   # hacking game user name

CHANGEFILE=/usr/share/employees

HOLIDAY=$(grep -c 'holiday' $CHANGEFILE)   # must be 15
BILL=$(grep -c 'Bill' $CHANGEFILE)         # must be 0
# TOP: the third pattern was cut off in the source listing; its count must be 1
TOP=$(grep -c '

if [ "$HOLIDAY" -eq 15 ]; then
    if [ "$BILL" -eq 0 ]; then
        if [ "$TOP" -eq 1 ]; then
            exit 2   # all three conditions met: solved
        fi
    fi
fi

exit 3   # not solved
Listing 5: Evaluation-Script
#!/bin/sh

H_USERNAME=$CAKEUSER

rm /usr/share/employees 2> /dev/null

RC=0
deluser --remove-home "$H_USERNAME" > /dev/null || RC=$?
exit $RC
Listing 6: Cleanup-Script
E.2 Man-in-the-middle scenarios
E.2.1 ARP-Spoofing [rb]
Wiki text
Address Resolution Protocol
From Wikipedia, the free encyclopedia [7]
In computer networking, the Address Resolution Protocol (ARP) is the standard method for finding a host’s hardware address when only its network layer address is known.
ARP is not an IP-only or Ethernet-only protocol; it can be used to resolve many different network-layer protocol addresses to hardware addresses, although, due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. It is also used for IP over other LAN technologies, such as Token Ring, FDDI, or IEEE 802.11, and for IP over ATM.
ARP is used in four cases of two hosts communicating:
1. When two hosts are on the same network and one desires to send a packet to the other
2. When two hosts are on different networks and must use a gateway/router to reach the other host
3. When a router needs to forward a packet for one host through another router
4. When a router needs to forward a packet from one host to the destination host on the same network
The first case is used when two hosts are on the same physical network (that is, they can directly communicate without going through a router). The last three cases are the most used over the Internet as two computers on the internet are typically separated by more than 3 hops.
In the first case, you would have two hosts on the same LAN segment, A and B. If, for example, Host A wants to send an IPv4 packet to Host B, Host A must already have an IPv4 address for Host B (the network layer address). However, in order to be able to send the packet on the LAN to Host B, Host A must also have a data link layer address, i.e. a MAC address, for Host B. If it doesn’t already know that MAC address, it would send an ARP request to ask for that MAC address, in the hopes of getting a reply from Host B, or another host on the network, giving that MAC address.
In the second case, for the same example, hosts A and B would be on different network segments, but there would be a router, on the same LAN segment as Host A, which is either on the same network segment as Host B, or on the same network segment as another router that is on the same network segment as Host B, or on the same network segment as another router that is on the same network segment as yet another router that is on the same segment as Host B, and so on. Host A would send the IPv4 packet not to Host B, but to the first of those routers; it would look up Host B in its routing table to determine the IPv4 address of the appropriate router. It would then, if it doesn’t already know the MAC address of that router, use ARP to determine that MAC address.
The third case is similar to the second case; the router would look up Host B in its routing table to determine the IPv4 address of the next router to which it should send the packet and, if it doesn’t already know the MAC address for the router, use ARP to determine that MAC address.
The fourth case is similar to the first case; the router has determined that Host B is on the same LAN segment, and, if it doesn’t already know Host B’s MAC address, will use ARP to determine that MAC address.
ARP is defined in RFC 826. It is a current Internet Standard, STD 37.
ARP spoofing
From Wikipedia, the free encyclopedia [8]
Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack).
The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker’s MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim’s default gateway. ARP Spoofing attacks can be run from a compromised host, a Jack Box, or a hacker’s machine that is connected directly onto the target Ethernet segment.
Application
ARP is a Layer 3 protocol. Both ARP request and ARP reply can be broadcast traffic. As such, it is not designed to allow for any ID validation on the transaction. While ARP Spoofing can occur in the course of ARP transactions, creating a race condition, the more common utilization is the distribution of unsolicited ARP responses which are cached by the clients creating the ARP Cache Poison scenario.
Defenses
The only method of completely preventing ARP spoofing is the use of static, non-changing ARP entries (each entry maps a MAC address to the corresponding IP address). However, this is not practical on a large network, due to the large overhead of keeping ARP tables up to date. Therefore another method, such as DHCP snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, Extreme Networks and Allied Telesis.
Detection is another avenue for defending against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. Checking for the existence of MAC address cloning may also provide a clue as to the presence of ARP spoofing, though there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query a MAC address for its associated IP address(es). If more than one IP address is returned, MAC cloning is present.
Legitimate usage
ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.
ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over a defective server and transparently offer redundancy.
History
One of the earliest articles on ARP spoofing was written by Yuri Volobuev in ARP and ICMP redirection games
ARP Spoofing Tools
Arpspoof (part of the DSniff suite of tools), Arpoison, Cain and Abel, Ettercap, and netcut are some of the tools that can be used to carry out ARP poisoning attacks.
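The detection approach described in the quoted "Defenses" paragraph (an arpwatch-style monitor that reports changed IP-to-MAC bindings, unsolicited replies and one MAC answering for several IPs), as an added Python example; it is not part of the SHiNE scripts or the quoted article, and the trace and all addresses in it are constructed.

```python
"""arpwatch-style ARP monitor over a constructed trace.

Added example (not SHiNE project code, not from the quoted article). It alerts on the
three signs named in the text: a changed IP-to-MAC binding, an unsolicited reply that
no host asked for, and one MAC address answering for several IP addresses (cloning).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # seconds since start of capture
    op: str            # "request" (who-has) or "reply" (is-at)
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed trace, all addresses made up: 192.168.1.1 is the gateway at
# 00:11:22:33:44:01; aa:bb:cc:dd:ee:99 starts answering for the gateway and for host .20.
TRACE = [
    ArpPacket(1.0, "request", "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),
    ArpPacket(1.1, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),
    ArpPacket(5.0, "reply",   "192.168.1.1",  "aa:bb:cc:dd:ee:99", "192.168.1.20"),
    ArpPacket(5.1, "reply",   "192.168.1.20", "aa:bb:cc:dd:ee:99", "192.168.1.1"),
    ArpPacket(9.0, "request", "192.168.1.30", "00:11:22:33:44:30", "192.168.1.1"),
    ArpPacket(9.1, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.30"),
]


class ArpMonitor:
    """Keeps the tables an arpwatch-like tool would keep and records alerts."""

    def __init__(self, request_window: float = 2.0) -> None:
        self.request_window = request_window              # how long a who-has stays "open"
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.pending: Dict[Tuple[str, str], float] = {}   # (asker ip, asked ip) -> who-has time
        self.alerts: List[str] = []

    def feed(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            self.pending[(pkt.sender_ip, pkt.target_ip)] = pkt.ts
        else:
            # A legitimate is-at answers a who-has that the target sent shortly before.
            asked = self.pending.pop((pkt.target_ip, pkt.sender_ip), None)
            if asked is None or pkt.ts - asked > self.request_window:
                self.alerts.append(
                    f"{pkt.ts}: unsolicited reply {pkt.sender_ip} is-at "
                    f"{pkt.sender_mac} to {pkt.target_ip}")
        self._learn(pkt)

    def _learn(self, pkt: ArpPacket) -> None:
        # Requests and replies both carry a sender ip/mac pair that clients cache.
        old = self.ip_to_mac.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append(
                f"{pkt.ts}: changed binding {pkt.sender_ip}: {old} -> {pkt.sender_mac}")
        self.ip_to_mac[pkt.sender_ip] = pkt.sender_mac
        self.mac_to_ips[pkt.sender_mac].add(pkt.sender_ip)
        if len(self.mac_to_ips[pkt.sender_mac]) > 1:
            ips = ", ".join(sorted(self.mac_to_ips[pkt.sender_mac]))
            self.alerts.append(f"{pkt.ts}: {pkt.sender_mac} claims several IPs: {ips}")


def run(trace: List[ArpPacket]) -> ArpMonitor:
    """Replay a trace in time order and return the monitor with its tables and alerts."""
    mon = ArpMonitor()
    for pkt in sorted(trace, key=lambda p: p.ts):
        mon.feed(pkt)
    return mon


if __name__ == "__main__":
    for line in run(TRACE).alerts:
        print(line)
```

On the constructed trace the monitor raises six alerts: two unsolicited replies, three changed bindings (including the flip back to the real gateway) and one MAC claiming two IPs.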
MAC address
From Wikipedia, the free encyclopedia [9]
In computer networking a Media Access Control address (MAC address) or Ethernet Hardware Address (EHA) or hardware address or adapter address is a quasi-unique identifier attached to most network adapters (NICs Network Interface Card). It is a number that acts like a name for a particular network adapter, so, for example, the network cards (or built-in network adapters) in two different computers will have different names, or MAC addresses, as would an Ethernet adapter and a wireless adapter in the same computer, and as would multiple network cards in a router. However, it is possible to change the MAC address on most of today’s hardware, often referred to as MAC spoofing.
Most layer 2 network protocols use one of three numbering spaces managed by the IEEE: MAC-48, EUI-48, and EUI-64, which are designed to be globally unique. Not all communications protocols use MAC addresses, and not all protocols require globally unique identifiers. The IEEE claims trademarks on the names "EUI-48" and "EUI-64" ("EUI" stands for Extended Unique Identifier).
MAC addresses, unlike IP addresses and IPX addresses, are not divided into "host" and "network" portions. Therefore, a host cannot determine from the MAC address of another host whether that host is on the same layer 2 network segment as the sending host or a network segment bridged to that network segment.
ARP is commonly used to convert from addresses in a layer 3 protocol such as Internet Protocol (IP) to the layer 2 MAC address. On broadcast networks, such as Ethernet, the MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. It thus forms the basis of most of the layer 2 networking upon which higher OSI Layer protocols are built to produce complex, functioning networks.
Notational conventions
The standard (IEEE 802) format for printing MAC-48 addresses in human-readable media is six groups of two hexadecimal digits, separated by hyphens (-) in transmission order, e.g. 01-23-45-67-89-ab. This form is also commonly used for EUI-64. Other conventions include six groups of two separated by colons (:), e.g. 01:23:45:67:89:ab; or three groups of four hexadecimal digits separated by dots (.), e.g. 0123.4567.89ab; again in transmission order.
Figure 43: Source: http://upload.wikimedia.org/wikipedia/commons/9/94/MAC-48_Address.svg
Address details
The original IEEE 802 MAC address comes from the original Xerox Ethernet addressing scheme. This 48-bit address space contains potentially 2^48 or 281,474,976,710,656 possible MAC addresses.
All three numbering systems use the same format and differ only in the length of the identifier. Addresses can either be "universally administered addresses" or "locally administered addresses."
A universally administered address is uniquely assigned to a device by its manufacturer; these are sometimes called ”burned-in addresses” (BIA). The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI). The following three (MAC-48 and EUI-48) or five (EUI-64) octets are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100; EUI-64s are not expected to run out in the foreseeable future.
A locally administered address is assigned to a device by a network administrator, overriding the burned-in address. Locally administered addresses do not contain OUIs.
Universally administered and locally administered addresses are distinguished by setting the second least significant bit of the most significant byte of the address. If the bit is 0, the address is universally administered. If it is 1, the address is locally administered. The bit is 0 in all OUIs. For example, 02-00-00-00-00-01. The most significant byte is 02h. The binary is 00000010 and the second least significant bit is 1. Therefore, it is a locally administered address.
If the least significant bit of the most significant byte is set to a 0, the packet is meant to reach only one receiving NIC. This is called unicast. If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast.
MAC-48 and EUI-48 addresses are usually shown in hexadecimal format, with each octet separated by a dash or colon. An example of a MAC-48 address would be "00-08-74-4C-7F-1D". If you cross-reference the first three octets with IEEE’s OUI assignments,[3] you can see that this MAC address came from Dell Computer Corp. The last three octets represent the serial number assigned to the adapter by the manufacturer.
The following technologies use the MAC-48 identifier format:
* Ethernet
* 802.11 wireless networks
* Bluetooth
* IEEE 802.5 token ring
* most other IEEE 802 networks
* FDDI
* ATM (switched virtual connections only, as part of an NSAP address)
* Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)
The distinction between EUI-48 and MAC-48 identifiers is purely semantic: MAC-48 is used for network hardware; EUI-48 is used to identify other devices and software. (Thus, by definition, an EUI-48 is not in fact a ”MAC address”, although it is syntactically indistinguishable from one and assigned from the same numbering space.)
Note: The IEEE now considers the label MAC-48 to be an obsolete term which was previously used to refer to a specific type of EUI-48 identifier used to address hardware interfaces within existing 802-based networking applications and should not be used in the future. Instead, the term EUI-48 should be used for this purpose.
EUI-64 identifiers are used in:
* FireWire
* IPv6 (as the low-order 64 bits of a unicast network address when temporary addresses are not being used)
* ZigBee / 802.15.4 wireless personal-area networks
The IEEE has built in several special address types to allow more than one Network Interface Card to be addressed at one time:
* Packets sent to the broadcast address, all one bits, are received by all stations on a local area network. In hexadecimal the broadcast address would be "FF:FF:FF:FF:FF:FF".
* Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
* Functional addresses identify one or more Token Ring NICs that provide a particular service, defined in IEEE 802.5.
These are "group addresses", as opposed to "individual addresses"; the least significant bit of the first octet of a MAC address distinguishes individual addresses from group addresses. That bit is set to 0 in individual addresses and 1 in group addresses. Group addresses, like individual addresses, can be universally administered or locally administered.
In addition, the EUI-64 numbering system encompasses both MAC-48 and EUI-48 identifiers by a simple translation mechanism. To convert a MAC-48 into an EUI-64, copy the OUI, append the two octets "FF-FF", and then copy the organization-specified part. To convert an EUI-48 into an EUI-64, the same process is used, but the sequence inserted is "FF-FE". In both cases, the process can be trivially reversed when necessary. Organizations issuing EUI-64s are cautioned against issuing identifiers that could be confused with these forms. The IEEE policy is to discourage new uses of 48-bit identifiers in favor of the EUI-64 system.
IPv6, one of the most prominent standards that uses EUI-64, applies these rules inconsistently. Due to an error in the appendix to the specification of IPv6 addressing, it is standard practice to extend MAC-48 addresses (such as IEEE 802 MAC address) to EUI-64 using "FF-FE" rather than "FF-FF."
Individual address block
An Individual Address Block comprises a 24-bit OUI managed by the IEEE Registration Authority, followed by 12 IEEE-provided bits (identifying the organization), and 12 bits for the owner to assign to individual devices. An IAB is ideal for organizations requiring fewer than 4097 unique 48-bit numbers (EUI-48).[4]
Bit-reversed notation
The standard transmission order notation for MAC addresses, as seen in the output of the ifconfig command for example, is also called canonical format.
However, since IEEE 802.3 (Ethernet) and IEEE 802.4 (Token Bus) send the bits over the wire with least significant bit first, while IEEE 802.5 (Token Ring) and IEEE 802.6 send the bits over the wire with most significant bit first, confusion may arise where an address in the latter scenario is represented with bits reversed from the canonical representation. So for instance, an address whose canonical form is 12-34-56-78-9A-BC would be transmitted over the wire as bits 01001000 00101100 01101010 00011110 01011001 00111101 in the standard transmission order (least significant bit first). But for Token Ring networks, it would be transmitted as bits 00010010 00110100 01010110 01111000 10011010 10111100 in most significant bit first order. If care is not taken to translate correctly and consistently to the canonical representation, the latter might be displayed as 482C6A1E593D, which could cause confusion. This would be referred to as "Bit-reversed order", "Non-canonical form", "MSB format", "IBM format", or "Token Ring format" as explained by RFC 2469. Canonical form is preferred.
Shell scripts
#!/bin/bash

# external parameters
gamers=$CAKE1                   # group for sudo rights
mainfolder=$CAKE2               # main folder for backups and scripts (normally /tmp/arp)
host_spoofer=$CAKE3             # host on which the automatic ettercap arpspoof is located (the drone)
host_spoofer_user=$CAKE4        # temporary user on the spoofing host
host_spoofer_pw=$CAKE5          # the user's cleartext password
script_spoofer=$CAKE6           # path to the script (normally /home/$host_spoofer_user/automaticARPSpoof)
host_user=$CAKE7                # the IP address of the spoofed host

# internal parameters
backdir=$mainfolder/back        # backup directory for changed files
scriptdir=$mainfolder/scripts   # script directory for needed scripts
undo=$mainfolder/undo           # whatever was changed can be restored with this script
timeafterarp=60                 # spoofing the user starts after this time (seconds)
spoofingtime=180                # time the host is spoofed (seconds)

# undo file for simple restoring
mkdir "$mainfolder" || exit 1
echo "#!/bin/bash" > "$undo" || exit 1
chmod +x "$undo" || exit 1
echo "folder=$mainfolder" >> "$undo" || exit 1

# install sudo for privileged commands if it isn't installed
if ! stat /usr/bin/sudo > /dev/null 2>&1; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# install expect for the password-protected login if it isn't installed
if ! stat /usr/bin/expect > /dev/null 2>&1; then
    aptitude install expect -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge expect -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# make the directories
mkdir "$backdir" || exit 1
mkdir "$scriptdir" || exit 1

# save the default sudoers file
cp /etc/sudoers "$backdir/sudoers" || exit 1
echo "cp $backdir/sudoers /etc/sudoers" >> "$undo" || exit 1

# add a group for the gamer
groupadd "$gamers" || exit 1
echo "groupdel $gamers" >> "$undo" || exit 1
echo "%$gamers ALL=/usr/sbin/arp" >> /etc/sudoers || exit 1

# replace the arp command !! we need it to notice when the gamer uses arp !!
mv /usr/sbin/arp "$backdir/arp" || exit 1
echo "mv $backdir/arp /usr/sbin/arp" >> "$undo" || exit 1

### functions ###

# script builder: writes every element of $mylist as one line to $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}
### end functions ###

## cheating the arp command

# make our own arp script: note the call in the checkfile, then run the original arp
TARGET_AND_LOCATION=$scriptdir/arpThis
mylist=("#!/bin/bash"
        "echo used \$@ >> $scriptdir/checkfile"
        "exec $backdir/arp \"\$@\"")
scriptbuild
# link arp to the cheated arp
ln -s "$scriptdir/arpThis" /usr/sbin/arp || exit 1
# change rights
chmod +x "$TARGET_AND_LOCATION" || exit 1

# make the ssh connection with password login to start the script on the drone
TARGET_AND_LOCATION=$scriptdir/autospoof
mylist=("#!/usr/bin/expect -f"
        "log_user 0"
        "set timeout -1"
        "spawn ssh $host_spoofer_user@$host_spoofer $script_spoofer $host_user $spoofingtime"
        "match_max 100000"
        "expect {"
        "    \"*(yes/no)*\" { send -- \"yes\r\"; exp_continue }"
        "    \"*?assword:*\" { send -- \"$host_spoofer_pw\r\" }"
        "}"
        "send -- \"\r\""
        "expect eof")
scriptbuild
chmod +x "$TARGET_AND_LOCATION" || exit 1

# make the background spoof script: wait until the gamer has used arp, then start the spoof
TARGET_AND_LOCATION=$scriptdir/backgroundscript
mylist=("#!/bin/bash"
        "while true; do"
        "    if grep -q used $scriptdir/checkfile 2> /dev/null; then"
        "        break"
        "    fi"
        "    sleep 5"
        "done"
        "sleep $timeafterarp"
        "$scriptdir/autospoof")
scriptbuild
chmod +x "$TARGET_AND_LOCATION" || exit 1

exit 0
Listing 7: Setup Environment
#!/bin/bash

# external parameters
mainfolder=$CAKE1
"$mainfolder/undo" || exit 1
rm -rf "$mainfolder" || exit 1
exit 0
Listing 8: Cleanup Environment
#!/bin/bash

# external parameters
USERNAME=$CAKEUSER        # hacking game user name
PASSWORD=$CAKEPASS        # must be the md5 crypt hash, not the cleartext (useradd -p)
gamers=$CAKE1             # group for sudo rights
mainfolder=$CAKE2         # main folder for backups and scripts

# internal parameters
backscript=$mainfolder/scripts/backgroundscript
timeafterarp=3

if [ -z "$USERNAME" ]; then
    exit 1    # empty username = error and quit!
fi

# add user and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$gamers" > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# modify the user's .bashrc: the background script starts with every login shell
echo "$backscript &" >> "/home/$USERNAME/.bashrc" || exit $?
exit 0
Listing 9: Setup user
#!/bin/bash

# external parameters
USERNAME=$CAKEUSER        # hacking game user name
deluser --remove-home "$USERNAME" > /dev/null 2>&1 || exit 1
exit 0
Listing 10: Cleanup user
#!/bin/bash

# external parameters
USERNAME=$CAKEUSER        # hacking game user name
PASSWORD=$CAKEPASS        # must be the md5 crypt hash, not the cleartext (useradd -p)
GROUP=$CAKE1              # group for sudo rights
mainfolder=$CAKE2         # optional
#spoofscript=$CAKE3       # optional

spoofscript=/home/$USERNAME/automaticARPSpoof
undo=$mainfolder/undo

if [ -z "$USERNAME" ]; then
    exit 1    # empty username = error and quit!
fi

# undo file for simple deinstalling
mkdir "$mainfolder" || exit 1
echo "#!/bin/bash" > "$undo" || exit 1
chmod +x "$undo" || exit 1
echo "folder=$mainfolder" >> "$undo" || exit 1

# install sudo for privileged commands if it isn't installed yet
if ! stat /usr/bin/sudo > /dev/null 2>&1; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# install ettercap if it isn't installed yet
if ! stat /usr/sbin/ettercap > /dev/null 2>&1; then
    aptitude install ettercap -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge ettercap -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# save the default sudoers file
cp /etc/sudoers "$mainfolder/sudoers" || exit 1
echo "cp $mainfolder/sudoers /etc/sudoers" >> "$undo" || exit 1

# add a group for the gamer
groupadd "$GROUP" || exit 1
echo "groupdel $GROUP" >> "$undo" || exit 1
echo "%$GROUP ALL=NOPASSWD: /usr/sbin/ettercap, /bin/kill" >> /etc/sudoers || exit 1

# add user and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$GROUP" || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

# script builder: writes every element of $mylist as one line to $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}

# make the spoof script (USAGE: automaticARPSpoof IP Time)
TARGET_AND_LOCATION=$spoofscript
mylist=('#!/bin/bash'
        'if (( $# < 2 )); then'
        '    echo "Not enough arguments. USAGE: IP Time"'
        '    exit 3'
        'fi'
        'ip=$1'
        'time=$2'
        'echo "ARP Poisoning start"'
        'sudo ettercap -Tq -Q -M arp //$ip > etter_output 2>&1 &'
        'etterPID=$!'
        'sleep 2'
        '# $! is the PID of the sudo process; ps works for any user, kill -0 would not'
        'if ps -p $etterPID > /dev/null; then'
        '    # SIGTERM is relayed by sudo to ettercap, which then re-ARPs the hosts'
        '    sleep $time && sudo kill $etterPID'
        'else'
        '    echo "ARP Poisoning was not started"'
        '    exit 1'
        'fi'
        'echo "ARP Poisoning end"'
        'exit 0')
scriptbuild
chmod +x "$spoofscript" || exit 1
exit 0
Listing 11: Setup drone
#!/bin/bash

# external parameters
mainfolder=$CAKE2
USERNAME=$CAKEUSER        # hacking game user name
deluser --remove-home "$USERNAME" > /dev/null 2>&1 || exit 1
"$mainfolder/undo" || exit 1
rm -rf "$mainfolder" > /dev/null 2>&1 || exit 1
exit 0
Listing 12: Cleanup drone
E.2.2 Hijacking[rb]
Wiki text
Telnet
From Wikipedia, the free encyclopedia [10]
TELNET (TELecommunication NETwork) is a network protocol used on the Internet or local area network (LAN) connections. It was developed in 1969 beginning with RFC 15 and standardized as IETF STD 8, one of the first Internet standards.
The term telnet also refers to software which implements the client part of the protocol. TELNET clients have been available on most Unix systems for many years and are available for virtually all platforms. Most network equipment and OSs with a TCP/IP stack support some kind of TELNET service server for their remote configuration (including ones based on Windows NT). Because of security issues with TELNET, its use has waned as it is replaced by the use of SSH for remote access.
"To telnet" is also used as a verb meaning to establish or use a TELNET or other interactive TCP connection, as in, "To change your password, telnet to the server and run the passwd command".
Most often, a user will be telneting to a Unix-like server system or a simple network device such as a switch. For example, a user might "telnet in from home to check his mail at school". In doing so, he would be using a telnet client to connect from his computer to one of his servers. Once the connection is established, he would then log in with his account information and execute operating system commands remotely on that computer, such as ls or cd.
On many systems, the client may also be used to make interactive raw-TCP sessions. It is commonly believed that a telnet session which does not include an IAC (character 255) is functionally identical. This is not the case however due to special NVT (Network Virtual Terminal) rules such as the requirement for a bare CR (ASCII 13) to be followed by a NULL (ASCII 0).
Protocol details
TELNET is a client-server protocol, based on a reliable connection-oriented transport. Typically this is TCP port 23, although TELNET predates TCP/IP and was originally run on NCP.
Initially, TELNET was an ad-hoc protocol with no official definition [1]. Essentially, it used an 8-bit channel to exchange 7-bit ASCII data. Any byte with the high bit set was a special TELNET character. On March 5th, 1973, a meeting was held at UCLA [2] where "New TELNET" was defined in two NIC documents: TELNET Protocol Specification, NIC #15372, and TELNET Option Specifications, NIC #15373. The protocol has many extensions, some of which have been adopted as Internet standards. IETF standards STD 27 through STD 32 define various extensions, most of which are extremely common. Other extensions are on the IETF standards track as proposed standards.
Security
When TELNET was initially developed in 1969, most users of networked computers were in the computer departments of academic institutions, or at large private and government research facilities. In this environment, security was not nearly as much of a concern as it became after the bandwidth explosion of the 1990s. The rise in the number of people with access to the Internet, and by extension, the number of people attempting to crack other people's servers made encrypted alternatives much more necessary. Experts in computer security, such as SANS Institute, and the members of the comp.os.linux.security newsgroup recommend that the use of TELNET for remote logins should be discontinued under all normal circumstances, for the following reasons:
* TELNET, by default, does not encrypt any data sent over the connection (including passwords), and so it is often practical to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access to a router, switch, hub or gateway located on the network between the two hosts where TELNET is being used can intercept the packets passing by and obtain login and password information (and whatever else is typed) with any of several common utilities like tcpdump and Wireshark.
* Most implementations of TELNET have no authentication to ensure that communication is carried out between the two desired hosts and not intercepted in the middle.
* Commonly used TELNET daemons have several vulnerabilities discovered over the years.
These security-related shortcomings have seen the usage of the TELNET protocol drop rapidly, especially on the public Internet, in favor of the ssh protocol, first released in 1995. SSH provides much of the functionality of telnet, with the addition of strong encryption to prevent sensitive data such as passwords from being intercepted, and public key authentication, to ensure that the remote computer is actually who it claims to be.
As has happened with other early Internet protocols, extensions to the TELNET protocol provide TLS security and SASL authentication that address the above issues. However, most TELNET implementations do not support these extensions; and there has been relatively little interest in implementing these as SSH is adequate for most purposes. The main advantage of TLS-TELNET would be the ability to use certificate-authority signed server certificates to authenticate a server host to a client that does not yet have the server key stored. In SSH, there is a weakness in that the user must trust the first session to a host when it has not yet acquired the server key.
Man In the Middle
From Wikipedia, the free encyclopedia [11]
In cryptography, the man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, the owner of a public wireless access point can in principle conduct MITM attacks on the users).
A man-in-the-middle attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.
The need for an additional transfer over a secure channel
With the exception of the Interlock Protocol, all cryptographic systems that are secure against MITM attacks require an additional exchange or transmission of information over some kind of secure channel. Many key agreement methods with different security requirements for the secure channel have been developed.
Example of a successful MITM attack against public-key encryption
Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to eavesdrop on the conversation, or possibly deliver a false message to Bob. To get started, Alice must ask Bob for his public key. If Bob sends his public key to Alice, but Mallory is able to intercept it, a man-in- the-middle attack can begin. Mallory sends a forged message to Alice that claims to be from Bob, but includes Mallory’s public key. Alice, believing this public key to be Bob’s, then encrypts her message with Mallory’s key and sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message, keeps a copy, and reenciphers it (after alteration if desired) using the public key Bob originally sent to Alice. When Bob receives the newly enciphered message, he will believe it came from Alice.
This example shows the need for Alice and Bob to have some way to ensure that they are truly using each other’s public keys, rather than the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key technology. Fortunately, there are a variety of techniques that help defend against MITM attacks.
Defenses against the attack
Various defenses against MITM attacks use authentication techniques that are based on:
* Public key infrastructures
* Stronger mutual authentication
* Secret keys (high information entropy secrets)
* Passwords (low information entropy secrets)
* Other criteria, such as voice recognition or other biometrics
* Off-the-Record Messaging for instant messaging
The integrity of public keys must generally be assured in some manner, but need not be secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a Certificate Authority, whose public key is distributed through a secure channel (for example, with a web browser or OS installation). Public keys can also be verified by a web of trust that distributes public keys through a secure channel (for example by face-to-face meetings). See key agreement for a classification of protocols that use various forms of keys and passwords to prevent man-in-the-middle attacks.
MITM in quantum cryptography
MITM attacks are a potential problem in quantum cryptography as well. Recently, hybrid protocols (classical + quantum) have been proposed to deal with it, especially for the three-stage quantum cryptography protocol.
Beyond cryptography
MITM should be seen as a general problem resulting from the presence of intermediate parties acting as proxy for clients on either side. If they are trustworthy and competent, all may be well; if they are not, nothing will be. How can one distinguish the cases? By acting as proxy and appearing as the trusted client to each side, the intermediate attacker can carry out much mischief, including various attacks against the confidentiality or integrity of the data passing through it.
A notable non-cryptographic man-in-the-middle attack was perpetrated by one version of a Belkin wireless network router in 2003. Periodically, it would take over an HTTP connection being routed through it: it would fail to pass the traffic on to destination, but instead itself respond as the intended server. The reply it sent, in place of the web page the user had requested, was an advertisement for another Belkin product. After an outcry from technically-literate users, this 'feature' was removed from later versions of the router's firmware.
Another example of a non-cryptographic man-in-the-middle attack is the "Turing porn farm". Brian Warner says this is a "conceivable attack" that spammers could use to defeat CAPTCHAs. The spammer sets up a pornographic web site where access requires that the user solves the CAPTCHAs in question. However, Jeff Atwood points out that this attack is merely theoretical; there is no evidence that any spammer has ever built a Turing porn farm. However, as reported in an October 2007 news story [6], while perhaps not being a farm as such, spammers have indeed built a Windows game in which users type in CAPTCHAs acquired from the Yahoo webmail service, and are rewarded with pornographic pictures. This allows the spammers to create temporary free email accounts with which to send out spam.
MITM Implementation Examples
* dsniff - A tool for SSL MITM attacks
* Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning
* PacketCreator - A tool for LAN based MITM attacks
* Ettercap - A tool for LAN based MITM attacks
* Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks
* AirJack - A tool that demonstrates 802.11 based MITM attacks
* wsniff - A tool for 802.11 HTTP/HTTPS based MITM attacks
Ettercap
From http://ettercap.sourceforge.net/ [12]
Short Description:
Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
Interface: All these features are integrated with easy-to-use and pleasurable ncurses/gtk interfaces.
Running Ettercap:
* You need to select a user interface (no default) using -T for Text only, -C for the Ncurses based GUI, or -G for the nice GTK2 interface.
Using Ettercap: getting a connection -> sniffing
The attacker is not able to see the connection because the switch only forwards the packets to the targeted address. To see all connections in the network the attacker starts Ettercap with the command: ettercap -T -i eth1 -M arp // //
* The first parameter is the output mode, in this case text.
* With 'i' the interface is given on which the attack is run. Default is eth0.
* 'M' means a man-in-the-middle attack based on 'arp' for all hosts ('// //'); with '/a.b.c.d/port /a.b.c.d/port' it is possible to define specific hosts to attack.
Ettercap now sends an ARP request for every possible IP address in the network to find out which addresses are present and which are active (figure: Host-Test). Faked ARP replies are then sent to every active IP address, so that all packets are sent via the MAC address of the attacker.
Control Connection and plant packets
With the use of filters it is now possible to log packets or to plant them. For this a filter has to be created and compiled. A detailed description of creating and using a filter is in the manual 'etterfilter' of Ettercap. This is an example of a filter that logs every telnet connection:
# log telnet traffic
if (ip.proto == TCP) {
    if (tcp.src == 23 || tcp.dst == 23) {
        log(DECODED.data, "./telnet.log");
    }
}
The collected data is written into telnet.log. The filter itself is saved under the name filter.txt and is compiled into filter.ef with the following command: etterfilter filter.txt -o filter.ef
To use the filter, Ettercap is started with the option '-F filter.ef'. After restarting Ettercap, all data from TCP streams on port 23 is logged: ettercap -T -i eth1 -F filter.ef -M arp // //
Alternatively it is possible to run Ettercap as a daemon and to log the data directly: ettercap -D -L /home/stud/log.log
Filtering gives a lot of possibilities to search a stream and to insert data.
End attack
When an attack is ended with Ettercap, every connection is released and the hosts are re-ARPed to the original MAC addresses, so that the ARP caches of the hosts again contain the correct mappings.
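As an added defender-side example (not part of the SHiNE scripts), the following Python models what an ARP monitor such as the arpwatch used in Listing 17 sees while the faked ARP replies described above are sent and when the re-ARP at the end of the attack reverts them; the IP and MAC addresses are constructed.

```python
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "time kind ip mac detail")

# Constructed ARP reply observations (time in seconds, sender IP, sender MAC); not a real capture.
# 10.0.0.1 is the gateway, 10.0.0.20 the victim and 10.0.0.66 the host running ettercap.
OBSERVED = [
    (0,  "10.0.0.1",  "00:11:22:33:44:01"),
    (1,  "10.0.0.20", "00:11:22:33:44:20"),
    (2,  "10.0.0.66", "00:11:22:33:44:66"),
    (60, "10.0.0.1",  "00:11:22:33:44:66"),   # faked reply: attacker's MAC claims the gateway
    (61, "10.0.0.20", "00:11:22:33:44:66"),   # faked reply: attacker's MAC claims the victim
    (62, "10.0.0.1",  "00:11:22:33:44:01"),   # genuine gateway reply, or the re-ARP when the attack ends
]


class ArpMonitor:
    """Minimal arpwatch-like IP->MAC tracker with two detections: a changed or
    flip-flopping MAC for a known IP, and one MAC answering for several IPs."""

    def __init__(self):
        self.table = {}                 # ip -> MAC currently believed to own it
        self.seen = defaultdict(set)    # ip -> every MAC ever seen for it
        self.alerts = []

    def observe(self, time, ip, mac):
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            # arpwatch logs "changed ethernet address" the first time and "flip flop"
            # when the IP swings back to a MAC it already had
            kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
            self.alerts.append(Alert(time, kind, ip, mac, f"was {prev}"))
        self.table[ip] = mac
        self.seen[ip].add(mac)
        owners = sorted(i for i, m in self.table.items() if m == mac)
        if len(owners) > 1:
            # one MAC answering for the gateway and a host at the same time is the typical
            # poisoning signature; a router with several IPs or proxy ARP can also cause it
            self.alerts.append(Alert(time, "mac claims multiple ips", ip, mac, ", ".join(owners)))

    def suspect_macs(self):
        """MACs that currently own more than one IP, with the IPs they claim."""
        by_mac = defaultdict(list)
        for ip, mac in self.table.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def run(observations=OBSERVED):
    """Feed the observations to a fresh monitor and return it for inspection."""
    monitor = ArpMonitor()
    for time, ip, mac in observations:
        monitor.observe(time, ip, mac)
    return monitor


if __name__ == "__main__":
    monitor = run()
    for a in monitor.alerts:
        print(f"t={a.time:>3}s {a.kind:<26} {a.ip:<10} {a.mac} ({a.detail})")
    print("suspect MACs:", monitor.suspect_macs())
```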
Session Hijacking
From Wikipedia, the free encyclopedia [13]
The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer (see HTTP cookie theft).
Analysis
Many web sites allow users to create and manage their own accounts, logging in using a username and password (which may or may not be encrypted during transit) or other authentication method. In order that the user does not have to re-enter their username and password on every page to maintain their session, many web sites use session cookies: a token of information issued by the server and returned by the user’s web browser to confirm its identity.
If an attacker is able to steal this cookie, they can make requests themselves as if they were the genuine user, gaining access to privileged information or changing data. If this cookie is a persistent cookie, then the impersonation can continue for a considerable period of time. Of course, session hijacking is not limited to the web; any protocol in which state is maintained using a key passed between two parties is vulnerable, especially if it's not encrypted.
other nodes and the access point.
* Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
* Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
Prevention
Methods to prevent session hijacking include:
* Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
* Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in.
* Encryption of the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack.
* Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
* Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly, on the web).
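As an added example (not part of the SHiNE code), this Python sketches a session store that applies the first, second, fourth and fifth measures listed above: a long random session key, a fresh id after login, an optional client-IP check, and per-request rotation; the class and method names are my own.

```python
import secrets


class SessionStore:
    """In-memory session store. Sending the id only over an encrypted connection (the third
    measure above) is the transport's job and is not modelled here."""

    KEY_BYTES = 32   # 256 bits of randomness: guessing a valid id by trial and error is hopeless

    def __init__(self):
        self._sessions = {}   # session id -> {"user": str or None, "ip": str}

    @classmethod
    def _new_id(cls):
        return secrets.token_urlsafe(cls.KEY_BYTES)

    def start(self, client_ip):
        """Anonymous session handed out on the first visit, before any login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "ip": client_ip}
        return sid

    def login(self, sid, user, client_ip):
        """Regenerate the id on a successful login: an id an attacker planted or learned
        before login (session fixation) does not carry over into the authenticated session."""
        data = self._sessions.pop(sid, None)
        if data is None:
            data = {}
        data.update(user=user, ip=client_ip)
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid, client_ip, rotate=False, bind_ip=True):
        """Return (user, id to send back) or (None, None) for an unknown or rejected id.
        bind_ip: secondary check that the request comes from the IP the session was bound to;
                 it stops a hijacker on another network but breaks for users whose IP changes.
        rotate:  hand out a fresh id on every request, so a stolen id only works until the
                 genuine user's next request and a later reuse of the old id is noticed."""
        data = self._sessions.get(sid)
        if data is None:
            return None, None
        if bind_ip and data["ip"] != client_ip:
            return None, None
        if rotate:
            del self._sessions[sid]
            sid = self._new_id()
            self._sessions[sid] = data
        return data["user"], sid


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.start("198.51.100.7")          # constructed client address
    post_login = store.login(pre_login, "alice", "198.51.100.7")
    print("id changed on login:", pre_login != post_login)
    print("old id still valid:", store.lookup(pre_login, "198.51.100.7") != (None, None))
    print("other IP accepted: ", store.lookup(post_login, "203.0.113.9") != (None, None))
```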
Use of a SecurID card, or other token based secondary authentication, is useless as protection against hijacking, as the attacker can simply wait until after the user authenticates, then hijack the session.
Shell scripts
#!/bin/bash

# external parameters
GROUP=$CAKE1                    # group for sudo rights
mainfolder=$CAKE2               # main folder for changes
backdir=$mainfolder/back        # backup directory for changed files
scriptdir=$mainfolder/scripts   # script directory for needed scripts
undo=$mainfolder/undo           # whatever was changed can be restored with this script

# undo file for simple restoring
mkdir "$mainfolder" || exit 1
echo "#!/bin/bash" > "$undo" || exit 1
chmod +x "$undo" || exit 1
echo "folder=$mainfolder" >> "$undo" || exit 1

# install sudo for privileged commands if it isn't installed
if ! stat /usr/bin/sudo > /dev/null 2>&1; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# install ettercap if it isn't installed
if ! stat /usr/sbin/ettercap > /dev/null 2>&1; then
    aptitude install ettercap -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge ettercap -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# make the directories
mkdir "$backdir" || exit 1
mkdir "$scriptdir" || exit 1

# save the default sudoers file
cp /etc/sudoers "$backdir/sudoers" || exit 1
echo "cp $backdir/sudoers /etc/sudoers" >> "$undo" || exit 1

# add a group for the gamer
groupadd "$GROUP" || exit 1
echo "groupdel $GROUP" >> "$undo" || exit 1
echo "%$GROUP ALL=/usr/sbin/ettercap" >> /etc/sudoers || exit 1

exit 0
Listing 13: Setup Environment
#!/bin/bash

# external parameters
mainfolder=$CAKE1
"$mainfolder/undo" || exit 1
rm -rf "$mainfolder" || exit 1
exit 0
Listing 14: Cleanup Environment
#!/bin/bash

# external parameters
USERNAME=$CAKEUSER        # hacking game user name
PASSWORD=$CAKEPASS        # must be the md5 crypt hash, not the cleartext (useradd -p)
GROUP=$CAKE1              # group for sudo rights

if [ -z "$USERNAME" ]; then
    exit 1    # empty username = error and quit!
fi

# add user and make home dir
useradd -m "$USERNAME" -p "$PASSWORD" -s /bin/bash -G "$GROUP" > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

exit 0
Listing 15: Setup User
#!/bin/bash

# external parameters
USERNAME=$CAKEUSER        # hacking game user name
deluser --remove-home "$USERNAME" > /dev/null 2>&1 || exit 1
exit 0
Listing 16: Cleanup User
#!/bin/bash

# external parameters
user=$CAKE1                     # user name for telnet
password=$CAKE2                 # telnet password
IP_TELNET_SERVER=$CAKE3         # the telnet server IP (router in the DMZ)
mainfolder=$CAKE5               # the main folder for backups (normally /tmp/drone)

# internal parameters
telnethost=linux                # choose linux or cisco as telnet host
interface=eth0                  # the interface on which spoofing is watched (for arpwatch)
backdir=$mainfolder/back        # backup directory for changed files
scriptdir=$mainfolder/scripts   # script directory for needed scripts
undo=$mainfolder/undo

# undo file for simple deinstalling
mkdir "$mainfolder" || exit 1
echo "#!/bin/bash" > "$undo" || exit 1
chmod +x "$undo" || exit 1
echo "folder=$mainfolder" >> "$undo" || exit 1

# make the directories
mkdir "$backdir" || exit 1
mkdir "$scriptdir" || exit 1

# install arpwatch if it isn't installed; otherwise its config is restored at cleanup
if ! stat /etc/init.d/arpwatch > /dev/null 2>&1; then
    aptitude install arpwatch -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge arpwatch -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
else
    echo "cp $backdir/arpwatch.conf /etc/arpwatch.conf || exit 1" >> "$undo" || exit 1
fi

# install expect for the password-protected login
if ! stat /usr/bin/expect > /dev/null 2>&1; then
    aptitude install expect -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge expect -y > /dev/null 2>&1 || exit 1" >> "$undo" || exit 1
fi

# let arpwatch watch the interface and restart it
cp /etc/arpwatch.conf "$backdir/arpwatch.conf" || exit 1
echo "$interface -a -N -m arp@noreport" >> /etc/arpwatch.conf || exit 1
/etc/init.d/arpwatch restart > /dev/null 2>&1 || exit 1

# script builder: writes every element of $mylist as one line to $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> "$TARGET_AND_LOCATION" || exit 1
    done
}
### end functions ###

# make the background scripts
TARGET_AND_LOCATION=$scriptdir/autotelnetlogin
if [ "$telnethost" == "linux" ]; then
    mylist=("#!/usr/bin/expect -f"
            "set timeout -1"
            "log_user 0"
            "spawn telnet $IP_TELNET_SERVER"
            "match_max 100000"
            'expect "*?ogin:*"'
            "send -- \"$user\r\""
            'expect "*?assword:*"'
            "send -- \"$password\r\""
            'send -- "\r"'
            'send -- "who\r"'
            'send -- "exit\r"'
            "expect eof")
fi

if [ "$telnethost" == "cisco" ]; then
    mylist=("#!/usr/bin/expect -f"
            "log_user 0"
            "set timeout -1"
            "spawn telnet $IP_TELNET_SERVER"
            "match_max 100000"
            'expect "*?assword:*"'
            "send -- \"$password\r\""
            'expect "*>*"'
            'send -- "show ssh\r"'
            'expect "*>*"'
            'send -- "exit\r"'
            'send -- "\r"'
            "expect eof")
fi
scriptbuild
chmod +x "$TARGET_AND_LOCATION" || exit 1

# log in via telnet each time arpwatch reports a changed address, at most four times
TARGET_AND_LOCATION=$scriptdir/backgroundcheck
mylist=('#!/bin/bash'
        'count=1'
        'while [ "$count" -lt 5 ]; do'
        '    if tail -n 5 /var/log/syslog | grep -q "changed ethernet address"; then'
        '        count=$((count + 1))'
        "        $scriptdir/autotelnetlogin"
        '    fi'
        '    sleep 30'
        'done')
scriptbuild
chmod +x "$TARGET_AND_LOCATION" || exit 1

# start the backgroundcheck script
nohup "$scriptdir/backgroundcheck" > /dev/null 2>&1 &
# kill the background process at cleanup (it may already have finished, so never fail here)
echo "kill -9 $! > /dev/null 2>&1 || true" >> "$undo"

exit 0
Listing 17: Setup Drone
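The backgroundcheck script in Listing 17 detects an ARP change by grepping the last five syslog lines for arpwatch's "changed ethernet address" message every 30 seconds. As an added example (not part of the SHiNE scripts), the same detection in Python over a constructed syslog excerpt: each arpwatch line is parsed into its fields, an IP-to-MAC table is kept, and the number of changes per IP is counted; the message formats follow arpwatch's syslog output and the alert threshold is an assumption mirroring the script's count of five.

```python
import re
from collections import Counter

# arpwatch syslog messages, as the daemon logs them (the sample lines below
# are constructed for this example, not taken from a real host):
#   new station IP MAC
#   changed ethernet address IP NEWMAC (OLDMAC)
#   flip flop IP NEWMAC (OLDMAC)
ARPWATCH_RE = re.compile(
    r"arpwatch: (?P<kind>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<old>[0-9a-f:]+)\))?\s*$"
)


def parse_arpwatch(line):
    """Return the fields of one arpwatch syslog line, or None for other lines."""
    m = ARPWATCH_RE.search(line)
    return m.groupdict() if m else None


class ArpMonitor:
    """Replays arpwatch events into an IP -> MAC table and counts changes.

    Polling `tail -n 5` every 30 s (as the backgroundcheck script does) counts
    a burst of changes once and misses any change that has already scrolled
    out of the last five lines; reading the log sequentially sees each event
    exactly once.
    """

    def __init__(self):
        self.table = {}            # ip -> MAC last seen answering for it
        self.changes = Counter()   # ip -> number of address changes observed

    def feed(self, line):
        ev = parse_arpwatch(line)
        if ev is None:
            return None
        if ev["kind"] != "new station":
            # "changed ethernet address" and "flip flop" both mean the MAC
            # now answering for this IP differs from the one recorded before.
            self.changes[ev["ip"]] += 1
        self.table[ev["ip"]] = ev["mac"]
        return ev["kind"]

    def suspicious(self, threshold):
        """IPs whose MAC changed at least `threshold` times (assumed policy)."""
        return sorted(ip for ip, n in self.changes.items() if n >= threshold)


def replay(lines, threshold=2):
    """Feed every line once; return the monitor and the flagged IPs."""
    mon = ArpMonitor()
    for line in lines:
        mon.feed(line)
    return mon, mon.suspicious(threshold)


# Constructed sample log excerpt, the kind of lines the script greps for.
SAMPLE_SYSLOG = [
    "Mar 16 20:23:54 drone arpwatch: new station 10.0.0.1 0:1:2:3:4:5",
    "Mar 16 20:24:01 drone arpwatch: new station 10.0.0.20 0:a:b:c:d:e",
    "Mar 16 20:24:30 drone cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 16 20:30:12 drone arpwatch: changed ethernet address 10.0.0.1 0:a:b:c:d:e (0:1:2:3:4:5)",
    "Mar 16 20:30:40 drone arpwatch: flip flop 10.0.0.1 0:1:2:3:4:5 (0:a:b:c:d:e)",
]

if __name__ == "__main__":
    mon, flagged = replay(SAMPLE_SYSLOG)
    print("table:", mon.table)
    print("changes:", dict(mon.changes))
    print("flagged:", flagged)
```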
#!/bin/bash

# external parameter
mainfolder=/tmp/drone
$mainfolder/undo || exit 1
rm -rf $mainfolder > /dev/null 2>&1 || exit 1
exit 0
Listing 18: Cleanup Drone
E.2.3 SSL-Cracking [aoe]
Wiki text

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.

The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom it is communicating. The next level of security, in which both ends of the "conversation" are sure with whom they are communicating, is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients unless TLS-PSK or TLS-SRP are used, which provide strong mutual authentication without needing to deploy a PKI.

A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection's security.

* The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.
* From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
* The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server's public encryption key. The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.
* In order to generate the session keys used for the secure connection, the client encrypts a random number with the server's public key, and sends the result to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
* From the random number, both parties generate key material for encryption and decryption.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes. If any one of the above steps fails, the TLS handshake fails, and the connection is not created. [14]
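The first two handshake steps above, as an added example in Python (not code from the SHiNE project): a constructed TLS 1.0 ClientHello record is parsed into the client's version, random, session id and offered cipher suites, and the server side then picks the strongest suite both ends support. Cipher suite numbers and names are the registered TLS values; the server preference list and the set of suites treated as too weak to negotiate are assumptions for this example.

```python
import struct

# Registered TLS cipher suite identifiers (a small subset).
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0000: "TLS_NULL_WITH_NULL_NULL",
}
# Assumed server policy: preference order, strongest first, and suites that
# are never negotiated even when they are the only overlap with the client.
SERVER_PREFERENCE = [0xC030, 0xC02F, 0x0035, 0x002F, 0x000A]
WEAK = {0x0005, 0x0003, 0x0000}   # RC4, export grade, no encryption


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello (RFC 2246, section 7.4.1.2).

    Returns the fields the handshake description mentions: the client's
    version, its random, its session id and the cipher suites it offers.
    """
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:         # 0x01 = ClientHello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated handshake message")
    version = (hello[0], hello[1])
    client_random = hello[2:34]
    pos = 34
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len])
    return {"version": version, "random": client_random,
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression}


def select_cipher(offered, preference=SERVER_PREFERENCE):
    """Server side of step two: the first suite in the server's preference
    order that the client also offers, skipping weak suites so the handshake
    fails instead of silently downgrading. Returns None if nothing fits."""
    for suite in preference:
        if suite in offered and suite not in WEAK:
            return suite
    return None


def negotiate(record):
    """Parse a ClientHello and return the name of the chosen suite, or None."""
    chosen = select_cipher(parse_client_hello(record)["cipher_suites"])
    return None if chosen is None else SUITES[chosen]


def build_client_hello(suites, client_random):
    """Construct a ClientHello record; used here only to make sample input."""
    body = bytes([3, 1]) + client_random + b"\x00"       # TLS 1.0, empty sid
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: a client offering two weak and two modern suites.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_HELLO = build_client_hello([0x0003, 0x002F, 0xC02F, 0x0005], SAMPLE_RANDOM)

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print("client version:", hello["version"])
    print("offered:", [SUITES.get(s, hex(s)) for s in hello["cipher_suites"]])
    print("server picks:", negotiate(SAMPLE_HELLO))
```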
Shell scripts
#!/bin/bash

# external parameter
gamers=sslgamer #group for sudo right
mainfolder=/tmp/ssl #mainfolder for backup and scripts (normal / tmp / arp )

# internal parameter
backdir=$mainfolder/back #backup directory for changed files
scriptdir=$mainfolder/scripts #script directory for needed scripts
undo=$mainfolder/undo #whatever was changed should be restorable

#undo file for simple restoring
mkdir $mainfolder || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1
echo "folder=$mainfolder" >> $undo || exit 1

#install sudo for running privileged commands if it isn't installed
stat /usr/bin/sudo > /dev/null 2>&1
if [ "$?" == "1" ]; then
    aptitude install sudo -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge sudo -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

#install expect for the password required login if it isn't installed
stat /usr/bin/expect > /dev/null 2>&1
if [ "$?" == "1" ]; then
    aptitude install expect -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge expect -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

#install the dsniff tools (webmitm etc.) if they aren't installed
stat /usr/sbin/webmitm > /dev/null 2>&1
if [ "$?" == "1" ]; then
    aptitude install dsniff -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge dsniff -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

#install ettercap
stat /usr/sbin/ettercap > /dev/null 2>&1
if [ "$?" == "1" ]; then
    aptitude install ettercap -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge ettercap -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

#install tcpdump
stat /usr/sbin/tcpdump > /dev/null 2>&1
if [ "$?" == "1" ]; then
    aptitude install tcpdump -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge tcpdump -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

#install ssldump
stat /usr/sbin/ssldump > /dev/null 2>&1
if [ "$?" == "1" ]; then
    aptitude install ssldump -y > /dev/null 2>&1 || exit 1
    echo "aptitude purge ssldump -y > /dev/null 2>&1 || exit 1" >> $undo || exit 1
fi

#make the directories
mkdir $backdir || exit 1
mkdir $scriptdir || exit 1

#save the default sudo file
cp /etc/sudoers $backdir/sudoers || exit 1
echo "cp $backdir/sudoers /etc/sudoers" >> $undo || exit 1

#add a group for the gamer and let it run the scenario tools via sudo
#(appended, so the existing sudoers entries survive; the backup is restored at cleanup)
groupadd $gamers || exit 1
echo "groupdel $gamers" >> $undo || exit 1
echo "%$gamers ALL=/usr/sbin/arp, /usr/sbin/ssldump, /usr/sbin/tcpdump, /usr/sbin/webmitm, /usr/sbin/msgsnarf, /usr/sbin/webspy, /usr/sbin/tcpnice, /usr/sbin/sshow, /usr/sbin/filesnarf, /usr/sbin/dnsspoof, /usr/sbin/tcpkill, /usr/sbin/dsniff, /usr/sbin/macof, /usr/sbin/sshmitm, /usr/sbin/arpspoof, /usr/sbin/urlsnarf, /usr/sbin/mailsnarf, /usr/sbin/ettercap" >> /etc/sudoers || exit 1

echo 1 > /proc/sys/net/ipv4/ip_forward || exit 1


exit 0
Listing 19: setup env
#!/bin/bash

#external parameter
USERNAME=$CAKEUSER # Hacking game user name
PASSWORD=$CAKEPASS # must be md5 encrypted
GROUP=$CAKE1 #group for sudo right

mainfolder=/tmp/ssl
undo=$mainfolder/undo

if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 1; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

#after ettercap has been started, IP forwarding is broken: the user should be able to fix it
chown $USERNAME:$GROUP /proc/sys/net/ipv4/ip_forward || exit 1
echo "chown root:root /proc/sys/net/ipv4/ip_forward" >> $undo || exit 1

exit 0
Listing 20: setup user
#!/bin/bash

# internal parameter
mainfolder=/tmp/ssl
backdir=$mainfolder/back #backup directory for changed files
scriptdir=$mainfolder/scripts #script directory for needed scripts
undo=$mainfolder/undo #whatever was changed should be restorable

#undo file for simple restoring
mkdir $mainfolder || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1
echo "folder=$mainfolder" >> $undo || exit 1
#apache2 ssl support
mkdir -p /etc/apache2/ssl/ || exit 1
echo "rm -rf /etc/apache2/ssl/" >> $undo || exit 1
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
echo "rm /etc/apache2/sites-available/ssl" >> $undo || exit 1
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
#the symlink has to go too, otherwise apache refuses to restart at cleanup
echo "rm /etc/apache2/sites-enabled/ssl" >> $undo || exit 1
#private key and self-signed certificate of the drone's DMZ web server
echo '-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCpono+cSOkpJ/G/sxjWCNvmZcW5SKHpqjMPTwBKBeLqFxFDYcR
viu0itQZdj5/W2PeJqiTLy+jNubHI0KhiXusiMcjZEdWHa5ibpprYxFVUndBILfk
i7/fI9+pnlJM4AVRpyspg+cnjMGcaFO7HGhg48S1PgthseLmWrkoQ9w9nQIDAQAB
AoGBAIj3e6S3TYQ+uBPA397G57XQWcJOuJa25kwilTSJ3pkRE49d4NVeq4NXJPJ6
GvRSIkzZAfv1eY1bYvMfcUlk7MmNlli4WqnhAPtiyuy2bx/UY+6LukZInCTGLG3M
bjN6BZsz6ONnuChuCpOmHCZseSLYp4NQd+6OU9GoF1KjL2WxAkEA29AwPQ5eKzvh
zZVIOH5kCsJpFBWPoT0R+tLeRmHrNxmi9lVk37ayTxMK8QmoyLcdHJUxibV9L6bA
8I4D4E22twJBAMWPkDc1tOpTP35A9HvtnMFjq3wTMubSirwsTG7GD3Qzvb0kYH6r
QuqmVfALD46A6KmztEbPYrUx8rHwLzuf+ksCQQDO65sNTsIs1rEIMxgKPkh0rG/4
PRe5A+EyCWC+Rp0CgHqcguRzh+swbs+k+Z/OWjnoVzWL2bHfsoz7peRWOTHfAkAv
UxOV1hyvYR+9i6vFIAdD4C9M+oBgAKFRMD9i7bj3+gkCjPs8fKP797pwVQX1+fVB
6ZVOvREFHKDpdQKrgsf/AkEAirH3IUiJgHjxZysOtz7aqa7YQ3a6MQL0WAzDrAOn
Ow4nA+kuY6d1Cl6HVqblPw3RiTkVVXSLSJPTVsv7jLtWCw==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDrjCCAxegAwIBAgIJAJ+FD8ULidqPMA0GCSqGSIb3DQEBBQUAMIGXMQswCQYD
VQQGEwJERTEPMA0GA1UECBMGQlJFTUVOMQ8wDQYDVQQHEwZCUkVNRU4xFzAVBgNV
BAoTDmhzLWJyZW1lbi5nYW1lMQ8wDQYDVQQLEwZuZXRzLXgxIjAgBgNVBAMTGWRt
ei1zZXJ2ZXIuaHMtYnJlbWVuLmdhbWUxGDAWBgkqhkiG9w0BCQEWCXRlc3RAdGVz
dDAeFw0wODAzMTYyMDIzNTRaFw0wODA0MTUyMDIzNTRaMIGXMQswCQYDVQQGEwJE
RTEPMA0GA1UECBMGQlJFTUVOMQ8wDQYDVQQHEwZCUkVNRU4xFzAVBgNVBAoTDmhz
LWJyZW1lbi5nYW1lMQ8wDQYDVQQLEwZuZXRzLXgxIjAgBgNVBAMTGWRtei1zZXJ2
ZXIuaHMtYnJlbWVuLmdhbWUxGDAWBgkqhkiG9w0BCQEWCXRlc3RAdGVzdDCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqaJ6PnEjpKSfxv7MY1gjb5mXFuUih6ao
zD08ASgXi6hcRQ2HEb4rtIrUGXY+f1tj3iaoky8vozbmxyNCoYl7rIjHI2RHVh2u
Ym6aa2MRVVJ3QSC35Iu/3yPfqZ5STOAFUacrKYPnJ4zBnGhTuxxoYOPEtT4LYbHi
5lq5KEPcPZ0CAwEAAaOB/zCB/DAdBgNVHQ4EFgQUzcoc307Z6Z6su3wlQx5GNN6x
Aq8wgcwGA1UdIwSBxDCBwYAUzcoc307Z6Z6su3wlQx5GNN6xAq+hgZ2kgZowgZcx
CzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCUkVNRU4xDzANBgNVBAcTBkJSRU1FTjEX
MBUGA1UEChMOaHMtYnJlbWVuLmdhbWUxDzANBgNVBAsTBm5ldHMteDEiMCAGA1UE
AxMZZG16LXNlcnZlci5ocy1icmVtZW4uZ2FtZTEYMBYGCSqGSIb3DQEJARYJdGVz
dEB0ZXN0ggkAn4UPxQuJ2o8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
gQBbjKcX68SWkZakS4SEM4eBD4XzpacDxRTOa9196m+xBdlatptq2D2J8sXgtveM
5nPSrZDEk8YluJQumCVau8VWp9j4Ymh1k3FosWKFkb9kKQOX0K8pb1WwR/jJ+4UM
EXGHw2vBknXUFeoyd9AO7XYnRa+DVI3576h7D5lLe/pzxQ==
-----END CERTIFICATE-----
' > /etc/apache2/ssl/apache.pem || exit 1
echo "rm /etc/apache2/ssl/apache.pem" >> $undo || exit 1
cp /etc/apache2/sites-available/default $backdir/apachedefault || exit 1
echo "cp $backdir/apachedefault /etc/apache2/sites-available/default" >> $undo || exit 1
sed 's/VirtualHost \*/VirtualHost \*:80/g' /etc/apache2/sites-available/default > /etc/apache2/sites-available/default.tmp || exit 1
mv /etc/apache2/sites-available/default.tmp /etc/apache2/sites-available/default || exit 1
sed 's/VirtualHost \*/VirtualHost \*:443/g' /etc/apache2/sites-available/ssl | sed -e '2a\\tSSLEngine ON\n\tSSLCertificateFile /etc/apache2/ssl/apache.pem' > /etc/apache2/sites-available/ssl.tmp || exit 1
mv /etc/apache2/sites-available/ssl.tmp /etc/apache2/sites-available/ssl || exit 1
echo "Listen 443" >> /etc/apache2/ports.conf || exit 1
echo "sed 's/Listen 443//g' /etc/apache2/ports.conf > /etc/apache2/ports.conf.tmp || exit 1" >> $undo || exit 1
echo "mv /etc/apache2/ports.conf.tmp /etc/apache2/ports.conf" >> $undo || exit 1
a2enmod ssl > /dev/null 2>&1 || exit 1
echo "a2dismod ssl > /dev/null 2>&1 || exit 1" >> $undo || exit 1
apache2ctl restart > /dev/null 2>&1 || exit 1
echo "apache2ctl restart > /dev/null 2>&1 || exit 1" >> $undo || exit 1
Listing 21: setup drone DM
#!/bin/bash

# internal parameter
mainfolder=/tmp/drone #mainfolder for backup and scripts
scriptdir=$mainfolder/scripts #script directory for needed scripts
undo=$mainfolder/undo #whatever was changed should be restorable

#undo file for simple restoring (the cleanup script runs it)
mkdir -p $scriptdir || exit 1
echo "#!/bin/bash" > $undo || exit 1
chmod +x $undo || exit 1

#script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> $TARGET_AND_LOCATION || exit 1
    done
}
### end functions ###

#make background scripts
TARGET_AND_LOCATION=$scriptdir/autowget
#fetch the DMZ homepage every 20 seconds without checking the certificate
mylist=("#!/bin/bash"
        "cd $mainfolder"
        'while true'
        'do'
        'wget https://dmz-sever.hs-bremen.game/homepage --no-check-certificate'
        "sleep 20"
        'done')
scriptbuild
chmod +x $TARGET_AND_LOCATION || exit 1

#start the background script
nohup $scriptdir/autowget &
#kill the background process at cleanup
echo "kill -9 $! > /dev/null 2>&1 || exit 1" >> $undo
Listing 22: setup drone
#!/bin/bash

ip_userhost=$CAKE1 #ip where the user played
#the ping output contains the address the name resolved to, even if the host does not answer
ping -c 3 www.netzlabor.hs-bremen.de > tmp 2>&1
if grep -q "$ip_userhost" tmp; then
    wget https://dmz-sever.hs-bremen.game/homepage --no-check-certificate || exit 1
    if ls index* > /dev/null 2>&1; then
        exit 2
    fi
    exit 3
fi
exit 0
Listing 23: evaluation
#!/bin/bash

# external parameter
mainfolder=/tmp/ssl
$mainfolder/undo
rm -rf $mainfolder || exit 1
exit 0
Listing 24: cleanup env
#!/bin/bash

#external parameter
USERNAME=$CAKEUSER # Hacking game user name
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0
Listing 25: cleanup user
#!/bin/bash

# external parameter
mainfolder=/tmp/drone
$mainfolder/undo || exit 1
rm -rf $mainfolder > /dev/null 2>&1 || exit 1
exit 0
Listing 26: cleanup drone
#!/bin/bash

# internal parameter
mainfolder=/tmp/ssl
$mainfolder/undo
rm -rf $mainfolder || exit 1
exit 0
Listing 27: cleanup drone DMZ
E.3 Passwort Hacking [ts]
E.3.1 John the Ripper
Wiki text
John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others.
Sample output
Here is a sample output in a Debian GNU/Linux environment.

root@0[john-1.6.37]# cat pass.txt
user:AZl.zWwxIh15Q
root@0[john-1.6.37]# john -w:password.lst pass.txt
Loaded 1 password hash (Traditional DES [24/32 4K])
example          (user)
guesses: 1  time: 0:00:00:00 100%  c/s: 752  trying: 12345 - pookie
Attack types
One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary), encrypting it in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the encrypted hashes.
John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently-used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it does take a long time (for all practical purposes, forever) to run.
Usage of John
To use John, you just need to supply it a password file and the desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental". Once John finds a password, it will be printed to the terminal and saved into a file called ~/john.pot. John will read this file when it restarts so it doesn't try to crack already done passwords. To see the cracked passwords, use

john -show passwd

Important: do this under the same directory where the password was cracked (when using the cronjob, /var/lib/john), otherwise it won't work. While cracking, you can press any key for status, or Ctrl+C to abort the session, saving point information to a file (~/restore by default). By the way, if you press Ctrl+C twice John will abort immediately without saving. The point information is also saved every 10 minutes (configurable in the configuration file, ~/john.ini) in case of a crash. To continue an interrupted session, run:

john -restore
Options
All the options recognized by john start with a single dash (‘-’). A summary of options is included below.
-external:MODE
Enables an external mode, using external functions defined in ~/john.ini's [List.External:MODE] section.
-format:NAME
Allows you to override the ciphertext format detection. Currently, valid format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option when cracking or with ’-test’. Note that John can’t crack password files with different ciphertext formats at the same time.
-groups:[-]GID[,..]
Tells John to load users of the specified group(s) only.
-incremental[:MODE]
Enables the incremental mode, using the specified ~/john.ini definition (section [Incremental:MODE], or [Incremental:All] by default).
-makechars:FILE
Generates a charset file, based on character frequencies from ~/john.pot, for use with the incremental mode. The entire ~/john.pot will be used for the charset file unless you specify some password files. You can also use an external filter() routine with this option.
-restore[:FILE]
Continues an interrupted cracking session, reading point information from the specified file (~/restore by default).
-rules
Enables wordlist rules, that are read from [List.Rules:Wordlist].
-salts:[-]COUNT
This feature sometimes allows you to achieve better performance. For example, you can crack only some salts using '-salts:2' faster, and then crack the rest using '-salts:-2'. Total cracking time will be about the same, but you will get some passwords cracked earlier.
-savemem:LEVEL
You might need this option if you don’t have enough memory, or don’t want John to affect other processes too much. Level 1 tells John not to waste memory on login names, so you won’t see them while cracking. Higher levels have a performance impact: you should probably avoid using them unless John doesn’t work or gets into swap otherwise.
-session:FILE
Allows you to specify another point information file’s name to use for this cracking session. This is useful for running multiple instances of John in parallel, or just to be able to recover an older session later, not always continue the latest one.
-shells:[-]SHELL[,..]
This option is useful to load accounts with a valid shell only, or not to load accounts with a bad shell. You can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match '/bin/csh'.
-show
Shows the cracked passwords in a convenient form. You should also specify the password files. You can use this option while another John is cracking, to see what it did so far.
-single
Enables the ”single crack” mode, using rules from [List.Rules:Single].
-status[:FILE]
Prints the status of an interrupted or running session. To get up-to-date status information of a detached running session, send that copy of John a SIGHUP before using this option.
-stdin
These are used to enable the wordlist mode (reading from stdin).
-stdout[:LENGTH]
When used with a cracking mode, except for ”single crack”, makes John print the words it generates to stdout instead of cracking. While applying wordlist rules, the significant password length is assumed to be LENGTH, or unlimited by default.
-test
Benchmarks all the enabled ciphertext format crackers, and tests them for correct operation at the same time.
-users:[-]LOGIN|UID[,..]
Allows you to filter a few accounts for cracking, etc. A dash before the list can be used to invert the check (that is, load all the users that aren’t listed).
-wordfile:FILE
These are used to enable the wordlist mode, reading words from FILE.
Modes
John can work in the following modes:
Wordlist
John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.
Single crack
In this mode, john will try to crack the password using the login/GECOS information as passwords.
Incremental
This is the most powerful mode. John will try any character combination to resolve the password. Details about these modes can be found in the MODES file in john’s documentation, including how to define your own cracking methods.
Files
/etc/john/john.conf is where you configure how john will behave.
/etc/john/john-mail.msg has the message sent to users when their passwords are successfully cracked.
/etc/john/john-mail.conf is used to configure how john will send messages to users that had their passwords cracked. [15] [16]
Shell scripts

Player setup script
#!/bin/sh

#external parameter
H_USERNAME=$CAKEUSER # Hacking game user name
H_PASSWORT=$CAKEPASS # must be md5 encrypted
if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME/ || exit $?
cp /etc/skel/.bashrc /home/$H_USERNAME/ || exit $?

#copy needed files
#put john.tar in the deployment field to have it deployed by game engine (not implemented yet)
cp -r /root/john-1.7.0.2/run /home/$H_USERNAME || exit $?
mv /home/$H_USERNAME/run /home/$H_USERNAME/john || exit $?

#create mypass file (fake unshadowed passwd): the password is built from the current time
passw=$(echo $(date +%S)$(date +%M)$(date +%w))
pass=$(perl -e "print crypt($passw,'xy');")
puser="root"$(echo $(date +%M))
echo "$puser:$pass:1019:100::/home/$puser:/bin/bash" > /home/$H_USERNAME/john/mypass || exit $?

#background_eval: generated script that waits until the hash shows up in john.pot
mkdir -p /tmp/$H_USERNAME || exit $?
BACKGROUND_EVAL=/tmp/$H_USERNAME/background_eval
echo "#!/bin/sh" > $BACKGROUND_EVAL
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_EVAL
echo "RUNNING=1" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The john executable is located in /home/$H_USERNAME/john." >> $BACKGROUND_EVAL
echo "echo The unshadowed passwd is also located there and named" >> $BACKGROUND_EVAL
echo "echo mypass. Good luck!" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
RUNNING='$RUNNING' #literal string, so the generated script tests its own variable
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_EVAL
echo "do" >> $BACKGROUND_EVAL
echo "if grep -q $pass /home/$H_USERNAME/john/john.pot; then" >> $BACKGROUND_EVAL
echo "RUNNING=0" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "sleep 3" >> $BACKGROUND_EVAL
echo "done" >> $BACKGROUND_EVAL
echo "echo done >> done" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo You discovered the password for user $puser." >> $BACKGROUND_EVAL
echo "echo Your task is done." >> $BACKGROUND_EVAL
echo "echo You will be logged out in 10 seconds." >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "sleep 10" >> $BACKGROUND_EVAL
echo "killall -u $H_USERNAME sshd" >> $BACKGROUND_EVAL

#change owner
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME || exit $?
chown $H_USERNAME:$H_USERNAME $BACKGROUND_EVAL || exit $?
chmod u+x $BACKGROUND_EVAL || exit $?
chmod o+x /home/$H_USERNAME/ || exit $?
chmod o+x /tmp/$H_USERNAME/ || exit $?

#modify user .bashrc
echo "$BACKGROUND_EVAL &" >> /home/$H_USERNAME/.bashrc || exit $?
Evaluation script
#!/bin/sh
H_USERNAME=$CAKEUSER
if grep -q done /home/$H_USERNAME/done 2> /dev/null; then
    exit 0
else
    exit 1
fi
Player cleanup script
#!/bin/sh
H_USERNAME=$CAKEUSER

RC=0
deluser -q --remove-home $H_USERNAME || RC=$?
rm -r /tmp/$H_USERNAME || RC=$?
exit $RC
E.3.2 Cron John
Wiki text

cron is a time-based scheduling service in Unix-like computer operating systems. The name is derived from Greek chronos, meaning time. cron has been recreated several times in its history. cron is driven by a crontab, a configuration file that specifies shell commands to run periodically on a given schedule.
Usage
Generally, the schedules modified by crontab are enacted by a daemon, crond, which runs constantly in the background and checks once a minute to see if any of the scheduled jobs need to be executed. If so, it executes them. These jobs are generally referred to as cron jobs. A job is executed when the time/date specification fields all match the current time and date, with the exception that either the "day of month" field (3) or the "day of week" field (5) must match the current day, even though the other of the two fields doesn't match the current day.

crontab syntax
The crontab files are where the lists of jobs and other instructions to the cron daemon are kept. Users can have their own individual crontab files and often there is a systemwide crontab file (usually in /etc or a subdirectory of /etc) which is also used but can only be edited by the system administrator(s). Each line of a crontab file represents a job and follows a particular format as a series of fields, separated by spaces and/or tabs. Each field can have a single value or a series of values.

Operators

There are several ways of specifying multiple date/time values in a field:

* The comma (',') operator specifies a list of values, for example: "1,3,4,7,8"
* The dash ('-') operator specifies a range of values, for example: "1-6", which is equivalent to "1,2,3,4,5,6"
* The asterisk ('*') operator specifies all possible values for a field. For example, an asterisk in the hour time field would be equivalent to 'every hour' (subject to matching other specified fields).

There is also an operator which some extended versions of cron support, the slash ('/') operator (called "step"), which can be used to skip a given number of values. For example, "*/3" in the hour time field is equivalent to "0,3,6,9,12,15,18,21"; "*" specifies 'every hour' but the "/3" means only those hours divisible by 3.

Fields
# +------------- minute (0 - 59)
# | +----------- hour (0 - 23)
# | | +--------- day of month (1 - 31)
# | | | +------- month (1 - 12)
# | | | | +----- day of week (0 - 6) (Sunday=0 or 7)
# | | | | |
  * * * * * command to be executed
Each of the patterns from the first five fields may be either * (an asterisk), which matches all legal values, or a list of elements separated by commas. Some implementations of cron (eg. that in the popular 4th BSD edition, written by Paul Vixie and included in Debian Linux distributions including Ubuntu) insert a username into the format as the sixth field, as whom the specified job will be run (subject to user existence in /etc/passwd and allowed permissions), but only in the system crontabs (/etc/crontab and /etc/cron.d/*), not in others which are each assigned to a single user to configure. The seventh (or sixth if no user field is part of the format) and subsequent fields (i.e., the rest of the line) specify the command to be run. For "day of the week" (field 5), both 0 and 7 are considered Sunday, though some versions of Unix such as AIX do not list "7" as acceptable in the man page.

Sample of a crontab
#M    H  D M W   Command
5     *  * * *   /usr/bin/message.sh
*/5   *  * * *   /usr/bin/message.sh
59    23 * * 0   cp /var/log/messages /log/backup/messages
0     0  * * *   cp /var/log/syslog /log/backup/syslog
20,30 1  * * 1-5 /usr/bin/work.sh
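The crontab format and matching rule described in this section, as an added example in Python (not part of the SHiNE scripts): the five time fields with the ',', '-', '*' and '/' operators are expanded to value sets, and a line is declared due for a given minute by the rule that all fields must match except that, when both day fields are restricted, either one matching is enough. The sample crontab is the one shown above; a field written with a leading '*' counts as unrestricted, as in Vixie cron.

```python
import datetime

# (low, high) for minute, hour, day of month, month, day of week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(spec, lo, hi):
    """Expand one crontab field to the set of values it matches.

    Handles '*', a single value, the ',' list, the '-' range and the '/'
    step operator (e.g. '*/3' or '1-10/2').
    """
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(item)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError("bad crontab field %r" % spec)
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line):
    """Return (specs, value sets, command) for a job line; None for comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields and a command: %r" % line)
    specs = parts[:5]
    fields = [parse_field(s, lo, hi) for s, (lo, hi) in zip(specs, FIELD_RANGES)]
    if 7 in fields[4]:               # Sunday may be written as 0 or 7
        fields[4].add(0)
    return specs, fields, parts[5]


def matches(specs, fields, when):
    """The matching rule: every field matches the current minute, except that
    when both day fields are restricted, either one matching suffices."""
    minute, hour, dom, month, dow = fields
    if (when.minute not in minute or when.hour not in hour
            or when.month not in month):
        return False
    cron_dow = (when.weekday() + 1) % 7   # Python Monday=0 -> cron Sunday=0
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    if not specs[2].startswith("*") and not specs[4].startswith("*"):
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def due_commands(crontab_text, when):
    """Commands crond would start at the minute `when` for this crontab."""
    due = []
    for line in crontab_text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed and matches(parsed[0], parsed[1], when):
            due.append(parsed[2])
    return due


def job_due(line, year, month, day, hour, minute):
    """Convenience wrapper: is this single crontab line due at that minute?"""
    specs, fields, _ = parse_crontab_line(line)
    return matches(specs, fields, datetime.datetime(year, month, day, hour, minute))


# The sample crontab from this section.
SAMPLE_CRONTAB = """\
#M H D M W Command
5 * * * * /usr/bin/message.sh
*/5 * * * * /usr/bin/message.sh
59 23 * * 0 cp /var/log/messages /log/backup/messages
0 0 * * * cp /var/log/syslog /log/backup/syslog
20,30 1 * * 1-5 /usr/bin/work.sh
"""


def sample_due(year, month, day, hour, minute):
    """What the sample crontab runs at that minute."""
    return due_commands(SAMPLE_CRONTAB, datetime.datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    print("Sunday 23:59:", sample_due(2008, 3, 16, 23, 59))
    print("Monday 01:20:", sample_due(2008, 3, 17, 1, 20))
```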
The first command (first line) always starts 5 minutes after every full hour, the second every 5 minutes, the third once a week, saturdays at 23.59h, the fourth every day at 00.00h and the fifth mondays to fridays at 01.20h and 01.30h. A job is executed when the time/date specification fields all match the current time and date. There is one exception: if both "day of month" and "day of week" are restricted (not "*"), then either the "day of month" field (3) or the "day of week" field (5) must match the current day (even though the other of the two fields need not match the current day). [17] [18]

Shell scripts

Player setup script
#!/bin/sh
#external parameter H_USERNAME=$CAKEUSER # Hacking game user name H_PASSWORT=$CAKEPASS # must be md5 encrypted if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then exit 3; #empty username = error and quit! fi
#adduser and make home dir useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash || exit $? cp /etc/skel/.bash_profile /home/$H_USERNAME/ cp /etc/skel/.bashrc /home/$H_USERNAME/
#copy needed files #put john.tar in the deployment field to have it deployed by game engine (not implemented yet) cp -r /root/john-1.7.0.2/run /home/$H_USERNAME || exit $? mv /home/$H_USERNAME/run /home/$H_USERNAME/john || exit $? echo > /home/$H_USERNAME/john/mypass USERCRON=/var/spool/cron/crontabs/$H_USERNAME echo > $USERCRON
#background_eval mkdir -p /tmp/$H_USERNAME || exit $? BACKGROUND_EVAL=/tmp/$H_USERNAME/background_eval echo > /home/$H_USERNAME/crontab2 bachelorproject ws 07/08 SHiNE 141
echo "#!/bin/sh" > $BACKGROUND_EVAL
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_EVAL
echo "RUNNING=1" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The cronjob should be scheduled for every saturday 10pm." >> $BACKGROUND_EVAL
echo "echo The john executable is located in home/$H_USERNAME/john." >> $BACKGROUND_EVAL
echo "echo The unshadowed passwd is also located there and named" >> $BACKGROUND_EVAL
echo "echo mypass. Good luck setting up the cronjob!" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
RUNNING='$RUNNING'
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_EVAL
echo "do" >> $BACKGROUND_EVAL
echo "if ( cat /home/$H_USERNAME/crontab | grep -w \"00 ** 22 ** \\* ** \\* ** 1 ** /home/$H_USERNAME/john/john ** /home/$H_USERNAME/john/mypass\" >> /dev/null); then" >> $BACKGROUND_EVAL
echo "RUNNING=0" >> $BACKGROUND_EVAL
echo "else" >> $BACKGROUND_EVAL
echo "if ( cat /home/$H_USERNAME/crontab | grep \" ** \" >> /dev/null); then" >> $BACKGROUND_EVAL
echo "if !( cmp /home/$H_USERNAME/crontab /home/$H_USERNAME/crontab2 >> /dev/null); then" >> $BACKGROUND_EVAL
echo "cp /home/$H_USERNAME/crontab /home/$H_USERNAME/crontab2" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The cronjob was not set up correct!" >> $BACKGROUND_EVAL
echo "if !( cat /home/$H_USERNAME/crontab | grep \"00 ** 22 ** \\* ** \\* ** 1\" >> /dev/null); then" >> $BACKGROUND_EVAL
echo "echo The part with the time is wrong." >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "if !( cat /home/$H_USERNAME/crontab | grep -w \"/home/$H_USERNAME/john/john ** /home/$H_USERNAME/john/mypass\" >> /dev/null); then" >> $BACKGROUND_EVAL
echo "echo The part with the command is wrong." >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "sleep 3" >> $BACKGROUND_EVAL
echo "done" >> $BACKGROUND_EVAL
echo "echo done >> done" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo $H_USERNAME, you correctly set up the cronjob." >> $BACKGROUND_EVAL
echo "echo Your task is done." >> $BACKGROUND_EVAL
echo "echo You will be logged out in 10 seconds." >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "sleep 10" >> $BACKGROUND_EVAL
echo "killall -u $H_USERNAME sshd" >> $BACKGROUND_EVAL

#Background copy of user's crontab with root rights
BACKGROUND_COPY=/tmp/$H_USERNAME/BACKGROUND_COPY.sh
echo "#!/bin/sh" > $BACKGROUND_COPY
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_COPY
echo "RUNNING=1" >> $BACKGROUND_COPY
RUNNING='$RUNNING'
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_COPY
echo "do" >> $BACKGROUND_COPY
echo "cp /var/spool/cron/crontabs/$H_USERNAME /home/$H_USERNAME/crontab" >> $BACKGROUND_COPY
echo "chown $H_USERNAME:$H_USERNAME /home/$H_USERNAME/crontab" >> $BACKGROUND_COPY
echo "sleep 2" >> $BACKGROUND_COPY
echo "done" >> $BACKGROUND_COPY

#change owner
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME || exit $?
chown $H_USERNAME:$H_USERNAME $BACKGROUND_EVAL || exit $?
chmod u+x $BACKGROUND_EVAL || exit $?
chmod o+x /home/$H_USERNAME/ || exit $?
chmod o+x /tmp/$H_USERNAME/ || exit $?
chmod u+x $BACKGROUND_COPY || exit $?
chown $H_USERNAME:$H_USERNAME $USERCRON

#modify user .bashrc
echo "$BACKGROUND_EVAL &" >> /home/$H_USERNAME/.bashrc || exit $?
/tmp/$H_USERNAME/BACKGROUND_COPY.sh &
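The evaluation loop above recognises the player's crontab entry with a single fixed grep pattern. As an added example that is not part of the SHiNE scripts, the function below compares the five time fields and the command of each crontab line separately, ignoring comments and extra blanks, and reports which part is wrong; the schedule passed in the usage is the one the hint announces, every Saturday at 22:00, which is 00 22 * * 6 in cron notation, and the crontab lines it is run against are constructed.

```shell
#!/bin/sh
# Added example, not part of the SHiNE scripts.
# check_cron_entry FILE MIN HOUR DOM MON DOW COMMAND...
# Looks for a crontab line whose five time fields and command equal the
# expected values, ignoring comment lines and runs of blanks.
# Return codes: 0 entry correct, 1 command found but schedule wrong,
#               2 schedule found but command wrong, 3 neither found.
check_cron_entry() {
    file=$1; e_min=$2; e_hour=$3; e_dom=$4; e_mon=$5; e_dow=$6
    shift 6
    e_cmd=$*
    # drop comments, collapse runs of blanks, trim leading/trailing blank
    cleaned=$(sed -e 's/#.*//' -e 's/[[:blank:]][[:blank:]]*/ /g' \
                  -e 's/^ //' -e 's/ $//' "$file")
    found=0; time_seen=0; cmd_seen=0
    set -f          # the '*' in cron fields must not become a file glob
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line                 # split the cleaned line on blanks
        [ $# -ge 6 ] || continue     # five time fields plus a command
        min=$1; hour=$2; dom=$3; mon=$4; dow=$5
        shift 5
        cmd=$*
        t_ok=0; c_ok=0
        [ "$min $hour $dom $mon $dow" = "$e_min $e_hour $e_dom $e_mon $e_dow" ] && t_ok=1
        [ "$cmd" = "$e_cmd" ] && c_ok=1
        [ $t_ok -eq 1 ] && time_seen=1
        [ $c_ok -eq 1 ] && cmd_seen=1
        [ $t_ok -eq 1 ] && [ $c_ok -eq 1 ] && found=1
    done <<EOF
$cleaned
EOF
    set +f
    [ $found -eq 1 ] && return 0
    [ $cmd_seen -eq 1 ] && return 1
    [ $time_seen -eq 1 ] && return 2
    return 3
}

# Usage (constructed): the background loop of the setup script would call
#   check_cron_entry /home/$H_USERNAME/crontab 00 22 '*' '*' 6 \
#       /home/$H_USERNAME/john/john /home/$H_USERNAME/john/mypass
# and print the time or command hint depending on the return code.
```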
Evaluation script
#!/bin/sh
H_USERNAME=$CAKEUSER
if (cat /home/$H_USERNAME/done | grep done); then exit 0; else exit 1; fi
Player cleanup script
#!/bin/sh
H_USERNAME=$CAKEUSER

RC=0
deluser -q --remove-home $H_USERNAME || RC=$?
killall BACKGROUND_COPY.sh || RC=$?
rm -r /tmp/$H_USERNAME || RC=$?
rm -f /var/spool/cron/crontabs/$H_USERNAME || RC=$?
exit $RC
E.3.3 Hydra
Wiki text
Hydra was a software project developed by "The Hacker's Choice" (THC) that uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords.
The list of supported services includes: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.
How to use
When installed on the machine, start a shell and simply type "hydra" to get an overview of the possible switches.
Restoring an aborted/crashed session
When hydra is aborted with Control-C, killed or crashes, it leaves a "hydra.restore" file behind which contains all necessary information to restore the session. This session file is written every 5 minutes. NOTE: if you are cracking parallel hosts (-M option), this feature doesn't work and is therefore disabled! NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. from little endian to big endian, or from solaris to aix).
[19] [20]
Shell scripts
Setup script
#!/bin/sh
#external parameter
H_USERNAME=$CAKE1 # Hacking game user name
H_PASSWORT=$CAKE2 # must be md5 encrypted
if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME/
cp /etc/skel/.bashrc /home/$H_USERNAME/
#add root user with random number (root##)
passw=rex
pass=$( perl -e "print crypt('$passw','xy');")
puser="root"$(echo $(date +%S)$(date +%M))
echo $puser > /home/$H_USERNAME/user
useradd -m $puser -p $pass -s /bin/bash || exit $?
echo > /home/$H_USERNAME/ftpuser
#create dictionary file
echo cat >> /home/$H_USERNAME/dic.txt
echo doggy >> /home/$H_USERNAME/dic.txt
echo pass >> /home/$H_USERNAME/dic.txt
echo rantanplan >> /home/$H_USERNAME/dic.txt
echo lucky >> /home/$H_USERNAME/dic.txt
echo felix >> /home/$H_USERNAME/dic.txt
echo garfield >> /home/$H_USERNAME/dic.txt
echo lassy >> /home/$H_USERNAME/dic.txt
echo password >> /home/$H_USERNAME/dic.txt
echo bark >> /home/$H_USERNAME/dic.txt
echo john >> /home/$H_USERNAME/dic.txt
echo candy >> /home/$H_USERNAME/dic.txt
echo rex >> /home/$H_USERNAME/dic.txt
#background_eval
mkdir -p /tmp/$H_USERNAME || exit $?
BACKGROUND_EVAL=/tmp/$H_USERNAME/background_eval
echo "#!/bin/sh" > $BACKGROUND_EVAL
echo "USER_NAME=$H_USERNAME" >> $BACKGROUND_EVAL
echo "RUNNING=1" >> $BACKGROUND_EVAL
echo "echo" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo The login you have to find the password for is $puser. You" >> $BACKGROUND_EVAL
echo "echo have to execute hydra from your home directory and use the" >> $BACKGROUND_EVAL
echo "echo -o switch with the filename ftpuser. for the evaluation" >> $BACKGROUND_EVAL
echo "echo script to work properly. Good luck!" >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
RUNNING='$RUNNING'
echo "while [ $RUNNING -eq 1 ]" >> $BACKGROUND_EVAL
echo "do" >> $BACKGROUND_EVAL
echo "if (cat /home/$H_USERNAME/ftpuser | grep \"$passw\" >> /dev/null); then" >> $BACKGROUND_EVAL
echo "RUNNING=0" >> $BACKGROUND_EVAL
echo "fi" >> $BACKGROUND_EVAL
echo "sleep 3" >> $BACKGROUND_EVAL
echo "done" >> $BACKGROUND_EVAL
echo "echo done >> done" >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo " >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "echo You discovered the password for the ftp login of user $puser." >> $BACKGROUND_EVAL
echo "echo Your task is done." >> $BACKGROUND_EVAL
echo "echo You will be logged out in 10 seconds." >> $BACKGROUND_EVAL
echo "echo ======" >> $BACKGROUND_EVAL
echo "sleep 10" >> $BACKGROUND_EVAL
echo "killall -u $H_USERNAME sshd" >> $BACKGROUND_EVAL
#change owner
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME || exit $?
chown $H_USERNAME:$H_USERNAME $BACKGROUND_EVAL || exit $?
chmod u+x $BACKGROUND_EVAL || exit $?
chmod o+x /home/$H_USERNAME/ || exit $?
chmod o+x /tmp/$H_USERNAME/ || exit $?

#modify user .bashrc
echo "$BACKGROUND_EVAL &" >> /home/$H_USERNAME/.bashrc || exit $?
Evaluation script
#!/bin/sh
H_USERNAME=$CAKE1
if (cat /home/$H_USERNAME/done | grep done); then exit 0; else exit 1; fi
Cleanup script
#!/bin/sh
H_USERNAME=$CAKE1

RC=0
puser=$(cat /home/$H_USERNAME/user)
deluser -q --remove-home $puser || RC=$?
deluser -q --remove-home $H_USERNAME || RC=$?
rm -r /tmp/$H_USERNAME || RC=$?
exit $RC
E.4 Honeyd [pm]
Wiki text
hping
hping is a TCP/IP packet assembler/analyzer. The interface is inspired by the ping unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.
While hping was mainly used as a security tool in the past, it can be used in many ways by people that don't care about security to test networks and hosts. A subset of the stuff you can do using hping [21]:
• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing
• hping can also be useful to students that are learning TCP/IP.
For more info see also Linux man page: man hping
Shell scripts
Cleanup environment - honeyd host
#!/bin/bash
#external parameter
USERNAME=$CAKEUSER # Hacking game user name
PASSWORD=$CAKEPASS # must be md5 encrypted
GROUP=$CAKE1

USERNAME=honey # Hacking game user name
PASSWORD=honeyd
GROUP=honeyplayer # default group for sudo rights configured in setup_env
if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/
exit 0
Shell script - Cleanup environment - player host
#!/bin/bash
#external parameter
honeyplayer=$CAKE1
honeyplayer=honeyplayer
BACKUP=/tmp/backup
# delete tool hping
aptitude purge hping -y > /dev/null 2>&1 || exit 1
aptitude purge hping3 -y > /dev/null 2>&1 || exit 1

# delete groups
groupdel $honeyplayer > /dev/null 2>&1 || exit 1

# restore sudoers from backup
cp $BACKUP/sudoers /etc/sudoers > /dev/null 2>&1 || exit 1

# delete scenario backup files
rm -rf $BACKUP > /dev/null 2>&1 || exit 1
exit 0
Shell script - Cleanup user
#!/bin/bash
USERNAME=$CAKEUSER
USERNAME=honey
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0
Shell script - Setup user environment
#!/bin/bash
# external parameter
honeyplayer=$CAKE1
honeyplayer=honeyplayer # group for gamers

# internal parameter
BACKUP=/tmp/backup

# make backupdir
mkdir $BACKUP > /dev/null 2>&1 || exit 1
# adding group and sudorights for hping & nmap
# save sudoers file
cp /etc/sudoers $BACKUP/sudoers > /dev/null 2>&1 || exit 1
groupadd $honeyplayer
echo %$honeyplayer ALL=/usr/sbin/hping >> /etc/sudoers
echo %$honeyplayer ALL=/usr/sbin/hping3 >> /etc/sudoers
echo %$honeyplayer ALL=/usr/bin/nmap >> /etc/sudoers

# install the hping tool
aptitude install hping2 -y > /dev/null 2>&1 || exit 1
aptitude install hping3 -y > /dev/null 2>&1 || exit 1
exit 0
Shell script - Setup user environment
#!/bin/bash
HONEYDPLAYER=honeyplayer
BACKDIR=/tmp/fsadsad
HONEYDDEFAULT=/etc/default/honeyd
HONEYDCONF=/etc/honeypot/honeydconf
HONEYDFINGERP=/etc/honeypot/nmap.prints
INTERFACE=eth1

#virtual pcs
HONEY1=10.0.1.11
HONEY2=10.0.1.12
HONEY3=10.0.1.14
HONEY4=10.0.1.15
HONEY5=10.0.1.17
HONEY6=10.0.1.18

#installing of farpd and honeyd
aptitude install farpd -y > /dev/null 2>&1 || exit 1
aptitude install honeyd -y > /dev/null 2>&1 || exit 1
mkdir -p $BACKDIR > /dev/null 2>&1 || exit 1
cp /etc/default/honeyd $BACKDIR > /dev/null 2>&1 || exit 1
rm $HONEYDDEFAULT > /dev/null 2>&1 || exit 1

#making of Honeyd default config
echo "RUN=\"yes\"" > $HONEYDDEFAULT
echo "INTERFACE=\"eth1\"" >> $HONEYDDEFAULT
echo "NETWORK=10.0.1.5/24" >> $HONEYDDEFAULT

#making of Honeyd config
echo "create windows" > $HONEYDCONF
echo "set windows personality \"Microsoft Windows NT 4.0 Server SP5-SP6\"" >> $HONEYDCONF
echo "set windows uptime 1728650" >> $HONEYDCONF
echo "set windows maxfds 35" >> $HONEYDCONF
echo "#For a complex IIS server" >> $HONEYDCONF
echo "add windows tcp port 80 \"perl /scripts/iis-0.95/iisemul8.pl\"" >> $HONEYDCONF
echo "add windows tcp port 139 open" >> $HONEYDCONF
echo "add windows tcp port 137 open" >> $HONEYDCONF
echo "add windows udp port 137 open" >> $HONEYDCONF
echo "add windows udp action reset" >> $HONEYDCONF
echo "set windows default tcp action reset" >> $HONEYDCONF

echo "route $HONEY1 link $HONEY1/32" >> $HONEYDCONF
echo "route $HONEY2 link $HONEY2/32" >> $HONEYDCONF
echo "route $HONEY3 link $HONEY3/32" >> $HONEYDCONF
echo "route $HONEY4 link $HONEY4/32" >> $HONEYDCONF
echo "route $HONEY5 link $HONEY5/32" >> $HONEYDCONF
echo "route $HONEY6 link $HONEY6/32" >> $HONEYDCONF
echo "bind $HONEY1 windows" >> $HONEYDCONF
echo "bind $HONEY2 windows" >> $HONEYDCONF
echo "bind $HONEY3 windows" >> $HONEYDCONF
echo "bind $HONEY4 windows" >> $HONEYDCONF
echo "bind $HONEY5 windows" >> $HONEYDCONF
echo "bind $HONEY6 windows" >> $HONEYDCONF

#starting of honeyd and farpd
honeyd -i $INTERFACE -f $HONEYDCONF -p $HONEYDFINGERP > /dev/null 2>&1 || exit 1
farpd -i $INTERFACE $HONEY1-$HONEY2 $HONEY3-$HONEY4 $HONEY5-$HONEY6 > /dev/null 2>&1 || exit 1
exit 0
Shell script - Setup user
#!/bin/bash

#external parameter
USERNAME=$CAKEUSER # Hacking game user name
PASSWORD=$CAKEPASS # must be md5 encrypted
GROUP=$CAKE1

USERNAME=honey # Hacking game user name
PASSWORD=honeyd
GROUP=honeyplayer # default group for sudo rights configured in setup_env
if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/
exit 0
E.5 Monitoring Tools [cg]
E.5.1 Cacti
Wiki Text
What is Cacti?
Cacti is a complete frontend to RRDTool; it stores all of the information necessary to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain graphs, data sources and round robin archives in a database, Cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG [22].
Data Sources
To handle data gathering, you can feed Cacti the paths to any external script/command along with any data that the user will need to "fill in"; Cacti will then gather this data in a cronjob and populate round robin archives. All administrative information is stored in a MySQL database.
Data sources can also be created which correspond to actual data on the graph. For instance, if a user wanted to graph the ping times to a host, you could create a data source utilizing a script that pings a host and returns its value in milliseconds. After defining options for RRDTool such as how to store the data, you will be able to define any additional information that the data input source requires, such as a host to ping in this case. Once a data source is created, it is automatically maintained at five minute intervals.
Graphs
Once one or more data sources are defined, an RRDTool graph can be created using the data. Cacti allows you to create almost any imaginable RRDTool graph using all of the standard RRDTool graph types and consolidation functions. A color selection area and automatic text padding function also aid in the creation of graphs to make the process easier.
Not only can you create RRDTool based graphs in Cacti, but there are many ways to display them. Along with a standard "list view" and a "preview mode", which resembles the RRDTool frontend, there is a "tree view", which allows you to put graphs onto a hierarchical tree for organizational purposes.
Templating
Lastly, Cacti is able to scale to a large number of data sources and graphs through the use of templates. This allows the creation of a single graph or data source template which defines any graph or data source associated with it. Host templates enable you to define the capabilities of a host so Cacti can poll it for information upon the addition of a new host. [22]
Basic Principles
Cacti is a Monitoring Solution. As such, operation may be divided into three different tasks[23]:
Data Retrieval
The first task is to retrieve data. Cacti does so using its poller. The poller is executed by the operating system's scheduler, e.g. crontab for Unix-flavored OSes.
In current IT installations you are dealing with lots of devices of different kinds, e.g. servers, network equipment, appliances and the like. To retrieve data from remote targets/hosts, Cacti mainly uses the Simple Network Management Protocol (SNMP). Thus, all devices capable of using SNMP are eligible to be monitored by Cacti. Later on, we demonstrate how to extend Cacti's capabilities of retrieving data to scripts, script queries and more.
Data Storage
There are lots of different approaches for this task. Some may use an (SQL) database, others flat files. Cacti uses rrdtool to store data. RRD is the acronym for Round Robin Database. RRD is a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average). It stores the data in a very compact way that will not expand over time, and it can create beautiful graphs. This keeps storage requirements at bay.
Data Presentation
One of the most appreciated features of rrdtool is the built-in graphing function. This comes in useful when combining it with some commonly used webserver. Thus, it is possible to access the graphs from nearly any browser on any platform. Graphing can be done in very different ways. It is possible to graph one or many items in one graph. Autoscaling and a logarithmic y-axis are supported as well. You may stack items onto one another and print pretty legends denoting characteristics such as minimum, average, maximum and lots more.
Basic Usage
Cacti is mainly used to monitor the load (network bandwidth, CPU load) of different network components or other IT systems within an environment. A common usage is to query network switch or router interfaces via SNMP to monitor network traffic. Furthermore, Cacti is also capable of displaying environmental conditions like temperature, air humidity and many more.
Cacti is sometimes used by web hosting providers (especially dedicated server, virtual private server and colocation providers) to display bandwidth statistics for their customers.[24]
Getting Cacti started
Cacti provides a web interface which can be easily accessed at:
http://localhost/cacti/
The user is then asked for a username and password:
username:guest password:cacti
Cacti has two users by default: the "admin" user who has full rights and the user "guest" with only rights to view graphs.
In addition, user-based management allows administrators to create users and assign different levels of permissions to the Cacti interface. Permissions can be specified per graph for each user, making Cacti suitable for colocation situations. Each user can keep their own graph settings for varying viewing preferences [25].
The web interface of Cacti lists all devices like routers, switches and host PCs in a tree view on the left-hand side. The tree view allows users to put graphs into a hierarchical order to manage and organize a large number of graphs easily.
By default Cacti shows all graphs of the last day. This option may be changed to custom settings: the user can either use presets or define a specific time period.
Analysis
All graphs in Cacti look basically like this:
Router NAT is the name of the network device, Fa 0/0.1 means that Fast Ethernet interface 0/0.1 is monitored. The x-axis displays the time period (here the standard preset is the last day) and the y-axis shows how many bits per second were received (the green part) and sent (the blue curve). The constant display of data indicates that nothing specific is going on in the network; the only traffic is the SNMP queries to the devices.
The following graph is perhaps a little bit more interesting:
It collects data from the interface eth1 of the host Pluto. Until 4 pm there is no activity, but then the suddenly rising blue curve indicates that data is being sent, and quite a lot of it (over 60 Mbit per second). The CPU usage or the number of ssh connections on port 22 can also be an indicator of what is going on.
The path the data takes through the network can be followed by looking at the specific interfaces of the routers and switches.
Here, data was sent from a host in a VLAN to the DMZ. Data passing through the routers is always received on Fa 0/0 and sent on Fa 0/1 due to the network topology. This example shows that comprehension and knowledge of the topology map can be very helpful.
Please keep in mind that the Cacti poller collects data at five-minute intervals, so it can take up to five minutes until the traffic data is visible.
Installation
Very helpful for setting up and for receiving further information on Cacti is the following URL: http://docs.cacti.net/node/8, which includes the Cacti manual and Cacti howtos. Network lab (http://www.nwlab.net/tutorials/cacti/cacti-tutorial.html) also provides a good tutorial for installing Cacti, but in German.
RRDtool
RRDtool is short for Round Robin Database tool. It was written for Linux and Windows by Tobi Oetiker as a replacement for MRTG (Multi Router Traffic Grapher) and is licensed under the GNU GPL.
It is designed to handle time series data like network bandwidth, temperatures, CPU load etc. The data is stored in a round-robin database so that system storage footprint remains constant over time[26].
The advantage of RRDs compared to relational databases is that recent data is stored with a higher temporal resolution than older data; older data is overwritten by newer data. The result is a fast database of constant size. In addition, the user can decide on the specific period and the resolution of the measured data, which is stored in so-called RRAs (Round Robin Archives) [27].
RRDtool can be used to write custom monitoring shell scripts or to create whole applications using its Perl, Python, Ruby, TCL or PHP bindings [28], and it also includes tools to extract RRD data in a graphical format.
SNMP
The Simple Network Management Protocol (SNMP) [29] forms part of the internet protocol suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications.
Overview and basic concepts
In typical SNMP usage, there are a number of systems to be managed, and one or more systems managing them. A software component called an agent (see below) runs on each managed system and reports information via SNMP to the managing systems. Essentially, SNMP agents expose management data on the managed systems as variables (such as "free memory", "system name", "number of running processes", "default route"). The managing system can retrieve the information through the GET, GETNEXT and GETBULK protocol operations or the agent will send data without being asked using TRAP or INFORM protocol operations. Management systems can also send configuration updates or controlling requests through the SET protocol operation to actively manage a system. Configuration and control operations are used only when changes are needed to the network infrastructure. The monitoring operations are usually performed on a regular basis. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases (MIBs).
SNMP basic components
An SNMP-managed network consists of three key components:
• Managed devices
• Agents
• Network-management systems (NMSs)
A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be any type of device including, but not limited to, routers and access servers, switches and bridges, hubs, IP telephones, computer hosts, or printers.
An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. A network management system (NMS) executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network.
Usage examples
• Monitoring device uptimes (sysUpTimeInstance)
• Inventory of OS versions (sysDescr)
• Collect interface information (ifName, ifDescr, ifSpeed, ifType, ifPhysAddr)
• Measuring network interface throughput (ifInOctets, ifOutOctets)
• Querying a remote ARP cache (ipNetToMedia)
Shell scripts
The player setup script should always be executed on the Cacti server ramses.
#!/bin/bash

#external parameter
H_USERNAME=$CAKEUSER # Hacking game user name
H_PASSWORT=$CAKEPASS # must be md5 encrypted

if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

#add user and make home dir
useradd -m $H_USERNAME -p $H_PASSWORT -s /bin/bash >/dev/null 2>&1 || exit 1
cp /etc/skel/.bash_profile /home/$H_USERNAME/ >/dev/null 2>&1 || exit 1
cp /etc/skel/.bashrc /home/$H_USERNAME/ >/dev/null 2>&1 || exit 1

#change file permission
chown -R $H_USERNAME:$H_USERNAME /home/$H_USERNAME/ >/dev/null 2>&1 || exit 1

exit 0
Listing 28: player setup
#!/bin/bash

#external parameter
H_USERNAME=$CAKEUSER

#delete user
deluser --remove-home $H_USERNAME >/dev/null 2>&1 || exit 1

exit 0
Listing 29: player cleanup
The drone setup script should be executed both on Pluto and DMZ Server (or any other systems). For the transfer of the traffic file via scp without a password prompt, authentication via private and public key is needed.
Therefore the cactiScenario_keys.tar file (which can be downloaded from https://www.netzlabor.hs-bremen.de/wiki/index.php/Basisszenario Cacti) has to be put on the game engine as var/www/nets-x/packages/cactiScenario_keys.tar and also into the software deployment field next to the drone setup script in the game authoring admin interface.
The cactiScenario_keys.tar file contains the ssh keys for the drone user, which were created by
ssh-keygen -t rsa -b 2048
and also a file authorized_keys which contains the content of the public key in order to allow authentication by public and private key (normally this file is needed only on the target system).
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
To ensure an ssh/scp connection without user interaction, the file ssh_config in /etc/ssh/ should be adapted so that strict host key checking is suppressed.
#!/bin/bash
#drone setup script
#should be executed both on PC03 and PC01

#internal parameter
D_USERNAME=uXtInVw #hardcoded username
D_PASSWORT='30b0f6fca3f5bf514d28a568df75ae13' #cleartext:netzlabor
D_KEYS=cactiScenario_keys.tar

#add user and make home dir
useradd -m $D_USERNAME -p $D_PASSWORT -s /bin/bash -d /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1
cp /etc/skel/.bash_profile /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1
cp /etc/skel/.bashrc /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1

#untar keys to user home directory
tar -xf /tmp/$D_KEYS -C /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1

#change file permission
chown -R $D_USERNAME:$D_USERNAME /home/$D_USERNAME/ >/dev/null 2>&1 || exit 1

exit 0
Listing 30: drone setup
Since it is allowed to execute more than one script on each script stack, the traffic setup script is executed together with the drone setup script, but on level 2. This script is executed as the drone user and only on the host Pluto.
#!/bin/bash
#should be executed on PC03

#internal parameter
D_USERNAME=uXtInVw
D_TARGET=$CAKE1 #IP DMZ_Server
D_TRAFFIC=trafficfile

#create new trafficfile
su $D_USERNAME -c "dd bs=1M count=100 if=/dev/zero of=/home/$D_USERNAME/$D_TRAFFIC >/dev/null 2>&1 || exit 1;

#change file permission
chown $D_USERNAME:$D_USERNAME /home/$D_USERNAME/$D_TRAFFIC >/dev/null 2>&1 || exit 1;

#file will be copied to target (will be stopped by cleanup script)
while [ true ];do
    scp /home/$D_USERNAME/$D_TRAFFIC $D_USERNAME@$D_TARGET:/home/$D_USERNAME/ >/dev/null 2>&1 || exit 1
done "

exit 0
Listing 31: traffic setup
Evaluation will be handled by string evaluation. In this case the name of the employee (drone) is:
Pluto
Listing 32: evaluation string
The drone cleanup script should be executed both on Pluto and DMZ Server.
#!/bin/bash

D_USERNAME=uXtInVw
D_KEYS=cactiScenario_keys.tar

if [ "`hostname`" = "PC03" ]; then
    #kill all processes running by drone
    killall -u $D_USERNAME >/dev/null 2>&1 || exit 1
fi

#delete user
deluser --remove-home $D_USERNAME >/dev/null 2>&1 || exit 1

#delete keys
rm /tmp/$D_KEYS >/dev/null 2>&1 || exit 1

exit 0
Listing 33: drone cleanup
Integration FAI [mt]
All relevant preparations for integrating Cacti in the fully automatic installation can be found on https://www.netzlabor.hs-bremen.de/wiki/index.php/Cacti "Integration in FAI".
E.5.2 Ntop
Integration FAI [cg]
Please refer to https://www.netzlabor.hs-bremen.de/wiki/index.php/Ntop "Integration FAI" for information concerning the preparation of ntop for FAI.
E.6 IDS scenarios [jl]
E.6.1 Run snort
Wiki text
Wiki article for scenario run snort.
snort
The Intrusion Detection System (IDS) snort scans the whole traffic on one network interface for data or events that are defined in its configuration. If one of the rules in this configuration matches an event or data in the network traffic, an alert file is written which can be evaluated. This file is located at /var/log/snort/alert. To run snort enter the following:
snort -c <
The parameter -c defines the configuration file to use. By default this is /etc/snort/snort.conf, but you can use any other valid file. The interface to scan on is defined with the -i parameter. If you want to run snort in the background, use the parameter -D; otherwise omit it.
Shell scripts
#!/bin/sh
H_GROUPNAME=$CAKE1
H_INTERFACE=$CAKE2

#local variables
H_GROUPFOLDER='/tmp/'$H_GROUPNAME
H_SUDOERS='/etc/sudoers'

#kill running snorts
killall -s SIGKILL snort >/dev/null
#folder for caching
mkdir $H_GROUPFOLDER >/dev/null
#create group, which is allowed to run snort
groupadd -g 1000 $H_GROUPNAME -f >/dev/null
#backup files
cp $H_SUDOERS $H_GROUPFOLDER >/dev/null
#define sudoers
echo 'Defaults env_reset' > $H_SUDOERS
echo 'Cmnd_Alias SNORT = /usr/sbin/snort' >> $H_SUDOERS
echo 'root ALL=(ALL) ALL' >> $H_SUDOERS
echo '%'$H_GROUPNAME' ALL = SNORT' >> $H_SUDOERS

#start one snort on correct interface
if [ $H_INTERFACE = "eth2" ]; then
    snort -c /etc/snort/snort.conf -D -i eth3 >/dev/null
else
    snort -c /etc/snort/snort.conf -D -i eth2 >/dev/null
fi
#save snort PID
pidof snort > $H_GROUPFOLDER'/pid'
Listing 34: environment setup
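Both the honeyd setup script (which appends echo lines to /etc/sudoers) and the environment setup in Listing 34 (which overwrites /etc/sudoers entirely and later restores a copy) grant the player group its commands by editing the main sudoers file. As an added example that is not part of the SHiNE scripts, the function below writes the same kind of grant as a drop-in file for /etc/sudoers.d instead, so /etc/sudoers is never modified and cleanup is a single rm; the directory argument is mine so that the function can be exercised against a scratch directory, and the group names and command paths in the usage are the ones the scenarios use.

```shell
#!/bin/sh
# Added example, not part of the SHiNE scripts.
# write_sudoers_dropin DIR GROUP CMD...
# Writes DIR/GROUP holding the line "%GROUP ALL=(root) CMD, CMD, ...",
# i.e. the grant the setup scripts otherwise write into /etc/sudoers.
# DIR is normally /etc/sudoers.d (read via the includedir directive in
# /etc/sudoers); it is a parameter so the function can be exercised
# against a scratch directory without root rights.
# Return codes: 0 installed, 1 bad arguments or write failure,
# 2 a command is not an absolute path or visudo rejects the file
# (nothing is installed in that case).
write_sudoers_dropin() {
    dir=$1; group=$2
    shift 2
    [ -n "$dir" ] && [ -n "$group" ] && [ $# -ge 1 ] || return 1
    # sudoers only accepts fully qualified command names
    for c in "$@"; do
        case $c in /*) ;; *) return 2 ;; esac
    done
    cmds=$(printf '%s, ' "$@")
    cmds=${cmds%, }                 # drop the trailing separator
    # sudo ignores file names containing a '.', so a half-written
    # temporary file is never parsed as a live grant
    tmp="$dir/.$group.tmp"
    ( umask 077
      { printf '# %s scenario grant; remove this file to revoke it\n' "$group"
        printf '%%%s ALL=(root) %s\n' "$group" "$cmds"; } > "$tmp" ) || return 1
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    # visudo -c also checks owner and mode, which only a root-owned file
    # passes, so the syntax check is run only when installing as root
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 2; }
    fi
    mv "$tmp" "$dir/$group"
}

# Usage in a setup script (root, real directory):
#   write_sudoers_dropin /etc/sudoers.d honeyplayer /usr/sbin/hping3 /usr/bin/nmap
#   write_sudoers_dropin /etc/sudoers.d "$H_GROUPNAME" /usr/sbin/snort
# and in the matching cleanup script: rm -f /etc/sudoers.d/honeyplayer
```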
#!/bin/sh
H_GROUPNAME=$CAKE1
H_GROUPFOLDER='/tmp/'$H_GROUPNAME
H_SUDOERS='/etc/sudoers'

groupdel $H_GROUPNAME >/dev/null
cp $H_GROUPFOLDER'/sudoers' $H_SUDOERS >/dev/null
rm -r $H_GROUPFOLDER >/dev/null
killall -s SIGKILL snort >/dev/null
snort -c /etc/snort/snort.conf -D -i eth2 >/dev/null
snort -c /etc/snort/snort.conf -D -i eth3 >/dev/null
exit 0
Listing 35: environment cleanup
#!/bin/sh
H_GROUPNAME=$CAKE1
H_USERNAME=$CAKEUSER
H_PASSWORD=$CAKEPASS

if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

useradd -m $H_USERNAME -p $H_PASSWORD -g $H_GROUPNAME -s /bin/bash || exit $?
cp /etc/skel/.bash_profile /home/$H_USERNAME >/dev/null
cp /etc/skel/.bashrc /home/$H_USERNAME >/dev/null
mkdir /tmp/$H_USERNAME >/dev/null
exit 0
Listing 36: player setup
#!/bin/sh
H_USERNAME=$CAKEUSER
RC=0

if [ $(echo $H_USERNAME | wc -m) -eq 1 ]; then
    exit 3; #empty username = error and quit!
fi

pkill -KILL -u $H_USERNAME
rm -r /tmp/$H_USERNAME >/dev/null || RC=$?
deluser --remove-home $H_USERNAME >/dev/null || RC=$?
exit $RC
Listing 37: player cleanup
#!/bin/sh
checkpid() {
    H_CONF_FLAG=0
    H_INFC_FLAG=0
    H_VALID=1
    H_SNORT_CONFIG='/etc/snort/snort.conf'

    for j in $( ps -ef | grep snort | grep $1 ); do
        if [ $H_CONF_FLAG -eq 1 ]; then
            if [ "$j" != $H_SNORT_CONFIG ]; then
                H_VALID=0
            fi
            H_CONF_FLAG=2
        fi
        if [ $H_INFC_FLAG -eq 1 ]; then
            if [ "$j" != $2 ]; then
                H_VALID=0
            fi
            H_INFC_FLAG=2
        fi
        if [ "$j" = "-c" ]; then
            if [ $H_CONF_FLAG -eq 0 ]; then
                H_CONF_FLAG=1
            fi
        fi
        if [ "$j" = "-i" ]; then
            if [ $H_INFC_FLAG -eq 0 ]; then
                H_INFC_FLAG=1
            fi
        fi
    done
    if [ $H_VALID -eq 1 ]; then
        exit 0
    fi
}

H_INTERFACE=$CAKE2

#local variables
H_PID=$(cat /tmp/snorters/pid)

for i in $( pidof snort ); do
    if [ "$i" != "$H_PID" ]; then
        checkpid $i $H_INTERFACE
    fi
done
exit 2
Listing 38: evaluation
E.6.2 Snort rule
Wiki text: Wiki article for scenario snort rule.

snort rule
Individual rules can be defined for the Intrusion Detection System (IDS) snort. This is done by creating a file containing one or more valid rules and including it in the configuration file you are using. A rule must at least have the following parameters:
action protocol source-IP source-port direction target-IP target-port
The common value for action is alert, which means that an entry is written to the configured alert file whenever traffic matches the rule. All other parameters can be set to the keyword any; for source-IP, e.g., this means that any source IP can trigger an alert for this rule. At least one of the parameters should not be any, so that not all of the traffic on the network interface triggers an alert. Valid values for the parameter direction are ->, <- or <>. To add the new rule to the snort configuration, add the following line to the config file:
include <path to rule file>
e.g. include /etc/snort/rules/myRule.rules
Now snort can be restarted to activate the new rule.
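As an added example (not one of the SHiNE scenario scripts), the following bash functions check a rule header against the seven mandatory fields described above and count the malformed rules in a constructed sample rules file before it is included into snort.conf. Two points go beyond the wiki text: snort itself accepts only -> and <> as direction (there is no <- operator), and the check treats the protocol ip as the wildcard that, together with any in the other fields, would match all traffic.

```shell
#!/bin/bash
# Added example, not part of the SHiNE scenario scripts: sanity-check snort
# rule headers before the rule file is included into snort.conf.
# A header has the form
#   action protocol source-IP source-port direction target-IP target-port

# Returns 0 if the header is well formed, 1 otherwise (reason on stdout).
check_snort_header() {
    set -- $1                          # split the header into its fields
    if [ $# -ne 7 ]; then
        echo "expected 7 fields, got $#"; return 1
    fi
    local action=$1 proto=$2 src=$3 sport=$4 dir=$5 dst=$6 dport=$7

    case "$action" in
        alert|log|pass|drop|reject|sdrop) ;;
        *) echo "unknown action '$action'"; return 1 ;;
    esac
    case "$proto" in
        tcp|udp|icmp|ip) ;;
        *) echo "unknown protocol '$proto'"; return 1 ;;
    esac
    # The wiki text also lists <-, but snort knows only -> and <>; a rule
    # written with <- is refused when snort loads its configuration.
    case "$dir" in
        '->'|'<>') ;;
        *) echo "bad direction '$dir' (use -> or <>)"; return 1 ;;
    esac
    # At least one field must be narrower than the wildcard, otherwise every
    # packet on the interface raises an alert (ip is the protocol wildcard).
    if [ "$proto" = ip ] && [ "$src" = any ] && [ "$sport" = any ] \
        && [ "$dst" = any ] && [ "$dport" = any ]; then
        echo "rule would match all traffic"; return 1
    fi
    return 0
}

# Checks every rule line of a rules file (comments and blank lines are
# skipped, the "( ... )" option part is ignored) and prints the number of
# malformed headers; 0 means the file can be included without surprises.
count_bad_rules() {
    local bad=0 line header
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        header=${line%%(*}
        check_snort_header "$header" >/dev/null || bad=$((bad + 1))
    done < "$1"
    echo "$bad"
}

# Writes a constructed sample rules file (not from the project) and prints
# its path; two of the four rules are deliberately malformed.
sample_rules_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample rules file
alert tcp any any -> 10.0.0.1 80 (msg:"web access"; sid:1000001;)
alert icmp 10.0.0.0/24 any -> any any (msg:"ping from lan"; sid:1000002;)
alert ip any any -> any any (msg:"matches everything"; sid:1000003;)
alert tcp any any <- 10.0.0.1 22 (msg:"wrong direction"; sid:1000004;)
EOF
    echo "$f"
}
```

Running count_bad_rules on the sample file reports 2; the rule that matches everything and the one with the <- direction are the two that should be fixed before the file is included.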
E.7 DNS [mt]
E.7.1 DNS Basics
Wiki text: Under [30] there is a very good open-source DNS explanation. It is licensed under a Creative Commons license, so we should have no problem integrating this guide into the game wiki. The document covers everything about DNS, the DNS structure and the tools we need to assist the SHiNE user.

DNS
Because of the complexity of this guide, I only reproduce its table of contents here. Integrating the guide into the game wiki by copying it from the online source or from this document is about the same effort.
DNS for Rocket Scientists
Source: DNS for Rocket Scientists [30]
This Open Source Guide is about DNS and (mostly) BIND 9.x on Linux (Fedora Core), BSD’s (FreeBSD, OpenBSD and NetBSD) and Windows (Win 2K, XP, Server 2003). It is meant for newbies, Rocket Scientist wannabees and anyone in between.
This Guide was born out of our first attempts a number of years ago at trying to install a much needed DNS service on an early Redhat Linux system. We completed the DNS ’rite of passage’ and found it a pretty unedifying and pointless experience.
Health Warning: This is still a work-in-progress. If you find errors don’t grumble - tell us. Look at our to do list and if you want to contribute something please do so.
Overview
• 1. Boilerplate and Terminology 1.1 Objectives and Scope 1.2 How to read this Guide 1.3 Terminology and Conventions used 1.4 Acknowledgements 1.5 Copyright and License
• 2. DNS - Overview 2.1 A brief History of Name Servers 2.2 DNS Concepts & Implementation 2.2.1 DNS Overview 2.2.2 Domains and Delegation 2.2.3 DNS Organization and Structure 2.2.4 DNS System Components 2.2.5 Zones and Zone Files 2.2.6 DNS Queries 2.2.6.1 Recursive Queries 2.2.6.2 Iterative Queries 2.2.6.3 Inverse Queries 2.2.7 Zone Updates 2.2.7.1 Full Zone Transfer (AXFR) 2.2.7.2 Incremental Zone Transfer (IXFR) 2.2.7.3 Notify (NOTIFY) 2.2.7.4 Dynamic Zone Updates 2.2.7.5 Alternative Dynamic DNS Approaches 2.3 DNS Security Overview 2.3.1 Security Threats 2.3.2 Security Types 2.3.3 Local Security 2.3.4 Server-Server (TSIG Transactions) 2.3.5 Server-Client (DNSSEC)
• 3. DNS Reverse Mapping 3.1 Reverse Mapping Overview 3.2 IN-ADDR.ARPA Files 3.3 Reverse Map Delegation
• 4. DNS Types 4.1 Master (a.k.a. Primary) DNS Server 4.2 Slave (Secondary) DNS Server 4.3 Caching (a.k.a. hint) DNS Server 4.4 Forwarding (a.k.a. Proxy, Client, Remote) DNS Server 4.5 Stealth (a.k.a. DMZ or Split) DNS Server 4.6 Authoritative Only DNS Server
• Section 2 - Get Something Running
• 5. BIND (Berkeley Internet Name Daemon) Installing on FreeBSD (4.x and 5.x+) Installing on Linux (Fedora Core 2) Installing on Windows (NT 4.0 and Windows 2000) BIND Command Line
• 6. DNS Sample Configurations 6.1 Sample Configuration Overview 6.1.1 Zone File Naming Convention 6.2 Master (Primary) DNS 6.3 Slave (Secondary) DNS 6.4 Caching only DNS 6.5 Forwarding (a.k.a. Proxy, Client, Remote) DNS 6.6 Stealth (a.k.a. Split or DMZ) DNS 6.7 Authoritative Only DNS 6.8 Views based Authoritative Only DNS
• Section 3 Mind Numbing Details
• 7. BIND named.conf Parameters named.conf format, structure and overview named.conf required zone files named.conf acl section (statements) named.conf controls section (statements) named.conf include section (statements) named.conf key section (statements) named.conf logging section (statements) named.conf server section (statements) named.conf trusted-keys section (statements) named.conf views section (statements) named.conf zone section (statements)
• 8. DNS Resource Records Zone File Format DNS Binary Record Formats List of Record Types A - IPv4 Address Record A6 - IPv6 Address Record CNAME - Host Alias Record DNAME - Delegate Reverse Name Record HINFO - System Information Record KEY - DNSSEC Public Key Record MX - Mail Exchanger Record NS - Name Server Record NXT - DNSSEC Content Record PTR - Pointer Record SIG - DNSSEC Signature Record SOA - Start of Authority Record SRV - Services Record TXT - Text Record
• Section 4 DNS Operations
• Chapter 9 DNS HowTos HOWTO - DNS Round Robin or Load Balancing HOWTO - support http://domain.com HOWTO - Configure Sub-domains (a.k.a. subzones) HOWTO - Delegate a sub-domain (a.k.a. subzone) HOWTO - Configure mail fail-over HOWTO - Delegate Reverse Subnet Maps HOWTO Fix SOA RR serial numbers HOWTO - Define an SPF record HOWTO Install BIND 9 on Fedora Core 2 (Linux) HOWTO Install BIND 9 on FreeBSD HOWTO Install BIND 9 on Windows HOWTO Create a DNSBL (email black list) HOWTO Close your DNS (to protect against DoS attacks and Cache Poisoning)
• Chapter 10 Diagnostics and Tools 10.1 Introduction 10.2 nslookup 10.3 dig
• Chapter 11 Trouble and Error Messages Work in progress
• Chapter 12 BIND APIs Work in progress
• Section 5 DNS Security
• Chapter 13 DNS Security 13.1 DNS Security Overview 13.1.1 Security Threats 13.1.2 Security Types 13.1.3 Local Security 13.1.4 Server-Server (TSIG Transactions) 13.1.5 Server-Client (DNSSEC)
• Section 6 DNS Bits and Bytes
• Chapter 15 DNS Message Formats 15.1 Overview Generic Format 15.2 The Message Header 15.3 The DNS Question 15.4 The DNS Answer 15.5 Domain Authority 15.6 Additional Information
• Appendices: Resources
• Appendix A: DNS & BIND Notes and Explanations
• Appendix B: Domains and Registration
• Appendix C: DNS Alternate Software and Resources
• Appendix D: DNS and Relevant RFCs
Shell scripts
#!/bin/bash

#external parameter
# USERNAME = $CAKEUSER # Hacking game user name
# PASSWORD = $CAKEPASS # must be md5 encrypted
# DOMAIN = $CAKE1 # Domain to check
# REVERSE = $CAKE2 # IP for Reverse Check

USERNAME=tester # Hacking game user name
PASSWORD=lxSigVD0RJEAM # must be md5 encrypted
DOMAIN=hs-bremen.de # Domain to check
REVERSE=213.148.129.10 # IP for Reverse Check

if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 1; #empty username = error and quit!
fi

#internal parameter
BACKGROUND_SCRIPT=/tmp/$USERNAME/background_script
TODO_FILE=/home/$USERNAME/todo

# functions
#script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> $TARGET_AND_LOCATION
    done
}

#chmodder needs $mylist and $newrights
chmodder ()
{
    for i in "${mylist[@]}"; do
        chmod $newrights $i > /dev/null 2>&1 || exit 1
    done
}

#dirmaker needs $mylist
dirmaker ()
{
    for i in "${mylist[@]}"; do
        mkdir -p $i > /dev/null 2>&1 || exit 1
    done
}
##end functions

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/ > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bashrc /home/$USERNAME/ > /dev/null 2>&1 || exit 1


#add needed dirs
mylist=(/tmp/$USERNAME)
dirmaker

#make needed files
TARGET_AND_LOCATION=$TODO_FILE
mylist=('# Hello User' '# You start with scenario dns'
    '# This scenario should show you, which records are stored in the dns.'
    '# The records you have to find out are given in the table below.'
    "# For your challenge you're allowed to use tools like 'nslookup' and 'dig'."
    '# Feel Free to choose your prefered one.'
    '# For more informations about these tools use the man command like "man dig"'
    '#' '# 1) start the commadline' "# 2) find your tool for dns query's"
    '# 3) start the query for the given domain'
    '# 4) find out the records given in the table below'
    '# 5) replace ????? with your answer' '# 6) save the document'
    '# 7) wait for a response' '#'
    "# Please don't change anything else in this document" '#' '#')
scriptbuild

echo -e "Domain : \t\t\t $DOMAIN" >> $TARGET_AND_LOCATION
echo -e "A : \t\t\t ?????" >> $TARGET_AND_LOCATION
echo -e "MX : \t\t\t ?????" >> $TARGET_AND_LOCATION
echo -e "PTR $REVERSE: \t ?????" >> $TARGET_AND_LOCATION

#make Background_script

TARGET_AND_LOCATION=$BACKGROUND_SCRIPT
mylist=("#!/bin/bash" "todo=$TODO_FILE" 'lastAccess=`stat $todo -c%x`' 'lastMod=`stat $todo -c%y`'
    'while [ "`stat $todo -c%x`" == "$lastAccess" ]' 'do' 'sleep 10' 'echo "You have to read $todo"' 'done'
    'while [ checker=1 ]' 'do'
    'while [ "`stat $todo -c%y`" == "$lastMod" ]' 'do' 'sleep 10' 'done'
    'echo "we check your work"' 'lastMod=`stat $todo -c%y`'
    'declare -a todoList' 'declare -a entryList')
scriptbuild
#something difficult to insert
echo 'todoList=(`grep -v "#" $todo | sed '\'s/[\\t \\ ]\\\{1,\\\}//g\''| awk -F: '\'{print '$1'}\''`)' >> $TARGET_AND_LOCATION
echo 'entryList=(`grep -v "#" $todo | sed '\'s/[\\t \\ ]\\\{1,\\\}//g\''| awk -F: '\'{print '$2'}\''`)' >> $TARGET_AND_LOCATION

mylist=('entrys=${#todoList[@]}' 'domain=${entryList[0]}' 'verifier=0' ' for ((a=1; a
scriptbuild

#change dir and file permissions
chown -R $USERNAME:$USERNAME /home/$USERNAME/ > /dev/null 2>&1 || exit 1
chown $USERNAME:$USERNAME $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1
chmod u+x $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1

#modify user .bashrc
echo "$BACKGROUND_SCRIPT &" >> /home/$USERNAME/.bashrc || exit 1
exit 0
Listing 39: Setup
#!/bin/bash
# USERNAME = $CAKEUSER
USERNAME=tester
rm -r /tmp/$USERNAME > /dev/null 2>&1 || exit 1
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0
Listing 40: Cleanup
#!/bin/bash
# user = $CAKEUSER
user=tester
todo=/home/$user/todo
declare -a todoList
declare -a entryList
todoList=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}//g'| awk -F: '{print $1}'`) || exit 1
entryList=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}//g'| awk -F: '{print $2}'`) || exit 1
entrys=${#todoList[@]}
domain=${entryList[0]}
verifier=0
# entry 0 is the domain line, the remaining entries are the records to check
for ((a=1; a<$entrys; a++))
do
    if [ "${todoList[$a]}" == "${todoList[$a]#PTR}" ]; then
        check=`dig ${todoList[$a]} $domain | grep ${entryList[$a]}`
    else
        check=`dig -x "${todoList[$a]#PTR}" | grep ${entryList[$a]}`
    fi
    if [ "$check" == "" ]; then
        #echo "Fault with Record ${todoList[$a]} Entry ${entryList[$a]}."
        let "verifier++"
    fi
done
if [ "$verifier" -eq 0 ]; then
    #echo "finished."
    exit 2
else
    #echo "not finished"
    exit 3
fi
exit 1
Listing 41: Evaluation
E.7.2 DNS Server manipulation
Wiki text: Bind Configuration (from Section6 [31])

Introduction
Here is a sprint through DNS. It is in no way meant to explain the intricacies of DNS as well as a book (like DNS and BIND by O'Reilly publishing). It is, however, meant to get you running DNS quickly with a rudimentary knowledge of how it all works.
Many of these configurations will run on Bind 8 as well. However they have not been tested. If you can, I highly suggest running version 9 for the following reasons:
* Bind9 has a number of security enhancements over Bind8.
* Bind9 and its tools have full support of IPv6.
* It comes with the current stable version of FreeBSD (5.3 at the time of this writing).

Enabling Named
You'll want to enable bind in your /etc/rc.conf so that the startup script will know you want it:
named_enable="YES"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"

Chrooting Bind9
You may ask, "Why should I chroot Bind?". First and foremost you need to assume that there is a possibility that someone will hack your services somehow. If you set up a chroot for Bind in the manner described below you'll have a server running as non-root in its own sandbox, so if someone does break in, the worst they'll be able to do is manipulate the files in the directory your bind server is confined to. For this reason you may wish to back up your zone files at some point.
If you're running the latest FreeBSD the below is really not needed. The startup script will do everything for you with the exception of making a named.conf and named.root. So what you'll want to do is make a working named.conf in /var/named/etc/namedb/named.conf and do:
cp /usr/src/etc/namedb/named.root /var/named/etc/namedb/named.root
From here we can activate the startup script and, assuming your named.conf is good (which can be checked with named-checkconf), you can start named with
/etc/rc.d/named start

Creating the chroot environment (deprecated)
If you're letting the startup script create your chroot environment as above, this section can be skipped. Continue on to Finishing Touches.
You'll first need to create the directories for your chrooted environment by doing the following:
mkdir -p /var/named/dev /var/named/etc /usr/named/var/run
Next you'll need to place the appropriate files into the dirs you just created:
cp /etc/named/named.root /var/named/named.root
cp /etc/localtime /var/named/etc/localtime
If you have any existing conf or zone files you'll want to move them into /var/named as well. Be sure to change the directory option in your existing named.conf (see below). Since Bind will be in its own nearly autonomous environment you'll need to make some device entries as well by doing the following:
mknod /var/named/dev/null c 2 2
mknod /var/named/dev/random c 2 3
And last, we'll have to let Bind own all the files and directories we created:
chown -R bind:bind /var/named/*

Finishing Touches
Okay, so the environment is created, now we just have to set up syslog and /etc/rc.conf.
/etc/rc.d/syslogd stop
/etc/rc.d/syslogd start
The syslogd script will detect that you are running named, and that it needs to add an additional socket. This will restart syslogd with an additional logging socket in /var/named/dev. Be sure that syslogd is running in your /etc/rc.conf if it's not already:
syslogd_enable="YES"

Setting up Bind9 for IPv4
I'll show you how to set up a bind server for a NAT and Internet server. Of course if you don't wish this to be visible on the Internet you can choose to have it blocked via firewall. Many of you will probably be doing bind9 setups for the standard v4 addresses. This may not be the most helpful tutorial out there, I'm only giving a background for IPv6 setups; if you know how to set up IPv4 bind feel free to skip this. Also I'll assume you are using the chrooted environment as explained above, so take that into consideration.

Setting up rndc
The rndc tool is useful for controlling named locally or remotely, some of its functions can give you useful stats as well. It's worth setting up. So here's how. Run rndc-confgen -a. This will drop the file rndc.key into /etc/namedb/. You'll notice the key looks something like this:
key "rndc-key" {
    algorithm hmac-md5;
    secret "5CKK3LlNDdkxshC5gmnzYQ==";
};
Place the key in your /var/named/etc/namedb/named.conf. It'll work if you put the rndc specifications at the head of the file like this:
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "5CKK3LlNDdkxshC5gmnzYQ==";
};
This allows only the localhost to have access to controlling named with rndc; this, however, can be modified. Place the key in your /etc/rndc.conf. Here is a sample of this file with the above sample key.
options {
    default-server localhost;
    default-key "rndc-key";
};

server localhost {
    key "rndc-key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "5CKK3LlNDdkxshC5gmnzYQ==";
};
Start named or killall -HUP named for the changes to take effect if you have named set up already. If not, then they will take effect when you do start named after it has been configured.

Setting up the named.conf
First you'll need a config file. I'll attempt to run through this and explain by example how it was done on Section 6 Networks so that you may learn and adapt it to your own needs. Set up options on your /etc:
options {
    directory "/";
    listen-on { 1.2.3.4; };
    recursion no; #Make it so people can only look up records on this host
    version "";
    pid-file "/var/run/named/pid";
    rrset-order {
        class IN type A name "www.example.com" order random;
    };
};
This will set up your main directory as the chrooted directory. Since named is chrooted, its root is /var/namedb/ if you set it up from the example.
Explanation of options
• Don't set recursion no; if you're setting up dns for an intranet.
• version ""; will make it so hackers can't probe what version you're using, making you a less likely target.
• rrset-order is how you set up round robin dns. If you want round robin dns for all multiple A records in your zones you can simply do this:
rrset-order {
    order random;
};
Other choices besides random include cyclic and fixed.
Set up your zone info:
zone "." {
    type hint;
    file "named.root";
};
zone "section6.net" {
    type master;
    file "zones/db.section6.net";
    notify yes;
    allow-transfer { 216.7.11.132; 64.71.191.27; 212.100.224.176; 66.37.215.46; };
};
zone "0.0.10.in-addr.arpa" {
    type master;
    file "zones/db.0.0.10.in-addr.arpa";
};
zone "89.67.45.123.in-addr.arpa" {
    type master;
    file "zones/db.13.180.230.12.in-addr.arpa";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "localhost" {
    type master;
    file "zones/db.localhost";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "zones/db.0.0.127.in-addr.arpa";
    notify no;
};
Okay, so that's a lot. Basically we have the root hints file, a mandatory file for looking up DNS unknowns, and one forward zone: section6.net, which shows name to address mappings. We have 2 address to name mappings, one for our private net 10.0.0.0/24 and one for our outside IP, 123.45.67.89. Notice the format of these zones, it'll become more clear later. We also have the mandatory zone files for localhost, our computer, which are localhost and 127.0.0.1. You'll notice that section6.net is the only one with notify yes and allow-transfer options. notify yes says to notify the transfer hosts upon any changes. We have notify no set on a majority of the zones as they are for internal use only. allow-transfer specifies the hosts allowed to transfer your information to theirs.

The Zone Files
For each defined zone in your named.conf you'll need a corresponding zone file detailing the forward or reverse info for that zone. Below is a sample IPv4 forward zone file for section6.lan. The file name, according to named.conf, is db.section6.lan.
$ORIGIN section6.net.
$TTL 1d
section6.net. IN SOA syndie.section6.net. root.syndie.section6.net. (
    1 ; Serial
    10800 ; Refresh after 3 hours
    3600 ; Retry after 1 hour
    604800 ; Expire after 1 week
    86400 ) ; Minimum TTL of 1 day

    IN NS syndie.section6.net.
;
section6.net IN MX 10 syndie.section6.net.
;
@ IN A 10.0.0.1
localhost IN A 127.0.0.1
syndie IN A 10.0.0.1
vpn IN A 10.0.0.2
schism IN A 10.0.0.5
test IN A 10.0.0.20
ganymede IN A 10.0.0.42
web IN A 10.0.0.99
gabrielle IN A 10.0.0.242
;
hades IN CNAME syndie
ns IN CNAME syndie
mail IN CNAME syndie
ftp IN CNAME ganymede
You'll notice a few things here. The $ORIGIN basically tells named which domain to tack onto the records so we don't have to write the whole thing out each time. The . at the end of the domain is important; if you forget it things will break. There are 2 strings after SOA (Start of Authority). One tells who the SOA is for the domain, the other names the contact (root.syndie.section6.lan = root@syndie.section6.lan). A records point to IPs, CNAMEs are essentially aliases for A records. Part of good practice is to not have a CNAME pointing to another CNAME. The MX record tells mail exchangers where to send mail for that domain. The number after it is the priority, 1 being highest. Now for an example of a reverse zone file. This is for the zone 0.0.10.in-addr.arpa.
$TTL 1d
0.0.10.in-addr.arpa. IN SOA syndie.section6.net. root.syndie.section6.net. (
    1 ; Serial
    10800 ; Refresh after 3 hours
    3600 ; Retry after 1 hour
    604800 ; Expire after 1 week
    86400 ) ; Minimum TTL of 1 day

@ IN NS syndie.section6.net.

1 IN PTR syndie.section6.net.
2 IN PTR vpn.antithesist.net.
5 IN PTR schism.section6.net.
20 IN PTR test.section6.net.
42 IN PTR ganymede.section6.net.
99 IN PTR web.section6.net.
242 IN PTR gabrielle.section6.net.
Many of the declarations here are the same as in the forward file. All the records here are PTR records. Since you have 0.0.10.in-addr.arpa defined (which translates to 10.0.0.x), you just need to put the x value for each of the addresses. Again, don't forget the . at the end of each full domain name or it won't work.

Setting up Bind9 for IPv6
First of all, if you're really hating this tutorial and you want to read something else on setting up BIND for IPv6 you can read this document. Some additional notes about IPv6 DNS. There are 2 competing formats for A style records in IPv6: AAAA and A6. Since I have yet to see an A6 record in the wild I'll refer you to the above mentioned document if you wish to set it up. I will, however, detail how to set up the 2 formats for reverse DNS (nibble and bitstream).

IPv6 zones in the named.conf
I have set up my IPv6 forward records in the same zone file that the IPv4 records are located in; this works but some may not want to do this. You can create a subdomain to differentiate your IPv4 and IPv6 records, but there is no harm in making both records in the same file, or even 2 identical names each pointing to one IPv6 and one IPv4 record. It has worked alright for me so far. Here is the IPv6 specific information as appended to my named.conf example above.
// IPv6 zone files
// ======
//
// First, load the zone for the IPv6 loopback address.
//
//The new current way of reverse (Bitstream)
zone "\[x0000000000000000/64].ip6.arpa" {
    type master;
    file "zones/db.0000:0000:0000:0000.ip6.arpa";
    allow-transfer {none;};
};
//The old (deprecated) reverse (Nibble format)
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
    type master;
    file "zones/db.0000:0000:0000:0000.ip6.int";
    allow-transfer {none;};
};
zone "\[x200104701f000222/64].ip6.arpa" {
    type master;
    file "zones/db.2001.470.1f00:222.ip6.arpa";
};
zone "2.2.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.int" {
    type master;
    file "zones/db.2001.470.1f00:222.ip6.int";
};
As you can see I have the first 4 groups of 16 bits (also known as a /64 since 16 * 4 = 64) defined in the zone files. The first two entries define my localhost, the second 2 define my public address range 2001.470.1f00.222/64. Most of this part of the file is fairly self explanatory.

Shell scripts
#!/bin/bash
#
# Scenario DNS Server
#
# short manual
# File operations in /etc/bind/* /etc/resolv.conf | all allowed to group $dnsgamers
# configuration backup in $backdir
# zone files for default dns-server.hs-bremen.game includes
#

# external parameter
#dnsgamers= $CAKE1
dnsgamers=dnsgamers # group for gamers

# internal parameter or a zone out of cake
backdir=/tmp/bkdsds
# dns zones
rootDNS=194.94.24.34 #IP Address Root DNS Server this case uses dns.hs-bremen.de
mainzone=hs-bremen.game #realm of the game zone
servermainzone=dmz-server.$mainzone # name of DNS Server
dmzzone=1.0.10.in-addr.arpa
managementzone=10.20.172.in-addr.arpa
preludezone=20.20.172.in-addr.arpa
workerzone=30.20.172.in-addr.arpa
serverzone=40.20.172.in-addr.arpa
guestzone=50.20.172.in-addr.arpa
# record options
ttl=604800
retry=86400
expire=2419200

# make backupdir
mkdir $backdir > /dev/null 2>&1 || exit 1

# adding group and sudorights for bind interaction
# save sudoers file
cp /etc/sudoers $backdir/sudoers > /dev/null 2>&1 || exit 1
groupadd $dnsgamers > /dev/null 2>&1 || exit 1
echo %$dnsgamers ALL=/etc/init.d/bind9 >> /etc/sudoers || exit 1

# install the dnsserver bind9 without interaction
aptitude install bind9 -y > /dev/null 2>&1 || exit 1


# save bind default in /tmp
cd $backdir && tar cf bind.bak.tar /etc/bind > /dev/null 2>&1 || exit 1

# save resolv.conf
cp /etc/resolv.conf $backdir/ > /dev/null 2>&1 || exit 1

# bind configuration with default bind config hs-bremen.game
#
# configuration of /etc/bind/named.conf.options
#
# create temp file
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.tmp > /dev/null 2>&1 || exit 1

#search for string forwarders and uncomment | search for 0.0.0.0 and uncomment | replace 0.0.0.0 with $rootDNS | search close of sequence forwarders and uncomment | write to file
sed '/forwarders {/s/\/\///g' /etc/bind/named.conf.options.tmp | sed '/0.0.0.0/s/\/\///g' | sed "s/0.0.0.0/$rootDNS/" | sed '/\/\/ };/s/\/\///g' > /etc/bind/named.conf.options || exit 1
#delete tmp file
rm /etc/bind/named.conf.options.tmp > /dev/null 2>&1 || exit 1

#
# configuration of default zones hs-bremen.game
#

#Target is always the same
TARGET_AND_LOCATION=/etc/bind/named.conf.local

#zoneadd needs $mylist and $TARGET_AND_LOCATION
zoneadd ()
{
    mylist=("zone \"$zone\"{" "\\t type master;" "\\t file \"/etc/bind/zone.$zone\";" "allow-query {any;};" '};')
    for i in "${mylist[@]}"; do
        echo -e $i >> $TARGET_AND_LOCATION || exit 1
    done
}

#recordbuilder
# needs for soa : ttl retry expire servermainzone
# needs for filefunctions : zone
# needs for records : recordlist
recordbuilder()
{
    file=/etc/bind/zone.$zone
    #make new zonefile with soa
    echo -e "\$TTL \t $ttl" > $file || exit 1
    echo -e "@ \t IN \t SOA \t $servermainzone. \t root.localhost. (" >> $file || exit 1
    echo -e "\t \t \t `date +%F | sed 's/-//g'`1 \t; Serial YYYYMMDDVersion" >> $file || exit 1
    echo -e "\t \t \t $ttl \t ; Refresh" >> $file || exit 1
    echo -e "\t \t \t $retry \t \t; Retry" >> $file || exit 1
    echo -e "\t \t \t $expire \t; Expire" >> $file || exit 1
    echo -e "\t \t \t $ttl ) \t; Negative Cache TTL" >> $file || exit 1
    if [ "${zone}" == "${mainzone}" ]; then
        addpoint="" #point for PTR break in Reverse Lookup
        echo -e "\t \t \t IN \t NS \t $servermainzone." >> $file || exit 1
    else
        addpoint="."
        echo -e "@ \t \t IN \t NS \t $servermainzone." >> $file || exit 1
    fi
    echo -e ";\$ORIGIN \t $mainzone" >> $file || exit 1
    for i in "${recordlist[@]}"; do
        echo -e $i$addpoint >> $file || exit 1
    done
}

# zone game main
zone=$mainzone
zoneadd
# add Records
recordlist=("dmz-server \t IN\t A \t 10.0.1.3" "zeus \t\t IN \t A \t 172.20.10.3"
    "ramses\t\t IN\t A\t 172.20.20.131" "cleopatra\t IN\t A\t 172.20.20.132"
    "pluto\t\t IN\t A\t 172.20.30.21" "venus\t\t IN\t A\t 172.20.30.22"
    "roadwarrior1\t IN\t A\t 172.20.30.33" "roadwarrior2\t IN\t A\t 172.20.30.34"
    "roadwarrior3\t IN\t A\t 172.20.30.35" "roadwarrior4\t IN\t A\t 172.20.30.36"
    "roadwarrior5\t IN\t A\t 172.20.30.37" "roadwarrior6\t IN\t A\t 172.20.30.38"
    "roadwarrior7\t IN\t A\t 172.20.30.39" "roadwarrior8\t IN\t A\t 172.20.30.40"
    "roadwarrior9\t IN\t A\t 172.20.30.41" "roadwarrior10\t IN\t A\t 172.20.30.42"
    "roadwarrior11\t IN\t A\t 172.20.30.43" "roadwarrior12\t IN\t A\t 172.20.30.44"
    "roadwarrior13\t IN\t A\t 172.20.30.45" "roadwarrior14\t IN\t A\t 172.20.30.46"
    "roadwarrior15\t IN\t A\t 172.20.30.47" "roadwarrior16\t IN\t A\t 172.20.30.48"
    "roadwarrior17\t IN\t A\t 172.20.30.49" "roadwarrior18\t IN\t A\t 172.20.30.50"
    "roadwarrior19\t IN\t A\t 172.20.30.51" "roadwarrior20\t IN\t A\t 172.20.30.52"
    "merkur\t\t IN\t A\t 172.20.30.60" "erde\t\t IN\t A\t 172.20.30.61"
    "mars\t\t IN\t A\t 172.20.30.62" "jupiter\t\t IN\t A\t 172.20.30.63"
    "saturn\t\t IN\t A\t 172.20.30.64" "neptun\t\t IN\t A\t 172.20.30.65"
    "phobos\t\t IN\t A\t 172.20.30.66" "deimo\t\t IN\t A\t 172.20.30.67"
    "kallisto\t IN\t A\t 172.20.30.68" "uranus\t\t IN\t A\t 172.20.30.69"
    "deutschland\t IN\t A\t 172.20.40.51" "holland\t\t IN\t A\t 172.20.40.52"
    '$GENERATE 126-254 roadwarrior$ IN A 172.20.30.$')
recordbuilder


# zone DMZ
zone=$dmzzone
zoneadd
recordlist=("3\t\t IN\t PTR\t dmz-server.hs-bremen.game")
recordbuilder

# zone Management
zone=$managementzone
zoneadd
recordlist=("3\t\t IN\t PTR\t zeus.hs-bremen.game")
recordbuilder

# zone Prelude
zone=$preludezone
zoneadd
recordlist=("131\t\t IN\t PTR\t ramses.hs-bremen.game" "132\t\t IN\t PTR\t cleopatra.hs-bremen.game")
recordbuilder


# zone Worker
zone=$workerzone
zoneadd
recordlist=("21\t IN\t PTR\t pluto.hs-bremen.game" "22\t IN\t PTR\t venus.hs-bremen.game"
    "33\t IN\t PTR\t roadwarrior1.hs-bremen.game" "34\t IN\t PTR\t roadwarrior2.hs-bremen.game"
    "35\t IN\t PTR\t roadwarrior3.hs-bremen.game" "36\t IN\t PTR\t roadwarrior4.hs-bremen.game"
    "37\t IN\t PTR\t roadwarrior5.hs-bremen.game" "38\t IN\t PTR\t roadwarrior6.hs-bremen.game"
    "39\t IN\t PTR\t roadwarrior7.hs-bremen.game" "40\t IN\t PTR\t roadwarrior8.hs-bremen.game"
    "41\t IN\t PTR\t roadwarrior9.hs-bremen.game" "42\t IN\t PTR\t roadwarrior10.hs-bremen.game"
    "43\t IN\t PTR\t roadwarrior11.hs-bremen.game" "44\t IN\t PTR\t roadwarrior12.hs-bremen.game"
    "45\t IN\t PTR\t roadwarrior13.hs-bremen.game" "46\t IN\t PTR\t roadwarrior14.hs-bremen.game"
    "47\t IN\t PTR\t roadwarrior15.hs-bremen.game" "48\t IN\t PTR\t roadwarrior16.hs-bremen.game"
    "49\t IN\t PTR\t roadwarrior17.hs-bremen.game" "50\t IN\t PTR\t roadwarrior18.hs-bremen.game"
    "51\t IN\t PTR\t roadwarrior19.hs-bremen.game" "52\t IN\t PTR\t roadwarrior20.hs-bremen.game"
    "60\t IN\t PTR\t merkur.hs-bremen.game" "61\t IN\t PTR\t erde.hs-bremen.game"
    "62\t IN\t PTR\t mars.hs-bremen.game" "63\t IN\t PTR\t jupiter.hs-bremen.game"
    "64\t IN\t PTR\t saturn.hs-bremen.game" "65\t IN\t PTR\t neptun.hs-bremen.game"
    "66\t IN\t PTR\t phobos.hs-bremen.game" "67\t IN\t PTR\t deimo.hs-bremen.game"
    "68\t IN\t PTR\t kallisto.hs-bremen.game" "69\t IN\t PTR\t uranus.hs-bremen.game"
    '$GENERATE 126-254 $ PTR roadwarrior$.hs-bremen.game')
recordbuilder

# zone Server
zone=$serverzone
zoneadd
recordlist=("51\t IN\t PTR\t deutschland.hs-bremen.game" "52\t IN\t PTR\t holland.hs-bremen.game")
recordbuilder

# zone Guest
zone=$guestzone
zoneadd
recordlist=()
recordbuilder

# change rights in /etc/bind
chown -R bind:$dnsgamers /etc/bind
chmod g+w /etc/bind/* > /dev/null 2>&1 || exit 1
chmod g+w /etc/bind > /dev/null 2>&1 || exit 1

# to allow user changes in resolv.conf
chown root:$dnsgamers /etc/resolv.conf > /dev/null 2>&1 || exit 1
chmod g+w /etc/resolv.conf > /dev/null 2>&1 || exit 1

# make the nameserver work for localhost
echo search $mainzone > /etc/resolv.conf || exit 1
echo nameserver localhost >> /etc/resolv.conf || exit 1

# save the default game configuration

# save bind default in /tmp
cd $backdir && tar cf bind.game.bak.tar /etc/bind > /dev/null 2>&1 || exit 1

# save resolv.conf
cp /etc/resolv.conf $backdir/resolv.game.conf > /dev/null 2>&1 || exit 1

# restart the nameserver
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1

exit 0
Listing 42: Setup Environment
#!/bin/bash

#external parameter
#dnsgamers= $CAKE1
dnsgamers=dnsgamers

backdir=/tmp/bkdsds

# delete nameserver bind
aptitude purge bind9 -y > /dev/null 2>&1 || exit 1

# delete groups and sudo rights
groupdel $dnsgamers > /dev/null 2>&1 || exit 1

# restore resolv.conf/sudoers from the backup
cp $backdir/resolv.conf /etc/resolv.conf > /dev/null 2>&1 || exit 1
cp $backdir/sudoers /etc/sudoers > /dev/null 2>&1 || exit 1

# delete scenario backup files and /etc/bind
rm -rf $backdir > /dev/null 2>&1 || exit 1
rm -rf /etc/bind > /dev/null 2>&1 || exit 1

exit 0
Listing 43: Cleanup Environment
#!/bin/bash

backdir=/tmp/bkdsds

#external parameter
# USERNAME = $CAKEUSER
# PASSWORD = $CAKEPASS
# GROUP = $CAKE1

USERNAME=gamer # Hacking game user name
PASSWORD=AJhEqbz7CCzbE # must be md5 encrypted (password=test)
GROUP=dnsgamers # default group for sudo rights configured in setup_env

#parameter for usertask
TODO_FILE=/home/$USERNAME/todo
# zone = $CAKE2
# mailIP = $CAKE3
# wwwIP = $CAKE4
# netIP = $CAKE5

zone=hs-bremen.game # zone for the task
mailIP=10.0.1.100 # the new mailserver ip
wwwIP=10.0.1.101 # the new wwwserver ip
netIP=172.20.66 # the new zone net with ptr for IP $netIP.1

# levels
# level 1 = insert the mailserver and the wwwserver
# level 2 = level 1 and insert the complete reverse for the netIP
# level 3 = level 2 and insert the new zone
# level = $CAKE6
level=3

if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
    exit 1; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

#make default bind.game config from default configuration and restart nameserver
rm -rf /etc/bind/* > /dev/null 2>&1 || exit 1
cd / && tar xf $backdir/bind.game.bak.tar > /dev/null 2>&1 || exit 1
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1


#script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
    for i in "${mylist[@]}"; do
        echo "$i" >> $TARGET_AND_LOCATION || exit 1
    done
}
TARGET_AND_LOCATION=$TODO_FILE
mylist=('# Hello User' '# You start with scenario dns-server'
    '# This scenario schould show you how to work with the dns server bind'
    '# You have to manipulate some records given below' '#'
    '# Please keep in mind to start / stop or reload services it could be required used the privileged user mode'
    "# For security reasons you don't have the superusers password, but you are allowed to use the sudo command"
    '#' ' ' 'Tasklist (only DNS Settings)'
    "(1) You have to implement the required settings for the new mailserver (IP: $mailIP Name: mail)"
    "(2) Integrate the www Server at IP $wwwIP ")
scriptbuild
if [ "$level" -gt 1 ]; then
    mylist=("(3) The Net 172.20.50.XXX is reserved for guests.
Please complete the zonefile with PTR records like guest 60 scriptbuild 61 fi 62 if [ "$level" -gt 2 ]; then 63 mylist=("(4) Insert a new zone for net $netIP.0 /24 and place a PTR Record for IP $netIP.1 with \"users.$zone\"" ) 64 scriptbuild 65 fi 66 67 chown root:$GROUP $TODO_FILE > /dev/null 2>&1 || exit 1 68 chmod u-w,g-w,o-w $TODO_FILE > /dev/null 2>&1 || exit 1 69 70 exit 0 Listing 44: Setup User 1 #!/bin/bash 2 # USERNAME = $CAKEUSER 3 USERNAME=gamer 4 deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1 5 exit 0 Listing 45: Cleanup User 1 #!/bin/bash 2 3 #external parameter bachelorproject ws 07/08 SHiNE 189 4 level =3 5 score =1500 6 dnsserver=localhost # server for dns checks 7 zone=hs-bremen.game # zone for the task 8 mailIP=10.0.1.100 # the new mailserver ip 9 wwwIP=10.0.1.101 # the new wwwserver ip 10 netIP=172.20.66 # the new zone net with ptr for IP $netIP .1 11 ptrNET=172.20.50 # net for guest ptr 12 dmzzone=1.0.10.in-addr.arpa 13 guestzone=50.20.172.in-addr.arpa 14 15 #check if bind is working for zone 16 if [ "‘dig $zone @$dnsserver | grep SOA‘" ]; then 17 echo dnsserver works for zone $zone > /dev/null 18 if [ "‘dig $zone | grep SOA‘" ]; then 19 echo dnsserver is working for localhost > /dev/null 20 else 21 # echo dnsserver dont work for localhost 22 let "score-=$score/10" # -10% scorepoints 23 fi 24 25 else 26 # echo dnsserver dont work for $zone 27 score =0 28 exit 3 29 fi 30 31 # checkversion needs $file $expectedversion 32 checkversion() 33 { 34 #check if version is changed (default Version is 1,date is today) 35 datestring=‘date +%F | sed ’s/-//g’‘ 36 version=‘grep $datestring $file | sed ’s/\s//g’‘ 37 version=${version%;*n} 38 version=${version:${#datestring}} 39 if [ "$version" == "$expectedversion" ]; then 40 echo $file version OK > /dev/null 41 else 42 echo $file version not OK > /dev/null 43 echo version $version expected $expectedversion > /dev/ null 44 45 let "score-=$score/10" # -10% scorepoints 46 fi 47 } 48 bachelorproject ws 
07/08 SHiNE 190 49 #check level 1 50 #if level1 isn’t finished player don’t get any points 51 52 #version has to be changed in $zone , $dmzzone 53 file=/etc/bind/zone.$zone 54 expectedversion=2 55 checkversion 56 file=/etc/bind/zone.$dmzzone 57 expectedversion=2 58 checkversion 59 60 # check MX 61 if [ "‘dig mx $zone @$dnsserver | grep mail | grep MX‘" ]; then 62 if [ "‘dig mail.$zone @$dnsserver | grep $mailIP‘" ]; then 63 #echo A Record for MX OK 64 if [ "‘dig -x $mailIP @$dnsserver | grep mail‘" ]; then 65 echo PTR Record for MX OK > /dev/null 66 else 67 echo PTR Record for MX not OK > /dev/null 68 score =0 69 exit 3 70 fi 71 else 72 echo A Record for MX not OK > /dev/null 73 74 exit 3 75 fi 76 echo mx OK > /dev/null 77 else 78 score =0 79 echo mx not OK > /dev/null 80 exit 3 81 fi 82 # check www 83 if [ "‘dig www.$zone @$dnsserver | grep $wwwIP‘" ]; then 84 echo www OK > /dev/null 85 else 86 echo www not OK > /dev/null 87 score =0 88 exit 3 89 fi 90 91 #check level 2 92 93 #version has to be changed in $guestzone 94 file=/etc/bind/zone.$guestzone bachelorproject ws 07/08 SHiNE 191 95 expectedversion=2 96 checkversion 97 98 # we check the whole net 99 if [ "$level" -gt 1 ]; then 100 true =1 101 for ((x=1; x<255 ; x++)) 102 do 103 test=‘dig -x $ptrNET.$x @$dnsserver | grep guest$x‘ 104 if [ "$test" ]; then 105 # check ending 106 if [ "$test" == "${test%guest$x.$zone.}" ]; then 107 true =0 108 fi 109 fi 110 done 111 if [ "$true" -lt 1 ]; then 112 echo PTR guests not OK > /dev/null 113 exit 3 114 else 115 echo PTR guests OK > /dev/null 116 fi 117 fi 118 119 #check level 3 120 121 #version has to be 1 cause of new zone 122 #version isnt checked 123 124 if [ "$level" -gt 2 ]; then 125 if [ "‘dig -x $netIP.1 @$dnsserver | grep user‘" ]; then 126 echo new net $netIP OK > /dev/null 127 else 128 echo new net $netIP not OK > /dev/null 129 exit 3 130 fi 131 fi 132 exit 2 Listing 46: Evaluation E.7.3 DNS-Spoofing Wiki text DNS Spoofing bachelorproject ws 07/08 SHiNE 192 
From securesphere.net [32]

Overview: What is DNS Spoofing?

DNS Spoofing is the art of making a DNS entry point to another IP than the one it is supposed to point to. To understand better, let's see an example. You're on your web browser and wish to see the news on www.cnn.com; without thinking about it, you just enter this URL in your address bar and press enter. Now, what's happening behind the scenes? Well... basically, your browser is going to send a request to a DNS server to get the matching IP address for www.cnn.com; then the DNS server tells your browser the IP address of CNN, so your browser connects to CNN's IP address and displays the content of the main page.

Hold on a minute... You get a message saying that CNN's web site has closed because they don't have any more money to pay for their web site. You're so amazed, you call and tell that to your best friend on the phone; of course he's laughing at you, but to be sure, he goes to CNN's web site to check for himself. You are surprised when he tells you he can see the news of the day as usual, and you start to wonder what's going on. Are you sure you are talking to the right IP address? Let's check. You ask your friend to fire up his favorite DNS resolving tool (or simply ping) and to give you the IP address he's getting for www.cnn.com. Once you have it, you put it in your browser URL bar: http://212.153.32.65. You feel ridiculous and frustrated when you see CNN's web page with its daily news.

Well, you've just been the witness of a DNS hijacking scenario. You're wondering what happened; did the DNS server tell you the wrong IP address? Maybe... At least this is the most obvious answer that comes to mind. In fact there are two techniques for accomplishing this DNS hijacking. Let's see the first one, the "DNS ID Spoofing" technique.

A) DNS Cache Poisoning

As you can imagine, a DNS server can't store information about all existing names/IPs on the net in its own memory space. That's why DNS servers have a cache; it enables them to keep a DNS record for a while. In fact, a DNS server has the records only for the machines of the domain it has authority over; if it needs to know about machines outside its domain, it has to send a request to the DNS server which handles these machines, and since it doesn't want to ask about records all the time, it can store in its cache the replies returned by other DNS servers. Now let's see how someone could poison the cache of our DNS server.

An attacker is running his own domain (attacker.net) with his own hacked DNS server (ns.attacker.net). Note that I said hacked DNS server because the attacker customized the records in his own DNS server; for instance one record could be www.cnn.com=81.81.81.81.

1) The attacker sends a request to your DNS server asking it to resolve www.attacker.net.
2) Your DNS server is not aware of this machine's IP address; it doesn't belong to its domain, so it needs to ask the responsible name server.
3) The hacked DNS server replies to your DNS server and, at the same time, gives all its records (including its record concerning www.cnn.com). Note: this process is called a zone transfer.
4) The DNS server is now "poisoned". The attacker got his IP, but who cares; his goal was not to get the IP address of his web server but to force a zone transfer and keep your DNS server poisoned as long as the cache is not cleared or updated.
5) Now if you ask your DNS server about www.cnn.com's IP address it will give you 172.50.50.50, where the attacker runs his own web server. Or even simpler, the attacker could just run a bouncer forwarding all packets to the real web site and vice versa, so you would see the real web site, but all your traffic would be passing through the attacker's web site.

B) DNS ID Spoofing

We saw that when a machine X wants to communicate with a machine Y, the former always needs the latter's IP address. However, in most cases X only has the name of Y; in that case, the DNS protocol is used to resolve the name of Y into its IP address. Therefore, a DNS request is sent to the DNS server declared at X, asking for the IP address of the machine Y. Meanwhile, the machine X has assigned a pseudo-random identification number to its request, which should be present in the answer from the DNS server. Then when the answer from the DNS server is received by X, it will just have to compare both numbers; if they're the same, the answer is taken as valid, otherwise it will simply be ignored by X. Is this concept safe? Not completely. Anyone could lead an attack by getting this ID number. If you're for example on a LAN, someone who runs a sniffer could intercept DNS requests on the fly, see the request ID number and send you a fake reply with the correct ID number... but with the IP address of his choice. Then, without realizing it, the machine X will be talking to the IP of the attacker's choice, thinking it's Y. By the way, the DNS protocol relies on UDP for requests (TCP is used only for zone transfers), which means that it is easy to send a packet coming from a fake IP since there are no SYN/ACK numbers (unlike TCP, UDP doesn't provide a minimum of protection against IP spoofing).

Nevertheless, there are some limitations to accomplishing this attack. In my example above, the attacker runs a sniffer, intercepts the ID number and replies to his victim with the same ID number and with a reply of his choice. On the other hand, even if the attacker intercepted your request, it will be transmitted to the DNS server anyway, which will also reply to the request (unless the attacker is blocking the request at the gateway or carries out ARP cache poisoning, which would make the attack possible on a switched network, by the way). That means that the attacker has to reply BEFORE the real DNS server, which means that to succeed in this attack, the attacker MUST be on the same LAN so as to have a very quick ping to your machine, and also to be able to capture your packets.

Practical example

To see for yourself how to hijack a connection from a machine on your local area network, we can do the following:

First step: Poison the ARP cache of the victim's machine.
Second step: Now, outgoing packets of the target will be redirected to your host, but you have to forward the traffic to the real gateway.
Third step: We then use a DNS spoofing tool like dnsspoof, a tool that greatly helps to carry out DNS ID Spoofing.

Shell scripts

#!/bin/bash
#
# Scenario DNS Server
#
# short manual
# File operations in /etc/bind/* /etc/resolv.conf | all allowed to group $dnsgamers
# configuration backup in $backdir
# zone files for default dns-server.hs-bremen.game includes
#

# external parameter
#dnsgamers= $CAKE1
dnsgamers=dnsgamers  # group for gamers

# internal parameter or a zone out of cake
backdir=/tmp/bkdsds
# dns zones
rootDNS=194.94.24.34                 #IP Address Root DNS Server, this case uses dns.hs-bremen.de
mainzone=hs-bremen.game              #realm of the game zone
servermainzone=dmz-server.$mainzone  # name of DNS Server
dmzzone=1.0.10.in-addr.arpa
managementzone=10.20.172.in-addr.arpa
preludezone=20.20.172.in-addr.arpa
workerzone=30.20.172.in-addr.arpa
serverzone=40.20.172.in-addr.arpa
guestzone=50.20.172.in-addr.arpa
# record options
ttl=604800
retry=86400
expire=2419200

# make backupdir
mkdir $backdir > /dev/null 2>&1 || exit 1

# adding group and sudorights for bind interaction
# save sudoers file
cp /etc/sudoers $backdir/sudoers > /dev/null 2>&1 || exit 1
groupadd $dnsgamers > /dev/null 2>&1 || exit 1
echo %$dnsgamers ALL=/etc/init.d/bind9 >> /etc/sudoers || exit 1

# install the dnsserver bind9 without interaction
aptitude install bind9 -y > /dev/null 2>&1 || exit 1


# save bind default in /tmp
cd $backdir && tar cf bind.bak.tar /etc/bind > /dev/null 2>&1 || exit 1

# save resolv.conf
cp /etc/resolv.conf $backdir/ > /dev/null 2>&1 || exit 1

# bind configuration with default bind config hs-bremen.game
#
# configuration of /etc/bind/named.conf.options
#
# create temp file
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.tmp > /dev/null 2>&1 || exit 1

#search for string forwarders and uncomment | search for 0.0.0.0 and uncomment | replace 0.0.0.0 with $rootDNS | search close of sequence forwarders and uncomment | write to file
sed '/forwarders {/s/\/\///g' /etc/bind/named.conf.options.tmp | sed '/0.0.0.0/s/\/\///g' | sed "s/0.0.0.0/$rootDNS/" | sed '/\/\/ };/s/\/\///g' > /etc/bind/named.conf.options || exit 1
#delete tmp file
rm /etc/bind/named.conf.options.tmp > /dev/null 2>&1 || exit 1

#
# configuration of default zones hs-bremen.game
#

#Target is always the same
TARGET_AND_LOCATION=/etc/bind/named.conf.local

#zoneadd needs $mylist and $TARGET_AND_LOCATION
zoneadd ()
{
  mylist=("zone \"$zone\"{" "\\t type master;" "\\t file \"/etc/bind/zone.$zone\";" "allow-query {any;};" '};')
  for i in "${mylist[@]}"; do
    echo -e "$i" >> $TARGET_AND_LOCATION || exit 1
  done
}

#recordbuilder
# needs for soa : ttl retry expire servermainzone
# needs for filefunctions : zone
# needs for records : recordlist
recordbuilder()
{
  file=/etc/bind/zone.$zone
  #make new zonefile with soa
  echo -e "\$TTL \t $ttl" > $file || exit 1
  echo -e "@ \t IN \t SOA \t $servermainzone. \t root.localhost. (" >> $file || exit 1
  echo -e "\t \t \t $(date +%F | sed 's/-//g')1 \t; Serial YYYYMMDDVersion" >> $file || exit 1
  echo -e "\t \t \t $ttl \t ; Refresh" >> $file || exit 1
  echo -e "\t \t \t $retry \t \t; Retry" >> $file || exit 1
  echo -e "\t \t \t $expire \t; Expire" >> $file || exit 1
  echo -e "\t \t \t $ttl ) \t; Negative Cache TTL" >> $file || exit 1
  if [ "${zone}" == "${mainzone}" ]; then
    addpoint=""  #point for PTR break in Reverse Lookup
    echo -e "\t \t \t IN \t NS \t $servermainzone." >> $file || exit 1
  else
    addpoint="."
    echo -e "@ \t \t IN \t NS \t $servermainzone." >> $file || exit 1
  fi
  echo -e ";\$ORIGIN \t $mainzone" >> $file || exit 1
  for i in "${recordlist[@]}"; do
    echo -e "$i$addpoint" >> $file || exit 1
  done
}

# zone game main
zone=$mainzone
zoneadd
# add Records
recordlist=("dmz-server \t IN\t A \t 10.0.1.3" "zeus \t\t IN \t A \t 172.20.10.3"
            "ramses\t\t IN\t A\t 172.20.20.131" "cleopatra\t IN\t A\t 172.20.20.132"
            "pluto\t\t IN\t A\t 172.20.30.21" "venus\t\t IN\t A\t 172.20.30.22"
            "roadwarrior1\t IN\t A\t 172.20.30.33" "roadwarrior2\t IN\t A\t 172.20.30.34"
            "roadwarrior3\t IN\t A\t 172.20.30.35" "roadwarrior4\t IN\t A\t 172.20.30.36"
            "roadwarrior5\t IN\t A\t 172.20.30.37" "roadwarrior6\t IN\t A\t 172.20.30.38"
            "roadwarrior7\t IN\t A\t 172.20.30.39" "roadwarrior8\t IN\t A\t 172.20.30.40"
            "roadwarrior9\t IN\t A\t 172.20.30.41" "roadwarrior10\t IN\t A\t 172.20.30.42"
            "roadwarrior11\t IN\t A\t 172.20.30.43" "roadwarrior12\t IN\t A\t 172.20.30.44"
            "roadwarrior13\t IN\t A\t 172.20.30.45" "roadwarrior14\t IN\t A\t 172.20.30.46"
            "roadwarrior15\t IN\t A\t 172.20.30.47" "roadwarrior16\t IN\t A\t 172.20.30.48"
            "roadwarrior17\t IN\t A\t 172.20.30.49" "roadwarrior18\t IN\t A\t 172.20.30.50"
            "roadwarrior19\t IN\t A\t 172.20.30.51" "roadwarrior20\t IN\t A\t 172.20.30.52"
            "merkur\t\t IN\t A\t 172.20.30.60" "erde\t\t IN\t A\t 172.20.30.61"
            "mars\t\t IN\t A\t 172.20.30.62" "jupiter\t\t IN\t A\t 172.20.30.63"
            "saturn\t\t IN\t A\t 172.20.30.64" "neptun\t\t IN\t A\t 172.20.30.65"
            "phobos\t\t IN\t A\t 172.20.30.66" "deimo\t\t IN\t A\t 172.20.30.67"
            "kallisto\t IN\t A\t 172.20.30.68" "uranus\t\t IN\t A\t 172.20.30.69"
            "deutschland\t IN\t A\t 172.20.40.51" "holland\t\t IN\t A\t 172.20.40.52"
            '$GENERATE 126-254 roadwarrior$ IN A 172.20.30.$')
recordbuilder


# zone DMZ
zone=$dmzzone
zoneadd
recordlist=("3\t\t IN\t PTR\t dmz-server.hs-bremen.game")
recordbuilder

# zone Management
zone=$managementzone
zoneadd
recordlist=("3\t\t IN\t PTR\t zeus.hs-bremen.game")
recordbuilder

# zone Prelude
zone=$preludezone
zoneadd
recordlist=("131\t\t IN\t PTR\t ramses.hs-bremen.game" "132\t\t IN\t PTR\t cleopatra.hs-bremen.game")
recordbuilder


# zone Worker
zone=$workerzone
zoneadd
recordlist=("21\t IN\t PTR\t pluto.hs-bremen.game" "22\t IN\t PTR\t venus.hs-bremen.game"
            "33\t IN\t PTR\t roadwarrior1.hs-bremen.game" "34\t IN\t PTR\t roadwarrior2.hs-bremen.game"
            "35\t IN\t PTR\t roadwarrior3.hs-bremen.game" "36\t IN\t PTR\t roadwarrior4.hs-bremen.game"
            "37\t IN\t PTR\t roadwarrior5.hs-bremen.game" "38\t IN\t PTR\t roadwarrior6.hs-bremen.game"
            "39\t IN\t PTR\t roadwarrior7.hs-bremen.game" "40\t IN\t PTR\t roadwarrior8.hs-bremen.game"
            "41\t IN\t PTR\t roadwarrior9.hs-bremen.game" "42\t IN\t PTR\t roadwarrior10.hs-bremen.game"
            "43\t IN\t PTR\t roadwarrior11.hs-bremen.game" "44\t IN\t PTR\t roadwarrior12.hs-bremen.game"
            "45\t IN\t PTR\t roadwarrior13.hs-bremen.game" "46\t IN\t PTR\t roadwarrior14.hs-bremen.game"
            "47\t IN\t PTR\t roadwarrior15.hs-bremen.game" "48\t IN\t PTR\t roadwarrior16.hs-bremen.game"
            "49\t IN\t PTR\t roadwarrior17.hs-bremen.game" "50\t IN\t PTR\t roadwarrior18.hs-bremen.game"
            "51\t IN\t PTR\t roadwarrior19.hs-bremen.game" "52\t IN\t PTR\t roadwarrior20.hs-bremen.game"
            "60\t IN\t PTR\t merkur.hs-bremen.game" "61\t IN\t PTR\t erde.hs-bremen.game"
            "62\t IN\t PTR\t mars.hs-bremen.game" "63\t IN\t PTR\t jupiter.hs-bremen.game"
            "64\t IN\t PTR\t saturn.hs-bremen.game" "65\t IN\t PTR\t neptun.hs-bremen.game"
            "66\t IN\t PTR\t phobos.hs-bremen.game" "67\t IN\t PTR\t deimo.hs-bremen.game"
            "68\t IN\t PTR\t kallisto.hs-bremen.game" "69\t IN\t PTR\t uranus.hs-bremen.game"
            '$GENERATE 126-254 $ PTR roadwarrior$.hs-bremen.game')
recordbuilder

# zone Server
zone=$serverzone
zoneadd
recordlist=("51\t IN\t PTR\t deutschland.hs-bremen.game" "52\t IN\t PTR\t holland.hs-bremen.game")
recordbuilder

# zone Guest
zone=$guestzone
zoneadd
recordlist=()
recordbuilder

# change rights in /etc/bind
chown -R bind:$dnsgamers /etc/bind
chmod g+w /etc/bind/* > /dev/null 2>&1 || exit 1
chmod g+w /etc/bind > /dev/null 2>&1 || exit 1

# to allow user changes in resolv.conf
chown root:$dnsgamers /etc/resolv.conf > /dev/null 2>&1 || exit 1
chmod g+w /etc/resolv.conf > /dev/null 2>&1 || exit 1

# make the nameserver work for localhost
echo search $mainzone > /etc/resolv.conf || exit 1
echo nameserver localhost >> /etc/resolv.conf || exit 1

# save the default game configuration

# save bind default in /tmp
cd $backdir && tar cf bind.game.bak.tar /etc/bind > /dev/null 2>&1 || exit 1

# save resolv.conf
cp /etc/resolv.conf $backdir/resolv.game.conf > /dev/null 2>&1 || exit 1

# restart the nameserver
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1

exit 0

Listing 47: Setup Environment

#!/bin/bash

#external parameter
#dnsgamers= $CAKE1
dnsgamers=dnsgamers

backdir=/tmp/bkdsds

# delete nameserver bind
aptitude purge bind9 -y > /dev/null 2>&1 || exit 1

# delete groups and sudo rights
groupdel $dnsgamers > /dev/null 2>&1 || exit 1

# restore resolv.conf/sudoers from the backup
cp $backdir/resolv.conf /etc/resolv.conf > /dev/null 2>&1 || exit 1
cp $backdir/sudoers /etc/sudoers > /dev/null 2>&1 || exit 1

# delete scenario backup files and /etc/bind
rm -rf $backdir > /dev/null 2>&1 || exit 1
rm -rf /etc/bind > /dev/null 2>&1 || exit 1

exit 0

Listing 48: Cleanup Environment

#!/bin/bash

backdir=/tmp/bkdsds

#external parameter
# USERNAME = $CAKEUSER      # Hacking game user name
# PASSWORD = $CAKEPASSWORD  # must be md5 encrypted (password=test)
#dnsserver= $CAKE1          # IP Address of this host
#spoofingName= $CAKE2
#spoofingIP= $CAKE3
# GROUP = $CAKE4            # default group for sudo rights configured in setup_env
USERNAME=gamer          # Hacking game user name
PASSWORD=AJhEqbz7CCzbE  # must be md5 encrypted (password=test)
GROUP=dnsgamers         # default group for sudo rights configured in setup_env

#parameter for usertask
TODO_FILE=/home/$USERNAME/todo
zone=hs-bremen.game    # zone for the task
spoofingName=heise.de  # Zone to spoof
spoofingIP=10.0.1.4    # manipulated IP

if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
  exit 1; #empty username = error and quit!
fi

#adduser and make home dir
useradd -m $USERNAME -p $PASSWORD -s /bin/bash -G $GROUP > /dev/null 2>&1 || exit 1
#cp /etc/skel/.bash_profile /home/$USERNAME/
#cp /etc/skel/.bashrc /home/$USERNAME/

#make default bind.game config from default configuration and restart nameserver
rm -rf /etc/bind > /dev/null 2>&1 || exit 1
cd / && tar xf $backdir/bind.game.bak.tar > /dev/null 2>&1 || exit 1
/etc/init.d/bind9 restart > /dev/null 2>&1 || exit 1


#script builder needs $mylist and $TARGET_AND_LOCATION
scriptbuild()
{
  for i in "${mylist[@]}"; do
    echo "$i" >> $TARGET_AND_LOCATION || exit 1
  done
}
TARGET_AND_LOCATION=$TODO_FILE
mylist=('# Hello User'
        '# You start with scenario dns-spoofing'
        '# You have to manipulate some records given below'
        '#'
        '# Please keep in mind: to start / stop or reload services it could be required to use the privileged user mode'
        "# For security reasons you don't have the superuser's password, but you are allowed to use the sudo command"
        '#'
        ' '
        'Tasklist (only DNS Settings)')

scriptbuild
mylist=("(1) Insert a new zone for $spoofingName and add the www and mx records to $spoofingIP")
scriptbuild

chown root:$GROUP $TODO_FILE > /dev/null 2>&1 || exit 1
chmod u-w,g-w,o-w $TODO_FILE > /dev/null 2>&1 || exit 1

exit 0

Listing 49: Setup User

#!/bin/bash
# USERNAME = $CAKEUSER
USERNAME=gamer
deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
exit 0

Listing 50: Cleanup User

#!/bin/bash

#external parameter

#dnsserver= $CAKE1     # server for dns checks
#spoofingName= $CAKE2  # zone to spoof
#spoofingIP= $CAKE3
score=1500
dnsserver=localhost    # server for dns checks
spoofingName=heise.de  # zone to spoof
spoofingIP=10.0.1.4

#check if bind is working for zone
if [ "$(dig $spoofingName @$dnsserver | grep SOA)" ]; then
  echo dnsserver works for zone $spoofingName
  if [ "$(dig $spoofingName | grep SOA)" ]; then
    echo dnsserver is working for localhost >/dev/null
  else
    echo dnsserver does not work for localhost >/dev/null
    let "score-=$score/10"  # -10% scorepoints
  fi
else
  echo dnsserver does not work for $spoofingName >/dev/null
  score=0
  exit 3
fi

# check MX
if [ "$(dig mx $spoofingName @$dnsserver | grep mail | grep MX)" ]; then
  if [ "$(dig mail.$spoofingName @$dnsserver | grep $spoofingIP)" ]; then
    echo A Record for MX OK >/dev/null
  else
    echo A Record for MX not OK >/dev/null
    score=0
    exit 3
  fi
  echo mx OK >/dev/null
else
  score=0
  echo mx not OK >/dev/null
  exit 3
fi

# check www
if [ "$(dig www.$spoofingName @$dnsserver | grep $spoofingIP)" ]; then
  echo www OK >/dev/null
else
  echo www not OK >/dev/null
  score=0
  exit 3
fi
exit 2

Listing 51: Evaluation

E.7.4 Domain

Wiki text

Source: DNS for Rocket Scientists [33]

Domain name

From Wikipedia, the free encyclopedia

The term domain name has multiple related meanings:

1. A name that identifies a computer or computers on the Internet. These names appear as a component of a Web site's URL, e.g. en.wikipedia.org. This type of domain name is also called a hostname.
2. The product that domain name registrars provide to their customers. These names are often called registered domain names.
3. Names used for other purposes in the Domain Name System (DNS), for example the special name which follows the @ sign in an email address, or the Top-level domain names like .com, or the names used by the Session Initiation Protocol (VoIP), or DomainKeys.
4. They are sometimes colloquially (and incorrectly) referred to by marketers as "web addresses".

This article will primarily discuss registered domain names.
See the Domain Name System article for technical discussions about general domain names and the hostname article for further information about the most common type of domain name. Overview The most common types of domain names are hostnames that provide more memorable names to stand in for numeric IP addresses. They allow for any service to move to a different location in the topology of the Internet (or an intranet), which would then have a different IP address. By allowing the use of unique alphabetical addresses instead of numeric ones, domain names allow Internet users to more easily find and communicate with web sites and other server-based services. The flexibility of the domain name system allows multiple IP addresses to be assigned to a single domain name, or multiple domain names to be assigned to a single IP address. This means that one server may have multiple roles (such as hosting multiple independent Web sites), bachelorproject ws 07/08 SHiNE 204 or that one role can be spread among many servers. One IP address can also be assigned to several servers, as used in anycast and hijacked IP space. Hostnames are restricted to the ASCII letters ”a” through ”z” (case-insensitive), the digits ”0” through ”9”, and the hyphen, with some other restrictions. Registrars restrict the domains to valid hostnames, since, otherwise, they would be useless. The Internationalized domain name (IDN) system has been developed to bypass the restrictions on character allowances in host- names, making it easier for users of non-English alphabets to use the Internet. The underscore character is frequently used to ensure that a domain name is not recognized as a hostname, for example with the use of SRV records, although some older systems, such as NetBIOS did allow it. Due to confusion and other reasons, domain names with underscores in them are sometimes used where hostnames are required. 
Examples The following example illustrates the difference between a URL (Uniform Resource Locator) and a domain name: URL: http://www.example.net/index.html Domain name: www.example.net Registered domain name: example.net As a general rule, the IP address and the server name are interchangeable. For most Internet services, the server will not have any way to know which was used. However, the explosion of interest in the Web means that there are far more Web sites than servers. To accommodate this, the hypertext transfer protocol (HTTP) specifies that the client tells the server which name is being used. This way, one server with one IP address can provide different sites for different domain names. This feature goes under the name virtual hosting and is commonly used by Web hosts. For example, as referenced in RFC 2606 (Reserved Top Level DNS Names), the server at IP address 192.0.34.166 handles all of the following sites: • example.com • www.example.com • example.net • www.example.net • example.org • www.example.org When a request is made, the data corresponding to the hostname requested is served to the user. Top-level domains bachelorproject ws 07/08 SHiNE 205 Every domain name ends in a top-level domain (TLD) name, which is always either one of a small list of generic names (three or more characters), or a two-character territory code based on ISO-3166 (there are few exceptions and new codes are integrated case by case). Top-level domains are sometimes also called first-level domains. 
The generic top-level domain (gTLD) extensions are: Generic top-level domains Unsponsored .biz .com .edu .gov .info .int .mil .name .net .org Sponsored .aero .asia .cat .coop .jobs .mobi .museum .pro .tel .travel Infrastructure .arpa .root Proposed Locations — Children .berlin .lat .nyc — .kid .kids Linguistic .bzh .cym .gal .sco Technical — Other .geo .mail .web — .post .xxx Deleted/retired .nato Reserved .example .invalid .localhost .test Pseudo .bitnet .csnet .ip .local .onion .exit .uucp Unofficial Alternative DNS roots Country code top-level domains The country code top-level domain (ccTLD) extensions are: Country code top-level domains Active: .ac .ad .ae .af .ag .ai .al .am .an .ao .aq .ar .as .at .au .aw .ax .az .ba .bb .bd .be .bf .bg .bh .bi .bj .bm .bn .bo .br .bs .bt .bw .by .bz .ca .cc .cd .cf .cg .ch .ci .ck .cl .cm .cn .co .cr .cu .cv .cx .cy .cz .de .dj .dk .dm .do .dz .ec .ee .eg .er .es .et .eu .fi .fj .fk .fm .fo .fr .ga .gd .ge .gf .gg .gh .gi .gl .gm .gn .gp .gq .gr .gs .gt .gu .gw .gy .hk .hm .hn .hr .ht .hu .id .ie .il .im .in .io bachelorproject ws 07/08 SHiNE 206 .iq .ir .is .it .je .jm .jo .jp .ke .kg .kh .ki .km .kn .kp .kr .kw .ky .kz .la .lb .lc .li .lk .lr .ls .lt .lu .lv .ly .ma .mc .md .me .mg .mh .mk .ml .mm .mn .mo .mp .mq .mr .ms .mt .mu .mv .mw .mx .my .mz .na .nc .ne .nf .ng .ni .nl .no .np .nr .nu .nz .om .pa .pe .pf .pg .ph .pk .pl .pn .pr .ps .pt .pw .py .qa .re .ro .rs .ru .rw .sa .sb .sc .sd .se .sg .sh .si .sk .sl .sm .sn .sr .st .sv .sy .sz .tc .td .tf .tg .th .tj .tk .tl .tm .tn .to .tr .tt .tv .tw .tz .ua .ug .uk .us .uy .uz .va .vc .ve .vg .vi .vn .vu .wf .ws .ye .za .zm .zw Cyrillic: . Reserved/unassigned: .bl .eh .mf Allocated/unused: .bv .gb .pm .sj .so .um .yt Phaseout: .su .tp .yu Deleted/retired: .cs .zr Other-level domains In addition to the top-level domains, there are second-level domain (SLD) names. These are the names directly to the left of .com, .net, and the other top-level domains. 
As an example, in the domain en.wikipedia.org, "wikipedia" is the second-level domain. On the next level are third-level domains. These domains are immediately to the left of a second-level domain. In the en.wikipedia.org example, "en" is a third-level domain. There can be fourth and fifth level domains and so on, with virtually no limitation. An example of a working domain with five levels is www.sos.state.oh.us. Each level is separated from the next by a dot or period symbol. Domains of third or higher level are also known as subdomains, though this term technically applies to a domain of any level, since even a top-level domain is a "subdomain" of the "root" domain (a "zeroth-level" domain that is designated by a dot alone).

Traditionally, the second-level domain has been chosen based on the name of a company (e.g. microsoft.com). The third level was commonly used to designate a particular host server. Therefore, ftp.wikipedia.org might be an FTP server, www.wikipedia.org would be a World Wide Web server, and mail.wikipedia.org could be an email server. Modern technology now allows multiple servers to serve a single subdomain, or multiple protocols or domains to be served by a single computer. Therefore, subdomains may or may not have any real purpose.

Official assignment

ICANN (Internet Corporation for Assigned Names and Numbers) has overall responsibility for managing the DNS. It controls the root domain, delegating control over each top-level domain to a domain name registry. For ccTLDs, the domain registry is typically controlled by the government of that country. ICANN has a consultation role in these domain registries but is in no position to regulate the terms and conditions of how a domain name is allocated or who allocates it in each of these country level domain registries.
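The level numbering described above (the TLD is level 1, and levels are counted leftwards from there) can be checked mechanically. The following shell functions are an added example for this section, not code from the SHiNE project; the function names are this example's own. They normalize a name (case folding, dropping the trailing dot that names the root) and return the label at a given level. The last function also shows why the "registered domain name" of the earlier example cannot be read off the labels alone: the last two labels of www.sos.state.oh.us are oh.us, a delegated part of the .us hierarchy rather than a registrant's own name, so a "last two labels" rule is not a registered-domain lookup.

```shell
#!/bin/sh
# Added example (not from the SHiNE project): split a domain name into its labels
# and report them by level, with level 1 being the top-level domain as in the text.

# normalize: lower-case the name and drop one trailing dot (the root label,
# which the text describes as a "zeroth-level" domain written as a dot alone)
normalize_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# number of labels in the name (www.sos.state.oh.us -> 5)
label_count() {
    normalize_name "$1" | awk -F. '{ print NF }'
}

# label at a given level, counted from the right: 1 = TLD, 2 = second-level, ...
# prints nothing when the name has fewer levels than asked for
level_label() {
    name=$(normalize_name "$1")
    level=$2
    printf '%s\n' "$name" | awk -F. -v l="$level" '{ if (l >= 1 && l <= NF) print $(NF - l + 1) }'
}

# the last N labels, e.g. level 2 of en.wikipedia.org -> wikipedia.org
# (this is the "last N labels" view only; it is NOT a registered-domain lookup,
#  as www.sos.state.oh.us -> oh.us shows)
suffix_of_level() {
    name=$(normalize_name "$1")
    level=$2
    printf '%s\n' "$name" | awk -F. -v l="$level" '{
        if (l < 1 || l > NF) exit
        out = $(NF - l + 1)
        for (i = NF - l + 2; i <= NF; i++) out = out "." $i
        print out
    }'
}

# one line per level, highest level first: "3 en", "2 wikipedia", "1 org"
describe_levels() {
    name=$(normalize_name "$1")
    printf '%s\n' "$name" | awk -F. '{ for (i = 1; i <= NF; i++) print NF - i + 1, $i }'
}

# usage: list the five-level example from the text
describe_levels www.sos.state.oh.us
```

Label numbering is the only thing these functions know; deciding where the registry's part of the name ends and the registrant's part begins needs a list of public suffixes, which the name itself does not carry.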
On the other hand, generic top-level domains (gTLDs) are governed directly under ICANN, which means all terms and conditions are defined by ICANN with the cooperation of the gTLD registries. Domain names, which are theoretically leased, can be considered in the same way as real estate, due to a significant impact on online brand building, advertising, search engine optimization, etc.

A few companies have offered low-cost, below-cost or even free domain registrations, with a variety of models adopted to recoup the costs to the provider. These usually require that domains are hosted on their site in a framework or portal, with advertising wrapped around the user's content, revenue from which allows the provider to recoup the costs. When the DNS was new, domain registrations were free. A domain owner can generally give away or sell infinite subdomains of their domain, e.g. the owner of example.edu could provide domains that are subdomains, such as foo.example.edu and foo.bar.example.edu.

Uses and abuses

As domain names became attractive to marketers, rather than just the technical audience for which they were originally intended, they began to be used in manners that in many cases did not fit in their intended structure. As originally planned, the structure of domain names followed a strict hierarchy in which the top level domain indicated the type of organization (commercial, governmental, etc.), and addresses would be nested down to third, fourth, or further levels to express complex structures, where, for instance, branches, departments, and subsidiaries of a parent organization would have addresses which were subdomains of the parent domain. Also, hostnames were intended to correspond to actual physical machines on the network, generally with only one name per machine.
However, once the World Wide Web became popular, site operators frequently wished to have memorable addresses, regardless of whether they fit properly in the structure; thus, since the .com domain was the most popular and memorable, even noncommercial sites would often get addresses under it, and sites of all sorts wished to have second-level domain registrations even if they were parts of a larger entity where a logical subdomain would have made sense (e.g., abcnews.com instead of news.abc.com).

A Web site found at http://www.example.org/ will often be advertised without the "http://", and in most cases can be reached by just entering "example.org" into a Web browser. In the case of a .com, the Web site can sometimes be reached by just entering "example" (depending on browser versions and configuration settings, which vary in how they interpret incomplete addresses).

The popularity of domain names also led to uses which were regarded as abusive by established companies with trademark rights; this was known as cybersquatting, in which somebody took a name that resembled a trademark in order to profit from traffic to that address. To combat this, various laws and policies were enacted to allow abusive registrations to be forcibly transferred, but these were sometimes themselves abused by overzealous companies committing reverse domain hijacking against domain users who had legitimate grounds to hold their names, such as their being generic words as well as trademarks in a particular context, or their use in the context of fan or protest sites with free speech rights of their own. Laws that specifically address domain name conflicts include the Anticybersquatting Consumer Protection Act in the United States and the Trademarks Act, 1999, in India. Alternatively, domain registrants are bound by contract under the UDRP to comply with mandatory arbitration proceedings should someone challenge their ownership of the domain name.
Generic domain names: problems arising out of unregulated name selection

Within a particular top-level domain, parties are generally free to select an unallocated domain name as their own on a first come, first served basis, resulting in Harris's lament, "all the good ones are taken". For generic or commonly used names, this may sometimes lead to the use of a domain name which is inaccurate or misleading. This problem can be seen with regard to the ownership or control of domain names for a generic product or service. By way of illustration, there has been tremendous growth in the number and size of literary festivals around the world in recent years. In this context, currently a generic domain name such as literary.org is available to the first literary festival organisation which is able to obtain registration, even if the festival in question is very young or obscure. Some critics would argue that there is greater amenity in reserving such domain names for the use of, for example, a regional or umbrella grouping of festivals. Related issues may also arise in relation to non-commercial domain names.

Shell script

    #!/bin/bash

    # external parameters
    # USERNAME = $CAKEUSER   # Hacking game user name
    # PASSWORD = $CAKEPASS   # must be md5 encrypted
    # DOMAIN   = $CAKE1      # Domain to check

    USERNAME=tester          # Hacking game user name
    PASSWORD=lxSigVD0RJEAM   # must be md5 encrypted
    domain=hs-bremen.de      # Domain to check

    # wc -m counts the newline, so 1 means the name is empty
    if [ $(echo $USERNAME | wc -m) -eq 1 ]; then
        exit 3;  # empty username = error and quit!
    fi

    # just for the style
    if [ "${#domain}" -gt 8 ]; then
        tabulator="\t\t"
        if [ "${#domain}" -gt 15 ]; then
            tabulator="\t"
        fi
    fi

    # internal parameters
    BACKGROUND_SCRIPT=/tmp/$USERNAME/background_script
    TODO_FILE=/home/$USERNAME/todo

    # functions
    # scriptbuild needs $mylist and $TARGET_AND_LOCATION; appends every list entry as one line
    scriptbuild()
    {
        for i in "${mylist[@]}"; do
            echo "$i" >> $TARGET_AND_LOCATION || exit 1
        done
    }

    # chmodder needs $mylist and $newrights
    chmodder()
    {
        for i in "${mylist[@]}"; do
            chmod $newrights $i > /dev/null 2>&1 || exit 1
        done
    }

    # dirmaker needs $mylist
    dirmaker()
    {
        for i in "${mylist[@]}"; do
            mkdir -p $i > /dev/null 2>&1 || exit 1
        done
    }

    # function to make random queries, needs $mylist and $record:
    # picks a random number of distinct fields from $mylist and appends one
    # question line per field to the todo file
    randomquery()
    {
        random_number=$RANDOM
        let "random_number %= ${#mylist[@]}"
        checklist=()   # start with an empty selection on every call
        for ((a=0; a<=random_number; a++))   # upper bound inferred from the while condition below
        do
            while [ "${#checklist[@]}" -le "$random_number" ]
            do
                check=0
                length=${#checklist[@]}
                random_field=$RANDOM
                let "random_field %= ${#mylist[@]}"
                for ((x=0; x<=length; x++))
                do
                    if [ "${checklist[x]}" == "${mylist[$random_field]}" ]; then
                        check=1
                    fi
                done
                if [ "$check" -eq 0 ]; then
                    checklist=( ${checklist[@]} ${mylist[$random_field]} )
                fi
            done
            # append todo file
            if [ "${#record}" -lt 7 ]; then
                tabulator2="\t\t"
            else
                tabulator2="\t"
            fi
            if [ "${#checklist[$a]}" -lt 7 ]; then
                tabulator3="\t\t"
            else
                tabulator3="\t"
            fi
            echo -e "$domain$tabulator $record$tabulator2 ${checklist[$a]} $tabulator3"'??????' >> $TODO_FILE || exit 1
        done
    }

    ## end functions

    # adduser and make home dir
    useradd -m $USERNAME -p $PASSWORD -s /bin/bash > /dev/null 2>&1 || exit 1
    #cp /etc/skel/.bash_profile /home/$USERNAME/ > /dev/null 2>&1 || exit 1
    #cp /etc/skel/.bashrc /home/$USERNAME/ > /dev/null 2>&1 || exit 1

    # add needed dirs
    mylist=(/tmp/$USERNAME)
    dirmaker

    # make the todo file
    TARGET_AND_LOCATION=$TODO_FILE
    mylist=('# Hello User'
            '# You start with scenario domain'
            '# This scenario should show you which records are stored by a registrar.'
            '# The records you have to find out are given in the table below.'
            "# For your challenge you're allowed to use tools like 'whois'."
            '# For more information about these tools use the man command like "man whois"'
            '#'
            '# 1) start the command line'
            '# 2) find your tool for whois queries'
            '# 3) start the query for the given domain'
            '# 4) find out the records given in the table below'
            '# 5) replace ????? with your answer'
            '# 6) save the document'
            '# 7) wait for a response'
            '#'
            "# Please don't change anything else in this document"
            '#'
            '#')
    scriptbuild

    # append the random questions
    echo -e "Domain $tabulator Record\t\t Field\t\t Entry" >> $TODO_FILE || exit 1

    # Functionality only for .com .net .org .edu .de .us
    case ${domain##*.} in   # the part after the last dot, i.e. the TLD
        de)
            # Lists for DE domains
            recordlist=( Admin-C Tech-C Zone-C )
            nameserver=Nserver
            # nameserver is always a query
            echo -e "$domain$tabulator $nameserver\t $nameserver\t ??????" >> $TODO_FILE || exit 1
            for i in ${recordlist[@]}
            do
                record=$i
                case $i in
                    ${recordlist[0]})
                        mylist=( Type Name Address Pcode City Country Changed )
                        randomquery
                        ;;
                    ${recordlist[1]})
                        mylist=( Type Name Address Pcode City Country Phone Fax Email Changed )
                        randomquery
                        ;;
                    ${recordlist[2]})
                        mylist=( Type Name Address Pcode City Country Phone Fax Email Changed )
                        randomquery
                        ;;
                esac
            done
            ;;
        com)
            # Lists for com domains
            recordlist=( Registrant Administrative Technical )
            nameserver=Nameserver
            # nameserver is always a query
            echo -e "$domain$tabulator $nameserver\t $nameserver\t\t ??????" >> $TODO_FILE || exit 1
            for i in ${recordlist[@]}
            do
                record=$i
                # List is always the same for .com
                mylist=( Name Organisation Address City State Country Postal Phone Fax Email Registration Updated )
                randomquery
            done
            ;;
        net)
            # Lists for net domains
            recordlist=( Registrant Administrative Technical )
            nameserver=Nameserver
            # nameserver is always a query
            echo -e "$domain$tabulator $nameserver\t $nameserver\t\t ??????" >> $TODO_FILE || exit 1
            for i in ${recordlist[@]}
            do
                record=$i
                # List is always the same for .net
                mylist=( Name Organisation Address City State Country Postal Phone Fax Email Registration Updated )
                randomquery
            done
            ;;
        org)
            # Lists for org domains
            recordlist=( Registrant Admin Tech )
            nameserver=Name
            # nameserver is always a query
            echo -e "$domain$tabulator Name\t\t Server\t\t??????" >> $TODO_FILE || exit 1
            for i in ${recordlist[@]}
            do
                record=$i
                # List is always the same for .org
                mylist=( Name Organisation Street City State Country Postal Phone FAX Email )
                randomquery
            done
            ;;
        edu)
            # Lists for edu domains
            recordlist=( Registrant Administrative Technical )
            nameserver=Name
            # nameserver is always a query
            echo -e "$domain$tabulator $nameserver\t\t Servers\t?????? " >> $TODO_FILE || exit 1
            for i in ${recordlist[@]}
            do
                record=$i
                case $i in
                    ${recordlist[0]})
                        mylist=( Name Address City Country )
                        randomquery
                        ;;
                    ${recordlist[1]})
                        mylist=( Name Address City Country Tel Email )
                        randomquery
                        ;;
                    ${recordlist[2]})
                        mylist=( Name Address City Country Tel Email )
                        randomquery
                        ;;
                esac
            done
            ;;
        us)
            # Lists for us domains
            recordlist=( Registrant Administrative Billing Technical )
            # nameserver isn't given but Domain ID is a special field
            nameserver=Domain
            # nameserver is always a query
            echo -e "$domain$tabulator $nameserver\t\t ID\t\t??????" >> $TODO_FILE || exit 1
            for i in ${recordlist[@]}
            do
                record=$i
                # List is always the same for .us
                mylist=( Name Address City State Postal Country Phone Email )
                randomquery
            done
            ;;
    esac

    # make Background_script: the lines below are written into a second script that
    # watches the todo file from the user's shell and checks the answers
    TARGET_AND_LOCATION=$BACKGROUND_SCRIPT
    mylist=('#!/bin/bash'
            "todo=$TODO_FILE"
            'lastAccess=`stat $todo -c%x`'
            'lastMod=`stat $todo -c%y`'
            'checker()'
            '{'
            'if [ "$check" == "" ]; then'
            'echo "your task isn'"'"'t finished"'
            'let "verifier++"'
            'echo " Problem at ${domainlist[$a]} ${recordlist[$a]} ${fieldlist[$a]} ${entrylist[$a]}"'
            'fi'
            '}'
            'while [ "`stat $todo -c%x`" == "$lastAccess" ]'
            'do'
            'sleep 10'
            'echo "You have to read $todo"'
            'done'
            'while [ checker=1 ]'
            'do'
            'while [ "`stat $todo -c%y`" == "$lastMod" ]'
            'do'
            'sleep 10'
            'done'
            'echo "we check your work"'
            'lastMod=`stat $todo -c%y`'
            'declare -a domainlist'
            'declare -a recordlist'
            'declare -a fieldlist'
            'declare -a stringlist')
    scriptbuild
    # something difficult to insert: single quotes inside a single-quoted string ('\'')
    echo 'domainlist=(`grep -v "#" $todo | sed '\''s/[\t \ ]\{1,\}/:/g'\'' | awk -F: '\''{print $1}'\''`)' >> $TARGET_AND_LOCATION
    echo 'recordlist=(`grep -v "#" $todo | sed '\''s/[\t \ ]\{1,\}/:/g'\'' | awk -F: '\''{print $2}'\''`)' >> $TARGET_AND_LOCATION
    echo 'fieldlist=(`grep -v "#" $todo | sed '\''s/[\t \ ]\{1,\}/:/g'\'' | awk -F: '\''{print $3}'\''`)' >> $TARGET_AND_LOCATION
    echo 'entrylist=(`grep -v "#" $todo | sed '\''s/[\t \ ]\{1,\}/:/g'\'' | awk -F: '\''{print $4}'\''`)' >> $TARGET_AND_LOCATION
    mylist=('entry=${#domainlist[@]}' 'verifier=0' 'for ((a=1; a
    # the remainder of this list (the loop that runs whois and checker for every
    # table row, cf. Listing 54) is cut off in the original listing
    scriptbuild

    # change dir and file permissions
    chown -R $USERNAME:$USERNAME /home/$USERNAME/ > /dev/null 2>&1 || exit 1
    chown $USERNAME:$USERNAME $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1
    chmod u+x $BACKGROUND_SCRIPT > /dev/null 2>&1 || exit 1
    # modify user .bashrc so the background script starts with the user's shell
    echo "$BACKGROUND_SCRIPT &" >> /home/$USERNAME/.bashrc || exit 1
    exit 0

Listing 52: Setup

    #!/bin/bash
    # USERNAME = $CAKEUSER
    USERNAME=tester
    rm -r /tmp/$USERNAME > /dev/null 2>&1 || exit 1
    deluser --remove-home $USERNAME > /dev/null 2>&1 || exit 1
    exit 0

Listing 53: Cleanup

    #!/bin/bash
    # user = $CAKEUSER   # username
    user=tester
    todo=/home/$user/todo

    # counts a row as unfinished when the whois lookup for it returned nothing
    checker()
    {
        if [ "$check" == "" ]; then
            echo "your task isn't finished"
            let "verifier++"
            #echo "Problem at ${domainlist[$a]} ${recordlist[$a]} ${fieldlist[$a]} ${entrylist[$a]}"
        fi
    }

    # one array per table column: comment lines are dropped, runs of whitespace
    # become ":" and awk picks the column
    declare -a domainlist
    declare -a recordlist
    declare -a fieldlist
    declare -a stringlist
    domainlist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g' | awk -F: '{print $1}'`) || exit 1
    recordlist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g' | awk -F: '{print $2}'`) || exit 1
    fieldlist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g' | awk -F: '{print $3}'`) || exit 1
    entrylist=(`grep -v "#" $todo | sed 's/[\t \ ]\{1,\}/:/g' | awk -F: '{print $4}'`) || exit 1
    entry=${#domainlist[@]}
    verifier=0
    for ((a=1; a<entry; a++))   # index 0 is the table header row; upper bound inferred
    do
        domain=${domainlist[$a]}
        case ${domain##*.} in   # the part after the last dot, i.e. the TLD
            de)  check=`whois ${domainlist[$a]} | grep -i -A 15 ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
                 checker
                 ;;
            us)  check=`whois ${domainlist[$a]} | grep -i ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
                 checker
                 ;;
            org) check=`whois ${domainlist[$a]} | grep -i ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
                 checker
                 ;;
            edu) check=`whois ${domainlist[$a]} | grep -i -A 15 ${recordlist[$a]} | grep -i ${entrylist[$a]}`
                 checker
                 ;;
            net) check=`whois ${domainlist[$a]} | grep -i -A 16 ${recordlist[$a]} | grep -i ${fieldlist[$a]} | grep -i ${entrylist[$a]}`
                 checker
                 ;;
            com) check=`whois ${domainlist[$a]} | grep -i -A 16 ${recordlist[$a]} | grep -i "${fieldlist[$a]}" | grep -i ${entrylist[$a]}`
                 checker
                 ;;
        esac
    done
    if [ "$verifier" -eq 0 ]; then
        # echo "finished"
        exit 2
    else
        # echo "not finished"
        exit 3
    fi
    exit 1

Listing 54: Evaluation
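To see what the evaluation step actually tests, here is an added example (not one of the SHiNE listings) that runs the todo-table parsing and the record/field/entry check of Listing 54 offline against constructed data: a made-up whois answer in a DENIC-like layout and a todo table in the format Listing 52 writes. The function names, the sample records, addresses and hosts are all constructed for this example. It also shows a weakness a practitioner should be aware of when grading this way: the `-A 15` context window lets a field of the following record satisfy the check, so a stricter variant bounded by the blank line between records is included beside it.

```shell
#!/bin/bash
# Added example (not one of the SHiNE listings): the todo-table parsing and the
# record/field/entry check of Listing 54, run offline against constructed data.

# Constructed whois answer in a DENIC-like layout: each record (Admin-C, Tech-C)
# is a heading followed by its fields, records are separated by a blank line.
# Names, addresses and hosts are made up for this example.
WHOIS_SAMPLE='Domain:      hs-bremen.de
Nserver:     ns1.example.net
Status:      connect

[Admin-C]
Type:        PERSON
Name:        Example Admin
Address:     Example Street 1
Pcode:       28199
City:        Bremen
Country:     DE
Changed:     2007-11-05

[Tech-C]
Type:        ROLE
Name:        Example Hostmaster
City:        Bremerhaven
Country:     DE
Email:       hostmaster@example.net
'

# Constructed todo table in the layout Listing 52 writes: comment lines, a header
# row, then one question per line; the last row is still unanswered.
TODO_SAMPLE='# Hello User
# 5) replace ?????? with your answer
Domain          Record      Field       Entry
hs-bremen.de    Nserver     Nserver     ns1.example.net
hs-bremen.de    Admin-C     City        Bremen
hs-bremen.de    Admin-C     Pcode       28199
hs-bremen.de    Tech-C      Country     ??????
'

# The .de branch of Listing 54 as a function: the record heading plus 15 lines of
# context, then the field line, then the entry. Exit status 0 means "answer found".
check_answer() {
    printf '%s\n' "$1" | grep -i -A 15 -- "$2" | grep -i -- "$3" | grep -qi -- "$4"
}

# Stricter variant: only the lines between the record heading and the next blank
# line count, so a field of the following record can no longer satisfy the check.
check_answer_strict() {
    printf '%s\n' "$1" | awk -v r="$2" -v f="$3" -v e="$4" '
        BEGIN { r = tolower(r); f = tolower(f); e = tolower(e); inrec = 0; hit = 0 }
        /^[ \t]*$/ { inrec = 0; next }        # a blank line ends the current record
        index(tolower($0), r) { inrec = 1 }   # record heading (or the Nserver line itself)
        inrec && index(tolower($0), f) && index(tolower($0), e) { hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# Parse the table like Listing 54 does (drop comment lines, collapse whitespace
# into ":", split into domain/record/field/entry), skip the header row and count
# the rows whose answer is not confirmed. Listing 54 maps 0 to exit 2 ("finished")
# and anything else to exit 3 ("not finished"). The count is printed on stdout.
count_unfinished() {
    table=$1
    whois_text=$2
    printf '%s\n' "$table" | grep -v '^#' | tail -n +2 | sed 's/[[:space:]]\{1,\}/:/g' |
    {
        bad=0
        while IFS=: read -r domain record field entry; do
            [ -n "$domain" ] || continue
            if ! check_answer_strict "$whois_text" "$record" "$field" "$entry"; then
                echo "Problem at $domain $record $field $entry" >&2
                bad=$((bad + 1))
            fi
        done
        echo "$bad"
    }
}

# usage: the loose check accepts Tech-C's city for the Admin-C question, the strict one does not
check_answer "$WHOIS_SAMPLE" Admin-C City Bremerhaven && echo "loose check: Bremerhaven accepted for Admin-C (context bleed)"
check_answer_strict "$WHOIS_SAMPLE" Admin-C City Bremerhaven || echo "strict check: Bremerhaven rejected for Admin-C"
echo "unfinished rows: $(count_unfinished "$TODO_SAMPLE" "$WHOIS_SAMPLE")"
```

Two details differ from Listing 54 on purpose: comment lines are dropped with `^#` rather than `"#"`, so a table row containing a `#` anywhere is not silently lost, and the row is split inside one pipeline instead of four separate array assignments that each re-read the file. An unanswered `??????` never matches the whois text, which is what makes the last row count as unfinished.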