The following assignments have been given, with due dates as shown:
Assignment 1 – Due: Tuesday, September 11
Assignment 2 – Due: Tuesday, September 25
Complete the “Environment Variable and Set-UID Lab” from the Syracuse SEED Labs. You are encouraged to work on your own computer – install VirtualBox, download and set up the SEED Labs Ubuntu 16.04 virtual machine, and do your work there. Alternatively, you can use the SEED Lab image hosted on the class server (we will go over this in class, and a summary of instructions is available here.
Your assignment submission will be a lab report, describing what you did, what you saw, and what you learned. This should be typed and submitted electronically in Canvas.
Assignment 3 – Due: Tuesday, October 16 Thursday, October 18
Complete the “Buffer-Overflow Vulnerability Lab” from the Syracuse SEED Labs. As in the last assignment, you can either use a virtual machine on your own computer, or the one that is set up for you on the class server.
Assignment 4 – Due: Tuesday, November 6
Complete the "TCP/IP Attack Lab from the Syracuse SEED Labs.
Note that this lab requires multiple virtual machines running simultaneously. Each virtual machine takes up a good chunk of RAM, so if you are running this on a machine with less than 8GB RAM then running 3 VMs simultaneously is a bit of a stretch. It is perfectly acceptable to do this lab with just two VMs, with the “attacker” tasks being executed on the client or server VMs. That’s a little less realistic, but you use and see all the same concepts.
Tip 1: Make sure you follow the instructions in the SEED Lab VirtualBox setup manual for setting up multiple virtual machines (Appendix B). To make your work a little easier, you should look into the “Customization” directory on the SEED Lab VMs to make each VM look a little different (visual cues are very helpful!). Note that one step is missing: To install the custom icons in the Launch bar, the .desktop files must be executable. Just go into the Customization directory and execute the command “chmod a+x *.desktop” to fix this problem.
Tip 2: Unfortunately, “NAT Network” mode is broken in the standard Ubuntu VirtualBox packages. If your host computer is running Ubuntu (or a variant, like Mint) then you should install the VirtualBox packages from Oracle – not from Ubuntu.
Tip 3: The third main task, interfering with video streaming, won’t work with modern, robust video stream sites (like YouTube). Try it anyway and see what happens. For 5 points extra credit, use Wireshark to capture packets so you can see what is going on when this attack is launched against a browser streaming a YouTube video and explain what happens. Note that video streaming sends a lot of packets, so only capture 2 or 3 seconds of streaming under this attack or you’ll have way too much to look at.
And finally: Everything in this lab can be done with the netwox tool automating the attacks. For up to 25 points extra credit, do the exercises with Scapy. You’ll need to do some tutorials to see how to make Scapy work (and you’ll need to be able to write simple Python programs), but this is a very beneficial exercise if you have the time to take it on!
Assignment 5 – Due: Tuesday, November 27
This assignment uses the OWASP SecurityShepherd lessons and challenges that are available on the class server. First, follow the instructions that are on Canvas or were given in class to register for an account on the server. You will see a menu on the left side of the screen giving different “levels” of challenges, with increasing difficulty. Everyone should be able to do all of the “Field Training” and “Private” level challenges, and a few of the harder ones.
You should write up a brief (1-2 sentences) description of each level solved describing the solution and how you figured it out, and should submit this write-up in Canvas. The maximum possible assignment grade is calculated based on the number points earned from challenges, translated as follows:
90 points: 60% (this corresponds to all “Field Training” challenges)
150 points: 70% (all “Field Training” and at least two “Private”)
405 points: 85% (all “Field Training” and “Private”)
500 points: 100% (at least two challenges above “Private”)
Anything above 500 points will provide extra credit (up to 25% extra credit)
Tips and hints will be posted to Canvas.