Penetration Testing mailing list archives

Re: [PEN-TEST] Educational laboratory setup


From: Omar Herrera <oherrera () prodigy net mx>
Date: Thu, 14 Dec 2000 15:34:18 -0600

We do something similar in a topic called Computer Systems Security at
ITESM CCM in México. The simulation is part of the final project for the
students and goes like this:

2 teams set up a pair of machines (one for attacking and one for
defending) on the network. The reason that each team has 2 machines is
that it is hard to attack from a machine protected by a NIDS and a
firewall: you overload your own security logs with traffic belonging to
your own attacks (and might also block some attack responses to
yourself).

So, the rules usually go like this:

Defending machine (server):
* might have almost any kind of O.S. (Linux, BSD, Solaris, Windows
NT...)
* must have at least 3 services open to the outside (teams negotiate
which ones, usually HTTP, FTP, TELNET and SMTP)
* Net Address of this machine cannot change during the simulation
* Defending software can be installed (NIDS, Firewall, ...  at least you
must have the ability to log traffic)

Attacking machine:
* might have almost any kind of O.S. (Linux, BSD, Solaris, Windows
NT...)
* Attacking software includes port scanners, vulnerability scanners,
sniffers, packet construction tools and specific exploits (it is allowed
to download and run them during the simulation based on the scanners
results)


Simulation:
* DoS is prohibited; this might affect the University network. Besides,
it is not fun and might be proved separately in an isolated network in a
lab.
* You can't use other machines to attack
* Simulation has a time limit (we use 2 hours)

Now, we allow the use of defending tools such as NIDS, firewalls, etc.
because students not only have to demonstrate their skills at finding
vulnerabilities and exploiting them but also at defending a supposedly
production server machine (this is not so simple: you just can't block
all traffic, you must make sure that some services are accessible from
the outside).

So despite the armor involved, many times some teams lose because they
overlooked some vulnerability (even though their defenses are more or
less well set up). For example, in the last edition (November 2000) one
team lost when their defending machine was compromised via the Unicode
vulnerability in their IIS server.


More important than the practice itself is the way that each team reports
their findings. All teams must present results showing what they did,
what they saw and where they failed. So, you have both sides of the
story in each compromise, and even if some attacks turn out to be useless during
the simulation, you can see how they proceeded and when and where they
were stopped. (Sometimes some attacks are successful but the attackers
never realize that because the defenders responded quickly.)

Hope this helps.

Omar Herrera




Markus Peuhkuri wrote:

We have a new course for next term about communication security issues
(undergraduate M.Sc.).  One part of the course is to do some
laboratory work on both attacking and protecting the network and
information stored there.

As there is not very much time allocated for these tasks, it should be
well prepared to be meaningful.

We are planning to have attacking hosts outside, a firewall, NIDS, a
router network and end system hosts with possible back doors and
trojans.  It is also possible that some groups have the possibility to put
a sniffer on the network.  There is also a varying amount of information
available about what is happening and what is in the network.

I'd like to know about similar courses, if you have any experiences
or insight.
