CIS4407 - 2008 Summer
Group Assignment 11
Journals Due Friday, August 8th, at the beginning of class.

NO LATE ENTRIES WILL BE ACCEPTED!


Assignment: Security, Part II



Beginning with the distribution of this assignment on Wednesday, July 30th, 2008, each team will defend its own machines and seek to compromise the machines of the other system administration groups.

Attacks may continue until 8:00am, August 8th, 2008 (Friday, the final day of class). Journals will be due at 9:30am on August 8th. NO LATE JOURNALS WILL BE ACCEPTED.

Your grade in this exercise will reflect your success in securing your machine against the widest possible variety of attacks (with the exceptions noted below) AND your success in gaining access to the machines of other groups. The methods to employ, within the rules delineated below, are yours to research and choose. Thorough research and diligent implementation, rather than perfect performance, will count most strongly in the grading process.

Each team will be given a hard copy "flag" from the instructor on CDROM. Each flag is a unique number which must be stored on all of your physical and virtual computers in the specified directory with the specified filename. This flag is the secret value that will be the "prize" of the attackers and the object that you must defend.

On both of your physical machines, s1 and s2, and on your virtual machines, dns and mail, the file containing the flag must be placed in /root/.ssh/my_key.
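Since the flag lives under /root/.ssh, the defender's first check is that the directory and file carry the permissions sshd itself expects there (0700 on the directory, 0600 on the file, owned by root) and that the installed copy matches the number on the CDROM byte for byte. The script below is an added example, not part of the assignment handout: it installs the flag from a source file into a target directory and audits the result. The source path and target directory are parameters so it can be exercised against a scratch directory before being run as root against /root/.ssh; `stat -c` is GNU coreutils syntax, an assumption about the lab's Linux hosts.

```shell
#!/bin/sh
# Added example (not from the assignment): install and audit the team flag.
# install_flag SRC DIR  -> copies SRC to DIR/my_key with 0700/0600 modes
# audit_flag DIR        -> returns 0 only if DIR/my_key exists with those modes
# verify_flag SRC DIR   -> returns 0 only if the installed copy equals SRC
# Parameters are assumed; on the real hosts DIR is /root/.ssh.

install_flag() {
  src=$1; dir=$2
  # Subshell so the restrictive umask does not leak into the caller.
  (
    umask 077
    mkdir -p "$dir" || exit 1
    chmod 700 "$dir" || exit 1
    cp "$src" "$dir/my_key" || exit 1
    chmod 600 "$dir/my_key" || exit 1
  )
}

audit_flag() {
  dir=$1; f="$dir/my_key"
  [ -f "$f" ] || { echo "audit: missing $f" >&2; return 1; }
  # %a prints the octal mode without a leading zero (GNU coreutils).
  [ "$(stat -c %a "$dir")" = "700" ] || { echo "audit: $dir is not 0700" >&2; return 1; }
  [ "$(stat -c %a "$f")" = "600" ] || { echo "audit: $f is not 0600" >&2; return 1; }
  return 0
}

verify_flag() {
  src=$1; f="$2/my_key"
  # cmp -s exits 0 only when both files are byte-identical.
  cmp -s "$src" "$f" || { echo "verify: $f differs from $src" >&2; return 1; }
  return 0
}
```

Run it as root with the mounted CDROM path as SRC and /root/.ssh as DIR on s1, s2, dns and mail, then re-run `audit_flag` and `verify_flag` from cron so that a change in mode, owner or content during the exercise is noticed rather than discovered from the instructor's email.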

RULES FOR THIS EXERCISE

PURPOSE OF EXERCISE. Be sure that you understand that the purpose of this exercise is NOT to foster a "hacker" mentality or to arbitrarily teach the methods used by hackers. Knowledge of the techniques used by attackers must be understood to properly secure a network, which is one of the more critical jobs of the modern system administrator. Use what you learn in a responsible manner.

SCOPE OF USE. In this exercise, strictly limit all attacks and attempts to gain information to the other sysadmin machines (192.168.10.*) in room 016, as listed on my webpage, and to the lab network. Any such use against ANY other Computer Science machine, or against any machine belonging to any other system, is strictly prohibited. Be careful and stay within our sandbox.

NO ACTUAL DAMAGE. The goal of this exercise is to gain access; not to damage ANY portion of the target computer, including its filesystems or to cause ANY mischief whatsoever. DO NO DAMAGE.

NO PHYSICAL INTRUSION. For the purposes of this exercise, it will be assumed that each machine is physically secure. Therefore, no attempt may be made to gain physical access to the components of a given computer or to access said computer from the console. Attempting to boot said computer from a floppy disk, CD-ROM, USB drive, or other physical media attached to the subject computer is specifically prohibited. All access must be made over the network.

ACTS UPON INTRUSION. Upon successful capture of an opponent's flag, immediately communicate this (along with the captured flag) to your instructor. You may NOT attempt the same attack until you have been notified, but once you have been notified, you may choose to make the same attack again to determine if the target team has made successful modifications.

USER ACCOUNTS. All regular system accounts must exist and remain normally usable on all of your machines. All of the accounts that you created for the previous assignment must remain operable for the duration of this exercise, and this will be tested on a random basis.

NORMAL SERVICES. All of your machines must continue to provide normal user services to local users (i.e., those people with a local account on the machine itself). All services configured in earlier assignments must remain running and available. This will be checked on a random basis.

PACKET SNIFFERS. Packet sniffing is allowed, but only within the confines of your local network. You should naturally not use any passwords for your machines that you use outside of the sandboxes, as they may become compromised.

DENIAL OF SERVICE. Denial of service attacks are allowed, but only if used temporarily to try and obtain access to a machine.

There will be one point added to your final numeric grade for this course for each flag value you email to the instructor (other than your own team's, of course). I will accept a maximum of three (3) discovered flags. This means you can earn up to three (3) additional points for this lab exercise, bringing your possible score to a maximum of 13 points.

For each time that your flag is captured, one point will be deducted from your grade for this exercise, up to a total of three points; after three captures, the most you can receive for this lab exercise is 7 of 10 points.

I reserve the right to deny these additional points if I have any inkling that you got the flag values by other means (collusion with other teams, for instance).



A journal is due for this assignment. Make sure that you document in your journal all of the steps that you went through, following the guidelines on the class home page. Please share the workload so that all team members get experience with all aspects of the work. Do not forget to assign your work percentages to yourself and your other teammates in your journal. Please turn in a printed copy of this assignment at the beginning of class on Friday, August 8th.