Tero Karvinen - Learn Free software with mehttps://terokarvinen.com/Tero Karvinen - Learn Free software with meen-usThu, 11 Feb 2021 15:14:38 +0200https://terokarvinen.com/img/favicon.pngTero Karvinen - Learn Free software with mehttps://terokarvinen.com/Tunkeutumistestaus 2024https://terokarvinen.com/2024/eettinen-hakkerointi-2024/Wed, 13 Mar 2024 11:12:20 +0200https://terokarvinen.com/2024/eettinen-hakkerointi-2024/ <p>Learn to hack computers to protect your own. In the course, you will break into target computers.</p> <p>Excellent feedback, reached 5.0 out of 5. <img src="https://terokarvinen.com/img/five-stars-15.png" alt="Full five stars"></p> <table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Course name and code</td> <td>Tunkeutumistestaus <a href="https://opinto-opas.haaga-helia.fi/course_unit/ICI005AS3A">ici001as3a</a>-3005</td> </tr> <tr> <td>Timing</td> <td>2024 <strong>period 4</strong> late spring, w13-w20</td> </tr> <tr> <td>Credits</td> <td>5 cr</td> </tr> <tr> <td>Classes</td> <td><strong>Mon 08:15</strong> - 13:45, Pasila <strong>pa2004</strong></td> </tr> <tr> <td>Max students</td> <td>30</td> </tr> <tr> <td>Language</td> <td>Finnish (+reading material in English)</td> </tr> <tr> <td>Remote</td> <td>No, fully contact in Pasila classroom pa2004</td> </tr> <tr> <td>Feedback</td> <td><strong>5.0</strong> / 5 Excellent feedback* <img src="https://terokarvinen.com/img/five-stars-15.png" alt="Five star experience"></td> </tr> <tr> <td>Services</td> <td><a href="https://hhmoodle.haaga-helia.fi/course/view.php?id=40262">Moodle: Tunkeutumistestaus</a>, Laksu. Voluntary extra: <a href="https://terokarvinen.com/newsletter/">Tero's list</a>.</td> </tr> <tr> <td>First class</td> <td><strong>2024-03-25 w13 Mon</strong>, pa2004</td> </tr> </tbody> </table> <p>* Best instance 5.0/5, every student gave feedback and every feedback was 5. Lowest 4.5/5 excellent, typical 4.9/5 excellent. </p> <p><em>Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws.</em></p> <p><em>Teaching is in Finnish, so the rest of this page will be in Finnish.</em></p> <p><em>Tunkeutumistestaus on eettisen hakkeroinnin kurssi. Opit, miten murtaudutaan tietokoneille, jotta voisit suojata omat ja toimeksiantajan järjestelmät. Nämä tekniikat, ohjelmat ja taktiikat ovat luvallisia vain tietyissä tilanteissa. Usein pitää hankkia lupia ja tehdä sopimuksia. Lisäksi näiden tekniikoiden turvalliseen käyttöön tarvitaan teknistä taitoa. Perehdy itse paikallisiin lakeihin.</em></p> <!--more--> <img src="https://terokarvinen.com/2024/eettinen-hakkerointi-2024/its-raining-shells_hu2c3b7a67c2932fbb741bb11b3701e922_3206_200x200_fit_box_3.png" width="139" height="134" alt=" " class="imgOne center"> <h2 id="oppimistavoitteet">Oppimistavoitteet</h2> <p>Opintojakson suoritettuaan opiskelija</p> <ul> <li>Tuntee tunkeutumistestauksen prosessin pääpiirteissään</li> <li>Tietää, että tunkeutumistestaukselle on lailliset ja eettiset rajat</li> <li>Osaa kartoittaa kohdejärjestelmän haavoittuvuuksia</li> <li>Osaa hyödyntää valmiita hyökkäyksiä (exploit) ja liittää niihin hyötykuorman käyttäen kurssille valittua työkalua</li> <li>Osaa soveltaa tavallisimpia hyökkäyksiä weppisovelluksia vastaan, kun kohdeohjelmistot ovat helppoja ja haavoittuvia.</li> <li>Osaa hankkia tunkeutumistestauksessa tarvittavia ohjelmistoja</li> </ul> <p>Kurssilta ei saa mukaansa ilmaista pakettia nollapäivähaavoittuvuuksia, eikä kurssi anna mitään erityisoikeuksia eikä ammattinimikkeitä.</p> <h2 id="aikataulu">Aikataulu</h2> <p>Maanantaisin 08:15 Pasilassa luokassa pa2004. Aloitamme aina 08:15, vaikka joku vierailija tulisikin mukaan myöhemmin.</p> <table> <thead> <tr> <th>Päivä</th> <th>Aihe</th> </tr> </thead> <tbody> <tr> <td>2024-03-25 w13 ma</td> <td>Tunkeutumisen yleiskuva. Järjestäytyminen. Kybertappoketju.</td> </tr> <tr> <td>(2024-04-01 w14 ma)</td> <td>(Toinen pääsiäispäivä, ei opetusta.)</td> </tr> <tr> <td>2024-04-08 w15 ma</td> <td>Aktiivinen tiedustelu. Porttiskannaus ja oheistekniikat. Valvonta snifferillä.</td> </tr> <tr> <td>2024-04-15 w16 ma</td> <td>Salasanojen murtaminen. Valmiiden hyökkäysten käyttö. Etähallinta.</td> </tr> <tr> <td>2024-04-22 w17 ma</td> <td>Nikita Ponomarev, WithSecure: 9-13:45 Attacking Windows and Active Directory *.</td> </tr> <tr> <td>2024-04-29 w18 ma</td> <td>Otto Ebeling, Critical Section: 10-11:30 Cracking Cryptocurrency. Weppipalveluihin murtautuminen.</td> </tr> <tr> <td>2024-05-06 w19 ma</td> <td>Riku Juurikko, Elisa: 9-11 Social Engineering (en). Mika Rautio: 12-13:45? Incident of/in the Cloud. Weppihyökkäyksen apuvälineitä: Välimiesproxy, fuzzeri.</td> </tr> <tr> <td>2024-05-13 w20 ma</td> <td>Lipunryöstö, arvioitava laboratorioharjoitus.</td> </tr> </tbody> </table> <p>Tämä on edistynyt kurssi, joten tuntien aiheisiin voi tulla muutoksia kurssin edetessä.</p> <p>* Prerequisites you should have for Nikita's presentation</p> <ul> <li><a href="https://terokarvinen.com/2022/cracking-passwords-with-hashcat/">Breaking passwords</a></li> <li>Controlling a computer with RDP, the remote desktop protocol</li> <li>Generate reverse shell with msfvenom</li> <li>Receiving a reverse shell using meterpreter or ncat</li> </ul> <h2 id="kertausmateriaalia">Kertausmateriaalia</h2> <p>Tämä materiaali on vapaaehtoista, jos osaat ne jo. Lähteet ovat esimerkkejä, voit osata/opetella nuo asiat mistä vain haluat.</p> <ul> <li>TCP/IP-pino: <a href="https://en.wikipedia.org/wiki/Internet_protocol_suite">Wikipedia: Internet protocol suite</a></li> <li>Linuxin komentokehote: <a href="https://terokarvinen.com/2020/command-line-basics-revisited/">Command Line Basics Revisited</a> (ja Linuxin asennus <a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Install Debian on VirtualBox</a>)</li> <li>Tietokantojen alkeet (millä vain alustalla): <a href="http://terokarvinen.com/2016/postgresql-install-and-one-table-database-sql-crud-tutorial-for-ubuntu">PostgreSQL Install and One Table Database - SQL CRUD tutorial for Ubuntu</a></li> <li>Ohjelmoinnin alkeet (millä vain kielellä): FreeCodeCamp.org: Javascript Algorithms And Data Structures Certification: Basic JavaScript: <a href="https://learn.freecodecamp.org/javascript-algorithms-and-data-structures/basic-javascript">Introduction to JavaScript</a></li> </ul> <h2 id="luettavaa-ja-linkkeja">Luettavaa ja linkkejä</h2> <p>€ Maksulliset aineistot saattavat näkyä ilmaiseksi <a href="http://libguides.haaga-helia.fi/az.php">Haaga-Helian tunnuksilla kirjaston</a> kautta. <a href="https://www.oreilly.com/library/view/temporary-access/">Haaga-Helialla on käyttöoikeus O'Reilly Learning -kirjoihin (ent. Safari)</a>.</p> <p>Työkaluja kurssille</p> <ul> <li><a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Install Debian on VirtualBox</a></li> <li><a href="https://terokarvinen.com/2020/remote-learning-tools-for-my-courses/">Remote Learning Tools for Tero's Courses</a></li> <li><a href="https://www.kali.org/">Kali Linux</a>. Uusi levykuva <a href="https://cdimage.kali.org/kali-2021.1/kali-linux-2021.1-live-amd64.iso">kali-linux-2021.1-live-amd64.iso</a> (vanha levykuva <a href="https://cdimage.kali.org/kali-2020.3/kali-linux-2020.3-live-amd64.iso">kali-linux-2020.3-live-amd64.iso</a>). Kun linkki menee vanhaksi, etsi Kalin kotisivulta tuorein amd64-arkkitehtuurin live-tikun iso-kuva.</li> </ul> <p><a id="L2">L2 weppihyökkäyksiä - tukee läksyä h2</a></p> <ul> <li> <p><a href="https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010-2017%20(en).pdf">OWASP 10 2017 (pdf)</a>, erityisesti ne hyökkäykset, joita aiot kohta tehdä eli A2 Broken Authentication, A3 Sensitive Data Exposure, A7 Cross Site Scripting; sekä viime kerralla harjoiteltu A1 Injection.</p> </li> <li> <p>€ Santos et al 2018: Hacking Web Applications The Art of Hacking Series LiveLessons (video): Security Penetration Testing for Today's DevOps and Cloud Environments: <a href="https://learning.oreilly.com/videos/hacking-web-applications/9780135261422/9780135261422-hwap_01_06_03_00">6.3 Understanding SQL Injection</a> ja <a href="https://learning.oreilly.com/videos/hacking-web-applications/9780135261422/9780135261422-hwap_01_06_04_00">6.4 Exploiting SQL Injection Vulnerabilities</a> sekä <a href="https://learning.oreilly.com/videos/hacking-web-applications/9780135261422/9780135261422-hwap_01_05_00_00">Lesson 5: Authentication and Session Management Vulnerabilities</a></p> </li> <li> <p>€ Percival &amp; Samancioglu 2020: The Complete Ethical Hacking Course (video): <a href="https://learning.oreilly.com/videos/the-complete-ethical/9781839210495/9781839210495-video21_1">Chapter 21: Cross Site Scripting</a></p> </li> <li> <p><a href="https://lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf">Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains</a></p> </li> </ul> <p>Yleiskuva, harjoitusmaaleja, web</p> <ul> <li><a href="https://attack.mitre.org/">MITRE ATT&amp;CK</a></li> <li><a href="https://darknetdiaries.com/">Darknet Diaries</a> . Podcastien kuunteluun kännykällä <a href="https://f-droid.org/en/packages/de.danoeh.antennapod/">AntennaPod löytyy F-Droidista</a></li> <li><a href="http://terokarvinen.com/2019/mitmproxy-on-kali-and-xubuntu-attack-and-testing">MitmProxy on Kali and Xubuntu</a></li> <li><a href="http://terokarvinen.com/2020/install-webgoat-web-pentest-practice-target">Install Webgoat 8 - Learn Web Pentesting</a>. (It's also possible to install <a href="http://terokarvinen.com/2019/install-webgoat-pentest-learning-tool-on-ubuntu-with-docker">old version</a> 7 of WebGoat with Docker).</li> <li><a href="https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010-2017%20(en).pdf">OWASP 10 2017 (pdf)</a>. Tällä hetkellä 2021-02-02 uusin versio.</li> </ul> <p>Aktiivinen tiedustelu. HackTheBox.</p> <ul> <li> <p>€ Santos et al: <a href="https://learning.oreilly.com/videos/the-art-of/9780135767849">The Art of Hacking (Video Collection)</a>: [..] <a href="https://learning.oreilly.com/videos/security-penetration-testing/9780134833989/9780134833989-sptt_00_04_03_00">4.3 Surveying Essential Tools for Active Reconnaissance: Port Scanning and Web Service Review</a></p> </li> <li> <p>man nmap (laaja, silmäily riittää)</p> </li> <li> <p>Kokonaisia blogeja ja videokanavia, vilkaise, ei tarvitse katsoa 200 h videota:</p> <ul> <li><a href="https://tools.kali.org/tools-listing">https://tools.kali.org/tools-listing</a></li> <li>0xdf <a href="https://0xdf.gitlab.io/">https://0xdf.gitlab.io/</a></li> <li>ippsec <a href="https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos">https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/videos</a></li> <li>John Hammond <a href="https://www.youtube.com/user/RootOfTheNull/videos?sort=p">https://www.youtube.com/user/RootOfTheNull/videos?sort=p</a></li> <li>Youtube-videoiden katseluun kännykällä <a href="https://f-droid.org/packages/org.schabi.newpipe/">NewPipe F-Droidista</a>. Youtube-videoiden nopeuden säätöön <a href="https://addons.mozilla.org/en-US/firefox/addon/videospeed/">codebicycle Video Speed Controller</a> addon Firefoxille.</li> </ul> </li> </ul> <p>Passwords, Learning to Learn tools</p> <ul> <li>infosecn1nja 2020: <a href="https://github.com/infosecn1nja/Red-Teaming-Toolkit">Red-Teaming-Toolkit</a></li> <li>Taylor et al 2018: The Art of Hacking: <a href="https://learning.oreilly.com/videos/the-art-of/9780135767849/9780135767849-SPTT_06_00">Hacking User Credentials</a> €</li> </ul> <p>Web Fuzzing, Second to Last Words</p> <ul> <li>Hoikkala &quot;joohoi&quot; 2020: <a href="https://github.com/ffuf/ffuf">ffuf - Fast web fuzzer written in Go</a></li> <li>Hoikkala &quot;joohoi&quot; 2020: Still Fuzzing Faster (U fool). In <a href="https://www.twitch.tv/helsec">HelSec Virtual Meetup #1</a>.</li> <li>Miettinen 2020: iPhone BFU Acquisition and Analysis. In <a href="https://www.twitch.tv/helsec">HelSec Virtual Meetup #1</a>.</li> </ul> <p>Metasploit</p> <ul> <li> <p>€ Jaswal 2020: Mastering Metasploit - 4ed: <a href="https://learning.oreilly.com/library/view/mastering-metasploit-/9781838980078/B15076_01_Final_ASB_ePub.xhtml#_idParaDest-30">Chapter 1: Approaching a Penetration Test Using Metasploit</a> (kohdasta &quot;Conducting a penetration test with Metasploit&quot; luvun loppuun)</p> </li> <li> <p>Karvinen 2018: <a href="https://terokarvinen.com/2018/install-metasploitable-3-vulnerable-target-computer/">Install Metasploitable 3 – Vulnerable Target Computer</a> (Article uses rapid7/metasploitable3-ub1404 , see also &quot;rapid7/metasploitable3-win2k8&quot;)</p> </li> </ul> <h2 id="laksyt">Läksyt</h2> <p>Palauta linkki Laksuun 24 h ennen seuraavaa lukujärjestykseen merkittyä kurssivarausta. Tehtävät ovat pakollinen ja tärkeä osa kurssia.</p> <p>Läksyt ovat virallisia vasta, kun ne on vahvistettu (yleensä oppitunnin päätteeksi). Tämä on edistynyt kurssi, joten ohjelmaan tulee yleensä muutoksia kurssin aikana. Osa tehtävistä edellyttää huolellisuuden lisäksi tietoja ja taitoja työkalujen käytöstä, jottei synny vahinkoja - tee vasta, kun tiedät oikeat työtavat.</p> <p>Läksyt käydään läpi seuraavalla tapaamiskerralla, ratkotaan yhdessä ongelmia ja annetaan suullista palautetta. Arvosana kotitehtäväpaketista tulee vasta kurssin lopuksi, mutta tehtävät tulee silti palauttaa aina vuorokautta ennen seuraavia tunteja. Julkaiseminen on vapaaehtoista, mutta erittäin suositeltavaa. Jos et jostain syystä uskalla tai muuten halua julkaista, voit laittaa työn weppisivulle salasanan taakse (kaikille kotitehtäville sama salasana) ja jakaa tämän salasanan kurssilaisten kanssa. Jos tuntien yhteydessä järjestetään testejä läksyjen aiheista, niiden pisteet sisältyvät arvostelun kohtaan läksyt.</p> <p>Läksyt pitää tehdä tietokoneella kokeilemalla ja raportoida tapahtumien kulku, ellei kyseisessä alakohdassa erikseen muuta lue. Raportti tulee kirjoittaa samalla, kun työskentelee.</p> <p>Kaikki käytetyt lähteet tulee merkitä raporttiin: kurssin tehtäväsivu, kurssikavereiden raportit, man-sivut, kirjat. Mikäli tekoälyltä kysyy neuvoa, se on merkittävä lähteeksi. Tekoälyt hallusinoivat, tiedot on suositeltavaa tarkistaa. Tiivistelmiä tai esseitä ei saa generoida tekoälyllä eikä muilla vastaavilla tekniikoilla, vaan ne on kirjoitettava itse.</p> <p>Tehtäviä saa aloittaa vasta, kun on hyväksynyt kurssin säännöt.</p> <h3 id="h0">h0</h3> <h3 id="h1">h1</h3> <h3 id="h2">h2</h3> <h3 id="h3">h3</h3> <h3 id="h4">h4</h3> <h3 id="h5">h5</h3> <h3 id="h6">h6</h3> <h3 id="h7">h7</h3> <h3 id="h8">h8</h3> <h2 id="adminstrivia">Adminstrivia</h2> <p>Sprial shell icon by Emoji One, received under CC-by 4.0 international license.</p> <p>This page will keep updating during course.</p>Final Lab for Linux Palvelimet 2024 Springhttps://terokarvinen.com/2024/arvioitava-laboratorioharjoitus-2024-linux-palvelimet/Tue, 12 Mar 2024 07:52:28 +0200https://terokarvinen.com/2024/arvioitava-laboratorioharjoitus-2024-linux-palvelimet/ <p>This is the evaluated lab exercise for Linux Server course. Student had an empty virtual Linux installation and free use of public Internet.</p> <p>Course <a href="https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/">Linux palvelimet</a> is in Finnish, so the rest of this page is in Finnish.</p> <h2 id="ohjeita">Ohjeita</h2> <p>Tervetuloa <a href="https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/">Linux-kurssin</a> viimeiseen labraan!</p> <p><strong>Tasatunnein tavataan</strong> kurssin videokonffassa.</p> <p>Tehtävä alkaa <strong>tyhjästä Linux-virtuaalikoneesta</strong>. Koneella saa olla virtualisointiympäristön tuki (esim VirtualBox Guest additions), tulimuuri ja oletuksena asennuksen mukana olevat paketit. Kaikki ohjelmat saavat olla päivitettynä. Muita paketteja ei saa olla. Jos koneellasi on vahingossa joitain muuta, keskustele siitä Teron kanssa.</p> <p>Harjoituksessa <strong>saa käyttää julkisista lähteistä löytyvää materiaalia</strong>. Sallittuja lähteitä ovat esimerkiksi kaikki julkiset kotitehtäväraportit ja Teron kotisivut. Omia paikallisia muistiinpanoja ei saa käyttää. Harjoitus on yksilötyö, joten tehtävistä keskustelu ja yhteistyö kesken harjoituksen on kielletty.</p> <p>Harjoituksen on tarkoitus olla hauska loppuhuipennus ja tarjota paljon haasteita kaikille kolmeksi tunniksi. Jotta luokan nopeimmillakin on tekemistä koko ajaksi, tehtäviä on enemmän kuin mitä useimmat ehtivät ratkoa. Siksi harjoituksesta voi siis saada erinomaisen tuloksen, vaikka ei ratkoisikaan kaikkia kohtia täydellisesti.</p> <p><strong>Testaamatta == tekemättä</strong>. Tee ja raportoi jokaisesta tekemästäsi asiasta testi, joka osoittaa, että tehty asia toimii. Tee sellainen testi, joka on mahdollisimman lähellä loppukäyttäjän tai tilaajan käyttöä.</p> <p>Tallenna raportti kotihakemistoosi nimellä <strong>report/index.md</strong> . Laita samaan kansioon jpg tai png -muotoiset kuvat. Oikeaan paikkaan tallennettu raportti näkyy komennolla 'ls /home/*/report/index.md'.</p> <p>Huomaa: tässä ei tarvitse raportoida kaikkia askelia, <strong>vain testit</strong> että asiat toimivat, tai maininta, että tätä ei ole tehty. Tämä on siis paljon lyhempi raportti kuin kotitehtävässä. Älä julkaise raporttia kesken harjoituksen.</p> <h2 id="tehtavat">Tehtävät</h2> <ul> <li>a) Taustatiedot <ul> <li>Oma nimi</li> <li>Opiskelijanumero</li> <li>Linkki omaan kotitehtäväpakettiin</li> </ul> </li> <li>b) Tiivistelmä koko työstä lopuksi <ul> <li>Vastaa tähän kohtaan aivan viimeisenä</li> <li>Mikä toimii, mikä ei <ul> <li>Tämä toimii: toimivien palveluiden osoitteet tai polut komentoihin</li> <li>Tämä ei vielä toimi: luettelo kohdista, joita ei ratkaistu. <ul> <li>Huomaa, että nopeimpienkin viihdyttämiseksi tässä tehtävässä on enemmän kohtia kuin mitä muutamassa tunnissa ehtii ratkoa.</li> </ul> </li> </ul> </li> </ul> </li> <li>c) Ei kolmea sekoseiskaa <ul> <li>Suojaa raportti Linux-oikeuksilla niin, että vain oma käyttäjäsi pystyy katselemaan raporttia</li> </ul> </li> <li>d) 'howdy' <ul> <li>Tee kaikkien käyttäjien käyttöön komento 'howdy' <ul> <li>Tulosta haluamaasi ajankohtaista tietoa, esim päivämäärä, koneen osoite tms</li> <li>Pelkkä &quot;hei maailma&quot; ei riitä</li> </ul> </li> <li>Komennon tulee toimia kaikilla käyttäjillä työhakemistosta riippumatta</li> </ul> </li> <li>e) Etusivu uusiksi <ul> <li>Asenna Apache-weppipalvelin</li> <li>Tee yrityksellemme &quot;AI Kakone&quot; kotisivu</li> <li>Kotisivu tulee näkyä koneesi IP-osoitteella suoraan etusivulla</li> <li>Sivua pitää päästä muokkaamaan normaalin käyttäjän oikeuksin (ilman sudoa). Liitä raporttiisi listaus tarvittavien tiedostojen ja kansioiden oikeuksista.</li> </ul> </li> <li>g) Salattua hallintaa <ul> <li>Asenna ssh-palvelin</li> <li>Tee uusi käyttäjä omalla nimelläsi, esim. minä tekisin &quot;Tero Karvinen test&quot;, login name: &quot;terote01&quot;</li> <li>Automatisoi ssh-kirjautuminen julkisen avaimen menetelmällä, niin että et tarvitse salasanoja, kun kirjaudut sisään. Voit käyttää kirjautumiseen localhost-osoitetta</li> </ul> </li> <li>h) Djangon lahjat <ul> <li>Asenna omalle käyttäjällesi Django-kehitysympäristö</li> <li>Tee tietokantaan lista tekoälyistämme, jossa on nämä ominaisuudet <ul> <li>Kirjautuminen salasanalla</li> <li>Tietokannan muokkaus wepissä Djangon omalla ylläpitoliittymällä (Django admin)</li> <li>Käyttäjä Erkille, jossa ei ole ylläpito-oikeuksia</li> <li>Taulu Assistants, jossa jokaisella tietueella on nimi (name)</li> <li>Jos haluat, voit lisäksi bonuksena laittaa mukaan kentän koko (size)</li> </ul> </li> </ul> </li> <li>h) Tuotantopropelli <ul> <li>Jos olet tässä kohdassa, olet kyllä työskennellyt todella nopeasti (tai sitten teet tätä tehtävää huviksesi kurssin jälkeen). Mutta älä huoli, tässä haastetta, jotta et joudu pyörittelemään peukaloita.</li> <li>Tee tuotantotyyppinen asennus Djangosta</li> <li>Laita Django-lahjatietokanta tuotantotyyppiseen asennukseen</li> <li>Voit vaihtaa tämän sivun näkymään etusivulla staattisen sivun sijasta</li> </ul> </li> </ul> <p>Hauskaa labraa!</p> <h2 id="lopuksi">Lopuksi</h2> <p>Palauta kurssin Moodle-sivulle.</p> <p>Paketti tiedostoista:</p> <pre><code>sudo rm $HOME/pack.tar.gz; mkdir $HOME/pack; sudo cp -r /var/log/apache2/ /var/log/boot.log /var/log/installer/syslog /etc/ /home/*/report* /home/*/*.bash_history $HOME/pack/; sudo ss -lptn &gt; $HOME/pack/ss-lptn; sudo ls -lR /var/ /etc/ /home/ &gt; $HOME/pack/ls-lR; sudo find /var/ /etc/ /home/ -printf '%T+ M %m %M %k kB %p\n' &gt; $HOME/pack/find; sudo journalctl&gt;$HOME/pack/journalctl; sudo chown -R $(whoami) $HOME/pack/; tar -zcf pack.tar.gz $HOME/pack/; ls -lh pack.tar.gz </code></pre> <h2 id="palaute">Palaute</h2> <p>Kiitos kaikesta palautteesta! Olen iloinen, että piditte kurssista, ja otan kaikki kehitysideat käyttöön.</p> <p>Jos joltain vielä puuttuu palaute, niin <a href="https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/#anna-palautetta">&gt;&gt; anna palautetta &gt;&gt;</a>.</p>Linux Palvelimet 2024 alkukeväthttps://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/Thu, 11 Jan 2024 16:14:01 +0200https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/ <img src="https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/tux_hud0c70f4796d7176ca6380c7b07287d17_11913_100x100_fit_box_3.png" width="84" height="100" alt="Tux the Linux penguin" class="imgOne right"> <p>Learn to manage your own Linux server – in 8 weeks.</p> <p>100% remote. Weekly video conference + a lot of individual work. Beginners welcome. Excellent feedback. In Finnish.</p> <table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Course name and code:</td> <td><strong>Linux palvelimet</strong> ICI003AS2A-<strong>3004</strong></td> </tr> <tr> <td>Timing</td> <td>2024 period 3, <strong>early spring</strong>, w03-w11, ei w08</td> </tr> <tr> <td>Credits</td> <td>5 cr</td> </tr> <tr> <td>Classes</td> <td><strong>Tue 08:15 - 13:45</strong> online, mandatory participation (<a href="#agenda">agenda</a>)</td> </tr> <tr> <td>Max students</td> <td>50</td> </tr> <tr> <td>Language</td> <td>Finnish (+reading material in English)</td> </tr> <tr> <td>Remote</td> <td>Yes, <strong>fully remote</strong></td> </tr> <tr> <td>Feedback</td> <td>4.7 / 5 <strong><a href="https://terokarvinen.com/2023/linux-palvelimet-2023-alkusyksy/#comments">Excellent feedback</a></strong> <img src="https://terokarvinen.com/img/five-stars-15.png" alt="Five star experience"></td> </tr> <tr> <td>Services</td> <td><a href="https://hhmoodle.haaga-helia.fi/course/view.php?id=39840">Moodle</a>, Jitsi, Laksu. Optionally <a href="https://terokarvinen.com/newsletter/">Tero's list</a>.</td> </tr> <tr> <td>First class</td> <td><strong>2024-01-16 w03 Tue 08:15</strong>, Video conference link is in Moodle</td> </tr> </tbody> </table> <p>The course is in Finnish (and requires full fluency in Finnish), so the rest of this page is in Finnish.</p> <h1 id="tavoite">Tavoite</h1> <p>Opiskele 8 viikkoa ja hallitset omaa Linux-palvelinta.</p> <p>Opintojakson suoritettuaan opiskelija:</p> <ul> <li>Osaa hallita Linuxia palvelimena</li> <li>Osaa tehdä tärkeimmät asetukset tärkeimmille palvelimille (Apache, OpenSSH)</li> <li>Osaa asentaa www-ohjelmointiin sopivan alustan</li> <li>Osaa tehdä itselleen uusia asetuksia palvelinohjelmistoihin ohjeiden avulla</li> <li>Tietää esimerkkejä palvelintilan tarjoajista ja hinnoista sekä fyysisten palvelinten vastaavista ominaisuuksista</li> </ul> <h1 id="osallistumiseen-tarvitaan">Osallistumiseen tarvitaan</h1> <ul> <li>Jitsi-videokonfferenssiin: tietokone, kuulokemikrofoni, kamera, internet-yhteys.</li> <li>Linux-käyttöön: tietokone, jolla voit ohjeiden mukaan asentaa virtuaalikoneen ja Linuxin (edistyneemmät voivat toki asentaa Linuxin ihan oikean, erillisen koneen raudalle). Koneella tarvitaan noin 30 GB kovalevytilaa ja 2-4 gigatavua vapaata RAM-muistia. Tarvitset pääkäyttäjän oikeudet, jotta voit asentaa virtuaalikoneen ja Linuxin ohjeiden avulla. Toki myös raudalle asennettu Linux kelpaa, jos olet edistyneempi. Suosittelen tavallista PC-tietokonettta. Uudella Macintoshilla (M1, M2, M3) virtuaalikoneiden asentamisessa on enemmän työtä.</li> <li>Aikaa: 8 iltapäivää oppitunteihin + joka viikko runsaasti aikaa läksyihin (oppitunneille pitää osallistua aktiivisesti ja kaikki läksyt palauttaa)</li> </ul> <p>Linuxia ei tarvitse osata yhtään. Omalle tietokoneelle pitäisi osata asentaa ohjelmia, esimerkiksi virtuaalikone. Ja tietysti ratkoa tavallisia tietokoneongelmia kokeilemalla ja wepistä tietoa hakemalla.</p> <h2 id="aikataulu">Aikataulu</h2> <p>Kurssin kahdeksan kertaa jakautuvat neljään osaan: peruskäyttö, demonit, automatisointi ja loppuhuipennus. Oppitunnit edellyttävät aktiivista osallistumista oppitunteihin lukkariin merkittynä aikana.</p> <p>Oppitunnit ovat <strong>tiistaisin 08:15</strong> - 13:45 videokonfferenssina. <a name="agenda"></p> <table> <thead> <tr> <th>Viikko</th> <th>Aihe</th> </tr> </thead> <tbody> <tr> <td><strong>Peruskäyttö</strong></td> <td></td> </tr> <tr> <td>2024-01-16 w03</td> <td>1. Asennus, lisenssit.</td> </tr> <tr> <td>2024-01-23 w04</td> <td>2. Komentokehote. Ylläpito, paketinhallinta.</td> </tr> <tr> <td><strong>Demonit</strong></td> <td></td> </tr> <tr> <td>2024-01-30 w05</td> <td>3. Apache-weppipalvelin.</td> </tr> <tr> <td>2024-02-06 w06</td> <td>4. Julkisen palvelimen vuorkaaminen.</td> </tr> <tr> <td>2024-02-13 w07</td> <td>5. Nimen vuokraaminen.</td> </tr> <tr> <td><em>2024-02-20 w08</em></td> <td><em>(talviloma, ei oppitunteja)</em></td> </tr> <tr> <td><strong>Automatisointi</strong></td> <td></td> </tr> <tr> <td>2024-02-27 w09</td> <td>6. Ohjelmat weppipalvelimella, hei Python Django.</td> </tr> <tr> <td>2024-03-05 w10</td> <td>7. Ohjelmointi.</td> </tr> <tr> <td><strong>Loppuhuipennus</strong></td> <td></td> </tr> <tr> <td>2024-03-12 w11</td> <td>8. Kertaus. Arvioitava lopputehtävä.</td> </tr> </tbody> </table> <p>Oppituntien aiheisiin voi tulla muutoksia kurssin aikana.</p> <h3 id="peruskaytto">Peruskäyttö</h3> <p>1. <strong>Asennus, työpöytä ja lisenssit</strong> <a href="https://www.gnu.org/philosophy/free-sw.html">FSF Free Software Definition</a>, <a href="http://lib.tkk.fi/Diss/2005/isbn9529187793/isbn9529187793.pdf">Rise of Open Source: Chapter 5</a>. <a href="http://terokarvinen.com/2006/raportin-kirjoittaminen-4">Raportin kirjoittaminen</a>.</p> <p>2. <strong>Komentokehote, ylläpito ja paketinhallinta</strong> w04 <a href="http://terokarvinen.com/2009/command-line-basics-4">Command Line Basics</a>, <a href="http://terokarvinen.com/2008/commands-for-admin-4">Commands for Admin</a>.</p> <h3 id="demonit">Demonit</h3> <p>3. <strong>Apache-weppipalvelin</strong> <a href="http://terokarvinen.com/2008/install-apache-web-server-on-ubuntu-4">Install Apache Web Server on Ubuntu</a> <a href="http://terokarvinen.com/2016/instant-firewall-sudo-ufw-enable">Instant Firewall – sudo ufw enable.</a></p> <p>4. <strong>Julkisen palvelimen ja nimen vuokraaminen</strong> <a href="https://jvaris.wordpress.com/2014/03/03/linux-server-task-5-apache-name-based-virtual-hosting/">Apachen oletussivu</a>, <a href="https://jvaris.wordpress.com/2014/03/03/linux-server-task-5-apache-name-based-virtual-hosting/">Monta nimeä samaan IP-osoitteeseen</a>. Virtuaalipalvelimia vuokrataan: <a href="http://www.linode.com/?r=16774ec53118157d3f5d6e9be9147875cdb167bb">Linode (associate link)</a>, <a href="https://www.digitalocean.com/">Digitalocean</a>, <a href="http://aws.amazon.com/vpc/">Amazon</a> (monet Amazonin palvelut skaalautuvat automaattisesti, maksimihinnan rajoittaminen voi olla tarpeen). Julkisia nimiä vuokrataan: <a href="https://www.namecheap.com/">NameCheap</a>, (I don't recommend Gandi anymore). Harjoittelua varten voit kokeilla myös <a href="http://www.dot.tk/">http://www.dot.tk/</a> (ei tärkeille nimille). <a href="http://terokarvinen.com/2017/first-steps-on-a-new-virtual-private-server-an-example-on-digitalocean">First Steps on a New Virtual Private Server – an Example</a>.</p> <h3 id="automatisointi">Automatisointi</h3> <p>5. <strong>Ohjelmat weppipalvelimella</strong>. Palvelinpään ohjelmointi, Python Flask framework. Flask-asennus.</p> <p>6. <strong>Shell scriptit</strong>, bash-skriptaus. <a href="http://terokarvinen.com/2007/shell-scripting-4" title="Permalink to Shell Scripting">Shell Scripting</a>, <a href="http://terokarvinen.com/2006/aboutusers-4" title="Permalink to aboutusers">aboutusers.sh</a>, <a href="http://overthewire.org/wargames/bandit/">Over the Wire: bandit</a></p> <h3 id="loppuhuipennus">Loppuhuipennus</h3> <p>7. <strong>Kertaus</strong></p> <p>8. <strong>Arvosteltava lopputehtävä</strong></p> <h2 id="anna-palautetta">Anna palautetta</h2> <p>Palaute on minulle todella tärkeää, kiitos jo nyt. Hyödynnän palautetta heti seuraavilla kursseillamme &quot;Palvelinten hallinta&quot; ja &quot;Tunkeutumistestaus&quot;. Sekä soveltuvin osin kahdella uudella tietoturvakurssilla.</p> <p><strong>1) <a href="#comments">Vapaamuotoinen palaute kommenttina</a> tämän kurssisivun perään.</strong></p> <p>Vapaamuotoiseen palautteeseen saa kirjoittaa mitä vain, eikä kysymyksiä tarvitse toistaa. Mutta tässä vinkiksi:</p> <ul> <li>Opitko jotakin – eli osaatko nyt sellaista, mitä et osannut ennen kurssia?</li> <li>Teitkö jotain ensimmäistä kertaa? Vuokrasit koneen julkiseen Internetiin, asensit Linuxin, löysit tunkeutumisyrityksen...</li> <li>Oliko opittu hyödyllistä? Luuletko, että sille on käyttöä esim. tulevaisuudessa töissä tai kotona?</li> <li>Viihdyitkö kurssilla?</li> <li>Mitä pidit läksyistä?</li> <li>Miten voisin parantaa kurssia?</li> <li>Suosittelisitko kurssia tai oletko jo suositellut? Kenelle kurssi sopisi? Koulutoverille tai kollegalle?</li> </ul> <p><strong>2) Numeerinen palaute <a href="https://mynet.haaga-helia.fi">Haaga-Helian palautejärjestelmään MyNetissa</a>.</strong></p> <p>Numeerisen palautteen avulla mm. verrataan Haaga-Helian kursseja toisiinsa.</p> <p>Numeeriset: Asteikko 1-välttävä (huonoin) ... 5-kiitettävä (paras)</p> <ul> <li>Oma aktiivisuutesi opiskelussa 1-5</li> <li>Osaamistavoitteiden saavuttaminen 1-5</li> <li>Työskentelytavat tukivat oppimista 1-5</li> <li>Opiskeluympäristö tuki oppimista 1-5</li> <li>Hyödyllisyys työelämään 1-5</li> </ul> <p>Avoimet kysymykset (näihin voi myös kopioida samat vastaukset jotka kirjoitit aiemmin)</p> <ul> <li>Mitkä asiat edistivät oppimistasi?</li> <li>Miten kehittäisit toteutusta / toteutuskokonaisuutta, jotta osaamistavoitteet saavutettaisiin paremmin?</li> </ul> <p>Kokonaisarviosi toteutuksesta / toteutuskokonaisuudesta 1-5</p> <p>Suosittelisitko 1 - 10 (1 en varmasti, 10 aion varmasti suositella tai olen jo suositellut)</p> <p>Kiitos palautteesta ja jännittävästä kurssista!</p> <p>Missä nähdään?</p> <ul> <li>Palvelinten hallinta ICI001AS3A (sopii kaikille tämän kurssin läpäisseille)</li> <li>Tunkeutumistestaus ICI005AS3A (sopii haasteita etsiville)</li> <li>Python weppipalvelu - ideasta tuotantoon ICT8TN034 (8 päivän kurssi)</li> <li><a href="https://terokarvinen.com/newsletter/">Teron uutiskirje</a> (Voit poimia rusinat pullasta, mm. kutsuja vierailuluennoille. Viestejä harvoin, joka viestissä unsubscribe-nappi.)</li> </ul> <h2 id="suhde-muihin-kursseihin">Suhde muihin kursseihin</h2> <p>Tälle kurssille ei vaadita mitään kursseja esitietoina. Linuxia ei tarvitse osata yhtään. Omalle tietokoneelle pitäisi osata asentaa ohjelmia, esimerkiksi virtuaalikone. Ja tietysti ratkoa tavallisia tietokoneongelmia kokeilemalla ja wepistä tietoa hakemalla.</p> <p>Tämä kurssi (Linux palvelimet ict4tn021) on esitietona monille kursseille, esimerkiksi</p> <ul> <li><a href="https://terokarvinen.com/tags/configuration-management/">Palvelinten hallinta</a></li> <li><a href="https://terokarvinen.com/tags/monialaprojekti/">Monialaprojekti</a></li> <li><a href="https://terokarvinen.com/tags/tunkeutumistestaus/">Tunkeutumistestaus</a></li> </ul> <p>Ja pilvessähän palvelimet ovat pääosin Linuxeja, joten noilla kursseilla tästä lienee hyötyä.</p> <h2 id="vanhoja-kurssitoteutuksia">Vanhoja kurssitoteutuksia</h2> <p>Vanhoilta kurssitoteutuksilta löytyy runsaasti opiskelijoiden palautteita ja linkkejä kotitehtävien esimerkkiratkaisuihin. Opiskelijoiden palaute kurssista on sivun lopussa kommenteissa.</p> <ul> <li><a href="https://terokarvinen.com/2023/linux-palvelimet-2023-alkusyksy/">Linux Palvelimet 2023 alkusyksy ici003as2a-3006</a></li> <li><a href="https://terokarvinen.com/2023/linux-palvelimet-2023-alkukevat/">Linux Palvelimet 2023 alkukevät ici003as2a-3002</a></li> <li><a href="https://terokarvinen.com/2022/linux-palvelimet-ict4tn021-3020/">Linux Palvelimet 2022 alkusyksy - ict4tn021-3020</a></li> <li><a href="https://terokarvinen.com/2020/linux-palvelimet-2021-alkukevat-kurssi-ict4tn021-3014/">Linux Server Course - Linux palvelimet ict4tn021-3014 - alkukevät 2021</a></li> <li><a href="https://terokarvinen.com/2020/linux-palvelimet-2020-alkukevat-kurssi-ict4tn021-3010/">Linux Server Course - Linux palvelimet ict4tn021-3010 Aikataulu</a></li> <li><a href="http://terokarvinen.com/2018/aikataulu-linux-palvelimet-ict4tn021-3004-ti-alkukevat-2019-5-op" title="Permalink to Aikataulu – Linux palvelimet ict4tn021-3004 ti – alkukevät 2019 – 5 op">Aikataulu – Linux palvelimet ict4tn021-3004 ti – alkukevät 2019 – 5 op</a></li> <li><a href="http://terokarvinen.com/2017/aikataulu-linux-palvelimet-ict4tn021-7-ti-ja-6-to-alkukevat-2018-5-op" title="Permalink to Aikataulu – Linux palvelimet ict4tn021 8-ma, 7-ti ja 6-to – alkukevät 2018 – 5 op">Aikataulu – Linux palvelimet ict4tn021 8-ma, 7-ti ja 6-to – alkukevät 2018 – 5 op</a></li> <li><a href="https://terokarvinen.com/2017/aikataulu-linux-palvelimet-ict4tn021-2-ti-ja-3-ke-alkukevat-2017-5-op/?fromSearch=aikataulu%20linux%20palvelimet%20ict4tn021%202%20ti%20ja%203%20k">Aikataulu – Linux palvelimet ict4tn021 4-ti ja 5-to – alkusyksy 2017 – 5 op</a></li> <li><a href="http://terokarvinen.com/2016/aikataulu-linux-palvelimet-alkusyksy-2016" title="Permalink to Aikataulu – Linux palvelimet ict4tn021-1 – 5 op – alkusyksy 2016">Aikataulu – Linux palvelimet ict4tn021-1 – 5 op – alkusyksy 2016</a>.</li> </ul> <h3 id="vanhoja-arvioitavia-laboratorioharjoituksia">Vanhoja arvioitavia laboratorioharjoituksia:</h3> <ul> <li><a href="http://terokarvinen.com/2017/arvioitava-laboratorioharjoitus-linux-palvelimet-ict4tn021-4-tiistai-alkusyksy-2017-%E2%80%93-5-op">Final lab test for group 4-Tuesday</a>.</li> <li><a href="http://terokarvinen.com/2017/arvioitava-laboratorioharjoitus-%e2%80%93-linux-palvelimet-ict4tn021-5-torstai-%e2%80%93-alkusyksy-2017-%e2%80%93-5-op">Final lab test for group 5-Thursday</a>.</li> <li><a href="http://terokarvinen.com/2017/arvioitava-laboratorioharjoitus-%e2%80%93-linux-palvelimet-ict4tn021-2-uusi-ops-alkukevaalla-2017-p1">Arvioitava laboratorioharjoitus – Linux palvelimet ict4tn021-2 (uusi OPS) alkukeväällä 2017 p1</a></li> <li><a href="http://terokarvinen.com/2017/arvioitava-laboratorioharjoitus-%e2%80%93-linux-palvelimet-ict4tn021-3-uusi-ops-alkukevaalla-2017-p1">Arvioitava laboratorioharjoitus – Linux palvelimet ict4tn021-3 (uusi OPS) alkukeväällä 2017 p1</a></li> </ul> <h2 id="suoritukset">Suoritukset</h2> <ul> <li>Läksyt</li> <li>Aktiivinen etäosallistuminen opetukseen</li> <li>Lopputehtävä (ilmoitetaan myöhemmin)</li> </ul> <p>Arvosana perustuu kokonaisarvioon kurssisuorituksista.</p> <h2 id="laksyt">Läksyt</h2> <p>Kotitehtäväraporttien linkit palautetaan 24 h ennen lähiopetuskerran alkua Laksuun. Oman tehtävän palautuksen jälkeen riistiinarvioidaan kahden kurssikaverin tehtävät.</p> <p>Läksyt tehdään ja raportoidaan kunkin tunnin jälkeen. Tehtävät saa julkaista missä haluaa ja palauttaa linkin Laksuun. Kotitehtäväraportin tulee olla suoraan selaimella katseltavassa muodossa, tavallisena HTML-weppisivuna. Ei odt, ei odp, ei ppt, ei docx, ei doc, ei pdf. Kotitehtäviä ei voi palauttaa sähköpostitse. Linkit palautetaan Laksuun ja sen jälkeen ristiinarvioidaan kaksi työtä. Maksutonta kotisivutilaa saa esimerkiksi WordPress.com, GitHub.com ja Gitlab.com.</p> <p>Läksyt käydään läpi seuraavalla tapaamiskerralla, ratkotaan yhdessä ongelmia ja annetaan suullista palautetta. Arvosana kotitehtäväpaketista tulee vasta kurssin lopuksi, mutta tehtävät tulee silti palauttaa aina vuorokautta ennen seuraavia tunteja. Kurssilta poistetaan ne, jotka eivät ala suorittaa kurssia palauttamalla tehtäviä. Julkaiseminen on vapaaehtoista, mutta erittäin suositeltavaa. Jos et jostain syystä uskalla tai muuten halua julkaista, voit laittaa työn weppisivulle salasanan taakse (kaikille kotitehtäville sama salasana) ja jakaa tämän salasanan kurssilaisten kanssa. Jos tuntien yhteydessä järjestetään testejä läksyjen aiheista, niiden pisteet sisältyvät arvostelun kohtaan läksyt.</p> <p>Läksyt pitää tehdä tietokoneella kokeilemalla ja raportoida tapahtumien kulku, ellei kyseisessä alakohdassa erikseen muuta lue. Raporteista tulee ilmetä tiedot, josta voi todeta että harjoitukset on tehty eikä sepitetty.</p> <p>Tekoälyn käyttö: Tällä kurssilla on samat AI säännöt kuin YAMK:n kurssillani: &quot;AI and large language models (LLM): You can ask AI or LLM a question and use the answer as facts for your own answer, written in your own words. AI must be marked as a reference, with details such as prompt (and for advanced users system prompts, temperature, jailbreaks...). LLMs tend to hallucinate, so you should check answers from more reliable sources. It's not allowed to generate text with AI or similar technologies. For example, it's not allowed to generate essay answers or summaries with AI, LLM or similar technologies.&quot;</p> <h3 id="h0-hei-weppi">h0 Hei weppi</h3> <p>a) Julkaise oma sivu weppiin.</p> <p><a name="h1-virtuaali-linux"></a></p> <h3 id="h1-oma-linux">h1 Oma Linux</h3> <ul> <li>x) Lue ja tiivistä (Muutama ranskalainen viiva kustakin artikkelista riittää. Tässä alakohdassa ei tarvitse tehdä testejä tietokoneella) <ul> <li><a href="http://terokarvinen.com/2006/raportin-kirjoittaminen-4">Raportin kirjoittaminen</a></li> <li>FSF: <a href="https://www.gnu.org/philosophy/free-sw.html">FSF Free Software Definition</a> (eritoten neljä vapautta)</li> </ul> </li> <li>a) Asenna Linux virtuaalikoneeseen. (Tee raporttia varten uusi virtuaalikone, vaikka olisit asentanut sen aiemmin)</li> <li>k) Vapaaehtoinen bonus: suosikkiohjelmani Linuxilla. Tee ja raportoi jokin yksinkertainen toimenpide haluamallasi Linux-ohjelmalla.</li> </ul> <p>Vinkkejä</p> <ul> <li>Tee täsmällinen ja toistettava raportti. Kuvaile myös ympäristö (host OS, rauta...). Sellainen, millä voi aiheuttaa samat virheet joita löysit, ja korjata ne samalla tavalla.</li> <li><a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Install Debian on Virtualbox - Updated 2023</a></li> <li>Viimeisin Debian Live -levykuva tavalliselle PC:lle <a href="https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-xfce.iso">debian-live-12.1.0-amd64-xfce.iso</a></li> <li>Kirjoita raporttia samalla kun työskentelet</li> <li>Jos jäät jumiin, tee vielä tarkempi raportti hankalasta kohdasta. Ota kaikki virheilmoitukset talteen. Luettele eri valitsemasi lähestymistavat. Ja katsotaan tunnilla yhdessä lisää.</li> <li>Arvioi kaksi tehtäväpalautusta, kun olet palauttanut omasi. (kuten aina)</li> <li>Weppisivun tekeminen Githubiin <a href="https://terokarvinen.com/2023/create-a-web-page-using-github/">https://terokarvinen.com/2023/create-a-web-page-using-github/</a></li> <li>Ota ruutukaappauksia. <a href="https://github.com/terokarvinen/dreamhugmonkey#adding-images-to-markdown">Kuvia on helppo lisätä Markdowniin</a>.</li> <li>Palautus aina 24 h ennen seuraavaa tapaamiskertaa.</li> <li>Kohta sinulla on oma Linux-harjoitusympäristö, kokonaan omassa hallussa. Perjantaina nähdään!</li> <li>Muista lähdeviitteet <ul> <li>Kurssi</li> <li>Tehtävänannot <a href="https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/#h1-oma-linux">https://terokarvinen.com/2024/linux-palvelimet-2024-alkukevat/#h1-oma-linux</a></li> <li>Manuaalisivut</li> <li>Weppisivut</li> <li>ja kaikki muutkin käyttämäsi lähteet</li> </ul> </li> </ul> <h3 id="h2-komentaja-pingviini">h2 Komentaja Pingviini</h3> <ul> <li>x) Lue ja tiivistä (Muutama ranskalainen viiva riittää. Tässä alakohdassa ei tarvitse tehdä testejä tietokoneella) <ul> <li>Karvinen 2020: <a href="https://terokarvinen.com/2020/command-line-basics-revisited/?fromSearch=command%20line%20basics%20revisited">Command line basics revisited</a> (nämä komennot ja hakemistot kannattaa myös opiskella ulkoa ja harjoitella automaatiotasolle)</li> </ul> </li> <li>a) Micro. Asenna micro-editori</li> <li>b) Rauta. Listaa testaamasi koneen rauta (‘sudo lshw -short -sanitize’). Asenna lshw tarvittaessa. Selitä ja analysoi listaus.</li> <li>c) Apt. Asenna kolme itsellesi uutta komentoriviohjelmaa. Kokeile kutakin ohjelmaa sen pääasiallisessa käyttötarkoituksessa. Ota ruutukaappaus. Kaikki terminaaliohjelmat kelpaavat, TUI (text user interface) ja CLI (command line interface). Osaatko tehdä apt-get komennon, joka asentaa nämä kolme ohjelmaa kerralla?</li> <li>d) FHS. Esittele kansiot, jotka on listattu &quot;Command Line Basics Revisited&quot; kappaleessa &quot;Important directories&quot;. Näytä kuvaava esimerkki kunkin tärkeän kansion sisältämästä tiedostosta tai kansiosta. Jos kyseessä on tiedosto, näytä siitä kuvaava esimerkkirivi. Työskentele komentokehotteessa ja näytä komennot, joilla etsit esimerkit.</li> <li>e) The Friendly M. Näytä 2-3 kuvaavaa esimerkkiä grep-komennon käytöstä. Ohjeita löytyy 'man grep' ja tietysti verkosta.</li> <li>f) Pipe. Näytä esimerkki putkista (pipes, &quot;|&quot;).</li> <li>g) Tukki. Aiheuta lokiin kaksi eri tapahtumaa: yksi esimerkki onnistuneesta ja yksi esimerkki epäonnistuneesta tai kielletystä toimenpiteestä. Analysoi rivit yksityiskohtaisesti.</li> </ul> <p>Vinkkejä:</p> <ul> <li>Ohjelmien asennus <ul> <li>sudo apt-get update</li> <li>apt-cache search version control</li> <li>apt-cache show git</li> <li>sudo apt-get -y install git</li> </ul> </li> <li>Loki <ul> <li>journalctl -f</li> <li>sudo journalctl</li> </ul> </li> <li>Selitä ja analysoi - rautatehtävässä tärkeää on siis oma analyysi ja selitys, ei pelkkä listaus</li> </ul> <h3 id="h3-hello-web-server">h3 Hello Web Server</h3> <p><em>Tästä alkaa demonien osuus. Opit rakentamaan weppipalvelun ja vuokraamaan sille paikan julkisesta pilvestä.</em></p> <ul> <li>x) Lue ja tiivistä (Muutama ranskalainen viiva kustakin artikkelista riittää. Tässä alakohdassa ei tarvitse tehdä testejä tietokoneella) <ul> <li>The Apache Software Foundation 2023: Apache HTTP Server Version 2.4 Documentation: <a href="https://httpd.apache.org/docs/2.4/vhosts/name-based.html">Name-based Virtual Host Support</a></li> <li>Karvinen 2018: <a href="https://terokarvinen.com/2018/04/10/name-based-virtual-hosts-on-apache-multiple-websites-to-single-ip-address/">Name Based Virtual Hosts on Apache – Multiple Websites to Single IP Address</a></li> </ul> </li> <li>a) Testaa, että weppipalvelimesi vastaa localhost-osoitteesta. Asenna Apache-weppipalvelin, jos se ei ole jo asennettuna.</li> <li>b) Etsi lokista rivit, jotka syntyvät, kun lataat omalta palvelimeltasi yhden sivun. Analysoi rivit (eli selitä yksityiskohtaisesti jokainen kohta ja numero, etsi tarvittaessa lähteitä).</li> <li>c) Etusivu uusiksi. Tee uusi <em>name based virtual host</em>. Sivun tulee näkyä suoraan palvelimen etusivulla http://localhost/. Sivua pitää pystyä muokkaamaan normaalina käyttäjänä, ilman sudoa. Tee uusi, laita vanhat pois päältä. Uusi sivu on hattu.example.com, ja tämän pitää näkyä: asetustiedoston nimessä, asetustiedoston ServerName-muuttujassa sekä etusivun sisällössä (esim title, h1 tai p).</li> <li>e) Tee validi HTML5 sivu.</li> <li>f) Anna esimerkit 'curl -I' ja 'curl' -komennoista. Selitä 'curl -I' muutamasta näyttämästä otsakkeesta (response header), mitä ne tarkoittavat.</li> <li>m) Vapaaehtoinen, suosittelen tekemään: Hanki GitHub Education -paketti.</li> <li>n) Vapaaehtoinen, vaikea: Tee Apachelle nimipohjainen virtuaalipalvelu (name based virtual host). Voit simuloida nimipalvelun toimintaa hosts-tiedoston avulla.</li> <li>o) Vapaaehtoinen, vaikea: Laita sama tietokone vastaamaan kahdellla eri sivulla kahdesta eri nimestä. Eli kaksi weppisiteä samalla koneelle, esim. foo.example.com ja bar.example.com.</li> </ul> <p>Ensi kerralla vuokrataan kone pilvestä. Kannattaa ottaa luottokortti mukaan. Myös debit-luottokortti käy. Vaikka käyttäisit ilmaisia Github Education -krediittejä, nekin tarvitsevat yleensä luottokortin. Suosittelen kokeilemaan oikeiden, tuotantoon kelpaavien palveluiden vuokraamista, mutta voin keksiä jonkin vaihtoehtotehtävän jos et halua.</p> <p>Vinkit</p> <ul> <li>Esimerkkisivun poistaminen lienee lienee ainoa kohta, jossa ikinä muokkaat weppisivua pääkäyttäjän oikeuksin. 'echo hello|sudo tee /var/www/html/index.html'</li> <li>'sudo tail /var/log/apache2/access.log', 'sudo tail /var/log/apache2/error.log',</li> <li>'tail -f /var/log/apache2/access.log', ctrl-C</li> <li>sudo systemctl enable --now apache2</li> <li>Kotisivu kielletty (403 Forbidden)? 'chmod ugo+x $HOME $HOME/public_html/', 'ls -ld $HOME $HOME/public_html/'</li> <li>Karvinen 2012: <a href="https://terokarvinen.com/2012/short-html5-page/">Short HTML5 page</a></li> <li>Onko weppisivu validi <a href="https://validator.w3.org">https://validator.w3.org</a></li> <li>sudo systemctl restart apache2</li> <li>Github Education <ul> <li>Aloita rekisteröimällä @haaga-helia.fi tunnus Githubiin.</li> <li>Jos sinulla on jo Github-tunnus, Haaga-Helian sähköpostiosoitteen voi liittää vanhaan tunnukseen.</li> <li>Muista klikata vahvistussähköposti.</li> <li><a href="https://education.github.com/">GitHub Education</a>.</li> </ul> </li> </ul> <h3 id="h4-maailma-kuulee">h4 Maailma kuulee</h3> <ul> <li>x) Lue ja tiivistä. Tiivistelmäksi riittää muutama ranskalainen viiva per artikkeli. (Tässä alakohdassa ei tarvitse tehdä testejä tietokoneella) <ul> <li><a href="https://susannalehto.fi/2022/teoriasta-kaytantoon-pilvipalvelimen-avulla-h4/">Susanna Lehto 2022: Teoriasta käytäntöön pilvipalvelimen avulla (h4)</a> (opiskelijan esimerkkiraportti), kohdat <ul> <li>a) Pilvipalvelimen vuokraus ja asennus</li> <li>d) Palvelin suojaan palomuurilla</li> <li>e) Kotisivut palvelimelle</li> <li>f) Palvelimen ohjelmien päivitys</li> </ul> </li> <li>Karvinen 2012: <a href="https://terokarvinen.com/2017/first-steps-on-a-new-virtual-private-server-an-example-on-digitalocean/">First Steps on a New Virtual Private Server – an Example on DigitalOcean and Ubuntu 16.04 LTS</a></li> </ul> </li> <li>a) Vuokraa oma virtuaalipalvelin haluamaltasi palveluntarjoajalta. (Vaihtoehtona voit käyttää ilmaista kokeilujaksoa, GitHub Education krediittejä; tai jos mikään muu ei onnistu, voit kokeilla ilmaiseksi vagrant:ia paikallisesti. Suosittelen kuitenkin harjoittelemaan oikeilla, tuotantoon kelpaavilla julkisilla palveluilla).</li> <li>b) Tee alkutoimet omalla virtuaalipalvelimellasi: tulimuuri päälle, root-tunnus kiinni, ohjelmien päivitys.</li> <li>c) Asenna weppipalvelin omalle virtuaalipalvelimellesi. Korvaa testisivu. Kokeile, että se näkyy julkisesti. Kokeile myös eri koneelta, esim kännykältä.</li> <li>d) Vuokraa domain-nimi ja aseta se osoittamaan virtuaalipalvelimeesi.*</li> </ul> <p>Vinkit:</p> <ul> <li>Aina hyvät salasanat. Salasana on todella tärkeä kohta tietoturvassa.</li> <li>Muista tehdä reikä tulimuuriin. sudo ufw allow 22/tcp; sudo ufw enable; sudo ufw allow 80/tcp</li> <li>Käyttäjälle saa sudo-oikeudet lisäämällä ryhmään &quot;sudo&quot;. Muita artikkelissa mainittuja ryhmiä &quot;adm&quot;, &quot;admin&quot;... ei välttämättä ole koneellasi.</li> <li>sudo apt-get update; sudo apt-get dist-upgrade; sudo systemctl reboot</li> <li>Nykyisin demonin uudelleenkäynnistys 'sudo systemctl restart apache2' (ei enää service)</li> <li>Perinteisesti lokit ovat olleet tekstitiedostoissa /var/log/ alla. Nyt ne ovat siirtymässä journalctl:n. <a href="https://wiki.archlinux.org/title/Systemd/Journal">Archwiki: systemd/Journal</a>. Tunnilla jonkun palveluntarjoajan valmiskuvaa käyttäessä lokien löytämisessä oli kummallisuuksia.</li> <li>Julkisia nimiä vuokraa mm <a href="https://www.namecheap.com/">NameCheap</a></li> <li>Nimen säätäminen <ul> <li>&quot;Advanced DNS&quot;</li> <li>A-tietue, @ (tarkoittaa sitä nimeä, jota ollaan käsittelemässä), virtuaalipalvelimen julkinen IP</li> <li>Toinen A-tietue www:lle</li> <li>Muut tietueet (esim palveluntarjoajan mainokset) kannattaa poistaa</li> <li>Muutokset tulevat näkyviin 5 min - 4 tunnin kuluttua</li> </ul> </li> <li>Raportteja palvelimen vuokraamisesta ja nimen säätämisestä <a href="https://www.google.com/search?q=namecheap+karvinen">https://www.google.com/search?q=namecheap+karvinen</a> (muista lähdeviitteet)</li> <li>* Jos et jostain syystä halua vuokrata oikeaa nimeä, voit vaihtoehtotehtävänä kokeilla nimipalvelua tai sen simulointia hosts-tiedoston avulla. Tällöin voit tehdä nimipalvelutietojen analysoinnin mistä vain julkisessa käytössä olevasta nimestä.</li> <li>Suosittelen kuitenkin oikean nimen vuokraamista ja asettamista. Github Education -paketin mukana saattaa tulla ilmaisia nimiä. Ilmaiset tai halvat nimet ovat usein edullisia vain ensimmäisen vuoden.</li> <li>Tuotantoon yleensä .com nimi on sopivin.</li> </ul> <h3 id="h5-koko-juttu">h5 Koko juttu</h3> <ul> <li>a) Koko juttu. Asenna uusi, tyhjä virtuaalikone. Tee koneelle tavalliset alkutoimet. Asenna sille Apache-weppipalvelin ja SSH-etähallintapalvelin. Tee uusi etusivu weppipalvelimelle niin, että sivuja voi muokata normaalikäyttäjän oikeuksin. Käytä tässä <em>name based virtual host</em> -tekniikkaa. (Raportoi työskennellessä. Tämän harjoituksen voi hyvin tehdä VirtualBoxissa tai muussa paikallisesssa ympäristössä.)</li> <li>b) Pubkey. Automatisoi kirjautuminen julkisella SSH-avaimella.</li> <li>c) Digging host. Tutki domain-nimesi nimesi tietoja 'host' ja 'dig' -komennoilla. Analysoi tulokset. Vertaa tuloksia nimen vuokraajan (namecheap.com, name.com...) weppiliittymässä näkyviin asetuksiin. (Jos sinulla ei ole omaa nimeä käytössä, voit tutkia jotain muuta nimeä).</li> <li>m) Vapaaehtoinen: Asenna vagrant, asenna sillä uusi virtuaalikone.</li> </ul> <p>Vinkit</p> <ul> <li>On hyvä idea kokeilla koko jutun asentamista useamman kerran. Itse tehtävässä tämä raportoidaan vain kerran. Voit halutessasi tehtävän tehtyäsi kokeilla tätä useamman kerran raportoimatta. Yleensä eka kerta vie tunteja, toka 1-2 h ja kymmenes kerta 15-20 minuttia. Samalla aivokapasiteettia vapautuu nippeleiden ja nappeleiden vahtaamisesta suurempiin ja haastavampiin kysymyksiin.</li> <li>ssh-keygen, ssh-copy-id</li> <li>journalctl --since yesterday|grep -i ssh</li> <li>sudo apt-get -y install bind9-dnsutils bind9-host # asentaa komennot 'host' ja 'dig'</li> <li>Vagrantilla on todella nopea tehdä ja poistaa virtuaalikoneita. Helpottaa harjoittelua. Ulkomuistista: <ul> <li>Asennus <ul> <li>Asennus Linux: sudo apt-get update; sudo apt-get -y install virtualbox vagrant</li> <li>Asennus Windows: <a href="https://developer.hashicorp.com/vagrant/install?product_intent=vagrant">https://developer.hashicorp.com/vagrant/install?product_intent=vagrant</a> &quot;Windows&quot; &quot;Binary download&quot; &quot;AMD64&quot;, kaksoisklikkaus ja eteneminen next-next velhon kanssa</li> </ul> </li> <li>Käyttö <ul> <li>vagrant init debian/bookworm64</li> <li>vagrant up</li> <li>vagrant ssh</li> <li>ja lopuksi, kun haluat tuhota virtuaalikoneen ja kaikki sen sisältämät tiedostot: 'vagrant destroy'</li> </ul> </li> </ul> </li> </ul> <h3 id="h6-dj-ango">h6 DJ Ango</h3> <ul> <li>x) Lue ja tiivistä. Tiivistelmäksi riittää muutama ranskalainen viiva per artikkeli. (Tässä alakohdassa ei tarvitse tehdä testejä tietokoneella. Nämä ovat pitkiä artikkeleita, tässä pääpaino on lukemisella, jotta saat tehtävät tehtyä. Voit laittaa muutaman ranskalaisen viivan esim. omista huomoioista artikkelista. Eli tällä kertaa ei tarvita laajaa eikä kattavaa tiivistelmää.) <ul> <li>Karvinen 2021: <a href="https://terokarvinen.com/2022/django-instant-crm-tutorial/">Django 4 Instant Customer Database Tutorial</a></li> <li>Karvinen 2021: <a href="https://terokarvinen.com/2022/deploy-django/">Deploy Django 4 - Production Install</a></li> </ul> </li> <li>a) Tee yksinkertainen esimerkkiohjelma Djangolla. <ul> <li>Voit käyttää testipalvelinta, kunhan se ei näy Internetiin.</li> <li>Riittää, kun ohjelmasi näkyy esimerkiksi Django Adminsissa.</li> <li>Voit halutessasi tehdä aivan samanlaisen kuin Teron CRM-esimerkissä.</li> </ul> </li> <li>b) Tee Djangon tuotantotyyppinen asennus <ul> <li>Voit tehdä asennuksen omalle, paikalliselle virtuaalikoneelle. Sen ei tarvitse näkyä Internetiin.</li> </ul> </li> </ul> <p>Vinkit</p> <ul> <li>Käytä systemaattista työtapaa</li> <li>Tee muistiinpanot samalla kun työskentelet</li> <li>Lue virheilmoitukset lokeista</li> <li>Pienin testattava kokonaisuus kerralla</li> <li>Varmista paikkasi ajoissa <ul> <li>ICI001AS3A-3004 Palvelinten hallinta (sopii jatkoksi tälle kurssille)</li> <li>ICI001AS3A-3005 Palvelinten hallinta (sopii jatkoksi tälle kurssille)</li> <li>ICI005AS3A-3001 Tunkeutumistestaus (haastava)</li> <li>ICT8TN034-3004 Python weppipalvelu - ideasta tuotantoon (kahdeksan päivää w21-w22)</li> </ul> </li> </ul> <h3 id="h7-maalisuora">h7 Maalisuora</h3> <ul> <li>a) Käännä &quot;Hei maailma&quot; haluamallasi kielellä.</li> <li>b) Laita Linuxiin uusi komento niin, että kaikki käyttäjät voivat ajaa sitä.</li> <li>c) Ratkaise vanha arvioitava laboratorioharjoitus soveltuvin osin.</li> <li>d) Asenna itsellesi tyhjä virtuaalikone arvioitavaa labraa varten. Suosittelen Debian 12-Bookworm amd64, riittävästi RAM ja kovalevyä. Koneella saa olla päivitetyt ohjelmistot (apt-get dist-upgrade) ja tulimuuri. Koneella ei saa olla mitään muita demoneja tai ohjelmia asennettuna kuin nuo ja asennuksen mukana tulevat.</li> </ul> <p>Vinkit:</p> <ul> <li>Vanhoja arvioitavia laboratorioharjoituksia löytyy Teron sivujen omalla hakutoiminnolla, Googlella ja DuckDuckGolla.</li> <li>Vanhoissa labroissa voi olla osia, joita ei ole käsitelty tällä toteutuksella. Voit soveltaa, vaihtaa tai hypätä yli noista osista.</li> <li>Muista aina hyvät salasanat. Älä jätä käyttäjien kotihakemistoihin root:in omistamia tiedostoja. Testaa kaikki mitä olet tehnyt.</li> </ul> <h3 id="h8-bonus">h8 Bonus</h3> <p>Vapaaehtoinen: Bonus: luettele ja linkitä tähän tekemäsi</p> <ul> <li>a) Vapaaehtoiset tehtävät</li> <li>b) Arvioinnin jälkeen olennaisesti parannetut tehtävät</li> </ul> <h2 id="adminstrivia">Adminstrivia</h2> <p>This has been updated after publishing, and will be updated as needed.</p> <p>Tux logo by Larry Ewing.</p>Information Security 2024 Springhttps://terokarvinen.com/2024/information-security-2024-spring/Thu, 11 Jan 2024 11:02:04 +0200https://terokarvinen.com/2024/information-security-2024-spring/ <img src="https://terokarvinen.com/2024/information-security-2024-spring/shield-check-line_hu732098b6b41c8c792c0929bd905e1b34_9956_100x100_fit_box_3.png" width="100" height="100" alt=" " class="imgOne right pad"> <p>Data security course, in English as you asked.</p> <p>Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.</p> <table> <thead> <tr> <th></th> <th></th> </tr> </thead> <tbody> <tr> <td>Course name and code:</td> <td><strong>Information Security ICI002AS2AE-3002</strong></td> </tr> <tr> <td>Timing</td> <td>2024 period 3, <strong>early spring</strong>, w03-w11, not w08</td> </tr> <tr> <td>Credits</td> <td>5 cr</td> </tr> <tr> <td>Classes</td> <td><strong>Mondays 08:15</strong> - 13:45, in Pasila <strong>pa5001</strong>, bring your <strong>laptop</strong></td> </tr> <tr> <td>Max students</td> <td>30</td> </tr> <tr> <td>Language</td> <td>English</td> </tr> <tr> <td>Type</td> <td><strong>Contact</strong>, in physical classroom, mandatory participation [as requested]</td> </tr> <tr> <td>Feedback</td> <td>4.2 - 4.6 / 5 <strong><a href="#previous-courses">Excellent feedback</a></strong> <img src="https://terokarvinen.com/img/five-stars-15.png" alt="Five star experience"> *</td> </tr> <tr> <td>Services</td> <td><a href="https://hhmoodle.haaga-helia.fi/course/view.php?id=39839">Moodle</a>, Laksu. Optionally <a href="https://terokarvinen.com/newsletter/">Tero's list</a>.</td> </tr> <tr> <td>First class</td> <td><strong>2024-01-15 w03 Monday 08:15, classroom pa5001</strong>, physically present with your laptop</td> </tr> </tbody> </table> <p>* Feedback average of each course instance: from 4.2 &quot;good&quot; to 4.6 &quot;excellent&quot;, including the same course under the name Data Security from the previous curriculum. I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached excellent 5.0 /5, with every participant giving feedback and each feedback being 5. And Master level (YAMK) Trust to Blockchain has reached excellent 4.9 /5.</p> <h2 id="agenda">Agenda</h2> <p>Eight security Mondays in Pasila. All classes require active participation.</p> <p>I have changed this course to contact (physically in the class) as requested in the feedback.</p> <p>Mondays from 08:15 to 13:45 in Pasila pa5001.</p> <table> <thead> <tr> <th>Date</th> <th>Theme</th> </tr> </thead> <tbody> <tr> <td>2024-01-15 w03</td> <td>1. Organizing. Fundamentals. Practice environments.</td> </tr> <tr> <td>2024-01-22 w04</td> <td>2. Threath modeling. Cyber kill chain. (Optional: a bit of ATT&amp;CK.)</td> </tr> <tr> <td>2024-01-29 w05</td> <td>3. Web security. OWASP 10.</td> </tr> <tr> <td>2024-02-05 w06</td> <td>4. Encryption. Asymmetric vs symmetric. GPG. SSH.</td> </tr> <tr> <td>2024-02-12 w07</td> <td>5. Passwords. Hashes. Cracking hashes.</td> </tr> <tr> <td>2024-02-19 w08</td> <td>(Winter holiday, no classes)</td> </tr> <tr> <td>2024-02-26 w09</td> <td>6. Chelsea: The threat of deepfake technology. Applied. (E.g. cryptocurrencies or darknet)</td> </tr> <tr> <td>2024-03-04 w10</td> <td>7. Kiana: How to convince AI to help us in hacking? Bishwas: RATs and Phishing Attack Demo. Ruwan: Bitwarden. Andrew: ILOVEYOU worm. Daniel: Pegasus – between law enforcement, total surveillance, and modern warfare. Presentations. Recap.</td> </tr> <tr> <td>2024-03-11 w11</td> <td>8. Roope: Darknet markets and OPSEC. Panagiotis: Ransomware. Sille: How to be Invisible Online. Wrapping up.</td> </tr> </tbody> </table> <p>There will likely be updates to the contents of the classes as the course advances.</p> <h2 id="goals">Goals</h2> <p>After completing this course, you will</p> <ul> <li>Understand adversarial view on security</li> <li>Recognize key concepts of security</li> <li>Be able to safely practice hands-on with security tools</li> </ul> <p>Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.</p> <h2 id="assessment">Assessment</h2> <ul> <li>Active participation in classes</li> <li>Homework (66%)</li> <li>Presentation (33%)</li> </ul> <p>Evaluation of the course is based on totality of the work presented.</p> <h2 id="previous-courses---student-feedback-old-homework">Previous courses - student feedback, old homework</h2> <ul> <li><a href="https://terokarvinen.com/2023/information-security-2023-autumn/">Information Security ICI002AS2AE-3003</a> <ul> <li><a href="https://terokarvinen.com/2023/information-security-2023-autumn/#comments">Feedback</a></li> </ul> </li> <li><a href="https://terokarvinen.com/2023/information-security-2023/">Information Security 2023 Spring</a> <ul> <li><a href="https://terokarvinen.com/2023/information-security-2023/#comments">Feedback</a></li> </ul> </li> <li><a href="https://terokarvinen.com/2021/data-security-2022p3-ict4tf022-3008/">Data Security ICT4TF022-3008, 2022 early spring</a> <ul> <li><a href="https://terokarvinen.com/2021/data-security-2022p3-ict4tf022-3008/#comments">Feedback</a></li> </ul> </li> <li><a href="https://terokarvinen.com/2022/data-security-ict4tf022-3009/">Data Security 2022 ict4tf022-3009, 2022 early autumn</a> <ul> <li><a href="https://terokarvinen.com/2022/data-security-ict4tf022-3009/#comments">Feedback</a></li> </ul> </li> </ul> <h2 id="feedback">Feedback</h2> <p>Thanks already! Your feedback is very important to me. I will read it all (twice+) and make improvements. Please give your feedback to two channels.</p> <h3 id="1-free-form-feedback-as-a-comment-on-this-page">1) Free form feedback as a comment on this page</h3> <p><a href="#comments">Write your comment on this page</a>.</p> <p>You can write what ever you want. No need to repeat the questions, but they are here to get you started.</p> <ul> <li>Did you learn something? Do you now know something you did not know before the course? (Models, frameworks, ideas, tools?)</li> <li>Did you do something for the first time? (Broke passwords, broke into web service, create treath models, used password manager, encrypted messages? Used some technique or a tool for the first time?)</li> <li>Is this useful? Are these skills useful in companies?</li> <li>How did you like the presentations? Interesting subject? Did you like presenting? Useful information? Actionable?</li> <li>How did you like comments and feedback? Did you get answers to your questions? (from classmates, teacher; to your homework, presentations)</li> <li>Feelings: did you enjoy the course?</li> <li>How could I improve the course? (I can make almost any change here, if it's important)</li> <li>Would you recommend the course? Have you already recommended it? Who would benefit from the course (a colleague, a fellow student)?</li> </ul> <h3 id="2-numeric-feedback-to-haaga-helia-feedback-system-peppi">2) Numeric feedback to Haaga-Helia feedback system (Peppi)</h3> <p><a href="https://mynet.haaga-helia.fi">Feedback in MyNet (Peppi)</a></p> <p>1-worst, 5-best</p> <ul> <li>Your active participation in studies</li> <li>Achieving the learning goals</li> <li>The study methods supported learning</li> <li>The study environment supported learning</li> <li>Benefits to your career</li> </ul> <p>Open, you can copy the same answer you gave earlier</p> <ul> <li>What promoted your learning?</li> <li>How would you develop the implementation / group of implementations further so that the learning goals could be achieved better?</li> </ul> <p>Your overall assessment of the implementation, 1-worst, 5-best</p> <p>How likely would you recommend the course to your fellow students? 1-worst, 10-best.</p> <p>Thank you for your feedback, and thank you for our course!</p> <p>Optional: Keep up with Linux &amp; security, <a href="https://terokarvinen.com/newsletter/">join Tero's list</a>. (And get invitations to visitors on security)</p> <p>See you in my future courses!</p> <h2 id="homework">Homework</h2> <p>Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specied writing.</p> <p>Each homework is returned</p> <ul> <li>24 h before start of next lecture</li> <li>you can publish your homework report in any website you like</li> <li>return a link to Laksu</li> <li>cross-evaluate two other homeworks</li> </ul> <p>To save everyone's time, I will remove those from the course who don't return homework.</p> <p>Github is a convenient place to publish your reports, others are Gitlab and Wordpress.com. I highly recommend publishing your work, it seems to help getting job offers. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group.</p> <p>AI and large language models (LLM): You can ask AI or LLM a question and use the answer as facts for your own answer, written in your own words. AI must be marked as a reference, with details such as prompt (and for advanced users system prompts, temperature, jailbreaks...). LLMs tend to hallucinate, so you should check answers from more reliable sources. It's not allowed to generate text with AI or similar technologies. For example, it's not allowed to generate essay answers or summaries with AI, LLM or similar technologies.</p> <p>The homeworks are official after they are given in the class. Don't start them before, because they might change.</p> <h3 id="h1-first-steps">h1 First steps</h3> <p><em>Become a hacker, step 0</em></p> <p><em>Start the homework only after you've accepted the rules in course Moodle.</em></p> <ul> <li>x) Read (or listen) and summarize. (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary) <ul> <li>Any episode from <a href="https://darknetdiaries.com/">Darknet Diaries Podcast</a>.</li> <li><a href="https://lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf">Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains</a>, chapters <em>Abstract</em>, 3.2 <em>Intrusion Kill Chain</em> and 3.3 <em>Courses of Action</em></li> </ul> </li> <li>b) Bookworm. Install Debian 12-Bullseye virtual machine in VirtualBox. (See also: Karvinen 2021: <a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Install Debian on VirtualBox</a>)</li> <li>o) Voluntary bonus: My fundaments. What do you consider the fundamentals of security? What would you teach the first day?</li> <li>q) Voluntary multi-week bonus, requires programming: Ptacek et al: <a href="https://www.cryptopals.com/">Cryptopals</a>.</li> </ul> <p>Tips:</p> <ul> <li><a href="https://f-droid.org/en/packages/de.danoeh.antennapod/">AntennaPod</a> is convenient Android program for listening podcasts. It's available in <a href="https://f-droid.org/en/packages/de.danoeh.antennapod/">F-Droid</a> and Google Play. Of course, there are hundreds if not thousands other programs for podcasts, too.</li> <li>Pick any episode. Check descriptions, and pick one that's likely to be suitable here.</li> <li>Why are these tasks just the right level? To prepare you for learning hacker skills in this course.</li> <li>Why are these tasks so hard? =&gt; See below, &quot;If you get stuck&quot;.</li> <li>Why are these tasks so easy? =&gt; Because you've practiced before, good for you. Also do voluntary bonus tasks above for some challenge and development. Still too easy? Contact me for special arrangements, I want you to spend your time efficiently.</li> <li>In &quot;Read and summarize&quot;: <ul> <li>read first, then summarize</li> <li>summarize key content <ul> <li>not just headings</li> <li>don't just describe the article, tell the main things it says</li> </ul> </li> <li>add a question, an idea or a comment of your own to each article</li> </ul> </li> <li>Yes, you're expected to read the friendly manuals, Google/Duck, and try multiple approaches</li> <li>Refer &amp; link any sources you use <ul> <li>Course / the classes</li> <li>Homework task page <a href="https://terokarvinen.com/2024/information-security-2024-spring/#homework">https://terokarvinen.com/2024/information-security-2024-spring/#homework</a></li> <li>Homework reports by other students</li> <li>Any web pages</li> <li>Manuals, Articles, Man pages...</li> <li>Referencing your sources is required</li> </ul> </li> <li>When reporting tests on a computer <ul> <li>Write while you work</li> <li>Save often</li> <li>Explain why</li> <li>Have some screenshots</li> <li>If some command output is very long, only quote relevant parts (if you want, you can put the long text as an appendix or behind a link)</li> </ul> </li> <li>If you get stuck <a name=stuck> <ul> <li>Don't worry: Computers are cranky, that's why they pay hackers well</li> <li>Solve and report all parts you can do</li> <li>Return your partial report in time</li> <li>Google/Duck. That's what the pros do, too. Write down a reference to the sources you used.</li> <li>If you need to look at a walktrough (an exact solution to this homework, task or flag), clearly mark where you needed it.</li> <li>Solve the trouble part as far as you can. Report all approaches taken.</li> <li>Ask about the challenges in the class, likely someone else had the same thing</li> </ul> </li> <li>Bandit uses SSH. In Linux, that's 'ssh <a href="mailto:tero@example.com">tero@example.com</a>', and it might also work in new Windowses. For older Windowses, you can also use Putty SSH.</li> <li>Read my (Tero's) articles on how to install Debian before you start</li> <li>To see some example solutions for homeworks, Google/Duck my name + course name, e.g. &quot;Tero Karvinen Penetration Testing&quot; without the quotes.</li> </ul> <h3 id="h2-should-tero-wear-a-helmet">h2 Should Tero wear a helmet?</h3> <ul> <li>x) Read / watch and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like) <ul> <li>Braiterman et al 2020: <a href="https://www.threatmodelingmanifesto.org/">Threat modeling manifesto</a></li> <li>Shostack 2022: <a href="https://www.youtube.com/playlist?list=PLCVhBqLDKoOOZqKt74QI4pbDUnXSQo0nf">Welcome to the Worlds Shortest Threat Modeling Course</a> (12 parts, about 15 min total, audio is enough for all except video 7 &quot;Data flow diagrams&quot;)</li> <li>Shostack 2014: <a href="https://learning.oreilly.com/library/view/threat-modeling-designing/9781118810057/9781118810057c01.xhtml#c1">Chapter 1 - Dive In and Threat Model!</a> €</li> <li>OWASP CheatSheets Series Team 2021: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html">Threat Modeling Cheat Sheet</a></li> </ul> </li> <li>a) Security hygiene. What basic security practices should everyone follow? Are there some security hygiene practicies that you consider useful, but might be above an average Joe? (This subtask does not require tests with a computer. A bullet list is enough)</li> <li>b) Make-belief boogie-man - a threat model for imaginary company. <ul> <li>This subtask does not require tests with a computer.</li> <li>A long, extensive answer with narrative, analysis and a diagram is expected.</li> <li>Create an imaginary company and create threat model.</li> <li>Business requirements come from business, technical specialist help with tech. Inlude this in your narrative.</li> <li>Your analysis should cover all parts of the four question model (four key questions in Threat modeling manifesto) <ul> <li>(1) What are we working on? <ul> <li>Our assets <ul> <li>Priorization, key assets</li> <li>E.g. customer health data is a crown jevel, personel gaming server is probably not</li> </ul> </li> <li>Security supports business</li> <li>Draw a diagram of the company systems</li> <li>Write a description.</li> </ul> </li> <li>(2) What can go wrong? <ul> <li>Apply one or more named models: Attack trees, STRIDE, ATT&amp;CK... <ul> <li>Give some examples of identified risks - you don't need to find all risks or likely vulnerabilites, as there would be too many for this homework.</li> </ul> </li> <li>Priorize biggest risks <ul> <li>High expected value (or other very high risk)</li> <li>Expected value = probability * monetary value</li> <li>Expected value is a tool for discussion, it's not exact science as we have to guestimate the input numbers</li> </ul> </li> <li>Are you targetted by specific threat actors? <ul> <li>Known TTPs? (tactics, techniques, procedures)</li> <li>COI - Capability, Opportunity, Intent</li> </ul> </li> </ul> </li> <li>(3) What are we going to do about it? <ul> <li>Can you: reduce attack surface, limit entry points...</li> <li>Reduce, transfer, avoid, accept</li> </ul> </li> <li>(4) Did we do a good enough job? <ul> <li>Security audits, pentests, assesments, continous threat modeling and evaluation</li> </ul> </li> </ul> </li> </ul> </li> </ul> <p>Tips:</p> <ul> <li><a href="https://www.oreilly.com/library/view/temporary-access/">O'Reilly Learning € (former Safari)</a> is a bit pricey, but Haaga-Helia students get free access trough <a href="https://libguides.haaga-helia.fi/az.php">Haaga-Helia library A-Z page</a>.</li> <li>When cross evaluating <ul> <li>Give comments</li> <li>Use the whole scale (5 is every non-voluntary task solved and reported clearly)</li> </ul> </li> </ul> <h3 id="h3-web">h3 Web</h3> <p>Remember to keep it safe, legal and ethical. Especially if you grasp OWASP 10, you still can't try these to machines you don't own. You can only start doing the excercises after accepting course rules in Moodle.</p> <p>You're only allowed to start these tasks after accepting course rules in Moodle.</p> <ul> <li>x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like) <ul> <li>OWASP: OWASP 10 2021 <ul> <li><a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">A05:2021-Security Misconfiguration</a></li> <li><a href="https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/">A06:2021-Vulnerable and Outdated Components</a></li> <li><a href="https://owasp.org/Top10/A03_2021-Injection/">A03:2021-Injection</a></li> </ul> </li> </ul> </li> <li>a) Goat. <a href="https://terokarvinen.com/2023/webgoat-2023-4-ethical-web-hacking/">Install WebGoat 2023.4</a>. This subtask does not need to be reported, unless there are technical problems.</li> <li>b) F12. Solve Webgoat 2023.4: General: Developer tools.</li> <li>c) Not outdated. Update all operating system and all applications in your Linux.</li> <li>d) Sequel. Solve <a href="https://sqlzoo.net/wiki/SQL_Tutorial">SQLZoo</a>: <ul> <li>0 SELECT basics</li> <li>2 SELECT from World, from first two subtasks.</li> </ul> </li> <li>e) Johnny tables. Solve Portswigger Labs: <a href="https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data">Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data</a></li> <li>m) Voluntary bonus: WebGoat: SQL Injection</li> <li>n) Voluntary bonus: solve some <a href="https://portswigger.net/web-security/all-labs">Portswigger labs</a> marked as Apprentice (easy level)</li> <li>o) Voluntary multi-week bonus, requires programming: Ptacek et al: <a href="https://www.cryptopals.com/">Cryptopals</a>.</li> </ul> <p>Tips:</p> <ul> <li><a href="#stuck">If you get stuck</a></li> <li>F12 Developer tools: I'm using Firefox F12. But it probably works on Chromium, too.</li> <li>You can update all software in Linux with <ul> <li>Open terminal</li> <li>'sudo apt-get update'</li> <li>'sudo apt-get dist-upgrade'</li> <li>If this is your first full upgrade, reboot (it's only needed for kernel upgrades)</li> </ul> </li> <li>SQLZoo <ul> <li>If you've got a lot of experience with databases already and SQLZoo is too easy, you can instead install a relational database (Postgre, Mariadb...) and show CRUD operations using command line client and SQL.</li> <li>Yes, I think they really run your queries on database management system</li> <li>In SQL, you can often write long numbers in engineering notation, nine zeroes after two as 2e9 instead of 2000000000</li> </ul> </li> <li>Johnny tables <ul> <li>You only need your browser (even though the official example solution uses a paid tool by the makers of the lab)</li> <li>Try different places. But if you're completely out of options: peek the solution, apply it to use just browser (no mitm proxy needed), mention in your report the hints used - and try to explain <em>how</em> the solution works.</li> </ul> </li> <li>WebGoat <ul> <li>What kind of quotes did SQL have?</li> <li>If you raise everyone's salaries, are you the richest anymore?</li> <li>The names here are the same as in OWASP 10 2021 and OWASP 10 2017.</li> <li>In injections, it's nice to know: <ul> <li>SQL string delimiter (single quote, aphostrophe) &quot;'&quot; (end of user input, start of my hostile injection)</li> <li>SQL comment (double dash) &quot;--&quot; (end of my evil injection, you can ignore the rest, dear database management system)</li> <li>There are many ways to do SQL injection</li> </ul> </li> </ul> </li> <li>b) Injected. Solve WebGoat: <ul> <li>A1 Injection (intro)</li> </ul> </li> </ul> <h3 id="h4-etaoin">h4 ETAOIN</h3> <ul> <li>x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like) <ul> <li>€ Schneier 2015: Applied Cryptography: <a href="https://learning.oreilly.com/library/view/applied-cryptography-protocols/9781119096726/08_chap01.html#chap01-sec006">Chapter 1: Foundations</a></li> <li>Disobey 2023: <ul> <li>Watch and summarize a presetation of Disobey 2023 conference</li> <li>Presentation videos are on <a href="https://www.youtube.com/@Disobey/videos">Disobey Youtube Channel</a></li> <li>Skill level and background knowledge required varies a lot, choose a video you can understand.</li> </ul> </li> </ul> </li> <li>a) Encrypt and decrypt a message. Explain the purpose of each step. Explain why you choose the tool you're using. (You can use any tool you want. You must do and report the encryption at the same time, it's not enough to try to remember what we did in the class. )</li> <li>m) Voluntary bonus: send and receive encrypted message over email.</li> <li>n) Voluntary bonus: Find out frequency distribution of letters for a language that you know (other than English). What are the six most common letters? (This subtask y does not require tests with a computer if the question can be answered without them)</li> <li>o) Voluntary bonus: ETAOIN. Crack this ciphertext: <ul> <li>HDMH'B TH. KWU'YI AWR WSSTOTMJJK M OWQINYIMLIY! MB KWU BII, BTGPJI BUNBHTHUHTWA OTPDIYB OMA NI NYWLIA RTHD SYIEUIAOK MAMJKBTB. BII KWU MH DHHP://HIYWLMYCTAIA.OWG</li> </ul> </li> <li>p) Voluntary bonus, easy: try rot13, the military grade top-secret encryption of the top-2 empire of year zero. Could double rot13 provide extra security?</li> <li>q) Voluntary difficult bonus, requries coding skills: Cryptopals (recommended, if you have what it takes).</li> </ul> <p>Tips:</p> <ul> <li>Frequency distributions for most languages can be found in search engines and probably Wikipedia</li> <li>ETAOIN <ul> <li>This challenge can be solved with pen and paper, no coder skills required. (Like most things, it's faster with a computer, though.)</li> <li>Just like this course, the cleartext is in English</li> <li>Looking at word lengths and spaces, this ciphertext is likely using a simple substitution cipher.</li> <li>Use your eyes - can you identify possible common words or parts of them?</li> <li>After ruling out Caesar (e.g. rot13), we can use <a href="https://en.wikipedia.org/wiki/Frequency_analysis">frequency analysis</a></li> <li><a href="https://en.wikipedia.org/wiki/Letter_frequency">Most common letter in English is E</a>, the second most common is T... The frequency table is ETAOIN shrdlu. <ul> <li>Frequency is about statistics and probability. It's not guaranteed that E is the most common, it's just likely. Especially short texts make statistical analysis less efficient.</li> <li>It's much more likely that most common letters are from ETAOIN than the from the least frequent j, x or z.</li> </ul> </li> <li>Use your sisu <ul> <li>If first guess does not crack it, try another one.</li> <li>Make notes as you work.</li> <li>Document your approaches and how far you can get, even if you couldn't crack the whole thing.</li> </ul> </li> </ul> </li> <li><a href="https://www.oreilly.com/library/view/temporary-access/">O'Reilly Learning € (former Safari)</a> is a bit pricey, but Haaga-Helia students get free access trough <a href="https://libguides.haaga-helia.fi/az.php">Haaga-Helia library A-Z page</a>.</li> </ul> <h3 id="h5-spring2024">h5 Spring2024!</h3> <ul> <li>x) Read or watch and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like) <ul> <li>€ Schneier 2015: Applied Cryptography: <a href="https://learning.oreilly.com/library/view/applied-cryptography-protocols/9781119096726/10_chap02.html#chap02-sec003">2.3 One-Way Functions</a> and 2.4 One-Way Hash Functions.</li> </ul> </li> <li>a) Install Hashcat. Test it with a sample hash. See Karvinen 2022: <a href="https://terokarvinen.com/2022/cracking-passwords-with-hashcat/">Cracking Passwords with Hashcat</a></li> <li>b) Crack this hash: 8eb8e307a6d649bc7fb51443a06a216f</li> <li>c) Choose a password manager. (This subtask b does not require tests with a computer). First, create a short list of some password managers; then pick one. Explain: <ul> <li>What threats does it protect against?</li> <li>What information is encrypted, what's not?</li> <li>What's the license? How would you describe license's effects or categorize it?</li> <li>Where is the data stored? If in &quot;the cloud&quot;, which country / juristiction / which companies? If on local disk, where?</li> <li>How is the data protected?</li> </ul> </li> <li>d) Demonstrate the use of a password manager, the one you picked in previous subtask.</li> <li>m) Voluntary: Compile John the Ripper, Jumbo version. Karvinen 2023: <a href="https://terokarvinen.com/2023/crack-file-password-with-john/">Crack File Password With John</a>.</li> <li>n) Voluntary: Crack a zip file password</li> <li>o) Voluntary: create a password protected file other than ZIP. Crack the password. How many formats can you handle?</li> </ul> <p>Tips:</p> <ul> <li>Some examples of password managers include 'pass' (<a href="https://www.passwordstore.org/">https://www.passwordstore.org/</a>) and <a href="https://keepassxc.org/">KeePassXC</a>. There are also many others.</li> <li>O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough <a href="https://libguides.haaga-helia.fi/az.php">Haaga-Helia library A-Z page</a>.</li> </ul> <h3 id="h6-a-nynomous">h6. A. Nynomous</h3> <p><em>In Finland, it's legal to use TOR at the time of writing. If you reside in another juristiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.</em></p> <p><em>If you are currently in a juristiction where using TOR is illegal, you obviously can't install it and do the related tasks. For those cases, alternative task is: based on literature only (no hands on tests, no installation), compare anonymous/pseudonymous networks, such as TOR, I2P, Freenet and others. How do their goals, technology and other features differ? How are they similar?</em></p> <p>x) Read and summarize (briefly, e.g. with some bullets)</p> <ul> <li>Quintin 2014: <a href="https://www.eff.org/deeplinks/2014/07/7-things-you-should-know-about-tor">7 Things You Should Know About Tor</a></li> <li>Shavers &amp; Bair 2016: <a href="https://learning.oreilly.com/library/view/hiding-behind-the/9780128033524/XHTML/B9780128033401000021/B9780128033401000021.xhtml#s0010">Hiding Behind the Keyboard: The Tor Browser €</a>; subchapters: &quot;Introduction&quot;, &quot;History and Intended Use of The Onion Router&quot;, &quot;How The Onion Router Works&quot;, &quot;Tracking Criminals Using TOR&quot;.</li> </ul> <p>a) Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).</p> <p>b) Browse TOR network, find, take screenshots and comment</p> <ul> <li>search engine for onion sites</li> <li>marketplace</li> <li>forum</li> <li>a site for a well known organization that has a physical street address in the real world</li> </ul> <p>c) Voluntary or alternative task: No onion. You can do this task in place of a and b. Install a darknet browser other than TOR, such as I2P or Freenet. Search, screenshot and describe examples of contents there.</p> <p>d) Voluntary: Crypto hunter. Find Bitcoin address from a darknet site. Use the public ledger to find out if money has been transferred to that address.</p> <p>Tips</p> <ul> <li>Alternatives for installing TOR <ul> <li><a href="https://www.torproject.org/download/">https://www.torproject.org/download/</a> (probably easiest)</li> <li>sudo apt-get update; sudo apt-get install torbrowser-launcher</li> <li><a href="https://tails.net/">https://tails.net/</a></li> <li><a href="https://www.whonix.org/">https://www.whonix.org/</a></li> </ul> </li> <li>OPSEC is hard, any single tool will not magically make you untraceable</li> <li>Be cautious: don't trust anonymous sites, don't enter your name or other personal details anywhere.</li> <li>O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough <a href="https://libguides.haaga-helia.fi/az.php">Haaga-Helia library A-Z page</a>.</li> <li>Bitcoin explorer</li> <li>Other darknets include <ul> <li>GNUnet</li> <li>Hypanet</li> <li>I2P</li> </ul> </li> </ul> <h3 id="h7-free-tickets">h7. Free Tickets</h3> <p><em>Time to plan how you keep up to date on cyber after the course ends. You also need something to keep you entertained until</em> ICT Infrastructure project pro4tf023 <em>starts.</em></p> <ul> <li>x) Free tickets. View and summarize a hacker or security conference presentation. It should be a full length (&gt;30 min) presentation. Brief summary with some bullets is enough.</li> <li>a) Voluntary: Feed me. Set up RSS feed reader and follow some security related feeds.</li> </ul> <p>Tips</p> <ul> <li>Security conferences <ul> <li><a href="https://infocondb.org/">https://infocondb.org/</a></li> <li>Disobey</li> <li>RSA Conference</li> <li>Black Hat</li> <li>DEFCON</li> <li>HOPE</li> </ul> </li> <li>Helsinki has very active hacker scene, consider HelSec</li> <li>Feel free to join <a href="https://terokarvinen.com/newsletter/">Tero's list</a> - know when hackers visit my courses</li> </ul> <h2 id="adminstrivia">Adminstrivia</h2> <p><em>I will keep updating this page during and after the course.</em></p>Format Dates Calendar.Txt Stylehttps://terokarvinen.com/2024/format-date-calendar-txt/Thu, 04 Jan 2024 17:14:47 +0200https://terokarvinen.com/2024/format-date-calendar-txt/ <p>Format your dates <a href="https://terokarvinen.com/2021/calendar-txt/">Calendar.txt</a> style, everywhere! Like <em>2024-01-04 w01 Thu</em>.</p> <p>I printed every day from year 1700 to 2400, using Python 3, Go, PHP, Django templates and 'date'. Then I checked that results match.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-py" data-lang="py"><span style="display:flex;"><span>day<span style="color:#555">.</span>strftime(<span style="color:#c30">&#34;%Y-%m-</span><span style="color:#a00">%d</span><span style="color:#c30"> w%V </span><span style="color:#a00">%a</span><span style="color:#c30">&#34;</span>) <span style="color:#09f;font-style:italic"># Python</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#033">$date</span><span style="color:#555">-&gt;</span><span style="color:#309">format</span>(<span style="color:#c30">&#39;Y-m-d \wW D&#39;</span>) <span style="color:#09f;font-style:italic">// PHP </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>date +<span style="color:#c30">&#34;%Y-%m-%d w%V %a&#34;</span> <span style="color:#09f;font-style:italic"># Linux &#39;date&#39;</span> </span></span></code></pre></div><p><a href="#django-templates---dategen-djangopy">Django Templates</a> and <a href="#golang-gobin---dategen-gogo">Go</a> are a bit more verbose, read the full programs below. Or <a href="calendartxt-date-2024-01-04.zip">download them all (calendartxt-date-2024-01-04.zip, 5.5 MB)</a>.</p> <p><em>Looking for <a href="https://terokarvinen.com/2021/calendar-txt/">Calendar.txt</a>? This article is just about date formats. If you want to <a href="https://terokarvinen.com/2021/calendar-txt/">keep your calendar in a plain text file</a>, head to <a href="https://terokarvinen.com/2021/calendar-txt/">Calendar.txt</a></em></p> <h2 id="test-output">Test output</h2> <p>For each language or command, a test script is generated.</p> <p>Test script prints each date to standard output.</p> <ul> <li>Start date: 1700-01-01 w53 Fri (inclusive)</li> <li>End date: 2400-01-01 w52 Sat (inclusive)</li> </ul> <p>Rationale for the testing period</p> <ul> <li>Must be considerably longer than the lifetime of any living person now (2024).</li> <li>Should not go near the edge of clearly defined dates, e.g. dates outside gregorian calendar. This is to avoid irrelevant errors outside the range of real-life usable dates.</li> </ul> <p>Rationale for dates</p> <ul> <li>Start date 1700-01-01 w53 Fri <ul> <li>1700 is much later than &quot;Inter gravissimas&quot; bulla in 1582</li> <li>1700 is over 300 years ago</li> <li>Conveniently, it's on w53 (most years have only 52 weeks)</li> </ul> </li> <li>End date 2400-01-01 w52 Sat <ul> <li>2400 is over 300 years into the future</li> </ul> </li> </ul> <h3 id="corrrect-output-file">Corrrect output file</h3> <p>The <a href="dategen-go.txt">correct output file is dategen-go.txt</a>. 4.7 MB, 255 670 dates, 255 670 lines. SHA256 hash is 343b12bae2b459f0bfe2f676f7350210fae9a19aa54f756cc0a4063098b29b37.</p> <p>When test output is saved into a file, this is the correct result.</p> <p>The file ends with a newline &quot;\n&quot;. There are no other empty lines. There must be no whitespace at the end of lines.</p> <pre><code>$ sha256sum out/* 343b12bae2b459f0bfe2f676f7350210fae9a19aa54f756cc0a4063098b29b37 out/dategen-django.txt 343b12bae2b459f0bfe2f676f7350210fae9a19aa54f756cc0a4063098b29b37 out/dategen-go.txt 343b12bae2b459f0bfe2f676f7350210fae9a19aa54f756cc0a4063098b29b37 out/dategen-php.txt 343b12bae2b459f0bfe2f676f7350210fae9a19aa54f756cc0a4063098b29b37 out/dategen-python.txt 343b12bae2b459f0bfe2f676f7350210fae9a19aa54f756cc0a4063098b29b37 out/dategen-sh.txt </code></pre> <p>As all correct output files are identical, we can further look at any one file</p> <pre><code>$ wc -l dategen-go.txt 255670 dategen-go.txt </code></pre> <p>So it has 255 670 lines, each representing a date.</p> <pre><code>$ head -1 dategen-go.txt; tail -1 dategen-go.txt 1700-01-01 w53 Fri 2400-01-01 w52 Sat </code></pre> <h3 id="debugging-incorrect-output">Debugging incorrect output</h3> <p>If sha256sum does not match, the file is incorrect.</p> <p>A count of diff lines gives an idea if all lines are bad. If all are bad, you can look at the first line to see if there is a major problem. Also, white space at the end of line is a hard to see candidate.</p> <pre><code>diff correct.txt new.txt |wc -l </code></pre> <p>If only some lines are incorrect, check if zero padding in weeks is missing.</p> <p>In addition to these obvious things, there could be incorrect or weird date calculations.</p> <h2 id="full-date-format-programs">Full Date Format Programs</h2> <h3 id="python---dategenpy">Python - dategen.py</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-py" data-lang="py"><span style="display:flex;"><span><span style="color:#09f;font-style:italic">#!/usr/bin/python3</span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># Copyright 2024 Tero Karvinen https://TeroKarvinen.com</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">from</span> <span style="color:#0cf;font-weight:bold">datetime</span> <span style="color:#069;font-weight:bold">import</span> datetime </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">from</span> <span style="color:#0cf;font-weight:bold">dateutil.relativedelta</span> <span style="color:#069;font-weight:bold">import</span> relativedelta </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>start <span style="color:#555">=</span> datetime(<span style="color:#f60">1700</span>, <span style="color:#f60">1</span>, <span style="color:#f60">1</span>) </span></span><span style="display:flex;"><span>end <span style="color:#555">=</span> datetime(<span style="color:#f60">2400</span>, <span style="color:#f60">1</span>, <span style="color:#f60">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>day <span style="color:#555">=</span> start </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">while</span> day <span style="color:#555">&lt;=</span> end: </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># &#34;%W&#34; is not ISO8601 week, as it includes week zero (0). </span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># Correct ISO8601 week is &#34;%V&#34;, https://bugs.python.org/issue12006 fixed in 2015. </span> </span></span><span style="display:flex;"><span> <span style="color:#366">print</span>(day<span style="color:#555">.</span>strftime(<span style="color:#c30">&#34;%Y-%m-</span><span style="color:#a00">%d</span><span style="color:#c30"> w%V </span><span style="color:#a00">%a</span><span style="color:#c30">&#34;</span>)) </span></span><span style="display:flex;"><span> day <span style="color:#555">+=</span> relativedelta(days<span style="color:#555">=+</span><span style="color:#f60">1</span>) </span></span></code></pre></div><h3 id="php---dategenphp">PHP - dategen.php</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#09f;font-style:italic">#!/usr/bin/php </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span><span style="color:#555">&lt;?</span>php </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># Copyright 2024 Tero Karvinen https://TeroKarvinen.com </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span> </span></span><span style="display:flex;"><span><span style="color:#033">$format</span> <span style="color:#555">=</span> <span style="color:#c30">&#39;Y-m-d \wW D&#39;</span>; <span style="color:#09f;font-style:italic">// https://terokarvinen.com/2021/calendar-txt/ </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span><span style="color:#033">$start</span> <span style="color:#555">=</span> <span style="color:#069;font-weight:bold">new</span> DateTime(<span style="color:#c30">&#39;1700-01-01&#39;</span>); </span></span><span style="display:flex;"><span><span style="color:#033">$end</span> <span style="color:#555">=</span> <span style="color:#069;font-weight:bold">new</span> DateTime(<span style="color:#c30">&#39;2400-01-02&#39;</span>); <span style="color:#09f;font-style:italic">// one day past last date to make it inclusive, 2400-01-01 </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span> </span></span><span style="display:flex;"><span><span style="color:#033">$interval</span> <span style="color:#555">=</span> <span style="color:#069;font-weight:bold">new</span> DateInterval(<span style="color:#c30">&#39;P1D&#39;</span>); <span style="color:#09f;font-style:italic">// one day </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span><span style="color:#033">$period</span> <span style="color:#555">=</span> <span style="color:#069;font-weight:bold">new</span> DatePeriod(<span style="color:#033">$start</span>, <span style="color:#033">$interval</span>, <span style="color:#033">$end</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">foreach</span> (<span style="color:#033">$period</span> <span style="color:#069;font-weight:bold">as</span> <span style="color:#033">$date</span>) { </span></span><span style="display:flex;"><span> <span style="color:#069;font-weight:bold">echo</span> <span style="color:#033">$date</span><span style="color:#555">-&gt;</span><span style="color:#309">format</span>(<span style="color:#033">$format</span>) <span style="color:#555">.</span> <span style="color:#c30">&#34;</span><span style="color:#c30;font-weight:bold">\n</span><span style="color:#c30">&#34;</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#099">?&gt;</span><span style="color:#a00;background-color:#faa"> </span></span></span></code></pre></div><h3 id="bash--date---dategensh">Bash / date - dategen.sh</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#099">#!/usr/bin/bash </span></span></span><span style="display:flex;"><span><span style="color:#099"></span><span style="color:#09f;font-style:italic"># Copyright 2024 Tero Karvinen https://TeroKarvinen.com</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#033">STARTDATE</span><span style="color:#555">=</span><span style="color:#c30">&#34;1700-01-01&#34;</span> <span style="color:#09f;font-style:italic"># first date, inclusive, YYYY-MM-DD, e.g. &#34;1700-01-01&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># STARTDATE=&#34;2399-12-01&#34; # for testing the last date</span> </span></span><span style="display:flex;"><span><span style="color:#033">ENDDATE</span><span style="color:#555">=</span><span style="color:#c30">&#34;2400-01-02&#34;</span> <span style="color:#09f;font-style:italic"># one day past last date, YYYY-MM-DD, it&#39;s inclusive &#34;2400-01-01&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># OUTFILE=&#34;out/dategen-sh-out.txt&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#033">FORMAT</span><span style="color:#555">=</span><span style="color:#c30">&#34;%Y-%m-%d w%V %a&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#033">DATE</span><span style="color:#555">=</span><span style="color:#069;font-weight:bold">$(</span>date -d <span style="color:#c30">&#34;</span><span style="color:#033">$STARTDATE</span><span style="color:#c30">&#34;</span> +<span style="color:#c30">&#34;</span><span style="color:#033">$FORMAT</span><span style="color:#c30">&#34;</span><span style="color:#069;font-weight:bold">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># echo &#34;&#34; &gt; &#34;$OUTFILE&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">until</span> <span style="color:#555">[</span> <span style="color:#c30">&#34;</span><span style="color:#033">$ENDDATE</span><span style="color:#c30">&#34;</span> <span style="color:#555">==</span> <span style="color:#c30">&#34;</span><span style="color:#069;font-weight:bold">$(</span><span style="color:#366">echo</span> <span style="color:#c30">&#34;</span><span style="color:#033">$DATE</span><span style="color:#c30">&#34;</span>|head -c10<span style="color:#069;font-weight:bold">)</span><span style="color:#c30">&#34;</span> <span style="color:#555">]</span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">do</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># echo &#34;$DATE&#34; &gt;&gt; &#34;$OUTFILE&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#366">echo</span> <span style="color:#c30">&#34;</span><span style="color:#033">$DATE</span><span style="color:#c30">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#033">DATE</span><span style="color:#555">=</span><span style="color:#069;font-weight:bold">$(</span>date -d <span style="color:#c30">&#34;</span><span style="color:#033">$DATE</span><span style="color:#c30"> + 1 days&#34;</span> +<span style="color:#c30">&#34;</span><span style="color:#033">$FORMAT</span><span style="color:#c30">&#34;</span><span style="color:#069;font-weight:bold">)</span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">done</span> </span></span></code></pre></div><h3 id="golang-go---dategen-gogo">Golang Go - dategen-go.go</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go"><span style="display:flex;"><span><span style="color:#09f;font-style:italic">// Copyright 2020-2024 Tero Karvinen http://TeroKarvinen.com </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">package</span> main </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">import</span> ( </span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;fmt&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#c30">&#34;time&#34;</span> </span></span><span style="display:flex;"><span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">func</span> <span style="color:#c0f">main</span>() { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic">/* Print dates */</span> </span></span><span style="display:flex;"><span> weekdays <span style="color:#555">:=</span> []<span style="color:#078;font-weight:bold">string</span>{<span style="color:#c30">&#34;Sun&#34;</span>, <span style="color:#c30">&#34;Mon&#34;</span>, <span style="color:#c30">&#34;Tue&#34;</span>, <span style="color:#c30">&#34;Wed&#34;</span>, <span style="color:#c30">&#34;Thu&#34;</span>, <span style="color:#c30">&#34;Fri&#34;</span>, <span style="color:#c30">&#34;Sat&#34;</span>} </span></span><span style="display:flex;"><span> day <span style="color:#555">:=</span> time.<span style="color:#c0f">Date</span>(<span style="color:#f60">1700</span>, time.January, <span style="color:#f60">1</span>, <span style="color:#f60">0</span>, <span style="color:#f60">0</span>, <span style="color:#f60">0</span>, <span style="color:#f60">0</span>, time.UTC) </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic">// day := time.Date(2399, time.December, 1, 0, 0, 0, 0, time.UTC) // for testing </span></span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"></span> end <span style="color:#555">:=</span> time.<span style="color:#c0f">Date</span>(<span style="color:#f60">2400</span>, time.January, <span style="color:#f60">1</span>, <span style="color:#f60">0</span>, <span style="color:#f60">0</span>, <span style="color:#f60">0</span>, <span style="color:#f60">0</span>, time.UTC) </span></span><span style="display:flex;"><span> <span style="color:#069;font-weight:bold">for</span> !day.<span style="color:#c0f">After</span>(end) { </span></span><span style="display:flex;"><span> _, w <span style="color:#555">:=</span> day.<span style="color:#c0f">ISOWeek</span>() </span></span><span style="display:flex;"><span> weekday <span style="color:#555">:=</span> weekdays[day.<span style="color:#c0f">Weekday</span>()] </span></span><span style="display:flex;"><span> fmt.<span style="color:#c0f">Printf</span>(<span style="color:#c30">&#34;%v w%02d %s\n&#34;</span>, day.<span style="color:#c0f">Format</span>(<span style="color:#c30">&#34;2006-01-02&#34;</span>), w, weekday) </span></span><span style="display:flex;"><span> day = day.<span style="color:#c0f">Add</span>(time.Hour <span style="color:#555">*</span> <span style="color:#f60">24</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="django-templates---dategen-djangopy">Django Templates - dategen-django.py</h3> <p>Django Template solution is not that pretty.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f0f3f3;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-py" data-lang="py"><span style="display:flex;"><span><span style="color:#09f;font-style:italic">#!/usr/bin/python3</span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># Copyright 2024 Tero Karvinen https://TeroKarvinen.com</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># sudo apt-get install python3-django</span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># django-admin --version # prints &#34;3.2.19&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">from</span> <span style="color:#0cf;font-weight:bold">datetime</span> <span style="color:#069;font-weight:bold">import</span> datetime </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">from</span> <span style="color:#0cf;font-weight:bold">dateutil.relativedelta</span> <span style="color:#069;font-weight:bold">import</span> relativedelta </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">from</span> <span style="color:#0cf;font-weight:bold">django.template</span> <span style="color:#069;font-weight:bold">import</span> Template, Context </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">from</span> <span style="color:#0cf;font-weight:bold">django.conf</span> <span style="color:#069;font-weight:bold">import</span> settings </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">import</span> <span style="color:#0cf;font-weight:bold">django</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic">## Set up Single file Django</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>settings<span style="color:#555">.</span>configure(TEMPLATES<span style="color:#555">=</span>[ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#c30">&#39;BACKEND&#39;</span>: <span style="color:#c30">&#39;django.template.backends.django.DjangoTemplates&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#c30">&#39;APP_DIRS&#39;</span>: <span style="color:#069;font-weight:bold">False</span>, <span style="color:#09f;font-style:italic"># we have no apps</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span>]) </span></span><span style="display:flex;"><span>django<span style="color:#555">.</span>setup() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic">## Print dates</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>start <span style="color:#555">=</span> datetime(<span style="color:#f60">1700</span>, <span style="color:#f60">1</span>, <span style="color:#f60">1</span>) </span></span><span style="display:flex;"><span><span style="color:#09f;font-style:italic"># end = datetime(1700, 1, 18)</span> </span></span><span style="display:flex;"><span>end <span style="color:#555">=</span> datetime(<span style="color:#f60">2400</span>, <span style="color:#f60">1</span>, <span style="color:#f60">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>day <span style="color:#555">=</span> start </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#069;font-weight:bold">while</span> day <span style="color:#555">&lt;=</span> end: </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># https://docs.djangoproject.com/en/3.2/ref/templates/builtins/#date picks, dashes added, reordered &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># - Uses a similar format to PHP’s date() function with some differences.</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># - o ISO-8601 week-numbering year, corresponding to the ISO-8601 week number (W) which uses leap weeks. See Y for the more common year format. &#39;1999&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># - W SO-8601 week number of year, with weeks starting on Monday. 1, 53</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># Not the same as in PHP. This works in PHP &#34;Y-m-d \wW D&#34;, but lacks week zero padding in Django.</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># It seems that Django template filter &#34;date&#34; does not have a zero padded week number as of 2024-01-04 w01 Thu.</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># To get zero padded ISO week number, &#39;day | date:&#34;W&#34;&#39; prints week number as a string without padding &#34;2&#34;,</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># which is then converted to integer &#39;| add:&#34;0&#34;&#39; and padded with leading zero &#39;stringformat:&#34;02d&#34;&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#09f;font-style:italic"># &#34;Y&#34; seems to be the correct year for ISO8601 dates. The suggested &#34;o&#34; gives nonsensical results.</span> </span></span><span style="display:flex;"><span> t <span style="color:#555">=</span> Template(<span style="color:#c30">&#39;{{ day | date:&#34;Y-m-d&#34; }} w{{ day | date:&#34;W&#34; | add:&#34;0&#34; | stringformat:&#34;02d&#34;}} {{ day | date:&#34;D&#34; }}&#39;</span>) </span></span><span style="display:flex;"><span> c <span style="color:#555">=</span> Context({<span style="color:#c30">&#39;day&#39;</span>: day}) </span></span><span style="display:flex;"><span> s <span style="color:#555">=</span> t<span style="color:#555">.</span>render(c) </span></span><span style="display:flex;"><span> <span style="color:#366">print</span>(s) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> day <span style="color:#555">+=</span> relativedelta(days<span style="color:#555">=+</span><span style="color:#f60">1</span>) </span></span></code></pre></div><h2 id="next-steps">Next Steps</h2> <p><a href="https://terokarvinen.com/2021/calendar-txt/">Keep your calendar in a plain text file</a>, head to <a href="https://terokarvinen.com/2021/calendar-txt/">Calendar.txt</a>.</p> <h2 id="adminstrivia">Adminstrivia</h2> <p>2024-01-11 w02 Thu: fixed some typos.</p>J-P Won My CTFhttps://terokarvinen.com/2023/jari-pekka-won-ethical-hacking-ctf/Mon, 11 Dec 2023 12:26:35 +0200https://terokarvinen.com/2023/jari-pekka-won-ethical-hacking-ctf/ <p>Jari-Pekka Ollikainen won my Capture the Flag. It was a hacking challenge, on the last day of my <a href="https://terokarvinen.com/2023/eettinen-hakkerointi-2023/">ethical hacking course</a>. He was the first to break all eight challenges.</p> <p>The game tested penetration testing skills. It included mapping the attack surface using port scanning and fuzzing, cracking password protected files and breaking web applications using multiple approaches.</p> <p>J-P is also one of the authors of PhishSticks (<a href="https://www.youtube.com/watch?v=bDzVevtZiWE">video</a>, <a href="https://github.com/therealhalonen/PhishSticks">git</a>). Suffice to say: never connect an unknown USB device to your computer.</p>PGP - Send Encrypted and Signed Message - gpghttps://terokarvinen.com/2023/pgp-encrypt-sign-verify/Fri, 17 Nov 2023 09:59:36 +0200https://terokarvinen.com/2023/pgp-encrypt-sign-verify/ <p>Send a secret message over untrusted Internet. Encryption prevents anyone from reading your message. Signing protects your message from modification. Public keys allow you to establish trust without meeting physically.</p> <p>This article shows how you can use PGP encryption with 'gpg' tool. We'll simulate two users to make it easy to practice. PGP is well known, highly secure standard for encryption.</p> <p>Alice will send a signed, encrypted message to Tero. This is the most obvious, basic use of PGP.</p> <h2 id="background">Background</h2> <p>GNU privacy guard, 'gpg', is a popular way to encrypt and sign. You're likely already depending on it, as Linux kernel development uses uses PGP signatures.</p> <p>This article directly uses 'gpg' on the command line. To encrypt your everyday messaging, additional tools are often used to automate this. For example, email applications can be made to automatically encrypt your messages.</p> <p>This article requires knowledge of <a href="https://terokarvinen.com/2020/command-line-basics-revisited/">Linux command line</a>. I've tested the commands on <a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Debian 12 Bookworm</a>. They likely work on many other Linuxes too. Probably they could be adapted to lesser operating systems, such as Windows.</p> <p>Alice will send an encrypted message to Tero.</p> <p>Alice needs Tero's public key to encrypt. Tero needs Alice's public key to verify Alice's singature.</p> <h2 id="setting-up-trust">Setting Up Trust</h2> <p>These inital key exchange and verification steps need to be done only once. They establish trust between parties.</p> <h3 id="generate-teros-keypair">Generate Tero's Keypair</h3> <p>Let's install required tools. We interested in 'gpg' encryption tool. The others, 'micro' text editor and 'killall' from psmisc are just helpful extras.</p> <pre><code>$ sudo apt-get update $ sudo apt-get install gpg micro psmisc </code></pre> <p>Let's create a keypair.</p> <pre><code>$ gpg --gen-key </code></pre> <p>I gave my full name. &quot;Tero Karvinen DEMO KEY&quot; and my email address &quot;tero@example.com.invalid&quot;. As I'm actually using PGP, I added the text to make it clear this is not my real key.</p> <p>I did not protect this key with a password. I simply gave empty password (twice) and confirmed that I don't want a password for my key (twice).</p> <p>I now have a keypair. I have picked only interesting lines of the output.</p> <pre><code>$ gpg --fingerprint pub rsa3072 2023-11-17 [SC] [expires: 2025-11-16] B624 CDED 2430 252D 298D 7EC4 A8D8 1658 00B3 84A3 uid [ultimate] Tero Karvinen DEMO KEY &lt;tero@example.com.invalid&gt; sub rsa3072 2023-11-17 [E] [expires: 2025-11-16] </code></pre> <p>The keypair consists of public key and secret key. Secret key is, well, secret. If someone ever sees it, I would have to go to each service where it's used and disable it. Public key is, well, public. I can put it on a web page and upload it to key servers.</p> <p>Publicity of the public key is the magic of the whole system. Now I can exchange key with someone without meeting them.</p> <h3 id="export-my-public-key">Export My Public Key</h3> <p>Alice want's to send me a message. For this, she needs my public key. I'll export it. Plain 'cd' goes to our home directory.</p> <pre><code>$ cd $ gpg --export --armor --output tero.pub </code></pre> <p>Parameters to export are</p> <ul> <li>--export Export my public key</li> <li>--armor Only use ASCII characters, so that the output can be viewed and copy -asted.</li> <li>--output tero.pub Save the output into the file &quot;tero.pub&quot;</li> </ul> <p>Let's have a look at our public key</p> <pre><code>$ ls tero.pub $ head -4 tero.pub -----BEGIN PGP PUBLIC KEY BLOCK----- mQGNBGVXHrkBDADaY1iRTfmb9Zl/XZFUVG1LaL9A9y2eGvAehckzcQOQTNaYVBEC sH+YRyT4np1FdPwDAWkJBUaOzz0DwmQtzRY6exizxG2vF95fsreiNQsuMu+YwkBK </code></pre> <p>So, here is the public key in ASCII armor. Notice how it says &quot;PUBLIC KEY&quot; at the start. Then there are some 40 lines of gibberish, the actual key in ASCII armor, base64 encoded. And at the end, it says &quot;END PGP PUBLIC KEY&quot;.</p> <h3 id="alice-simulated">Alice, Simulated</h3> <p>Let's create Alice. We could create another user in the operating system or use another computer. But to make our practice easier, we'll just use a folder to simulate Alice.</p> <pre><code>$ cd $ mkdir alice/ $ chmod og-rwx alice/ </code></pre> <p>We created a folder in our home directory. It was protected so that only the owner (us) can use it, because otherwise 'gpg' complains all the time.</p> <p>To simulate Alice, we can just work inside this folder, and replace 'gpg' with 'gpg --homedir .' This way, Alice has her own settings and own keyring, separate from the one we actually use.</p> <pre><code>$ cd alice/ $ gpg --homedir . --fingerprint gpg: keybox '/home/tero/alice/pubring.kbx' created gpg: /home/tero/alice/trustdb.gpg: trustdb created $ gpg --homedir . --fingerprint </code></pre> <p>So, every command as Alice will run in Alice's directory 'cd ~/alice', and start with 'gpg --homedir .'.</p> <p>On the first run, the 'gpg' command created Alice's configuration files. They would be automatically created anyway when we first run some 'gpg' commands.</p> <p>The use of &quot;--homedir .&quot; means use current working directory to save gpg configuration files. You can always give the command 'pwd' to see the current working directory, the dot &quot;.&quot; in the command.</p> <p>Listing the fingerprints of all keys prints nothing, because Alice does not yet have any keys. Not her own, and no imported keys.</p> <p>It's time for Alice to create her own keypair.</p> <pre><code>$ gpg --homedir . --gen-key </code></pre> <p>Real name &quot;Alice&quot;, email &quot;alice@example.com.invalid&quot;, empty passphrase, yes really (x2). And the key is generated.</p> <p>We can see Alice's key in her keyring. I've abbreviated the output.</p> <pre><code>$ gpg --homedir . --fingerprint pub rsa3072 2023-11-17 [SC] [expires: 2025-11-16] B20F D80B 705C 791D C878 0030 7BAA 4F13 2645 134F uid [ultimate] Alice &lt;alice@example.com.invalid&gt; sub rsa3072 2023-11-17 [E] [expires: 2025-11-16] </code></pre> <h3 id="alice-imports-and-verifies-teros-key">Alice Imports and Verifies Tero's key</h3> <p>In most crypto stories, Alice is chatting with Bob. But today, she'll send me, Tero, a message. To send messages, Alice needs Tero's public key.</p> <p>The public key is literally public. Alice could get it from a web page, key server, unencrypted email - anywhere. The only important thing is to verify that this key really belongs to Tero. Here, we can just copy the exported public key as Alice is simulated.</p> <pre><code>$ cd $ cp -v tero.pub alice/ 'tero.pub' -&gt; 'alice/tero.pub' $ cd alice/ $ gpg --homedir . --import tero.pub gpg: key A8D8165800B384A3: public key &quot;Tero Karvinen DEMO KEY &lt;tero@example.com.invalid&gt;&quot; imported </code></pre> <p>Alice can check the fingerprint to verify that this is indeed Tero's key. This step is needed if Tero's public key was obtained over insecure channel, like unencrypted email, a web page or a key server.</p> <pre><code>$ gpg --homedir . --fingerprint pub rsa3072 2023-11-17 [SC] [expires: 2025-11-16] B624 CDED 2430 252D 298D 7EC4 A8D8 1658 00B3 84A3 uid [ unknown] Tero Karvinen DEMO KEY &lt;tero@example.com.invalid&gt; sub rsa3072 2023-11-17 [E] [expires: 2025-11-16] </code></pre> <ul> <li>[Nokia ringtone <a href="https://www.youtube.com/watch?v=jvFMtMAxGSw">Säkkijärven polkka</a> playing]</li> <li>Tero: Hi Alice!</li> <li>Alice: Hi Tero! Let's chat for a moment so I know it's you.</li> <li>[blah blah]</li> <li>Alice: OK, would you read your fingerprint.</li> <li>Tero: bravo-six-two-four, charlie-delta-echo-delta...</li> <li>Alice: Great, it matches! I'll send you a message soon.</li> </ul> <p>Alice signs Tero's key to mark it as trusted. Obviously, Tero's key in your test will have a different fingerprint. Alice could also refer to keys with their email addresses. As Alice is verifying the fingerprint, using it in the command protects against mistakes.</p> <pre><code>$ gpg --homedir . --sign-key &quot;B624 CDED 2430 252D 298D 7EC4 A8D8 1658 00B3 84A3&quot; </code></pre> <p>Keys could also be verified using singatures from trusted third parties.</p> <p>We can now see the trust</p> <pre><code>$ gpg --homedir . --fingerprint uid [ultimate] Alice &lt;alice@example.com.invalid&gt; uid [ full ] Tero Karvinen DEMO KEY &lt;tero@example.com.invalid&gt; </code></pre> <p>So Alice has <em>ultimate</em> trust for her own key. It's been like this since the beginning, when Alice generated her keypair on her own computer with &quot;--gen-key&quot;.</p> <p>Now, after verifying and signing Tero's key, Alice has <em>full</em> trust on Tero's key.</p> <p>Now that Alice has Tero's key, she can encrypt messages to Tero.</p> <h3 id="tero-needs-alices-public-key-to-know-its-her">Tero needs Alices Public Key to Know It's Her</h3> <p>Alice wants to sign her messages. Tero needs Alice's key to know that it's really her.</p> <p>The process for exporting, importing, verifying and trusting the key is the same as before. Only the roles have been swapped.</p> <p>Alice:</p> <pre><code>$ gpg --homedir . --export --armor --output alice.pub $ cp -v alice/alice.pub . 'alice/alice.pub' -&gt; './alice.pub' </code></pre> <p>Key is sent over untrusted channel</p> <pre><code>$ cd $ cp -v alice/alice.pub . </code></pre> <p>Tero imports the key</p> <pre><code>$ gpg --import alice.pub </code></pre> <p>Nokia ringtone, chat, verify fingerprint...</p> <pre><code>$ gpg --sign-key &quot;B20F D80B 705C 791D C878 0030 7BAA 4F13 2645 134F&quot; $ gpg --fingerprint uid [ full ] Alice &lt;alice@example.com.invalid&gt; </code></pre> <h3 id="trust-established">Trust Established!</h3> <p>The initial steps of establishing trust are completed. Tero and Alice have exchanged keys, and verified that they have the correct keys.</p> <p>Note that Tero and Alice only needed to verify that they have the correct public keys. The keys could be sent over untrusted and hostile network, such as the Internet. In fact, public key encryption allows establishing trust over untrusted channel.</p> <h2 id="alice-sends-a-secret-message">Alice Sends a Secret Message</h2> <p>Alice writes a message:</p> <pre><code>$ cd ~/alice/ $ micro message.txt </code></pre> <p>In the message, Alice writes the message, then saves Ctrl-S and quits Ctrl-Q.</p> <pre><code>Hi Tero, This is my secret message. I'm so happy we have PGP to protect our communications! The right to private communication is important in a free society. -- Alice </code></pre> <p>She encrypts and signs the message</p> <pre><code>$ gpg --homedir . --encrypt --recipient tero@example.com.invalid --sign --output encrypted.pgp --armor message.txt </code></pre> <p>The parts of the command are</p> <p>Simulation:</p> <ul> <li>--homedir . Use gpg configuration and keyring from working directory 'pwd'. We already did 'cd ~/alice', so that's what we're using. This is just for our Alice simulation here</li> </ul> <p>Encrypt to Tero using Tero's public key</p> <ul> <li>--encrypt Encrypt the message</li> <li>--recipient <a href="mailto:tero@example.com.invalid">tero@example.com.invalid</a> To key identified by email address. Only keys within our keyring are considered, so it's safe to use email addresses here. Of course, fingerprints work, too. Encryption only needs one key, the public key for the recipient.</li> </ul> <p>Sing using Alice's secret key</p> <ul> <li>--sign Sign the message using Alice's secret key. Recipient of this message can use Alice's public key to verify that it's really her sending the message.</li> </ul> <p>Output file, encrypted</p> <ul> <li>--armor Use normal, printable ASCII characters for the message. This way, we can copy-paste it, and it does not break if we send it in email body. It uses base64 to show binary data using normal letters.</li> <li>--output encrypted.pgp Save the encrypted message to this file</li> </ul> <p>Input file, plain text</p> <ul> <li>message.txt The plain text file we wish to encrypt</li> </ul> <p>Encrypted message was generated.</p> <pre><code>$ ls encrypted.pgp encrypted.pgp $ head -4 encrypted.pgp -----BEGIN PGP MESSAGE----- hQGMA8AvdpcLFVGWAQwAsyUo5zn4l0V7+Db8juusSpk7fll5FBs7aCxi4Obns92m PcfMaE8TP+slIP1ngw/Ljs8X7ODrHMdmRrXXMbM0cGTnJzxci4q30Fi1AIg1QLvC </code></pre> <p>The encrypted message starts with &quot;BEGIN PGP MESSAGE&quot; and ends with &quot;END PGP MESSAGE&quot;. The 20+ lines of gibberish in between is Alice's secret message, encrypted, signed and ASCII armored.</p> <p>Even Alice can't decrypt the message now. It's been encrypted with Tero's public key. Only Tero can open it, because only Tero has Tero's public key.</p> <p>Encrypted message can be sent over hostile, untrusted channel like the Internet. We'll simulate the transfer by copying the file.</p> <pre><code>$ cp -v alice/encrypted.pgp . 'alice/encrypted.pgp' -&gt; './encrypted.pgp' </code></pre> <h3 id="tero-decrypts-and-verifies-the-message">Tero Decrypts and Verifies the Message</h3> <p>Tero is happy to receive &quot;encrypted.pgp&quot;. I wonder what Alice could be writing in this secret message.</p> <pre><code>$ gpg --decrypt encrypted.pgp gpg: encrypted with 3072-bit RSA key, ID C02F76970B155196, created 2023-11-17 &quot;Tero Karvinen DEMO KEY &lt;tero@example.com.invalid&gt;&quot; Hi Tero, This is my secret message. I'm so happy we have PGP to protect our communications! The right to private communication is important in a free society. -- Alice gpg: Signature made Fri 17 Nov 2023 12:52:22 PM EET gpg: using RSA key B20FD80B705C791DC87800307BAA4F132645134F gpg: Good signature from &quot;Alice &lt;alice@example.com.invalid&gt;&quot; [full] </code></pre> <p>The message was decrypted with Tero's secret key. Now Tero can read the message: &quot;Hi Tero, This is my secret...&quot;.</p> <p>Alice's signature was verified using Alice's public key. Now Tero knows it's really her.</p> <pre><code>gpg: Good signature from &quot;Alice &lt;alice@example.com.invalid&gt;&quot; [full] </code></pre> <p>GPG says that the signature could be verified with a key already in Tero's keyring &quot;Good signature&quot;. It's 'from &quot;Alice ...'. The key used for signing is already trusted by us &quot;[full]&quot;.</p> <h2 id="well-done">Well Done</h2> <p>Well done, you have now</p> <ul> <li>Encrypted messages, so that attackers can't read them</li> <li>Signed messages, so that attackers can't impersonate your contacts</li> <li>Played with gpg, a critically important PGP tool</li> <li>Have a nice practice environment to learn more about PGP</li> </ul> <p>Next, you could try</p> <ul> <li>Send a message on the other direction, from Tero to Alice.</li> <li>Read Copeland et. al. 1999 <a href="https://www.gnupg.org/gph/en/manual.html">GNU Privacy Handbook</a></li> <li>Read how Linux kernel maintainers use PGP. Ryabitsev: <a href="https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html">Kernel Maintainer PGP guide</a></li> <li>Try some commonly used 'gpg' features on your own <ul> <li><a href="https://www.gnupg.org/gph/en/manual.html#AEN161">Detatched signatures</a>, often used for verifying ISO images and software downloads</li> <li><a href="https://www.gnupg.org/gph/en/manual.html#AEN464">Distributing keys</a>, using key servers. You still have to verify that the keys are really from the right person.</li> </ul> </li> </ul> <h2 id="troubleshooting">Troubleshooting</h2> <p>No trouble? No need for troubleshooting. Go encrypt some messages!</p> <h3 id="gpg-agent_genkey-failed-no-such-file-or-directory---solution-killall-gpg-agent">&quot;gpg: agent_genkey failed: No such file or directory&quot; - solution: 'killall gpg-agent'</h3> <pre><code>$ cd ~/alice/ $ gpg --homedir . --gen-key gpg: agent_genkey failed: No such file or directory Key generation failed: No such file or directory </code></pre> <p>With all the playing around, generating and deleting folders and keys, we have confused gpg-agent. It's a tool to remember our passphrase for the key for a while. Let's just kill the process, so it can automatically start and work normally.</p> <pre><code>$ killall gpg-agent </code></pre> <p>Killall kills processes by name. If you don't have it already installed, you can just use package manager: 'sudo apt-get update; sudo apt-get -y install psmisc'.</p> <p>Now let's run the same command again</p> <pre><code>$ cd ~/alice/ $ gpg --homedir . --gen-key pub rsa3072 2023-11-17 [SC] [expires: 2025-11-16] B20FD80B705C791DC87800307BAA4F132645134F uid Alice &lt;alice@example.com.invalid&gt; sub rsa3072 2023-11-17 [E] [expires: 2025-11-16] </code></pre> <p>Real name &quot;Alice&quot;, email &quot;alice@example.com.invalid&quot;, empty passphrase, yes really (x2). And the key is generated.</p> <h3 id="gpg-key-b624--84a3-not-found-no-public-key---solution-list-fingerprints">'gpg: key &quot;B624 ... 84A3&quot; not found: No public key' - solution: List fingerprints</h3> <pre><code>$ gpg --homedir . --sign-key &quot;B624 CDED 2430 252D 298D 7EC4 A8D8 1658 00B3 84A5&quot; gpg: key &quot;B624 CDED 2430 252D 298D 7EC4 A8D8 1658 00B3 84A3&quot; not found: No public key </code></pre> <p>You can't trust a key you don't have.</p> <p>Check which keys you actually have in your keyring</p> <pre><code>$ gpg --fingerprint # for your main keyring $ cd ~/alice/; gpg --homedir . --fingerprint # for alices keyring </code></pre> <p>To fix it:</p> <ul> <li>Import the key. You need to import the key from file to get it to your keyring. Exporting and importing public keys is described above.</li> <li>Use correct fingerprint. Your fingerprints will be different than what's demonstrated here. High quality, crypto level randomness is required for encryption to work. Use &quot;--fingerprint&quot; to show fingerprints of keys in your keyring.</li> <li>Are you being Alice or Tero? Commands that simulate Alice are run in &quot;~/alice&quot; and containt &quot;--homedir .&quot;.</li> </ul>Try Web Hacking on New Webgoat 2023.4https://terokarvinen.com/2023/webgoat-2023-4-ethical-web-hacking/Mon, 13 Nov 2023 16:07:11 +0200https://terokarvinen.com/2023/webgoat-2023-4-ethical-web-hacking/ <img src="https://terokarvinen.com/2023/webgoat-2023-4-ethical-web-hacking/webgoat-practice-web-hack_hu84f5e6b1717cfe195a81eddd8689be6d_92285_300x300_fit_box_3.png" width="300" height="245" alt=" " class="imgOne right"> <p>You can learn web penetration testing with Webgoat.</p> <p>Just download the latest version, install Java with apt-get, set port and run.</p> <p><em>Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws. My <a href="https://terokarvinen.com/2023/eettinen-hakkerointi-2023/">ethical hacking course</a> teaches this.</em></p> <h2 id="install-java-and-a-firewall">Install Java and a Firewall</h2> <p>This article has been tested on <a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Debian 12-Bookworm</a>, but you can likely make it work on any Linux.</p> <pre><code>$ sudo apt-get update $ sudo apt-get install openjdk-17-jre </code></pre> <p>This gives us the command 'java', so we can run Java archive files with 'java -jar foo.jar'. If you want, you can run 'java --version' to see that the command is installed. Mine printed &quot;openjdk 17.0.9 2023-10-17&quot;.</p> <p>To keep safe, you should have a firewall. Even when not installing highly vulnerable apps.</p> <pre><code>$ sudo apt-get install ufw $ sudo ufw enable </code></pre> <h2 id="download-webgoat-jar">Download WebGoat JAR</h2> <p>You can find latest WebGoat from projects <a href="https://github.com/WebGoat/WebGoat/releases">releases</a> page on Github. If it disappears, I have mirrored a <a href="https://terokarvinen.com/thirdparty/webgoat-2023.4.jar">local copy</a>.</p> <pre><code>$ wget https://github.com/WebGoat/WebGoat/releases/download/v2023.4/webgoat-2023.4.jar </code></pre> <h2 id="run-webgoat-in-an-alternative-port">Run Webgoat, in an Alternative Port</h2> <p>You're probably running man-in-the-middle proxy, like OWASP ZAP, on port 8080. So we should change the port when starting WebGoat.</p> <pre><code>$ java -Dfile.encoding=UTF-8 -Dwebgoat.port=8888 -Dwebwolf.port=9090 -jar webgoat-2023.4.jar </code></pre> <p>The URL for Webgoat and admin password are printed on standard output.</p> <p>Surf to <a href="http://127.0.0.1:8888/WebGoat">http://127.0.0.1:8888/WebGoat</a></p> <h2 id="profit">Profit</h2> <p>Did you get to WebGoat? Only use your new powers for good.</p> <p>Happy hacking!</p> <img src="https://terokarvinen.com/2023/webgoat-2023-4-ethical-web-hacking/webgoat-practice-web-hack_hu84f5e6b1717cfe195a81eddd8689be6d_92285_900x900_fit_box_3.png" width="684" height="559" alt=" " class="imgOne padSides"> <h2 id="all-labs---webgoat-20234-table-of-contents">All Labs - WebGoat 2023.4 Table of Contents</h2> <ul> <li>Introduction <ul> <li>WebGoat</li> <li>WebWolf</li> </ul> </li> <li>General <ul> <li>HTTP Basics</li> <li>HTTP Proxies</li> <li>Developer Tools</li> <li>CIA Triad</li> <li>Writing new lesson</li> </ul> </li> <li>(A1) Broken Access Control <ul> <li>Hijack a session</li> <li>Insecure Direct Object References</li> <li>Missing Function Level Access Control</li> <li>Spoofing an Authentication Cookie</li> </ul> </li> <li>(A2) Cryptographic Failures <ul> <li>Crypto Basics</li> </ul> </li> <li>(A3) Injection <ul> <li>SQL Injection (intro)</li> <li>SQL Injection (advanced)</li> <li>SQL Injection (mitigation)</li> <li>Path traversal</li> <li>Cross Site Scripting</li> </ul> </li> <li>(A5) Security Misconfiguration <ul> <li>XXE</li> </ul> </li> <li>(A6) Vuln &amp; Outdated Components <ul> <li>Vulnerable Components</li> </ul> </li> <li>(A7) Identity &amp; Auth Failure <ul> <li>Authentication Bypasses</li> <li>Insecure Login</li> <li>JWT tokens</li> <li>Password reset</li> <li>Secure Passwords</li> </ul> </li> <li>(A8) Software &amp; Data Integrity <ul> <li>Insecure Deserialization</li> </ul> </li> <li>(A9) Security Logging Failures <ul> <li>Logging Security</li> </ul> </li> <li>(A10) Server-side Request Forgery <ul> <li>Cross-Site Request Forgeries</li> <li>Server-Side Request Forgery</li> </ul> </li> <li>Client side <ul> <li>Bypass front-end restrictions</li> <li>Client side filtering</li> <li>HTML tampering</li> </ul> </li> <li>Challenges <ul> <li>Admin lost password</li> <li>Without password</li> <li>Admin password reset</li> <li>Without account</li> </ul> </li> </ul> <h2 id="troubleshooting">Troubleshooting</h2> <p>No trouble? No need for troubleshooting. Go hack your Webgoat.</p> <h3 id="port-8080-was-already-in-use---try--dwebgoatport8888">Port 8080 was already in use - try -Dwebgoat.port=8888</h3> <p>Running just like the example on Webgoat Github page says, it says the port is not free.</p> <pre><code>$ java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.4.jar ... *************************** APPLICATION FAILED TO START *************************** Description: Web server failed to start. Port 8080 was already in use. Action: Identify and stop the process that's listening on port 8080 or configure this application to listen on another port. </code></pre> <p>You're running something else listening on that port. Probably your MITM proxy, like OWASP ZAP. Run WebGoat in another port. Use command line parameter &quot;-Dwebgoat.port=8888&quot;.</p> <pre><code>java -Dfile.encoding=UTF-8 -Dwebgoat.port=8888 -Dwebwolf.port=9090 -jar webgoat-2023.4.jar </code></pre> <h3 id="webgoat-blank-page---add-webgoat">WebGoat Blank Page - add /WebGoat</h3> <p>The correct URL is printed on standard output when you run WebGoat. It's http://127.0.0.1:8888/WebGoat</p> <p>Without the path, you end up on the front page. Just like previous versions, it's only a blank page.</p> <h3 id="zap-proxy-does-not-work-on-localhost">ZAP Proxy Does Not Work on Localhost</h3> <p>It's probably your browser bypassing proxies on localhost. For example, current version of Firefox bypasses proxy for localhost and all IPv4 numbers starting with 127, and similar IPv6 numbers.</p> <p>Install Foxyproxy Standard Firefox addon. It allows you to proxy to localhost, too.</p>Web Hacking with Santerihttps://terokarvinen.com/2023/web-hack-santeri/Mon, 13 Nov 2023 11:01:09 +0200https://terokarvinen.com/2023/web-hack-santeri/ <img src="https://terokarvinen.com/2023/web-hack-santeri/santeri-siirila-white-hat-hacker_hud37e925d345586d41f555572dcebc04d_175446_300x300_fit_box.png" width="300" height="300" alt=" " class="imgOne right"> <p>Santeri shared his approach to web pen penetration testing. He visited my <a href="https://terokarvinen.com/2023/eettinen-hakkerointi-2023/">ethical hacking course</a>.</p> <p>Santeri's top 3 favourite vulnerabilities are</p> <ul> <li>IDOR (?id=123 =&gt; id=124, also OWASP 1.)</li> <li>Path traversal (../../../etc/passwd)</li> <li>Server Side Template Injection - My name is {{6*7}}</li> </ul> <p>We also learned about web pen testing process, favourite tools and learning materials. And many other ways of hacking the web.</p> <p>Santeri Siirilä works as a security consultant with WithSecure. He was also my student years ago. Santeri is one of the white hats, checking their customers' servers and apps before the bad guys do.</p>Fuffme - Install Web Fuzzing Target on Debianhttps://terokarvinen.com/2023/fuffme-web-fuzzing-target-debian/Mon, 30 Oct 2023 14:22:44 +0200https://terokarvinen.com/2023/fuffme-web-fuzzing-target-debian/ <p>Web fuzzers can find unlinked, hidden directories. They can also find vulnerabilities in query parameters.</p> <p>This article shows you how to install ffufme pratice target and ffuf, the leading web fuzzer.</p> <h2 id="background">Background</h2> <img src="https://terokarvinen.com/2023/fuffme-web-fuzzing-target-debian/fuff-ethical-hacking_huc49b36ca5fbb004c92764814f46941a0_53610_300x300_fit_box_3.png" width="300" height="278" alt=" " class="imgOne right padSides"> <p><em>Use of ethical hacking techniques requires legal and ethical considerations. To safely use these penetration testing tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws.</em></p> <p><em>BETA: this article has not yet been troughoutly tested. If you find or fix any bugs, leave a <a href="#comments">comment</a>.</em></p> <p>Fuff is the leading web fuzzing tool. This article teaches you how to install the tool, ffuf. We'll also install a local practice target, so you can practice safely. You can only legally fuzz your own computer, or practice targets with prior permission.</p> <p>This article is tested on <a href="https://terokarvinen.com/2021/install-debian-on-virtualbox/">Debian 12-Bookworm</a>, but probably works with minor modifications on other Linuxes, such as Kali or Ubuntu. You need to know <a href="https://terokarvinen.com/2020/command-line-basics-revisited/">Linux command line</a>, and you should have the skills and know the limits of <a href="https://terokarvinen.com/2023/eettinen-hakkerointi-2023/">ethical hacking</a> practice.</p> <h2 id="install-fuff-and-fuffme">Install Fuff and Fuffme</h2> <p>Install prerequisites for ffufme target, and fuff.</p> <pre><code>$ sudo apt-get update $ sudo apt-get install docker.io git ffuf </code></pre> <p>Build practice target Docker container</p> <pre><code>$ git clone https://github.com/adamtlangley/ffufme $ cd ffufme/ $ sudo docker build -t ffufme . </code></pre> <p>Run the target</p> <pre><code>$ sudo docker run -d -p 80:80 ffufme $ curl localhost </code></pre> <p>Test that it works. You can of course use a browser on the same computer, http://localhost/</p> <pre><code>$ curl -si localhost|grep title &lt;title&gt;FFUF.me&lt;/title&gt; </code></pre> <p>Did you get a web page titled FFUF.me? Well done, your target is up.</p> <h2 id="install-wordlists">Install wordlists</h2> <pre><code>$ mkdir $HOME/wordlists $ cd $HOME/wordlists $ wget http://ffuf.me/wordlist/common.txt $ wget http://ffuf.me/wordlist/parameters.txt $ wget http://ffuf.me/wordlist/subdomains.txt $ cd - </code></pre> <h2 id="practice">Practice</h2> <p>You can disconnect your computer from the Internet during practice to make sure that all fuzzing packets stay on your own computer.</p> <pre><code>$ ffuf -w $HOME/wordlists/common.txt -u http://ffuf.me/cd/basic/FUZZ </code></pre> <p>This command is from fuffme's instructions, found on http://localhost</p> <p>Did you find &quot;class&quot; and &quot;development.log&quot;? Well done, you're now a fuzzer!</p> <p>Stay safe, legal and ethical. Only use your new powers for good.</p> <h2 id="i-did-it-what-now">I did it! What now?</h2> <p>There are also many other exercises with Fuffme. They are listed on Fuffme homepage http://localhost</p> <img src="https://terokarvinen.com/2023/fuffme-web-fuzzing-target-debian/fuff-ethical-hacking_huc49b36ca5fbb004c92764814f46941a0_53610_900x900_fit_box_3.png" width="666" height="617" alt=" " class="imgOne right pad"> <h2 id="troubleshooting">Troubleshooting</h2> <p>No trouble? No need to do troubleshooting.</p> <p>If you already did all fuffme exercises, you can try <a href="https://terokarvinen.com/2023/fuzz-urls-find-hidden-directories/">Tero's other fuff article</a></p> <h3 id="80-bind-address-already-in-use">80: bind: address already in use</h3> <p>Only one daemon can listen to a port at one time.</p> <p>Problem:</p> <pre><code>$ sudo docker run -d -p 80:80 ffufme d58807c94227ecaf6eecc45194c8bf9c4c6d5a7f5e2c61fd600e722cf049f2d5 docker: Error response from daemon: driver failed programming external connectivity on endpoi nt competent_tharp (741f8c777be745a914e9cba97afb1d5eebe92a92a0e2b42f00b9f0eb36000229): Error starting userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use. </code></pre> <p>Solution:</p> <p>Shut down any other daemon listening to HTTP port 80/tcp. For example, if you're running Apache</p> <pre><code>$ sudo systemctl disable --now apache2.service </code></pre> <p>And try running ffufme Docker container again</p> <pre><code>$ sudo docker run -d -p 80:80 ffufme </code></pre> <p>You can see all your listening TCP ports and related processes with</p> <pre><code>$ sudo ss -lptn|tr -s ' ' </code></pre> <h3 id="did-not-find-anything">Did not find anything</h3> <p>Problem: Just ran ffuf against localhost, but found nothing.</p> <p>Solution 1: Use full URL. &quot;-u http://localhost/cd/basic/FUZZ&quot; works, partial URL without &quot;http&quot; does not.</p> <p>Solution 2: Use a directory with something to find. The command is in the manual you can find by browsing to http://localhost</p> <h2 id="references">References</h2> <ul> <li>ffuf by Joona &quot;joohoi&quot; Hoikkala</li> <li>ffuf.me instructions <a href="http://ffuf.me/wordlists">http://ffuf.me/wordlists</a> <a href="https://github.com/adamtlangley/ffufme">https://github.com/adamtlangley/ffufme</a></li> </ul>