Background

The exam for the Network Security lecture is approaching and by eavesdropping a conversation with Prof. Schmitt's teaching assistant, you learned that the exam is on a private web server in the DISCO network which is only accessible via a secret URL.  Since you are the infamous hacker H4X0R, you managed to trick Prof. Schmitt into revealing his password for an SSH server in his lab by using social engineering techniques. Unfortunately, Prof. Schmitt does not use this password for his personal computer, which is the actual target since the secret URL for the exam is only stored in Prof. Schmitt's browser. The only things you know is that the web server and Prof. Schmitt's personal computer are in the same network as the compromised SSH server and that Prof. Schmitt is a control freak and is checking the exam for updates on a regular basis.

Hack Challenge

Since you are too lazy to study properly for the exam, you are desperately trying to get the exam from the web server. Therefore, the first steps of this hack challenge are:

• Break into the private DISCO network using the stolen password.
• Find Prof. Schmitt's personal computer.
• Eavesdrop on Prof. Schmitt's communication with the web server.
• Steal the secret URL and download the exam.

After you managed to steal the exam, you figured out that the webserver's configuration is really bad and allows certain denial of service attacks. Since you are an evil master mind and like to troll people, you decide to launch a denial of service attack to prevent Prof. Schmitt from checking the exam. The final step of this hack challenge is:

• Launch a denial of service attack on the web server and prevent Prof. Schmitt from checking the exam for at least 1 minute (will be detected by our IDS). You can check if it works by simply trying to access the webserver yourself (with your browser).

Since H4X0R is a poser and wants to show off with what he has achieved, send an email to the teaching assistant Carolina with the secret exam attached (do not change the filename!) and the time when you launched the denial of service attack. Also mention the IP addresses of Prof. Schmitt's PC and the Webserver in the mail.

Organization

You will still work in the same group as for the PhyLiSec workshop. To make sure that groups do not interfere with each other while hacking on the server, we have to make sure that only one group is working on it at a time. Therefore, you have to make reservations for the server in this Doodle poll: http://doodle.com/poll/u7cp74wkxznczkhy. Please enter the matriculation numbers of all your group members (comma separated) in the name field. The server can be booked in 2h slots. In order to give each group a chance to work on the server, groups are only allowed to make two reservations for now. If you need more time after these two slots, please contact This email address is being protected from spambots. You need JavaScript enabled to view it.. You will receive the IP and the credentials for your timeslot via email when your session starts.

Once you finished the challenge, one of your group must send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. as a proof of success. The email must contain the matriculation numbers of your group, the stolen PDF, the date and time when you launched the DoS attack, and the IP addresses of Prof. Schmitt's PC and the secret URL. When we received this email and verified your success, you passed this part of the Network Security exercise and you are one step closer to the exam.

If you encounter any problems or if you get stuck, first check the Network Security slides and try using Google. Only if you really tried solving the problem yourself without success, ask Carolina. She can give you hints or (if necessary) meet with you and assist you in solving the challenge.

Tools

To provide you a starting point, here is a list of linux commands and tools installed on the compromised server:

• ifconfig: network configuration
• hping3: send (almost) arbitrary TCP/IP packets to network hosts
• ettercap: multipurpose sniffer/content filter for man in the middle attacks
• slowhttptest: HTTP Denial Of Service attacks simulator
• nmap: Network exploration tool and security / port scanner
• arp: manage ARP cache
• tshark: command-line version of Wireshark (supports filtered output, e.g. tshark "not port 22" for filtering SSH traffic generated by you)

If you want to know how these tools work, enter "man COMMAND" or use Google. There is plenty of good documentation around! Also "COMMAND --help" usually gives you a good overview of the respective tool.