Penetration Testing mailing list archives
Re: [PEN-TEST] Educational laboratory setup
From: Omar Herrera <oherrera () prodigy net mx>
Date: Thu, 14 Dec 2000 15:34:18 -0600
We do something similar in a topic called Computer Systems Security at ITESM CCM in México. The simulation is part of the final project for the students and goes like this: 2 teams set up a pair of machines (one for attacking and one for defending) on the network. The reason that each team has 2 machines is that it is hard to attack from a machine protected by a NIDS and a firewall: you overload your own security logs with traffic belonging to your own attacks (and might also block some attack responses to yourself). So, the rules usually go like this:

Defending machine (server):
* might have almost any kind of O.S. (Linux, BSD, Solaris, Windows NT...)
* must have at least 3 services open to the outside (teams negotiate which ones, usually HTTP, FTP, TELNET and SMTP)
* Net Address of this machine cannot change during the simulation
* Defending software can be installed (NIDS, Firewall, ... at least you must have the ability to log traffic)

Attacking machine:
* might have almost any kind of O.S. (Linux, BSD, Solaris, Windows NT...)
* Attacking software includes port scanners, vulnerability scanners, sniffers, packet construction tools and specific exploits (it is allowed to download and run them during the simulation based on the scanners' results)

Simulation:
* DoS is prohibited; this might affect the University network, besides, it is not fun and might be proved separately in an isolated network in a lab.
* You can't use other machines to attack
* Simulation has a time limit (we use 2 hours)

Now, we allow the use of defending tools such as NIDS, firewalls, etc. because students not only have to demonstrate their skills at finding vulnerabilities and exploiting them but also at defending a supposedly production server machine (this is not as simple: you just can't block all traffic, you must make sure that some services are accessible from the outside).
So despite the armor involved, many times some teams lose because they overlooked some vulnerability (even though their defenses are more or less well set up). For example, in the last edition (November 2000) one team lost when their defending machine was compromised via the Unicode vulnerability in their IIS server. More important than the practice itself is the way that each team reports their findings. All teams must present results showing what they did, what they saw and where they failed. So, you have both sides of the story in each compromise, and even if some attacks prove useless during the simulation, you can see how they proceeded and when and where they were stopped. (Sometimes some attacks are successful but the attackers never realize that because the defenders responded quickly.) Hope this helps.

Omar Herrera

Markus Peuhkuri wrote:
We have a new course for next term about communication security issues (undergraduate M.Sc.). One part of the course is to do some laboratory work on both attacking and protecting the network and the information stored there. As there is not very much time allocated for these tasks, it should be well prepared to be meaningful. We are planning to have attacking hosts outside, a firewall, NIDS, a router network and end system hosts with possible back doors and trojans. It is also possible that some groups have the possibility to put a sniffer on the network. There is also a varying amount of information available about what is happening and what is in the network. I'd like to know about similar courses, if you have any experiences or insight.