Add mdns poisoning lab - cybersecurity

README.md

@@ -18,6 +18,7 @@ the related explanatory slides.
 * [Labs Integrating Several Technologies](main-labs/labs-integrating-several-technologies)
 * [P4](main-labs/p4) (Thanks to ETH Zurich :smile:)
 * [SDN-Openflow](main-labs/sdn-openflow)
+* [Cybersecurity](cybersecurity)
 
 ## Community Labs
 The [community-labs](community-labs) directory contains a collection of network scenarios from the Kathará community.

main-labs/README.md

@@ -13,3 +13,4 @@ the related explanation slides.
 * [Labs Integrating Several Technologies](labs-integrating-several-technologies): A set of network scenarios integrating several technologies.
 * [P4](p4) (Thanks to ETH Zurich :smile:): A set of network scenarios on programmable switches using P4. 
 * [SDN-Openflow](sdn-openflow): A set of network scenarios on SDN and Openflow.
+* [Cybersecurity](cybersecurity): A set of cybersecurity-relevant network scenarios. 

main-labs/cybersecurity/README.md

@@ -0,0 +1,7 @@
+# Cyber Security Labs
+
+This section includes cybersecurity-relevant network scenarios.
+
+| Name                         | Description                                            | Slides                                                                                                                                                      | Lab                                                                                                                                     |
+|------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
+| **mDNS Poisoning** | Poison multicast DNS responses to capture authentication attempts. | [ppt](missing), [pdf](missing) | [Poisoning with Responder](mdns-poisoning/kathara-lab_mdns_poisoning.zip)

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1.startup

@@ -0,0 +1,9 @@
+apt-get -y update
+apt -y install \
+    python3-pycryptodome \
+    python3-netifaces \
+    python3-six
+
+
+git clone https://github.com/lgandx/Responder /root/responder
+ip address add 10.13.37.3/24 dev eth0

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/attacker1/etc/resolv.conf

@@ -0,0 +1 @@
+nameserver 1.1.1.1

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/lab.conf

@@ -0,0 +1,17 @@
+LAB_DESCRIPTION="MDNS Poisoning to Capture NetSMBv2 Hashes"
+LAB_VERSION=3.0
+LAB_AUTHOR="V. Casalino"
+LAB_EMAIL=contact@kathara.org
+LAB_WEB=http://www.kathara.org/
+
+server1[bridged]=True
+server1[0]="A"
+server1[image]="kathara/base"
+
+victim1[bridged]=True
+victim1[0]="A"
+victim1[image]="kathara/base"
+
+attacker1[bridged]=True
+attacker1[0]="A"
+attacker1[image]="kathara/base"

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1.startup

@@ -0,0 +1,18 @@
+apt-get -y update
+apt-get -y install avahi-daemon samba
+
+sed -i 's/.*enable-dbus=.*/enable-dbus=no/' /etc/avahi/avahi-daemon.conf
+sed -i 's/.*allow-interfaces=.*/allow-interfaces=eth0/' /etc/avahi/avahi-daemon.conf
+
+mkdir -p /srv/share
+chmod -R 755 /srv/share
+chown -R nobody:nobody /srv/share
+
+adduser --disabled-password --gecos "" valerio
+(echo iloveyou; echo iloveyou) | smbpasswd -s -a valerio
+
+ip address add 10.13.37.1/24 dev eth0
+
+/usr/sbin/avahi-daemon -D
+/etc/init.d/smbd start
+/etc/init.d/nmbd start

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/hosts

@@ -0,0 +1 @@
+127.0.0.1 localhost server1 server1.local

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/resolv.conf

@@ -0,0 +1 @@
+nameserver 1.1.1.1

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/server1/etc/samba/smb.conf

@@ -0,0 +1,221 @@
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options (perhaps too
+# many!) most of which are not shown in this example
+#
+# For a step to step guide on installing, configuring and using samba,
+# read the Samba-HOWTO-Collection. This may be obtained from:
+#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
+#
+# Many working examples of smb.conf files can be found in the
+# Samba-Guide which is generated daily and can be downloaded from:
+#  http://www.samba.org/samba/docs/Samba-Guide.pdf
+#
+# Any line which starts with a ; (semi-colon) or a # (hash)
+# is a comment and is ignored. In this example we will use a #
+# for commentry and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command "testparm"
+# to check that you have not made any basic syntactic errors.
+#
+#======================= Global Settings =====================================
+[global]
+
+# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
+   workgroup = MYGROUP
+
+# server string is the equivalent of the NT Description field
+   server string = Samba Server
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone server" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+   server role = standalone server
+
+# This option is important for security. It allows you to restrict
+# connections to machines which are on your local network. The
+# following example restricts access to two C class networks and
+# the "loopback" interface. For more examples of the syntax see
+# the smb.conf man page
+;   hosts allow = 192.168.1. 192.168.2. 127.
+
+# Uncomment this if you want a guest account, you must add this to /etc/passwd
+# otherwise the user "nobody" is used
+;  guest account = pcguest
+
+# this tells Samba to use a separate log file for each machine
+# that connects
+   log file = /usr/local/samba/var/log.%m
+
+# Put a capping on the size of the log files (in Kb).
+   max log size = 50
+
+# Specifies the Kerberos or Active Directory realm the host is part of
+;   realm = MY_REALM
+
+# Backend to store user information in. New installations should
+# use either tdbsam or ldapsam. smbpasswd is available for backwards
+# compatibility. tdbsam requires no further configuration.
+;   passdb backend = tdbsam
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting.
+# Note: Consider carefully the location in the configuration file of
+#       this line.  The included file is read at that point.
+;   include = /usr/local/samba/lib/smb.conf.%m
+
+# Configure Samba to use multiple interfaces
+# If you have multiple network interfaces then you must list them
+# here. See the man page for details.
+;   interfaces = 192.168.12.2/24 192.168.13.2/24
+
+# Where to store roving profiles (only for Win95 and WinNT)
+#        %L substitutes for this servers netbios name, %U is username
+#        You must uncomment the [Profiles] share below
+;   logon path = \\%L\Profiles\%U
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
+;   wins support = yes
+
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+;   wins server = w.x.y.z
+
+# WINS Proxy - Tells Samba to answer name resolution queries on
+# behalf of a non WINS capable client, for this to work there must be
+# at least one	WINS Server on the network. The default is NO.
+;   wins proxy = yes
+
+# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
+# via DNS nslookups. The default is NO.
+   dns proxy = yes
+
+# These scripts are used on a domain controller or stand-alone
+# machine to add or delete corresponding unix accounts
+;  add user script = /usr/sbin/useradd %u
+;  add group script = /usr/sbin/groupadd %g
+;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+;  delete user script = /usr/sbin/userdel %u
+;  delete user from group script = /usr/sbin/deluser %u %g
+;  delete group script = /usr/sbin/groupdel %g
+
+
+#============================ Share Definitions ==============================
+#[homes]
+#   comment = Home Directories
+#   browsable = no
+#   writable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+; [netlogon]
+;   comment = Network Logon Service
+;   path = /usr/local/samba/lib/netlogon
+;   guest ok = yes
+;   writable = no
+;   share modes = no
+
+
+# Un-comment the following to provide a specific roving profile share
+# the default is to use the user's home directory
+;[Profiles]
+;    path = /usr/local/samba/profiles
+;    browsable = no
+;    guest ok = yes
+
+
+# NOTE: If you have a BSD-style print system there is no need to
+# specifically define each individual printer
+#[printers]
+#   comment = All Printers
+#   path = /usr/spool/samba
+#   browsable = no
+## Change 'guest ok' from 'no' to 'yes' to allow the 'guest account' user to print
+#   guest ok = no
+#   writable = no
+#   printable = yes
+
+# This one is useful for people to share files
+;[tmp]
+;   comment = Temporary file space
+;   path = /tmp
+;   read only = no
+;   public = yes
+
+# A publicly accessible directory, but read only, except for people in
+# the "staff" group
+;[public]
+;   comment = Public Stuff
+;   path = /home/samba
+;   public = yes
+;   writable = no
+;   printable = no
+;   write list = @staff
+
+# Other examples.
+#
+# A private printer, usable only by fred. Spool data will be placed in fred's
+# home directory. Note that fred must have write access to the spool directory,
+# wherever it is.
+;[fredsprn]
+;   comment = Fred's Printer
+;   valid users = fred
+;   path = /homes/fred
+;   printer = freds_printer
+;   public = no
+;   writable = no
+;   printable = yes
+
+# A private directory, usable only by fred. Note that fred requires write
+# access to the directory.
+;[fredsdir]
+;   comment = Fred's Service
+;   path = /usr/somewhere/private
+;   valid users = fred
+;   public = no
+;   writable = yes
+;   printable = no
+
+# a service which has a different directory for each machine that connects
+# this allows you to tailor configurations to incoming machines. You could
+# also use the %U option to tailor it by user name.
+# The %m gets replaced with the machine name that is connecting.
+;[pchome]
+;  comment = PC Directories
+;  path = /usr/pc/%m
+;  public = no
+;  writable = yes
+
+# A publicly accessible directory, read/write to all users. Note that all files
+# created in the directory by users will be owned by the default user, so
+# any user with access can delete any other user's files. Obviously this
+# directory must be writable by the default user. Another user could of course
+# be specified, in which case all files would be owned by that user instead.
+;[public]
+;   path = /usr/somewhere/else/public
+;   public = yes
+;   only guest = yes
+;   writable = yes
+;   printable = no
+
+# The following two entries demonstrate how to share a directory so that two
+# users can place files there that will be owned by the specific users. In this
+# setup, the directory should be writable by both users and should have the
+# sticky bit set on it to prevent abuse. Obviously this could be extended to
+# as many users as required.
+[share]
+   comment = Super Secret Share
+   path = /srv/share
+   valid users = valerio
+   public = no
+   writable = yes
+   create mask = 0755
+

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1.startup

@@ -0,0 +1,9 @@
+apt-get -y update
+apt-get -y install avahi-daemon cifs-utils smbclient
+
+sed -i 's/.*enable-dbus=.*/enable-dbus=no/' /etc/avahi/avahi-daemon.conf
+sed -i 's/.*allow-interfaces=.*/allow-interfaces=eth0/' /etc/avahi/avahi-daemon.conf
+
+ip address add 10.13.37.2/24 dev eth0
+/usr/sbin/avahi-daemon -D
+bash /usr/bin/access-share.sh

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/hosts

@@ -0,0 +1 @@
+127.0.0.1 localhost victim1 victim1.local

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/etc/resolv.conf

@@ -0,0 +1 @@
+nameserver 1.1.1.1

main-labs/cybersecurity/mdns-poisoning/kathara-lab_mdns_poisoning/victim1/usr/bin/access-share.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+for i in $(seq 1 10000); do
+    timeout 5 smbclient //srv1.local/share -U valerio%iloveyou
+    sleep 5
+done