Paxson, Spring 2011
CS 161 Computer Security
Project 2
Due Thursday, May 5, 11:59pm

Updated 22 Apr 11: We linked the two Bro scripts at the end of Section 2. Thus far they were only available in the VM at /root/bro-scripts.

1 Background

Huge Big Dairy is a farming and poultry conglomerate run out of Madison, Wisconsin. They pride themselves on their yogurts, brie cheeses, and buffalo wings made out of Real Buffalo(tm). However, Huge Big has many detractors who allege that the company not only manifests incompetence when it comes to dairy products, but also a propensity towards venal undertakings.

During an ill-advised television interview, Huge Big's CEO Chuck "Mondo" Cheeze brashly trumpets his company's expertise not only in all things dairy, but their e-marketing prowess and homegrown Internet security savvy. Mondo's biggest gaffe, however, is to imply that he does not consider cows as bovines, instantly incurring the wrath of the shadowy underground hacker group Synonymous, whose members unite in their violent objection to any terminology errors that confuse whether two words have the same meaning.

Synonymous decides to humiliate HBDairy, exposing their secrets and incompetence and disrupting the activity of their employees. In a series of Internet attacks that HBDairy finds itself powerless to counter, Synonymous deeply embarrasses the company. Eventually HBDairy must admit they have been outmatched, and in desperation they turn to expert outside help: you. They commission your team to analyze how Synonymous achieved their exploits. Luckily, the one facet of computer security they managed not to screw up is logging: they have full packet traces of all of the systems in question.

One gloomy morning, as the end of the semester looms, you head out to Richmond Field, board the HBDairy corporate jet, and 5 hours later find yourself at their offices in Madison, armed only with a trusty VM image that contains all of your analysis tools. You need to complete your forensic analysis, file your report, hop back on their jet, and return to Berkeley with enough time left in RRR Week so you can adequately prepare for your final exams.

2 The Project

The goals of this project are to build up your familiarity with both (1) how real network attacks manifest, and (2) how to effectively employ some widely available tools for analyzing network activity.

Collaboration

We intend for you to work on this project in teams of two. Beyond your team, you may not collaborate with other students. You can share general information on how to use Wireshark, tshark, and Bro with other students if it is not specific to the questions on this project, but you must not share tips, advice, hints, etc. on how to solve any of the questions on this project. You must write up your solutions entirely between the two of you on your team. You must never read or copy the solutions of other teams, and you must not share your own solutions, including partial solutions, with other students. If you have any questions, please contact the instructors.

VM

To minimize the steps required for you to have a working analysis environment, we have pre-built VirtualBox and (soon to be available) VMware virtual machine (VM) images that come with both the network traces and the analysis tools pre-installed.

VirtualBox is freely available open source software running on Windows, Linux, Macintosh, and Solaris. You can download it from http://www.virtualbox.org/wiki/Downloads. VMware is installed on the instructional machines iserver1.eecs.berkeley.edu, iserver2.eecs.berkeley.edu, and iserver3.eecs.berkeley.edu, all running Windows. You can log into any of those remotely with a Remote Desktop Client, as discussed at http://inst.eecs.berkeley.edu/connecting.html#labs and in particular at http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=microsoft.rdc.help.

The VMs are based on the BackTrack Linux distribution. You can login with username root and password toor. After logging in, you can type startx to launch the X window system, or SSH to the machine (the steps to obtain the IP address are described below). If you choose to work remotely via SSH, use the -X switch to enable X forwarding, allowing you to run graphical tools like Wireshark on your local machine over the SSH connection.

You will perform all actions as user root, whose home directory is /root. Inside is a bro-scripts directory which contains two Bro policy scripts you might find useful. If you opt to work with the VM over SSH, you can login remotely via:

ssh -X root@<IP address of VM>

Depending on the virtual machine software you wish to use, follow the corresponding instructions below.

VirtualBox

After having installed it, you should change the IP address of the VM host to be static. To this end, launch VirtualBox and click on Preferences and then Network, where you should see a list of Host-only Networks. Usually you are presented with one single interface, vboxnet0; if not, select the interface you want to choose with the guest VM. Go ahead and click the little screwdriver button to edit the interface settings. In the Adapter tab, change the IPv4 address to 10.1.1.1 and leave the subnet mask at 255.255.255.0. In the DHCP Server tab, uncheck Enable Server to disable the DHCP server.

Next, you need to download a copy of the VM image, which you can download from http://www.eecs.berkeley.edu/~mobin/teaching/cs161vbox.tar.bz2. Once you have downloaded it, extract the image and import it into VirtualBox by clicking File followed by Import Appliance. The import should also take place by double-clicking the file cs161vbox.ova. To launch it, simply press the Start button.

VMware

A copy of the VMware image will soon be available at http://www.eecs.berkeley.edu/~mobin/teaching/cs161vm.tar.bz2.

To find out the IP address of the VM, run the command ifconfig from the terminal.

Traces

You can retrieve the HBDairy traces from http://www.eecs.berkeley.edu/~mobin/teaching/cs161traces.zip. If you decide to use the VM environment we have prepared for you, then it also comes pre-loaded with the traces at /root/traces. These traces store the corresponding packets in the PCAP file format, a simple and widely used standard.

Tools

Once you have obtained the traces, you can use whatever tools you wish to analyze them and come up with your answers to the forensic challenges that appear below. You will not need to submit any code with your answers, though we will ask for a list of the tools you used. In general, we believe you will find two tools particularly helpful. The first is Wireshark, an open source program for
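Because the traces are classic libpcap files, it helps to know what Wireshark and tshark are reading underneath. The parser below is an added example, not part of the assignment or its VM; it walks the 24-byte global header and the 16-byte per-record headers, handles both byte orders and the nanosecond-timestamp magic, and refuses a capture whose records run past the end of the file. The sample capture it builds is constructed here and is not one of the HBDairy traces.

```python
import struct

# Magic value as read little-endian -> (byte order, timestamps are nanoseconds)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", False), 0xA1B23C4D: ("<", True),   # little-endian files
    0xD4C3B2A1: (">", False), 0x4D3CB2A1: (">", True),   # big-endian files
}

def parse_pcap(data):
    """Return (snaplen, link_type, records) from a classic libpcap byte string.

    Each record is (timestamp_seconds, original_length, captured_bytes).
    Raises ValueError on a bad magic, inconsistent lengths, or a record that
    runs past the end of the data: a truncated capture should be noticed,
    not silently treated as complete.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a PCAP file: magic {magic:#010x}")
    order, nsec = PCAP_MAGICS[magic]
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _tz, _sig, snaplen, link_type = struct.unpack(order + "IHHiIII", data[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent lengths in record at offset {off}")
        if off + 16 + incl_len > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        off += 16
        ts = ts_sec + ts_frac / (1e9 if nsec else 1e6)
        records.append((ts, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, link_type, records

def build_sample():
    """Constructed two-record Ethernet capture (linktype 1, snaplen 96)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    frame1 = bytes(range(60))                                   # fully captured 60-byte frame
    rec1 = struct.pack("<IIII", 1303500000, 250000, 60, 60) + frame1
    frame2 = bytes(96)                                          # 1514-byte frame snapped to 96
    rec2 = struct.pack("<IIII", 1303500001, 0, 96, 1514) + frame2
    return hdr + rec1 + rec2
```

Cutting bytes off the end of `build_sample()` before parsing shows the truncation check firing, which is the case a forensic analyst most needs flagged before trusting a trace.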