April 18, 2025

10 thoughts on “TECH 581 W Computer Network Operations: Laboratory 7, Team 4”

  1. As we all have learned throughout our undergraduate and graduate studies, you sacrifice security for usability. The abstract was not the required length as per the lab write-up given to us. BREAK UP YOUR PARAGRAPHS. Long paragraphs make it harder for the audience to read. Break it up. The literature review was not cohesive in the least bit. It read like a list. The team just stated the article’s name and then talked about the article. The professor told us numerous times NOT to do this. I don’t know about your comments that the professor gave you about your lab reports, but I know he has told other teams numerous times to not do this. For such long paragraphs and summaries about the articles, the team did not put citations in their literature review. What is NIST? Before putting acronyms you must spell out the acronym. I did not see the reasoning of putting the changes made in the lab report. This was done in previous labs and was not needed again. I am pretty sure that the system was supposed to be taken down before 5am on Sunday. The team did not follow the guidelines at all. From what team 4 states, they made a change on the system after the window started. This completely violates the rules for the lab experiment. Team 3 had every reason to cry foul. The professor was not even able to login to this team’s system. The account should have been made and tested before telling the professor that it existed. This means once again that the team did not follow the rules. I believe that with these problems, team 4’s lab report is invalid and nothing can be taken as word or as a learning program. Team 4 was not able to be stealthy when trying to put a file on team 5’s system. Team 5 was able to detect the attempted attacks. Team 4 stated issues that were already known. These were not real systems because they had no traffic running on them. The question is would traffic running make the systems more vulnerable?
This team did not create a lab report that could be duplicated. The references were formatted oddly. The required tags were not included in the submission of the lab report. Overall, this team did not follow many of the requirements of a lab report. I would say that for next time to change the formatting, but there is not another lab report in the future.

  2. The final lab presented by team four suffers from the same two major problems that most other labs have suffered from. To begin with, the abstract presented by team four is not the required length. It does explain the process to be completed by team four, but it is not the minimum two paragraph length. The syllabus states that any abstract shorter than two paragraphs will be judged as poor scholarship. The literature review provided by team four is also lacking. Team four has suffered from problems with their literature review since lab one. The literature review provided by team four is nothing more than a list of reviewed articles, a short explanation of each, and APA style citations. The extremely long paragraphs presented in team four’s literature review make the review very hard to read and understand. I also see no link between articles reviewed, or any indication of a connection to the steps of the lab process. By not being able to create any measure of cohesion among any of the articles reviewed throughout the entire course I am forced to question the academic nature of their lab reports entirely, and their level of commitment to the graduate level of scholarship required in this course. Due to the size of the literature review paragraphs I found that I was not able to completely read through the literature review, as it was very easy to get distracted by lack of any break in their writing. Team four does a good job of explaining the how and the what, like team three, of their methods section. They do kind of gloss over the who and the why, and completely miss the when and where of their discussion of methods. The point of an academic and scholarly methods section is to allow the experiment to be reproduced by anyone reading the write up that has the requisite knowledge. Without direct and concise answers to the questions of who, what, where, when, why, and how then reproduction for validation of the experiment is not possible.
In the methods section, I am forced to question the bullet point on changing the IP address since it makes no sense to me. “Changed the IP address from 192.168.4.1 to 192.168.4.44 and the IP address on the network was 205.215.116.33.” Was the IP address changed from 192.168.4.1 to .4.44 or 205.215.116.33? This point makes no sense, and I question team four’s understanding of IP networks. The findings section provided by team four shows an overview of the items that team four found throughout the course of the lab; I agree with their findings as they are valid, and consistent with most findings from the reports by the other teams in the course. In the issues section of team four’s lab report, they list systems being hardened to the point of uselessness. I disagree with that issue. The VM locked down by team two was actually still very usable at the completion of the step to secure it, and at the completion of the lab. The conclusions presented by team four do not list anything about patch policy; with a good patch policy, automated exploits are generally almost impossible.

  3. The abstract makes only passing mention about forensics at all. Since this lab is about forensics, or anti-forensics to be more precise, the activities of the lab should be related to anti-forensics. The literature review is, again, lengthy summaries of each of the assigned readings with little cohesion or comparison to the lab activities. One exception to this was the discussion on the red teaming paper assigned in lab two. This showed good research on team four’s part. In addition to the summaries of the articles, team four does give their opinion on the content in the readings. The one paper that was tied to the lab activities was Eoghan Casey’s paper on security breaches, though the team makes the statement that it seemed to be a secondary article. This particular reading was what lab seven was all about.

    Team four’s methodology described in detail the steps used to secure the machine and, unlike other groups, referenced the specific document that was used to select the specific security settings (though an APA in-text citation was not present). The attacking details were also very well documented as to the specific commands or tools used, but there was little detail or reasoning given for the specific exploits that were being attempted. The ordered lists are a good way of visualizing the various attack methods used but should be backed up with text describing what the purpose of each attack was. Also, in the methodologies, there are frequent mentions of “passive reconnaissance” being employed against the target system but no further detail is given. Is this just simply packet captures?

    I agree with the issue that the target machines weren’t used enough to be considered “active” so that they generated network traffic. Had this been a requirement, it would have been possible to, at least, determine the operating system and possibly patch levels. This same idea is echoed again in the conclusion. The group mentions the lack of usability of their system but never makes any specific mentions of what particularly was difficult to use on it. Judging from the security methods implemented the system should have been able to browse the web, access file shares on other computers, and run standard productivity applications.

  4. Team 4 did a nice job with their abstract in that it discussed what they intended to do in lab 7. I think more detail would have been beneficial. The introduction to their literature review gave a good summary of what the articles were about and how they related to lab 7. Their literature review itself, however, read like a list and summary of the articles and didn’t compare and contrast the literature to the lab activities.
    The methods section is very detailed and does a good job of explaining how they plan to perform their testing. They did a real nice job of detailing their attacking methods. The way they listed their various attack methods was good in that it helped me to visualize what they were attempting to do.

  5. I found team four’s report for this exercise rather well done. The literature review was lengthy, and some issues noted in the previous exercise’s review were corrected. Additionally, the review was more than just a summary of articles, and some comparing amongst the articles was present, along with application to the exercise itself. The methodologies section was sufficiently detailed: I was left with few questions as to what this team had done or how it was accomplished. I also thought this team’s idea of encrypting log files an interesting idea, one which appeared to be a unique innovation which stood out from the rest of the other teams.

    A few issues do exist with the write-up however. The literature review suffers from poor paragraph form: the massive paragraph style is still present from early writing, and is difficult to read. Further, it seems some of the information in the results section should be in the methodologies section. I realize this appears to be an issue in which all parties critiquing the writing will never be satisfied, as no consistent opinion emerges. We as team three have, due to criticism, moved nearly all “action based” activities into the ‘methodology’ section, and now receive complaints that items from the methodology sections belong in results: so, it truly may be a ‘no win’ situation for this team also in this regard.

    I must comment that I believe this team showed real effort in pursuing an attack against their target. I think this team realized, although it is not specifically mentioned, that very little was to be gained by using passive means against the target under the circumstances. I think this is specifically apparent when this team switched from obfuscated scanning methods (such as ‘IP spoofing’) to direct attack. It seems other teams did not realize that the limitations of the environment also provided opportunity. For instance, a VM’s MAC address could be changed at whim; coupled with the DHCP present on the network used for the exercise, IP addresses essentially became ‘disposable.’ One could perform an active attack from one IP address with a VM, shut down and change the MAC configurations, and assume a new IP address identity on the network. This showed, as this team apparently realized, that no real gain was to be had in using stealth in scanning or attempting network based exploits.

    Finally, though I find the use of encryption for log files interesting, I wonder at the details of this arrangement. Did this team use the built-in Windows EFS? If so, due to the automatic use of private keys associated with an account, this may have provided little additional security. See the description of the system here: http://technet.microsoft.com/en-us/library/bb457116.aspx . Specifically, if an attacker did succeed in gaining administrative privileges, assuming that these log files were encrypted using this account, they would have automatic access to these files. A further consideration: Microsoft indicates substantial overhead exists in maintaining an “on the fly” encrypted file; the overhead of this in conjunction with verbose recording settings might have opened up your system to an external logging induced denial of service attack. An interesting approach, nonetheless: I might investigate this matter further for practical application.

  6. Team 4 begins their lab 7 report by discussing the tradeoff between security and usability. They then state their objectives for this lab. The first objective is to harden a system that they had created in lab 1 using a NIST document. The second objective is to attempt penetration on another team’s system. The third and final objective is to conduct a forensic evaluation of the system to determine any attacks which may have occurred.

    Team 4 begins their literature review by stating that the assigned readings are somehow connected to forensics on penetration testing. This assessment I believe is a bit too specific. Although forensic evaluation is covered in the readings, the greater theme is on securing systems. The first article that they review is Defense of the Dark Arts (Bailey, Coleman, Davidson, 2008). They describe this article as proposing a computer course on computer security and defense. Because of the controversy involved in the class, students were taught more from a defense perspective than an attack perspective. They relate this article to our current course in the way that it teaches defense from the perspective of the attacker.

    The next article that they review is Cyberattacks: A Lab-Based Introduction to Computer Security (Minkley, 2006). They describe this article as teaching security from a defense perspective. They relate the article to Defense of the Dark Arts (Bailey, Coleman, Davidson, 2008) as both articles pertain to teaching how to defend a system. However, Defense of the Dark Arts (Bailey, Coleman, Davidson, 2008) is geared toward IT professionals. They defend the use of a system security class for non-IT professionals by stating that everyone who uses a computer should know how to defend it.

    Team 4 continues their literature review with Breaking Blue: Automated Red Teaming Using Evolvable Simulations (Upton, Johnson, McDonald, 2004) and Red Teaming: A Proposed Framework for Military Application (Seng, Lian, Su-Han Victor, 2007). Team 4 takes the stand that automated red teaming can be used as a first step, but should not be the only method of analysis. I agree with this statement. A computer simulation cannot account for every possible way in which a system’s security can be breached. Human intervention is still needed for analysis.

    Team 4 reviews the article Investigating Sophisticated Security Breaches (Eoghan, 2006) next. They describe the article as giving an overview of system forensics and the limitations that impact its effectiveness. The article points out that most organizations are not properly configured to conduct a forensics operation. They relate this to our current lab assignment and explain how their own target system has been set to include several logging mechanisms.

    The last article that Team 4 reviewed is A Protocol Preventing Blackbox Tests of Mobile Agents (Hohl & Rothermel, 1999). They describe the article as offering two methods to prevent an attempted penetration using blackbox. They relate the article to our current lab, as we are attempting to prevent penetration from outside intruders.

    Team 4 begins their methodology section by restating the objectives of this lab: to attempt to penetrate an opposing team’s system while defending their own. They state that they chose the Windows XP SP3 system to harden as their target system. They hardened the system using NIST document SP800-68. Team 4 described several methods that they used to harden the system in addition to those contained within the NIST document. They also described several methods that they used in attempting to penetrate the opposing team’s system. They give a good explanation of each method used.

    In the results section Team 4 discusses the forensic evaluation of the system that they had set as a target. They detected numerous port scans of their system. They also mention that the team that was targeting their system questioned whether or not they had enabled a firewall during the exercise. Admittedly, some of the anomalous results of port scans may have been due to the massive amount of ARP poisoning and IP address spoofing that was occurring within the Citrix environment. Team 4 was able to prove that their system had the firewall enabled from the beginning of the exercise by the firewall logs.

    Team 4 continues their results section by discussing their attempts to breach the system they were targeting. Passive reconnaissance methods proved unfruitful due to the lack of network traffic generated from the target machine. They used active reconnaissance methods in the use of port scanning and discovered port 3389 was open. They attempted several exploits on port 3389 but were unsuccessful in penetrating the target system. They do not include an explanation of the service that may be using port 3389.

    Team 4 concludes by discussing how the target systems set up in this laboratory assignment were hardened to the point of being unusable. They conclude that operating systems left to themselves are secure. The systems become insecure when applications and human intervention become involved. I agree with this assessment. Our own research through the various lab assignments has shown that security vulnerabilities come from the application layer of the OSI model, or from human interaction with the system.
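The firewall-log evidence that comment 6 describes (port scans detected, and the logs used to show the firewall was on from the start) can be checked mechanically. The script below is an added example, not code from team 4’s report or any commenter: it parses the Windows XP firewall log format (pfirewall.log, with its #Fields header) and flags any source that probes many distinct ports in a short window. The log lines are constructed samples; the 192.168.4.x addresses and the port 3389 activity only echo the write-up.

```python
"""Added example (not from team 4's report or any commenter): parse the
Windows XP firewall log (pfirewall.log) and flag port scans the way comment 6
describes the team doing by hand. Log lines below are constructed to mimic
the XP log format; the 192.168.4.x addresses echo the lab write-up."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: the header the XP firewall writes, a burst of dropped
# SYNs from one host against many ports, then ordinary RDP (3389) traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-04-05 02:10:01 DROP TCP 192.168.4.10 192.168.4.44 41001 21 48 S 10001 0 65535 - - - RECEIVE
2009-04-05 02:10:01 DROP TCP 192.168.4.10 192.168.4.44 41002 22 48 S 10002 0 65535 - - - RECEIVE
2009-04-05 02:10:01 DROP TCP 192.168.4.10 192.168.4.44 41003 23 48 S 10003 0 65535 - - - RECEIVE
2009-04-05 02:10:02 DROP TCP 192.168.4.10 192.168.4.44 41004 80 48 S 10004 0 65535 - - - RECEIVE
2009-04-05 02:10:02 DROP TCP 192.168.4.10 192.168.4.44 41005 135 48 S 10005 0 65535 - - - RECEIVE
2009-04-05 02:10:02 DROP TCP 192.168.4.10 192.168.4.44 41006 139 48 S 10006 0 65535 - - - RECEIVE
2009-04-05 02:10:03 DROP TCP 192.168.4.10 192.168.4.44 41007 445 48 S 10007 0 65535 - - - RECEIVE
2009-04-05 02:10:03 OPEN-INBOUND TCP 192.168.4.10 192.168.4.44 41008 3389 - - - - - - - - -
2009-04-05 02:15:30 OPEN-INBOUND TCP 192.168.4.20 192.168.4.44 50123 3389 - - - - - - - - -
2009-04-05 02:16:00 DROP UDP 192.168.4.20 192.168.4.44 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # blank line, #Version, #Software, #Time Format
        if fields is None:
            raise ValueError("data record precedes the #Fields header")
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed records
            yield dict(zip(fields, values))


def first_record_time(records):
    """Earliest timestamp in the log: evidence of when logging (and so the
    firewall) was active, the point comment 6 says the team argued."""
    return min(f"{r['date']} {r['time']}" for r in records)


def find_port_scans(records, min_ports=5, window_seconds=60):
    """Return {src-ip: sorted distinct dst-ports} for every source that hit
    at least min_ports distinct ports within any window_seconds span."""
    per_src = defaultdict(list)
    for r in records:
        if r["protocol"] not in ("TCP", "UDP"):
            continue  # ICMP records carry '-' in the port columns
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        per_src[r["src-ip"]].append((ts, int(r["dst-port"])))
    scans = {}
    for src, events in per_src.items():
        events.sort()  # sliding window over time-ordered events per source
        for i, (start, _) in enumerate(events):
            hit = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hit) >= min_ports:
                scans[src] = sorted(hit)
                break
    return scans


if __name__ == "__main__":
    recs = list(parse_firewall_log(SAMPLE_LOG))
    print("logging active since", first_record_time(recs))
    for src, ports in find_port_scans(recs).items():
        print(f"possible scan from {src}: {len(ports)} ports {ports}")
```

The thresholds are deliberately loose for a lab network; on a production host the window and port count should be tuned against normal traffic so legitimate clients connecting to several services are not flagged.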

  7. The team starts off with their abstract for this lab and explains what is going to occur. The abstract was simple and to the point. They did make a brief point about how security affects usability but it was one sentence and was the second sentence of the paragraph. This is an interesting subject that keeps occurring in security. This could have been defined clearly and better set up the abstract if this was the first sentence. Next the team moves onto the literature review. By writing this each week it is assumed that the peer reviews are not read by this group. When reading the literature it was again broken apart by each individual piece of literature. There was a small paragraph at the beginning that described an overall combined subject of the papers. This should be expanded and the literature used as stepping stones to discuss the topic and the literature. When reading the reviews there is some discussion about them but most of it is just regurgitating what the author wrote in a more condensed version. Next the group moves onto the methodology section. Within this section they describe the steps they took to secure their machine. Then they described their plans to exploit team 5’s machine. They included the exploits they were going to use and the commands for each exploit. The next section went on to their findings. Within the findings section they described the attacks against the target system. They also listed an issue that they had with a firewall on the target system; this should have been included within the issues and problem section. They go on to say that they tried to exploit one port that they found but were unsuccessful. Was the team looking for newer exploits besides the ones that were already programmed into the tools that they were using? Could this have changed the outcome? They go on to give their issues and then conclude.
In their conclusion, I am going to agree that this is not a real representation of how systems are and users are sending and receiving traffic more often. But this was also something to show how when systems are too secure they give up usability and this lesson can be learned for future use in the workplace. Yes, companies want their systems secure but at what cost till the system is unusable?

  8. Team four’s abstract explains what will be done with the lab. It may be me, but something in the wording makes me uncomfortable. I can’t quite put my finger on it.

    The team’s literature review is verbose. It makes attempts to discuss the relevancy of the articles and even hints at evaluative thought, but misses the mark repeatedly. Did Bailey et al really give up on examining viruses, or just integrate other things? What was the point of using DOS scripts? There was a reason. Holland-Minkley is one person. Her whole last name is Holland-Minkley. Why do you think Upton et al’s description of red teaming was so broad? Were they even really studying IT security, or was the idea a little more abstract? I didn’t see any case studies in Hohl and Rothermel. Where were they?

    The team’s methods are repeatable where hardening the machine is concerned. Why did you have to uninstall applications? There should have been nothing on the machine. Did you make the account lockout 0 or 3? You state that there was an account set up for the professor to access the system. Was this originally configured and presented to Professor Liles as the lab instructed, or did the team do this retroactively in response to complaints?

    The attack plan is unclear. You list several tools but don’t explain how you used them in your attack plan. Is ARP poisoning really passive reconnaissance? Did you run this attack? If so, it may explain the confusion on the part of team five and two where exploiting team one is concerned.

    The team has information in their findings section that belongs in methods. You explain what you attempted and why passive scanning does not work. You need more separation when discussing the two sides of the lab. It is hard to tell who is scanning what.

    In your issues section you complain that you were forced to change settings. However your inability to follow directions impacted the usability of your machine.

  9. I think that group 4’s write-up for lab 7 was poor. The abstract for this lab was adequate and provided a short overview of the lab. The literary review was good and adequately reviewed the material. Group 2 answered all of the required questions for each reading. All of the citing for the literary review was done well and all of the pages were included. For this lab, the group answered all of the required questions and provided a good amount of detail on the steps they used to attempt to exploit a system. However, what they did was wrong. The group played around with a lot of tools that they shouldn’t have, unless they know how to use them. As other groups have stated it appears that a lot of ARP poisoning had been done (also indicating IP conflicts), which wasn’t needed (passive scanning can be performed in Ettercap without the need to poison). In fact it could be detrimental to other groups. By performing MITM attacks, a DoS could have been brought about. Also, I think this is where our IP address mix-up came about. ARP poisoning can have packets sent to the “host in the middle” if they are not re-arped correctly after poisoning. Did the group use an XP SP0 machine to perform the attacks? If so, this might give some speculation to what virtual machine Teams 2 and 5 ACTUALLY attacked. Overall, I feel that this lab was not performed correctly and COULD be to blame for IP mix-ups. Finally, the conclusion was adequate and summarizes what was covered.

  10. Similar to other teams, this team also selected Windows XP SP3 as their machine to be exploited. This team followed two guidelines from NIST, SP800-68 and the policy template that accompanies the document. The team gave a list of changes that were done to their machine. The team did what the other teams did to protect their Windows XP operating system. They disabled file and print sharing, turned on XP’s firewall, changed user accounts and passwords. This team did indicate that they changed the account lockout to zero and reset account lockout to reset after thirty minutes. Team three only had two accounts, one admin and one user. This team renamed the administrator account, changed the password, then disabled the account. It almost seems useless to modify the administrator account if the account is going to be disabled.
    The team used several tools for attacking their opposing team’s machine. They used a combination of Wireshark, p0f, EzPWN, Nmap, Ettercap, Nessus, TCP/IP commands, password crackers, Metasploit and Cain and Abel. The last tool mentioned, Cain and Abel, which does ARP poisoning, might explain why team one mentioned having problems with IP. This team reported no success with exploiting the other team’s machine.
