Looking for ideas for simulated intrusions

From: Bill Moran (wmoran_at_potentialtech.com)
Date: 07/10/05

  • Next message: Eduardo Kienetz: "pop before smtp ?"
    Date: Sun, 10 Jul 2005 12:37:52 -0400
    To: security-basics@securityfocus.com

    Hello all. I'm new to this list.

    I'm running a security class for a client of mine, and I'm to a part of the
    course where the instructor (me) should be simulating breakins for the
    students to analyze. The curriculum doesn't give any details.

    We have a pretty isolated lab to work in, so I have a pretty free reign as
    to what I can try against the network the students put together.

    I'm looking for suggestions. The network is based on RH9, and the students
    have done a good bit of patching to ensure everything is up to date, as
    well as characterizing their system (using tripwire and nmap an the like)
    so they can detect when an intrusion occurs and determine what has been
    damaged and fix it.

    I only have a few ideas at this point, and they all revolve around "someone
    has leaked a password", and now a crook is running loose on your network.
    Even those are fully formed yet, and I have to have something together
    for this week, and more for next week.

    Here's what I'm looking for:
    * I know a lot of stuff is done with bot-nets these days, and most of those
      bot-nets are running customized IRC servers. Is there anywhere I can get
      one of these special IRC servers to insert into the lab network. If so,
      what potential dangers are there in doing so? The lab is an isolated
      (sandbox, or air-gapped) environment, and it's specifically for this
      purpose (read: sacrificial) but I don't want to completely hose it with
      two weeks of labs still remaining ;)
    * Any ideas on simple (and especially illustrative) remote exploits?
    * I need to do something that triggers the snort machine, but this is less
      important because only two students worked on this ... better is things
      I can launch against all the machines on the network.

    I'm looking particularly for things that will trigger the tripwire rules
    to notice problems, as well as things that open up listening sockets.

    I'm not looking for things that are so terribly clever that they can find
    their way around tripwire - the point of the lab is to teach, not expose
    the students to something so complicated that it's beyond their grasp.

    Any ideas, or pointers to better forums are welcome.

    Bill Moran
    Potential Technologies

  • Next message: Eduardo Kienetz: "pop before smtp ?"