SDN Penetration Testing (PART1) : A Step-by-Step Guide for Setting Up DELTA Framework


Introduction:

This is a detailed step-by-step guide for setting up DELTA Framework for SDN security evaluation purposes.
Developed by:
  • Seungsoo Lee (KAIST)
  • Jinwoo Kim (KAIST)
  • Seungwon Woo (KAIST)
  • Changhoon Yoon (KAIST)
  • Sandra Scott-Hayward (Queen's University Belfast)
  • Seungwon Shin (KAIST)
Github repository:
PS: The authors have already provided a guide for installing this framework but in this article I will take you through all the steps and problems I faced during this process.
Environment:
DELTA is an SDN-aware penetration testing framework that regenerates known attack scenarios for diverse test cases. This framework also provides the capability of discovering unknown security problems in SDN by employing a fuzzing technique.
  • Agent-Manager is the control tower. It takes full control over all the agents deployed to the target SDN network.
  • Application-Agent is a legitimate SDN application that conducts attack procedures and is controller-dependent. The known malicious functions are implemented as application-agent functions.
  • Channel-Agent is deployed between the controller and the OpenFlow-enabled switch. The agent sniffs and modifies the unencrypted control messages. It is controller-independent.
  • Host-Agent behaves as if it was a legitimate host participating in the target SDN network. The agent demonstrates an attack in which a host attempts to compromise the control plane.

Prerequisites

In order to build and run DELTA, the following tools are required:
  • An agent manager based on Ubuntu 14.04 LTS 64 bit
    • Ant build system
    • Maven v3.3.9
    • Vagrant
    • JDK 1.7 and 1.8
  • Target Controller (for application agent)
    • Floodlight: 0.91, 1.2
    • ONOS: 1.1, 1.6, 1.9
    • OpenDaylight: Helium-sr3, Carbon
  • Cbench (for channel agent)
  • Mininet 2.1+ (for host agent)
In the All-In-One Single Machine case (which is what this article is about), three virtual machines based on Ubuntu 14.04 LTS 64 bit are needed:
  • VM-1: Target controller + Application agent
  • VM-2: Channel agent
  • VM-3: Host agent
Installation process:
  1. Installing dependencies:

  • Installing Java JDK 8:
Add JDK repositories to your machine to be able to locate JDK 8 dependencies:
$ sudo add-apt-repository ppa:openjdk-r/ppa
$ sudo apt-get update

$ sudo apt-get install openjdk-8-jdk

Type the next command to list the Java versions installed on your machine. As we can see in the next figure, only JDK version 8 is installed.
$ sudo update-alternatives --config java

Install Maven 3.3.9:
$ wget http://apache.mirrors.lucidnetworks.net/maven/maven3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz

$ sudo mkdir -p /usr/local/apache-maven
$ sudo mv apache-maven-3.3.9-bin.tar.gz /usr/local/apache-maven
$ cd /usr/local/apache-maven
$ sudo tar -xzvf apache-maven-3.3.9-bin.tar.gz

$ nano ~/.bashrc
Add this to the file:
export M2_HOME=/usr/local/apache-maven/apache-maven-3.3.9
export M2=$M2_HOME/bin
export MAVEN_OPTS="-Xms256m -Xmx512m"
export PATH=$M2:$PATH
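
The tarball above is fetched over plain HTTP from a mirror and unpacked with sudo, so it is worth gating the extraction on a digest obtained from a trusted channel. The following shell functions are an added example, not part of the original guide or of DELTA; the function names and the EXPECTED_SHA256 placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the DELTA guide): extract a downloaded archive only
# if it matches a pinned SHA-256 digest and its member list stays in place.

# sha256_matches FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
sha256_matches() {
    [ -f "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# has_unsafe_member: read a `tar -t` listing on stdin and succeed (0) if any
# entry is an absolute path or climbs out of the target directory with "..".
has_unsafe_member() {
    grep -qE '(^/|(^|/)\.\.(/|$))'
}

# verified_extract ARCHIVE EXPECTED_HEX DESTDIR
verified_extract() {
    archive=$1; digest=$2; dest=$3
    sha256_matches "$archive" "$digest" || {
        echo "digest mismatch, not extracting: $archive" >&2; return 1; }
    if tar -tzf "$archive" | has_unsafe_member; then
        echo "archive has entries outside the target directory" >&2; return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Run as (EXPECTED_SHA256 is a placeholder for a digest you trust):
#   sudo sh verify-extract.sh apache-maven-3.3.9-bin.tar.gz EXPECTED_SHA256 \
#       /usr/local/apache-maven
if [ "$#" -eq 3 ]; then
    verified_extract "$@"
fi
```
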

Installing DELTA :

STEP 1: Download the source files
Get the source code of DELTA on the agent manager machine
$ git clone https://github.com/OpenNetworkingFoundation/DELTA.git
Make sure that you’re in the root directory.

STEP 2. Install DELTA dependencies
$ cd DELTA/tools/dev/delta-setup/
$ ./delta-setup-devenv-ubuntu

During the installation of the DELTA dependencies, the framework needs to install JDK 7 to support OpenDaylight Helium, but it appears Oracle has moved the download link. You can still fetch the tarball from the Oracle website after jumping through some hoops. The WebUpd8 installer is currently broken. The official explanation can be found at http://www.webupd8.org/2017/06/why-oracle-java-7-and-6-installers-no.html

Note: Installing oracle-java7-installer and oracle-java7-set-default is important because DELTA is going to use the OpenDaylight Helium controller, which is based on Java 7.
Download & Install JDK7
If you want to download jdk-7u80-linux-x64.tar.gz from a script without logging in to Oracle, hosted locations include:
http://ftp.osuosl.org/pub/funtoo/distfiles/oracle-java/
http://ftp.heanet.ie/mirrors/funtoo/distfiles/oracle-java/

Install JDK7 after downloading the tar.gz file
$ sudo add-apt-repository ppa:webupd8team/java
$ sudo apt-get update
# put the file in a temporary location:
$ sudo mv jdk-7u80-linux-x64.tar.gz /tmp/
# set local path to /tmp (or any other path)
$ echo oracle-java7-installer oracle-java7-installer/local select /tmp | \
  sudo /usr/bin/debconf-set-selections
# then install normally:
$ sudo apt-get install oracle-java7-installer

STEP 3. Install DELTA using maven build
$ cd DELTA/
$ source ./tools/dev/delta-setup/bash_profile
$ mvn clean install

For the next step, you need to install VirtualBox 5.0 before running the script that creates the VMs using Vagrant, because the Vagrant version installed by DELTA supports VirtualBox 5.0 and previous ones.
https://github.com/hashicorp/vagrant/issues/7593
Go to:
https://www.virtualbox.org/wiki/Download_Old_Builds_5_0
and download the version compatible with Ubuntu 14.04 Trusty. After that, go to the directory where it was downloaded and install it:

You are going to get an error because the package libsdl1.2debian is not installed:
$ sudo apt-get install libsdl1.2debian
Then install Virtualbox 5.0
$ sudo dpkg -i virtualbox-5.0_5.0.40-115130~Ubuntu~trusty_amd64.deb


STEP 4: Install three virtual machines using vagrant system
$ cd ~/DELTA/tools/dev/delta-setup/
$ ./delta-setup-vms-ubuntu

$ cd ../vagrant/
$ vagrant up
Vagrant manages the process of creating a virtual machine based on your definitions, and uses automation tools such as Ansible and Puppet to provision the machine: installing packages, gathering information, performing tasks, etc. By running a simple vagrant up, a virtual machine will be prepared according to what was set up in the project’s configuration, and in a few minutes the project will be up and running.




Rerun vagrant up if you encounter errors.
Now all the VMs have been downloaded and the setup of the Vagrant file is done.
STEP 5: Configuring your own experiments.
Execute sudo without the password:
$ sudo visudo
At the bottom of the file, type the following:
username ALL=(ALL) NOPASSWD: ALL

Configure passwd-less ssh login for the agents
First, we verify that the bashfile is well defined and contains the next code lines after typing
$ nano DELTA/tools/dev/delta-setup/bash_profile

$ source DELTA/tools/dev/delta-setup/bash_profile
$ cd ~
Log in on your host machine (in our case “sun”) as user a and generate a pair of authentication keys. Do not enter a passphrase:
$ ssh-keygen -t rsa # keep pressing enter
Now use SSH to create a directory ~/.ssh as user vagrant on 10.100.100.11. (The directory may already exist, which is fine):
$ ssh vagrant@10.100.100.11 mkdir -p .ssh
You are going to be asked for the password of the remote machine; by default it’s “vagrant”.

Finally append your machine's new public key to vagrant@10.100.100.11:.ssh/authorized_keys and enter vagrant's password one last time:

Repeat the same process for the other two machines and test if it works.
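
The append step and the final test described above, as an added shell example that is not part of the original guide or of DELTA: it appends the key only once, sets the permissions sshd checks, and confirms that login works with no password prompt. The user and addresses come from the article; the function names and script name are illustrative.

```shell
#!/bin/sh
# Added example (not from the DELTA guide). The "vagrant" user and the
# 10.100.100.x addresses are the article's; function names are illustrative.

# add_key_once KEYFILE SSH_DIR
# Append the public key in KEYFILE to SSH_DIR/authorized_keys unless that exact
# line is already present, with modes that sshd's StrictModes check accepts.
add_key_once() {
    keyfile=$1; sshdir=$2
    [ -s "$keyfile" ] || { echo "no public key at $keyfile" >&2; return 1; }
    key=$(head -n 1 "$keyfile")
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys" || return 1
    grep -qxF -- "$key" "$sshdir/authorized_keys" ||
        printf '%s\n' "$key" >> "$sshdir/authorized_keys"
}

# push_key USER@HOST [PUBKEY]: the same append-once logic, run on the VM over
# ssh. The key travels on stdin; the password is asked once per VM.
push_key() {
    target=$1; pub=${2:-$HOME/.ssh/id_rsa.pub}
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    ssh "$target" 'umask 077; mkdir -p ~/.ssh; key=$(head -n 1)
        touch ~/.ssh/authorized_keys
        grep -qxF -- "$key" ~/.ssh/authorized_keys ||
            printf "%s\n" "$key" >> ~/.ssh/authorized_keys' < "$pub"
}

# key_login_works USER@HOST: succeed only if login needs no password at all
# (BatchMode makes ssh fail instead of prompting).
key_login_works() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true
}

# Run as: sh push-keys.sh vagrant@10.100.100.11 vagrant@10.100.100.13 ...
for target in "$@"; do
    push_key "$target" && key_login_works "$target" && echo "ok: $target"
done
```
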
The agent-manager automatically reads a configuration file and sets up the test environment based on the file. DELTA/tools/config/manager_vm.cfg contains the All-In-One Single Machine configuration by default. If you want to test a real SDN environment, you should specify your own configuration file.


Setting up the controllers:
In this section we are going to demonstrate how to set up the Floodlight 1.2, ONOS 1.9 and OpenDaylight Carbon controllers in DELTA:
  • Floodlight 1.2
$ cd DELTA/tools/dev/app-agent-setup/floodlight
$ ./floodlight-1.2-scp
  • ONOS 1.6 or 1.9
$ cd DELTA/tools/dev/app-agent-setup/onos
$ ./delta-setup-onos 1.9
  • OpenDaylight Carbon
$ cd DELTA/tools/dev/app-agent-setup/opendaylight
$ ./odl-carbon-scp
After the necessary dependencies have been downloaded, you will need to set up the ODL controller in the Controller VM. To do so, log into the vagrant@10.100.100.11 controller machine using ssh and type the command:
$ ./odl-carbon-setup
If it is not executable, use chmod +x to make it so.
Alternatively, you can open the virtual machine directly by typing “virtualbox &”, log in with “vagrant” as both the username and the password, then run the command ./odl-carbon-setup

The app-agent (on the controller machine) needs 'agent.cfg' file to connect to the agent-manager. After setting up the controllers in DELTA, verify that the /DELTA/tools/config/agent.cfg contains the following configuration:


2. Running DELTA

STEP 1: Distribute the executable files to VMs
$ cd DELTA/
$ source ./tools/dev/delta-setup/bash_profile
$ ./tools/dev/delta-setup/delta-agents-scp

STEP 2: Modify VMs configurations
Before running DELTA we need to adjust some of the parameters of the virtual machines:
  1. Turn off the VMs
  2. On the virtual machine add a netcard


  3. Change the VM3 (mininet) settings as shown below:

Since these VMs come preconfigured in a Vagrant file (8GB of RAM for the Controller VM, 2GB of RAM for the Channel Agent VM and 2GB of RAM for the Host Agent VM), you might need to change the RAM parameters to suit your computer's capabilities.
STEP 3: Execute Agent-Manager first
Start the VMs again, then run DELTA by typing:
$ cd DELTA/
$ bin/run-delta tools/config/manager_vm.cfg

Open your browser and go to http://0.0.0.0:7070 to log in to the WebGUI of DELTA:

One last problem you might face!
Let's try to launch an attack on Floodlight 1.2:
1. Set up the configuration settings:
  • Target controller: Floodlight
  • Target Version: 1.2
  • OpenFlow port: 6633
  • OpenFlow version: 1.3
2. Choose the attack: Packet_IN Flooding.
3. Click: Run Selected Entries.
4. Click “Ok”

There is a chance that this problem might appear:



This means that the Host Agent can't find Open vSwitch. I solved this problem by simply logging into the Mininet VM using SSH and typing the password “vagrant”:
$ ssh vagrant@10.100.100.13
Inside the terminal of the vagrant machine 10.100.100.13, install the openvswitch dependencies:
$ sudo apt-get install openvswitch-*
Then the problem will be solved and you can start your SDN security pen-testing experience.
