| Number | Name | User | E-mail |
|---|---|---|---|
| 1103808 | João Miguel Nogueira | https://github.com/Dageus | mailto:joao.miguel.nogueira@tecnico.ulisboa.pt |
| 1103145 | Nathaniel Prazeres | https://github.com/NathanPrazeres | mailto:nathaniel.prazeres@tecnico.ulisboa.pt |
| 1102948 | Alexandre Duarte | https://github.com/Crashim03 | mailto:alexandreteloduarte@tecnico.ulisboa.pt |
This repository contains documentation and source code for the Network and Computer Security (SIRS) project.
The REPORT document provides a detailed overview of the key technical decisions and various components of the implemented project. It offers insights into the rationale behind these choices, the project's architecture, and the impact of these decisions on the overall functionality and performance of the system.
This document presents installation and demonstration instructions.
To see the project in action, it is necessary to set up a virtual environment with 3 networks and 4 machines.
The following diagram shows the networks and machines:
All the virtual machines are based on: Linux 64-bit, Kali 2024.4
Download and install a virtual machine of Kali Linux 2024.4. If the pre-built machine does not work, download the ISO and install it manually. Clone the base machine to create the other machines.
For each machine, there is an initialization script named after the machine, with prefix `init-` and suffix `.sh`, that installs all the necessary packages and makes all required configurations on a clean machine. These scripts must be run with `bash init-(...).sh`.
Next we have custom instructions for each machine.
Download `controller.zip` from the repo's latest release.
Unzip it to a folder.
```sh
unzip controller.zip -d controller
```
If needed, modify the `.env` file.
Run the init-script:
```sh
bash init-controller.sh
```
Running `init-controller.sh` will add `go-server 192.168.0.100` to `/etc/hosts`; change it if needed.
The server and database could each be on their own machine, in a separate network, but for simplicity they are all on this one.
The server has an exposed API, with some endpoints for clients and others for admins.
The database is MongoDB.
The control panel is a CLI for admins.
First, download server.zip and control-panel.zip from the repo's latest release.
Unzip both files to a folder of your choice (they must be in different folders):
```sh
unzip server.zip -d server
unzip control-panel.zip -d control_panel
```
If needed, modify each `.env` file (changing ports, hostnames, etc.).
In the server folder run:
```sh
bash init-server.sh
```
Running `init-server.sh` will add `go-controller 192.168.2.100` to `/etc/hosts`; change it if needed.
This will set up the machine and start the database and the server. If you close the server, run:
```sh
./server.bin
```
In another terminal run:
```sh
bash init-control-panel.sh
```
Running `init-control-panel.sh` will add `go-server 192.168.0.100` to `/etc/hosts`; change it if needed.
Then you can use `control-panel.bin` to execute commands.
Example:
```sh
./control-panel.bin access-level (username) (accessLevel)
./control-panel.bin revoke (accessLevel)
```
Download `client.zip` from the repo's latest release.
Unzip it to a folder:
```sh
unzip client.zip -d client
```
Change `.env` if needed (server port, server URL, etc.).
Run `init-client.sh`:
```sh
bash init-client.sh
```
This script will also add `go-server 192.168.0.100` to `/etc/hosts`; change it if needed.
If the server is up, you can register a user:
```sh
./client.bin register (username)
```
Run `./client.bin` for more commands.
We will try a number of different attacks. To follow our scenarios, download `client.zip` and `control-panel.zip` and follow the previous instructions to install them.
Now that all the networks and machines are up and running, you can use the client to create, edit and list notes.
Usage example:
```sh
./client.bin create "To-do list" "Get groceries"
```
The note can be read with `./client.bin read "To-do list"`.
All the app state is stored in `~/.local/state/notist/`, including all the notes. A note is automatically encrypted when it is created. Calling `./client.bin read` on a note decrypts the file at runtime and prints it.
Now, if I want to edit the note, I can just call:
```sh
./client.bin edit "To-do list" "Get groceries\nFeed the cat"
```
Notice that the modification date and version changed.
To sync with the server, use `./client.bin sync`.

An attacker got the controller app that should only be available to admins. They found out that it sends commands to protected endpoints. Their plan is to create a user and then grant them the highest level of access.
First they create a user named `test`.
```sh
./client.bin register test
```
Then they try to give that user access level 2:
```sh
./control-panel.bin access-level test 2
```
But it failed.
This is because the server has ufw enabled, so the port used for the admin-only API is not exposed outside of its machine.
Below is the tcpdump of the attacker trying to access that port:
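As an added example (not this project's own code), the Go sketch below shows an application-level source check that would complement the ufw rule, so admin endpoints stay closed even if the firewall rule is removed. The allowlist, the route `/admin/access-level`, the helper names and the peer addresses are assumptions made for illustration; only `192.168.0.100` comes from this README.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

var adminAllowed = []netip.Prefix{ // assumed: loopback + go-server's own address
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("192.168.0.100/32"),
}

// sourceAllowed reports whether the TCP peer is inside an allowed prefix.
func sourceAllowed(remoteAddr string) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false // fail closed
	}
	for _, p := range adminAllowed {
		if p.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

// adminOnly trusts only r.RemoteAddr, never headers like X-Forwarded-For.
func adminOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !sourceAllowed(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func probe(peer string) int { // hypothetical admin route, constructed peer address
	req := httptest.NewRequest(http.MethodPost, "/admin/access-level", nil)
	req.RemoteAddr = peer
	req.Header.Set("X-Forwarded-For", "127.0.0.1") // spoofed, must be ignored
	rec := httptest.NewRecorder()
	adminOnly(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe("192.168.0.100:40000"), probe("192.168.1.50:40001")) }
```

The server's own address gets through, while a peer on another network is rejected with 403 regardless of the forwarded header it sends.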
We use SemVer for versioning.
This project is licensed under the MIT License - see the LICENSE.txt for details.






