diff options
18 files changed, 568 insertions, 0 deletions
diff --git a/netsec-assignment5-S4498062/exercise1/exercise1a b/netsec-assignment5-S4498062/exercise1/exercise1a new file mode 100644 index 0000000..89585b6 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise1/exercise1a @@ -0,0 +1 @@ +<OC@(OL4 diff --git a/netsec-assignment5-S4498062/exercise1/exercise1b b/netsec-assignment5-S4498062/exercise1/exercise1b new file mode 100644 index 0000000..a599436 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise1/exercise1b @@ -0,0 +1,37 @@ +# nmap -sn 192.168.84.0/24 + +Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-08 16:39 CEST +Nmap scan report for 192.168.84.1 +Host is up (0.0042s latency). +MAC Address: 48:5B:39:89:8C:10 (Asustek Computer) +Nmap scan report for gromit.local (192.168.84.10) +Host is up (0.46s latency). +MAC Address: 00:0F:C9:0C:F7:8C (Allnet GmbH) +Nmap scan report for 192.168.84.11 +Host is up (0.21s latency). +MAC Address: 00:0F:C9:0C:F7:8C (Allnet GmbH) +Nmap scan report for 192.168.84.12 +Host is up (0.21s latency). +MAC Address: 00:0F:C9:0C:F7:8C (Allnet GmbH) +Nmap scan report for 192.168.84.14 +Host is up (0.26s latency). +MAC Address: 00:0F:C9:0C:F7:8C (Allnet GmbH) +Nmap scan report for 192.168.84.15 +Host is up (0.21s latency). +MAC Address: 00:0F:C9:0C:F7:8C (Allnet GmbH) +Nmap scan report for 192.168.84.43 +Host is up (0.23s latency). +MAC Address: 00:0F:C9:0C:EE:ED (Allnet GmbH) +Nmap scan report for 192.168.84.44 +Host is up (0.23s latency). +MAC Address: 00:0F:C9:0C:EE:ED (Allnet GmbH) +Nmap scan report for 192.168.84.45 +Host is up (0.24s latency). +MAC Address: 00:0F:C9:0C:EE:ED (Allnet GmbH) +Nmap scan report for Farore.local (192.168.84.161) +Host is up (0.29s latency). +MAC Address: A4:DB:30:8E:BA:31 (Liteon Technology) +Nmap scan report for zenbook.local (192.168.84.168) +Host is up. +Nmap done: 256 IP addresses (11 hosts up) scanned in 15.27 seconds + diff --git a/netsec-assignment5-S4498062/exercise1/exercise1c b/netsec-assignment5-S4498062/exercise1/exercise1c new file mode 100644 index 0000000..b10698f --- /dev/null +++ b/netsec-assignment5-S4498062/exercise1/exercise1c @@ -0,0 +1 @@ +http://www.cs.ru.nl/~paubel/assignment5-start.html diff --git a/netsec-assignment5-S4498062/exercise1/exercise1d.creds b/netsec-assignment5-S4498062/exercise1/exercise1d.creds new file mode 100644 index 0000000..acc488e --- /dev/null +++ b/netsec-assignment5-S4498062/exercise1/exercise1d.creds @@ -0,0 +1,2 @@ +username=ru-netsec +password=obhaCYnmIRDyy7joqdsj diff --git a/netsec-assignment5-S4498062/exercise1/exercise1e b/netsec-assignment5-S4498062/exercise1/exercise1e new file mode 100644 index 0000000..e3dae98 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise1/exercise1e @@ -0,0 +1 @@ +s4498062 This result has been hidden for privacy reasons. diff --git a/netsec-assignment5-S4498062/exercise2/exercise2a b/netsec-assignment5-S4498062/exercise2/exercise2a new file mode 100644 index 0000000..4752ff2 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise2/exercise2a @@ -0,0 +1,4 @@ +$ dig +bufsize=4096 +dnssec +ignore +tries=1 +time=1 any "lk." "@204.61.216.27" + +I just followed instructions on http://dnscurve.org/dnssecamp.html. + diff --git a/netsec-assignment5-S4498062/exercise2/exercise2b b/netsec-assignment5-S4498062/exercise2/exercise2b new file mode 100644 index 0000000..d745494 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise2/exercise2b @@ -0,0 +1,15 @@ +Nothing special on Ethernet level. + +On the IP level, we set the source IP to the IP of blackboard.ru.nl +(131.174.57.69). The destination IP should be the IP of the nameserver we're +using (204.61.216.27). + +Nothing special on the UDP level. + +On the DNS level we use the query as can be found in the capture file: + + 4c1901200001000000000001026c6b0000ff00010000291000000080000000 + +For the rest, we craft the packet as normally. This way, the nameserver will +send its reply to 131.174.57.69. + diff --git a/netsec-assignment5-S4498062/exercise2/exercise2c b/netsec-assignment5-S4498062/exercise2/exercise2c new file mode 100644 index 0000000..f16c731 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise2/exercise2c @@ -0,0 +1,5 @@ +We could reject all packets with a spoofed IP address by only accepting packets +where the source address is in our subnet: + +# iptables -A OUTPUT -j DROP +# iptables -A OUTPUT -s 203.0.113.0/24 ACCEPT diff --git a/netsec-assignment5-S4498062/exercise3/exercise3a b/netsec-assignment5-S4498062/exercise3/exercise3a new file mode 100644 index 0000000..fd9364a --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3a @@ -0,0 +1,26 @@ +We query a non-existing domain which likely isn't in the cache already (that is, +a random string as subdomain). For example, we might query for: + +$ dig eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl + +Then we race the actual DNS server to provide this response: + + ;; ANSWER SECTION: + eWVwLCB0aGlzIGlzIGJhc2U2NC4u.blackboard.ru.nl. 120 IN A 10.10.10.10 + + ;; AUTHORITY SECTION: + blackboard.ru.nl. 86400 IN NS ourns.blackboard.ru.nl. + + ;; ADDITIONAL SECTION: + ourns.blackboard.ru.nl. 604800 IN A 10.10.10.20 + +Here, 10.10.10.20 would be our address. The cache will now ask stuff about +blackboard.ru.nl to our nameserver which he thinks is at ourns.blackboard.ru.nl. + +Thus by simply requesting + +$ dig blackboard.ru.nl + +and sending back an incorrect A record for blackboard.ru.nl from 10.10.10.20, we +have spoofed the cache. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3b b/netsec-assignment5-S4498062/exercise3/exercise3b new file mode 100644 index 0000000..34d75bf --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3b @@ -0,0 +1,6 @@ +The QID is a 16-bit random string, so we have a chance of 1 over 2^16 to guess +it correctly. + +If we also use port randomisation, we have to guess 16+16=32 bits, giving us a +1 over 2^32 chance. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3c b/netsec-assignment5-S4498062/exercise3/exercise3c new file mode 100644 index 0000000..35ca2b0 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3c @@ -0,0 +1,3 @@ +We have to guess 14 extra bits, that is, 46 bits, giving us a 1 over 2^46 +probability to guess correctly. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3d b/netsec-assignment5-S4498062/exercise3/exercise3d new file mode 100644 index 0000000..d4e9ff0 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3d @@ -0,0 +1,3 @@ +Using a birthday attack, sending many the same queries increases our odds of +getting one right. + diff --git a/netsec-assignment5-S4498062/exercise3/exercise3e b/netsec-assignment5-S4498062/exercise3/exercise3e new file mode 100644 index 0000000..99abf57 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise3/exercise3e @@ -0,0 +1,3 @@ +If you're in the middle anyway you can change everything. You don't have to +guess anything, because you only modify the relevant section(s). + diff --git a/netsec-assignment5-S4498062/exercise4 b/netsec-assignment5-S4498062/exercise4 new file mode 100644 index 0000000..6df780b --- /dev/null +++ b/netsec-assignment5-S4498062/exercise4 @@ -0,0 +1,6 @@ +The firewall can keep track of the source and destination IPs and ports for +out-going UDP packets. Then, when an UDP packet comes in, it can check of these +same data (though source and destination are swapped) match somewhere in the +table of outgoing packets. If there is a match, the firewall may assume the +incoming packet is a response - and accept it - otherwise, it may drop it. + diff --git a/netsec-assignment5-S4498062/exercise5/exercise5a/client-config/client.conf b/netsec-assignment5-S4498062/exercise5/exercise5a/client-config/client.conf new file mode 100644 index 0000000..6b31c78 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise5/exercise5a/client-config/client.conf @@ -0,0 +1,123 @@ +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server. +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote 192.168.1.70 1194 +;remote my-server-2 1194 + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +;user nobody +;group nogroup + +# Try to preserve some state across restarts. +persist-key +persist-tun + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +ca ./ca.crt +cert ./client.crt +key ./client.key + +# Verify server certificate by checking +# that the certicate has the nsCertType +# field set to "server". This is an +# important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the nsCertType +# field set to "server". The build-key-server +# script in the easy-rsa folder will do this. +ns-cert-type server + +# If a tls-auth key is used on the server +# then every client must also have the key. +;tls-auth ta.key 1 + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +;cipher x + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +comp-lzo + +# Set log file verbosity. +verb 3 + +# Silence repeating messages +;mute 20 diff --git a/netsec-assignment5-S4498062/exercise5/exercise5a/commands b/netsec-assignment5-S4498062/exercise5/exercise5a/commands new file mode 100644 index 0000000..607002c --- /dev/null +++ b/netsec-assignment5-S4498062/exercise5/exercise5a/commands @@ -0,0 +1,24 @@ +As on https://openvpn.net/index.php/open-source/documentation/howto.html#pki, +on the server: + +# cp -R /usr/share/doc/openvpn /etc/openvpn +# cd /etc/openvpn/examples/easy-rsa/2.0 +# . ./vars +# ./clean-all +# ./build-ca +# ./build-key-server server +# ./build-key client +# ./build-dh + +Then the client.crt, client.key and ca.crt I copied to the client. + +On the client I only had to edit client.conf. + +Then, on the server: + +# openvpn server.conf + +And on the client: + +# openvpn client.conf + diff --git a/netsec-assignment5-S4498062/exercise5/exercise5a/server-config/server.conf b/netsec-assignment5-S4498062/exercise5/exercise5a/server-config/server.conf new file mode 100644 index 0000000..31ce619 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise5/exercise5a/server-config/server.conf @@ -0,0 +1,299 @@ +################################################# +# Sample OpenVPN 2.0 config file for # +# multi-client server. # +# # +# This file is for the server side # +# of a many-clients <-> one-server # +# OpenVPN configuration. # +# # +# OpenVPN also supports # +# single-machine <-> single-machine # +# configurations (See the Examples page # +# on the web site for more info). # +# # +# This config should work on Windows # +# or Linux/BSD systems. Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\Program Files\\OpenVPN\\config\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. +port 1194 + +# TCP or UDP server? +;proto tcp +proto udp + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap0" if you are ethernet bridging +# and have precreated a tap0 virtual interface +# and bridged it with your ethernet interface. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. +# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. +;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca /etc/openvpn/examples/easy-rsa/2.0/keys/ca.crt +cert /etc/openvpn/examples/easy-rsa/2.0/keys/server.crt +key /etc/openvpn/examples/easy-rsa/2.0/keys/server.key # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh1024.pem 1024 +# Substitute 2048 for 1024 if you are using +# 2048 bit keys. +dh /etc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. +# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +server 10.8.0.0 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Configure server mode for ethernet bridging +# using a DHCP-proxy, where clients talk +# to the OpenVPN server-side DHCP server +# to receive their IP address allocation +# and DNS server addresses. You must first use +# your OS's bridging capability to bridge the TAP +# interface with the ethernet NIC interface. +# Note: this mode only works on clients (such as +# Windows), where the client-side TAP adapter is +# bound to a DHCP client. +;server-bridge + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. +;push "route 192.168.10.0 255.255.255.0" +;push "route 192.168.20.0 255.255.255.0" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). + +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. +# First, uncomment out these lines: +;client-config-dir ccd +;route 192.168.40.128 255.255.255.248 +# Then create a file ccd/Thelonious with this line: +# iroute 192.168.40.128 255.255.255.248 +# This will allow Thelonious' private subnet to +# access the VPN. This example will only work +# if you are routing, not bridging, i.e. you are +# using "dev tun" and "server" directives. + +# EXAMPLE: Suppose you want to give +# Thelonious a fixed VPN IP address of 10.9.0.1. +# First uncomment out these lines: +;client-config-dir ccd +;route 10.9.0.0 255.255.255.252 +# Then add this line to ccd/Thelonious: +# ifconfig-push 10.9.0.1 10.9.0.2 + +# Suppose that you want to enable different +# firewall access policies for different groups +# of clients. There are two methods: +# (1) Run multiple OpenVPN daemons, one for each +# group, and firewall the TUN/TAP interface +# for each group/daemon appropriately. +# (2) (Advanced) Create a script to dynamically +# modify the firewall in response to access +# from different clients. See man +# page for more info on learn-address script. +;learn-address ./script + +# If enabled, this directive will configure +# all clients to redirect their default +# network gateway through the VPN, causing +# all IP traffic such as web browsing and +# and DNS lookups to go through the VPN +# (The OpenVPN server machine may need to NAT +# or bridge the TUN/TAP interface to the internet +# in order for this to work properly). +;push "redirect-gateway def1 bypass-dhcp" + +# Certain Windows-specific network settings +# can be pushed to clients, such as DNS +# or WINS server addresses. CAVEAT: +# http://openvpn.net/faq.html#dhcpcaveats +# The addresses below refer to the public +# DNS servers provided by opendns.com. +;push "dhcp-option DNS 208.67.222.222" +;push "dhcp-option DNS 208.67.220.220" + +# Uncomment this directive to allow different +# clients to be able to "see" each other. +# By default, clients will only see the server. +# To force clients to only see the server, you +# will also need to appropriately firewall the +# server's TUN/TAP interface. +;client-to-client + +# Uncomment this directive if multiple clients +# might connect with the same certificate/key +# files or common names. This is recommended +# only for testing purposes. For production use, +# each client should have its own certificate/key +# pair. +# +# IF YOU HAVE NOT GENERATED INDIVIDUAL +# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, +# EACH HAVING ITS OWN UNIQUE "COMMON NAME", +# UNCOMMENT THIS LINE OUT. +;duplicate-cn + +# The keepalive directive causes ping-like +# messages to be sent back and forth over +# the link so that each side knows when +# the other side has gone down. +# Ping every 10 seconds, assume that remote +# peer is down if no ping received during +# a 120 second time period. +keepalive 10 120 + +# For extra security beyond that provided +# by SSL/TLS, create an "HMAC firewall" +# to help block DoS attacks and UDP port flooding. +# +# Generate with: +# openvpn --genkey --secret ta.key +# +# The server and each client must have +# a copy of this key. +# The second parameter should be '0' +# on the server and '1' on the clients. +;tls-auth ta.key 0 # This file is secret + +# Select a cryptographic cipher. +# This config item must be copied to +# the client config file as well. +;cipher BF-CBC # Blowfish (default) +;cipher AES-128-CBC # AES +;cipher DES-EDE3-CBC # Triple-DES + +# Enable compression on the VPN link. +# If you enable it here, you must also +# enable it in the client config file. +comp-lzo + +# The maximum number of concurrently connected +# clients we want to allow. +;max-clients 100 + +# It's a good idea to reduce the OpenVPN +# daemon's privileges after initialization. +# +# You can uncomment this out on +# non-Windows systems. +;user nobody +;group nogroup + +# The persist options will try to avoid +# accessing certain resources on restart +# that may no longer be accessible because +# of the privilege downgrade. +persist-key +persist-tun + +# Output a short status file showing +# current connections, truncated +# and rewritten every minute. +status openvpn-status.log + +# By default, log messages will go to the syslog (or +# on Windows, if running as a service, they will go to +# the "\Program Files\OpenVPN\log" directory). +# Use log or log-append to override this default. +# "log" will truncate the log file on OpenVPN startup, +# while "log-append" will append to it. Use one +# or the other (but not both). +;log openvpn.log +;log-append openvpn.log + +# Set the appropriate level of log +# file verbosity. +# +# 0 is silent, except for fatal errors +# 4 is reasonable for general usage +# 5 and 6 can help to debug connection problems +# 9 is extremely verbose +verb 3 + +# Silence repeating messages. At most 20 +# sequential messages of the same message +# category will be output to the log. +;mute 20 diff --git a/netsec-assignment5-S4498062/exercise5/exercise5b/commands b/netsec-assignment5-S4498062/exercise5/exercise5b/commands new file mode 100644 index 0000000..5f8ba63 --- /dev/null +++ b/netsec-assignment5-S4498062/exercise5/exercise5b/commands @@ -0,0 +1,9 @@ +On the server: + +# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE + +Client and server configuration is exactly the same, except that the server has +this extra line: + + push "redirect-gateway local def1" + |