CNT5605 - 2011 Fall
Group Assignment 9
No Journals Due

Assignment: Security Assignment



Objective: Your objectives are to defend your machines from root compromise, and to attempt to retrieve a flag in a known location. If you do succeed, send me an email with the IP number of the machine compromised and the flag file. Once verified, I will let the compromised team know and give them a new flag file.

Installation: I will give you a CD with a file on it. Place that file on both of your machines in /etc/secret.key.file.

Then, inside of the lab, visit http://192.168.10.4. Add the public key that you find there to both machines' /root/.ssh/authorized_keys file.

Finally, configure your machines so that ssh is publicly available on port 22.

Rules on Offense

You may not modify another team's machine in any meaningful way, such as destroying file systems, changing authentication information, and so forth. Of course, your compromise method may well involve some sort of change in state (if nothing else, it may well leave traces in the logs and so forth).

At no time may you physically touch another team's equipment. Don't plug CDs or USB memory sticks into other folks' machines. Don't rewire the room.

DO NOT ATTEMPT ANY ATTACKS ON MACHINES OUTSIDE THE LAB, AND OF THOSE IN THE LAB, ONLY THOSE USING THESE IP NUMBERS:

192.168.10.N*10 
192.168.10.N*10+1
where 1 <= N <= 13.

No ARP attacks of any type are allowed this semester as they are too disruptive. I have fingerprinted the room, and I will be running continuous checks for ARP modifications.

I will also be running a cron job which verifies that you have the correct key file installed. If your machines do not send this file each time, there will be a proportional, cumulative penalty assessed. If neither of your machines responds the whole time, you will get a 0 on this exercise — check your logs to make sure that the cron logins are succeeding.
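One way to do the log check mentioned above, as an added example that is not part of the original assignment: it scans sshd log text for accepted root logins, lists the key-file checks, flags gaps between them, and reports any other accepted root login. The OpenSSH syslog line format, the checker address 192.168.10.4, the 20-minute interval and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; host, PIDs, ports and times are made up.
SAMPLE_LOG = """\
Dec  5 10:00:02 team3a sshd[2101]: Accepted publickey for root from 192.168.10.4 port 40112 ssh2
Dec  5 10:07:41 team3a sshd[2140]: Failed password for root from 192.168.10.51 port 51822 ssh2
Dec  5 10:15:01 team3a sshd[2188]: Accepted publickey for root from 192.168.10.4 port 40377 ssh2
Dec  5 10:21:09 team3a sshd[2203]: Accepted password for root from 192.168.10.51 port 51990 ssh2
Dec  5 11:00:03 team3a sshd[2290]: Accepted publickey for root from 192.168.10.4 port 41020 ssh2
"""

# Assumptions, not stated in the assignment: where the checks come from and how often.
CHECKER_IP = "192.168.10.4"
MAX_GAP = timedelta(minutes=20)

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for root from (?P<ip>\S+) port \d+")

def audit_root_logins(log_text, checker_ip, max_gap, year=2011):
    """Return (check_times, gaps, unexpected) for accepted root logins."""
    checks, unexpected = [], []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed logins and other daemons are ignored here
        # Syslog timestamps carry no year, so one is supplied by the caller.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["method"] == "publickey" and m["ip"] == checker_ip:
            checks.append(when)
        else:
            # Any other accepted root login deserves a closer look.
            unexpected.append((when, m["method"], m["ip"]))
    # A gap longer than max_gap between consecutive checks means one was missed.
    gaps = [(a, b) for a, b in zip(checks, checks[1:]) if b - a > max_gap]
    return checks, gaps, unexpected

if __name__ == "__main__":
    checks, gaps, unexpected = audit_root_logins(SAMPLE_LOG, CHECKER_IP, MAX_GAP)
    print(f"{len(checks)} key-file checks logged")
    for a, b in gaps:
        print(f"missed check(s) between {a} and {b}")
    for when, method, ip in unexpected:
        print(f"unexpected root login at {when}: {method} from {ip}")
```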

Rules on Defense

You must leave your real machines up and running, and able to connect to the Internet.

You may turn off all outward facing services except those we use in class. Once we have enabled a service, however, you should leave it running for the semester unless I ask you to turn it off.





No journal is due for this assignment. I will give you 1 point on your final grade for each flag successfully retrieved, up to a 3 point maximum.

I will deduct 1 point from your final grade each time you have a flag captured, up to a 5 point maximum.

Flags may be captured until 23:59 on Friday, December 9. Both of your machines must stay up until that time.