Labtainer - Nist Framework Mapping

Linux Access Control Lists (ACLs)

This exercise explores the use of Linux ACLs to provide access control over files, with more flexibility than the access control offered by traditional UNIX file permissions.

This exercise explores the use of Linux ACLs to provide access control over files, with more flexibility than the access control offered by traditional UNIX file permissions. It is assumed the student has received instruction, or independent study, in access control policies and ACLs. A description of Linux ACLs can be found at https://wiki.archlinux.org/index.php/Access_Control_Lists

This lab runs in the Labtainer framework, available at http://my.nps.edu/web/c3o/labtainers. That site in- cludes links to a pre-built virtual machine that has Labtainers installed, however Labtainers can be run on any Linux host that supports Docker containers.

Task 1: Review existing file permissions Task 2: Set an ACL on a single file Task 3: Set an default ACL for a directory Task 4: Trojan Horses Task 5: Submission

Tags: LABTAINER LINUX ACL K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0397 Knowledge of security concepts in operating systems (e.g., Linux, Unix.)

S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

ARP Spoofing for Sniffing and MITM Attacks

This exercise explores the use of ARP spoofing as a means to sniff local network traffic. Modern Local Area Networks (LANs) use ethernet switches, which prevent passive sniffing of network traffic between other components.

This lab assumes you have separately learned about the ARP protocol. ARP spoofing is a technique by which the attacker sends spoofed ARP messages into the LAN, with a goal of causing traffic meant for one IP address to be routed to the attacker’s computer instead. The attacker’s computer then forwards the traffic to the intended destination. This puts the attacker into the middle of the traffic exchange, hence the name ”Man in the Middle” attack.

Task 1: Sniff the LAN from the Attacker Task 2: Spoof the ARP cache on the User and Gateway Computers

Tags: LABTAINER ARP MITM

S0081 Skill in using network analysis tools to identify vulnerabilities. (e.g., fuzzing, nmap, etc.).

S0168 Skill in setting up physical or logical sub-networks that separate an internal local area network (LAN) from other untrusted networks.

S0242 Skill in interpreting vulnerability scanner results to identify vulnerabilities.

Backups

The objective of this lab assignment is to introduce students to features of common backup utilities, and to perform a few basic experiments to determine the effects of verification, compression and encryption on backups. These procedures assume the student has access to an accompanying spreadsheet to aid in the analysis. This spreadsheet highlights the cells that require input. Note that these experiments are unscientific because there are not enough test cases (such as a large variety of backup sizes) and a lack of variety in backup destinations (such as external hard disk vs. internal hard disk vs. tape). These tests also ignore the differences between a VM and a physical machine. Nevertheless, despite these limitations, it is hoped that good observations and hypotheses can be made.

Task 1: Getting Started Task 2: Tar Introduction Task 3: Dump Introduction Task 4: Dump and Verification Task 5: Dump and Compression Task 6: Dump and Encryption Task 7: Dump with Everything Task 8: Clean up

Tags: LABTAINER TAR DUMP BACKUPS

K0373 Knowledge of basic software applications (e.g., data storage and backup, database applications) and the types of vulnerabilities that have been found in those applications.

S0158 Skill in operating system administration. (e.g., account maintenance, data backups, maintain system performance, install and configure new hardware/software).

Border Gateway Protocol

his exercise introduces Border Gateway Protocoal (BGP) fundamentals, allowing students to configure BGP routers and view their behavior.

This exercise introduces Border Gateway Protocoal (BGP) fundamentals, allowing students to configure BGP routers and view their behavior. The lab uses Bird routers, which is an open source Linux-based router implementation.

This exercise assumes the student has received instruction on functions of network routers, and BGP. A tuto- rial on BGP can be found at: http://www.cs.fsu.edu/ ̃xyuan/cis6930/APRICOT2004-BGP00. pdf. It is also assumed that the student is familiar with basic Linux routing, e.g., as explored in the routing- basics and routing-basics2 labs. This lab exercise only touches on some of the most basic elements of BGP.

Task 1: Explore Task 2: Configure routers for R4 Task 3: Submission

Tags: LABTAINER BGP ROUTING

K0470 Knowledge of Internet and routing protocols. K0471 Knowledge of Internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering). K0491 Knowledge of networking and Internet communications fundamentals (i.e. devices, device configuration, hardware, software, applications, ports/protocols, addressing, network architecture and infrastructure, routing, operating systems, etc.). K0565 Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications. S0035 Skill in establishing a routing schema.

S0178 Skill in analyzing essential network data (e.g., router configuration files, routing protocols).

Routing: Open Shortest First Path

This exercise introduces the Open Shortest First Path (OSPF) routing protocol, allowing students to con- figure OSPF-enabled routers and view their behavior

This exercise introduces the Open Shortest First Path (OSPF) routing protocol, allowing students to con- figure OSPF-enabled routers and view their behavior. The student will use OSPF to spoof routing tables, leading to malicious mis-routing of traffic. OSPF is an internal gateway protocol (IGP). The bird-bgp lab explored the Border Gateway Protocol (BGP), which is an external gateway protocol (EGP) used within the Internet backbone, e.g., between ISPs. This lab uses routers running the Bird service, which is an open source Linux-based router implementation.

This exercise assumes the student has received instruction on functions of network routers, and OSPF. It is also assumed that the student is familiar with basic Linux routing, e.g., as explored in the routing-basics and routing-basics2 labs. There are a number of web-based resources describing OSPF. Note however that many focus on Cisco command line syntax and semantics. Look for tutorials that explain concepts and not just rote steps needed to pass a certification. This lab exercise only touches on some of the most basic elements of OSPF.

Task 1: Explore Task 2: Confirm connectivity Task 3: Review authentication Task 4: Hijack the WX address Task 5: Improve authentication Task 6: Submission

Tags: LABTAINER IGP OSPF ROUTING

K0471 Knowledge of Internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

S0035 Skill in establishing a routing schema.

S0178 Skill in analyzing essential network data (e.g., router configuration files, routing protocols).

Buffer Overflow: 64 Bit Application

The bufoverflow lab introduced you to buffer overflow vulnerabilities and potential exploits of those vulnerabilities. That lab included a vulnerable program that ran as a 32-bit x86 application

The bufoverflow lab introduced you to buffer overflow vulnerabilities and potential exploits of those vulnerabilities. That lab included a vulnerable program that ran as a 32-bit x86 application. This lab includes the very same vulnerable program source code, however it compiles and runs as a 64-bit application.

The student is expected to have an understanding of the Linux command line, and some amount of low level programming. It is expected that the student will have completed the bufoverflow lab.

Task 1: Explore Task 2: Shell code Task 3: Overwriting return address Task 4: Get a shell Task 5: Follow on Task 6: Submission

Tags: LABTAINER BUFFER OVERFLOW

K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). K0079 Knowledge of software debugging principles.

K0186 Knowledge of debugging procedures and tools.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

Buffer Overflow Vulnerability Lab

The learning objective of this lab is for students to gain first-hand experience with a buffer-overflow vulner- ability by putting what they have learned about the vulnerability from class into action. Buffer overflow is defined as the condition in which a program attempts to write data beyond the boundaries of pre-allocated fixed length buffers. This vulnerability can be utilized by a malicious user to alter the flow control of the program, even execute arbitrary pieces of code. This vulnerability arises due to the mixing of the storage for data (e.g. buffers) and the storage for controls (e.g. return addresses): an overflow in the data part can affect the control flow of the program, because an overflow can change the return address. This lab builds off of concepts introduced in the overrun lab. While the overrun lab is not a prerequisite to performing this lab, it may help students are are new to low level references to data structures. In this lab, students will be given a program with a buffer-overflow vulnerability; their task is to develop a scheme to exploit the vulnerability and finally gain the root privilege. In addition to the attacks, students will be guided to walk through several protection schemes that have been implemented in the operating system to counter against the buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.

Task 1: Initial setup Task 2: Shellcode Task 3: The Vulnerable Program Task 4: Exploiting the Vulnerability Task 5: Address Randomization Task 6: Stack Guard Task 7: Non-executable Stack Task 8: Submission

Tags: LABTAINER BUFFER OVERFLOW

K0402 Knowledge of criticality and vulnerability factors (e.g., value, recuperation, cushion, countermeasures) for target selection and applicability to the cyber domain.

K0079 Knowledge of software debugging principles.

K0186 Knowledge of debugging procedures and tools.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

Linux Capability Exploration Lab

The learning objective of this lab is for students to gain first-hand experiences on the use of capabilities to achieve the principle of least privilege.

The learning objective of this lab is for students to gain first-hand experiences on the use of capabilities to achieve the principle of least privilege. This lab is based on POSIX 1.e capabilities, which is implemented in recent versions of Linux kernel. Capability based systems are sometimes promoted as an access control strategy in contrast to the use of Access Control Lists (ACLs) or Unix file permissions. In practice, Linux systems typically use capabilities to limit program privilege rather than to control access to named objects. This lab focuses on the use of capabilities to limit privilege.

Task 1: Experiencing Capabilities Task 2: Adjusting Privileges Task 3: Submission

Tags: LABTAINER LINUX CAPABILITIES

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0397 Knowledge of security concepts in operating systems (e.g., Linux, Unix.)

S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

Exploring Unix Logs on CentOS

The objective of this exercise is to give the student some hands-on experience with syslog configuration and testing.

Task 1: Explore Task 2: Reconfigure rsyslog for MARK Task 3: Reconfigure and Test rsyslog Task 4: Centralized Logging Task 5: Answer Questions Task 6: Submission

Tags: LABTAINER LINUX LOGS

Knowledge of security concepts in operating systems (e.g., Linux, Unix.)

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0452 Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.

Cyber Grand Challenge Services

selection of over two hundred vulnerable network services created by DARPA for their Cyber Grand Challenge (CGC)1, are available for your exploration and experimentation. Each of these services include one or more deliberately planted vulnerabilities.

A selection of over two hundred vulnerable network services created by DARPA for their Cyber Grand Challenge (CGC)1, are available for your exploration and experimentation. Each of these services include one or more deliberately planted vulnerabilities. The vulnerable services were adapted from the CGC corpus to run within Linux by Trail of Bits2. While these services were created by DARPA for an automated capture-the-flag competition, they rep- resent a good collection of memory corruption vulnerabilities that students may explore to better understand the properties and mechanics of different types of software flaws. This lab runs the services in a typical client-server environment over a network as inetd services. This collection of services is intended to provide you with examples to explore using static program analysis tools as well as debuggers and observation of network traffic.

The student is expected to have an understanding of the Linux command line, and some amount of low level programming. It is expected that the student will have some experience with debuggers and decompilers.

Task 1: Review services Task 2: Disassemble using Ghidra Task 3: Disassemble using IDA Free Task 4: Observe network traffic Task 5: Review PoVs Task 6: Debug service during exploit Task 7: Reverse a patch Task 8: Limitations and notes

Tags: LABTAINER DARPA

S0269 Skill in researching vulnerabilities and exploits utilized in traffic.

S0293 Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target. S0334 Skill to identify and apply tasking, collection, processing, exploitation and dissemination to associated collection disciplines.

A0093 Ability to identify/describe techniques/methods for conducting technical exploitation of the target. K0115 Knowledge that technology that can be exploited.

Controlled sharing of information in a database

This lab introduces methods of using access control mechanisms to limit the sharing of information within a database.

This lab introduces methods of using access control mechanisms to limit the sharing of information within a database. In this lab, you will perform the duties of a database administrator (DBA) working for a company that is implementing an online database to manage information about the company and its employees.

The company has an information security policy that you, as the DBA, must ensure is not violated by employees accessing the online database. This security policy is defined below, as are other management directives that prescribe access you are to provide to users of the database.

Task 1: Prelab quiz Task 2: Explore Task 3: Control access to the database Task 4: Check your work Task 5: Submission

Tags: LABTAINER DATABASES

K0278 Knowledge of current and emerging data remediation security features in databases.

K0277 Knowledge of current and emerging data encryption (e.g., Column and Tablespace Encryption, file and disk encryption) security features in databases (e.g. built-in cryptographic key management features).

K0364 Knowledge of available databases and tools necessary to assess appropriate collection tasking.

K0394 Knowledge of common reporting databases and tools. K0419 Knowledge of database administration and maintenance.

Deny Host Lab

The lab is started from the labtainer working directory on your linux host, e.g., a Linux VM.

Brute force attacks on SSH servers may attempt thousands of different user IDs and passwords, often using automated tools, or “bots”. The denyhosts utility allows an administrator to deny access from IP addresses that are the source of multiple failed login attempts.

Task 1: Explore Task 2: Brute force attacks on SSH servers Task 3: Submission

Tags: LABTAINER SSH ATTACK BRUTE FORCE

K0160 Knowledge of the common attack vectors on the network layer.

K0106 Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities.

DMZ Example Lab

This lab illustrates a simple DMZ. It is intended as an example network topology definition for Labtainer exercises.

Task 1: Explore Task 2: NMAP scan the network Task 3: Review IP tables Task 4: Submission

Tags: LABTAINER DMZ ZONES

K0395 Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

K0471 Knowledge of Internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

DMZ Lab

This lab illustrates a simple DMZ. It is intended as an example network topology definition for Labtainer exercises.

Task 1: Remote users can only access the web server using HTTP, HTTPS and SSH. Task 2: Local users can reach the internet via the ISP, e.g., wget www.google.com Task 3: Local users can reach the local web server via HTTP, HTTPS, SSH and MYSQL Task 4: Submission

Tags: LABTAINER DMZ ZONES

K0485 Knowledge of network administration.

K0486 Knowledge of network construction and topology.

K0395 Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

DNS Basics

This exercise introduces some basic functions and protocol elements of the Internet’s Domain Name Ser- vice (DNS).

This exercise introduces some basic functions and protocol elements of the Internet’s Domain Name Ser- vice (DNS). The student will interact with an example enterprise having a local DNS server and several computers.

This exercise, (and manual), is not intended to replace instruction or independent reading on DNS. Broadly, a DNS provides a mapping between IP addresses and computer names. DNS allows us to use names such as “google.com” instead of remembering the IP address for google. Computers generate queries such as “What is the IP address for google.com?” and send them to the DNS. The DNS generates a response to the query, providing the requested information. If the DNS does not itself manage the requested information, the DNS forwards the query to another DNS for resolution.

Task 1: Explore Task 2: View DNS traffic Task 3: Missing names Task 4: Missing DNS Task 5: Add missing name Task 6: Apply and test DNS changes Task 7: Quiz Task 8: Submission

Tags: LABTAINER DNS

K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

S0264 Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).

File Deletion Exercise

The goal of this lab is to familiarize students with some issues related to file deletion.

As an introduction to this lab, you need to understand that there are different designs for how data and metadata could be organized and managed on a disk to create a file system. Linux has been using what is called the extended file system (ext) for many years. This design has undergone some changes that have been called ext2, ext3, and now ext4. In DOS, Microsoft started out with what is called the file allocation table (FAT), which continued on with its early Windows products (i.e., Windows version 1, 2, 3, 95, 98 and ME). When Microsoft designed Windows NT1 they did a total redesign of the file system and called it the NT File System (NTFS), which has also undergone a few redesigns since it was first introduced around 1995.

Task 1: EXT2 Virtual Disk Mounting Task 2: Deleting a File on Unix Task 3: Undeleting a File on Unix Task 4: Securely Deleting a File on Unix Task 5: NTFS Virtual Disk Task 6: Submission

Tags: LABTAINER DATALOSS

K0117 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).

S0202 Skill in data mining techniques (e.g., searching file systems) and analysis.

File Integrity Check Lab

The objective of this exercise is to provide the student with a hands-on way to appreciate the concept of system integrity.

One difficult question facing system administrators is this: how can I tell if my system has been hacked? Yet another difficult question is: in the event that an attack is identified, how can I tell which files were modified, or deleted, or added? With some advance planning, these questions can be answered with confidence. Having logging enabled and architected is one step in that direction. This lab exposes the student to some additional tools that can help.

Task 1: Getting Started Task 2: Poor Mans’ Integrity Task 3: AIDE Task 4: Submission

Tags: LABTAINER DATA INTEGRITY

K0117 Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).

S0298 Skill in verifying the integrity of all files. (e.g., checksums, Exclusive OR, secure hashes, check constraints, etc.).

Format String: 64 Bit Application

The formatstring lab introduced you to printf vulnerabilities and potential exploits of those vulner- abilities. That lab included a vulnerable program that ran as a 32-bit x86 application.

The formatstring lab introduced you to printf vulnerabilities and potential exploits of those vulner- abilities. That lab included a vulnerable program that ran as a 32-bit x86 application. This lab includes that same source code with one change, however it compiles and runs as a 64-bit application.

The student is expected to have an understanding of the Linux command line, and some amount of low level programming. It is expected that the student will have completed the formatstring lab.

Task 1: Explore Task 2: Exploit the vulnerability Task 3: Memory randomization Task 4: Submission

Tags: LABTAINER STRING FORMATING

S0062 Skill in analyzing memory dumps to extract information.

Format String Vulnerability Lab

The learning objective of this lab is for students to gain the first-hand experience on format-string vulnerabil- ity by putting what they have learned about the vulnerability from class into actions. The format-string vul- nerability is caused by code like printf(user input), where the contents of variable of user input is provided by users. This printf statement can become dangerous, because it can lead to one of the following consequences: (1) crash the program, (2) read from an arbitrary memory place, and (3) modify the values of an arbitrary memory location. The last consequence is very dangerous because it can allow users to modify internal variables of the program, and thus change the behavior of the program. This lab builds off of concepts explored in the printf lab. While the printf lab is not a necessary prereq- uisite, it may help students who don’t have experience with printf memory references. In this lab, students will be given a program with a format-string vulnerability; their task is to develop a scheme to exploit the vulnerability. In addition to the attacks, students will be guided to walk through a protection scheme that can be used to defeat this type of attack. Students need to evaluate whether the scheme will work or not and explain why.

Task 1: Exploit the vulnerability Task 2: Memory randomization Task 3: The Stack and Format Strings Task 4: What if there is a miss-match Task 5: Viewing Memory at Any Location Task 6: Writing an Integer to Memory Task 7: Submission

Tags: LABTAINER FORMATING VULNERABILITY

S0062 Skill in analyzing memory dumps to extract information.

Debugging a C++ program under Unix: gdb Tutorial

This tutorial is intended to help a programmer who is new to the Unix/Linux environment to get started with using the gdb debugger.

This tutorial was originally written for CS 342 at Washington University by Andrew Gilpin. This tutorial is intended to help a programmer who is new to the Unix/Linux environment to get started with using the gdb debugger. This tutorial assumes you already know how to program in C++ and you can compile and execute programs. It also assumes that you basically know what a debugger is and are motivated to use one.

Task 1: Build and run Task 2: Loading a program in gdb Task 3: Conditional breakpoints Task 4: Stepping Task 5: Submission

Tags: LABTAINER C++ GDB

K0186 Knowledge of debugging procedures and tools.

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

S0257 Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS, C++) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

K0079 Knowledge of software debugging principles.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

GDB Lesson Lab

This lab aims to teach you the fundenatals of GDB. The lab is started from the labtainer working directory on your Linux host (e.g., VM).

This lab aims to teach you the fundenatals of GDB. The lab is started from the labtainer working directory on your Linux host (e.g., VM). From there, issue the command: labtainer gdblesson. The resulting virtual terminal will include a bash shell.

Task 1: List all the files in the directory. Task 2: Run the program Task 3: Print strings Task 4: Compile your program

Tags: LABTAINER C++/GDB

K0186 Knowledge of debugging procedures and tools.

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0079 Knowledge of software debugging principles.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

Ghidra Introduction

This lab introduces the Ghidra software reverse engineering suite ghidra-sre.org. You will use Ghidra to analyze a binary executable to determine some of its properties.

This lab introduces the Ghidra software reverse engineering suite ghidra-sre.org. You will use Ghidra to analyze a binary executable to determine some of its properties.The student is expect to have some background in low level programming and basic networking.

Task 1: Context Task 2: Start Ghidra Task 3: Create a project and import cadet01 Task 4: Find the service’s network port Task 5: Find the Easter egg Task 6: Crash the service Task 7: Submission

Tags: LABTAINER GHIDRA

K0001 Knowledge of computer networking concepts and protocols, and network security methodologies.

A0043 Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.

A0058 Ability to execute OS command line (e.g., ipconfig, netstat, dir, nbtstat).

K0186 Knowledge of debugging procedures and tools.

K0079 Knowledge of software debugging principles.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

GrassMarlin Introduction

This lab provides an introduction to GrassMarlin, a software tool that provides a method for discovering and cataloging Supervisory Control & Data Acquisition (SCADA).

This lab provides an introduction to GrassMarlin, a software tool that provides a method for discovering and cataloging Supervisory Control & Data Acquisition (SCADA) and Industrial Control System (ICS) hosts on IP-based networks. The student is expected to have some familiarity with the Linux command line. And some experience with the Wireshark tool is expected (e.g., the wireshark-intro lab).

Task 1: Start the GrassMarlin application Task 2: Import PCAP Files Task 3: Logical Graphs Task 4: Explore and View Frames Task 5: Submission

Tags: LABTAINER GRASSMARLIN

K0061 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0221 Skill in extracting information from packet captures.

S0199 Skill in creating and extracting important information from packet captures.

IP Tables for Industrial Control Systems

This Labtainer exercise illustrates the use of iptables to limit network access to a PLC component in an operational technology (OT) environment.

This Labtainer exercise illustrates the use of iptables to limit network access to a PLC component in an operational technology (OT) environment. This control is provided by a component serving as a firewall, as illustrated in Figure 1. When properly configured, the firewall will only allow the following traffic between the clients and the PLC: • Client 1 can only access the PLC via SSH and HTTP (port 8080). • Client 2 can only access the PLC via MODBUS TCP and HTTP (ports 80 and 8080).

Task 1: Explore Task 2: Use iptables to limit traffic Task 3: Submission

Tags: LABTAINER PLC

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0031 Skill in developing and applying security system access controls.

Introduction to IPTABLES

This Labtainer exercise illustrates the use of iptables on a firewall to limit network access to a server from a client.

Limiting the types of network traffic sent to a server can help to protect the server from unauthorized access. For example, if the server contains an unsecured service available through its network interface, exploitation of that service is more difficult if something blocks traffic destined for that service. A variety of different techniques and products exist for the purpose of limiting IP network traffic between computers. In this lab, you will limit IP traffic through use of Linux iptables. The student is expected to have separately learned about the use of iptables to selectively block network traffic. The firewall component includes an example firewall setting script that you can reference. The manpage for iptables can be viewed on the firewall component using:

man iptables
man iptables-extensions

Task 1: Explore Task 2: Use iptables to limit traffic Task 3: Open new service port Task 4: Submission

Tags: LABTAINER IPTABLES

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0031 Skill in developing and applying security system access controls.

Introduction to LDAP

This lab illustrates the use of LDAP to authenticate users of Linux systems, such that multiple computers share a single repository of user and group information.

This lab illustrates the use of LDAP to authenticate users of Linux systems, such that multiple computers share a single repository of user and group information, including the passwords that authenticate users. This strategy allows users and administrators to manage a single set of credentials that can then be used to access multiple computers.

The student is expect to have separately learned about the basic elements of Linux users, groups and authen- tication, e.g., the /etc/passwd and /etc/shadow files. For example, see the users lab. The student is also expected to have a basic knowledge of the use of Lightweight Directory Access Protocol (LDAP). The student is expected to have some familiarity with the Linux command line, the basics of the file system, and the ability to locate and edit a file. And some experience with the Wireshark tool is expected (e.g., the wireshark-intro lab).

Task 1: Network configuration Task 2: Explore Task 3: View protocol traffic Task 4: Use the mike credentials to access another server Task 5: Add an LDAP user Task 6: Encrypt LDAP traffic Task 7: Submission

Tags: LABTAINER LDAP

K0336 Knowledge of access authentication methods.

K0007 Knowledge of authentication, authorization, and access control methods.

K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

S0043 Skill in maintaining directory services. (e.g., Microsoft Active Directory, LDAP, etc.).

Local DNS Attack Lab

In this lab students will learn about -DNS. DNS [1] (Domain Name System) is the Internet’s phone book; it translates hostnames to IP addresses (or IP addresses to hostnames).

DNS [1] (Domain Name System) is the Internet’s phone book; it translates hostnames to IP addresses (or IP addresses to hostnames). This translation is through DNS resolution, which happens behind the scene. DNS Pharming [4] attacks manipulate this resolution process in various ways, with an intent to misdirect users to alternative destinations, which are often malicious. The objective of this lab is to understand how such attacks work. Students will first set up and configure a DNS server [2], and then they will try various DNS Pharming attacks on the target that is also within the lab environment.

The difficulties of attacking local victims versus remote DNS servers are quite different. Therefore, we have developed two labs, one focusing on local DNS attacks, and the other on remote DNS attack. This lab focuses on local attacks.

Task 1: Network Configuration Task 2: Review the DNS server Configuration Task 3: Attackers have already compromised the victim’s machine Task 4: DNS Server Cache Poisoning Task 5: Submission

Tags: LABTAINER DNS

K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

K0398 Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).

K0452 Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.

K0565 Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

S0295 Skill in using various open source data collection tools (online trade, DNS, mail, etc.).

Exploring MACs and Hash Functions

This lab explores MACs and Hash Functions using a linux virtual machine running labtainer image.

Boot your Linux system or VM. If necessary, log in and then open a terminal window and cd to the labtainer/labtainer-student directory. The pre-packaged Labtainer VM will start with such a terminalopenforyou. Thenstartthelab:

Task 1: Practice Generating Digests Task 2: Checking Software Digests Task 3: Exploring the “Avalanche Effect” Task 4: Exploring Second Pre-Image Resistance Task 5: Exploring Collision Resistance Task 6: Exploring Message Authentication Codes Task 7: Submission

Tags: LABTAINER MAC HASHING

K0196 Knowledge of Import/Export Regulations related to cryptography and other security technologies.

S0298 Skill in verifying the integrity of all files. (e.g., checksums, Exclusive OR, secure hashes, check constraints, etc.).

S0089 Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

Metasploit Lab Exercise

This Labtainer exercise explores the use of the metasploit tool which is installed on a Kali Linux system (attacker) and is meant to learn simple penetration skills on a purposely vulnerable metasploitable host (victim).

Note: the attacker computer is configured to have IP address 192.168.1.3 while the victim computer is 192.168.1.2

Task 1: Verify connectivity between attacker and victim Task 2: Get a list of vulnerable services on the victim Task 3: Vulnerably configured rlogin service (port 513) Task 4: Vulnerable ingreslock service (port 1524) Task 5: Vulnerable distccd service (port 3632) Task 6: Vulnerable IRC daemon (port 6667) Task 7: Vulnerable VSFtpd service (port 21) Task 8: Vulnerable Samba service (port 139) Task 9: Vulnerable HTTP (php) service (port 80) Task 10: Vulnerable Postgres service (port 5432)

Tags: LABTAINER METAEXPLOIT

K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

K0440 Knowledge of host-based security products and how those products affect exploitation and reduce vulnerability.

K0481 Knowledge of methods and techniques used to detect various exploitation activities.

K0536 Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).

S0269 Skill in researching vulnerabilities and exploits utilized in traffic.

S0293 Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target.

A0093 Ability to identify/describe techniques/methods for conducting technical exploitation of the target.

NetFlow Record Analysis

This lab focussed on analysing netflow records using pcap-lib. A 2GB trace file is included with this lab to work on.

As you learned in the pcap-lib lab, packet traces can be large. The 2 GB trace file from that lab was actually quite small. Consider capturing all of the packets on a high-speed Internet backbone link, or at an enterprise border router (the ingress/egress point for campus traffic) for any extended period of time! However, some traffic analysis tasks do not require the fine granularity of pcap, i.e. do not need details such as individual packet timing, payload contents, etc. Instead, flow records capture many relevant properties of traffic while using less storage capacity, impose different capture processing requirements, etc. By flow we are referring to the aggregate of all packets belonging to a connection. A flow is defined as all packets with a common 5-tuple: ¡IP Src, IP Dst, Protocol, Src Port, Dst Port¿ This lab explores NetFlow. NetFlow is a protocol and data record type1 , first developed by Cisco. NetFlow has matured and evolved into the IP Flow Information Export (IPFIX) standard as specified in http://tools.ietf.org/html/rfc7011. All commercial routers (and even dd-wrt, openwrt, etc.) support some version of IPFIX collection and export 2. Future labs build on the concepts here it is imperative that you understand these basics in order to be successful with subsequent lab work. There are 23 questions in the lab.

Task 1: Understanding IPFIX (25 pts) Task 2: Answer the Questionaire in the lab manual

Tags: LABTAINER NETFLOW

K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

S0178 Skill in analyzing essential network data (e.g., router configuration files, routing protocols).

S0199 Skill in creating and extracting important information from packet captures.

Network Basics

This exercise explores basic network concepts in a Linux environment. These include the ARP protocol, the use of ping and a brief introduction to TCP/IP.

This exercise explores basic network concepts in a Linux environment. These include the ARP protocol, the use of ping and a brief introduction to TCP/IP. The tcpdump utility is used to view network traffic.

This exercise, (and manual), is not intended to replace instruction or independent reading on networking protocols. The exercise is intended to provide students with an environment with which they can observe traffic generated by basic network operations.

This lab and its prerequisite knowlege provide background for other Labtainer networking exercises including a lab on ARP spoofing.

Task 1: Explore Task 2: ARP Task 3: Trusting ARP responses Task 4: Communicating beyond the subnet Task 5: TCP/IP

Tags: LABTAINER NETWORKING

K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

S0178 Skill in analyzing essential network data (e.g., router configuration files, routing protocols).

S0199 Skill in creating and extracting important information from packet captures.

Introduction to Unix Command-Line

This tutorial is meant to help the novice Unix user become more familiar with some of the commonly used commands.

This tutorial is meant to help the novice Unix user become more familiar with some of the commonly used commands. Unix is still (and maybe always will be) a very strong command-line environment, although Apple has successfully hidden Unix underneath the Mac OS X graphical user interface (GUI). However, this tutorial will emphasize the command-line, even though many things can be done via some window. The windowing environment can be so different from one “flavor” of Unix to another (and sometimes within the same flavor of Unix) that it is best to stick with those commands that will probably work on all flavors.

Task 1: Historical Background Task 2: Getting Started Task 3: Basic Commands Task 4: Pipes and Redirection Task 5: Help Task 6: Searching Task 7: Access Control Task 8: Process Management Task 9: Editors Task 10: History Task 11: Shell Scripts Task 12: Executing programs

Tags: LABTAINER UNIX CLI

K0192 Knowledge of Windows/Unix ports and services.

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0397 Knowledge of security concepts in operating systems (e.g., Linux, Unix.)

S0019 Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.

S0257 Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).

Using nmap for network discovery

This Labtainer exercise explores the use of the nmap utility to discover computers and services on networks.

Your boss Randall wants you to prepare for a meeting on a project you have not worked on in months. You have a summary file on the “friedshrimp” server that you previously accessed via ssh; however, you cannot remember the IP address of “friedshrimp”, and you also forgot which port the pesky IT staff assigned for ssh on that server. You know it’s somewhere in between 2000 and 3000. The one thing you most certainly know is that your username and password are both “ubuntu”. You are left with only one option: use the nmap command to find the IP address and and port number used by the ssh service. After finding that information review the contents of the “friedshrimp.txt” file from an ssh session.

Task 1: Explore Task 2: Network data analysis Task 3: Find target Task 4: SSH into Target

Tags: LABTAINER NMAP

K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.

S0001 Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.

The NMAP SSH Lab

This labtainer exercise uses nmap and skills exercised in previous labtainer labs to identify and exploit a weakness in a system.

You are performing ad-hoc security testing for a client who believes their internal SSH server is relatively secure, but you would like to confirm the validity of this. Your goal is to attempt to remotely access that SSH server and disclose the content of a selected file.

Task 1: Explore Task 2: Wireshark and Tcpdump Task 3: Find the target

Tags: LABTAINER NMAP SSH

K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.

S0001 Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.

Crypto Lab – One-Way Hash Function and MAC

The learning objective of this lab is for students to get familiar with one-way hash functions and Message Authentication Code (MAC).

The learning objective of this lab is for students to get familiar with one-way hash functions and Message Authentication Code (MAC). After finishing the lab, in addition to gaining a deeper undertanding of the concepts, students should be able to use tools and write programs to generate one-way hash value and MAC for a given message.

Task 1: Generating Message Digest and MAC Task 2: Keyed Hash and HMAC Task 3: The Randomness of One-way Hash Task 4: One-Way Property versus Collision-Free Property

Tags: LABTAINER MAC

K0196 Knowledge of Import/Export Regulations related to cryptography and other security technologies.

S0298 Skill in verifying the integrity of all files. (e.g., checksums, Exclusive OR, secure hashes, check constraints, etc.).

S0089 Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

The OSSEC Host Intrusion Detection System

This exercise provides hands-on experience with the OSSEC host-based intrusion detection system (IDS). This IDS is commonly used and serves as the core of commercial IDS products

This exercise provides hands-on experience with the OSSEC host-based intrusion detection system (IDS). This IDS is commonly used and serves as the core of commercial IDS products 1. Like most IDS products, it applies a set of rules to identify attacks on computers. And as with many host-based IDS systems, OSSEC relies to a large extent on logs messages captured by the underlying operating system.

Task 1: Configure OSSEC to monitor the client1 workstation Task 2: Cause and observe alerts Task 3: Add the Web server and test log monitoring Task 4: Active responses Task 5: Monitor chages to command output Task 6: Monitor web resource access Task 7: Log locations Task 8: Rules testing Task 9: Event coverage Task 10: Failed attempts Task 11: Completeness (i.e., rat holes) Task 12: Effects on system security Task 13: Abuse of active responses

Tags: LABTAINER OSSEC HIDS

K0472 Knowledge of intrusion detection systems and signature development.

K0046 Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions.

K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

K0630 Knowledge of the latest intrusion techniques, methods and documented intrusions external to the organization.

S0120 Skill in reviewing logs to identify evidence of past intrusions.

S0192 Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.

S0025 Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).

S0084 Skill in configuring and utilizing network protection components (e.g., Firewalls, VPNs, network intrusion detection systems).

S0280 Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).

A0128 Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.

Overrun of intended bounds in a C program

This exercise illustrates overrunning the intended bounds of data structures in a C program.

This exercise assumes the student has some basic C language programming experience and is familiar with simple data structures. No coding is required in this lab, but it will help if the student can understand a simple C program.

The GDB program is used to explore the executing program, including viewing a bit of its disassembly. However no assembly language background is necessary to perform the lab.

Task 1: Review the mystuff.c program Task 2: Compile and run the program Task 3: Explore with gdb

Tags: LABTAINER C-PROGRAM

K0372 Knowledge of programming concepts (e.g., levels, structures, compiled vs. interpreted languages).

S0239 Skill in interpreting compiled and interpretive programming languages.

S0060 Skill in writing code in a currently supported programming language (e.g., Java, C++).

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

Review of Packet Capture Introspection

This lab looks at PCAP. The pcap (packet capture) format is a standard and portable representation of packet-level network traffic.

The pcap (packet capture) format is a standard and portable representation of packet-level network traffic. You are likely already familiar with pcap both Wireshark and tcpdump store and read data in pcap format. This introductory lab is designed to familiarize students with pcaps and traffic analysis using Wireshark. Wireshark includes many powerful tools and is best suited to performing highly targeted analysis on small packet captures. This lab is adapted from [1], which is a helpful resource for improving your familiarity with the Wireshark toolset.

Task 1: Find Most Active TCP Flow (15 pts) Task 2: Geolocating IP Addresses (15 pts) Task 3: Reassemble text from TCP stream (15 pts) Task 4: Extract binary file from FTP session (15 pts)

Tags: LABTAINER PCAP WIRESHARK TCPDUMP

K0062 Knowledge of packet-level analysis.

K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

S0199 Skill in creating and extracting important information from packet captures.

S0156 Skill in performing packet-level analysis.

S0046 Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

Introduction to Parallel Computing

This lab explores the Message Passing Interface (MPI) standard, used widely in High-Performance Computing (HPC).

Disclaimer: This software is provided as is. Use at your own risk. The views expressed herein do not necessarily reflect those of the DoD.

Description: This lab explores the Message Passing Interface (MPI) standard, used widely in High-Performance Computing (HPC) [5]. This lab will use the MPICH implementation of MPI to run a variety of parallel programs on a single machine [1].

Motivation: Since the performance of sequential processors has plateaued, computer scientists must leverage parallelism to accelerate their applications [2, 3, 4]. MPI allows software to achieve high throughput on chip multiprocessors (i.e., multi-core CPUs) and HPC clusters.

Note: Due to the simple nature of these introductory MPI programs, you might not achieve significant speedup due to the high communication cost relative to the low computation cost. That being said, make sure that your VM has been allocated at least 2 processors.

Task 1: Hello World (hello.c) Task 2: Hello World with Process ID (procid.c) Task 3: Array Summation (arraysum.c) Task 4: Array Search (search.c) Task 5: Image Processing (image.c)

Tags: LABTAINER PARALLEL PROCESSING C-PROGRAM

K0063 Knowledge of parallel and distributed computing concepts.

K0372 Knowledge of programming concepts (e.g., levels, structures, compiled vs. interpreted languages).

S0060 Skill in writing code in a currently supported programming language (e.g., Java, C++).

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

Password Cracking

The goal of this lab is to familiarize students with password files and some elementary password cracking schemes.

The goal of this lab is to familiarize students with password files and some elementary password cracking schemes. Launch the labtainer virtual machine and follow the student guide.

Task 1: Password Files Task 2: Dictionary Attacks Task 3: Considering Execution Time Task 4: Personal Experimentation

Tags: LABTAINER PASSWORD-CRACKING

K0408 Knowledge of cyber actions (i.e. cyber defense, information gathering, environment preparation, cyber-attack) principles, capabilities, limitations, and effects.

K0177 Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

K0144 Knowledge of social dynamics of computer attackers in a global context.

S0067 Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

PCAP Library Programming

The pcap (packet capture) format is a standard and portable representation of packet-level network traffic. The pcap library (http://www.tcpdump.org/) provides many routines1 to interface with both live (off the network card) and stored (previously captured) network traffic. You are already familiar with pcap from packet introspection lab both Wireshark and tcpdump store and read data in pcap format. This lab is designed to familiarize students with the pcap format and library as the basis for performing arbitrarily complex network traffic analysis tasks, especially across large data sets. For example, one might: • Compute the fraction of web traffic on a link • Measure the rate of traffic to a particular destination • Discover anomalous packets • Find scanning worm traffic • Etc, etc.

Task 1: Explore Task 2: Unknown trace Task 2: Basic traffic stats

Tags: LABTAINER PCAP

K0062 Knowledge of packet-level analysis.

K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

S0199 Skill in creating and extracting important information from packet captures.

S0156 Skill in performing packet-level analysis.

S0046 Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

PCAP Lab Analysis

This lab introduces the analysis of PCAP files using the Tshark tool. You will analyze an existing PCAP file, looking for a specific invalid login attempt.

This lab introduces the analysis of PCAP files using the Tshark tool. You will analyze an existing PCAP file, looking for a specific invalid login attempt. PCAP stands for “packet capture”, and is a standard file format for storing traffic recorded from a network.

Task 1: Run tshark to perform PCAP Analysis Task 2: Display the single packet containing invalid “admin” password

Tags: LABTAINER PCAP

K0062 Knowledge of packet-level analysis.

K0301 Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

S0199 Skill in creating and extracting important information from packet captures.

S0156 Skill in performing packet-level analysis.

S0046 Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

Industrial Control Systems Lab

This lab explores a few security issues related to the use of Programmable Logic Controllers (PLCs) in the management of Industrial Control Systems (ICS), or similar forms of infrastructure.

This PLC lab simulates the system illustrated in Figure 1. A PLC manages the water level of a creek-fed catfish pond, ensuring the water level does not exceed minimum and maximum limits. You will interact with the sys_management system to load a program and configuration data into the PLC. You will also use the sys_management system to check the status of the PLC and to query which program and configuration data the PLC is running. You will not have direct access to the PLC subsystem, though you can interact with it via the sys_management computer.

A "Security Proxy" sits between the sys_management computer and the PLC. The vendor promised that this will prevent attacks on the PLC. You can draw your own conclusions about that claim You will interact with the Security Proxy in an attempt to make it useful. But first, start the lab as noted below (if you have not already done so).

Task 1: Explore the PLC lab setup Task 2: Interact with System Management utility Task 3: Check PLC status Task 4: Query PLC programs

Tags: LABTAINER ICS PLC

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0031 Skill in developing and applying security system access controls.

PLC Application Firewall and Software Whitelists Lab

This lab explores security issues related to the use of Programmable Logic Controllers (PLCs) in the man- agement of Industrial Control Systems (ICS), or similar forms of infrastructure.

PLCs typically receive commands from networks containing multiple computers. Not all of these networked computers are necessarily authorized to issue all commands to the PLC. For example, some computers may be authorized to issue commands that monitor the PLC without affecting its behavior, while other computers are designated as being able to reset or reconfigure the PLC. One way to enforce this type of application policy is to use a firewall that serves as a proxy between the network computers and the PLC. These firewalls are designed to decode the commands destined for the PLC, and only permit those that meet the policy for which computer can issue which commands.

Limiting the computers that can alter a PLC’s configuration does not ensure that the PLC will be loaded with a valid configuration. Malicious software on an authorized computer could load the PLC with pro- grams or data intended to damage the infrastructure. One way to limit the ability of malicious software (or individuals) to reconfigure the PLC is to enumerate a set of validated program and configuration files. A ”whitelist” of cryptographic checksums (or digests) for each valid file can then be loaded into a proxy that sits between the computers and the PLC. The proxy, (or firewall), would then only permit those files having validated digests, i.e., those whose digests appear in the whitelist.

Task 1: Explore the lab setup Task 2: Load the PLC for the rainy season Task 3: Constrain PLC commands based on IP address Task 4: Configure the PLC for the dry season Task 5: Living with malware

Tags: LABTAINER PLC ICS

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0031 Skill in developing and applying security system access controls.

Industrial Control System Forensics 1

Analysis of packet captures from a network monitor in an industrial control system (ICS) is an important step towards understanding what has transpired on the control network.

Analysis of packet captures from a network monitor in an industrial control system (ICS) is an important step towards understanding what has transpired on the control network. Captured network data between a supervisory computer (e.g., a Human-Machine Interface (HMI) system or a Historian system) and a field device such as a programmable logic controller (PLC) can provide a record of commands to field devices, malware payloads, and exfiltration of field data during a breach. In addition to Ethernet-based industrial protocols such as Common Industrial Protocol (CIP) [1] and Ethernet/Industrial Protocol (EtherNet/IP) [2], most PLCs support common TCP/IP application protocols such as HTTP, FTP, SNMP, etc. for system configuration and management purposes. These protocols can be exploited by a rogue machine on the network.

The learning objective of this lab is to introduce students to common vulnerabilities in an industrial network and a commercial EtherNet/IP implementation, and to demonstrate the importance of industrial network data analysis in forensics investigations.

Task 1: Explore the lab Task 2: Analyse http traffic data Task 3: Analyse tcp traffic data Task 4: Learn ICS Fundementals Task 5: Answer the Questionaire

Tags: LABTAINER ICS PLC PCAP

K0433 Knowledge of forensic implications of operating system structure and operations.

K0573 Knowledge of the fundamentals of digital forensics to extract actionable intelligence.

S0065 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).

S0071 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).

S0075 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).

Industrial Control System Forensics 2

Analysis of packet captures from a network monitor in an industrial control system (ICS) is an important step towards understanding what has transpired on the control network.

Task 1: Explore the lab Task 2: Analyse http traffic data Task 3: Analyse tcp traffic data Task 4: Learn ICS Fundementals Task 5: Answer the Questionaire

Tags: LABTAINER ICS PLC PCAP

K0433 Knowledge of forensic implications of operating system structure and operations.

K0573 Knowledge of the fundamentals of digital forensics to extract actionable intelligence.

S0065 Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).

S0071 Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).

S0075 Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).

Industrial Control Systems Network Traffic

This exercise uses the GrassMarlin network traffic tool to observe network activity that you generate while working with a simple PLC device.

This exercise uses the GrassMarlin network traffic tool to observe network activity that you generate while working with a simple PLC device. GrassMarlin is a software tool released by the NSA that provides a method for discovering and cataloging Supervisory Control & Data Acquisition (SCADA) and Industrial Control System (ICS) hosts on IP-based networks.

This exercise assumes that student has performed the softplc2 lab. Preliminary steps taken by the student are similar to those from that lab.

Task 1: Explore Task 2: Upload and run PLC program Task 3: Start the PLC user interface & Explore Task 4: Upload the ST program to the PLC Task 5: Test the PLC program Task 6: View traffic Task 7: Remove poor fingerprint Task 8: Connect to internet

Tags: LABTAINER PLC SCADA ICS GRASSMARTIN

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0031 Skill in developing and applying security system access controls.

Introduction to printf memory refererences

This exercise introduces the printf function and encourages the student to explore the manner in which the function references memory addresses in response to its given format specification.

This exercise introduces the printf function and encourages the student to explore the manner in which the function references memory addresses in response to its given format specification. This lab provides an introduction to techniques that are used in the more advanced printf labs (formatstring and format64).

This exercise assumes the student has some basic C language programming experience and is somewhat familiar with the use of gdb1 No coding is required in this lab, but it will help if the student can understand a simple C program. The gdb program is used to explore the executing program, including viewing a bit of its disassembly. Some assembly language background would be helpful in performing the lab, but is not necessary.

Task 1: Review the printTest.c program Task 2: Run printTest Task 3: x86 function calling conventions Task 4: Behavior of printf Task 5: Observe calling conventions with gdb Task 6: User input in format strings Task 7: More detail

Tags: LABTAINER PRINTF

K0079 Knowledge of software debugging principles.

K0186 Knowledge of debugging procedures and tools.

S0062 Skill in analyzing memory dumps to extract information.

S0060 Skill in writing code in a currently supported programming language (e.g., Java, C++).

Exploring Public Key Certificates

The goal of this lab is to familiarize the student with public key certificates and the use of SSL/TLS. Start the labtainer virtual machine and open terminal for this lab.

Task 1: Exploring Given Website Certificates Task 2: Exploring Other Website Certificates Task 3: Submission your work

Tags: LABTAINER SSL/TLS

K0019 Knowledge of cryptography and cryptographic key management concepts

K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).

K0190 Knowledge of encryption methodologies.

K0487 Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

S0164 Skill in assessing the application of cryptographic standards.

Quantum Computing Labtainer

This lab explores two fundamental quantum algorithms: (1) teleportation; and (2) Grover's algorithm.

This lab explores two fundamental quantum algorithms: (1) teleportation; and (2) Grover's algorithm. Teleportation uses entanglement to transport a quantum state from one location to another [1], reproducing it at the destination and destroying the original, in accordance with the no-cloning theorem. Grover's algorithm searches an unordered list quadratically faster than a classical computer [2].

Task 1: Explore Quantum Teleportation Task 2: Explore Grover's algorithm

Tags: LABTAINER QUANTUM COMPUTING

K0079 Knowledge of software debugging principles.

K0325 Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

S0060 Skill in writing code in a currently supported programming language (e.g., Java, C++)

S0270 Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to identify function and ownership of remote tools.

Radius Authentication Service

This lab requires that you configure a Radius server to handle authentication services for a network device that is already configured to use Radius-based authentication.

This lab requires that you configure a Radius server to handle authentication services for a network device that is already configured to use Radius-based authentication. The Radius server is pre-configured to support an existing network device. You are simply required to add the second device. You are encouraged to use Wireshark within the lab to observe the Radius protocol exchanges.

The student is expect to have separately learned about the basic elements of authentication and the Radius protocol. The student is expected to have at least a basic understanding of the Linux command line, the basics of the file system, and the ability to edit a file. The student should have knowledge of the use of Wireshark, e.g., see the “wireshark-intro” lab.

Task 1: Explore Task 2: Configure radius for controller2 Task 3: Change the cadmin password

Tags: LABTAINER RADIUS

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0452 Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.

S0158 Skill in operating system administration. (e.g., account maintenance, data backups, maintain system performance, install and configure new hardware/software).

Return-to-libc Attack Lab

The learning objective of this lab is for students to gain first-hand experience with a variant of the buffer- overflow attack; this attack can bypass a protection scheme currently implemented in major Linux operating systems. A common way to exploit a buffer-overflow vulnerability is to overflow the buffer with malicious shellcode, and then cause the vulnerable program to jump to the shellcode that is stored in the stack. To prevent these types of attacks, some operating systems provide an ability to make stacks non-executable; therefore, jumping to the shellcode will cause the program to fail.

Unfortunately, the above protection scheme is not fool-proof; there exists a variant of buffer-overflow attack called the return-to-libc attack, which does not need an executable stack; it does not even use shell code. Instead, it causes the vulnerable program to jump to some existing code, such as the system() function in the libc library, which is already loaded into the memory.

In this lab, students are given a program with a buffer-overflow vulnerability; their task is to develop a return-to-libc attack to exploit the vulnerability and finally to gain the root privilege. In addition to the attacks, students will be guided to walk through several protection schemes that have been implemented in Ubuntu to counter against the buffer-overflow attacks. Students need to evaluate whether the schemes work or not and explain why.

Task 1: Exploiting the Vulnerability Task 2: Address Randomization Task 3: Stack Guard Protection Task 4: Find out the addresses of libc functions Task 5: Putting the shell string in the memory Task 6: Understand the Stack Task 7: Calling and Entering foo()

Tags: LABTAINER LIBC

S0062 Skill in analyzing memory dumps to extract information.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).

Routing Basics

This exercise explores basic network routing concepts in a Linux environment. These include use of the route command to modify Linux routing tables, defining a DNS server in the /etc/resolv.conf file, and an example of using Linux iptables to implement Network Address Translation (NAT).

Strictly speaking, this lab explores packet forwarding, and not true network routing, which typically involves the use of routing tables that name other network routers. See the bird-bgp and bird-ospf labs for examples of network routing.

This exercise, (and manual), is not intended to replace instruction or independent reading on the topic of network packet forwarding and routing in Linux systems. The exercise is intended to provide students with an environment with which they can experiment with the mechanics of forwarding network traffic to different network interfaces based on Linux routing tables. The student is only required to view a simple example of using iptables for NAT in this lab. See the iptables2 and the dmz labs for a broader look at iptables.

Task 1: Explore Task 2: Internal Packet Forwarding Task 3: Routing to the Internet Task 4: Use of Network Address Translation (NAT) Task 5: Services behind NAT

Tags: LABTAINER ROUTING

K0470 Knowledge of Internet and routing protocols.

K0471 Knowledge of Internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

K0565 Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

S0035 Skill in establishing a routing schema.

S0146 Skill in creating policies that enable systems to meet performance objectives (e.g. traffic routing, SLA's, CPU specifications).

S0178 Skill in analyzing essential network data (e.g., router configuration files, routing protocols).

Environment Variable and Set-UID Program Lab

The learning objective of this lab is for students to understand how environment variables affect program and system behavior. Environment variables are a set of dynamic named values that can affect the way running processes will behave on a computer. They are used by most operating systems, since they were introduced to Unix in 1979. Although environment variables affect program behavior, how they achieve that is not well understood by many programmers. As results, if a program uses environment variables, but the programmer do not know that they are used, the program may have vulnerabilities.

In this lab, students will understand how environment variables work, how they are propogated from parent process to child, and how they affect system/program bahivors. We are particularly interested in how environment variables affect the behavior of Set-UID programs, which are usually privileged programs.

Task 1: Manipulating environment variables Task 2: Inheriting environment variables from parents Task 3: Environment variables and execve() Task 4: Environment variables and system() Task 5: Environment variable and Set-UID Programs Task 6: The system() function and Set-UID Programs Task 7: The LD PRELOAD environment variable and Set-UID Programs Task 8: Capability Leaking

Tags: LABTAINER ENV VARIABLES

K0529 Knowledge of scripting

S0060 Skill in writing code in a currently supported programming language (e.g., Java, C++)

S0019 Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.

Snort – Intrusion Detection System

This exercise introduces the use of the snort system to provide intrusion detection within a Linux environ- ment. Students will configure simple snort rules and experiment with a network intrusion detection system, (IDS).

Task 1: Starting and stopping snort Task 2: Pre-configured Snort rules Task 3: Write a simple (bad) rule Task 4: Custom rule for CONFIDENTIAL traffic Task 5: Effects of encryption Task 6: Watching internal traffic Task 7: Distinguishing traffic by address

Tags: LABTAINER SNORT IDS

K0324 Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.

K0488 Knowledge of network security implementations (e.g., host-based IDS, IPS, access control lists), including their function and placement in a network.

S0025 Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).

S0084 Skill in configuring and utilizing network protection components (e.g., Firewalls, VPNs, network intrusion detection systems).

PLC and Modbus

This exercise explores the use of the Modbus protocol and a PLC to control a simple device. It is assumed the student has had an introduction to PLC’s, ladder logic and the Modbus protocol.

This exercise explores the use of the Modbus protocol and a PLC to control a simple device. It is assumed the student has had an introduction to PLC’s, ladder logic and the Modbus protocol. It is also assumed the student has some experience with Wireshark.

Details of the Modbus protocol can be found at: https://http://modbus.org/docs/PI_ MBUS_300.pdf A tutorial on the use of Ladder Logic is at: //https://www.plcacademy.com/ ladder-logic-tutorial/

Task 1: Explore Task 2: Build and run PLC program Task 3: Build the Hello World Program Task 4: Start the PLC user interface & Explore Task 5: Upload the ST program to the PLC Task 6: Test the PLC program Task 7: Observe Modbus traffic Task 8: Replay coil commands Task 9: Modify the ST program Task 10: Modify the LD program

Tags: LABTAINER MODBUS PLC

K0537 Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0031 Skill in developing and applying security system access controls.

SQL Injection Attack Lab

SQL injection is a code injection technique that exploits the vulnerabilities in the interface between web applications and database servers.

SQL injection is a code injection technique that exploits the vulnerabilities in the interface between web applications and database servers. The vulnerability is present when user’s inputs are not correctly checked within the web applications before being sent to the back-end database servers.

Many web applications take inputs from users, and then use these inputs to construct SQL queries, so the web applications can get information from the database. Web applications also use SQL queries to store information in the database. These are common practices in the development of web applications. When SQL queries are not carefully constructed, SQL injection vulnerabilities can occur. The SQL injection attack is one of the most common attacks on web applications.

In this lab, we have created a web application that is vulnerable to the SQL injection attack. Our web application includes the common mistakes made by many web developers. Students’ goal is to find ways to exploit the SQL injection vulnerabilities, demonstrate the damage that can be achieved by the attack, and master the techniques that can help defend against such type of attacks.

Task 1: MySQL Console Task 2: SQL Injection Attack on SELECT Statement Task 3: SQL Injection Attack on UPDATE Statement Task 4: Countermeasure — Prepared Statement

Tags: LABTAINER SQLi

K0069 Knowledge of query languages such as SQL (structured query language).

K0095 Knowledge of the capabilities and functionality associated with various technologies for organizing and managing information (e.g., databases, bookmarking engines).

K0373 Knowledge of basic software applications (e.g., data storage and backup, database applications) and the types of vulnerabilities that have been found in those applications.

S0042 Skill in maintaining databases. (i.e., backup, restore, delete data, transaction log files, etc.).

S0220 Skill in exploiting/querying organizational and/or partner collection databases.

S0286 Skill in using databases to identify target-relevant information.

S0292 Skill in using targeting databases and software packages.

SSH Agent Introduction

This lab illustrates the use of an SSH agent to manage private keys used to authenticate to SSH services on Linux computers. The goal is to allow a user to use SSH to securely authenticate from the client to a local server, and then from the local server to a remote server, without providing either a password or a passphrase, (after initial setup and initialization of an SSH Agent).

A previous lab, sshlab, illustrated the use of public and private keys for SSH authentication. This lab will show how to protect those private keys with a passphrase, but without having to type in the passphrase each time you wish to access a remote system. The student is expected to have some familiarity with the Linux command line, the basics of the file system, and the ability to locate and edit a file.

Task 1: Explore Task 2: Generate and copy keys Task 3: Start an SSH Agent to manage your private key Task 4: Use an SSH config file to enable agent forwarding

Tags: LABTAINER SSH

K0485 Knowledge of network administration.

K0486 Knowledge of network construction and topology.

K0395 Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0138 Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

SSH Lab Exercise

This Labtainer explores the use of SSH from a client computer to connect securely to a server using public and private key pairs. In this example, mere possession of the private key is sufficient to access the remote host.

Task 1: Generate authentication keys (public/private RSA key pair) on the client computer input

Task 2: Setup SSH on server for user to use their authentication keys

Task 3: Connect using SSH and display a file on the server

Tags: LABTAINER SSH

K0485 Knowledge of network administration.

K0486 Knowledge of network construction and topology.

K0395 Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0138 Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

SSL Lab

This lab requires that you use SSL certificates to authenticate devices on a simulated industrial control system network shared by Programmable Logic Controlers (PLCs) and Human Machine Inteface (HMI) devices. The concepts covered by this lab are applicable to pairs of clients and servers, e.g., a web broswer and a web server.

The student is expected to have separately learned about the basic elements of PKI certificates, e.g., pub- lic/private key pairs, Certification Authorities, signing requests and certificate chains. If the student is en- gaded in independent study, several tutorial videos that cover public key cryptography are at: https://my.nps.edu/web/c3o/movies

Tutorials on the use of the openssl utility can be found on the web, and details can be viewed using “man openssl”. The student is expected to have at least a basic understanding of the Linux command line, the basics of the file system, and the ability to use scp to copy files from one computer to another.

Task 1: Explore Task 2: Generate certficates and keys Task 3: Demonstrate communication between all 4 components

Tags: LABTAINER SSL

K0485 Knowledge of network administration.

K0486 Knowledge of network construction and topology.

K0395 Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

S0007 Skill in applying host/network access controls (e.g., access control list).

S0138 Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Exploring Symmetric Key Encryption Modes

In this lab, you will explore the concept of encryption modes and their properties. To perform this exploration, you will be using an open source encryption product known as OpenSSL.

In this lab, you will explore the concept of encryption modes and their properties. To perform this exploration, you will be using an open source encryption product known as OpenSSL. You will explore the properties of these modes, seeing a visual representation of the state of the ciphertext, and exploring error propagation during decryption in these various modes.

Note: You can use the commands “man openssl” and “man enc” to get additional help on how to use the openssl command line tool. Appendix A contains a quick reference sheet of commonly used Unix commands and appendix B explains hexadecimal.

Task 1: Warm-up: Encrypt and then decrypt a file (any file) Task 2: Encryption Modes Task 3: Error Propagation During Decryption

Tags: LABTAINER CRYPTOGRAPHY

K0019 Knowledge of cryptography and cryptographic key management concepts

K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).

K0190 Knowledge of encryption methodologies.

K0487 Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

S0164 Skill in assessing the application of cryptographic standards.

S0138 Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Exploring Unix Logs (Ubuntu)

The objective of this exercise is to give the student some hands-on experience with syslog configuration and testing.

Task 1: Explore Task 2: Reconfigure rsyslog for MARK Task 3: Reconfigure and Test rsyslog Task 4: More Commands

Tags: LABTAINER RSYSLOG

K0192 Knowledge of Windows/Unix ports and services.

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0397 Knowledge of security concepts in operating systems (e.g., Linux, Unix.)

K0608 Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

S0120 Skill in reviewing logs to identify evidence of past intrusions.

TCP/IP Vulnerabilities Lab

The learning objective of this lab is for students to gain first-hand experience on some TCP/IP vulnerabilities, as well as on attacks against these vulnerabilities.

An introduction to basic networking and TCP/IP can be found in the network-basics lab.

Wise people learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a seemly-benign mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing. The vulnerabilities in the TCP/IP protocols represent a special genre of vulnerabilities in protocol designs and implementations; they provide an invaluable lesson as to why security should be designed in from the beginning, rather than being added as an afterthought. Moreover, studying these vulnerabilities help students understand the challenges of network security and why many network security measures are needed. In this lab, students need to conduct several attacks on the TCP protocol, including the SYN flood attack, the TCP reset attack, and the TCP session hijacking attack.

Task 1: SYN Flooding Attack Task 2: TCP RST Attacks on telnet and ssh Connections Task 3: Creating Reverse Shell using TCP Session Hijacking

Tags: LABTAINER TCP/IP

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

K0555 Knowledge of TCP/IP networking protocols.

K0565 Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

S0078 Skill in recognizing and categorizing types of vulnerabilities and associated attacks.

S0081 Skill in using network analysis tools to identify vulnerabilities. (e.g., fuzzing, nmap, etc.).

Telnet Lab Exercise

This labtainer exercise illustrates the use of a telnet client to access resources on a server. It is a simple lab intended to illustrate basic client server networking and the transmission of plaintext passwords over a network by telnet.

Task 1: Determine the server IP address Task 2: Telnet to telnet server and display a file on the server Task 3: View plaintext passwords. Task 4: Use SSH to protect communications with the server

Tags: LABTAINER TELNET

K0221 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

K0555 Knowledge of TCP/IP networking protocols.

K0565 Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

S0081 Skill in using network analysis tools to identify vulnerabilities. (e.g., fuzzing, nmap, etc.).

Unix Users and Groups Introduction

This is an introductory lab that only requires a bit of familiarity with the Unix command line. This exercise introduces management of users and groups on a Unix system.

This lab does not provide in-depth coverage of users, groups and Unix permissions. It introduces the concepts and provides hands-on experience. Use the Unix help facilities, e.g., useradd -h to view de- tailed options for different commands covered in this lab.

Task 1: Add users to a shared system. Task 2: Define a group on the system, and assign users to that group. Task 3: Observe how user and group IDs can affect access to files. Task 4: Observe a limitation of discretionary access controls. Task 5: Grant a user sudo or superuser privileges.

Tags: LABTAINER UNIX USERS GROUPS ACL

K0224 Knowledge of system administration concepts for operating systems such as but not limited to Unix/Linux, IOS, Android, and Windows operating systems.

K0397 Knowledge of security concepts in operating systems (e.g., Linux, Unix.)

K0065 Knowledge of policy-based and risk adaptive access controls.

K0158 Knowledge of organizational information technology (IT) user security policies (e.g., account creation, password rules, access control).

VPN Lab Exercise (host-to-host VPN)

This Labtainer exercise illustrates a simple host-to-host vpn implemented with openvpn, and a static shared key. The example network includes a client and a server with a router between them.

This Labtainer exercise illustrates a simple host-to-host vpn implemented with openvpn, and a static shared key.

The example network includes a client and a server with a router between them. The server offers a simple HTTP service, and the student will use wget on the client to retrieve html files from the server.

The openvpn application is pre-installed on the client and the server, and the corresponding openvpn configurtion files already exist. To create an encrypted tunnel, the student only has to execute openvpn on the client and the server.

The student will observe both unencrypted and encrypted network traffic using tcpdump on the router.

Task 1: Observe unencrypted traffic Task 2: Start the VPN Task 3: Explore

Tags: LABTAINER OPENVPN

VPN Lab Exercise (host-to-gateway VPN)

This Labtainer exercise illustrates a simple host-to-gateway vpn implemented with openvpn, and a static shared key.The example network includes a client and a server with a router between them.

This Labtainer exercise illustrates a simple host-to-gateway vpn implemented with openvpn, and a static shared key. The example network, depicted in Figure 1 is identical to that in the ”host-to-host VPN” (vpnlab) exer- cise, except there is now a gateway in front of the server. As with the previous exercise, the server offers a simple HTTP service, and the student will use wget on the client to retrieve html files from the server.

A link to this lab manual will be displayed. The openvpn application is pre-installed on the client and the gateway, and the corresponding openvpn configuration files already exist.

To create an encrypted tunnel, the student only has to execute openvpn on the client and the gateway.

Task 1: Attempt to retrieve data from the server Task 2: Start the VPN Task 3: Explore

Tags: LABTAINER OPENVPN

K0493 Knowledge of obfuscation techniques (e.g., TOR/Onion/anonymizers, VPN/VPS, encryption).

S0059 Skill in using Virtual Private Network (VPN) devices and encryption.

K0104 Knowledge of Virtual Private Network (VPN) security.

S0084 Skill in configuring and utilizing network protection components (e.g., Firewalls, VPNs, network intrusion detection systems).

Web Tracking Lab

Behavioral targeting is a type of online advertising where ads are displayed based on the users web-browsing behavior. The user leaves a trail of digital foot prints moving from one website to the other. Behavioral targeting anonymously monitors and tracks the sites visited by a user. When a user surfs internet, the pages they visit, the searches they make, location of the user browsing from, device used for browsing and many other inputs are used by the tracking sites to collect data.

A user profile is created from the data and data- mined for an online behavioral pattern of the user. As a result when users return to a specific site or a network of sites, the created user profiles are helpful in reaching the targeted audience to advertise. The targeted ads will fetch more user interest, the publisher (or seller) can charge a premium for these ads over random advertising or ads based on the context of a site.

Task 1: Understand the basic working of the web tracking Task 2: Importance of cookie in Web tracking Task 3: Tracked user interests and data Task 4: How ads are displayed in website Task 5: Tracking in a Private browser window Task 6: Real world tracking Task 7: Countermeasures

Tags: LABTAINER WEB-TRACKING

K0398 Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).

K0619 Knowledge of software asset management and the value of tracking the location and configuration of networked devices and software across departments, locations, facilities and, potentially, supporting business functions.

S0197 Skill in conducting social network analysis, buddy list analysis, and/or cookie analysis.

K0131 Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

Wireshark Introduction

This exercise introduces the the Wireshark network traffic analysis tool. The student will use Wireshark to view network traffic captured in a “PCAP” file and locate a specific packet.

This exercise introduces the the Wireshark network traffic analysis tool. The student will use Wireshark to view network traffic captured in a “PCAP” file and locate a specific packet. PCAP files contain copies of network traffic stored in a format that can be processed by various network analysis tools such as Wireshark and tcpdump. PCAP is short for “packet capture”.

This exercise assumes you have received instruction TCP/IP networking. In this lab you will be asked to analyze packets from a Telnet session. Telnet is a communications protocol that allows a user to issue shell commands to a remote host. Telnet network traffic is not encrypted, which simplifies traffic analysis. Refer to the telnetlab for further background.

This lab exercise only touches on some of the most basic features of Wireshark. Details on using the tool can be found at https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Task 1: Explore Task 2: Run wireshark to perform PCAP Analysis Task 3: Find a specific packet Task 4: Explore some more

Tags: LABTAINER WIRESHARK PCAP

K0555 Knowledge of TCP/IP networking protocols.

K0062 Knowledge of packet-level analysis.

K0185 Knowledge of forensics lab design configuration and support applications (e.g., VMWare, Wireshark).

S0046 Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

Cross-Site Request Forgery (CSRF) Attack Lab

The objective of this lab is to help students understand the Cross-Site Request Forgery (CSRF or XSRF) attack. A CSRF attack involves a victim user, a trusted site, and a malicious site.

The objective of this lab is to help students understand the Cross-Site Request Forgery (CSRF or XSRF) attack. A CSRF attack involves a victim user, a trusted site, and a malicious site. The victim user holds an active session with a trusted site while visiting a malicious site. The malicious site injects an HTTP request for the trusted site into the victim user session, causing damages.

In this lab, students will be attacking a social networking web application using the CSRF attack. The open-source social networking application called Elgg has countermeasures against CSRF, but we have turned them off for the purpose of this lab.

Task 1: CSRF Attack using GET Request Task 2: CSRF Attack using POST Request Task 3: Implementing a countermeasure for Elgg

Tags: LABTAINER CSRF

K0362 Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

K0408 Knowledge of cyber actions (i.e. cyber defense, information gathering, environment preparation, cyber-attack) principles, capabilities, limitations, and effects.

K0436 Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber-attack, cyber defense), principles, capabilities, limitations, and effects.

K0624 Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)

S0022 Skill in designing countermeasures to identified security risks.

S0023 Skill in designing security controls based on cybersecurity principles and tenets.

S0031 Skill in developing and applying security system access controls.

Cross-Site Scripting (XSS) Attack Lab

Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser. Using this malicious code, the attackers can steal the victim’s credentials, such as session cookies. The access control policies (i.e., the same origin policy) employed by browsers to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large- scale attacks.

To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web applica- tion named Elgg in a web server within this lab. Elgg is a very popular open-source web application for social network, and it has implemented a number of countermeasures to remedy the XSS threat. To demon- strate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any ar- bitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.

Task 1: Posting a Malicious Message to Display an Alert Window Task 2: Posting a Malicious Message to Display Cookies Task 3: Stealing Cookies from the Victim’s Machine Task 4: Session Hijacking using the Stolen Cookies Task 5: Countermeasures

Tags: LABTAINER XSS

K0362 Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

K0408 Knowledge of cyber actions (i.e. cyber defense, information gathering, environment preparation, cyber-attack) principles, capabilities, limitations, and effects.

K0436 Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber-attack, cyber defense), principles, capabilities, limitations, and effects.

K0624 Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)

S0022 Skill in designing countermeasures to identified security risks.

S0023 Skill in designing security controls based on cybersecurity principles and tenets.

S0031 Skill in developing and applying security system access controls.

iam-vipul/labtainers.md

A0093 Ability to identify/describe techniques/methods for conducting technical exploitation of the target. K0115 Knowledge that technology that can be exploited.

K0394 Knowledge of common reporting databases and tools. K0419 Knowledge of database administration and maintenance.

S0031 Skill in developing and applying security system access controls.

S0266 Skill in relevant programming languages (e.g., C++, Python, etc.).