Advanced Guide From AFA
Page Count: 382
CYBERPATRIOT
AFA’s National Youth Cyber Education Program

Program Overview
CyberPatriot is the Air Force Association’s National Youth Cyber Education Program, created to motivate students toward careers in cybersecurity and other science, technology, engineering, and mathematics (STEM) disciplines. The program features the National Youth Cyber Defense Competition for high school and middle school students, AFA CyberCamps, an Elementary School Cyber Education Initiative, the Cyber Education Literature Series, and CyberGenerations – the Senior Citizen’s Guide to Cyber Safety.

The National Youth Cyber Defense Competition
The National Youth Cyber Defense Competition is an online, tournament-structured event in which teams of 2-6 students are scored on how well they identify and secure known vulnerabilities on a virtual network. Through a partnership with Cisco, they are also tested on a networking curriculum and are required to build secure, virtual networks. Students compete in three divisions:
• Open Division: Open to all high schools, scouting units, boys and girls clubs, home school programs, and other approved youth organizations
• All Service High School Division: JROTC programs / Civil Air Patrol / Naval Sea Cadet Corps
• Middle School Division: Open to teams of middle school students
After a series of online qualification rounds, the top teams advance to the National Finals Competition, an in-person event held in Baltimore, Md., each spring. Winners are awarded scholarships, and all registered competitors are eligible to apply for internship opportunities. Not only is the competition fun and exciting, it also creates a career path for today’s students, fostering continued education from middle school through college and into the beginning of their careers. Registration for CyberPatriot XI (2018-2019 school year) is open until October 3, 2018.
AFA CyberCamps
Held during the summer months, AFA CyberCamps emphasize fun, hands-on learning of cybersecurity principles that are relevant and applicable to everyday life. Through this 20-hour, 5-day camp, students will learn the importance of cyber safety and how to protect their personal devices and information from outside threats. Camps are designed for high school or middle school students (at the discretion of the hosting organization). For more information on AFA CyberCamps, visit the “Special Initiatives” section of www.uscyberpatriot.org.

1501 Lee Hwy, Arlington, VA | www.uscyberpatriot.org | info@uscyberpatriot.org | 877-885-5716

Elementary School Cyber Education Initiative
Using game-like computer training software, the Elementary School Cyber Education Initiative is designed to:
• Excite students about education in cybersecurity and other STEM disciplines.
• Help students understand the widespread importance of cybersecurity in their everyday lives and equip them with skills to better protect themselves on the Internet.
• Encourage students to apply cyber ethics principles in their online interactions.
• FREE downloads available online.

Cyber Education Literature Series
The Cyber Education Literature Series introduces cybersecurity principles to our youngest audience in storybook format. The first book in the series, Sarah the Cyber Hero, was published in December of 2017 and is available for purchase through BookBaby.com, Amazon, and Barnes & Noble. Sarah the Cyber Hero features a female protagonist living in a town full of superheroes. She must earn her superhero cape using the cyber skills she has learned in her school’s cyber education program to protect the town from a virus downloaded to a computer.

CyberGenerations
CyberGenerations -- the Senior Citizen’s Guide to Cyber Safety -- is designed to encourage and equip more seniors to practice cyber safety.
The program covers topics such as password hygiene, malware and ransomware, marketing and fraud scams, and social media awareness. The program also provides resources for individuals who may have been a victim of a cybercrime.

NATIONAL YOUTH CYBER DEFENSE COMPETITION
CyberPatriot – AFA’s National Youth Cyber Education Program

Who is on a team?
Coach: The team coach is typically a teacher or adult leader of a team-sponsoring school or youth organization. Coaches need no special technical background. Any individual with the desire to help students learn something new and relevant can be a great CyberPatriot coach!
Competitors: The team roster must have between two and six competitors (five active, one substitute) who are registered with the CyberPatriot Program Office and enrolled with the school or organization they are competing with. All cyber teaching materials are provided and no prior cybersecurity knowledge is required for a competitor to be successful.
Technical Mentor (Optional): In cases where a team desires help with the provided online training or with specific topics, the coach may request assistance from the CyberPatriot Program Office in finding qualified technical mentors from our program. Technical mentors are registered volunteers who possess appropriate IT knowledge and skills. Background checks are performed on all technical mentors in our network.
Teams compete in three divisions:
• Open Division: High schools, scouting units, boys and girls clubs, home school programs, and other youth organizations upon approval from the CyberPatriot Program Office
• All Service Division: High school JROTC / Civil Air Patrol / Naval Sea Cadet Corps
• Middle School Division: Open to teams of middle school students (typically grades 6-8)
Team registration for CyberPatriot XI (2018-2019) ends on October 3, 2018.

What are the technical requirements?
Two to three computers and an Internet connection are required for occasional weekend use during the online portions of the competition. A full list of hardware and software requirements is available on www.uscyberpatriot.org. For teams needing an alternate Internet connection, CyberPatriot provides a limited number of AT&T 3G Air Cards on a needs / first-come, first-served basis.

What does it cost to participate?
There is a $205 registration fee for each high school team and a $165 fee for each middle school team registered for the competition, with the exception of the following fee waiver opportunities:
• All-Girl teams: In an effort to attract more girls to STEM, all-female teams may request a fee waiver
• Title I Schools: Teams from Title I schools and other schools with inadequate funding may request fee waivers
• All Service Division: JROTC/CAP/NSCC team fees are automatically waived (agreement with service HQs)
The fee covers access to the Microsoft Imagine store as well as to Cisco’s Networking Academy. These programs allow the team to download a number of operating systems and productivity tools that can be used to prepare for the competition. Additionally, participants are sent a CyberPatriot t-shirt during the season.

What training materials are needed?
Although coaches are welcome to supplement the provided teaching materials as they wish, all materials necessary for a successful competition are provided on the CyberPatriot website. Teachers (and other coaches) are encouraged to use the provided materials not solely for preparing their team for competition, but also to educate all students in their school or organization about good cybersecurity practices and safe computer and Internet use.

How does the competition work?
The early rounds of the competition are done online during weekends from teams’ home locations (schools, homes, libraries, etc.). Prior to the rounds, teams download “virtual image” representations of operating systems with known cybersecurity “vulnerabilities.” At the beginning of the round, a password to unlock the virtual image is sent out. Teams then choose any 6-hour period during the designated round to compete, finding and fixing the cybersecurity vulnerabilities while keeping critical computer functions working. Additionally, students are tested and scored on networking knowledge and building virtual, secure networks. Team progress is recorded by a central CyberPatriot scoring system.

For the Open and All Service divisions, the scores from two online qualification rounds are added together to determine team placement into one of three tiers for the State Round: Platinum, Gold, or Silver. These tiers have cybersecurity challenges of different degrees of complexity, with the Platinum Tier having the highest degree of difficulty and being the only tier from which teams can advance to the National Finals Competition. The top 12 Open Division teams and the top two teams from each All Service Division category (Air Force/Army/Marine Corps/Navy JROTC, CAP, NSCC, and one wildcard team) advance, all expenses paid, to the in-person National Finals Competition held in Baltimore, Md. There, the Finalists compete face-to-face against other teams in their division to defend virtual networks from a professional aggressor team. Winners are awarded scholarship grants.

The competition is slightly different at the middle school level. There are no skill tiers in the Middle School Division, and all teams compete against each other for the full duration of the season. After three qualifying rounds, the top 50% of teams advance to the Semifinals. From there, the top three teams advance to the National Finals Competition.
AFA CYBERCAMPS
CyberPatriot – AFA’s National Youth Cyber Education Program
The AFA CyberCamp curriculum is designed to instruct students, both novice and advanced, about cyber ethics, online safety, and the fundamental principles of cybersecurity.

How does an AFA CyberCamp work?
Through the AFA CyberCamp program, schools and educational organizations can purchase a curriculum kit consisting of five four-hour instruction modules, as well as an accompanying instructor guide, student workbooks, demonstration software, and competition software that will teach students important skills in cybersecurity. Local organizations and volunteer instructors can execute the 20-hour curriculum as a week-long summer program supplemented by guest speakers and additional group activities. The camp’s 20-hour curriculum is designed for completion over five days (must be Monday-Friday), with the final day serving as a “miniature cyber competition day.”
Topics covered during a camp include:
Standard Camp:
• Introduction: Cybersecurity career opportunities, cyber ethics, online safety, how computers work, cyber threats, cybersecurity principles, virtual machines
• Windows 10: Basic security policies and tools, account management, file protections, auditing and monitoring
• Linux/Ubuntu 16: Introduction to Linux, Ubuntu 16 terminology and concepts, basic graphical user interface security, basic command line security, intermediate Ubuntu security
Advanced Camp:
• Windows 10 Module: Graphical utilities, command line, optional Sysinternals Suite
• Ubuntu 16 Module: Init systems, advanced command line, processes and scheduled tasks, optional security policies and PAM, optional networking
• Cisco: NetAcad Networking

Who can host a camp?
Public/private middle schools and high schools, home schools, universities and other higher education or career technical education institutes, Civil Air Patrol squadrons, Naval Sea Cadet units, scouting units, boys and girls clubs, and other non-profit organizations. AFA CyberCamps cannot be conducted as a for-profit activity. All applying entities are subject to approval by the CyberPatriot National Commissioner. Host organizations are responsible for providing instructors. Standard camp instructors should have experience working with computers, basic knowledge of cybersecurity, and some familiarity with virtual machines. Advanced camp instructors should be advanced subject matter experts. It is highly desired that instructors have advanced knowledge of networking and intermediate Windows 10 and Ubuntu 16 subject matter. We recommend two or more instructors for advanced camps.

What technical resources are required?
The AFA CyberCamp curriculum and activities are largely computer based. To maximize student engagement, the hosting school or organization should provide one computer for every 1-3 participating students. The camp instructor(s) will need a projector and a presentation computer with Microsoft PowerPoint. The campers’ computers, as well as the presentation computer, must have internet access and must be capable of running VMWare Player, WinMD5, and 7-Zip, all of which are free software programs. Full technical specifications are available on the CyberPatriot website.

What is the cost of an AFA CyberCamp?
Standard Camp: $1,150 – Includes access to two demonstration images, two competition images, and digital copies of the Instructor Guide and Student Workbook.
Advanced Camp: $1,450 – Includes access to two demonstration images, two advanced competition images, Cisco Network Academy curriculum, and digital copies of the Instructor Guide and Student Workbook.
For an additional cost, host organizations can request hard-copy workbooks and instructor guides, as well as t-shirts and sunglasses.

2018 AFA Advanced CyberCamp Instructor’s Guide
© Air Force Association
Authored and edited by Emily Rauer and the Center of Infrastructure Assurance and Security (CIAS)

Advanced CyberCamp Administrative Items

Icon Key
Note to instructor: Text that follows is a note to the instructor and should not be read aloud.
Animation: Indicates that a mouse click is required to activate a text or picture animation on the slide.
Timing Note: Indicates the estimated duration of a set of instruction slides or an activity.
• Suggested script or question for the students: Identifies suggested comments and questions for the instructor to say. To keep students engaged, we recommend asking questions frequently.
- Example: Identifies examples supporting the content in the preceding bulleted script or question item.

Setup and Materials
Before your Camp:
Make sure all of the student computers and the presentation computer have access to the Internet. Install VMWare 6, 7-Zip, and WinMD5 on all of the student computers*, as well as on the presentation computer. Next, download the supplied demonstration images and competition images to the student computers and the presentation computer.
*When resources allow, one computer should be provided for each team of 2-3 students.
Demo Image log-in info for Quick Reference:
- Windows 10: User Name: cyberpatriot  Password: CyberPatriot!
- Ubuntu 16: User Name: cyberpatriot  Password: CyberPatriot!

Module Materials:
Monday (3.5 hours): Cyber Ethics & Windows 10 • Student Workbook • Demonstration Image
Tuesday (4.5 hours): Ubuntu • Student Workbook • Demonstration Image
Wednesday (4.5 hours): Cisco (Module 1 / Begin Module 2) • Student Workbook • Demonstration Image
Thursday (4.5 hours): Cisco (Finish Module 2 / Module 3) • Student Workbook • Demonstration Image
Friday (4.5 hours): Final Activity: Packet Tracer, Windows 10, Ubuntu 16 - Competition Day! • Competition Images

In the Camp Space:
Check the sound system to ensure students can hear audio from clips and music you will be playing. Have students sit together in the same teams of 2-3 for the duration of the CyberCamp.

Instructor Pre-Survey
Dear Camp Coordinator & Instructors,
Thank you for hosting an AFA CyberCamp for summer 2018! Before or on Day 1 of your camp, please take a moment to fill out our Camp Coordinator/Instructor Pre-survey. Your feedback helps us improve our CyberCamp experience for you and your students. On Day 5 we will have another reminder in this Instructor Guide letting you know about a post-survey opportunity (page iii). Each survey takes about 5-10 minutes. We have also included in the Student Workbook a student-focused Pre-survey for students to fill out on Day 1 (Monday) of their camp session, as well as a Post-survey to be filled out on Day 5 (Friday) after their Competition. Each survey takes about 5-10 minutes. Thank you again for taking the time to give us your valuable feedback for our AFA CyberCamp program. The CyberPatriot Program Office wishes you a wonderful summer of cyber!
2018 Instructor Pre-Survey: https://www.surveymonkey.com/r/MBT7BQJ

Advanced CyberCamp Instructor’s Guide – Table of Contents
Cyber Ethics Module
Overview (1 min) ..... Page 1
10 Commandments of Computers (10 mins) ..... Page 2
Cyber Bullying (10 mins) ..... Pages 3-4
Student Code of Conduct (10 mins) ..... Page 5
Student Workbook Activities
Student Code of Conduct (5 mins) ..... Page 5 – Student Workbook page: i

Module 1: Cyber Ethics

Slide 0
• This module will cover Cyber Ethics topics: Commandments of Cyber Ethics, Cyberbullying, and the CyberPatriot Code of Conduct.
✰ Slides 1-4 should take 25-30 minutes, including the two-minute video on slide 3.
✰ On slide 4, students will sign their individual Code of Conduct page in their student workbook (page i).
© 2018 Air Force Association Page 1 Module 1

Slide 1
• Overall, computers have improved our lives dramatically, but they can also cause serious harm. Cyber ethics means acting responsibly and ethically when using computers.
• In 1992, when computers and the Internet were first becoming popular, the Computer Ethics Institute in D.C. created a list of the 10 Commandments of Computer Ethics. Click to reveal each of the 10 commandments. Read through the list, asking students to describe or give examples of the kind of behavior each commandment refers to.
- e.g. “Thou shalt not use a computer to bear false witness:” You should not use a computer to spread rumors, impersonate someone, or launch a smear campaign.
• Who knows what etiquette means? What do you think the term “netiquette” means?
• Netiquette refers to the commonly accepted rules of how to behave online. It’s a term commonly used to refer to the general concepts outlined by these 10 Commandments of Computer Ethics.
Source: http://computerethicsinstitute.org/

Slide 2
• Bad netiquette often translates or escalates into cyberbullying. Click to reveal sample chat.
• Maybe this doesn’t seem too mean, but we don’t know the context. What if “Jane” gets bullied all the time for the way she dresses? What if this chat gets spread around school? Click to reveal the first bullet.
• According to the latest government statistics, nearly one in two students is a victim of cyberbullying each year, and that number is growing.
• Besides through instant messaging, like in the example here, what other means do cyberbullies use? Click to reveal list of methods.
• Why do you think cyberbullying is so harmful? Click to reveal answer. Click to reveal a red cross-out symbol over the chat text.

Slide 3
👆 Click on the photo to see the video about How to Stop Cyber-bullying. If an advertisement starts, click the “Skip Ad >” button in the bottom-right corner of the video. (2:32 minutes)
✰ Return to the slide. The next three clicks are for group discussion, or you can have students share amongst themselves in small groups.
👆 Click 1: Have you been cyberbullied? How did it make you feel?
👆 Click 2: Have you witnessed cyberbullying? If so, what did you do?
👆 Click 3: What could you do in school and at home to prevent cyberbullying?
Source: https://www.youtube.com/watch?v=WegCMoQ-UNs

Slide 4
• All participants of the CyberPatriot National Youth Cyber Defense Competition are expected to abide by the CP Student Code of Conduct.
• In preparation to learn and compete this week, all students will sign the Code of Conduct, pledging to behave responsibly and ethically throughout the duration of the AFA CyberCamp.
👆 Click the eight bullets individually, reading them out loud or choosing a student to read the bullet.
✰ Once all bullets have been reviewed, have students turn to page i in their student workbooks and sign their individual Code of Conduct.
✰ Students will keep this page inside their Student Workbook for the entirety of the CyberCamp.

Instructor’s Guide Table of Contents
Windows 10 Module
Overview (5 mins) ..... Pages 6-7
Windows Review (20 mins) ..... Pages 8-24
Windows Graphical Utilities (30 mins) ..... Pages 25-55
Windows Command Line (30 mins) ..... Pages 56-96
Optional Advanced: Sysinternals Suite (30 mins) ..... Pages 97-127
Student Workbook Activities
Activity 1-1: Windows Graphical Utilities (20 mins) ..... Page 55 – Student Workbook pages: 1-3
Activity 1-2: Windows Command Line (20 mins) ..... Page 96 – Student Workbook pages: 4-5
Optional Advanced: Activity 1-3: Sysinternals Suite (20 mins) ..... Page 127 – Student Workbook pages: 6-7

Windows 10

Slide 0
• This module will cover advanced topics on Windows 10. Section 1, Windows Review, is intended for the instructor to go through the demo with students, instead of having the students use the demo, in order to save time. Students should follow along on their Advanced CyberCamp Demo Windows 10 image for Section 2 (Windows Graphical Utilities) and Section 3 (Windows Command Line); Section 4 (Sysinternals Suite) is optional if time permits.

Slide 1
• First, we will briefly cover material from the basic CyberCamp, while learning some new shortcuts to help navigate Windows faster.
We are going to cover this material quickly, so do not follow along on your demo images, in order to help save time.
• Next, we are going to cover some additional built-in graphical Windows utilities to help analyze and improve your security posture.
• After that, we are going to cover some useful command line utilities that are built into Windows.
• Lastly, we are going to cover some of the security utilities in the Sysinternals Suite to help you detect and analyze malware.
• For sections 2 and 3 (and 4 if time allows), students should follow along on their Windows Demo image.
• At the end of sections 2, 3, and 4 there will be a lab that will ask you to perform tasks and answer questions related to the Windows Demo image.

Slide 2
Devote about 20 minutes to slides 3-18. There is no activity after this section. Section 1, Windows Review, is intended to be done without students following along on their demo, to save time.

Slide 3
• The Local Users and Groups Microsoft Management Console snap-in is useful for auditing users and groups on the system, and can display users that are hidden from the Control Panel Users tool.
• Using MMC to add snap-ins can be tedious, but you can start them easily if you know the run command.
• Open the run dialog box by holding down the Windows key and pressing the letter r (lowercase).
• Next to Open, type lusrmgr.msc (you can remember this as an abbreviation for Local User Manager).
• MMC snap-ins end with the .msc extension.
• Press Enter or click OK.

Slide 4
• In Local Users and Groups, you can easily add new users or groups by right-clicking on the corresponding folders.
Slide 5
• You can delete, rename, or change the password of a user by right-clicking that user.
• You can also delete a user by selecting that user and pressing the Delete key.
• In the user Properties, you can perform additional tasks such as setting the user’s password to never expire, disabling the account, unlocking the account, and managing group memberships.
• You can also open the user Properties by double-clicking on that user.

Slide 6
• By right-clicking on a group you can easily delete or rename it.
• You can also delete a group by selecting it and pressing the Delete key.
• In the group Properties, or by clicking Add to Group, you can view all members of a group and easily add or remove users from it.
• You can also open the Properties for a group by double-clicking on it.

Slide 7
• Security and Maintenance monitors your computer’s security status.
• Security and Maintenance can be found in the Control Panel in Windows 10. It was previously named Action Center, and Security Center before that.
• The Security Center is a great place to start when determining your computer’s security status.
• To save time, you can navigate to it directly without having to go through the Control Panel.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type wscui.cpl (you can remember this as an abbreviation for Windows Security Center User Interface).
• Control Panel windows end with the .cpl extension.
• Press Enter or click OK.

Slide 8
• Click the arrow across from Security to see the Firewall and other settings.
Security and Maintenance monitors several aspects of computer security, including Virus protection, Network firewall, Internet security settings, User Account Control, and Windows SmartScreen.
• Below this there is an additional Maintenance section that can handle regular maintenance of your computer, including performing tasks such as backups. Remember, making sure you have backups of your data is critical to computer security.

Slide 9
• You can easily add and remove many programs using Programs and Features under the Control Panel.
• To save time, you can navigate to it directly without having to go through the Control Panel.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type appwiz.cpl (you can remember this as an abbreviation for Application Wizard).
• Press Enter or click OK.

Slide 10
• Here you can view the applications currently installed on your computer.
• Often, additional information is available which can be very helpful.
- Looking at the version of the application installed can help you determine if it needs to be updated.
- Looking at when a program was installed can help you track down old or unwanted programs.
- Looking at the size of an installed application can help you when trying to free up disk space.

Slide 11
• Under Programs and Features, you can click on Turn Windows features on or off. Windows generally comes with a good set of enabled features, but sometimes you may want to modify this.
• For example, you may need to install .NET Framework 3.5 in order to run applications that require it.
• Notice that a portion of Internet Information Services (IIS) is installed.
This generally means the computer is running an FTP or HTTP server. If this isn’t a service that is supposed to be running on your computer, it’s probably a good idea to remove it.

Slide 12
• The Local Security Policy is very important, and allows you to set secure system policies for passwords, account lockout, and auditing.
• Using MMC to add snap-ins can be tedious, but you can start them easily if you know the run command.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type secpol.msc (you can remember this as an abbreviation for Security Policy).
• Press Enter or click OK.

Slide 13
• Password Policy and Account Lockout Policy are under Account Policies.
• In order to change a setting, just double-click on it, or right-click and select Properties.
• We’re going to be using the Local Security Policy in the next section to modify User Rights Assignments and Security Options.

Slide 14
• Logs are a critical part of computer security, development, and general maintenance.
• Event Viewer is another MMC snap-in.
• Using MMC to add snap-ins can be tedious, but you can start them easily if you know the run command.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type eventvwr.msc (you can remember this as an abbreviation for Event Viewer).
• Press Enter or click OK.

Slide 15
• Event Viewer contains a vast amount of information including application logs, security logs, and system logs.
• Application logs include data from many Microsoft applications, Windows services, and third-party applications.
• Security logs include auditing events. If auditing is enabled in Local Security Policy, this is where those events are logged.
• System logs include logs for drivers or functionality built into the Windows OS, such as DHCP, DNS, file system drivers, time service, power management, and modifications to Windows Service configurations.

Slide 16
• Viewing and making changes to Windows Services can be done through the Services MMC snap-in.
• In some versions of Windows there is a Services.exe executable which is exactly the same.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type services.msc.
• Press Enter or click OK.

Slide 17
• Services displays all the services available, their current Status, and their Startup Type.
• Remember you can sort by columns by clicking on the column header. This can make auditing your services configuration much easier.
• You can easily start or stop a service by right-clicking on the service and selecting Start or Stop.
• Starting and stopping services is a good first step when testing and troubleshooting, but it’s important to also configure the Startup Type.
• In order to change the Startup Type, double-click the service, or right-click the service and select Properties.

Slide 18
• Inside the service Properties you can configure the service to start Automatically, Manually, or Disabled.
• If a service is set to start Automatically, it will always start when the system boots up. Manually means that it can be started by a user, or if needed by another service or application. If a service is set to Disabled, it will never start.
• Be very, very careful when changing services; many of them are required for the correct functioning of your computer. If you Stop or Disable the wrong service, your computer may become unusable.
• Do your research first before making changes to services.
• The Windows defaults are a good place to start, with several resources available online from Microsoft and other websites.

Slide 19
Devote 30 minutes to slides 20-48. Allow the students 20 minutes to complete the activity on slide 49.
Throughout this section, students should follow along in the Advanced Windows 10 Demo Image. Actions the students are supposed to take are highlighted in blue and purple. Purple indicates the exact text they are supposed to type or GUI elements they should interact with.

Slide 20
Have the students follow along as time permits. Stress that the students should not change any passwords or settings unless they are expressly directed to do so.
Users are NOT automatically logged in; they should log in as the user cyberpatriot with the password CyberPatriot!

Slide 21
• In addition to Password Policy, Account Lockout Policy, and Auditing, there are many more important security policies in the Local Security Policy, such as User Rights Assignments and Security Options.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type secpol.msc.
• Press Enter or click OK.

Slide 22
• Navigate to Local Policies > User Rights Assignments.
• To expand items on the left you can double-click the item, or click the arrow on the left side of the item.
• The Policy column contains the User Rights.
• The Security Setting column contains the users or groups that have been granted that right.
  - Some of the users and groups are built-in and are not visible in the Local Users and Groups Manager.

Slide 23
• How do you know what secure settings are?
  - The default values from Microsoft are a good starting point.
  - You may need to grant additional rights to users depending on your business needs, but there should be a justifiable and documented reason for this.
  - Normally, it is more appropriate to add and remove users from groups that have already been granted rights, such as Backup Operators, than to edit the right itself.
  - Remove existing rights that are unnecessary; typically these are rights that have been granted above and beyond the default.
  - Modifying rights can be dangerous, so make sure you've done your research before making any changes.
• For example, server systems in an access-restricted area are typically meant to be accessed locally only by administrators.
  - In this case it would be a good idea to remove Users from Allow log on locally, while ensuring that Administrators are still granted that right.

Slide 24
• On your demo image, the user atanasoff should not have privileges that allow him to Act as part of the operating system.
  - This is a very powerful right (it lets a process impersonate any user without authenticating) that Microsoft strongly recommends not assigning to any users or groups.
• Double-click the Policy Act as part of the operating system.
  - Alternatively, you could right-click the Policy and select Properties.

Slide 25
• To remove atanasoff, select the user and click Remove.
• Click Apply, then OK to apply the changes and close the Properties window.
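The same User Rights Assignments review done from the command line, as an added example that is not part of the guide: the script exports the local policy with secedit and reports who holds a handful of rights, including Act as part of the operating system (constant name SeTcbPrivilege). The set of rights watched and the temporary file name are choices made for this example; run it from an elevated prompt.

```powershell
# Added example, not from the guide: read User Rights Assignments without the GUI.
# secedit /export writes an INF file whose [Privilege Rights] section lists each
# right by its constant name with the SIDs or names that hold it. Run elevated.
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # temp file name: assumption
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Rights discussed on the slides, keyed by their constant names.
$watch = [ordered]@{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
    'SeBackupPrivilege'             = 'Back up files and directories'
    'SeDebugPrivilege'              = 'Debug programs'
}

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-5-32-544; translate to a name where possible.
    if ($Entry -like '*S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }
    }
    return $Entry
}

$found    = @{}
$inRights = $false
foreach ($line in (Get-Content -Path $inf)) {
    if ($line -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inRights -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $right, $holders = $Matches[1], $Matches[2]
    if ($watch.Contains($right)) {
        $names = ($holders -split ',') | ForEach-Object { Resolve-Principal $_.Trim() }
        $found[$right] = $names -join ', '
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# A right with no holders is simply absent from the export, so report it as (none).
# "Act as part of the operating system" should normally show (none); any named
# user there (atanasoff in the demo image) is a finding.
foreach ($key in $watch.Keys) {
    $holdersText = if ($found.ContainsKey($key)) { $found[$key] } else { '(none)' }
    [pscustomobject]@{ Right = $watch[$key]; Holders = $holdersText }
}
```

The export is the same data secpol.msc displays, so the output can be saved before and after a change to show exactly which holders were removed, which is the "documented reason" slide 23 asks for.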
Slide 26
• Navigate to Local Policies > Security Options.
• In the Policy column are settings that affect the security of the system.
• In the Security Setting column is the current value of the corresponding setting.
  - Typically values are Not Defined, Enabled, or Disabled, but many options have values that are specific to that setting.

Slide 27
• How do you know what secure values are?
  - Before you try to determine the correct setting, understand what the option does.
  - Again, the default values provided by Microsoft are a good starting point.
  - Modifying these values can be dangerous; if you don't know what you are doing you could accidentally make your system less secure or unusable, or affect compatibility with applications or network services.
• For example, there may be justified, documented reasons to allow users to log in remotely on some computers.
  - However, remote users typically do not need to access CD-ROM drives.
  - If there is no reason for users to do this in your environment, you should Enable the policy Devices: Restrict CD-ROM access to locally logged-on user only.

Slide 28
• Double-click the Policy Accounts: Limit local account use of blank passwords to console logon only.
• Alternatively you can right-click the Policy and select Properties.

Slide 29
• In the Properties window, click the Explain tab.
• Reading the description, you can see this Security Setting prevents local accounts with a blank password from logging on over the network or remotely; they can still log on at the console. The default value is Enabled. However, in the Demo the value is set to Disabled.
• This is a very good security policy to enable, which we will do on the next slide.
• There is also a warning advising you of common pitfalls.
  - You still need a secure password policy even with this enabled; the setting only limits where a blank-password account can log on, it does not force anyone to set a password.
  - If your computer is misconfigured, you could affect the ability of all users to log in remotely.

Slide 30
• Based on this information we should enable this security option.
• Click the Local Security Setting tab.
• Select Enabled.
• Click OK to apply the changes and close the Properties window.

Slide 31
• The Local Group Policy is similar to the Local Security Policy.
• In fact, the Local Security Policy is contained within the Local Group Policy.
• Open the run dialog box by holding down the Windows key and pressing the letter r (lower case).
• Next to Open, type gpedit.msc.
• Press Enter or click OK.

Slide 32
• In the Local Group Policy Editor, you can find the Local Security Policy settings under Computer Configuration > Windows Settings > Security Settings.

Slide 33
• Group Policy settings are very powerful and can control almost any aspect of Windows, Windows services, and even some applications.
  - By default many Group Policy settings are Not Configured. If you configure them, they override the corresponding settings elsewhere in Windows and prevent you from changing them in other locations (the controls are greyed out).
• Group Policy contains far too many settings to list, but a few high-level examples include Logon settings, Remote Desktop settings, Windows Update, Windows Defender, Windows Firewall, Internet settings, and scripts that run automatically.
• Group Policy settings are also used to lock down a computer by limiting access to applications and features, or by preventing the installation of unapproved software.
  - This is typically done when setting up kiosks or other special-purpose machines whose users may not be entirely trustworthy.

Slide 34
• Let's demonstrate this by turning off Remote Desktop via the Local Group Policy.
• But first, we will verify that Remote Desktop is on from the System Properties window.
• Leave the Local Group Policy Editor open since we will go back to it on the next slide.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type sysdm.cpl.
• Press Enter or click OK.
• On the Remote tab, notice that Remote Desktop is enabled.
• Don't make any changes here; click Cancel to close the System Properties window.

Slide 35
• Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
Give the students a few seconds to navigate to this location.

Slide 36
• Double-click the setting Allow users to connect remotely by using Remote Desktop Services.

Slide 37
• Under Help there is a description of this policy:
  - Enabling this policy lets members of the Remote Desktop Users group log on remotely.
  - Disabling this policy prevents users from connecting remotely.
  - Not Configured allows this setting to be configured using the Remote tab in the System Properties window.
• Select Disabled.
• Click OK to apply the changes and close the Properties window.
Slide 38
• Leave the Group Policy Editor open and open the System Properties window.
• Make sure you open a new System Properties window; if you left the old window open, the change may not be visible.
• On the Remote tab, we can see that Remote Desktop is disabled. Additionally, the settings are greyed out and cannot be changed, because the policy now controls them.

Slide 39
• Some settings can only be changed using the Local Group Policy Editor.
• For example, navigate to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies.

Slide 40
• AutoPlay can be a security risk (it can automatically launch programs or prompts when removable media is inserted), and our company has no documented business need for it, so we should turn it off.
• Double-click the setting Turn off Autoplay.

Slide 41
• Briefly read the Help section.
Give the students a few seconds.
• Select Enabled.
• Under Options, ensure that Turn off Autoplay is set to All drives.
• Click Apply and OK to apply the settings and close the Properties window.

Slide 42
• There are so many Group Policy settings, you may be wondering which ones you should change.
• The answer really depends on your business policies and your environment, including any critical services.
• There are too many settings to cover here, so it's up to you to explore and research.
• Read the Help sections for the different policies.
• Microsoft publishes a reference Excel spreadsheet online. You can search for "Group Policy Settings Reference for Windows and Windows Server."
• Research online and look for Group Policy best practices, hardening guides, and checklists.
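The two policies set on slides 34-41 can be verified without opening either the editor or System Properties, because Group Policy writes its decisions into the Policies registry keys. The script below is an added example, not from the guide. It assumes the standard locations: fDenyTSConnections under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services for the Remote Desktop policy (1 when the policy is Disabled), and NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer for Turn off Autoplay (0xFF for All drives). It also reads the non-policy Remote Desktop value that the Remote tab edits, which is what explains the greyed-out checkbox.

```powershell
# Added example, not from the guide: check the Remote Desktop and AutoPlay
# policies from slides 34-41 by reading the registry values they set.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Remote Desktop. The Policies key is what gpedit writes; the Control\Terminal
# Server key is what the Remote tab in System Properties writes. When the policy
# value exists, the tab is greyed out and the policy value is the one in force.
$rdpPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections'
$rdpLocal  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'

if ($null -ne $rdpPolicy) {
    $rdpState = if ($rdpPolicy -eq 1) { 'Disabled by Local Group Policy (Remote tab greyed out)' } else { 'Enabled by Local Group Policy (Remote tab greyed out)' }
} else {
    $rdpState = if ($rdpLocal -eq 1) { 'Disabled via System Properties (policy Not Configured)' } else { 'Enabled via System Properties (policy Not Configured)' }
}

# AutoPlay. NoDriveTypeAutoRun is a bitmask of drive types to exclude from
# AutoPlay; "Turn off Autoplay" with All drives selected writes 0xFF.
$autoRun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
if ($null -eq $autoRun)    { $autoState = 'Not configured (Windows default applies)' }
elseif ($autoRun -eq 0xFF) { $autoState = 'Off for all drives' }
else                       { $autoState = 'Partially restricted (mask 0x{0:X2})' -f $autoRun }

[pscustomobject]@{ Setting = 'Remote Desktop'; State = $rdpState }
[pscustomobject]@{ Setting = 'AutoPlay';       State = $autoState }
```

Reading the Policies key is also how you answer "why can't I change this?" on a machine you did not configure: if the value is there, some policy (local or domain) put it there, and editing the non-policy key or the Control Panel will not stick.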
Slide 43
• Undocumented or unauthorized shares can be a security vulnerability.
• The Shared Folders MMC snap-in can help us analyze the current shares on the system.
• Open the run dialog box by holding down the Windows key and pressing the letter r.
• Next to Open, type fsmgmt.msc.
• Press Enter or click OK.

Slide 44
• Click Shares.
• The Share Name is the name you would use when accessing the share over the network.
• The Folder Path is the path of the folder that is being shared.
• Additionally, Shared Folders displays the type of share, the number of client connections, and an optional description of the share.

Slide 45
• You are probably wondering what all these shares are.
• Hidden shares end with a $.
  - Hidden shares can be accessed just like a regular share, but they are not advertised when the computer's shares are browsed. Hiding is not access control; the share permissions still decide who can connect.
• The C$, ADMIN$, and IPC$ shares are default administrative shares created automatically by Windows.
• On some computers there may be additional default administrative shares such as PRINT$ or FAX$, and Domain Controllers have the SYSVOL and NETLOGON shares as well.
  - Notice that SYSVOL and NETLOGON do not end with $ and are not hidden.
• While it is possible to delete the default administrative shares, Windows automatically recreates them when the system boots.
• It is possible to prevent the creation of default administrative shares, but this is not covered here since Microsoft strongly recommends against it.
  - https://support.microsoft.com/en-us/help/842715/overview-of-problems-that-may-occur-when-administrative-shares-are-missing

Slide 46
• Using Shared Folders it is relatively simple to Stop Sharing the C drive.
• Right-click the C share and select Stop Sharing.
  - Make sure not to stop sharing the default administrative share C$.

Slide 47
• Windows will prompt you to confirm. Click Yes.

Slide 48
• After confirming, the C share has been deleted.
  - Notice that the default administrative share C$ is still present.

Slide 49
Give students about 20 minutes to complete the tasks listed on pages 1-3 of their Workbooks. This lab will review the Local Security Policy, Local Group Policy Editor, and Shared Folders.
Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case they get locked out.
Username: neumann  Password: vN_@rchit3cture
Username: hopper  Password: ENIAC.TurC0mp
Answers, in question order:
Secpol.msc
Babbage
Administrators
Enabled
Gpedit.msc
Under Administrative Templates, System, Logon, Show first sign-in animation is Disabled.
Under Administrative Templates, Windows Components, Windows Update, Configure Automatic Updates is Disabled.
1) Administrative Templates, System, Logon, Do not display network selection UI is Enabled; 2) Administrative Templates, Windows Components, Delivery Optimization, Download Mode is Enabled; 3) Administrative Templates, Control Panel, Personalization, Force a specific default lock screen and logon image is Enabled; 4) Administrative Templates, Windows Components, OneDrive, Prevent the usage of OneDrive for file storage is Enabled; 5) Administrative Templates, Windows Components, Windows Defender, Turn off Windows Defender is Enabled
fsmgmt.msc
ADMIN$, C$, IPC$
testing$
-

Slide 50
Devote 30 minutes to Slides 51-89. Allow the students 20 minutes to complete the activity on Slide 90.
Throughout this section, students should follow along in the Advanced Windows 10 Demo Image. Actions the students are supposed to take are highlighted in blue and purple. Purple indicates exact text they are supposed to type or GUI elements they should interact with.

Slide 51
• For this section we will need to open a command prompt as administrator in order to make full use of the commands we will be learning about.
• Click Search Windows (the magnifying glass next to the Start button).
• Type cmd but don't press Enter.

Slide 52
• Right-click Command Prompt and select Run as administrator.
• UAC will ask you if you want to allow this app to make changes to your device.
• Click Yes to continue.
Slide 53
• The net command suite can be used to configure or display information about the current configuration of the operating system.
• In the command prompt type: net /?
• As you can see, there are many different net commands available. We will only be covering a few of the most important ones today.
• Remember, in Windows, capitalization usually does not matter for commands and switches. The net commands can be typed in uppercase or lowercase; it makes no difference. Passwords are the exception: they are always case-sensitive.

Slide 54
• The first command we are going to cover is net accounts.
• To display the syntax of the different net commands you can use the help command.
• Type net help accounts now to display the syntax for the accounts command.
• Take a minute to scroll up and down examining the output.

Slide 55
• We're not going to cover everything the net accounts command can do, but here is the syntax of some of the important operations.
• Running net accounts with no additional parameters will display the current settings.
• Net accounts can also be used to set the minimum password length, the maximum password age, and the minimum password age.
• Additionally, net accounts can be used to enforce a password history, preventing users from reusing the same password for a number of password changes.

Slide 56
• Although it is not described in the help, net accounts can also set account lockout settings, including the lockout threshold, lockout duration, and lockout window (the /lockoutthreshold, /lockoutduration, and /lockoutwindow switches).
Stress that the students should not set the lockout threshold to a value less than five when participating in the competition on Friday, to prevent locking themselves out while competing.
These settings were described in the basic class, but here is a brief description in case more elaboration is needed.
Lockout threshold is the number of invalid logon attempts before the account is locked out; Microsoft recommends setting this to between 5 and 50 inclusive (https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx).
Lockout window (Reset account lockout counter after) is the amount of time, in minutes, after a failed logon attempt before the lockout threshold counter is reset; Microsoft recommends approximately 30 minutes (https://technet.microsoft.com/en-us/library/hh994568(v=ws.11).aspx).
Lockout duration is the amount of time, in minutes, that the account remains locked out; Microsoft recommends approximately 30 minutes (https://technet.microsoft.com/en-us/library/hh994569(v=ws.11).aspx). Windows requires the lockout window to be less than or equal to the lockout duration.

Slide 57
• Type net accounts to view the current settings.
• This computer currently has no password policy or account lockout policy.

Slide 58
• This computer needs a more secure password policy.
• Type net accounts /minpwage:3 /maxpwage:60 and press Enter.
• This sets a minimum password age of three days and a maximum password age of 60 days.
• Type net accounts again to verify the settings.

Slide 59
• Now we are going to cover the net user command.
• Type net help user to display the help for the net user command.

Slide 60
• Net user will list the current user accounts on the system, including accounts that may be hidden from Control Panel User Management.
  - These are the same users shown in the Local Users and Groups MMC snap-in.
• Net user can be used to add or remove users, change user passwords, and see the last logon date and time as well as account and password settings.

Slide 61
• Type net user to display current user accounts.

Slide 62
• Let's create a new user named tomasulo with a password of CyberPatriot!
• Type: net user tomasulo CyberPatriot! /add
• Next, type net user to verify that we created the account.
Robert Tomasulo created a hardware algorithm allowing dynamic out-of-order execution of instructions; derivatives of this algorithm are present in most modern processors, and it is commonly referred to as Tomasulo's algorithm.

Slide 63
• The user case is unauthorized.
• Type: net user case /delete
• To verify the user was deleted, type: net user

Slide 64
• The next command we are going to cover is the net localgroup command.
• Type net help localgroup to view the command syntax for the net localgroup command.

Slide 65
• Just like net user, net localgroup can display or modify local groups.
  - These are the same groups shown in the Local Users and Groups MMC snap-in.
• Net localgroup with no options will display the current local groups on the system.
• Net localgroup can add or delete groups.
• Additionally, net localgroup can add or remove users or groups from existing groups.
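The checks from slides 55-65 (net accounts, net user, net localgroup) gathered into one script, as an added example that is not from the guide. It uses net accounts for the lockout switches, because the built-in LocalAccounts cmdlets have no equivalent, then Get-LocalUser and Get-LocalGroupMember for the review. Note that it changes the lockout policy (threshold 5, duration 30 minutes, window 30 minutes, the values discussed above); the password-policy values it reports are only read back, not set.

```powershell
# Added example, not from the guide: the net accounts / net user / net localgroup
# review as one script. Run from an elevated PowerShell prompt.

# 1. Lockout settings. These switches exist but "net help accounts" does not list
#    them; threshold 5 keeps you from locking yourself out during the competition.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Parse the "Label:   value" lines of net accounts into a hashtable so the policy
# can be checked by name rather than eyeballed.
$policy = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(.*?):\s+(\S.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
}
[pscustomobject]@{
    LockoutThreshold   = $policy['Lockout threshold']
    LockoutDurationMin = $policy['Lockout duration (minutes)']
    MaxPasswordAgeDays = $policy['Maximum password age (days)']
    MinPasswordLength  = $policy['Minimum password length']
}

# 2. Enabled accounts: password-never-expires and never-logged-on accounts are the
#    usual "is this authorized?" candidates (same data as net user <name>).
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PasswordNeverExpires, PasswordLastSet, LastLogon |
    Sort-Object Name | Format-Table -AutoSize

# 3. Administrators membership, the check behind slides 67-68. PrincipalSource
#    distinguishes local accounts from domain or Microsoft accounts.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

The hashtable step is the point of scripting this: once the values have names, a check such as "lockout threshold is between 5 and 50" can be written down and rerun after every change instead of being re-read from the console.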
Slide 66
• View the current groups on the system by typing: net localgroup

Slide 67
• View the members of the Administrators group by typing: net localgroup administrators

Slide 68
• The user liskov is not an authorized administrator and should be removed from the Administrators group.
• Type net localgroup administrators liskov /delete and press Enter.
• Next, type net localgroup administrators to verify that liskov is no longer in the Administrators group.
Barbara Liskov created the Argus programming language at MIT, a groundbreaking high-level programming language designed to support the development of distributed programs. (She became one of the first women to receive a Ph.D. in computer science, in 1968 from Stanford University.)

Slide 69
• Use net localgroup to create a new compilers group.
• Type: net localgroup compilers /add
• To verify the new group has been created, type: net localgroup

Slide 70
• Now that the compilers group has been created, add the users backus and hopper.
• Type: net localgroup compilers backus hopper /add
• To verify that backus and hopper are in the compilers group, type: net localgroup compilers

Slide 71
• The next command we are going to cover is the net share command.
• The net share command is similar to the Shared Folders MMC snap-in covered in the last section.
• Type net help share to see the command syntax for net share.
Slide 72
• Net share without any arguments lists the current resources being shared.
• Net share can also display information about a specific resource.
• It's also very simple to add or delete shares using net share.
• Share permissions can also be set using the /grant option.

Slide 73
• List the current shares by typing: net share
• Notice that this displays the same information as the Shared Folders MMC snap-in.

Slide 74
• Display information about the Users share by typing: net share Users
  - Both Administrators and Everyone have Full permission on this share.
  - However, it is important to note that effective access also depends on the NTFS permissions of the C:\Users directory, which are separate and not displayed by the net share command. The more restrictive of the two applies.

Slide 75
• We don't want to share the C:\Users directory on this computer.
• Delete the share by typing: net share Users /delete
• Verify that the Users directory is no longer being shared by typing: net share

Slide 76
• The icacls command stands for Integrity Control Access Control Lists and is available on Windows Server 2003 SP2 and later, and Windows Vista and later.
• It is a replacement for the cacls command, and allows you to display, add, remove, grant, or deny permissions.
• Checking for and maintaining proper permissions is important for computer security.
• If you have trouble viewing, modifying, or deleting a file because of permissions issues, icacls can help resolve those issues.
• To view the command syntax for icacls, type icacls and press Enter.
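The share review from slides 43-48 and the net share steps from slides 72-75 as one script, added here as an example that is not from the guide. It uses the SmbShare cmdlets that ship with Windows 10 to list every share with its share-level permissions, separates the default administrative shares from everything else, flags Everyone:Full, and shows the removal of the Users share with -WhatIf so nothing is changed until that flag is dropped. The pattern used to recognise default administrative shares is an assumption for this example.

```powershell
# Added example, not from the guide: review and clean up shares with PowerShell.
# Share permissions only; NTFS permissions on the folder are a separate layer and
# the more restrictive of the two wins.
function Test-DefaultAdminShare {
    param([string]$Name)
    # Assumption for this example: drive shares (C$, D$, ...), ADMIN$, IPC$, PRINT$,
    # FAX$ and the domain-controller shares SYSVOL / NETLOGON count as default.
    return ($Name -match '^([A-Za-z]|ADMIN|IPC|PRINT|FAX)\$$') -or ($Name -in 'SYSVOL', 'NETLOGON')
}

$shares = Get-SmbShare | ForEach-Object {
    $share  = $_
    $access = Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        '{0}:{1}:{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
    }
    [pscustomobject]@{
        Name         = $share.Name
        Path         = $share.Path
        Hidden       = $share.Name.EndsWith('$')      # hidden is not access control
        Default      = Test-DefaultAdminShare $share.Name
        EveryoneFull = [bool]($access -contains 'Everyone:Allow:Full')
        Access       = ($access -join '; ')
    }
}

# Non-default shares first; these are the ones that need a documented reason.
$shares | Sort-Object Default, Name |
    Format-Table Name, Path, Hidden, Default, EveryoneFull, Access -AutoSize

# Remove the unauthorized Users share (slide 75). -WhatIf only reports what would
# happen; drop it to actually delete the share. C$ is untouched either way.
if (Get-SmbShare -Name 'Users' -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name 'Users' -Force -WhatIf
}
```

Everyone:Allow:Full on a share is not automatically a hole, since the NTFS ACL still applies, but it means the share layer contributes nothing and the whole decision rests on the folder permissions, which is worth knowing before the next section on icacls.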
Slide 77
• Icacls can reset the permissions for a file to the default inherited permissions.
• Icacls can also grant or deny permissions to a specific user or group.
  - Remember, an explicit Deny takes precedence over an Allow on the same object. (The one exception: an explicit Allow on the object beats a Deny inherited from a parent, because explicit entries are evaluated before inherited ones.)
• Icacls can remove all references to a user or group.
• The owner can also be changed using the icacls command.
• With the /t (forward-slash t) option, icacls will apply the operation recursively to all files and directories under the specified directory.

Slide 78
• Change to the root directory by typing cd \ (backslash).
• Create a new compilers directory by typing: mkdir compilers
• View the default permissions of the compilers directory by typing: icacls compilers

Slide 79
• What does all this mean?
  - An I in parentheses indicates the permission is inherited from the parent directory, in this case C:\
  - OI (object inherit) indicates files inside this directory will inherit these permissions.
  - CI (container inherit) indicates directories inside this directory will inherit these permissions.
• The Simple Rights letters (F, M, RX, R, W) indicate what permissions are granted or denied.
• There are more specific rights that give you much finer control over what permissions you can grant or deny.

Slide 80
• Going back to our compilers directory, we can see the default permissions for the directory.
• All permissions have been inherited from the parent directory, as indicated by the (I).
• Administrators and SYSTEM have Full Access, indicated by the (F).
• Users have Read and Execute (RX) permissions.
• Authenticated Users have been granted Modify (M) rights. Modify allows users to read, write, and delete files and subfolders, as well as delete the directory itself.
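An added example, not from the guide, that does the icacls \ review of slides 82-83 programmatically: it walks the root directory and its first level of subdirectories with Get-Acl and prints only the explicit (non-inherited) entries, the ones that do not carry (I) in icacls output, flagging principals outside an expected built-in set and any Deny entries. The expected-principal list and the depth are assumptions for this example; save it as a .ps1 and run it elevated so protected directories can be read.

```powershell
# Added example, not from the guide: list explicit (non-inherited) ACEs under a
# root, which is where a stray grant such as shannon on C:\ shows up.
param(
    [string]$Root  = 'C:\',
    [int]   $Depth = 1
)

# Assumption for this example: principals normally seen in explicit entries on C:\.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'CREATOR OWNER',
            'NT SERVICE\TrustedInstaller'

$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Depth $Depth -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $targets) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }           # (I) entries come from the parent
        $who  = $ace.IdentityReference.Value
        $flag = ''
        if ($ace.AccessControlType -eq 'Deny') { $flag = 'explicit DENY' }   # beats Allow on the same object
        elseif ($expected -notcontains $who)   { $flag = 'unexpected principal' }
        [pscustomobject]@{
            Path     = $dir.FullName
            Owner    = $acl.Owner
            Identity = $who
            Type     = $ace.AccessControlType
            Rights   = $ace.FileSystemRights         # FullControl = (F), Modify = (M)
            Inherit  = $ace.InheritanceFlags         # ContainerInherit = (CI), ObjectInherit = (OI)
            Flag     = $flag
        }
    }
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize

# Fixing a finding is still one icacls call, e.g. for the demo image:
#   icacls \ /remove shannon
```

Explicit entries are the interesting ones precisely because inheritance means a single grant on C:\ with (OI)(CI) flows into every file below it, so one unexpected principal at the root is worth more attention than many inherited copies of it further down.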
Slide 81
• Grant full access to the compilers folder using icacls.
• Type: icacls compilers /grant compilers:(OI)(CI)(F)
• This grants full access to the compilers group.
• OI and CI indicate that child files and directories will inherit these permissions.
• Verify that the rights were granted by typing: icacls compilers

Slide 82
• View the rights for the root directory by typing: icacls \
• It looks like the user shannon has full control over the root directory.

Slide 83
• Remove shannon from the root directory ACL by typing icacls \ /remove shannon (there is a space between the \ and the /).
• Verify that shannon has been removed by typing: icacls \

Slide 84
• The next command-line command we are going to cover is netstat.
• Netstat is a very useful tool for displaying information about current routes, connections, open ports, and statistics.
• Type netstat /? to view the syntax for the netstat command.

Slide 85
• Netstat options are often combined; here is what each switch does:
• The a option displays all connections and listening ports, instead of just established connections.
• The n option displays numerical addresses and port numbers. Without this option, netstat will try to resolve IP addresses to DNS names, which can cause the program to take a long time to run.
• The o option displays the owning process ID.
• The b option displays the executable associated with each connection or listening port (it requires an elevated prompt).
  - You may think the b option is more useful than the o option; however, the output of the o option is much easier to read, so you may want to use o first and then switch to b if you really need it.
• The r option displays the current routing table and is very useful for troubleshooting network issues.

Slide 86
• View all connections and listening ports by typing: netstat -aon
  - This also displays numeric IPs and ports as well as the PID.
• Scroll up to the top of the output from this command.
• Since some ports and connections change regularly, parts of your output will differ from what is shown on these slides.

Slide 87
• In this case there are two active connections from this computer to port 443, which is used by HTTPS (you may see only one active connection to port 443). Output may vary from the information on these slides.
• The two foreign IP addresses resolve to MSN and Windows names.
  - You can see this by running the same command without the n option.
• The two Process IDs (PIDs) associated with these connections belong to svchost.exe and explorer.exe.
  - You can see this information by using the b option instead of the o option, or with Task Manager.
• These connections appear to be used by the Windows operating system for sending and receiving information to and from different cloud-based services.

Slide 88
• There are several ports open and listening on this computer.
  - A Local Address of 0.0.0.0 means that the program is listening on all available IPv4 interfaces; whether it is actually reachable from the internet depends on the Windows Firewall and on any router or NAT in front of the computer.
  - Port 21 is commonly used by the FTP service, so it seems likely that this computer is running an FTP server.
- Ports 135 (RPC endpoint mapper), 139 (NetBIOS session) and 445 (SMB) are used by Windows File Sharing and other Windows networking services; port 3389 is Remote Desktop Services.
- Port 1337 looks really suspicious and we’ll have to check that out next!
- Ports 49152 through 65535 are the dynamic/private port range. The listeners here appear to belong to Windows services and components such as EventLog, Task Scheduler, the Local Security Authority Subsystem Service (lsass.exe), and the Spooler SubSystem App (spoolsv.exe), which manages printing and fax services. Windows also picks its own client-side (ephemeral) ports from this range, so a port in this range is not suspicious by itself.
Slide 89
• Let’s see what’s running on port 1337 using the telnet client (you may not be able to connect to port 1337 if it is blocked by your firewall; note also that the Telnet Client is an optional Windows feature and is not installed by default on Windows 10).
• Type telnet localhost 1337 to connect to port 1337 on your local computer.
• It looks like we got a new command prompt in a different directory. This looks like a backdoor: anything that can reach port 1337 gets a shell without logging in.
• Type whoami to see which user you are currently running as.
• It looks like you are running as SYSTEM (the LocalSystem account), which is even more powerful than Administrator.
• Type exit to get out of the backdoor.
• Don’t remove the backdoor yet; we’re going to do more analysis on it in the next section.
Slide 90
Give students about 20 minutes to complete the tasks listed on Pages 4-5 of their Workbooks. This lab will review the Windows Command Line, including the net commands, netstat, and icacls. Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers:
1. Never, 30, 30
2. net accounts /minpwlen:__
3. net user smoak /delete, net user anderson /delete
4. net user Johnson putinpassword /add
5. net user lovelace putinpassword
6. net user knuth Answer: 6/11/2017 5:21:57 AM
7. net localgroup administrators tukey /delete, net localgroup administrators karpinski /delete
8. net localgroup administrators Johnson /add
9. net localgroup "Backup Operators" Answer: boole, kleinrock
10. net localgroup Replicator Answer: Supports file replication in a domain
11. net share ftproot Answer: C:\inetpub\ftproot
12. net share ftproot Answer: Administrators, IIS_IUSRS
13. net share ftproot /delete
14. icacls c:\inetpub\ftproot Answer: Cyberpatriot, SYSTEM, Everyone, TrustedInstaller, Administrators
15. icacls c:\inetpub\ftproot /remove Everyone
16. netstat -ab Answer: RpcSs
17. netstat -ab Answer: 5353, UDP (although you may see a second one: 5355, UDP)
Slide 91
This section is an optional Advanced portion, if time permits. Devote 30 minutes to Slides 92-120. Allow the students 20 minutes to complete the activity on Slide 121. Throughout this section, students should follow along in the Advanced Windows 10 Demo Image. Actions the students are supposed to take are highlighted in blue and purple. Purple indicates exact text they are supposed to type or GUI elements they should interact with.
Slide 92
• The Sysinternals Suite of utilities is available to download for free from Microsoft (technet.microsoft.com at the time of writing).
• The suite has already been downloaded to your Demo image and extracted to the desktop.
• Double-click the Sysinternals Suite folder on your desktop and scroll down until you find the file named procexp.exe.
Slide 93
• Right-click procexp.exe and Run as administrator, so that you can use its full capabilities.
• User Account Control may ask you if you want to allow this app to make changes to your device. We trust this application, so click Yes.
Slide 94
• Process Explorer is similar to Task Manager, but because of the way Process Explorer gathers its information, it is much harder to hide processes from Process Explorer.
• The first thing you will notice about Process Explorer is that it shows the hierarchical parent-child relationship of processes.
- When a process creates another process, the original process is referred to as the parent process, and the process it creates is referred to as the child process.
• Process Explorer has some really helpful features such as verifying image signatures and integration with VirusTotal, a cloud-based multi-engine malware scanning service.
• Lots of other useful information can be displayed by Process Explorer, including threads, loaded DLLs, handles, network connections, the command line used to start the process, and the autostart location responsible for launching it.
Slide 95
• First, let’s enable verification of image signatures.
• Click Options, and select Verify Image Signatures.
• You should see a new Verified Signer column on your screen; don’t worry if it’s blank for now.
Slide 96
• Next, let’s enable VirusTotal.com integration.
• Click Options, then VirusTotal.com, and select Check VirusTotal.com.
• You should see a new VirusTotal column on the right.
Slide 97
• Let’s examine wininit.exe.
- wininit.exe is responsible for starting the services.exe process, therefore wininit.exe is the parent of services.exe.
- The services.exe process (the Service Control Manager) in turn starts the services on your system, which is why the svchost.exe processes are children of services.exe.
• Back on the wininit.exe row, we can see that VirusTotal reports 1/61 in red.
- Since VirusTotal.com is constantly changing, your results might be different.
• Click the VirusTotal column for wininit.exe.
Slide 98
• Clicking the VirusTotal column brings up a web page displaying information about the file (since VirusTotal is constantly changing, you may see a different number).
- According to this web page, the file wininit.exe with this particular SHA256 hash was scanned by 61 different antivirus/antimalware products and one of them (Baidu) reported it as a Trojan.
- I find the other antivirus products here much more trustworthy than Baidu, so this is likely a single false positive and nothing to worry about.
Slide 99
• Close the VirusTotal web page and look at the Verified Signer column for wininit.exe in Process Explorer.
• It looks like this executable has been verified as signed by Microsoft Windows Publisher.
- A code signature is a hash of the file signed with the publisher’s private key. Anyone holding the matching public key (from the publisher’s certificate) can check it, so a valid signature tells us the file really came from the named publisher and has not been modified since it was signed. Forging one would require the publisher’s private key.
- Since this has been signed by Microsoft, this gives more weight to our assumption that the VirusTotal.com result was a false positive. The signature check is the stronger evidence: a detection count reflects what scanners think about the file, while a valid Microsoft signature is something an attacker cannot produce without Microsoft’s key.
Slide 100
• Next, let’s examine the backdoor listening on our computer.
• Scroll down to find nc.exe.
- nc.exe has one child process, conhost.exe.
• The description for conhost.exe describes it as a Console Window Host.
- conhost.exe is part of Windows: it hosts the console window for any console program, so it shows up under every console process, including nc.exe. It is not the shell itself; the shell nc.exe hands out to a connecting client is cmd.exe (see the command line on the next slide).
• Double-click nc.exe to view more information.
Slide 101
• Click on the Image tab.
• This executable has been signed by Jernej Simončič.
- Just because a file is signed doesn’t mean it’s trusted. A valid signature only tells you who signed it.
- I don’t trust Jernej nearly as much as I trust Microsoft.
• We can see the command line used to start the program; it appears that netcat is running a Command Prompt (cmd.exe) on port 1337.
• We can also see the Current Directory and Autostart Location, both of which point to a Group Policy setting being responsible for starting this netcat backdoor.
• VirusTotal reports that 12/61 antivirus products flag this file (your VirusTotal result may be a little different).
- Netcat is a useful program with many legitimate uses, but it can also be used for nefarious purposes, which is probably why we see mixed results from VirusTotal.
Slide 102
• Click on the TCP/IP tab of Process Explorer.
- This process is listening on TCP port 1337.
- It’s currently not connected, which is why there is a remote address of 0 and a state of LISTENING.
- Close by selecting Cancel.
Slide 103
• Malware may exist in more than just executables, however.
• Let’s check out the DLLs loaded by nc.exe.
• Click View, select Lower Pane View, then DLLs.
Slide 104
• It looks like there is nothing obviously bad here. All the DLLs loaded appear to be official, signed DLLs in the C:\Windows\System32 directory.
• The dnsapi.dll 1/60 result above appears to be another false positive (your result may vary slightly).
• Close out of Process Explorer.
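The reasoning of Slides 86-89 and 102 (a listener on every interface, on a port that belongs to no known Windows service, owned by a dual-use tool) can be written down and run against pasted text. The script below is an added example, not part of the CyberCamp guide or the demo image. It is Python rather than cmd.exe because the point is the decision logic, not the commands; the netstat -aon and tasklist /fo csv listings embedded in it are constructed to resemble the demo image, and the PIDs, image names and ports in them are assumptions.

```python
"""Triage a `netstat -aon` listing for suspicious listeners.

Added example (not part of the CyberCamp guide). It applies the reasoning of
Slides 86-89 and 102 to text pasted from `netstat -aon` and `tasklist /fo csv`.
The two listings below are constructed to resemble the demo image; PIDs,
image names and ports are illustrative assumptions, not captured output.
"""
import csv
from collections import namedtuple

Listener = namedtuple("Listener", "proto ip port pid image")

# Ports the guide attributes to standard Windows services (Slide 88).
KNOWN_LISTEN_PORTS = {
    21: "FTP server",
    135: "RPC endpoint mapper",
    139: "NetBIOS session (file sharing)",
    445: "SMB (file sharing)",
    3389: "Remote Desktop Services",
}
# Legitimate tools that, when found *listening*, usually mean a backdoor.
DUAL_USE_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe"}
# 0.0.0.0 and [::] mean "every IPv4 / IPv6 address on the machine".
WILDCARD_ADDRS = {"0.0.0.0", "[::]"}
# Windows hands out dynamic ports from here, so a listener above this
# line is not suspicious by itself.
EPHEMERAL_START = 49152

# Constructed `netstat -aon` output (assumption, trimmed to a few rows).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1896
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       3244
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       656
  TCP    10.0.2.15:49880        13.107.21.200:443      ESTABLISHED     2120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1500
  UDP    0.0.0.0:5353           *:*                                    1500
"""

# Constructed `tasklist /fo csv` output used to map PID -> image (assumption).
TASKLIST_SAMPLE = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","656","Services","0","11,000 K"
"svchost.exe","812","Services","0","9,500 K"
"svchost.exe","1012","Services","0","7,800 K"
"svchost.exe","1500","Services","0","5,100 K"
"svchost.exe","1896","Services","0","6,300 K"
"explorer.exe","2120","Console","1","60,000 K"
"nc.exe","3244","Console","1","2,100 K"
"""


def parse_netstat(text):
    """Turn `netstat -aon` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows have no State column
        ip, port = local.rsplit(":", 1)             # also splits [::]:135 correctly
        rows.append({"proto": proto, "ip": ip, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> lower-cased image name from `tasklist /fo csv` output."""
    reader = csv.reader(line for line in text.splitlines() if line.strip())
    header = next(reader)
    name_col, pid_col = header.index("Image Name"), header.index("PID")
    return {int(row[pid_col]): row[name_col].lower() for row in reader}


def find_suspicious_listeners(netstat_text, tasklist_text):
    """Return [(Listener, [reasons])] for wildcard listeners worth a second look."""
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        listening = row["state"] == "LISTENING" or row["proto"] == "UDP"
        if not listening or row["ip"] not in WILDCARD_ADDRS:
            continue   # established connections and loopback-only sockets: skip
        image = images.get(row["pid"], "<unknown pid>")
        reasons = []
        if image in DUAL_USE_IMAGES:
            reasons.append("dual-use tool %s is bound to a port" % image)
        if row["port"] not in KNOWN_LISTEN_PORTS and row["port"] < EPHEMERAL_START:
            reasons.append("port %d is not a known Windows service port" % row["port"])
        if reasons:
            findings.append((Listener(row["proto"], row["ip"], row["port"],
                                      row["pid"], image), reasons))
    return sorted(findings, key=lambda f: f[0].port)


if __name__ == "__main__":
    for listener, reasons in find_suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%s %s:%d pid=%d (%s): %s" % (listener.proto, listener.ip, listener.port,
                                             listener.pid, listener.image, "; ".join(reasons)))
```

On the sample it reports 1337/TCP (nc.exe, two reasons) and also 5353/UDP (mDNS inside svchost.exe). The second hit is intentional: the script finds wildcard listeners that need a human decision, it does not make the decision. On a real machine, save netstat -aon and tasklist /fo csv to files from an elevated prompt and pass their contents to find_suspicious_listeners().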
Slide 105
• Next, let’s examine another extremely useful Sysinternals program called TcpView.
• Scroll down in the Sysinternals Suite directory to find Tcpview.exe.
- Double-clicking Tcpview.exe will automatically start it as an administrator.
• User Account Control may ask you if you want to allow this app to make changes to your device. We trust this application, so click Yes.
Slide 106
• As you can see, TcpView shows a lot of the same information as netstat, but one big difference that is already visible is the ability to sort by columns.
Slide 107
• TcpView has a row for each network connection or listening port.
• For each row, you can see:
- The executable that created the socket.
- The PID (Process ID).
- The local address and port.
- The remote address and port (if a connection has been established).
- The state of the connection, such as LISTENING or ESTABLISHED.
- The number of packets and bytes sent and received.
Slide 108
• Let’s examine one of the established connections on your computer.
- These change regularly, so what is on your computer will be slightly different.
• Select Options and click on Resolve Addresses.
• It looks like explorer.exe opened a connection to a computer at search.msn.com on port 443, which is used by HTTPS.
• Right-click on explorer.exe (if you have more than one explorer.exe row, click any one that has an ESTABLISHED connection).
- TcpView will let you end the process or close the connection from here.
Slide 109
• Right-click on explorer.exe and select Whois. WHOIS is a protocol for querying registration information about domain names.
• A firewall may prevent you from using Whois.
• Examining the dialog box that pops up, we can see that this domain is registered to Microsoft; we can make that assumption by looking at the Name, Organization, Mailing Address, Email, and Name Servers.
• This domain has been registered through markmonitor.com.
• We can’t be 100% certain, but this domain appears to be legitimately owned by Microsoft.
Slide 110
• Close TcpView and go back to the Sysinternals Suite folder.
• Scroll up and find the executable Autoruns.exe.
Slide 111
• Right-click on autoruns.exe and select Run as administrator.
Slide 112
• First, let’s enable checking VirusTotal.com and signatures.
• Go to Options and select Scan Options.
Slide 113
• Check Verify code signatures and Check VirusTotal.com.
• Do not select Submit Unknown Images (that would upload files from this machine to VirusTotal).
• Click Rescan.
Slide 114
• The Everything tab shows what the OS runs automatically, including:
- Programs started by Group Policy settings.
- Logon/Logoff and Startup scripts stored via registry entries.
- Programs started by the Task Scheduler.
- Services.
• Malware may also exist and be automatically loaded as Explorer extensions, drivers, or even media codecs.
Slide 115
• To see the programs run at logon/startup, click on the Logon tab.
- Here you can see the netcat backdoor is automatically started by the Local Group Policy.
Slide 116
• Right-click on the row for nc.exe and select Jump to Entry...
Slide 117
• This brings you directly to the Registry Editor, at the key that launches nc.exe.
- Here we can see the executable that is started at logon, and the parameters passed to it.
• Close the Registry Editor and go back to Autoruns.
Slide 118
• Next, right-click the row for nc.exe again, but this time select Jump to Image...
Slide 119
• A Windows Explorer window is automatically opened with the referenced executable already selected.
• Close out of Windows Explorer and Autoruns.
Slide 120
• Other very useful programs in the Sysinternals suite are Handle, Procmon, and PsExec.
• Handle lets you find out which processes have a file open, or which files a process has open.
- This can be very useful when trying to remove or analyze malware (or even when Windows won’t let you safely eject your USB drive).
• Procmon (short for Process Monitor) can monitor the activity of all the processes on your system by recording their file system, registry, process and network operations in real time.
- For example, it can tell you which registry entries or files are accessed or modified by an executable.
• PsExec can be used to run programs as other users, including the SYSTEM account (with the -s switch), locally or on remote machines.
- This is also useful to the bad guys, so it’s something you might want to watch for.
Slide 121
Give students about 20 minutes to complete the tasks listed on Pages 6-7 of their Workbooks. This lab will review the Sysinternals Suite. Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers (in workbook order):
- winlogon.exe
- 4
- Right-click on csrss.exe, select Properties, Image tab, look at the Command Line, and scroll all the way to the end. Answer: 16
- Find the right svchost.exe, right-click, select Properties, select the Services tab. Answer: Base Filtering Engine, CoreMessaging, Diagnostic Policy Service, Windows Firewall
- RiskWare.RemoteAdmin
- 38db
- 4
- 21, 135, 137, 138, 139, 445
- AdobeARM.exe
- Yes
- Adobe Systems (or Adobe Systems, Incorporated)
- Igor Pavlov
- C:\program files\7-zip\7-zip.dll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Instructor’s Guide Table of Contents
Ubuntu 16 Module Overview (5 mins) .......... Pages 126-127
Ubuntu Review (20 mins) .......... Pages 128-147
Init Systems (30 mins) .......... Pages 148-171
Advanced Command Line (30 mins) .......... Pages 172-205
Processes and Scheduled Tasks (30 mins) .......... Pages 206-234
Security Policies and PAM (40 mins) .......... Pages 235-275
Networking (30 mins) .......... Pages 276-293
Student Workbook Activities
Activity 2-1: Init Systems (20 mins) .......... Page 171 -
Student Workbook page: 8
Activity 2-2: Advanced Command Line (20 mins) .......... Page 205 - Student Workbook page: 9
Activity 2-3: Processes and Scheduled Tasks (20 mins) .......... Page 234 - Student Workbook page: 10
Activity 2-4: Security Policies and PAM (20 mins) .......... Page 275 - Student Workbook page: 11
Activity 2-5: Networking (20 mins) .......... Page 293 - Student Workbook page: 12
Slide 0
In this module, after the review, students should follow along on the Advanced Ubuntu 16 Demo Image you have downloaded to their machines.
© 2018 Air Force Association Page 128 Ubuntu 16 AFA Advanced CyberCamp Instructor’s Guide
Slide 1
• Today, we are going to spend the majority of the time on the command line.
• We’ll start off with an Ubuntu review and give you a quick refresh of some of the things you learned in the last CyberCamp.
• After the review, we will cover init systems in depth, going into detail about how Linux boots and starts services. You’ll learn the many places to look to identify unwanted services and how to disable them.
• Next, we’ll cover the advanced command line. After this section you should be comfortable on the command line and know how to perform complex tasks such as finding files or redirecting input and output streams.
• Next, we’ll cover the basics of block devices, partitions, and filesystems. Being able to manage a healthy filesystem is an important security task, and what you will learn forms the basis for advanced filesystem forensics.
• After that, you will learn multiple methods to determine what processes are running on your system, how to kill unwanted processes, and methods for bypassing rootkits on a compromised machine.
• Then, we’ll take a long look at a few of the many kernel parameters that can affect the security of your system, and the best way to modify them.
In the second part of this section, we will break down PAM and explain how it works step by step so you know how to enable secure account and password policies.
• Finally, we’ll wrap things up by looking at two different sets of networking utilities available on most modern Linux systems, and discuss how to easily enable the firewall and modify firewall rules from the command line.
Slide 2
Devote 20 minutes to slides 3-21. There is no activity at the end of this section. To save time, this section was designed to be a quick review without having students follow along on their demo images or going into too much detail. We’ll start off with an Ubuntu review and give you a quick refresh of some of the things that are taught in the standard CyberCamp.
Slide 3
• User account management can be performed through the GUI using User Accounts under System Settings.
- Here you can create or delete accounts, change the account type, or change users’ passwords.
Slide 4
• Automatic updates can be configured through Software & Updates in System Settings.
- Here you can configure software sources as well as the automatic update frequency.
Slide 5
• Navigate to Applications > System Tools and click on Terminal.
• ls lists information about a file or the contents of a directory.
- The -l option outputs the “long” listing, which prints a lot of useful information such as file permissions, ownership, and modification time.
- The -a option also lists hidden files.
- Hidden files in Linux are files whose names begin with a dot.
Slide 6
• Directory structures are like trees.
- In Linux, everything is under the root directory, which is represented as a single forward slash (/).
- You can think of directories as branches of the tree and files as the leaves.
• Paths can be either absolute or relative.
- Absolute paths begin with the root directory.
- Relative paths begin in the current working directory.
• Every directory has two special entries.
- The dot directory (.) points to itself; if you begin a path with ./ you are specifying the current working directory.
- The dot-dot directory (..) points to its parent. For example, the parent of /home is the root directory. If you begin a path with .. you are specifying the parent of the current working directory.
- Although it is not a directory entry, most shells have a built-in shortcut that lets you use the tilde (~) to refer to your home directory.
Slide 7
• You can print your current working directory using the command pwd. On Ubuntu your current working directory is also shown on the right-hand side of your prompt.
• You can change your current working directory by using the cd command.
Slide 8
• The cat command is used for concatenating the files given as arguments.
• It is commonly used to print out the contents of a single file.
Slide 9
• All Linux systems have a superuser named root.
• Root has access to everything, with no restrictions.
- Be careful what you do as root; you can permanently destroy your OS with a small typo.
• There are many system commands that can only be run by root, and many system configuration files that must be edited as root.
• Root always has a User ID of 0. It is the UID, not the name, that the kernel checks: any account with UID 0 is a superuser, which is why a second UID 0 account is a classic backdoor to look for.
• While technically possible, please don’t change the name of the root account; this is not a recommended security practice and will likely break a great many things on your computer.
Slide 10
• When you need to run a command or edit a file as root, or as any other user, there are two commands you can use.
• The su command allows you to switch to another user; if you don’t specify a username, su assumes you want to become root.
- The su command requires you to know the password of the user you are switching to.
- Ubuntu does not set a root password by default; the root account is locked so that nobody can log in as root directly. Unfortunately this means you can’t use su by itself to become root.
• The sudo command allows you to run a specific command as a different user.
- Again, if you don’t specify a user, sudo assumes you want root.
- The sudo command, however, only requires you to know your own password (and that your account is allowed to use sudo, which on Ubuntu means membership in the sudo group).
Slide 11
• If you want to become root but can’t use su because root has no password, you can use sudo su.
• This works because sudo only requires your own password to run su as root, and when su is run by root it doesn’t ask for a password.
• If you want to see your current username you can use the whoami command. Ubuntu also prints your username on the left-hand side of your prompt.
Slide 12
• The /etc/passwd file contains the list of user accounts.
- Many of these user accounts are used exclusively by system services.
• Each line of the passwd file has seven colon-separated fields: username, password, User ID, primary Group ID, comment (GECOS), home directory, and login shell.
• However, since this file needs to be readable by everyone, the password field normally just contains an x and the password hashes are stored in the shadow file instead, which only root can read.
Slide 13
• The shadow file contains, for each user: the user’s name, the hashed password, the date the password was last changed (in days since 1 January 1970), the minimum password age, the maximum password age, the number of days before an expiring password generates a warning, the number of days of inactivity allowed after the password expires, and the account expiration date.
- A password field of ! or * means the account is locked: no password will ever match. An empty password field means no password is required at all (subject to the PAM configuration), which is something to look for.
Slide 14
• The login.defs file is the configuration file for the shadow password suite.
• Inside this file are many configuration options, including the default maximum and minimum password age for new users.
• Changing these values, however, does not modify existing user accounts; use chage to change the aging settings of an existing account.
Slide 15
• The group file defines the user groups on the system.
• The format of the group file is: group name, password, Group ID, and a comma-separated list of the users who are members of that group.
• Although it is possible to add a password to a group, this feature is generally not used.
Slide 16
• If you want to get a line from the passwd, shadow, or group file you can use the getent command, for example getent passwd root.
Slide 17
• User management from the command line should be performed with the adduser and deluser commands.
- These are the recommended commands for Debian and Ubuntu; however, they don’t exist on all Linux distributions.
• The useradd and userdel commands are lower-level commands that are more difficult to use, but they exist on all Linux distributions.
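The field layouts described on Slides 12-16 are simple enough to parse directly, and doing so lets you check a whole image in one pass instead of reading files by eye. The script below is an added example, not from the guide. Its parsers follow the passwd, shadow and group formats exactly as described above, and audit_accounts() applies the checks a reviewer would make on a demo image: a second UID 0 account, an empty password field, a passwordless member of the sudo group, and a password that never expires. All three file contents embedded in it are constructed sample data; the account names, UIDs and hash strings are made up.

```python
"""Audit /etc/passwd, /etc/shadow and /etc/group for the classic problems.

Added example (not part of the CyberCamp guide). It parses the three files
as their field layout is described in Slides 12-16 and applies a few checks
a reviewer would run on a demo image. The file contents below are
constructed sample data: the account names, UIDs and hash strings are made
up, not copied from any real system.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")
ShadowEntry = namedtuple(
    "ShadowEntry", "name hash lastchg min_age max_age warn inactive expire")

# Constructed /etc/passwd (world-readable, so the password field is just "x").
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
cyberpatriot:x:1000:1000:CyberPatriot,,,:/home/cyberpatriot:/bin/bash
hopper:x:1001:1001:Grace Hopper,,,:/home/hopper:/bin/bash
toor:x:0:0::/root:/bin/bash
backdoor:x:1002:1002::/tmp:/bin/sh
"""

# Constructed /etc/shadow (root-readable only). "$6$..." stands in for a real
# SHA-512 crypt hash; "!" and "*" are locked accounts; an empty field is no password.
SHADOW_SAMPLE = """\
root:!:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
www-data:*:17500:0:99999:7:::
cyberpatriot:$6$saltsalt$fakehash:17500:0:99999:7:::
hopper:$6$saltsalt$fakehash:17500:1:90:14:::
toor:$6$saltsalt$fakehash:17500:0:99999:7:::
backdoor::17500:0:99999:7:::
"""

# Constructed /etc/group: name, password, GID, comma-separated members.
GROUP_SAMPLE = """\
root:x:0:
sudo:x:27:cyberpatriot,backdoor
adm:x:4:cyberpatriot
www-data:x:33:
"""


def _int_or_none(field):
    return int(field) if field else None


def parse_passwd(text):
    """List of PasswdEntry, one per non-comment line (seven colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text):
    """Map username -> ShadowEntry (fields 1-8; the 9th field is reserved)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        entries[f[0]] = ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:8]))
    return entries


def parse_group(text):
    """Map group name -> set of member usernames."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def is_locked(hash_field):
    """'!' or '*' (or a hash prefixed with '!') means no password can ever match."""
    return hash_field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text, group_text, max_age=90):
    """Return sorted (account, issue) pairs for the problems we care about."""
    shadow = parse_shadow(shadow_text)
    sudoers = parse_group(group_text).get("sudo", set())
    findings = []
    for acct in parse_passwd(passwd_text):
        # Any UID 0 account is root, whatever it is called: a second one is a backdoor.
        if acct.uid == 0 and acct.name != "root":
            findings.append((acct.name, "UID 0 account that is not root"))
        sh = shadow.get(acct.name)
        if sh is None:
            findings.append((acct.name, "no shadow entry"))
            continue
        if sh.hash == "":
            findings.append((acct.name, "empty password field: login needs no password"))
            if acct.name in sudoers:
                findings.append((acct.name, "passwordless account is in the sudo group"))
        elif not is_locked(sh.hash) and sh.max_age is not None and sh.max_age > max_age:
            findings.append((acct.name, "max password age %d exceeds %d" % (sh.max_age, max_age)))
    return sorted(findings)


if __name__ == "__main__":
    for account, issue in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE, GROUP_SAMPLE):
        print("%-14s %s" % (account, issue))
```

On a real machine, run it with sudo so that /etc/shadow is readable, and pass the three files’ contents to audit_accounts(). The age check deliberately skips locked accounts: a service account with * in its password field and MAX_DAYS of 99999 is normal, not a finding.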
Slide 18
• Similarly, you can create and delete groups with the addgroup and delgroup commands.
• Group membership can be modified using the gpasswd command.
- The -a option adds the specified user to the group.
- The -d option removes the specified user from the group.
Slide 19
• Software updates from the command line are easy.
• You first run apt-get update to fetch the latest list of available packages.
• Then you run apt-get dist-upgrade to update the packages on your system to the latest versions.
• However, this assumes that your sources.list file is correctly configured.
Slide 20
• The touch command opens and closes a file, updating its timestamps, but it is mostly used to create a new, empty file.
• The echo command prints its arguments to standard output. We will discuss this more later, but standard output goes to the terminal by default.
• The mkdir command can be used to make directories, and the rmdir command can be used to delete empty directories.
Slide 21
• cp stands for copy and is used to copy files. You can specify a new name for the copied file, or, if the destination is a directory, the file will be copied into that directory with the same name.
• mv is used to move files. As with cp, you can specify a new name for the file, or, if the destination is a directory, the file will be moved into that directory with the same name.
• The rm command is used to remove a file.
Slide 22
Devote 30 minutes to slides 23-45. Allow the students 20 minutes to complete the activity on slide 45.
Throughout this section, students should follow along in the Advanced Ubuntu 16 Demo Image. In this section, we will cover init systems in depth, going into detail about how Linux boots and starts services. You’ll learn the many places to look to identify unwanted services and how to disable them.
Slide 23
Have the students follow along if possible and time permits. Stress that the students should not change any passwords or settings unless they are expressly directed to do so. Users are NOT automatically logged in; they should log in as the user cyberpatriot with the password CyberPatriot!
Slide 24
• Before we begin, it’s worth noting that your default desktop environment is GNOME Flashback (Metacity).
- This looks similar to the traditional GNOME 2 desktop environment.
- This desktop environment is a good choice for virtual machines since it doesn’t have fancy 3D effects and has low system requirements.
Slide 25
• Notice this desktop environment is different from the default Unity desktop environment.
• Open a Terminal now by navigating to Applications > System Tools and clicking on Terminal.
Slide 26
• Linux starts with the boot process.
• Init is the first user-space process started by the kernel, and it always has process ID 1.
• It is sometimes referred to as a daemon process because it runs all the time in the background.
• All new processes are created by existing processes, therefore init is the ancestor of all user-space processes.
• Init traditionally has only a few responsibilities: starting services on boot, shutting down services on halt, and adopting orphaned processes.
- Although it’s not really relevant to our discussion today, when a process’s parent dies that process is known as an orphan process, and init becomes the parent of that process.
Slide 27
• System V init is the traditional Unix and Linux init system.
- It’s no longer the init system of most major distributions, but a large amount of the System V machinery (init scripts and runlevel directories) still exists on many Linux systems.
- The init systems that replaced it are backwards compatible with System V init scripts, so many services still ship them.
• In the System V boot process of Debian and Ubuntu, the kernel starts init.
• At that point there is no previous runlevel; the runlevel command reports this as N.
• Init first enters runlevel S to initialize the system in single-user mode and complete tasks such as hardware initialization and mounting filesystems.
• After runlevel S, init switches to a specific multi-user runlevel (2-5). These slides use 3 as the default, which is the traditional default on Red Hat-style systems; Debian and Ubuntu actually set their default runlevel to 2 in /etc/inittab, but because they configure runlevels 2 through 5 identically, it makes no difference which of these directories you look in.
Slide 28
• Here is a description of the different runlevels:
- Runlevel 0 is used to halt the system.
- Runlevel S is the single-user mode used while booting the system.
- Runlevel 1 is the single-user mode that you switch to from multi-user mode for maintenance.
- Runlevels 2 through 5 are multi-user runlevels. On Debian and Ubuntu all of these runlevels are the same by default, so it doesn’t much matter which one you are in.
- Runlevel 6 is used for rebooting the system.
- Finally, runlevels 7-9 are technically valid but not used.
Slide 29
• I’m sure you are wondering what init does when switching to and from these runlevels.
• It’s easy to see for yourself.
• When init switches to runlevel n, it first stops the services whose links in /etc/rcn.d/ start with a K, in alphabetical order.
  - Here, K stands for kill.
  - Init does this by running all the K scripts in /etc/rcn.d/ (where n is the runlevel) with a single argument of stop.
• Then, it starts processes in the same directory that start with an S.
  - S stands for start.
  - Similarly, init accomplishes this by running all the S scripts in /etc/rcn.d/ with a single argument of start.
• We'll talk more about links later, but typically all of the scripts in /etc/rcn.d/ are actually just links to scripts in /etc/init.d/.

Slide 30
• To view the scripts that get started and stopped at runlevel 3, type: ls /etc/rc3.d/
  - Here we can see that the OpenSSH server is not configured to start at boot, since the link in this directory starts with a K.
  - However, it looks like the Apache2 service is starting at boot, since its link starts with an S.

Slide 31
• To define whether a service starts at boot, you can use the update-rc.d command.
  - The first argument to update-rc.d is the name of the service, followed by either enable or disable.
• You can start or stop a service manually by using the init scripts in /etc/init.d/.
  - Just run the script that you want and pass it a single command line argument, either start or stop.
  - You can also use the status argument to print out the status of a service.

Slide 32
• We want the SSH service to automatically start at boot.
Have the students run the commands on the screen.
• After running the commands, notice that the ssh link in /etc/rc3.d/ now starts with an S.

Slide 33
• Although we told the ssh service to start at boot, it is not running at the moment.
  - We are going to start the ssh service manually.
Have the students run the commands on the screen.
• After starting the ssh service, the status now shows active (running).

Slide 34
• The service command can also be used to start and stop services manually; it simply runs the init script with the specified argument.

Slide 35
• Upstart was an alternative init system initially developed for Ubuntu, and works with Ubuntu 6.10 and later.
• It can be used on other Linux distributions, but it never really got significant traction outside of Ubuntu.
  - Upstart was made to be backwards-compatible with System V by being able to run System V init scripts.

Slide 36
• Upstart services are specified in the /etc/init directory.
• Each service has its own configuration file ending with .conf.
• Under Upstart, every service starts at boot unless there exists a service.override file containing the text "manual".

Slide 37
• CUPS is a printing service for Linux, but it's not currently starting.
Have the students run the commands on the screen.
• As you can see, Upstart won't start CUPS because of the override file.

Slide 38
• OK, now forget everything you just learned (just kidding, everything you just learned is still relevant and used).
• However, as we mentioned before, most major Linux distributions no longer use System V or Upstart as their init systems.
• Currently almost all major Linux distributions, including Ubuntu and Debian, now use systemd.
• Systemd was developed by Red Hat software engineers, but its adoption has been very controversial for many reasons, due in part to the fact that GNOME 3 requires systemd.
• GNOME 3 is the most widely used Linux desktop environment.

Slide 39
• None of this really matters, since systemd looks like it is here to stay and has seen widespread adoption as the default init system in all Red Hat and Debian-based Linux distributions (this encompasses the overwhelming majority of Linux distributions).
• So how come we just saw all those System V and Upstart files on our systems if we are now using systemd?
  - update-rc.d now configures services for all three init systems.
  - When you run the init scripts manually, most of them actually detect that systemd is being used and instead use systemd to start and stop services.
  - Upstart is not actually the default init system either, but it is installed and running on your system for compatibility.

Slide 40
• The systemctl command is the systemd command for managing services.
• With it, you can configure services to automatically start at boot with the enable argument.
• You can stop a service from automatically starting at boot with the disable argument.
• If you want to manually start a service, you would use the start argument.
• Similarly, the stop argument manually stops a service.
• The status argument will display the current status of the service.

Slide 41
• As we saw earlier, the CUPS service was disabled.
Have the students run the commands on the screen. Mention that * is a special character that matches any characters (or none).
• After enabling the CUPS service with systemd, you can see that the System V and Upstart init systems have been updated as well.

Slide 42
• You can find the systemd service files in /lib/systemd/system.
Have the students run the commands on the screen.
• Most of the services end in .service; however, some end in .target or .path, and there are some additional service management files present as well, such as sockets.
• The .wants directories specify dependencies of that service.

Slide 43
• We just saw the list of services available, but what about the list of services started at boot?
  - The services automatically started at boot are found in /etc/systemd/system and are typically symlinks to the /lib/systemd/system directory.
Have the students run the commands on the screen.
• The multi-user.target.wants directory is just one of several directories in /etc/systemd/system/ that specify services to start on boot.

Slide 44
• For the most part, it seems like a lot of effort has been put into making all these init systems work with each other.
• So which commands should you use?
• Well, systemd is the default now, so you should use systemctl when possible.
• However, a few services do not (yet) work with systemd, so use whatever works for those.
• Since systemd doesn't yet manage everything, make sure to also check System V and Upstart for the presence of unwanted services.

Slide 45
Give students about 20 minutes to complete the tasks listed on Page 8 of their workbooks. This lab will review the init systems SysV, Upstart, and Systemd.
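An added example, not part of the AFA guide: a small POSIX shell script that audits all three places this section has covered (the SysV rcN.d links, the Upstart .conf and .override files, and the systemd .wants directories) so you can compare what each init system will start at boot. The directory arguments are an assumption added so the functions can be pointed at a constructed test tree; with no arguments they read the real paths on the image.

```shell
#!/bin/sh
# Added example (not from the AFA guide): audit which services each of the
# three init systems on an Ubuntu 16 image will start at boot. Every function
# takes the directory to inspect as an optional argument (an assumption made
# so the code can be tested against a constructed tree); the defaults are the
# real locations on the image.

# SysV: a service starts in runlevel N when /etc/rcN.d/ holds an S##name link.
# Prints one service name per line, sorted.
sysv_enabled() {
    rcdir="${1:-/etc/rc3.d}"
    for link in "$rcdir"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        name="${link##*/}"              # drop the directory
        printf '%s\n' "${name#S[0-9][0-9]}"   # drop the S## prefix
    done | sort
}

# SysV: K##name links are the services stopped on entering the runlevel.
sysv_disabled() {
    rcdir="${1:-/etc/rc3.d}"
    for link in "$rcdir"/K[0-9][0-9]*; do
        [ -e "$link" ] || continue
        name="${link##*/}"
        printf '%s\n' "${name#K[0-9][0-9]}"
    done | sort
}

# Upstart: every /etc/init/*.conf job starts unless a matching .override file
# contains the word "manual".
upstart_enabled() {
    initdir="${1:-/etc/init}"
    for conf in "$initdir"/*.conf; do
        [ -e "$conf" ] || continue
        job="${conf##*/}"; job="${job%.conf}"
        override="$initdir/$job.override"
        if [ -f "$override" ] && grep -qw manual "$override"; then
            continue
        fi
        printf '%s\n' "$job"
    done | sort
}

# systemd: the symlinks in /etc/systemd/system/*.wants/ are the units pulled
# in at boot. Dangling links still count, so test -L as well as -e.
systemd_enabled() {
    sysdir="${1:-/etc/systemd/system}"
    for unit in "$sysdir"/*.wants/*.service; do
        [ -e "$unit" ] || [ -L "$unit" ] || continue
        name="${unit##*/}"
        printf '%s\n' "${name%.service}"
    done | sort -u
}

# Union of everything any of the three init systems would start. A service
# that shows up here but that you did not expect is the one to investigate
# with systemctl status / the init script's status argument.
report_enabled() {
    { sysv_enabled "$1"; upstart_enabled "$2"; systemd_enabled "$3"; } | sort -u
}
```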
Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers 1-8, in order: rc.local (or S13rc.local); single (or S02single); cups-browsed, whoopsie; reload; Linux 4.4.0-21-generic; en_US.UTF-8 (or LANG=en_US.UTF-8)

Slide 46
Devote 30 minutes to slides 47-79. Allow the students 20 minutes to complete the activity on slide 79.
Throughout this section, students should follow along in the Advanced Ubuntu Demo Image. In this section, we'll cover the advanced command line. After this section you should be comfortable on the command line, and know how to perform complex tasks such as finding files or redirecting input and output streams.

Slide 47
• When you type commands into the command prompt, you are using your default shell, which is Bash.
• Bash has some features to help make your life easier, and one of them is tab completion.
• If there is only a single possible file or directory name based on what you have already typed, pressing Tab will automatically complete the name of the file or directory.
• If there are no possible paths, Tab will do nothing.
• If there is more than one possible path, a single Tab will do nothing, but pressing Tab twice will display the possibilities based on what you've already typed.

Slide 48
• For example, type ls /h and press Tab.
• You can see that Bash automatically types the rest of the directory: /home/
• If you then press Tab-Tab, Bash will show you all of the directories in /home/.
  - Tab-Tab means pressing Tab twice.

Slide 49
• With ls /home/ still on the prompt, type c and then press Tab-Tab.
• Bash knows the only two directories that start with a c are case and cyberpatriot, so it displays those options.
• Now type y and press Tab to have Bash automatically complete the rest of cyberpatriot.
• Now press Enter to list the contents of your home directory.

Slide 50
• A terminal pager allows you to view text files on the console.
• It doesn't allow you to edit the files, by design, but it's excellent for log files or large configuration files.
• You can scroll up or down using keys on your keyboard.
• The old Linux terminal pager is called more. It displayed the contents of a file on the screen.
• Using more you can scroll up or down using s, d, f, or b.

Slide 51
• More can be a real pain to use sometimes, but there is a much better system pager called less.
• The name of less is a play on words, but you can remember it by remembering "less is more."

Slide 52
Have the students run the commands on the screen.
• Less is used by the man command for displaying manual pages.

Slide 53
• The diff command can compare two different files or directories.
  - It's mostly useful for comparing files that are similar but may differ slightly.
  - It's also sometimes helpful to know if two files are exactly the same.
• It displays the differences between the two files by marking lines with the greater-than (>) or less-than (<) sign.
• Greater-than indicates the line is in file2, but not file1.
• Less-than indicates the line is in file1, but not file2.

Slide 54
Have the students run the commands on the screen.
• As you can see, menu2.txt and menu3.txt are the same, except menu3.txt contains spam instead of egg.

Slide 55
Have the students run the commands on the screen.
• Cat-ing out the files confirms that the two files are in fact identical except for the first line.

Slide 56
• (GNU is officially pronounced like "grew" except with an "n" instead of an "r"; however, many people pronounce it like "new".)
• GNU Findutils is a set of programs to help make it easy to find files on your system, but it lets you do a lot more than that.
  - The three main programs we will cover are find, locate, and updatedb.

Slide 57
• Find is one of the most powerful commands in Linux. The syntax for it can seem rather daunting at first, but most practical operations and examples are easy to understand.
• Expressions may be either tests or actions; both return a truth value, but actions may have additional side effects.
• Find visits every file in a directory and evaluates a list of expressions from left to right.
  - These expressions are evaluated like a logical "and" of the returned values, but the expressions stop being evaluated when the truth value is known.
• This may be confusing at first, so let's look at some real-life examples.
Slide 58
Have the students run the commands on the screen.
• This command simply prints out all the files inside the specified directory.
• Here, -print is an action.

Slide 59
• Say you want to find all the files ending in .pdf.
Have the students run the commands on the screen.
• The -name expression returns true if the filename matches.
• If -name returns false, the expression evaluation is terminated and nothing happens.
• If -name returns true, it continues on to the next expression.
• Since we didn't specify an action, find automatically applies the default action, which is -print.

Slide 60
• Suppose you found an unauthorized user on your computer named Libby. You can use the find command to find all files on the system owned by Libby.
• The -type f expression returns true for regular files, and false for everything else.
• The -user expression returns true if the file is owned by the user, and false otherwise.
Have the students run the commands on the screen.
• Here you can see Libby owns two files on the filesystem.

Slide 61
• Find can also be used to execute commands, and will replace open-close curly brackets ({}) with the name of the file.
• When using find to execute commands, you have to end the command with \; (so that find knows when the command ends).
Have the students run the commands on the screen.
• The -type f expression returns true for regular files, the -user Libby expression returns true for files owned by Libby, -print is an action that prints out the filename and returns true, and -exec executes the given command, substituting the name of the file for {}.
• The rm command removes all matching files.
• Searching again for files owned by Libby, you can see that they have indeed been deleted.

Slide 62
• Find is very useful, but can take a while to run, which isn't really necessary when only searching for files by their names.
• For this purpose, findutils provides the locate and updatedb commands.
• Locate looks in a database of files on the system to see if it finds a match.
• Updatedb updates the database that is used by locate.

Slide 63
• Use locate to find all the files on the system ending with .pdf.
Have the students run the commands on the screen.

Slide 64
• Locate and updatedb have security implications that you should be aware of.
• Updatedb is usually run automatically as root, so that it can index all of the files on the system.
• However, because updatedb runs as root, it is possible that users can use locate to learn of the existence of files that may not otherwise be visible to them.
  - This isn't a critical security vulnerability on its own, but it is something you should be aware of.

Slide 65
• When you run a command in Linux, that command exists somewhere on your filesystem, but you don't have to know where because Bash automatically searches the directories in your PATH.
• The which command searches the directories in your PATH, from left to right, looking for the filename you specified, and prints out the first match.

Slide 66
• PATH is an environment variable.
• To view your current path, type echo $PATH.
• These are the directories that Bash searches when looking for a command to execute.
• To find out which which command is executed when you type which, type which which.
• You can see the which command that is executed is inside the /usr/bin/ directory.
• It's important to know what your path is, and which commands are executing. If your path is set to an insecure value, an adversary could trick you into executing commands!

Slide 67
• The grep command is used to search for a pattern inside files.
• Grep can search recursively inside a directory by using the -R option.

Slide 68
Have the students run the commands on the screen.
• This grep command searches for FAILED authentication attempts inside the system authorization log.

Slide 69
• C programs typically begin in the main function.
• Say you downloaded the Quake source code and wanted to know where it starts.
• You can use grep to search recursively for the main function with the following commands.
Have the students run the commands on the screen.

Slide 70
• Head and tail are surprisingly useful commands.
• Head prints out the first 10 lines of a file, or you can specify the number of lines to print with the -n option.
• Similarly, tail prints out the last 10 lines of a file, and again you can specify the number of lines to print with the -n option.
• Tail can also output lines appended to a file in real time, as the file grows, by specifying the -f option.

Slide 71
• Let's use head to check if the root user has a password.
Have the students run the commands on the screen.
• Root doesn't have a password, or you would see the encrypted password where the ! is.
• As you can see, the -n 1 option prints out only the first line of the file.

Slide 72
• Tail is useful for monitoring log files.
• Type: sudo tail -f /var/log/auth.log
• In a new console window, type su, but fail the authentication on purpose by pressing Enter twice.
• You should see tail automatically print out your failed logon attempt.

Slide 73
• The wc command stands for "word count", but it can also be used for counting lines in a file with the -l option.
• Say you wanted to list the total number of user accounts on the system. You can do this by counting the number of lines in the password file.
• There are 62 user accounts on the system.

Slide 74
• Let's take a moment to talk about program input and output. All processes are given three open "character streams": one for input, and two for output.
• When a program prompts you for input on the terminal, it is reading from "standard input."
• When a program prints regular information to the terminal, it is printing to "standard output."
• When a program prints error information to the terminal, it is printing to "standard error."

Slide 75
• These input and output streams can be redirected to and from different locations using the following operators.
• The less-than operator (<) redirects standard input to read from a file (instead of the keyboard).
• The greater-than operator (>) redirects standard output to print to a file (instead of the screen).
  - Be careful using this because it will truncate/overwrite the file if it exists, deleting any existing data.
• The greater-than greater-than operator (>>) redirects standard output to append to a file (instead of the screen).
• The pipe operator (|) is named thusly because it pipes output from the standard output of one command to the standard input of another command.

Slide 76
• Let's look at some examples.
Have the students run the commands on the screen.
• The echo command prints "I don't like Spam!" to standard output, but standard output has been redirected to "testfile", so the text ends up there instead of on the screen.
• The - argument to the cat command tells cat to read from standard input.
• Therefore, cat concatenates the contents of all files named Documents/menu* and standard input; because standard input has been redirected to come from testfile, it reads from there instead of the keyboard.
• You can see that the contents of testfile are printed to the screen last.

Slide 77
• Many commands will automatically read from standard input if you don't specify a file argument.
• For example, say you wanted to count the total number of main functions in the Quake source code.
Have the students run the commands on the screen.
• The Quake source code has seven different main functions because there are several different programs in the code, including clients and servers.

Slide 78
• A useful command to view the last ten users to log on is: last | head
Have the students run the commands on the screen. The result of the command will not match the screenshot because it is based on the logon activity of each image.

Slide 79
Give students about 20 minutes to complete the tasks listed on Page 9 of their workbooks.
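An added example, not from the guide, that chains the commands from this section (grep, awk, sort, uniq -c, head, wc and the > and >> redirections) into a check for failed logins like the one on Slide 68. The auth.log lines are constructed here so the script runs offline; on the image you would point the functions at /var/log/auth.log. The hostnames, users and addresses in the sample are invented.

```shell
#!/bin/sh
# Added example (not from the AFA guide): the pipeline idea from this section
# applied to failed authentication in auth.log. The sample log is constructed
# (invented host, users and addresses); on a real image pass /var/log/auth.log.

# Write a constructed auth.log sample to the path given.
make_sample_log() {
    cat > "$1" <<'EOF'
Aug  3 03:26:10 demo sshd[1422]: Failed password for invalid user admin from 10.0.0.5 port 40222 ssh2
Aug  3 03:26:12 demo sshd[1422]: Failed password for invalid user admin from 10.0.0.5 port 40223 ssh2
Aug  3 03:26:15 demo sshd[1430]: Accepted password for cyberpatriot from 10.0.0.9 port 50112 ssh2
Aug  3 03:26:20 demo sshd[1435]: Failed password for hopper from 10.0.0.5 port 40230 ssh2
Aug  3 03:27:01 demo su[1440]: FAILED su for root by cyberpatriot
Aug  3 03:27:30 demo sshd[1450]: Failed password for invalid user test from 192.0.2.7 port 51000 ssh2
EOF
}

# Count every failed authentication, sshd or su. The slide greps for FAILED;
# -i also catches sshd's "Failed password" and -c counts instead of printing.
count_failures() {
    grep -ci 'failed' "$1"
}

# Failed SSH logins per source address, most frequent first:
# grep selects the lines, awk prints the word after "from", sort | uniq -c
# counts each address, sort -rn orders by count, the last awk tidies the
# columns to "address count".
failures_by_source() {
    grep 'sshd.*Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# The address with the most failures (empty if there were none).
top_source() {
    failures_by_source "$1" | head -n 1 | awk '{ print $1 }'
}

# Append a one-line summary to a report file. >> keeps earlier runs; a single
# > here would truncate the report, as Slide 75 warns.
append_summary() {
    printf '%s failures, top source %s\n' \
        "$(count_failures "$1")" "$(top_source "$1")" >> "$2"
}
```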
This lab will review the advanced command line commands covered in this section. Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers:
1. G
2. sausage
3. /home/cyberpatriot/Music/Nutcracker.mp3, /home/kleinrock/Desktop/4.mp3, /home/knuth/Music/1812.mp3
4. /var/spool/
5. /usr/bin/find/
6. 21
7. print the character counts

Slide 80
Devote 30 minutes to slides 81-108. Allow the students 20 minutes to complete the activity on slide 108.
Throughout this section, students should follow along in the Advanced Ubuntu Demo Image. In this section, you will learn multiple methods to determine what processes are being run on your system, how to kill unwanted processes, and methods for bypassing rootkits on a compromised machine.

Slide 81
• The current processes running on your system can be listed using the ps command.
• Ps by itself with no options is probably not what you want.
  - By default, it shows only processes running as your current user ID and associated with your current terminal.
• There are two ways to list all processes with ps, and we're going to cover them here because you may run into a Linux or Unix distribution that is less friendly and only supports one of these methods.
• ps -ef is the standard Linux syntax: e lists "every process" and f tells it to do a "full-format" listing (which displays more information on each process).
• ps aux is the traditional "BSD" style syntax.
It displays mostly the same thing as ps -ef, but does display a little bit more information on memory statistics.

Slide 82
• Ps orders the processes on your computer by PID.
• To view the first 10 lines output by ps, type ps -ef and pipe it through head.
Have the students run the commands on the screen.

Slide 83
• The PID column is where the process identifier, or PID, is displayed for that process.
• A PID is unique for running processes, but can be reused after a process dies.
• The kernel starts assigning PIDs starting at 1.
• You can see the first process that was created by the kernel is init, with a PID of 1.
• Ps prints out kernel threads surrounded by square brackets [].
  - These threads are part of the kernel and have different responsibilities, such as managing different pieces of hardware.

Slide 84
• The PPID is the parent PID. This is the PID of the process that created this process.
• The PPID of init and [kthreadd] is 0, indicating that the kernel created this process on its own.
• kthreadd is the kernel thread daemon that manages the kernel threads.
• UID is the user the process is running as; this determines what the process is allowed to do.

Slide 85
• STIME is the starting time of the process. In this example the virtual machine was booted at 3:26, hence init and all the kernel threads were started at 3:26 as well.
• TIME is the CPU time that this process has used. This is not the time that the process has been alive, but rather the total time that the process has been actively using the CPU.
  - You can see that most of these processes are fairly lightweight, and in this example the init thread has used about one second of CPU time since we powered on the system.

Slide 86
• TTY is the name of the console or terminal the process is running under; in this case these processes have no associated terminal.
• CMD is the command line used to start the process.
  - However, this can be changed by programs for various reasons. For example, you might want to prevent users from seeing potentially sensitive command line options that were passed to your program.

Slide 87
• How do you kill a process?
• If a process is running in the foreground, you can often kill it by typing Ctrl+C.
  - Ctrl is often represented by a caret (^).
• The kill command does more than just kill processes; it will send the signal to every PID you specify on the command line.
  - It defaults to SIGTERM, but you could specify SIGKILL as the signal if the program isn't dying with SIGTERM.
• Kill can be tedious to use because you must specify the PID on the command line.
  - The killall command can help with that by killing all processes that match a specific name.

Slide 88
• So how do you kill a process?
• If a process is running in the foreground, you can often kill it by typing Ctrl+C (lowercase c).
  - Ctrl is often represented by a caret.
• The kill command does more than just kill processes; it will send the specified signal to every PID you specify on the command line.
  - It defaults to -SIGTERM, but you could specify -SIGKILL as the signal if the program isn't dying with SIGTERM.
• Kill can be tedious to use sometimes because you have to specify the PID on the command line.
  - The killall command can help with that by killing ALL processes that match a specific name.

Slide 89
• Here's an example of how to use Ctrl+C to kill a program in the foreground.
• The sleep infinity command will do nothing forever.
Have the students run the commands on the screen.
• You can see that the command will hang forever until you kill it.
  - In this case, we killed it with Ctrl+C.

Slide 90
• If you want to start a program, but you don't want your console to wait for it to die, you can start that process in the background with an &.
• When you start a process in the background, the PID of that process is printed on the screen.
Have the students run the commands on the screen.
• In this example, the PID of sleep is 2206.
• By typing kill 2206, we are killing the sleep process we just started.
• We don't get a notification that the process died right away because our shell doesn't want to interrupt us while we type a command, so we have to press Enter again before we are notified.

Slide 91
• Sometimes a process won't die with the default SIGTERM.
• In this case you need to specify a signal of SIGKILL.
Have the students run the commands on the screen.

Slide 92
• The killall command works just like kill, except you specify a process name instead of a PID.
• Killall is very useful, but be careful when running it because it is possible to unintentionally kill important processes.
Slide 93
• Sometimes you want a real-time view of resource utilization and what processes are running on your system.
• In that case, the top command is what you need.
• By default, top sorts processes by CPU usage, so you can easily see which processes might be hung, slowing down your system, or where any bottlenecks might be.

Slide 94
• The overall CPU usage is displayed here and is divided into three main parts.
• The user usage is the % of CPU cycles spent on "user space" applications.
• The system usage is the % of CPU cycles spent in "kernel space."
  - A lot of the actions that applications take are performed in "kernel space", such as file input and output.
• The idle CPU usage is the % that is not being used; this is probably the first number you want to look at when determining if your CPU is under heavy load.

Slide 95
• System memory usage information is shown as well.
• The total amount of memory in kilobytes is shown on the left; here we have one gigabyte of system memory.
• Next the amount of free memory is shown; here it says we only have 20 megabytes free.
• After that, the amount of memory that is used by applications is shown. Here we are using about 560 megabytes of memory.
• Those numbers don't exactly add up, so where is the rest of the memory going?
• The rest of the memory is being used by the kernel to cache recently used files on the filesystem, so if we need to use those files again, they will be readily available.

Slide 96
• The next line of top shows the swap space.
• Swap space is disk space that the kernel uses as an extension of RAM; it moves infrequently accessed pages there to free up physical memory in case it is needed.
• Here we can see swap statistics, including the total amount of swap space, the amount free, and the amount used.
- We're not using much swap space, since we have plenty of memory that can be reclaimed (even though that memory is currently allocated to caching files).
Slide 97
• top also shows the percentage of CPU capacity and of memory that each process is using, and the amount of CPU time it has consumed.
- Remember that CPU time is the total amount of time the process has actually been running on the CPU, not the time since it was started.
- Each logical core of a CPU can run only one process at a time, so the kernel switches rapidly between processes to make it appear that they are all running simultaneously.
Slide 98
• What if your system has been compromised?
• Can you trust these programs? Click to reveal answer.
• ps and top are extremely useful programs, but an adversary who has compromised your computer can easily replace these (and other) programs with versions that hide their activity.
• What can you do about it?
- You can compare your executables against the copies on a trusted computer, for example by comparing their hashes, or check them against the package manager's records (dpkg --verify or debsums on Ubuntu).
- You can run trusted executables from a removable drive, preferably a read-only one.
- You can get this information directly from the kernel.
• These are all good starting strategies; however, you cannot fully trust anything on a compromised system. A replaced ps is a user-space problem, but an attacker who has loaded a kernel module can make the kernel itself lie, so an offline analysis from a trusted computer is sometimes required.
Slide 99
• How do we get this information directly from the kernel?
• The kernel provides the proc filesystem for this purpose.
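The approach the slide recommends, reading process information from /proc rather than trusting the ps binary, as an added example that is not part of the AFA guide. It is a POSIX shell script; the optional hidden_pids check assumes a procps ps that accepts -o pid=. Because the proc tree is walked by hand, the listing stays usable even if ps has been replaced; it cannot see past a kernel-level rootkit.

```shell
#!/bin/sh
# Added example (not from the AFA guide): enumerate processes straight from the
# proc filesystem instead of trusting the ps and top binaries, then compare the
# result with what ps reports. A user-space rootkit that replaced ps cannot hide
# from this walk; a kernel rootkit still can, so treat it as a check, not proof.

# list_procs [PROC_ROOT]
# Print "PID EXE CMDLINE" for every numbered directory under PROC_ROOT
# (default /proc). cmdline is NUL-separated, so tr turns the NULs into spaces.
list_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # exe is a symlink to the running binary. It is unreadable for other
        # users' processes unless you are root, and ends in " (deleted)" if the
        # binary was removed after start, a classic sign of a dropped implant.
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
        cmd=$(cat "$d/cmdline" 2>/dev/null | tr '\000' ' ')
        # Kernel threads have an empty cmdline; show their name in brackets
        # the way ps does, taken from the comm file.
        [ -n "$cmd" ] || cmd="[$(cat "$d/comm" 2>/dev/null || echo '?')]"
        printf '%s %s %s\n' "$pid" "$exe" "$cmd"
    done
}

# hidden_pids
# PIDs that exist in /proc but are missing from the output of ps. A process
# that exits between the two listings shows up here too, so run it twice
# before drawing conclusions.
hidden_pids() {
    t=$(mktemp) && u=$(mktemp) || return 1
    list_procs /proc | cut -d' ' -f1 | sort > "$t"
    ps -e -o pid= | tr -d ' ' | sort > "$u"
    comm -23 "$t" "$u"
    rm -f "$t" "$u"
}

# Typical use on a live system:
#   list_procs | grep -i deleted      # binaries that were removed after launch
#   hidden_pids                       # anything ps is not telling you about
```

Run it as root if you want the exe links of every process; as a normal user the walk still works but exe shows ? for processes you do not own.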
• Let's take a look at the proc filesystem. Have the students run the commands on the screen.
Slide 100
• Inside the proc filesystem, there are many numbered directories.
• There is a numbered directory for every PID running on the system.
• We know that PID 1 is init, so let's look inside that directory. Have the students run the commands on the screen.
• You can see that there are many files in this directory that represent parts of the process; you can view them, and even modify some of them, if you have permission.
• For example, the exe file in this directory is a symlink to the executable the process is actually running, which here is: /lib/systemd/systemd
• Remember how ps said that PID 1 was: /sbin/init
- /sbin/init is actually just a symlink to /lib/systemd/systemd
Slide 101
• Exploring the proc filesystem further, the cmdline file contains the command line that was used to execute the program.
• However, the command line arguments are separated by null characters, which don't print to the screen, so the output is hard to read.
• To get around this you can use cat -v to print the null characters as ^@
• Or you can use strings -1 to print each argument on a separate line. Have the students run the commands on the screen.
• You can see systemd was started as /sbin/init with the auto and noprompt command line arguments.
Slide 102
• How do scheduled tasks get executed in Linux?
• All processes get spawned by an existing process, and scheduled tasks are no different. They are started by services such as at, cron, and anacron.
• at is no longer installed on most Linux distributions by default, but it can be used to execute a program once at a specified time.
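An added example, not from the AFA guide, that gathers the scheduled-task definitions the following slides describe (the system crontab, the drop-in files in /etc/cron.d, and the per-user crontabs, which on Ubuntu 16.04 live under /var/spool/cron/crontabs and are readable only by root) and flags entries that look like the backdoor in the lab: a netcat listener run every minute, or anything launched from /tmp or at @reboot. The patterns are my own starting list, not an exhaustive rule.

```shell
#!/bin/sh
# Added example (not from the AFA guide): collect every scheduled-task
# definition on an Ubuntu 16.04 system and flag entries that look like the
# persistence mechanism in the lab. Paths are the Debian/Ubuntu defaults.

# cron_sources
# Print every non-comment cron line, prefixed with the file it came from:
# the system crontab, the drop-in files in /etc/cron.d, and the per-user
# crontabs, which only root can read.
cron_sources() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | sed "s|^|$f: |"
    done
}

# cron_flag FILE
# Print the lines of FILE that match patterns an attacker's cron backdoor
# commonly uses. This is a starting list, not a rule; read every hit.
cron_flag() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | grep -E \
        -e '(^|[[:space:]/])(nc|ncat|netcat)[[:space:]].*-[ec][[:space:]]' \
        -e '^[[:space:]]*\*([[:space:]]+\*){4}' \
        -e '/tmp/|/dev/shm/|/var/tmp/' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' \
        -e '^[[:space:]]*@reboot'
}

# cron_audit
# Run cron_flag over every source file, keeping the file name on each hit.
cron_audit() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && cron_flag "$f" | sed "s|^|$f: |"
    done
}
```

The five-star pattern catches "run every minute", the shape of the lab's listener; it deliberately does not match */5, which is a normal interval for legitimate jobs. Remember that a script in /etc/cron.hourly or cron.daily can hide a backdoor just as well, so read those directories too.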
• cron is designed for running tasks on a regularly repeating schedule, and is very configurable, allowing you to specify complex schedules to fit most needs.
• cron is an important system service, so it's usually not a good idea to remove it.
• anacron is another system service that works in conjunction with cron.
- It is designed to run programs on a schedule specified in days; unlike cron, you can't specify times.
- What makes anacron special is that it will run tasks that were missed, which often happens when a system is powered off at the scheduled time.
Slide 103
• The primary cron configuration file, the system crontab that tells cron what to run, is located at: /etc/crontab
• Lines that begin with # are comments and are ignored by cron.
• Let's examine this file more closely on the next slides.
Slide 104
• The first column is minutes; it specifies the minutes portion of the time at which the command will be run. Click to reveal Hours.
• The second column is hours, and specifies the hours portion.
• A star means the command will be executed for any value of that column. Click to reveal day of month.
• The next column is the day of the month, as a number from 1-31. Click to reveal month.
• The next column is the month, specified as a number from 1-12. Click to reveal day of week.
• The next column is the day of week, specified as a number from 0-7; Sunday is represented by either 0 or 7. Click to reveal user.
• The user column is the account the command runs as. It exists only in the system crontab and in the files under /etc/cron.d; an entry here that runs as root is an attractive place for an attacker to hide a backdoor, so check these files when auditing a system. Click to reveal Command.
• Finally, the last column is the command that is run.
Slide 105
• The first line runs the specified command every hour of every day, at 17 minutes after the top of the hour.
• That command runs all of the scripts in: /etc/cron.hourly Click to reveal cron.daily.
• The next line runs all the scripts in /etc/cron.daily every day at 6:25 a.m. Click to reveal cron.weekly.
• The next line runs all the scripts in /etc/cron.weekly every Sunday at 6:47 a.m. Click to reveal cron.monthly.
• The last line runs all the scripts in /etc/cron.monthly on the first of every month at 6:52 a.m.
- On a system with anacron installed, the daily, weekly, and monthly lines hand the job to anacron, which runs the same directories.
Slide 106
• Additional cron files are located in: /etc/cron.d/ Have the students run the commands on the screen.
• Here, the php sessionclean command is run twice every hour, at nine minutes past and 39 minutes past.
Slide 107
• Additionally, every user has their own crontab, which can be edited by typing the command: crontab -e
- User crontab files don't have a user column, since their commands always run as the user the crontab belongs to. The files themselves are stored under /var/spool/cron/crontabs/ and are readable only by root. Have the students run the commands on the screen.
• This is a default blank crontab that does nothing. Note: all the lines that begin with # are comments and are ignored.
Slide 108
Give students about 20 minutes to complete the tasks listed on page 10 of their workbooks. This lab will review processes and scheduled tasks. Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers: 1. 2. 3. 4. 5. 6. 7. 8.
-r /usr/bin/nc -k -l -p 1337 -w 300 -e /bin/bash Every minute 3 --no-debug /bin/ls
Slide 109
Devote 40 minutes to slides 110-149. Allow the students 20 minutes to complete the activity on slide 149. Throughout this section, students should follow along in the Advanced Ubuntu 16 Demo Image. In this section we'll take a close look at a few of the many kernel parameters that can affect the security of your system, and at the best way to modify them. In the second part of this section we will break down PAM and explain step by step how it works, so you know how to enable secure account and password policies.
Slide 110
• Some of the commands in this section are harder to execute if you're not root; in particular, output redirection is performed by your own shell as your own user even when the command in front of it is run with sudo.
• For this reason we are going to be root for the remaining sections.
• To become root, type sudo su and enter your password if prompted. Have the students run the commands on the screen.
• When you're root, you can see that the username on the left side of your prompt changes to root, and the symbol on the right side of your prompt changes to #.
• This is done to help you know whether you're root or not. Stay root only as long as you need to, and type exit when you are done.
Slide 111
• Kernel parameters are options that affect many parts of Linux, including kernel modules.
• The parameters are accessible under: /proc/sys
- Many parameters can be changed directly through the /proc filesystem.
• These values are loaded at boot from the file /etc/sysctl.conf and from all of the files in the directory: /etc/sysctl.d/
Slide 112
• There are many security-related kernel parameters, and we can't cover them all.
That's up to you to research on your own, but we will cover a few prominent examples.
• TCP SYN cookies are a technique that lets the kernel keep accepting connections during a SYN flood attack, because it no longer has to keep state for every half-open connection.
• To check whether we are using TCP SYN cookies, enter: cat /proc/sys/net/ipv4/tcp_syncookies
• This isn't a "real" file on the hard drive, but rather an interface to the Linux kernel that can be accessed the same way as a file.
Slide 113
• To enable TCP SYN cookies, all we have to do is write 1 to the tcp_syncookies file (the sysctl command can write the same value with its -w option). Have the students run the commands on the screen.
• You can see that the file now contains a 1, and the Linux kernel is using TCP SYN cookies to protect your computer against SYN flood attacks.
Slide 114
• Unfortunately, our change is not persistent. The next time the computer is shut off or rebooted, tcp_syncookies will go back to its configured value.
• To simulate this, we can use the sysctl command, which reloads the values stored in the sysctl configuration files.
• Side note: the sysctl command is completely unrelated to systemctl and systemd. Have the students run the commands on the screen.
• After running sysctl --system we can see that the tcp_syncookies value was restored to 0.
Slide 115
• All we have to do is set this parameter in the sysctl configuration files.
• Before setting a kernel parameter, check whether and where it is already being set in /etc/sysctl.conf or /etc/sysctl.d/, because a later setting of the same key overrides an earlier one and a new file you add may silently lose.
- Using grep -R can help with this.
• In this case, tcp_syncookies is being set in the file /etc/sysctl.d/10-network-security.conf
• As root, use gedit to edit this file. Have the students run the commands on the screen.
Slide 116
• Change the last line in the file to set tcp_syncookies to 1 instead of 0.
• Now save the file and exit.
Slide 117
• Reload the sysctl settings again with the sysctl --system command. Have the students run the commands on the screen.
• You can see that sysctl sets tcp_syncookies to 1, which tells the kernel to use TCP SYN cookies. Because the value now comes from a configuration file, it will survive a reboot.
Slide 118
• PAM stands for Pluggable Authentication Modules, and is used for authentication by almost all Linux distributions.
- As of this guide, the only notable Linux distribution that does not use PAM is Slackware.
• PAM is extremely complicated, and any typo, no matter how small, can lock you out of your system permanently.
• It's also very easy to accidentally make your computer less secure if you don't know precisely what you are doing.
• PAM defines four facilities (the PAM documentation calls them module types) for managing four different activities.
• The auth facility handles authentication: establishing that the user is who they claim to be.
• The account facility handles account restrictions, such as the time of day a user is allowed to be logged in, or whether the account is locked or expired.
• The password facility handles password updates.
• And the session facility handles the various session resources that need to be set up when a user logs on and released when they log off.
Slide 119
• Before we go on, let's look at the different PAM configuration files. Have the students run the commands on the screen.
Slide 120
• You probably recognize some of the file names in the pam.d directory as program names.
- This is because every program that makes use of PAM has its own configuration file in: /etc/pam.d/
• What if a program doesn't have a configuration file?
- In that case, it uses the configuration file named other.
- other is also the fallback for programs that have a configuration file but don't define the requested facility.
Slide 121
Have the students run the commands on the screen.
• Lines beginning with # are comments and are ignored.
Slide 122
• Looking at the other PAM configuration file, you can see that it includes four different configuration files, one for each facility.
Slide 123
• These included files aren't just used by programs without a configuration file.
• In fact, most programs' configuration files include them too. Have the students run the commands on the screen.
• You can see that common-auth appears in many configuration files, including sudo, su, and sshd. That is why a change to common-auth affects every way of logging in at once, and why a mistake there is so dangerous.
Slide 124
• Password updates are performed by the password facility.
• To see how password updates are handled, open the common-password file. Have the students run the commands on the screen.
• Be careful not to make any changes to this file unless directed to.
Slide 125
• Again, all the lines beginning with # are comments and are ignored.
• The first column is the facility; it defines which facility the rule applies to. Click to reveal Control.
• The second column is the control. The control determines what to do based on the return value of the PAM module. Click to reveal PAM module.
• The PAM module is the shared object (.so) file that executes the code. Click to reveal Parameters.
• The last column, if present, specifies parameters to pass to the PAM module.
Slide 126
• PAM requests are processed from top to bottom in their respective configuration files.
• The control column may have different values, and we will cover the five main ones.
• If control is set to required and the PAM module returns "failure," the request will ultimately be denied, but processing continues in case more work needs to be done (and so that an attacker cannot tell which module failed).
• If control is set to requisite and the PAM module returns "failure," the request is immediately denied and processing stops.
• If control is set to sufficient and the module succeeds, and no earlier required module has failed, the request is granted and processing stops immediately. If a sufficient module fails, the failure is ignored and processing continues.
Slide 127
• If control is set to optional, the module is executed but its return value is ignored (unless it is the only module in the stack).
• If control is surrounded by square brackets [], this is the advanced syntax, which maps each possible return value to an action; it is commonly used to tell PAM to skip a number of lines when the module returns success.
Slide 128
• Let's go through the password policy PAM file line by line.
• The first line runs the password facility of pam_unix.so.
- It authenticates the user by asking for their current password, then asks them to enter a new password.
- The obscure option tells pam_unix to apply some additional checks to improve password strength.
- The sha512 option specifies the hash algorithm used to store passwords in /etc/shadow (passwords are hashed, not encrypted, so the stored value cannot be turned back into the password).
• The control of [success=1 default=ignore] specifies that if pam_unix succeeds, the next (1) line is skipped; any other result is ignored for the purpose of the final decision.
Slide 129
• This line is skipped if pam_unix succeeded.
• Therefore, we know that if this line is executed, pam_unix failed.
• pam_deny always returns failure.
• Since the control is set to requisite, the request is immediately denied, and processing stops.
Slide 130
• If we get to this line, we know that pam_unix succeeded, since the line above it (pam_deny) stops processing.
• This line runs the password facility of the pam_permit module, which always returns success.
• Since the control is required, the request will eventually be granted, but we continue processing in case more work needs to be done.
Slide 131
• The last line uses a control of optional, which means the return value of the pam_gnome_keyring module is ignored.
• The purpose of this line is to notify the GNOME keyring that a password has been updated, so the keyring password stays in sync with the login password.
Slide 132
• As you can see, the majority of the work in common-password is done by the pam_unix module.
• To learn more about the pam_unix module, read its manual page. Have the students run the commands on the screen.
Slide 133
• The man page states that obscure enables some extra checks on password strength, which ensure that the password:
- Is at least six characters in length (the minlen default).
- Is not a palindrome (reversal) of the old password.
- Is not a rotated version of the old password.
- Is not just a case change of the previous password.
- Has at least three of the four character types: lower-case letters, upper-case letters, numbers, and symbols.
Slide 134
• Don't close gedit until you are instructed to.
• A minimum password length of six isn't very good; let's change it to 10.
- Append minlen=10 to the pam_unix options.
• There is currently no password history being enforced; let's institute one now.
- Append remember=5 to the pam_unix options. pam_unix stores the previous password hashes in /etc/security/opasswd so that a reused password can be refused.
Slide 135
• Now save the file, but don't close gedit yet.
- We need to test it first to make sure there is no error.
- Testing before we close the file ensures we don't lock ourselves out, because the original text is still on screen and can be put back. Have the students run the commands on the screen.
Slide 136
• As you can see, passwd wouldn't let us change our password to TesPass2, because it is not long enough.
• However, the password CyberPatriot! was acceptable.
• Trying to change turing's password back to turing is refused, because a password history is now being enforced.
• Close the second terminal instance.
• It's also now safe to exit gedit.
Slide 137
• Authentication is handled by the auth facility.
• The default configuration for this facility is in the common-auth file.
• Open the common-auth file with gedit. Have the students run the commands on the screen.
Slide 138
• In common-auth you can see that, again, all of the work is done by the auth facility of the pam_unix module.
• However, the pam_unix module is not capable of handling account lockout, so on its own it never limits repeated failed logins.
Slide 139
• To handle account lockout we are going to use the pam_tally2 module.
- pam_tally2 is the module available on Ubuntu 16; newer Linux-PAM releases have removed it in favor of pam_faillock, which takes similar options.
• First, read the manual page of pam_tally2. Have the students run the commands on the screen.
Slide 140
• pam_tally2 is described as a login counter module.
• When a request is denied, the counter is incremented.
• When a request is granted, the counter is reset to 0.
• Looking at the pam_tally2 manual, there are also some important options.
• The deny option will automatically deny the authentication request once the counter exceeds n, even if the password is correct.
• The unlock_time option allows a single additional authentication attempt after the specified number of seconds; without it, a locked account stays locked until an administrator resets the counter.
Slide 141
• Further down on the pam_tally2 manual page, it shows an example implementation that places the pam_tally2 module above the pam_unix module. The order matters: the counter must be checked before pam_unix gets a chance to return success.
Slide 142
• Add the pam_tally2 module directly above the pam_unix module.
- Using the auth facility.
- And a control of: required
• A deny value of four is a little low, but it will let us test our configuration more easily.
• An unlock_time of 60 is generally acceptable, since it only allows one additional logon attempt per minute, but a more secure value would be somewhat higher.
Slide 143
• Unfortunately, as mentioned in the pam_tally2 manual, some programs do not call pam_setcred correctly, so the lockout counter is never reset after a successful login and the user is eventually locked out even with the right password.
- Some of these programs include sudo and sshd.
• To prevent these programs from locking you out, we also have to edit the common-account file.
Have the students run the commands on the screen.
Slide 144
• Add the pam_tally2 module directly above the pam_unix module.
- Using the account facility and a control of required.
• No options are necessary this time.
• This ensures the lockout counter is reset after a successful authentication.
Slide 145
• Save the file in gedit, but don't close it in case there is an error. Have the students run the commands on the screen.
• The pam_tally2 command tells us that the user turing has 1 failed login.
Slide 146
• Go ahead and fail authentication four more times. Have the students run the commands on the screen.
• Your last authentication attempt should give you an account lockout warning message.
• The pam_tally2 command now shows that we have five failed login attempts.
Slide 147
• The counter will not be reset for that user until a successful authentication, but a single authentication attempt will be allowed after unlock_time.
• You can manually reset the account lockout counter (as root) with the pam_tally2 command: pam_tally2 --user turing --reset
Slide 148
• It is extremely important that you always test your changes before closing your editor. That way, if you made an error, you can quickly undo all the changes you made and restore your system to a working state. Keep the root shell you are editing from open as well: once common-auth is broken, a new sudo or su will fail too.
• It looks like we didn't break anything, so go ahead and close gedit and your second terminal now.
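The edits from slides 134 to 144, performed by a script rather than in gedit, as an added example that is not from the AFA guide. It keeps a .bak copy of each file, refuses to apply a line twice, and leaves the PAMDIR variable overridable so the whole thing can be rehearsed against a copy of /etc/pam.d before touching the real directory. The line contents and values (deny=4, unlock_time=60, minlen=10, remember=5) are the ones the slides use; pam_tally2 itself has since been removed from Linux-PAM in favor of pam_faillock.

```shell
#!/bin/sh
# Added example (not from the AFA guide): apply the PAM changes from these
# slides (pam_tally2 lockout in common-auth and common-account, minlen and
# password history in common-password) with a backup and an idempotency check
# instead of editing /etc/pam.d by hand. The values are the ones the slides
# use. PAMDIR can be pointed at a scratch copy of /etc/pam.d for a dry run.

PAMDIR="${PAMDIR:-/etc/pam.d}"

# pam_insert_above FILE LINE PATTERN
# Insert LINE directly above the first line matching PATTERN, unless LINE is
# already present. FILE.bak is written first so a mistake can be reverted.
pam_insert_above() {
    file="$1" line="$2" pat="$3"
    grep -qxF "$line" "$file" && return 0
    grep -q "$pat" "$file" || { echo "$file: nothing matches $pat" >&2; return 1; }
    cp -p "$file" "$file.bak"
    awk -v l="$line" -v p="$pat" \
        '!done && $0 ~ p { print l; done = 1 } { print }' "$file.bak" > "$file"
}

# pam_append_options FILE PATTERN OPTIONS
# Append OPTIONS to the first line matching PATTERN (the pam_unix line in
# common-password) unless they are already there.
pam_append_options() {
    file="$1" pat="$2" opts="$3"
    grep -q "$pat.*$opts" "$file" && return 0
    cp -p "$file" "$file.bak"
    awk -v p="$pat" -v o="$opts" \
        '!done && $0 ~ p { $0 = $0 " " o; done = 1 } { print }' "$file.bak" > "$file"
}

# harden_pam: the three edits in the order the slides make them.
# The pam_tally2 auth line must sit above pam_unix so the counter is consulted
# before pam_unix can return success; the account line resets the counter for
# programs such as sudo and sshd that do not call pam_setcred correctly.
harden_pam() {
    pam_insert_above "$PAMDIR/common-auth" \
        'auth    required    pam_tally2.so deny=4 unlock_time=60' 'pam_unix[.]so'
    pam_insert_above "$PAMDIR/common-account" \
        'account required    pam_tally2.so' 'pam_unix[.]so'
    pam_append_options "$PAMDIR/common-password" \
        'pam_unix[.]so obscure' 'minlen=10 remember=5'
}

# On a live system, keep the root shell open and verify from a second
# terminal before logging out, exactly as the slides do:
#   su - turing                 (fail on purpose, then check the counter)
#   pam_tally2 --user turing
#   passwd turing               (short or reused passwords must be refused)
#   pam_tally2 --user turing --reset
# If anything misbehaves, copy the .bak files back into place.
```

Rehearse with PAMDIR set to a temporary copy of /etc/pam.d first; only when the resulting files look right run harden_pam as root against the real directory, and keep that root shell open until su, sudo and passwd have all been tested.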
Slide 149
Give students about 20 minutes to complete the tasks listed on page 11 of their workbooks. This lab will review security policies and PAM. Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity. The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers: 1. 2. 3. 4. 5. 6. 7. 8. 9. 1 /etc/sysctl.conf 4.4.0-21-generic /etc/security/opasswd pam_wheel (or pam_wheel.so) even_deny_root -
Slide 150
Devote 30 minutes to slides 151-167. Allow the students 20 minutes to complete the activity on slide 167. Throughout this section, students should follow along in the Advanced Ubuntu Demo Image. In this section, we'll wrap things up by looking at two different sets of networking utilities available on most modern Linux systems, and discuss how to enable the firewall and modify firewall rules from the command line.
Slide 151
• The traditional Linux command for configuring your network interface is the ifconfig command.
- Any changes made with ifconfig are not persistent and will be reset to the configured values upon reboot.
• The ifconfig command with no arguments shows the status of active network interfaces.
• ifconfig -a shows the status of all network interfaces, not just active ones.
• ifconfig can show the status of a specific network interface if you give the interface name as an argument.
• ifconfig can also activate a network interface: specify the interface name followed by up.
• Similarly, specifying the interface name followed by down shuts down the network interface.
Slide 152
• You can configure a network interface by specifying the interface name, followed by the desired IP address, then the word netmask followed by the desired netmask.
• Show the active connections now by typing ifconfig. Have the students run the commands on the screen.
• The first interface in this example is named "ens33" and is our physical network interface.
• The second interface, labeled "lo", is your "loopback" device.
- This is a virtual network interface that your computer uses to communicate with itself.
Slide 153
• Let's take a closer look at the output of ifconfig.
• ifconfig displays the MAC address (HWaddr). It is burned into the network card and not normally intended to be changed, but it can be overridden in software, so it should never be relied on to identify a machine. Click to reveal IPv4 Address.
• Your IPv4 address is shown with the label inet addr. Click to reveal IPv6 Address.
• The IPv6 address is shown with the label inet6 addr.
• IPv6 is the replacement for IPv4, and adoption is still incomplete; but the interface usually has a link-local IPv6 address whether or not you configured one, so don't ignore it when thinking about what your machine exposes. Click to reveal Netmask.
• The netmask is shown with the Mask label, and determines the range of IP addresses you can (and can't) talk to directly without going through a router. Click to reveal Received packets.
• ifconfig also shows the number of received packets; RX is an abbreviation for received. Click to reveal Transmitted packets.
• The number of transmitted packets; TX is an abbreviation for transmitted. Click to reveal Received bytes.
• The number of received bytes is shown. Click to reveal Transmitted bytes.
• The number of transmitted bytes is shown.
Slide 154
• The route command is used to display or modify routes.
• route without any options displays the current routes.
• The -n option tells route not to resolve IP addresses to names, which makes route return much faster when name resolution is slow or broken (for example, because a route is wrong).
• You can use route to set a default gateway by running route add default gw followed by the IP address of the default gateway you want to use.
• You can also set routes to networks with route add -net.
- Here the target is the network you want to add a route to, and netmask is the netmask of the target network.
- You specify where the route goes with either gw and a gateway IP address, or dev and a network interface.
Slide 155
• Let's look at your current routes. Have the students run the commands on the screen.
• Your values will be different, since VMware uses different IP address ranges on different computers.
• The destination is the network that is the destination of this route.
• A destination of 0.0.0.0 indicates that this is the default route. Have the students run the commands on the screen.
• The gateway is the IP address our packets must go through to get to the destination network.
• A gateway of 0.0.0.0 indicates that the network is directly reachable without going through a gateway.
• The interface is the network interface used to reach the destination network.
Slide 156
• Routes are processed from most specific to least specific (longest netmask first).
• In this example, the bottom line is evaluated first and specifies that we do not need to go through a gateway to reach our local network.
Slide 157
• The next line is the link-local range (169.254.0.0/16), which devices that did not receive a DHCP address use to communicate on the local link.
• This defines another local network with a different IP address range. Click to reveal default gateway.
• The default gateway line says that all remaining packets must go through our default gateway (192.168.157.2) in order to go anywhere (0.0.0.0).
Slide 158
• The netstat command can be used to display open sockets or current routes.
• The netstat command by itself prints all open sockets. This contains a lot of information you may not be interested in, such as UNIX domain sockets.
• An example set of netstat options: -A inet,inet6 -anp
- This shows all IPv4 and IPv6 sockets, including established connections and listening ports.
- Does not resolve addresses to names.
- Prints the PID and process name associated with each socket (you must be root to see this for other users' processes).
Slide 159
Have the students run the commands on the screen.
• In this example you can see that the mysqld process, with a PID of 1006, is listening on port 3306 on the local address: 127.0.0.1
• Since it is listening on localhost, only programs running on this computer can connect to it. A service bound to 0.0.0.0 or ::, by contrast, accepts connections from any host that can reach the machine, so the local address column is the first thing to check for each listener.
Slide 160
• The ifconfig and netstat commands are older and don't incorporate some newer functionality and features.
• There is a newer set of commands, the iproute2 suite, intended to replace ifconfig, route, and netstat.
• The ip command can show interface or route configuration, or configure network interfaces.
• The ss command is the replacement for netstat.
Slide 161
Have the students run the commands on the screen.
• Here you can see the IP address and netmask of the interface ens33, as well as much of the same information printed by ifconfig.
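An added example, not from the AFA guide, that turns the netstat output of slides 158-159 into an exposure list: each listening socket is classified by whether it is bound to loopback, to every interface, or to one specific address. The awk script assumes the netstat -A inet,inet6 -anp column layout shown on the slide (tcp lines carry a State column, udp lines do not); ss -lntup reports the same facts but would need different field numbers.

```shell
#!/bin/sh
# Added example (not from the AFA guide): classify listening sockets by how
# exposed they are, from the netstat -A inet,inet6 -anp output on slide 159.
# Live use:   netstat -A inet,inet6 -anp 2>/dev/null | exposed_listeners
# ss -lntup reports the same facts but in a different column layout.

# exposed_listeners
# Reads netstat -anp lines on stdin and prints one line per listening socket:
#   SCOPE PROTO PORT PID/PROGRAM
# where SCOPE is
#   local  bound to loopback (127.0.0.1 or ::1), reachable only from this host
#   all    bound to 0.0.0.0 or ::, reachable on every interface
#   iface  bound to one specific address
exposed_listeners() {
    awk '
        # tcp lines have a State column; only LISTEN means a listener.
        # udp has no connection state, so every bound udp socket counts.
        $1 ~ /^tcp/ { if ($6 != "LISTEN") next; local = $4; prog = $7 }
        $1 ~ /^udp/ { local = $4; prog = $6 }
        $1 !~ /^(tcp|udp)/ { next }
        {
            port = local; sub(/.*:/, "", port)        # text after the last colon
            addr = local; sub(/:[0-9]+$/, "", addr)   # everything before it
            scope = "iface"
            if (addr == "127.0.0.1" || addr == "::1") scope = "local"
            else if (addr == "0.0.0.0" || addr == "::") scope = "all"
            proto = $1; sub(/6$/, "", proto)          # tcp6 -> tcp, udp6 -> udp
            print scope, proto, port, prog
        }'
}

# exposed_count
# Number of listeners that accept connections from other hosts; each one
# should correspond to a service you intend to run and a ufw rule you chose.
exposed_count() {
    exposed_listeners | grep -c -e '^all ' -e '^iface '
}
```

Run it as root so the PID/program column is filled in for every socket; compare the "all" and "iface" lines against ufw status, and anything listening that you cannot name is the next thing to investigate with the /proc techniques from earlier in this module.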
Slide 162 (Page 289)
Have the students run the commands on the screen.
• Here we can see network routes, which is basically the same information printed by the route command.
Slide 163 (Page 290)
Have the students run the commands on the screen.
• The ss command for printing network connections is a little simpler than netstat, but the output is harder to read if you include the -p option.
Slide 164 (Page 291)
• Ubuntu comes with the Uncomplicated Firewall (ufw), which is easily configurable from the command line.
• To turn on the firewall, type: ufw enable
• To turn off the firewall, type: ufw disable
• ufw status shows the status of the firewall.
• The firewall can be configured to allow programs or ports through using ufw allow.
Slide 165 (Page 292)
Have the students run the commands on the screen.
• After enabling the firewall you can see that the default rule is to deny all incoming connections and allow all outgoing connections.
• This is a good default rule for workstations.
Slide 166 (Page 293)
• We enabled the ssh service at the beginning of this module; let's make sure we let it through the firewall.
Have the students run the commands on the screen.
• Now you can see that port 22 is allowed through the firewall.
Slide 167 (Page 294)
Give students about 20 minutes to complete the tasks listed on page 12 of their workbooks. This lab will review networking and firewalls. Stress that the students should not change any passwords or settings unless they are expressly directed to do so in the activity.
The students should not need to use any other user names or passwords to complete the activities. Here are the passwords to some administrative accounts just in case.
Username: neumann Password: vN_@rchit3cture
Username: hopper Password: ENIAC.TurC0mp
Answers to questions 1-8: 127.0.0.1, 255.0.0.0 (or 8); 139, 445; 68; 127.0.1.1; ufw logging on; 139, 145; 137, 138
Instructor's Guide Table of Contents
Cisco Networking Content Overview (5 mins) – Pages 295-297
Module 1: "What is this thing called the Internet?" (45 mins) – Pages 298-321
Module 2: The TCP/IP Stack! (75 mins) – Pages 322-347
Module 3: The Link Layer (75 mins) – Pages 348-364
Student Workbook Activities
Activity 3-1: Cisco Baseline Knowledge Quiz (10 mins) – Page 299 – Student Workbook page: 13
Activity 3-2: Draw the Internet (15 mins) – Page 300 – Student Workbook page: 14
Slide 0 (Page 295)
Cisco Networking: three modules
• Hyperlinks connect the instructor to NetAcademy diagrams and examples.
• Separate files to be downloaded to student computers beforehand:
  • Packet Tracer file: https://www.netacad.com/group/offerings/packet-tracer
  • Packet Tracer Wireless Configuration
  • Packet Tracer Final Competition
Instructors should be logged into Cisco NetAcad before starting Module 1.
Slide 1 (Page 296)
• Instructors should be logged into Cisco NetAcad before starting Module 1.
• Instructors will need to send each student attending the advanced camp a link to the self-enroll page found at the following link: https://www.netacad.com/web/self-enroll/course-671717
• Ideally, students should be sent this self-enroll page before the first day of the camp session.
Students should have their parent or guardian sign and return the Parental Permission form (which can be found on the Camp Coordinator dashboard) when they arrive for the first day of camp, and ideally students should self-enroll before the first day to save time.
• The Parental Permission form can be found on the Camp Coordinator dashboard and should be emailed or passed along in hard copy to students before utilizing the Cisco Networking portion of the AFA Advanced CyberCamps.
• Parental Permission forms are to be kept on file with the camp instructor for the site and DO NOT get returned to CyberPatriot.
• Students can follow the diagrams and examples on their individual computers as instructors lead, OR the instructor can utilize the NetAcad portions as a teaching tool only.
Slide 2 (Page 297)
• There are three modules in the Cisco Networking portion of AFA Advanced CyberCamps:
  • Networking Module 1: What is this thing called "The Internet"
  • Networking Module 2: The TCP/IP Stack
  • Networking Module 3: The Link Layer
Slide 3 (Page 298)
Module 1: What is this thing called "The Internet?"
Slide 4 (Page 299)
• On page 13 of your Student Workbook, answer each question to the best of your abilities. You will have 10 minutes to answer the baseline quiz. After everyone has finished, we will go over the answers as a group.
Answer Key:
1. What protocol allows computers to learn IP addresses from 'friendly' website names? b. DNS
2. Which of the following devices acts as a "hop" for internet traffic? d. Router
3. 192.168.1.254 is a ___________ IP address. c. Private
4. In order for traffic to leave the local network, it must know the IP address of its ______. d. Default Gateway
5. The layers of the TCP/IP stack, from lowest to highest, are: b. Link, Internet, Transport, Application
6. A wireless access point is most like a __________: b. Switch
7. IP Address is to Router as __________ is to Switch: c. MAC Address
8. A web browser asks for the content on a web page by sending a ________ request. c. GET
Slide 5 (Page 300)
• On page 14 of the Student Workbook, students will draw their idea of the Internet in as much detail as possible.
• Items should include: devices, equipment, media (cabling), link addresses or names, sources and destinations, and Internet service providers.
• Students should be prepared to explain some of the reasoning they used. A few students should be selected to share their drawings.
• The goal of today is for every student to gain a detailed understanding of what the Internet is and how it works.
Slide 6 (Page 301)
• The Internet is a network of networks. Simply put, a network is a group of computers that can talk to one another.
• But how does data get from one computer to another?
  • On a local network?
  • On the Internet?
Slide 7 (Page 302)
• Click on the screenshot to launch video (3:29 minutes): https://www.youtube.com/watch?v=ewrBalT_eBM
Slide 8 (Page 303)
• "Host" is a general term for any kind of computer on a network.
• Clients and servers are both called "hosts," "end hosts," or "endpoints."
• Hosts are computers that use the network.
• Laptops, desktops, smartphones, servers where websites live: these are all hosts.
• "Client" and "server" are jobs that a host can have.
• Clients are devices that ask for content.
• Servers are hosts that provide content.
Slide 9 (Page 304)
• In order for hosts to communicate across networks, it's important that they have unique addresses.
• Similar to how you send and receive mail: you need a unique address yourself, and you must know the address of the recipient.
• IP stands for Internet Protocol.
• You'll sometimes see IP addresses referred to as "IPv4 Addresses."
• IPv4 (Internet Protocol version 4) is the most common system of so-called "logical addressing," and is currently the de facto standard.
• Other systems such as IPX and AppleTalk used to be major competitors to IPv4, but are no longer in widespread use.
Slide 10 (Page 305)
• In the future, IPv4 will be replaced by IPv6 because we have started to run out of free IPv4 addresses!
• An IPv4 address consists of four parts called "octets." Octets are separated by dots and each can contain a value between 0 and 255.
• Example: 10.0.2.15
• On most networks, the first three octets describe the network, and the last octet refers to the specific device.
• This is similar to a mailing address: the first three octets are like a street, and the last octet is like a house number.
• The address gets more specific as you move to the right.
Slide 11 (Page 306)
• Students: open a command prompt and type: ipconfig
• Find your IP address, which is designated by "IPv4 Address."
• This might look familiar; you'll see a lot of computers with IP addresses like 192.168.X.X. This is a private IP address.
• This address can either be manually assigned by a computer user (static IP address) or automatically assigned by your router (DHCP).
Slide 12 (Page 307)
• DHCP stands for "Dynamic Host Configuration Protocol," and most networks use DHCP to auto-assign IP addresses to clients.
• This saves individual users the trouble of manually assigning an IP address.
• It also prevents two hosts from accidentally assigning the same IP address to themselves and creating a conflict.
Slide 13 (Page 308)
• Open up a web browser and navigate to WhatIsMyIP.com, or click the hyperlink in the slide to launch the site directly.
• You'll notice that the IP address you get from this web service is different from the address given in your command prompt.
• The address you see displayed on this webpage is your public IP address.
Slide 14 (Page 309)
• Public IP address: visible to the whole Internet.
• Private IP address: only visible on your local network.
Slide 15 (Page 310)
• An IPv4 address is made of four 8-bit octets.
• 8*4 = 32 bits per IPv4 address.
• A bit has 2 possible states (1/0).
• There are 2^32 possible IPv4 addresses, or 4,294,967,296 IPv4 addresses.
• Did you know?
  • IPv4 was deployed in 1981.
  • There are not enough unique IPv4 addresses for all of the devices in the world. The United States IP Address Registry ran out of free addresses on September 24, 2015.
Slide 16 (Page 311)
• Slowly, the Internet is moving to IP version 6 (IPv6).
• IPv6 was designed to scale, and was first deployed in 1999.
• An IPv6 address is 128 bits, so... there are 2^128 possible IPv6 addresses.
OR 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses.
Slide 17 (Page 312)
• As we just discussed, IP addresses are used to indicate where something is located on the Internet so we can send traffic to it.
• [Mini-exercise]: You can get to a website just by entering its IP address into your web browser's address bar.
  • Open a browser and type in: 216.58.217.78
  • What site did it bring you to?
  • Answer: www.google.com.
• But we hardly ever type IP addresses into web browsers; it's much more common to type a website's URL, because a URL is much easier to remember.
• How does my laptop know to go to 216.58.217.78 when I put http://www.google.com in my browser?
• Your computer needs an IP address for its destination; there's no getting around this requirement.
• The solution is the Domain Name System, or DNS.
• DNS servers store mappings of IP addresses to "friendly" web addresses.
• Any time you navigate to a URL in your browser's address bar, your computer automatically sends a DNS request to a DNS server to get the IP address for that URL.
• Even when you enter a "friendly" name, your computer gets the IP address of the destination; this process is known as "resolving" the IP address.
Slide 18 (Page 313)
• When you send a request for the data that makes up a website, where does that request go?
• Ultimately, it ends up at the destination web server.
• But how does it get there? When you request a web page from your house, your computer first sends that request to your home router.
• Reminder: Your router is the device in your home which "owns" your public IP address. To the Internet, you "are" your router.
• Your router then forwards that packet on to another router in your Internet Service Provider's (ISP's) local data center.
• Take a look at this visualization: 1.2.4.2 (Links to an external site) NetAcad example.
• That router forwards your request to another router, and another, and another after that, until the packet eventually arrives at the web server.
Link: https://static-courseassets.s3.amazonaws.com/ITN51/en/index.html#1.2.4.2
Slide 19 (Page 314)
• Most homes have a single device doing four major jobs for the home network.
• This device, usually provided by your ISP, is acting as a modem, a router, a switch, and a wireless access point.
• This device is a router in that it serves as the default gateway for traffic on the home network and forwards that traffic over the Internet.
• This device is a modem in that it does conversion (i.e., modulates and demodulates) between the analog (cable or DSL) signal and the digital signal (0's and 1's, the language packets are written in).
• This device is a switch in that it has several Ethernet ports which allow connection to a wired Local Area Network (LAN).
• This device is a wireless access point (WAP) in that it broadcasts a wireless network which clients can connect to.
Source: https://static-courseassets.s3.amazonaws.com/ITN51/en/index.html#4.1.1.1
Slide 20 (Page 315)
Click on the screenshot to launch the NetAcad Home Router example, or copy and paste: https://www.netacad.com/?p_p_id=58&p_p_lifecycle=0&p_p_state=normal&saveLastPath=false&_58_struts_action=%2Flogin%2Flogin&redirect=%2Fc%2Fportal%2Fsaml%2Fsso
• Home networking devices are not always all contained in the same piece of hardware.
• Example: In a large office building with dozens of employees spread across many floors, there may be one router and multiple wireless access points.
• Why do you think this is?
Slide 21 (Page 316)
• If the class needs additional background on Packet Tracer, cover the following course, which will take about 60 minutes to complete.
• Click on the phrase Packet Tracer to go directly to the site, or cut and paste the following URL: https://www.netacad.com/courses/packettracer
• NOTE: NetAcad login required.
Slide 22 (Page 317)
Directions for Instructors Only
NOTE: When you first launch Packet Tracer, it will ask you to log into NetAcad. If you don't have a NetAcad account, it's easiest to continue as a guest. If you continue as a guest, you'll want to follow this procedure to log in:
1) Packet Tracer will open a new window. You'll need to grab this window by the top bar and move it around in order to resize it.
2) Once the window is resized, a button will appear at the bottom of it giving you the option to continue as a guest. Click on it.
3) Packet Tracer will then open a browser that takes you to the Packet Tracer/NetAcad website. Close this; it's not necessary.
4) There should be a smaller window open, and this window will be part of the Packet Tracer application. There will be a button at the bottom of this window allowing you to launch Packet Tracer as a guest. It may be grayed out with a decreasing timer; if so, wait for the timer to run out. The button will then become clickable. Click that button and Packet Tracer should launch.
Slide 23 (Page 318)
To download the Packet Tracer practice file, click on the hyperlink on the slide, or cut and paste the following URL into your browser's address bar: https://150566673.netacad.com/courses/487683/files/46796296/download?wrap=1
Instructions:
1. Open the Packet Tracer practice file on your laptop.
2. Click on the PC (on the far left).
Open the "Desktop Applications" tab at the top, and then open the "Command Prompt" application.
3. We will use a website we've set up inside this application, www.afa.com.
4. Find the IP address for www.afa.com with nslookup. What IP address was returned?
5. Ping the website's IP address to see if you can reach it. Did it work?
Slide 24 (Page 319)
• Two very important tools for network engineers are nslookup and ping.
• nslookup is used to check what the IP address is for a website's "friendly" name.
• Proper usage looks like this: nslookup google.com
• The result will be displayed under the line reading "Non-authoritative answer:"
Slide 25 (Page 320)
• ping is used to check if a given IP address is reachable.
• Proper usage looks like this: ping 192.168.1.1
• Your computer will send four "requests." If the IP address is reachable, the device at the destination address will send back four "replies."
• If your computer cannot reach the IP address you ping, then you will usually see that the requests "timed out."
Slide 26 (Page 321)
Click on the logo to go directly to the site, or cut and paste the following URL: https://goo.gl/g2R3F4
• When you click on the logo a start screen will appear.
• The instructor will have the option to choose 1:1 play, where students use their individual devices, or shared devices for small groups.
For more information on how to play Kahoot!
visit: https://files.getkahoot.com/academy/Kahoot_Academy_Getting_Started_Guide_2nd_Ed_-_June_2016.pdf
Slide 27 (Page 322)
Module 2: The TCP/IP Stack
Slide 28 (Page 323)
• Break into three even groups.
• Take 15 minutes to review yesterday's material. Each group will focus on one of the following topics:
  • IP addressing (public/private IP addresses, DHCP vs. static addressing)
  • Domain Name System (DNS)
  • Routers, Switches, and Access Points
• At the end of 15 minutes, you will be asked some questions about your group's subject. Don't be afraid to ask questions if you're having a hard time remembering things.
Slide 29 (Page 324)
• Click on the screenshot to launch video (3:33 minutes): https://youtu.be/7_-qWlvQQtY
Slide 30 (Page 325)
• Click on the screenshot to launch video (5:20 minutes): https://youtu.be/LpuPe81bc2w
Slide 31 (Page 326)
• Say we have an IP address of: 192.168.1.100
• As we saw in some of the review videos, computers and routers read an IP address as a series of 1's and 0's (because a packet arrives as a series of electrical signals).
• What does our IP address look like in binary? Work it out for yourself. Did you get it right?
• 192.168.1.100 = 11000000.10101000.00000001.01100100
• This is why we call these four groups "octets." Each one has eight bits in it.
Slide 32 (Page 327)
Bits vs. Bytes
• This point comes up a lot, and it's important to understand the difference!
• A bit is the smallest unit of digital data.
It can either be on or off; I/O; 1 or 0.
• A byte is eight bits.
• How many bits in an IPv4 address?
• How many bytes?
Slide 33 (Page 328)
• Now, let's look at an example subnet mask: 255.255.255.0
• 11111111.11111111.11111111.00000000
• The first three octets are Network bits.
• What does that mean?
• It means that only the last octet (the fourth number, in base 10) is used to differentiate hosts. The first three octets, taken together, describe the network.
• This network has 2^8 host addresses, of which 254 can be assigned to hosts.
• Another example subnet mask: 255.255.0.0. In binary, that is:
• 11111111.11111111.00000000.00000000
• This means that there are 2^16 (or 65,536) host addresses available in a network with this mask.
Slide 34 (Page 329)
• You've probably noticed the "subnet mask" in the output of the ipconfig command, or seen it elsewhere.
• On most networks you've probably been on, it's likely: 255.255.255.0
• What does this mean?
• A subnet mask tells us which bits in an IP address are used to identify the Network, and which bits are used to identify a Host.
• It splits an address into two parts: the Network bits and the Host bits.
• Using our example IP address of 192.168.1.100. In binary, that's:
• 11000000.10101000.00000001.01100100
Slide 35 (Page 330)
https://play.kahoot.it/#/k/28e548e1-62ba-46de-992c-f972235377a1
• When you click on the logo a start screen will appear.
• The instructor will have the option to choose 1:1 play, where students use their individual devices, or shared devices for small groups.
For more information on how to play Kahoot!
visit: https://files.getkahoot.com/academy/Kahoot_Academy_Getting_Started_Guide_2nd_Ed_-_June_2016.pdf
Slide 36 (Page 331)
Click on the screenshot to launch video (4:48 minutes): https://youtu.be/7_LPdttKXPc
Slide 37 (Page 332)
• Have you heard the term "packet" before? What do you think it means?
• When we send information across a network (including the Internet), it must be 'packaged' into a format that allows routers to read its source and destination addresses along the way.
• Remember: Every time your request gets sent to a new 'hop' in the route, that hop needs to read the source and destination addresses.
• Similar to mailing a letter: You 'package' the letter in an envelope which displays the destination and return addresses so the Post Office knows where to send it and where to return it if necessary.
• Routers are just specialized computers:
  • Computers are good at recognizing predefined patterns.
  • To say that data is in a 'packet' means that it's been formatted in a special pattern that routers recognize.
• This formatting is in the form of a "header," a piece of data that is attached to the front (the "head") of some data that we want to send over the Internet.
Slide 38 (Page 333)
• Any time we send a packet over a network, it's wrapped (or "encapsulated") in several layers; from inside to outside, these are:
  • Application
  • Transport
  • Internet (aka Network)
  • Link
• Each layer serves a specific purpose.
• The following example compares sending a data packet to shipping a valuable, fragile vase through the mail.
• The vase is the core data which necessitates packaging. In this example it is the application layer: the substantive data being transmitted in the packet.
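Slides 31-34 above work through binary addresses and subnet masks by hand; here is an added example (not from the AFA guide) that carries out the same arithmetic in code. It uses the slides' 192.168.1.100 with the 255.255.255.0 and 255.255.0.0 masks, adds a constructed 255.255.255.128 mask whose boundary falls inside an octet, and includes the same-network test a host performs before deciding whether to use its default gateway.

```python
"""Subnet-mask arithmetic from Slides 31-34 carried out in code (added example,
not from the AFA guide). Uses the slides' 192.168.1.100 / 255.255.255.0 and
255.255.0.0, plus a constructed 255.255.255.128 mask whose boundary falls
inside an octet."""
import ipaddress


def to_binary(dotted):
    """'192.168.1.100' -> '11000000.10101000.00000001.01100100' (Slide 31)."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def split_address(ip, mask):
    """Apply the mask: where a mask bit is 1 the address bit belongs to the
    Network, where it is 0 to the Host (Slide 34)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix_len = bin(mask_int).count("1")        # number of Network bits
    host_bits = 32 - prefix_len
    network = ip_int & mask_int                   # host bits zeroed
    host_id = ip_int & (~mask_int & 0xFFFFFFFF)   # network bits zeroed
    total = 2 ** host_bits
    return {
        "prefix_len": prefix_len,
        "network": str(ipaddress.IPv4Address(network)),
        "host_id": host_id,
        "total_addresses": total,
        # The all-zeros (network) and all-ones (broadcast) host IDs are reserved,
        # which is why a /24 has 256 addresses but 254 hosts (Slide 33).
        "usable_hosts": max(total - 2, 0),
    }


def same_network(ip_a, ip_b, mask):
    """The decision a host makes before sending: same network -> deliver
    directly; different network -> hand the packet to the default gateway."""
    mask_int = int(ipaddress.IPv4Address(mask))
    a = int(ipaddress.IPv4Address(ip_a)) & mask_int
    b = int(ipaddress.IPv4Address(ip_b)) & mask_int
    return a == b


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.255.255.128"):
        info = split_address("192.168.1.100", mask)
        print(f"{to_binary('192.168.1.100')} & {to_binary(mask)}")
        print(f"  /{info['prefix_len']} network {info['network']}, "
              f"host id {info['host_id']}, usable hosts {info['usable_hosts']}")
```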
• Since the vase is fragile, you would likely want to protect it with bubble wrap. The protection provided is the transport layer, which protects the sensitive contents of the packet.
• The Post Office needs to know where the vase is going and where it came from, so you affix a shipping label with the destination and return addresses. This is how the Internet (network) layer tells a router where to direct a packet.
• To contain the vase and its packing materials, you put everything in a box. This is like the link layer, which contains and protects the preceding three layers.
Slide 39 (Page 334)
• One way that packets are different from packages: whenever your packet reaches a new router (or "hop") on its journey, that router has to open up ("decapsulate") the packet.
• It needs to remove the link layer so that it can read the information inside the Internet layer. It then adds link headers to the packet again and sends it on its way.
Slide 40 (Page 335)
• Recap the Slide 39 point: at each hop the router decapsulates the packet down to the Internet layer, reads it, and adds link headers again before sending it on.
• From top to bottom, this diagram shows what it looks like when a packet is sent.
• From bottom to top, this diagram shows what it looks like when a packet is received.
Click on the bottom screenshot to launch the website directly, or copy and paste: https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.1.3
Slide 41 (Page 336)
• HTTP stands for Hypertext Transfer Protocol.
• HTTP is a sort of language that clients and servers can use to communicate with each other and to send content back and forth.
• HTTP communication is at the Application layer.
• This is the core of a message sent over a network.
• Headers will be added to it in several layers to ensure that it is transmitted correctly.
Slide 42 (Page 337)
• To access the contents of a website, your computer sends an HTTP "GET" request.
• If the server has the web page the client is asking for, it sends back a status code of 200 "OK," along with the content of the web page.
• If the server doesn't have the page that the client is requesting, it can respond with a code of 404 "Not Found."
• There are other status codes too:
  • Codes starting with 2xx indicate success.
  • 3xx codes redirect the client to a different page.
  • 4xx codes indicate that the client has sent a bad request of some kind.
  • 5xx codes indicate a problem with the server.
Slide 43 (Page 338)
• The application content is the core of a message that gets sent over the network.
• It is then wrapped in transport-layer headers.
• There are two main kinds of transport-layer headers for our purposes:
  • TCP traffic is slower but more reliable.
  • UDP traffic is faster but less reliable (more prone to packet loss).
• HTTP traffic uses TCP.
• VoIP phone calls and streaming videos use UDP.
• Why do you think this is?
• For the sake of our example, we would wrap our HTTP GET message in a TCP header, because HTTP traffic uses TCP at the Transport layer.
Slide 44 (Page 340)
https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.2.1
• IP source and destination addresses are stored in the Internet-layer header. This is also called the network layer.
• The IP header (Internet Protocol) is wrapped around the packet after the transport-layer header is attached; the process of adding multiple layers of headers is called "encapsulation."
• For another visualization of how this works, check out this illustration!
• To follow along with the example, our Network-layer IP header for this packet would have our computer's IP address as the source address and the web server's IP address as the destination address.
Click on the bottom screenshot to launch the website directly, or copy and paste: https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.2.1
Slide 45 (Page 341)
https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.2.2
• How do we know what physical device "owns" the IP address of your computer? Of your router?
• Physical addresses are also called MAC addresses.
• Every network device has a unique physical address, a MAC address that no other device in the world has.
• When we send a packet over a network connection, whether it is wireless or wired, we need to address that packet to the MAC address of our default gateway, the router.
• The source and destination MAC addresses for a packet are stored in the link-layer header. The specific name for this header format is Ethernet (when we're using a wired connection).
• Just like we use TCP or UDP at the transport layer, or IP at the Internet layer, we use Ethernet at the link layer.
Slide 46 (Page 342)
• Every time we transmit a packet across a network, we need to rewrite the source and destination MAC addresses, because the packet will be transiting between new physical devices.
• Click on the screenshot to launch the website directly, or copy and paste the link for an illustration of how this works: https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.2.2
Slide 47 (Page 343)
https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.1.3
https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.1.4
• A switch is the wired equivalent of a wireless access point.
• You can think of a switch's job in the following ways:
  • It turns one Ethernet port into many.
  • It allows multiple devices to "talk to" each other over a wired network.
  • A switch defines a local area network (LAN).
• Enterprise switches can have 24 ports, 48 ports, or even more ports.
• Smaller switches exist too. Most home combo modem/routers have 1-4 switch ports available for wired clients.
• By default, hosts connected to the Ethernet ports on a switch can communicate with one another.
• Switches can be configured to separate traffic into separate domains.
• How does this work? It involves MAC addresses (the address for the link layer on the TCP/IP stack).
Slide 48 (Page 344)
https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.1.3
https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#3.3.1.4
Review:
• When you send a packet to your router, recall that you wrap it up ("encapsulate" it) in various layers to help it get where it needs to go.
• Your home router opens that packet up (i.e., "decapsulates" it) as far as the Internet layer on the TCP/IP stack so that it can read the destination IP address.
• To recap with an animation, check out these two slides: click on the individual screenshots, or click 3.3.1.3 (Links to an external site.) & 3.3.1.4 (Links to an external site.)
• A switch does something similar to a router, but it only decapsulates a packet up to the link layer, that is, just enough to read the MAC address.
• Recall how, with IP routing, several hops are necessary to get from a source to a destination.
• A switch acts as an extra hop between your computer and your router, but at the link layer instead of the Internet layer.
Slide 50
• We start with the actual message we want to send to the web server. This is an HTTP GET request, and it is at the application layer.
• We then add transport-layer headers. For our HTTP traffic, we use a TCP header.
• Then, we wrap an IP header around that. This header has the source IP address (our computer’s IP address) and the destination IP address (the IP address of our default gateway). This is at the Internet/network layer.
• Finally, at the link layer, we wrap the packet in an Ethernet header by encoding our source MAC address (the physical address of our computer) and destination MAC address (the physical address of our default gateway).
Slide 51
• Divide students into four even groups.
• Take 15 minutes to review the TCP/IP stack among each group.
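The Slide 50 encapsulation sequence worked through in code, as an added example that is not from the AFA guide or the Cisco course. It builds the HTTP GET frame header by header from constructed sample addresses, then shows how far each device opens it: a switch reads only the Ethernet header (Slide 48), a router reads the IP header and rewrites the MACs for the next hop (Slides 46 and 48), and the web server unwraps all four layers. The IP destination is the web server and the Ethernet destination is the default gateway, as the earlier bullets on this page describe.

```python
import struct

# Constructed sample addresses for illustration only (not real hosts).
PC_MAC = bytes.fromhex("020000000a01")
GW_MAC = bytes.fromhex("020000000b02")
PC_IP = bytes([192, 168, 0, 10])
WEB_IP = bytes([203, 0, 113, 80])
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

def encapsulate(payload, src_ip, dst_ip, src_mac, dst_mac):
    """Wrap an application message in TCP, then IPv4, then Ethernet headers."""
    # Transport layer: 20-byte TCP header (src port, dst port 80, seq, ack,
    # data offset 5 words, flags PSH|ACK, window, checksum left 0, urgent).
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + payload
    # Internet layer: 20-byte IPv4 header (version/IHL 0x45, total length,
    # identification, flags/fragment, TTL 64, protocol 6 = TCP, checksum 0).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                     1, 0, 64, 6, 0, src_ip, dst_ip)
    packet = ip + segment
    # Link layer: 14-byte Ethernet II header (dst MAC, src MAC, EtherType IPv4).
    eth = struct.pack("!6s6sH", dst_mac, src_mac, 0x0800)
    return eth + packet

def switch_view(frame):
    """A switch opens only the link layer: it needs just the MAC addresses."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "ethertype": ethertype}

def dotted(addr):
    """Render 4 raw bytes as a dotted-decimal IPv4 address."""
    return ".".join(str(b) for b in addr)

def router_view(frame):
    """A router strips Ethernet and opens the IP header to read the destination."""
    fields = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    return {"src_ip": dotted(fields[8]), "dst_ip": dotted(fields[9]),
            "ttl": fields[5], "protocol": fields[6]}

def forward(frame, out_src_mac, out_dst_mac):
    """Slide 46: each hop rewrites the MACs for the next physical link and (as a
    router) decrements TTL; the IP addresses and the payload are untouched."""
    fields = list(struct.unpack("!BBHHHBBH4s4s", frame[14:34]))
    fields[5] -= 1                                   # TTL
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    eth = struct.pack("!6s6sH", out_dst_mac, out_src_mac, 0x0800)
    return eth + ip + frame[34:]

def server_view(frame):
    """The web server decapsulates all four layers and gets the HTTP GET back."""
    return frame[14 + 20 + 20:]

if __name__ == "__main__":
    f = encapsulate(HTTP_GET, PC_IP, WEB_IP, PC_MAC, GW_MAC)
    print("switch sees:", switch_view(f))
    print("router sees:", router_view(f))
    print("server gets:", server_view(f))
```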
• Assign one of the four layers of the TCP/IP stack to each group:
  • Application
  • Transport
  • Internet
  • Link
• Each group will be responsible for explaining the role of their layer in the stack.
• We will then walk through the process of encapsulating an HTTP GET request, sending it off, and decapsulating the reply. Each group will explain what their layer does when the packet hits their layer of the stack.
Slide 52
Module 3: The Link Layer
Slide 53
https://play.kahoot.it/#/k/0ecf4263-b94e-47dc-9a80-521d8b2b4bc6
When you click on the logo, a start screen will appear. The instructor will have the option to choose 1:1 play, where students use their individual devices, or shared devices for small groups. For more information on how to play Kahoot!, visit: https://files.getkahoot.com/academy/Kahoot_Academy_Getting_Started_Guide_2nd_Ed_-_June_2016.pdf
Slide 54
• There are two primary methods of connecting hosts to a LAN: wired and wireless.
Wired Connections
• Wired connections generally occur over Ethernet cables.
• Ethernet cables look like landline phone cables, except the connector is wider.
• Inside an Ethernet cable, there are eight individual wires, each of which connects to a separate “pin” at both ends of the cable.
Slide 55
• Most home routers have about four Ethernet ports available for device connections.
• These ports are technically a built-in switch.
• It is generally possible to set up wired connectivity to a network using only the home router.
• Ethernet tends to be considerably faster than wireless connections.
Slide 56
Wireless Connections
• Wireless connections occur over the air.
• The standard for wireless communication is 802.11, and there are several revisions to this standard.
• These revisions are denoted by letters (a/b/g/n/ac).
• Each revision supports different transfer speeds.
• 802.11g is about 14 years old (it was introduced in 2003).
• 802.11ac is relatively new.
• 802.11ac connections can be over 10 times faster than 802.11g connections.
Slide 57
Wireless Connections
• A wireless network is identified by an SSID, “Service Set Identifier.” You can think of this as being the wireless network’s “name.”
• Is your laptop connected to a wireless network right now? What's the SSID for that network?
• Important: If a client is trying to connect to a wireless network, it must use the same SSID that the wireless access point is broadcasting.
• If there is a mismatch, the client will be unable to join the network.
• Wireless networks may be unsecured. Any host can join an unsecured network.
• If you can avoid it, do not join a wireless network which is not secured by a password!
• Your traffic will be visible to anyone connected to the network, and on an unsecured network, that could be anyone at all.
Slide 58
• Wireless networks may also be secured, and there are a few different types of security.
Slide 59
• The WEP (“Wired Equivalent Privacy”) standard was introduced about 20 years ago.
• WEP is not considered secure anymore.
• A WEP password can be broken by an attacker in less than three seconds.
• The replacement for WEP is called WPA2.
• Why “2”?
  • WPA (“WiFi Protected Access”) was introduced as a transitional standard, compatible with older hardware that had previously only been used for WEP. Once older hardware was transitioned out of the marketplace, WPA was replaced with WPA2.
• Today, WPA2 is the de facto standard.
• WPA2 is most often specified with the PSK option. PSK stands for “Pre-Shared Key,” and this just means that you must enter a password for access to a Wi-Fi network secured in this way.
• Rule of thumb: if you are setting up a home wireless network, you should almost always specify WPA2 PSK.
Slide 60
• In this exercise, we will configure a simple wireless network with Packet Tracer using the best practices we discussed in the last module.
• Open the PT_WirelessPractice file.
• Click on the Wireless Router.
• Click on the tab at the top marked "GUI."
• This page is pretty similar to what you'll find on most home wireless access points.
• Give the wireless access point an internal IP address of: 192.168.0.254
• The subnet mask should be set to: 255.255.255.0
• Set the static DNS server to: 60.50.40.100
• Make sure that DHCP Server is enabled.
  • This will allow the wireless access point to automatically hand out IP addresses to devices that connect to the wireless network.
  • Remember: Automatic address assignment is normal for many networks, but it is also possible to set IP addresses manually (called static addressing).
• The DHCP server should start handing out addresses with: 192.168.0.5
• When you're finished making those settings changes, scroll to the bottom of the GUI page and click "Save Settings."
• At the top of the GUI, you should see a link labeled "Wireless." Click here to modify wireless settings.
• Configure an SSID for the network. It can be anything you like.
• Make sure to scroll down and save when you're done adding an SSID.
Slide 62
https://150566673.netacad.com/courses/487683/files/46796301/download?wrap=1
• Underneath the "Wireless" link, you should see a smaller link labeled "Wireless Security." Click on it; we're about to set some security options.
• For "Security Mode", select WPA2 Personal. Recall that this is the most secure mode available for most consumer hardware.
• Choose a passphrase, but be sure to remember it!
• Be sure to scroll down and save when you're finished.
• Close the window and click on the "Smartphone" device underneath the wireless router.
We're going to connect to our wireless network.
• At the top of the window that opens, click "Config."
• In the pane on the left, click on "Wireless0." If this is not visible, click on INTERFACE and it should be displayed.
• For the SSID, replace "Default" with the SSID you created on the Wireless Router.
Slide 63
https://150566673.netacad.com/courses/487683/files/46796301/download?wrap=1
• For Authentication, select WPA2-PSK (recall that "PSK" stands for "Pre-Shared Key", which is appropriate here because you are authenticating with a key that you came up with earlier).
• On the right, enter the password you created in the "PSK Pass Phrase" box.
• Your wireless network should be all set to go.
Slide 64
https://150566673.netacad.com/courses/487683/files/46796301/download?wrap=1
• Click on the "Desktop" tab at the top of the Smartphone window.
• Open the "Command Prompt" application.
• You should be able to ping 60.50.40.100. Does it work?
PT_WirelessPractice.pkt
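Slide 57 says the client must use exactly the SSID the access point broadcasts, and Slides 59 and 63 explain that WPA2-PSK authenticates with the passphrase you entered on both sides. As an added illustration that is not part of the AFA guide or the Cisco course, this script derives the 256-bit key that a WPA2-PSK access point and client each compute from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 rounds, as IEEE 802.11i specifies) and models why a mismatched SSID or passphrase cannot join; the SSID and passphrase values are constructed for the exercise.

```python
import hashlib
import hmac

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key (PMK) used by WPA2-PSK.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The access point and every client compute this locally from what was typed
    into their configuration; the passphrase itself is never sent over the air.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def client_can_join(ap_ssid, ap_passphrase, client_ssid, client_passphrase):
    """Model the association outcome in the Packet Tracer exercise.

    The client only ends up with a usable key when both its SSID and its
    passphrase match the access point's. In a real network the key comparison
    happens inside the 4-way handshake; the direct comparison here stands in
    for that exchange.
    """
    if client_ssid != ap_ssid:
        return False           # Slide 57: wrong SSID, the client never joins
    ap_key = wpa2_psk(ap_passphrase, ap_ssid)
    client_key = wpa2_psk(client_passphrase, client_ssid)
    return hmac.compare_digest(ap_key, client_key)

if __name__ == "__main__":
    # Constructed sample values for the lab, not real credentials.
    ap_ssid, ap_pass = "CyberCampLab", "correct horse battery staple"
    print("PMK:", wpa2_psk(ap_pass, ap_ssid).hex())
    print(client_can_join(ap_ssid, ap_pass, "CyberCampLab", ap_pass))    # True
    print(client_can_join(ap_ssid, ap_pass, "Default", ap_pass))         # False
    print(client_can_join(ap_ssid, ap_pass, "CyberCampLab", "wrongpass"))  # False
```

The second call is the situation the exercise warns about: a Smartphone still set to the SSID "Default" derives a key for the wrong network and never associates.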
Slide 65
https://play.kahoot.it/#/k/e781e168-5e89-42d0-939c-303dbdded245
When you click on the logo, a start screen will appear. The instructor will have the option to choose 1:1 play, where students use their individual devices, or shared devices for small groups. Need more information on how to play Kahoot? Visit: https://files.getkahoot.com/academy/Kahoot_Academy_Getting_Started_Guide_2nd_Ed_-_June_2016.pdf
Slide 66
There are three pages dedicated to Cisco Slide 66.
https://150566673.netacad.com/courses/487683/files/46885892/download?wrap=1
https://150566673.netacad.com/courses/487683/files/46676792/download
Open the Packet Tracer Final file on your computer and follow the on-screen instructions to proceed. The instructor will provide guidance on how to get started.
--------------------------------------------------------------------
Read instructions and test software before the activity.
Overview:
Instructors must download required software on to computers before the activity.
Ensure students have correct peer assignments with .
Open the Packet Tracer server .pka software.
Have students open client .pka files for their peer.
When connected to the Packet Tracer server, the Peer icon will turn blue.
Start the game on the provided Packet Tracer server .pka file.
Students begin the exercise.
Stop the game when the time is up.
Check scores.
Note: To function correctly, the Packet Tracer server and clients must be on the same network.
Because all networks are different, in some cases the scoring server could have issues connecting to the students’ clients and not show scores. If so, the instructors will check each student client for the individual scores.
Slide 66 Continued
Instructions for the Instructor:
Pre-work:
1- Download the latest version of Packet Tracer on each computer at https://www.netacad.com/group/offerings/packet-tracer
2- Assign each laptop a peer number, e.g., peer 1, 2, 3, 4, 5, ... 29, etc.
3- Download the client .zip file below and put the client .pka file on the laptops, or make it available for each team to download. There are 30 .pka files (0-29), one for each team. Each laptop needs to have a unique file (e.g., P1, P2, P3 ... P29) that aligns with the peer assignment given in the step above.
4- Load the server .pka file on the instructor’s laptop (below).
Advanced Camp 2017 client v19 Clients.zip
Advanced Camp 2017 Server v2.pka
5- All laptops need to be on the same network.
https://www.netacad.com/group/offerings/packet-tracer/
Instructor launches the server on this computer.
Students launch the client:
• Locate the cloud icon that reads “Peer” followed by a number (e.g., Peer33, with NO space between Peer and the number) and double-click on it.
• Connection Type: don’t change; it should be “Outgoing”.
• Enter the IP address of the Packet Tracer server (on the server host computer, type “ipconfig” to find the IP address).
• Peer port number remains the same (38000).
• Enter the Peer Network Name = the peer number you assigned to each laptop: “Peer1”, “Peer2”, “Peer3”, etc. The peer number will also be the same as the peer cloud in Packet Tracer when it is open, as well as in the .pka file name (...P1.pka).
• Password = “cisco”
• Click “connect”. The cloud will turn blue on both the client and the server. If the information is entered wrong, it will show as red.
If red, check that all the above is correct.
Slide 66 Continued
Once all clients are connected (blue on the server), click the “Start Game” button on the server (a separate little window that opens up). The instructions will pop up on the client, and the students can now click on the “Game” cloud to open the scenario.
NOTE: A timer is not built in. You can start a timer on your own so the students know how long they have to complete the task. It is recommended you give at least 1 hour. You will be able to track the progress of the players. Once the time has passed, click the “Stop Game” button.
During the competition, you will see progress bars for each user. It may not start at 0, and that is OK because everyone should start at the same place. Everyone can see each other student's progress, so keep in mind that scoring is not instantaneous.
The last task is to have each student save the file with a new name (File --> Save As --> name it with their name and peer number, no space).
The winner is determined by who completed the most tasks in the time given. The scoreboard should give the percentage for each student, but it does take time for the scores to become available. The team with the highest percentage wins.
If there is a scoring problem, you can open the Packet Tracer file in question on the student’s laptop (or copy the file to another laptop) and grade it manually. If no scores show up on the scoreboard, you will need to grade each Packet Tracer file manually: Extensions --> Activity Wizard --> password “Cyb3rCamp2017” --> Check Activity, Check Activity (again) --> Check Results (on the smaller window) --> Assessment Items and Connectivity Tests. This will tell you what the students did or did not get right based on the grading. Some of the activities they do will not be graded command-by-command but rather by a connectivity test.
NOTE: Chat is enabled.
This allows players to chat with each other as well as with the server. It is recommended that they do not use the chat.
Cisco Networking Instructor Post-Survey
Dear Camp Coordinators & Instructors,
Thank you again for taking the time to give us your valuable feedback on our AFA CyberCamp program. The Camp Coordinator/Instructor Post-Survey should take 5-10 minutes. See you all next summer!
2018 Instructor Post-Survey: https://www.surveymonkey.com/r/MZ7MBJH
SECURING NETWORKS, SECURING FUTURES
For more information on how to participate in the CyberPatriot National Youth Cyber Defense Competition, visit www.uscyberpatriot.org or contact info@uscyberpatriot.org