diff --git a/README.md b/README.md index 0a9376e..c624b0f 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ the related explanatory slides. * [Labs Integrating Several Technologies](main-labs/labs-integrating-several-technologies) * [P4](main-labs/p4) (Thanks to ETH Zurich :smile:) * [SDN-Openflow](main-labs/sdn-openflow) +* [Cybersecurity](cybersecurity) ## Community Labs The [community-labs](community-labs) directory contains a collection of network scenarios from the KatharĂ¡ community. diff --git a/main-labs/README.md b/main-labs/README.md index 8711b5c..7cdc0be 100644 --- a/main-labs/README.md +++ b/main-labs/README.md @@ -13,3 +13,4 @@ the related explanation slides. * [Labs Integrating Several Technologies](labs-integrating-several-technologies): A set of network scenarios integrating several technologies. * [P4](p4) (Thanks to ETH Zurich :smile:): A set of network scenarios on programmable switches using P4. * [SDN-Openflow](sdn-openflow): A set of network scenarios on SDN and Openflow. +* [Cybersecurity](cybersecurity): A set of cybersecurity-relevant network scenarios. diff --git a/main-labs/cybersecurity/README.md b/main-labs/cybersecurity/README.md new file mode 100644 index 0000000..4dc9fd8 --- /dev/null +++ b/main-labs/cybersecurity/README.md @@ -0,0 +1,7 @@ +# Cyber Security Labs + +This section includes cybersecurity-relevant network scenarios. + +| Name | Description | Slides | Lab | +|------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| **mDNS Poisoning** | Poison multicast DNS responses to capture authentication attempts. | [ppt](missing), [pdf](missing) | [Poisoning with Responder](mdns-poisoning/kathara-lab_mdns_poisoning.zip) diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning.zip b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning.zip new file mode 100644 index 0000000..2ee68a8 Binary files /dev/null and b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning.zip differ diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1.startup b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1.startup new file mode 100644 index 0000000..d114ff8 --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1.startup @@ -0,0 +1,9 @@ +apt-get -y update +apt -y install \ + python3-pycryptodome \ + python3-netifaces \ + python3-six + + +git clone https://github.com/lgandx/Responder /root/responder +ip address add 10.13.37.3/24 dev eth0 \ No newline at end of file diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1/etc/resolv.conf b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1/etc/resolv.conf new file mode 100644 index 0000000..81027f8 --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1/etc/resolv.conf @@ -0,0 +1 @@ +nameserver 1.1.1.1 \ No newline at end of file diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/lab.conf b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/lab.conf new file mode 100644 index 0000000..1b79828 --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/lab.conf @@ -0,0 +1,17 @@ +LAB_DESCRIPTION="MDNS Poisoning to Capture NetSMBv2 Hashes" +LAB_VERSION=3.0 +LAB_AUTHOR="V. Casalino" +LAB_EMAIL=contact@kathara.org +LAB_WEB=http://www.kathara.org/ + +server1[bridged]=True +server1[0]="A" +server1[image]="kathara/base" + +victim1[bridged]=True +victim1[0]="A" +victim1[image]="kathara/base" + +attacker1[bridged]=True +attacker1[0]="A" +attacker1[image]="kathara/base" diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1.startup b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1.startup new file mode 100644 index 0000000..2bbad1d --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1.startup @@ -0,0 +1,18 @@ +apt-get -y update +apt-get -y install avahi-daemon samba + +sed -i 's/.*enable-dbus=.*/enable-dbus=no/' /etc/avahi/avahi-daemon.conf +sed -i 's/.*allow-interfaces=.*/allow-interfaces=eth0/' /etc/avahi/avahi-daemon.conf + +mkdir -p /srv/share +chmod -R 755 /srv/share +chown -R nobody:nobody /srv/share + +adduser --disabled-password --gecos "" valerio +(echo iloveyou; echo iloveyou) | smbpasswd -s -a valerio + +ip address add 10.13.37.1/24 dev eth0 + +/usr/sbin/avahi-daemon -D +/etc/init.d/smbd start +/etc/init.d/nmbd start diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/hosts b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/hosts new file mode 100644 index 0000000..cdebead --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/hosts @@ -0,0 +1 @@ +127.0.0.1 localhost server1 server1.local diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/resolv.conf b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/resolv.conf new file mode 100644 index 0000000..81027f8 --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/resolv.conf @@ -0,0 +1 @@ +nameserver 1.1.1.1 \ No newline at end of file diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/samba/smb.conf b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/samba/smb.conf new file mode 100644 index 0000000..19898ab --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/samba/smb.conf @@ -0,0 +1,221 @@ +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options (perhaps too +# many!) most of which are not shown in this example +# +# For a step to step guide on installing, configuring and using samba, +# read the Samba-HOWTO-Collection. This may be obtained from: +# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf +# +# Many working examples of smb.conf files can be found in the +# Samba-Guide which is generated daily and can be downloaded from: +# http://www.samba.org/samba/docs/Samba-Guide.pdf +# +# Any line which starts with a ; (semi-colon) or a # (hash) +# is a comment and is ignored. In this example we will use a # +# for commentry and a ; for parts of the config file that you +# may wish to enable +# +# NOTE: Whenever you modify this file you should run the command "testparm" +# to check that you have not made any basic syntactic errors. +# +#======================= Global Settings ===================================== +[global] + +# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH + workgroup = MYGROUP + +# server string is the equivalent of the NT Description field + server string = Samba Server + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + +# This option is important for security. It allows you to restrict +# connections to machines which are on your local network. The +# following example restricts access to two C class networks and +# the "loopback" interface. For more examples of the syntax see +# the smb.conf man page +; hosts allow = 192.168.1. 192.168.2. 127. + +# Uncomment this if you want a guest account, you must add this to /etc/passwd +# otherwise the user "nobody" is used +; guest account = pcguest + +# this tells Samba to use a separate log file for each machine +# that connects + log file = /usr/local/samba/var/log.%m + +# Put a capping on the size of the log files (in Kb). + max log size = 50 + +# Specifies the Kerberos or Active Directory realm the host is part of +; realm = MY_REALM + +# Backend to store user information in. New installations should +# use either tdbsam or ldapsam. smbpasswd is available for backwards +# compatibility. tdbsam requires no further configuration. +; passdb backend = tdbsam + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting. +# Note: Consider carefully the location in the configuration file of +# this line. The included file is read at that point. +; include = /usr/local/samba/lib/smb.conf.%m + +# Configure Samba to use multiple interfaces +# If you have multiple network interfaces then you must list them +# here. See the man page for details. +; interfaces = 192.168.12.2/24 192.168.13.2/24 + +# Where to store roving profiles (only for Win95 and WinNT) +# %L substitutes for this servers netbios name, %U is username +# You must uncomment the [Profiles] share below +; logon path = \\%L\Profiles\%U + +# Windows Internet Name Serving Support Section: +# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server +; wins support = yes + +# WINS Server - Tells the NMBD components of Samba to be a WINS Client +# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both +; wins server = w.x.y.z + +# WINS Proxy - Tells Samba to answer name resolution queries on +# behalf of a non WINS capable client, for this to work there must be +# at least one WINS Server on the network. The default is NO. +; wins proxy = yes + +# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names +# via DNS nslookups. The default is NO. + dns proxy = yes + +# These scripts are used on a domain controller or stand-alone +# machine to add or delete corresponding unix accounts +; add user script = /usr/sbin/useradd %u +; add group script = /usr/sbin/groupadd %g +; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u +; delete user script = /usr/sbin/userdel %u +; delete user from group script = /usr/sbin/deluser %u %g +; delete group script = /usr/sbin/groupdel %g + + +#============================ Share Definitions ============================== +#[homes] +# comment = Home Directories +# browsable = no +# writable = yes + +# Un-comment the following and create the netlogon directory for Domain Logons +; [netlogon] +; comment = Network Logon Service +; path = /usr/local/samba/lib/netlogon +; guest ok = yes +; writable = no +; share modes = no + + +# Un-comment the following to provide a specific roving profile share +# the default is to use the user's home directory +;[Profiles] +; path = /usr/local/samba/profiles +; browsable = no +; guest ok = yes + + +# NOTE: If you have a BSD-style print system there is no need to +# specifically define each individual printer +#[printers] +# comment = All Printers +# path = /usr/spool/samba +# browsable = no +## Change 'guest ok' from 'no' to 'yes' to allow the 'guest account' user to print +# guest ok = no +# writable = no +# printable = yes + +# This one is useful for people to share files +;[tmp] +; comment = Temporary file space +; path = /tmp +; read only = no +; public = yes + +# A publicly accessible directory, but read only, except for people in +# the "staff" group +;[public] +; comment = Public Stuff +; path = /home/samba +; public = yes +; writable = no +; printable = no +; write list = @staff + +# Other examples. +# +# A private printer, usable only by fred. Spool data will be placed in fred's +# home directory. Note that fred must have write access to the spool directory, +# wherever it is. +;[fredsprn] +; comment = Fred's Printer +; valid users = fred +; path = /homes/fred +; printer = freds_printer +; public = no +; writable = no +; printable = yes + +# A private directory, usable only by fred. Note that fred requires write +# access to the directory. +;[fredsdir] +; comment = Fred's Service +; path = /usr/somewhere/private +; valid users = fred +; public = no +; writable = yes +; printable = no + +# a service which has a different directory for each machine that connects +# this allows you to tailor configurations to incoming machines. You could +# also use the %U option to tailor it by user name. +# The %m gets replaced with the machine name that is connecting. +;[pchome] +; comment = PC Directories +; path = /usr/pc/%m +; public = no +; writable = yes + +# A publicly accessible directory, read/write to all users. Note that all files +# created in the directory by users will be owned by the default user, so +# any user with access can delete any other user's files. Obviously this +# directory must be writable by the default user. Another user could of course +# be specified, in which case all files would be owned by that user instead. +;[public] +; path = /usr/somewhere/else/public +; public = yes +; only guest = yes +; writable = yes +; printable = no + +# The following two entries demonstrate how to share a directory so that two +# users can place files there that will be owned by the specific users. In this +# setup, the directory should be writable by both users and should have the +# sticky bit set on it to prevent abuse. Obviously this could be extended to +# as many users as required. +[share] + comment = Super Secret Share + path = /srv/share + valid users = valerio + public = no + writable = yes + create mask = 0755 + diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1.startup b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1.startup new file mode 100644 index 0000000..8f6fee6 --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1.startup @@ -0,0 +1,9 @@ +apt-get -y update +apt-get -y install avahi-daemon cifs-utils smbclient + +sed -i 's/.*enable-dbus=.*/enable-dbus=no/' /etc/avahi/avahi-daemon.conf +sed -i 's/.*allow-interfaces=.*/allow-interfaces=eth0/' /etc/avahi/avahi-daemon.conf + +ip address add 10.13.37.2/24 dev eth0 +/usr/sbin/avahi-daemon -D +bash /usr/bin/access-share.sh \ No newline at end of file diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/hosts b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/hosts new file mode 100644 index 0000000..c99c6ed --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/hosts @@ -0,0 +1 @@ +127.0.0.1 localhost victim1 victim1.local \ No newline at end of file diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/resolv.conf b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/resolv.conf new file mode 100644 index 0000000..81027f8 --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/resolv.conf @@ -0,0 +1 @@ +nameserver 1.1.1.1 \ No newline at end of file diff --git a/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/usr/bin/access-share.sh b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/usr/bin/access-share.sh new file mode 100644 index 0000000..0d8170d --- /dev/null +++ b/main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/usr/bin/access-share.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +for i in $(seq 1 10000); do + timeout 5 smbclient //srv1.local/share -U valerio%iloveyou + sleep 5 +done \ No newline at end of file