This course has weekly hands-on exercises. Nearly all of the exercises come directly from the Labtainers project from the Naval Postgraduate School (NPS). These exercises have been chosen to supplement the concepts we learn in class and give students hands-on experience with the concepts, often using real tools.

Exercises are due every Sunday night at midnight. Unless noted otherwise, you must submit two files:

  1. A PDF of your lab report to Gradescope
  2. The .lab file to Moodle

Why two files? While your report is embedded in Labtainer’s .lab file, Gradescope makes grading documents really easy for the TAs. We will primarily be looking at the lab reports. However, Labtainers has rudimentary auto-grading of the .lab files for some exercises, and we will incorporate the results of the auto-grading. Hint: look into Labtainer’s checkwork command.

Finally, the exercise for some of the below weeks is listed as “tentative.” I am completing each exercise myself before finalizing it as a weekly exercise.

Week 1: Setup

There is no formal exercise for this week. However, getting the Labtainers environment set up can take some time. Use this week to (1) read through the Labtainers website, (2) read and familiarize yourself with the Student Guide, and (3) set up your local virtual machine. I highly recommend using their provided Ubuntu image, because the installation guide indicates that it does not work with Ubuntu 22 and later.

Note: If you are using an M-series Mac, some students have had luck using UTM as a virtual machine environment; however, for others the performance is extremely poor. Please see the below instructions for using NC State’s Virtual Computing Lab (VCL) environment.

Week 2: Symmetric Cryptography

Due: Sun Sep 03, 2023 11:59:59 pm ET
Points: 50

For this week, you will be completing the symkey Labtainers exercise on “Exploring Symmetric Key Encryption Modes.” Specifically, you will see how ECB leaves patterns in the ciphertext, just as we saw during the lecture.

Week 3: Hashes and MACs

Due: Sun Sep 10, 2023 11:59:59 pm ET
Points: 50

For this week, you will be completing the macs-hash Labtainers exercise on “Exploring MACs and Hash Functions.” Specifically, you will investigate finding collisions in hash functions.

Weeks 4 and 5: Web of Trust

Due: Sun Sep 24, 2023 11:59:59 pm ET
Points: 100

For the next two weeks we will be taking a pause from the Labtainers exercises to perform a social exercise that provides you first-hand experience in understanding the challenges of key management. Who do you trust? How do you know they are who they say they are? Your goal in this project is to learn about public key cryptography, gpg, verifying identities, and the web of trust.

See the Web of Trust exercise description for details and submission instructions.

Week 6: Exam 1

There are no hands-on exercises this week. Focus on studying for Exam 1.

Weeks 7 and 8: Authentication

Due: Sun Oct 15, 2023 11:59:59 pm ET
Points: 50

For this week, you will be completing the pass-crack Labtainers exercise on “Password Cracking.” Specifically, you will get hands-on experience performing dictionary attacks to crack passwords.

Due to fall break, two weeks will be allowed for this exercise.

Week 9: Network Attacks

Due: Sun Oct 22, 2023 11:59:59 pm ET
Points: 50

For this week, you will be completing the arp-spoof Labtainers exercise on “ARP Spoofing for Sniffing.” Specifically, you will get hands-on experience performing an ARP spoofing attack to capture and modify network traffic.

Note: There is no PDF report for this exercise. Make sure that you follow the instructions and save the PCAP file as sniff.pcapng in the attacker container’s home directory. The auto-grader will be looking for this file specifically.

Week 10: Firewalls

Due: Sun Oct 29, 2023 11:59:59 pm ET
Points: 50

For this week, you will be completing the iptables2 Labtainers exercise on configuring firewall rules. Specifically, you will be modifying a firewall policy to allow additional connections.

Note: There is no PDF report for this exercise.

Week 11: IDS

Due: Sun Nov 05, 2023 11:59:59 pm ET
Points: 50

For this week, you will be completing the snort Labtainers exercise. In this exercise, you will create a simple Snort IDS rule and explore the limitations of Snort and its signatures.

Note: There is no PDF report for this exercise.

Week 12: Focus on Homework 2

There is no hands-on exercise this week. Focus on completing Homework 2. It is excellent preparation for Exam 2.

Week 13: Exam 2

There are no hands-on exercises this week. Focus on studying for Exam 2.

Weeks 14 and 15: Web Attacks (to be determined)

Due: Sun Dec 03, 2023 11:59:59 pm ET
Points: 50 + 5 extra credit

For this assignment, you’ll be exploiting a number of web vulnerabilities. We will be using Google’s XSS Game located at https://xss-game.appspot.com. There are six challenges. The first five challenges are worth 10 points each. The sixth challenge is extra credit and worth 5 points. You are allowed to use the hints as needed; however, you are explicitly forbidden from searching for the specific answers or sharing answers with other students in the class. Searching the Web for related concepts, JavaScript documentation, and general vulnerabilities is allowed.

Your solution must report the strings used for the attack, as well as any other information needed to replicate it (e.g., it is a string for a form, or it is a URL).

Due to the Thanksgiving holiday, two weeks will be allowed for this exercise.

Submission: A PDF with your answers should be submitted to Gradescope.

VCL Labtainers Setup

For students with an M-series Mac or other systems that are struggling to run the VM locally, we have created a Labtainer VM image available via the NCSU Virtual Computing Lab (VCL).

You can reserve a VM by navigating to https://vcl.ncsu.edu and clicking on “Make a Reservation.” After you log in, click on “New Reservation.” In the resulting popup window, select the “CSC474-Labtainer” image as the environment and increase the duration of the reservation. I recommend setting it to at least 8 hours. Then click on “Create Reservation.” It may take a few minutes for the machine to be created.

VERY IMPORTANT: The VM will be killed and all of your work WILL BE ERASED once the reservation time has expired. Make sure you allow yourself plenty of time to work on the exercise. You do not have to complete it all in one session. As long as the reservation time has not elapsed, you should be able to reconnect.

Once the machine is ready, a “Connect!” button will appear next to the reservation. Click on it and note down the IP address of the machine. Alternatively, download the RDP file. Use an RDP client such as Remote Desktop Connection on Windows or Microsoft Remote Desktop on macOS (available for free on the Mac App Store) to connect to the VM. To start the labtainer terminal environment, launch “Labtainer Terminal” on the desktop.

Make sure you save your work after you finish the lab. The VM will be wiped clean once the reservation time expires or you delete the reservation. You can use the web browser on the VM to upload the .lab file or use SFTP or SCP to download the file to your local machine.

Desktop performance will depend on your network connection and the resolution of the remote virtual display. Performance will generally be best on the NCSU campus, but the VM can be accessed anywhere with an internet connection.