Update in view of release 0.2
Changes due to various modifications in CyRIS and cnt2lms.
Razvan committed Sep 22, 2017
1 parent 48e699d commit 6b5db6d
Showing 4 changed files with 166 additions and 169 deletions.
90 changes: 53 additions & 37 deletions code/instsrv.py
Expand Up @@ -46,19 +46,20 @@
CYRIS_STATUS_FILENAME = "cr_creation_status"
CYRIS_NOTIFICATION_TEMPLATE = "range_notification-cr{0}.txt"
CYRIS_NOTIFICATION_SIMULATED = "range_notification-simulated.txt"
CYRIS_DESTRUCTION_SCRIPT = "whole-controlled-destruction.sh"
#CYRIS_DESTRUCTION_SCRIPT = "whole-controlled-destruction.sh"
CYRIS_DESTRUCTION_SCRIPT = "main/range_cleanup.py"
CYRIS_CONFIG_FILENAME = "CONFIG"
SIMULATION_DURATION = -1 # use -1 for random interval, positive value for fixed interval

# Debugging constants
DEBUG = False
USE_CYRIS = True

# Temporary
# Temporary solution until better way is implemented
USE_CNT2LMS_SCRIPT_GENERATION = False
#CYRIS_MASTER_HOST = "172.16.1.7"
#CYRIS_MASTER_ACCOUNT = "cyuser"
#CNT2LMS_PATH = "/home/cyuser/moodle/cnt2lms/"
CYRIS_MASTER_HOST = "172.16.1.7"
CYRIS_MASTER_ACCOUNT = "cyuser"
CNT2LMS_PATH = "/home/cyuser/moodle/cnt2lms/"


#############################################################################
Expand Down Expand Up @@ -174,6 +175,7 @@ def do_POST(self):
return_value = os.system(command)
exit_status = os.WEXITSTATUS(return_value)
if exit_status != 0:
self.handle_cyris_error(range_id)
self.send_error(SERVER_ERROR, "CyRIS execution issue")
return

Expand All @@ -199,39 +201,41 @@ def do_POST(self):
message = urllib.quote(notification_file_content)

response_content = self.build_response(Storyboard.SERVER_STATUS_SUCCESS, message)

# We try to prepare the terminal for Moodle, but
# errors are only considered as warnings for the
# moment, since this functionality is not publicly
# released yet in cnt2lms
try:
if USE_CNT2LMS_SCRIPT_GENERATION:
ssh_command = "ssh -tt -o 'ProxyCommand ssh [email protected] -W %h:%p' crond@moodle"
python_command = "python -u " + CNT2LMS_PATH + "get_cyris_result.py " + CYRIS_MASTER_HOST + " " + CYRIS_MASTER_ACCOUNT + " " + CYRIS_PATH + CYRIS_RANGE_DIRECTORY + " " + range_id + " 1"
command = ssh_command + " \"" + python_command + "\""
print "* DEBUG: instsrv: get_cyris_result command: " + command
return_value = os.system(command)
exit_status = os.WEXITSTATUS(return_value)
if exit_status == 0:
#response_content = RESPONSE_SUCCESS
pass
else:
#self.send_error(SERVER_ERROR, "LMS terminal preparation issue")
#return
print "* DEBUG: instsrv: LMS terminal preparation issue"
except IOError:
#self.send_error(SERVER_ERROR, "LMS terminal preparation I/O error)
#return
print "* DEBUG: instsrv: LMS terminal preparation I/O error"
else:
# CyRIS is now destroying automatically the cyber range
# in case of error, so we just return the error status
# Even though CyRIS is now destroying automatically the cyber range
# in case of error, as it may fail we still try to clean up here
self.handle_cyris_error(range_id)
response_content = self.build_response(Storyboard.SERVER_STATUS_ERROR,
Storyboard.INSTANTIATION_STATUS_FILE_NOT_FOUND)
except IOError:
self.handle_cyris_error(range_id)
self.send_error(SERVER_ERROR, Storyboard.INSTANTIATION_CYRIS_IO_ERROR)
return

# We try to prepare the terminal for Moodle, but
# errors are only considered as warning for the
# moment, since this functionality is not publicly
# released yet in cnt2lms
try:
if USE_CNT2LMS_SCRIPT_GENERATION:
ssh_command = "ssh -tt -o 'ProxyCommand ssh [email protected] -W %h:%p' cyuser@moodle"
python_command = "python -u " + CNT2LMS_PATH + "get_cyris_result.py " + CYRIS_MASTER_HOST + " " + CYRIS_MASTER_ACCOUNT + " " + CYRIS_PATH + CYRIS_RANGE_DIRECTORY
command = ssh_command + " \"" + python_command + "\""
print "* DEBUG: instsrv: get_cyris_result command: " + command
return_value = os.system(command)
exit_status = os.WEXITSTATUS(return_value)
if exit_status == 0:
#response_content = RESPONSE_SUCCESS
pass
else:
#self.send_error(SERVER_ERROR, "LMS terminal preparation issue")
#return
print "* DEBUG: instsrv: LMS terminal preparation issue"
except IOError:
#self.send_error(SERVER_ERROR, "LMS terminal preparation I/O error)
#return
print "* DEBUG: instsrv: LMS terminal preparation I/O error"

# Don't use CyRIS, just simulate the instantiation
else:
# Simulate time needed to instantiate the cyber range
Expand Down Expand Up @@ -271,14 +275,16 @@ def do_POST(self):

# Use CyRIS to really do cyber range destruction
if USE_CYRIS:
destruction_filename = CYRIS_PATH + CYRIS_RANGE_DIRECTORY + str(range_id) + "/" + CYRIS_DESTRUCTION_SCRIPT
if os.path.exists(destruction_filename):
os.system(destruction_filename)
destruction_filename = CYRIS_PATH + CYRIS_DESTRUCTION_SCRIPT
destruction_command = "{0} {1} {2}".format(destruction_filename, range_id, CYRIS_PATH + CYRIS_CONFIG_FILENAME)
print "* DEBUG: instrv: destruction_command: " + destruction_command
return_value = os.system(destruction_command)
exit_status = os.WEXITSTATUS(return_value)
if exit_status == 0:
response_content = self.build_response(Storyboard.SERVER_STATUS_SUCCESS)
else:
response_content = self.build_response(Storyboard.SERVER_STATUS_ERROR,
Storyboard.DESTRUCTION_SCRIPT_NOT_FOUND)

"CyRIS destruction issue")

# Don't use CyRIS, just simulate the destruction
else:
Expand Down Expand Up @@ -327,7 +333,17 @@ def build_response(self, status, message=None):
response_body = '[{' + response_status + '}]'

return response_body


def handle_cyris_error(self, range_id):
print "* INFO: Error occurred in CyRIS => perform cyber range cleanup."
destruction_filename = CYRIS_PATH + CYRIS_DESTRUCTION_SCRIPT
destruction_command = "{0} {1} {2}".format(destruction_filename, range_id, CYRIS_PATH + CYRIS_CONFIG_FILENAME)
print "* DEBUG: instrv: destruction_command: " + destruction_command
return_value = os.system(destruction_command)
exit_status = os.WEXITSTATUS(return_value)
if exit_status != 0:
print "* ERROR: instrv: Range cleanup failed."

# Print usage information
def usage():
print "OVERVIEW: CyTrONE instantiation server that manages the CyRIS cyber range instantiation system.\n"
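Review bot: `range_id` is dropped unquoted into a shell command line in the new `handle_cyris_error` (`"{0} {1} {2}".format(...)` followed by `os.system`) and again in the rewritten destruction branch of `do_POST`; if the id originates from the POST body, as the handler's name suggests, any shell metacharacters in it are executed as the server user, and nothing in the hunk validates it. The removed `os.path.exists(destruction_filename)` guard at least confined the value to a path component; the replacement drops even that. `do_POST` begins outside the hunk, so the origin of `range_id` cannot be confirmed from here. I would reject non-integer ids, run the cleanup script as an argv list via `subprocess.call` (with `import subprocess` added at the top of the file), return the exit status, and have the `do_POST` destruction branch call this helper instead of repeating the same five lines:
```python
def handle_cyris_error(self, range_id):
    print "* INFO: Error occurred in CyRIS => perform cyber range cleanup."
    # range_id ends up on a command line: accept nothing but a plain integer
    if not str(range_id).isdigit():
        print "* ERROR: instrv: Refusing cleanup for invalid range id: " + repr(range_id)
        return 1
    destruction_command = [CYRIS_PATH + CYRIS_DESTRUCTION_SCRIPT, str(range_id),
                           CYRIS_PATH + CYRIS_CONFIG_FILENAME]
    print "* DEBUG: instrv: destruction_command: " + " ".join(destruction_command)
    # argv list, no shell: metacharacters in range_id are passed literally
    exit_status = subprocess.call(destruction_command)
    if exit_status != 0:
        print "* ERROR: instrv: Range cleanup failed."
    return exit_status
```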
120 changes: 55 additions & 65 deletions database/NIST-level1-content-en.yml
@@ -1,100 +1,90 @@
---
- training:
- id: L1-E1
description: Investigate the security of a desktop computer
header: |
- id: L1-EN
title: Investigate the security of a desktop computer
overview: |
<p>Today is your first day on the job as a sysadmin. Your boss tells you that he suspects somebody tried to hack into your company's network, and asks you to investigate a possible cyber attack that may have happened when the system administrator was a guy called Daniel Craig. The boss sits you in front of the previous sysadmin's computer, and wishes you good luck.</p>
<p>You glance at the machine and reluctantly get to work.<p>
level: 1

questions:
- id: R-L1-001
type: fill
content: The operating system and kernel release number can tell you about the possible vulnerabilities of a computer. Find out the full kernel release number of the machine (e.g., 3.4.5-6.7.8.abc.x86_64).
answer: 3.10.0-514.16.1.el7.x86_64
- id: L1-EN-001
body: The operating system and kernel release number can tell you about the possible vulnerabilities of a computer. Find out the full kernel release number of the machine (e.g., 3.4.5-6.7.8.abc.x86_64).
answer: 3.10.0-514.21.1.el7.x86_64
hints:
- hint: You can use the command <code>uname</code> to find out OS details.
- hint: $ uname -r
- hint: An alternative solution is to get the required information from the <code>/proc/version</code> file.
- You can use the command <code>uname</code> to find out OS details.
- $ uname -r
- An alternative solution is to get the required information from the <code>/proc/version</code> file.

- id: R-L1-002
type: fill
content: In order to understand the network your computer is connected to, you should know more about the machine. Find out the IPv4 address of its first network interface, and enter the <i>last 2 bytes</i> (inverse netmask /16 address) below (e.g, 0.0.123.234).
- id: L1-EN-002
body: In order to understand the network your computer is connected to, you should know more about the machine. Find out the IPv4 address of its first network interface, and enter the <i>last 2 bytes</i> (inverse netmask /16 address) below (e.g, 0.0.123.234).
answer: 0.0.1.2
hints:
- hint: You can use the command <code>ifconfig</code> to find out NIC information.
- hint: <code>$ ifconfig eth0</code>
- hint: "An alternative solution is to use the <code>ip</code> command: <code>$ ip addr show dev eth0</code>"
- You can use the command <code>ifconfig</code> to find out NIC information.
- <code>$ ifconfig eth0</code>
- "An alternative solution is to use the <code>ip</code> command: <code>$ ip addr show dev eth0</code>"

- id: R-L1-003
type: fill
content: You also need to know about the routing settings of the machine. Find out the IPv4 address of the default gateway, and enter the <i>last 2 bytes</i> (inverse netmask /16 address) below (e.g, 0.0.123.1).
- id: L1-EN-003
body: You also need to know about the routing settings of the machine. Find out the IPv4 address of the default gateway, and enter the <i>last 2 bytes</i> (inverse netmask /16 address) below (e.g, 0.0.123.1).
answer: 0.0.1.1
hints:
- hint: You can use the command <code>route</code> to obtain routing information.
- hint: <code>$ route -n | grep ^0.0.0.0</code>
- hint: "It is also possible to use the <code>netstat</code> command: <code>$ netstat -rn | grep ^0.0.0.0</code>"
- You can use the command <code>route</code> to obtain routing information.
- <code>$ route -n | grep ^0.0.0.0</code>
- "It is also possible to use the <code>netstat</code> command: <code>$ netstat -rn | grep ^0.0.0.0</code>"

- id: R-L1-004
type: fill
content: Investigating deeper requires you to know what accounts exist on the computer. Find out the user name of the previous system administrator.
- id: L1-EN-004
body: Investigating deeper requires you to know what accounts exist on the computer. Find out the user name of the previous system administrator.
answer: daniel
hints:
- hint: The name of the previous sysadmin was already mentioned on this page. The <code>/home</code> directory could also provide some hints.
- hint: The <code>/etc/passwd</code> file is used to store login-related information.
- hint: <code>$ grep -i Daniel /etc/passwd</code>
- The name of the previous sysadmin was already mentioned on this page. The <code>/home</code> directory could also provide some hints.
- The <code>/etc/passwd</code> file is used to store login-related information.
- <code>$ grep Craig /etc/passwd</code>

- id: R-L1-005
type: fill
content: A network intrusion is suspected, so you should check the relevant log file. Find out how many unsuccessful login attempts using the account of the previous sysadmin have occurred on March 28th, 2017.
- id: L1-EN-005
body: A network intrusion is suspected, so you should check the relevant log file. Find out how many unsuccessful login attempts using the account of the previous sysadmin have occurred on March 28th, 2017.
answer: 54
hints:
- hint: Unsuccessful login attempts are specific kind of <i>authentication</i> events.
- hint: In CentOS authentication events are logged in the file <code>/var/log/secure</code>.
- hint: <code>$ sudo grep "Failed password" /var/log/secure | grep daniel | grep -c "Mar 28"</code>
- Unsuccessful login attempts are specific kind of <i>authentication</i> events.
- In CentOS authentication events are logged in the file <code>/var/log/secure</code>.
- <code>$ sudo grep "Failed password" /var/log/secure | grep daniel | grep -c "Mar 28"</code>

- id: R-L1-006
type: choice
content: You believe that the previous administrator's account password is too weak, which may have contributed to the hacking. What is his password?
choice: "\"JasonBourne\", \"GoldenEye\", \"JamesBond\", \"CasinoRoyale\""
- id: L1-EN-006
body: You believe that the previous administrator's account password is too weak, which may have contributed to the hacking. What is his password?
choices: "\"JasonBourne\", \"GoldenEye\", \"JamesBond\", \"CasinoRoyale\""
answer: JamesBond
hints:
- hint: This is a multiple-choice question, so one of the answers must be the password.
- hint: You can use the command <code>su</code> to switch to another user.
- hint: <code>$ su daniel</code>
- This is a multiple-choice question, so one of the answers must be the password.
- You can use the command <code>su</code> to switch to another user.
- <code>$ su daniel</code>

- id: R-L1-007
type: fill
content: You suspect that someone may have hacked the previous administrator's account. You need to verify whether this would have allowed hackers to have root privileges on this machine. What commands was the sysadmin allowed to execute as root?
- id: L1-EN-007
body: You suspect that someone may have hacked the previous administrator's account. You need to verify whether this would have allowed hackers to have root privileges on this machine. What commands was the sysadmin allowed to execute as root?
answer: ALL
hints:
- hint: One can execute commands as root by using the command <code>sudo</code>.
- hint: The configuration file for sudo is <code>/etc/sudoers</code>.
- hint: <code>$ sudo grep daniel /etc/sudoers</code>
- One can execute commands as root by using the command <code>sudo</code>.
- The configuration file for sudo is <code>/etc/sudoers</code>.
- <code>$ sudo grep daniel /etc/sudoers</code>

- id: R-L1-008
type: fill
content: You report the attempted intrusion and the sysadmin account weaknesses to your boss. He congratulates you and provides you with more data so that you can continue your investigation. The file <code>/home/traffic.pcap</code> contains the traffic capture related to a password guessing attack. In which country did the attack originate?
- id: L1-EN-008
body: You report the attempted intrusion and the sysadmin account weaknesses to your boss. He congratulates you and provides you with more data so that you can continue your investigation. The file <code>/home/traffic.pcap</code> contains the traffic capture related to a password guessing attack. In which country did the attack originate?
answer: Russian Federation
hints:
- hint: "You can use the tool called <b>Wireshark</b> (or the terminal-based <b>tshark</b> or <b>tcpdump</b> commands) to investigate traffic capture files. For example: <code>$ tshark -r /home/traffic.pcap -p ssh</code>"
- hint: Use the IP address identified as source of the SSH login attempts to identify the country associated to it.
- hint: <code>$ geoiplookup IP_ADDRESS</code>
- "You can use the tool called <b>Wireshark</b> (or the terminal-based <b>tshark</b> or <b>tcpdump</b> commands) to investigate traffic capture files. For example: <code>$ tshark -r /home/traffic.pcap -p ssh</code>"
- Use the IP address identified as source of the SSH login attempts to identify the country associated to it.
- <code>$ geoiplookup IP_ADDRESS</code>

- id: R-L1-009
type: fill
content: You are worried that hackers may still be connected to the machine. Find out what ports are open for all the IPv4 interfaces.
- id: L1-EN-009
body: You are worried that hackers may still be connected to the machine. Find out what ports are open for all the IPv4 interfaces.
answer: 22
hints:
- hint: You can use the command <code>netstat</code> to investigate network status.
- hint: <code>$ netstat -atun | grep LISTEN</code>
- hint: "An alternative is to use the <code>lsof</code> command: <code>$sudo lsof | grep LISTEN</code>"
- You can use the command <code>netstat</code> to investigate network status.
- <code>$ netstat -atun | grep LISTEN</code>
- "An alternative is to use the <code>lsof</code> command: <code>$sudo lsof | grep LISTEN</code>"

- id: R-L1-010
type: fill
content: You suspect that malware may be running on your machine. Find out the name of the malware.
- id: L1-EN-010
body: You suspect that malware may be running on your machine. Find out the name of the malware.
answer: DAEMON
hints:
- hint: A basic way to differentiate between legit processes and rogue ones is to look at process names.
- hint: "The command <code>ps</code> can be used to display all the running processes on a computer. For example: <code>$ ps -ef</code>"
- hint: You can use the command <code>top</code> to view the processes with highest CPU utilization.
- A basic way to differentiate between legit processes and rogue ones is to look at process names.
- "The command <code>ps</code> can be used to display all the running processes on a computer. For example: <code>$ ps -ef</code>"
- You can use the command <code>top</code> to view the processes with highest CPU utilization.
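Review bot: The tshark example in the L1-EN-008 hint, `$ tshark -r /home/traffic.pcap -p ssh`, does not filter on SSH: `-p` only disables promiscuous mode and has no effect when reading a capture file, so the command dumps every packet. The hint should apply a display filter, `$ tshark -r /home/traffic.pcap -Y ssh` (`-R ssh` on older tshark releases). The L1-EN-009 hint `$sudo lsof | grep LISTEN` is missing the space after the prompt. The new `grep Craig /etc/passwd` hint for L1-EN-004 only finds the account if its GECOS field carries the surname, which presumably the range image sets but is not visible here — worth confirming, since the replaced `grep -i Daniel` matched the user name itself.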
