Lab 1 - Getting Acquainted with the IPv6 Security Class Lab Environment Quizes And aAnswers

Lab 1 - Getting Acquainted with the IPv6 Security Class Lab Environment DESCRIPTION This lab is the first in a series of labs that will be performed in this course. It serves as a primer for some key tasks that will be undertaken repeatedly during the training session, such as connecting to a system, or running Wireshark. It also serves as a chance to fully explore the network topology and systems present within the environment. IMPORTANT NOTE: These lab instructions are written from the perspective of site 1 Athens. There are ten sites in the lab environment (athens, rome, berlin, paris, etc...). Each site has its own IP address scheme. If you are using a site other than Athens to perform this or subsequent labs for this course, be sure to reference the topology diagram and IP tables for that site so you will be able to make proper IP address adjustments. WHAT TO TURN IN: Submit the following in the separate Lab 1 Deliverables document provided in Canvas. ⦁ Your completed table in EXERCISE 1, TASK 1.C ⦁ Your Wireshark output from EXERCISE 1, TASK 8.G OBJECTIVES ⦁ Get initial hands-on with the lab environment ⦁ Learn how to access the site router (athens-rtr) ⦁ Learn how to access the site Windows7 PC (athens-pc) and open a command window ⦁ Learn how to access the site server (athens-srv) ⦁ Learn how to access the site “Attacker” system (athens-sec1) ⦁ Learn how to launch Wireshark and filter packets captured and displayed EXERCISES ⦁ Prepare for the lab ⦁ Lab cleanup TOOLS/AIDS The standard IPv6 Security Lab environment, consisting of ten sites, each equipped with a Windows7 PC, a Fedora Linux server, a Fedora Linux “attacker”, and a head-end Cisco router. There is also a core network and a datacenter with systems that play various roles in the training. LAB STARTING CONDITIONS You will need a reservation in the IPv6 training lab environment to perform this lab. You may use any of the ten sites in the lab environment for this lab. Note that the IP addresses in the instructions that follow are from the Athens site. If you are using any site other than Athens, refer to the master lab topology and IP tables for the proper IP addresses for your site. EXERCISE 1: Prepare for the Lab EXERCISE DESCRIPTION: This exercise will prepare the lab environment for the start of the security class labs. Verification or changes will be made to athens-rtr, athens-pc, athens-srv, and athens-sec1 (Attacker). TASK 1: Prepare Site Router for Lab TASK DESCRIPTION: Configure the lab router for the exercises to come, as discussed below. ⦁ Connect to the site router for your site using the method and credentials provided by the instructor. When done a terminal window, for the Cisco Command-line Interface (CLI), should be ready to accept commands. ⦁ At the router # prompt, load the clean dual-stack configuration with the “conf replace nvram:” command, entering “Y” to confirm. Then save the configuration using “wr mem”. ⦁ Next, collect and note the router interface (IF) L2 MAC addresses. Write the information in the area provided, and plan to keep this information handy to refer to throughout the class. Only the step of gathering information for “g0/3/0” is shown, but collect information for all the router interfaces. Site Name: Node Global Static IID Global and Link- Local IID L2 MAC rtr (G0/0) rtr (G0/1) rtr (G0/3/0) pc srv sec1 TASK 2: On athens-pc, Configure Static Address TASK DESCRIPTION: Configure a global-scope IPv6 static address for the LAN interface. ⦁ Click on the “Windows Start icon”, then “Control Panel”, then “Network and Sharing Center”, and then “Change adapter settings”.    Click on “Local Area Connection 3” (number may be different on each PC), and then “Properties”.  ⦁ Highlight “Internet Protocol Version 6 (TCP/IPv6) (it is already checked – do not change that), and then “Properties”. ⦁ Configure the correct static IPv6 address for the PC in the given student site. For athens-pc the address is “2001:db8:11:10::10”. Set the “Subnet prefix length” to 64. Do not set anything for “Default gateway”, as the PC will use Stateless Address AutoConfiguration (SLAAC) to dynamically learn the default route. Then click on “OK”, then “close”.   ⦁ Finally, close the dialog window for the Control Panel Network Connections by clicking the red “X”.  TASK 3: On athens-pc, Launch an Administrative-mode Command Prompt TASK DESCRIPTION: Open a command window. ⦁ Right-click on the “Command Prompt” icon, and then right-click on the popup where it reads “Command Prompt”. Finally, right click on “Run as administrator”. EXAMINE: In the training labs always open the Command Prompt with Administrator privileges. Most tasks performed on the labs require this level of permission. ⦁ This dialog will be displayed, asking for confirmation to launch the program at the higher (Administrator) privileges. Click on “Yes”. ⦁ The command window opens. TASK 4: Prepare athens-pc for Lab (Win7) TASK DESCRIPTION: Prepare the PC for the lab. There are multiple individual tasks which need to be performed. Once all tasks have been performed the PC will be rebooted. ⦁ Prepare to turn off Microsoft Windows “Random IIDs”. This will make it simpler to keep track of various system messages and IP packets by L2 address. Examine the current state and address information for the Local Area Network connection using the command “ipconfig /all”. Notice in this view that the Interface IDs (IIDs) for the autoconfigured “IPv6 Address” and the “Link-Local IPv6 Address” do not embed the L2 MAC in EUI-64 format. Notice there is also a “Temporary IPv6 Address”, which is the Privacy Address. Figure 1: Screen Capture taken from Athens-PC ⦁ Disable these two features using these commands listed below, and also shown in the command window shown below. “netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent” “netsh interface ipv6 set privacy state=disabled store=persistent” (Note:It may take serval reboots before Windows uses the EUI IID based on the MAC. You may have to try using the first command by itself for it to work.) ⦁ Reboot the PC using the command “shutdown /r /t 2” typed into the command window. Windows will shut down and reboot. While the PC reboots proceed to the next task, which takes place on a different lab machine. EXPLAIN: During development sometimes these steps did not “take” the first time, and the process to run the “netsh” command had to be done again, and the reboot done again. Very strange – no explanation yet. TASK 5: On athens-srv, Connect to Server to Note Addresses TASK DESCRIPTION: Connect to the site Linux server (athens-srv) and complete the steps below. ⦁ Connect to the site Linux server for the student site using the method and credentials provided by the instructor. When done a terminal window, and a command prompt should be present. ⦁ Connect to athens-srv and record the IPv6 and L2 MAC addresses attached to the eth0 interface in the space provided. Figure 2: Screen Capture taken from Athens-Srv TASK 6: On athens-srv, Eliminate Static Default Route TASK DESCRIPTION: Complete the steps below. ⦁ Examine the IPv6 routing table using the command netstat –rn –A inet6. There should be 2 default routes, one is statically assigned and the other is learned via SLAAC. Figure 3: Sceen Capture taken from Athens-Srv (partial in length and in width – the actual command window has more columns) ⦁ Edit the configuration file for the static route using the command “vi /etc/sysconfig/network- scripts/ifcfg-eth0”. Figure 4: Screen Capture taken from Athens-Srv ⦁ Once in the editor, comment out the line with the “IPV6_DEFAULTGW” directive. Then save the file and quit the editor. Comment out the line by adding a “#” character in front of the line. ⦁ Position the cursor to the front of the line ⦁ Type “i” to insert, then type the “#” character ⦁ Prese <Esc> to return to command mode ⦁ To save and quit vi type “zz” ⦁ Restart the networking subsystem using the command service network restart. Then examine the IPv6 routing table again. There should now be only one default route through “fe80::1”. Figure 5: Screen Capture taken from Athens-Srv (partial) EXPLAIN: By the way, both Linux and Windows support, in terminal windows, using the “up arrow” to recall previous commands. This can be a real timesaver when running the labs. TASK 7: Prepare “sec1” (Attacker) PC for Lab (Linux) TASK DESCRIPTION: Prepare the Linux system playing the role of the attacker for the lab. There are multiple tasks to perform. ⦁ Connect to the athens-sec1 Linux “Attacker” platform (Linux Fedora) for the student site using the method and credentials provided by the instructor. When done a terminal window, and a command prompt should be present. ⦁ Verify that there is a static default route plumbed through “fe80::1”, using the command “more /etc/sysconfig/network-scripts/ifcfg-eth0 | grep DEFAULTGW” to check the relevant configuration file. The line with the directive “IPV6_DEFAULTGW” should not be commented out. Because the Attacker Linux system will sometimes be acting as a router it should either have a plumbed static route or be running a routing protocol. Figure 6: Screen Capture taken from Athens-Sec EXPLAIN: When Linux has IPv6 forwarding enabled it does not learn routes via a received Router Advertisement (RA). ⦁ Verify that IPv6 forwarding is enabled on the “eth0” interface, using the command sysctl -a | grep 6 | grep ".forwarding". This is a real-time look at the kernel parameter controlling IPv6 forwarding. The value “1” means that forwarding is enabled. Figure 7: Screen Capture taken from Athens-Sec ⦁ Check the “eth0” interface. There should be global-scope static and link-local IPv6 addresses. Note that when Linux has IPv6 forwarding enabled the host is acting more like a router, so it does not perform SLAAC, in the same manner that a router does not perform SLAAC. Figure 8: Screen Capture taken from Athens-Sec ⦁ Record the interface information for athens-sec1 on the worksheet, including the IPv6 addresses and the MAC address. TASK 8: Reconnect to the athens-pc to Check Addresses, Note Addresses TASK DESCRIPTION: Reconnect to the Site-PC and verify that the randomized IIDs and temporary addresses are no longer in use. Record the IPv6 addresses on the PC for later reference. Open a command window and examine the interfaces. Record the IPv6 addresses in the space provided. Figure 9: Screen Capture taken from Athens-PC TASK 9: On athens-pc, Launch Wireshark and Observe Arriving RAs – Wireshark Primer TASK DESCRIPTION: Launch Wireshark and learn about how it works, as described below. ⦁ Click on the Wireshark icon to launch the program. ⦁ Choose “Capture” to define capture parameters. ⦁ Choose “Interfaces”. ⦁ Choose “Options”. ⦁ Enter “icmp6” for the “Capture Filter”. Click on “Start” to start the capture. ⦁ This is the resulting Wireshark view. Figure 10: Screen Capture taken from Athens-PC EXPLAIN: Wireshark is capturing all ICMPv6 packets, per the capture filter applied earlier. Note the mix of echo-request, echo-reply, Router Advertisement (RA), Neighbor Solicitation (NS), and Neighbor Advertisement (NA) messages. These are all ICMPv6 messages. The specific messages displayed in the lab are a little different each time, so your results will not be exactly the same.