Setting Up Websites in virtnet
virtnet allows for quick deployment of Linux nodes in a virtual network using VirtualBox. Those nodes, which are set up in a chosen network topology, can then be used to explore different network and security technologies. To test software and protocols, having a website on one of the nodes is useful. In the following I show some quick ways to deploy simple demo websites within virtnet.
The Apache web server and MySQL database server are already installed on every node. When you deploy a website in the following sections, the servers are started automatically. However, if you need to manually start (or stop) a server, you can use the following commands.
To start Apache web server:
sudo systemctl start apache2.service
To start MySQL database server:
sudo systemctl start mysql.service
You can also stop or restart either server by replacing start with stop or restart in the above commands.
To deploy a simple, static website on any node run:
sudo bash ~/virtnet/bin/vn-deploywebindex
This creates demo web pages in the directory /var/www/html and starts the Apache web server. The demo web pages consist of:
The pages have links between each other. They are all static HTML (there is no PHP or use of MySQL).
MyUni is a slightly more complex website, using PHP and MySQL, to provide logins and forms for staff/students to access course grades. It was built to demonstrate web application attacks, such as SQL injection, CSRF and cookie stealing.
Deploying (the real) MyUni
Although the MyUni website can be deployed on any node, the web application attack demos use topology 7, with MyUni deployed on node4. In the following I assume you have already created topology 7.
On node4, run:
sudo bash ~/virtnet/bin/vn-deployrealmyuni
This copies the web pages to /var/www/html, loads data into the necessary databases, and starts the Apache and MySQL servers.
Deploying the Fake MyUni and FreeStuff Websites
Some of the web application attack demos involve a malicious user running a fake MyUni site and another website called FreeStuff. Again, this assumes you use topology 7. These two sites should be deployed on node5.
On node5, run:
sudo bash ~/virtnet/bin/vn-deployfakemyuni
This copies the web pages (for both the fake MyUni and FreeStuff) to /var/www/html and starts the Apache server.
Inside virtnet all nodes have IP addresses, but there is no DNS. However, since it is an internal internet, we can use any domain name for hosts by using the /etc/hosts file. Note, however, that every node that will make a request (e.g. run client software) must have the domain/IP mappings set in its /etc/hosts file. In the latest versions of virtnet, the /etc/hosts file includes the following mappings for the websites:
192.168.2.21 www.myuni.edu
192.168.2.22 www.freestuff.com
192.168.2.22 www.myuni.edu.gr
In topology 7 this corresponds to MyUni on node4 and fake MyUni and FreeStuff on node5. If you use a different topology you may have to change the IP addresses.
If the /etc/hosts file does not contain the above values, or you want to change them, then you can edit the file with a text editor:
sudo nano /etc/hosts
Change the IP addresses and domain names as you wish. Remember that you should make the changes on all nodes (or at least the nodes that will run clients).
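To confirm that a node has the mappings listed above before running a client on it, the following added example (not part of virtnet) parses hosts-file text and reports each expected name as ok, missing or conflicting. The function names, the sample text and the 192.168.1.11 address are constructed for illustration; the expected values are the topology 7 mappings from this page.

```python
# Mappings this page lists for topology 7 (MyUni on node4; fake MyUni and
# FreeStuff on node5). Change them if you use a different topology.
EXPECTED = {
    "www.myuni.edu": "192.168.2.21",
    "www.freestuff.com": "192.168.2.22",
    "www.myuni.edu.gr": "192.168.2.22",
}

def parse_hosts(text):
    """Map every hostname or alias in hosts-file text to the set of IPs listed for it."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank line, or an address with no name
        for name in fields[1:]:
            names.setdefault(name.lower(), set()).add(fields[0])
    return names

def check_mappings(text, expected=EXPECTED):
    """Return {name: 'ok' | 'missing' | 'conflict: <ips>'} for each expected name."""
    found = parse_hosts(text)
    report = {}
    for name, ip in expected.items():
        # Whole-name lookup: www.myuni.edu.gr must not satisfy www.myuni.edu,
        # which a substring search of the file would allow.
        ips = found.get(name, set())
        if not ips:
            report[name] = "missing"
        elif ips == {ip}:
            report[name] = "ok"
        else:
            report[name] = "conflict: " + ",".join(sorted(ips))
    return report

# Constructed sample: a node with a stale www.myuni.edu entry and no .gr entry.
SAMPLE = """\
127.0.0.1 localhost
192.168.1.11 www.myuni.edu   # constructed stale address
192.168.2.22 www.freestuff.com
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, status in check_mappings(text).items():
        print(f"{name:20} {status}")
```

Run it with /etc/hosts as the argument on each node that will act as a client; with no argument it checks the constructed sample.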
On node1, visit http://www.myuni.edu/grades/. The grading system has the following features:
- Login: a set of users and passwords are stored in the MySQL database. The initial values are (username,password):
- Grading system that allows students to view their grades, and faculty (steve) to both view and edit grades. The initial courses are: its323, its335, css322, coit20262, coit20263, coit20264.
- Desired Security Policy:
  1. A user that is authenticated (logged in) can see the scores for either a selected course (by entering the course code) or for all of their courses (by leaving the course code blank).
  2. Non-authenticated users cannot see any scores.
  3. Authenticated users cannot see scores of other users, with the exception of (4).
  4. User steve (a faculty member) can see the scores of any users. He is the special user that can enter the student ID of another user and see their scores.
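The four policy rules above, in the order listed, written as one server-side authorization check. This is an added example, not MyUni's own code (which is PHP/MySQL and is not shown on this page); it assumes an in-memory SQLite copy of the coursegrades table with rows taken from the sample output on this page, and open_db, view_grades and FACULTY are hypothetical names.

```python
import sqlite3

FACULTY = {"steve"}  # the page names steve as the faculty user

# Constructed sample data: rows copied from the coursegrades output on this page.
ROWS = [
    ("5012345678", "css322", "B"), ("5012345678", "its323", "C"),
    ("5012345678", "its335", "A"), ("s1234567", "coit20262", "D"),
    ("s1234567", "coit20263", "D"), ("s1234567", "coit20264", "C"),
]

def open_db():
    """In-memory stand-in for webdemo_grades (assumption: SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coursegrades (studentid TEXT, coursecode TEXT, grade TEXT)")
    db.executemany("INSERT INTO coursegrades VALUES (?, ?, ?)", ROWS)
    return db

def view_grades(db, session_user, course_code="", student_id=""):
    """Return the (coursecode, grade) rows the policy lets session_user see.

    session_user is the identity from the server-side login session (None if
    not logged in); course_code and student_id are untrusted form fields.
    """
    # Rule 2: non-authenticated users cannot see any scores.
    if session_user is None:
        raise PermissionError("login required")
    # Rules 3 and 4: only faculty may ask for another user's scores.
    target = session_user
    if student_id and student_id != session_user:
        if session_user not in FACULTY:
            raise PermissionError("cannot view another user's scores")
        target = student_id
    # Rule 1: one course if a code is entered, all courses if it is blank.
    # Form values are bound as parameters, so they are only ever compared as data.
    sql = "SELECT coursecode, grade FROM coursegrades WHERE studentid = ?"
    params = [target]
    if course_code:
        sql += " AND coursecode = ?"
        params.append(course_code)
    return db.execute(sql + " ORDER BY coursecode", params).fetchall()

if __name__ == "__main__":
    db = open_db()
    print(view_grades(db, "5012345678", "its335"))
    print(view_grades(db, "steve", student_id="s1234567"))
```

The identity whose scores are returned always comes from the login session unless the session user is faculty, so a student cannot widen the result by changing a form field.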
There is also a special web page that redirects users to external websites: www.myuni.edu/grades/redirect.php?url=www.example.com
Adding New Users or Courses
When the database for MyUni is created, it is populated with an initial set of users and course grades. If you want to add more, you can use SQL commands. To start the MySQL client on node4:
mysql -u root -p webdemo_grades
The password is network.
Now in the MySQL prompt you can run queries. Below is sample output that illustrates how to insert a new user and grades.
network@node4:~$ mysql -u root -p webdemo_grades
Enter password: network
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
+--------------------------+
| Tables_in_webdemo_grades |
+--------------------------+
| coursegrades             |
| users                    |
+--------------------------+
2 rows in set (0.00 sec)

mysql> insert into users values ('scott','s3cr3T');
Query OK, 1 row affected (0.01 sec)

mysql> select * from users;
+------------+----------+
| username   | password |
+------------+----------+
| 5000000000 | student  |
| 5012345678 | student  |
| s0000000   | student0 |
| s1234567   | student7 |
| scott      | s3cr3T   |
| steve      | mysecret |
+------------+----------+
6 rows in set (0.00 sec)

mysql> insert into coursegrades values ('scott','coit20262','F');
Query OK, 1 row affected (0.01 sec)

mysql> select * from coursegrades;
+------------+------------+-------+
| studentid  | coursecode | grade |
+------------+------------+-------+
| 5000000000 | css322     | D+    |
| 5000000000 | its335     | B+    |
| 5012345678 | css322     | B     |
| 5012345678 | its323     | C     |
| 5012345678 | its335     | A     |
| s0000000   | coit20262  | F     |
| s0000000   | coit20263  | C     |
| s1234567   | coit20262  | D     |
| s1234567   | coit20263  | D     |
| s1234567   | coit20264  | C     |
| scott      | coit20262  | F     |
+------------+------------+-------+
11 rows in set (0.00 sec)
Created on Fri, 03 Mar 2017, 11:17am
Last changed on Fri, 03 Mar 2017, 11:17am