Looking for ideas for simulated intrusions
From: Bill Moran (wmoran_at_potentialtech.com)
Date: Sun, 10 Jul 2005 12:37:52 -0400 To: email@example.com
Hello all. I'm new to this list.
I'm running a security class for a client of mine, and I'm to a part of the
course where the instructor (me) should be simulating breakins for the
students to analyze. The curriculum doesn't give any details.
We have a pretty isolated lab to work in, so I have a pretty free reign as
to what I can try against the network the students put together.
I'm looking for suggestions. The network is based on RH9, and the students
have done a good bit of patching to ensure everything is up to date, as
well as characterizing their system (using tripwire and nmap an the like)
so they can detect when an intrusion occurs and determine what has been
damaged and fix it.
I only have a few ideas at this point, and they all revolve around "someone
has leaked a password", and now a crook is running loose on your network.
Even those are fully formed yet, and I have to have something together
for this week, and more for next week.
Here's what I'm looking for:
* I know a lot of stuff is done with bot-nets these days, and most of those
bot-nets are running customized IRC servers. Is there anywhere I can get
one of these special IRC servers to insert into the lab network. If so,
what potential dangers are there in doing so? The lab is an isolated
(sandbox, or air-gapped) environment, and it's specifically for this
purpose (read: sacrificial) but I don't want to completely hose it with
two weeks of labs still remaining ;)
* Any ideas on simple (and especially illustrative) remote exploits?
* I need to do something that triggers the snort machine, but this is less
important because only two students worked on this ... better is things
I can launch against all the machines on the network.
I'm looking particularly for things that will trigger the tripwire rules
to notice problems, as well as things that open up listening sockets.
I'm not looking for things that are so terribly clever that they can find
their way around tripwire - the point of the lab is to teach, not expose
the students to something so complicated that it's beyond their grasp.
Any ideas, or pointers to better forums are welcome.
-- Bill Moran Potential Technologies http://www.potentialtech.com