RE: Looking for ideas for simulated intrusions

["M. Shirk" <shirkdog_list () hotmail com>]

Get a copy of Windows XP (on vmware or a separate machine) and don't patch 
it.

Then load up Metasploit
http://www.metasploit.org

Shirkdog
http://www.shirkdog.us



> From: Bill Moran <wmoran () potentialtech com>
> To: security-basics () securityfocus com
> Subject: Looking for ideas for simulated intrusions
> Date: Sun, 10 Jul 2005 12:37:52 -0400
>
>
> Hello all.  I'm new to this list.
>
> I'm running a security class for a client of mine, and I'm to a part of the
> course where the instructor (me) should be simulating breakins for the
> students to analyze.  The curriculum doesn't give any details.
>
> We have a pretty isolated lab to work in, so I have a pretty free reign as
> to what I can try against the network the students put together.
>
> I'm looking for suggestions.  The network is based on RH9, and the students
> have done a good bit of patching to ensure everything is up to date, as
> well as characterizing their system (using tripwire and nmap an the like)
> so they can detect when an intrusion occurs and determine what has been
> damaged and fix it.
>
> I only have a few ideas at this point, and they all revolve around "someone
> has leaked a password", and now a crook is running loose on your network.
> Even those are fully formed yet, and I have to have something together
> for this week, and more for next week.
>
> Here's what I'm looking for:
> * I know a lot of stuff is done with bot-nets these days, and most of those
>   bot-nets are running customized IRC servers.  Is there anywhere I can 
> get
>   one of these special IRC servers to insert into the lab network.  If so,
>   what potential dangers are there in doing so?  The lab is an isolated
>   (sandbox, or air-gapped) environment, and it's specifically for this
>   purpose (read: sacrificial) but I don't want to completely hose it with
>   two weeks of labs still remaining ;)
> * Any ideas on simple (and especially illustrative) remote exploits?
> * I need to do something that triggers the snort machine, but this is less
>   important because only two students worked on this ... better is things
>   I can launch against all the machines on the network.
>
> I'm looking particularly for things that will trigger the tripwire rules
> to notice problems, as well as things that open up listening sockets.
>
> I'm not looking for things that are so terribly clever that they can find
> their way around tripwire - the point of the lab is to teach, not expose
> the students to something so complicated that it's beyond their grasp.
>
> Any ideas, or pointers to better forums are welcome.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement