Security Basics mailing list archives
Re: Looking for ideas for simulated intrusions
From: Kurt Buff <kurt.buff () gmail com>
Date: Mon, 11 Jul 2005 15:39:25 -0700
Bill Moran wrote:
Hello all. I'm new to this list. I'm running a security class for a client of mine, and I'm at a part of the course where the instructor (me) should be simulating break-ins for the students to analyze. The curriculum doesn't give any details. We have a pretty isolated lab to work in, so I have pretty free rein as to what I can try against the network the students put together. I'm looking for suggestions.

The network is based on RH9, and the students have done a good bit of patching to ensure everything is up to date, as well as characterizing their system (using tripwire and nmap and the like) so they can detect when an intrusion occurs and determine what has been damaged and fix it.

I only have a few ideas at this point, and they all revolve around "someone has leaked a password", and now a crook is running loose on your network. Even those aren't fully formed yet, and I have to have something together for this week, and more for next week.

Here's what I'm looking for:

* I know a lot of stuff is done with bot-nets these days, and most of those bot-nets are running customized IRC servers. Is there anywhere I can get one of these special IRC servers to insert into the lab network? If so, what potential dangers are there in doing so? The lab is an isolated (sandbox, or air-gapped) environment, and it's specifically for this purpose (read: sacrificial) but I don't want to completely hose it with two weeks of labs still remaining ;)
* Any ideas on simple (and especially illustrative) remote exploits?
* I need to do something that triggers the snort machine, but this is less important because only two students worked on this ... better is things I can launch against all the machines on the network. I'm looking particularly for things that will trigger the tripwire rules to notice problems, as well as things that open up listening sockets. I'm not looking for things that are so terribly clever that they can find their way around tripwire - the point of the lab is to teach, not expose the students to something so complicated that it's beyond their grasp.

Any ideas, or pointers to better forums are welcome.
Any plaintext auth running around on your network? Telnet, HTTP, etc.? How about SAMBA? Any r* utilities? Capturing and cracking hashes, with something like Cain and Abel, can be very instructive. So can OPHCRACK, or THC-Hydra. Maybe you have some wireless? Kismet and siblings might prove useful. Here's a very interesting list of tools: http://www.insecure.org/tools.html
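The baseline-and-diff integrity check that the students' tripwire setup performs, written out as an added example for the class (this is not code from either poster; the directory tree, file names and "post-intrusion" changes are constructed in a temporary directory to stand in for a lab host):

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Baseline: SHA-256, size and mode bits of every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            baseline[rel] = (digest.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def diff_snapshots(old, new):
    """Report paths added, removed or changed (content, size or mode) since the baseline."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario in a temp dir (a stand-in for the lab host, not a real RH9 box)."""
    root = tempfile.mkdtemp(prefix="labhost-")
    def put(rel, data, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    put("bin/ls", b"original ls binary", 0o755)
    put("etc/passwd", b"root:x:0:0::/root:/bin/bash\n")
    put("etc/motd", b"welcome\n")
    before = snapshot(root)
    # Simulated post-intrusion state: replaced binary, extra uid-0 account,
    # a deleted file and a dropped file the baseline never saw.
    put("bin/ls", b"replaced ls binary", 0o755)
    put("etc/passwd", b"root:x:0:0::/root:/bin/bash\nevil:x:0:0::/:/bin/bash\n")
    os.remove(os.path.join(root, "etc/motd"))
    put("tmp/.hidden", b"dropped", 0o644)
    return diff_snapshots(before, snapshot(root))
```

Calling demo() returns the report the students should be able to produce by hand from their tripwire output: which files appeared, which vanished, and which changed in content or permissions.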