CNT 4603, Summer 2013
Pentest Assignment
No Journal due for this exercise, but feel free to write one if you like

Assignment: Pentesting

As of distribution of this assignment on July 23, 2013 (Tuesday), each student can seek to compromise the machines of the other system administration groups in the Networking Lab.

Attacks may continue until 5:00pm, August 2nd, 2013 (Friday, the final day of classes for the semester).

Your grade in this exercise will reflect your success in securing your machine against the widest possible variety of attacks (with the exceptions noted below) AND your success in gaining access to the machines of other groups. The methods to employ, within the rules delineated below, are yours to research and choose.

On any machine that you successfully compromise, you are to open a "backdoor" shell requiring no authentication on a port of your choice that is greater than 35000. The test of a successfully compromised machine will be the ability to use either nc IPNUMBER PORT or telnet IPNUMBER PORT to get access to a bash shell on the machine. Alternatively, you may start a "reverse backdoor" going to port 49999 on machine; this reverse backdoor must try to connect at least once every five minutes, and provide a shell prompt to any ordinary "nc" in listening mode (i.e., this should be in the clear, and not using SSL.)


PURPOSE OF EXERCISE. Knowledge of the techniques used by attackers must be understood to properly secure a network, which is one of the more critical jobs of the modern system administrator. Use what you learn in a responsible manner.

SCOPE OF USE. In this exercise, strictly limit all attacks and attempts to gain information to the other sysadmin machines in room 016; the only ip numbers you should test are 192.168.26.[10-240] Any use of such techniques or any such use on any other Computer Science machines or those of any other system is strictly prohibited. Be careful and stay within our sandbox.

NO ACTUAL DAMAGE. The goal of this exercise is to gain access; not to damage ANY portion of the target computer, including its filesystems or to cause ANY mischief whatsoever. DO NO DAMAGE. Just start up a backdoor shell or reverse shell.

NO PHYSICAL INTRUSION. For the purposes of this exercise, it will be assumed that each machine is physically secure. Therefore, no attempt may be made to gain physical access to the components of a given computer or to access said computer from the console. Attempting to boot said computer from an optical drive, flash drives, or other physical media attached to the subject computer is specifically prohibited. All access must be made over the network.

ACTS UPON INTRUSION. Upon starting a backdoor, immediately communicate the ipnumber and port to your instructor via email. You may NOT attempt the same attack until you have been notified that it's okay to do so, but once you have been notified, you may choose to make the same attack again to determine if the target team has made successful modifications.

USER ACCOUNTS. All regular system accounts must exist and remain normally usable on all three machines. All of the accounts that you created for the previous assignment must remain operable for the duration of this exercise, and this will be tested on a random basis.

NORMAL SERVICES. Both your CentOS instance and your Debian machine must continue to provide normal user services to local users (i.e., those people with a local account on the machine itself.) All services configured in earlier assignments must remain running and available, and in particular both ssh and your webservers must be available. This will be checked on a random basis. Don't turn OFF the machines for any reason. Your machines must also respond to ping, so don't firewall off ICMP ECHO packets.

PACKET SNIFFERS. Packet sniffing is allowed.

ARP POISONING: ARP poisoning is not allowed. It has historically been the most successful technical technique for compromising machines, but ARP cache poisoning is highly disruptive.

DENIAL OF SERVICE. Denial of service attacks are not allowed.


  1. Can I turn off iptables for my backdoor? Yes, you can turn off iptable blocking of up to four ports on a compromised host to allow incoming connections to your backdoor. However, this should not be a permanent change; use iptables -I to insert your temporary rules from the command line.
  2. Can I use port knocking to obscure my backdoor? Yes, you may, but the port knocking needs to be incorporated in your backdoor program. Do not install a separate daemon like knockd to do your portknocking, and don't reconfigure any existing knockd on the compromised machine.
  3. Can I use a kernel module rather than a userland process for the backdoor? Yes, you may, but you should insert the module by hand (for instance, with insmod), and it should not be automatically re-installed at reboot. This kernel module should be thoroughly tested before you install it on the target — and "thorough" means "tested on the same kernel as the target".
  4. Can I use a rootkit for the backdoor? Generally, no. However, as stated in 3, you can use a one-shot kernel module insertion. But you are not to change the target machine's kernel, shared libraries, or system binaries in any permanent fashion.
  5. Can I use my second lab machine as an attack platform? If you do have a second machine in the lab, you may also use it as an attack platform. That means that if you want to install Backtrack/Kali or just run it as a live image on the machine, that's fine. However, if it is compromised, I will count that as a successful compromise. Please use one of your five IP numbers for this machine.
  6. Can I use my attack laptop in the lab? Yes, but you must use a wired connection. For that purpose, you can use the network cable for your second machine.

There will be one point added to your final numeric grade for this course for each ordinary user backdoor successfully created and demonstrated. You will receive 3 points added to your final grade for the class if you manage to create a root (uid 0) backdoor or root reverse shell. You can earn up to five such points for your final grade.

For each time that one of your machines is compromised, five points will be deducted from the grade for this exercise up to four times.

So, how does this work? Your grade for this exercise is a base 100 points. If you are not compromised during the exercise, you get 100 points. If you are compromised twice, then your grade for this assignment is 90 points; 4 times would give you an 80. If you compromise a machine, create a root reverse shell, and demonstrate it, you get 3 points on your final grade for the term (not just this assignment); if you can do it twice, you get 5 points added to your final grade.

I reserve the right to deny these additional points if I believe that you installed the backdoor by other means than a pure network compromise, such as by collusion with other teams or by physical compromise.

A journal is not due for this assignment, but feel free to write one if you would like to do so.