Lab #2: Red Team Exercise - ackSec/DC26 GitHub Wiki
Lab #2 - Red Team Exercises
Navigate to DC26/red-team-exercises by typing
cd ~/DC26/red-team-exercises
Run the script to build the environment:
sudo -E python buildRedTeam.py
It should look something like this:
Now open a new tab and copy/paste the URL from the workstation tab into it. This will open a new terminal window like this one:
Now check that our attacker Docker containers were started by typing the command
sudo docker ps -a
It should look something like the screenshot below. Once you have confirmed that both mn.attacker1 and mn.attacker2 are running, you can interact with them by entering the command:
sudo docker attach mn.attacker1
Here are the running Docker containers and the root command prompt you get when you attach to one of them:
Today we're going to be using a couple of kits developed by some awesome security folks. First we'll be looking at sdnpwn. Maintainer Site
Navigate to the sdnpwn.py directory and run the command:
./sdnpwn.py mods
This will show you the modules available for our use as shown below:
As an attacker we are first going to try and explore our environment. Let's see if we can figure out that we're actually inside an SDN. Run the following two commands. The first will show you information about the module, and the second will actually run it:
As you can see, based on the RTT of the packets, the system was able to detect that we are inside an SDN. The controller-detect module will now help us fingerprint the SDN controller. Run the following command:
./sdnpwn.py controller-detect -i attacker1-eth0 --lldp -v -d
This will take a minute or two to run as it's capturing, timing and fingerprinting LLDP messages. The output should look like this:
There are many other attacks that can be done within this system using these frameworks. Feel free to explore them and try some things out!
For the next few parts of this exercise we are going to attack the controller via the command channel. Exit the Docker container by typing:
exit
Your command prompt should look like this:
Change to the sdnpwn directory and run the setup script as shown above.
To test that the installation worked, as well as to see some of the other capabilities, run the below command:
./sdnpwn.py of-gen info
This is a toolkit for crafting packets which enables us to perform fuzzing on the controller to fingerprint flows, or force unexpected behavior.
Next, we're going to have a very brief look at the core code that can assist in spoofing an OpenFlow switch. This tool can be used to gather info on flows, to "lie" to the controller, or to add rogue devices to the network. The following command navigates out of the sdnpwn directory and runs a separate program. This was developed by Gregory Pickett, and more information can be found in the comments inside the code.
python ~/DC26/red-team-exercises/of-switch.py $CONTROLLER_IP -p 6653
This will set up a temporary switch, and with minimal modifications to the code, it can be used to host any number of rogue devices as shown below:
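From the defender's side, the handshake of a spoofed switch is what you would want to catch. The following is an added example (not part of the lab, sdnpwn, or of-switch.py) that audits constructed controller handshake records against an allow-list of known datapath IDs and their management addresses; the log format, datapath IDs and IP addresses are all assumptions made up for this illustration.

```python
"""Flag unexpected OpenFlow switch connections to a controller.

Added example, not part of the DC26 lab or of sdnpwn/of-switch.py.
The log line format, datapath IDs, peer addresses and the allow-list
below are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed controller log lines (the format is an assumption).
SAMPLE_LOG = """\
2018-08-10T10:00:01Z switch-connected dpid=0000000000000001 peer=10.0.0.11:41234 ofp=1.3
2018-08-10T10:00:01Z switch-connected dpid=0000000000000002 peer=10.0.0.12:41235 ofp=1.3
2018-08-10T10:05:42Z switch-connected dpid=0000000000000001 peer=10.0.0.99:55555 ofp=1.0
2018-08-10T10:06:10Z switch-connected dpid=00000000000000aa peer=10.0.0.99:55556 ofp=1.3
"""

# Allow-list: datapath ID -> management IP the real switch connects from.
KNOWN_SWITCHES = {
    "0000000000000001": "10.0.0.11",
    "0000000000000002": "10.0.0.12",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) switch-connected dpid=(?P<dpid>[0-9a-f]{16}) "
    r"peer=(?P<ip>[\d.]+):(?P<port>\d+) ofp=(?P<ofp>[\d.]+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    dpid: str
    peer_ip: str
    reason: str


def audit_switch_connections(log_text: str, known=KNOWN_SWITCHES):
    """Return one Alert per handshake that does not match the allow-list.

    Two cases matter when a tool spoofs a switch: an unknown dpid (a rogue
    device) and a known dpid arriving from the wrong address (impersonation
    of a real switch).
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a handshake record; ignore
        dpid, ip = m["dpid"], m["ip"]
        expected = known.get(dpid)
        if expected is None:
            alerts.append(Alert(m["ts"], dpid, ip, "unknown datapath id"))
        elif ip != expected:
            alerts.append(Alert(m["ts"], dpid, ip,
                                f"known dpid from unexpected peer (expected {expected})"))
    return alerts
```

Running `audit_switch_connections(SAMPLE_LOG)` on the constructed log yields two alerts: the real dpid 0000000000000001 reconnecting from 10.0.0.99, and the unknown dpid 00000000000000aa.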
Feel free to explore the other tools in the kit. Some require tweaking, some require OpenFlow version changes, but it's a great framework and starting point for developing your own SDN attack tools and methods.