Berkeley COMPSCI 161 - CS 161 Project 2
Background
The Project
Some Tips
Submission Instructions
Forensic Questions
Wireshark and tshark
The Bro NIDS
Installation
Installing it by yourself
Invocation
Log Analysis
The Connection Analyzer
The HTTP Analyzer
Writing Policy Scripts
Summary

Paxson
Spring 2011
CS 161 Computer Security
Project 2
Due: Thursday May 5, 11:59pm

Updated 22Apr11: We linked the two Bro scripts at the end of Section 2. Thus far they were only available in the VM at /root/bro-scripts.

1 Background

Huge Big Dairy is a farming and poultry conglomerate run out of Madison, Wisconsin. They pride themselves on their yogurts, brie cheeses, and buffalo wings (made out of Real Buffalo(tm)). However, Huge Big has many detractors who allege that the company not only manifests incompetence when it comes to dairy products, but also a propensity towards venal undertakings.

During an ill-advised television interview, Huge Big's CEO, Chuck "Mondo" Cheeze, brashly trumpets his company's expertise, not only in all things dairy, but their e-marketing prowess and home-grown Internet security savvy. Mondo's biggest gaffe, however, is to imply that he does not consider cows as bovines—instantly incurring the wrath of the shadowy underground hacker group Synonymous, whose members unite in their violent objection to any terminology errors that confuse whether two words have the same meaning.

Synonymous decides to humiliate HBDairy, exposing their secrets and incompetence, and disrupting the activity of their employees. In a series of Internet attacks that HBDairy finds itself powerless to counter, Synonymous deeply embarrasses the company. Eventually, HBDairy must admit they have been outmatched, and in desperation they turn to expert outside help: you. They commission your team to analyze how Synonymous achieved their exploits.

Luckily, the one facet of computer security they managed not to screw up is logging: they have full packet traces of all of the systems in question.

One gloomy morning as the end of the semester looms, you head out to Richmond Field, board the HBDairy corporate jet, and 5 hours later find yourself at their offices in Madison, armed only with a trusty VM image that contains all of your analysis tools. You need to complete your forensic analysis, file your report, hop back on their jet, and return to Berkeley—with enough time left in RRR Week so you can adequately prepare for your final exams.

2 The Project

The goals of this project are to build up your familiarity with both (1) how real network attacks manifest, and (2) how to effectively employ some widely available tools for analyzing network activity.

Collaboration. We intend for you to work on this project in teams of two. Beyond your team, you may not collaborate with other students. You can share general information on how to use Wireshark, tshark, and Bro with other students if it is not specific to the questions on this project, but you must not share tips, advice, hints, etc. on how to solve any of the questions on this project. You must write up your solutions entirely between the two of you on your team. You must never read or copy the solutions of other teams, and you must not share your own solutions—including partial solutions—with other students. If you have any questions, please contact the instructors.

Page 1 of 16

VM. To minimize the steps required for you to have a working analysis environment, we have pre-built VirtualBox and (soon-to-be-available) VMware virtual machine (VM) images that come with both the network traces and the analysis tools pre-installed.

VirtualBox is freely available open-source software running on Windows, Linux, Macintosh, and Solaris. You can download it from:

http://www.virtualbox.org/wiki/Downloads

VMware is installed on the instructional machines iserver1.eecs.berkeley.edu, iserver2.eecs.berkeley.edu, and iserver3.eecs.berkeley.edu (all running Windows). You can log into any of those remotely with a Remote Desktop Client, as discussed at http://inst.eecs.berkeley.edu/connecting.html#labs (and in particular at http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=microsoft-rdc.help).

The VMs are based on the BackTrack Linux distribution. You can log in with username root and password toor. After logging in, you can type startx to launch the X window system or SSH to the machine (the steps to obtain the IP address are described below). If you choose to work remotely via SSH, use the -X switch to enable X forwarding, allowing you to run graphical tools like Wireshark on your local machine over the SSH connection.

You will perform all actions as user root, whose home directory is /root. Inside is a bro-scripts directory which contains two Bro policy scripts you might find useful. If you opt to work with the VM over SSH, you can log in remotely via ssh -X root@<VM IP address>.

Depending on the virtual machine software you wish to use, follow the corresponding instructions below:

VirtualBox: After having installed it, you should change the IP address of the VM host to be static. To this end, launch VirtualBox and click on "Preferences" and then "Network," where you should see a list of "Host-only Networks." Usually you are presented with one single interface vboxnet0; if not, select the interface you want to use with the guest VM. Go ahead and click the little screwdriver button to edit the interface settings. In the "Adapter" tab, change the IPv4 address to 10.1.1.1 (and leave the subnet mask at 255.255.255.0). In the "DHCP Server" tab, uncheck "Enable Server" to disable the DHCP server.

Next you need to download a copy of the VM image, which you can download from:

http://www.eecs.berkeley.edu/~mobin/teaching/cs161vbox.tar.bz2

Once you have downloaded it, extract the image and import it into VirtualBox by clicking "File" followed by "Import Appliance." The import should also work by double-clicking the file cs161vbox.ova. To launch it, simply press the "Start" button.

VMware: A copy of the VMware image will soon be available at:

http://www.eecs.berkeley.edu/~mobin/teaching/cs161vm.tar.bz2

To find out the IP address of the VM, run the command ifconfig from the terminal.

Traces. You can retrieve the HBDairy traces from:

http://www.eecs.berkeley.edu/~mobin/teaching/cs161traces.zip

If you decide to use the VM environment we have prepared for you, then it also comes pre-loaded with the traces at /root/traces. These traces store the corresponding packets in the PCAP file format, a simple and widely used standard.

Tools.
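To show what the PCAP format the traces use actually looks like, here is an added example (not part of the project handout, and not the HBDairy traces) that builds a tiny capture in memory, parses its global header and per-packet records, and tallies TCP flows by 5-tuple, the same kind of summary Bro's connection analyzer produces. The `_tcp_frame` and `build_pcap` helpers and the sample addresses are constructed for this example.

```python
import struct
from collections import Counter

# Constructed sample: minimal Ethernet/IPv4/TCP SYN frame (checksums left at zero).
def _tcp_frame(src, dst, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"                 # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

# Classic PCAP: 24-byte global header, then 16-byte record header + packet bytes.
def build_pcap(frames, little_endian=True):
    fmt = "<" if little_endian else ">"
    out = struct.pack(fmt + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack(fmt + "IIII", 1300000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Return Counter of (src, sport, dst, dport) -> packet count for TCP traffic."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xA1B2C3D4 written little-endian
        fmt = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        fmt = ">"
    else:
        raise ValueError("not a classic PCAP file")
    _, _, _, _, _, _, linktype = struct.unpack(fmt + "IHHiIII", data[:24])
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    flows, off = Counter(), 24
    while off + 16 <= len(data):
        _ts, _us, incl, _orig = struct.unpack(fmt + "IIII", data[off:off + 16])
        pkt = data[off + 16: off + 16 + incl]
        if len(pkt) != incl:              # trace cut short mid-record
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                      # not IPv4, skip
        ihl = (pkt[14] & 0x0F) * 4        # IP header length in bytes
        if pkt[23] != 6 or len(pkt) < 14 + ihl + 4:
            continue                      # not TCP or too short for ports
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        flows[(src, sport, dst, dport)] += 1
    return flows
```

Pointing `parse_pcap` at the bytes of a real trace file gives the same per-flow packet counts that tshark or Bro's conn log would report, which is a quick sanity check before deeper analysis.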