vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: vasco:a17feb0e1b55ae02bf0492c015823de28d3fedab
Branches Tags
vasco:main vasco:secret_branch
..
compare: vasco:secret_branch
Branches Tags
vasco:main vasco:secret_branch

1 Commits
a17feb0e1b ... secret_bra

Author SHA1 Message Date
vascoalvesxyz
a91dd239ef secret branch 2026-03-21 19:57:55 +00:00
129 changed files with 160 additions and 15112 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -1,3 +0,0 @@
*.log
*.aux
*.synctex.gz

18
CLIENT.sh
View File

@@ -1,18 +0,0 @@
#/bin/bash
# CONFIGURACAO DO CLIENTE
# (KALI LINUX)
function instalar() {
apt list installed "$1" &>/dev/null && echo "$1 já instalado" || sudo apt install -y "$1"
}
IP="20.60.0.2"
sudo ifconfig eth1 $IP netmask 255.255.255.0
sudo route add default gw 20.60.0.1
sudo apt update
instalar zaproxy
# exploits

10
assignment1/DMZ.sh → DMZ.sh
View File

@@ -7,10 +7,10 @@ routerIp=23.214.219.254
mask25=255.255.255.128
dns=23.214.219.130
mail=23.214.219.134
vpn_gw=23.214.219.133
www=23.214.219.132
smtp=23.214.219.131
mail=23.214.219.131
vpn_gw=23.214.219.132
www=23.214.219.133
smtp=23.214.219.134
dnsPort=53
mailPort=888
@@ -26,7 +26,7 @@ sudo systemctl enable iptables
sudo iptables -F
sudo ifconfig enp0s8 $ip netmask $mask25
sudo ip route add 192.168.10.0/24 via $routerIp
sudo route add default gw $routerIp
sudo add default gw $routerIp
# alias dos ips
sudo ip addr add $dns dev enp0s8
sudo ip addr add $mail dev enp0s8

0
assignment1/INTERNAL.sh → INTERNAL.sh
View File

4
assignment1/INTERNET.sh → INTERNET.sh
View File

@@ -9,7 +9,7 @@ sudo systemctl disable firewalld
sudo systemctl mask firewalld
sudo systemctl enable iptables
sudo iptables -F
sudo ifconfig enp0s8 $dns2 netmask $mask24
sudo ifconfig enp0s8 $dn2 netmask $mask24
sudo route add default gw $routerIp
#sudo ip addr add $dns2 dev enp0s8
sudo ip addr add $dns2 dev enp0s8
sudo ip addr add $eden dev enp0s8

0
assignment1/Practical Assignment 1.pdf → Practical Assignment 1.pdf
View File

6
README.md
View File

@@ -1,6 +0,0 @@
# Coisas para leres que sao fixes wowowowowowow !!!!! (Assignment 2)
- Os slides (duh)
- Okay o mais importante é os slides.
- [X.509 (ssl.com)](https://www.ssl.com/faqs/what-is-an-x-509-certificate/)
- [X.509 (youtube)](https://www.youtube.com/watch?v=kAaIYRJoJkc)

69
ROUTER.sh Normal file
View File

@@ -0,0 +1,69 @@
IF_DMZ="enp0s8"
IF_INT="enp0s9"
IF_EXT="enp0s10"
NET_DMZ="23.214.219.128/25"
NET_INT="192.168.10.0/24"
IP_EXT_FW="87.248.214.97"
IP_DMZ_FW="23.214.219.254"
IP_INT_FW="192.168.10.254"
IP_DMZ_DNS="23.214.219.130"
IP_DMZ_SMTP="23.214.219.131"
IP_DMZ_WWW="23.214.219.132"
IP_DMZ_VPN_GW="23.214.219.133"
IP_DMZ_MAIL="23.214.219.134"
IP_INT_FTP="192.168.10.2"
IP_INT_DATASTORE="192.168.10.3"
IP_DNS2="193.137.16.75"
IP_EDEN="193.136.212.1"
sudo yum install epel-release -y
sudo yum install suricata -y
sudo suricata-update
sudo ifconfig $IF_DMZ $IP_DMZ_FW netmask 255.255.255.128
sudo ifconfig $IF_INT $IP_INT_FW netmask 255.255.255.0
sudo ifconfig $IF_EXT $IP_EXT_FW netmask 255.255.255.0
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
sudo modprobe nf_conntrack_ftp
sudo modprobe nf_nat_ftp
sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $IF_INT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i $IF_DMZ -s $IP_DMZ_VPN_GW -p tcp --dport 22 -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -p udp -d $IP_DMZ_DNS --dport 53 -j ACCEPT
sudo iptables -A FORWARD -s $IP_DMZ_DNS -d $IP_DNS2 -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -s $IP_DNS2 -d $IP_DMZ_DNS -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_SMTP --dport 25 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 110 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 143 -j ACCEPT
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_WWW -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A FORWARD -p udp -d $IP_DMZ_VPN_GW --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i $IF_DMZ -s $IP_DMZ_VPN_GW -d $NET_INT -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j SNAT --to-source $IP_EXT_FW
sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -m multiport --dports 80,443,22,21 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i $IF_EXT -d $IP_EXT_FW -p tcp --dport 21 -j DNAT --to-destination $IP_INT_FTP
sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_FTP -p tcp --dport 21 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_EDEN -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_DNS2 -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_DATASTORE -p tcp --dport 22 -j ACCEPT

63
SERVER.sh
View File

@@ -1,63 +0,0 @@
#!/bin/bash
# SERVIDOR INTERNO
# (CentOS 9)
alias "s"="sudo systemctl"
function instalar() {
yum list installed "$1" &>/dev/null && echo "$1 já instalado" || sudo yum install -y "$1"
}
IP_EXTERNAL="20.60.0.1"
IP_INTERNAL="10.60.0.1"
sudo ifconfig enp0s8 $IP_EXTERNAL netmask 255.255.255.0
sudo ifconfig enp0s9 $IP_INTERNAL netmask 255.255.255.0
# instalar packages
if ! command -v node &> /dev/null || [[ "$(node -v)" != v24.* ]]; then
echo "Configurando repositório do Node.js 24..."
curl -fsSL https://rpm.nodesource.com/setup_24.x | sudo bash -
sudo yum remove -y nodejs
fi
instalar nodejs
# instalar mod security e apache
instalar epel-release
instalar httpd
instalar mod_security
instalar mod_security_crs
instalar iptables-services
s stop firewalld
s disable firewalld
s mask firewalld
s enable iptables
sudo iptables -F
# nat
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -F
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
sudo iptables-save > /etc/sysconfig/iptables
sudo cp conf/httpd.conf /etc/httpd/httpd.conf
# instalar juice-shop se nao existir
jspath="/var/juice-shop"
if [[ ! -f "$jspath/package.json" ]]; then
sudo mkdir -p "$jspath"
curl -L -o js.tar.gz "https://github.com/juice-shop/juice-shop/releases/download/v20.0.0/juice-shop-20.0.0_node24_linux_x64.tgz"
sudo tar -xzvf js.tar.gz -C "$jspath" --strip-components=1
rm js.tar.gz
sudo chown -R $USER:$USER "$jspath"
fi
# apache WAF (desativado por default)
s stop httpd
s disable httpd
# correr juice shop via npm
cd "$jspath"
npm start

106
assignment1/ROUTER.sh
View File

@@ -1,106 +0,0 @@
#!/bin/bash
dns2="87.248.214.99"
eden="87.248.214.100"
# Router 1
dmzIP="23.214.219.254"
internalIP="192.168.10.254"
externalIP="87.248.214.97"
# DMZ /25
dns="23.214.219.130"
smtp="23.214.219.131"
www="23.214.219.132"
vpn_gw="23.214.219.133"
mail="23.214.219.134"
# Internal
ftp="192.168.10.2"
datastore="192.168.10.3"
dhcpClient="192.168.10.4"
# Interfaces
dmzIF="enp0s8"
internalIF="enp0s9"
externalIF="enp0s10"
sudo ifconfig $dmzIF $dmzIP netmask 255.255.255.128
sudo ifconfig $internalIF $internalIP netmask 255.255.255.0
sudo ifconfig $externalIF $externalIP netmask 255.255.255.0
sudo yum install iptables-services -y
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld
sudo systemctl enable iptables
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
#sudo iptables -t nat -A POSTROUTING -i $internalIF -o enp0s3 -j MASQUERADE #SUS
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
#DNS name resolution requests sent to outside servers and want a response:
sudo iptables -A INPUT -i $externalIF -p udp --dport 53 -j ACCEPT
#SSH connections to the router system that originate from the inside and want an answer:
sudo iptables -A INPUT -i $internalIF -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i $dmzIF -s $vpn_gw -p tcp --dport 22 -j ACCEPT
#The dns server should be able to resolve names using the internet (and others???)
sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
sudo iptables -I INPUT -j NFQUEUE --queue-bypass
sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p udp --dport 53 -j ACCEPT
#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $dns -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p tcp --dport 53 -j ACCEPT
#SMTP connections to the smtp server and returns
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $smtp -p tcp --dport 587 -j ACCEPT
#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
#POP and IMAP connections to the www server
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 143 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 110 -j ACCEPT
#HTTP and HTTPS connectins
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 443 -j ACCEPT
#OpenVPN connections to the vpn-gw server
sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $vpn_gw -p udp --dport 1194 -j ACCEPT
#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p udp --dport 1194 -j ACCEPT
#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $ftp -j ACCEPT
sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $datastore -j ACCEPT
#FTP da internet WORRIED ???
sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $ftp -p tcp --dport 21 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination $datastore
sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination $datastore
sudo iptables -t nat -A PREROUTING -i $externalIF -p tcp --dport 21 -j DNAT --to-destination $ftp
sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $eden -p tcp --dport 22 -j ACCEPT
#$internalIF to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o $externalIF -j SNAT --to-source $externalIP
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 21 -j ACCEPT

BIN
assignment1/entrega.zip
View File

Binary file not shown.

2281
assignment1/entrega.zip.asc
View File

File diff suppressed because it is too large Load Diff

BIN
assignment1/relatorio.pdf
View File

Binary file not shown.

126
assignment1/relatorio.tex
View File

@@ -1,126 +0,0 @@
\documentclass[12pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\usepackage{listings}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2
}
\lstset{style=mystyle}
\title{Practical Assignment \#1}
\author{
João Neto -- 2023234004\\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\tableofcontents
\newpage
\section{Introduction}
O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
\begin{lstlisting}[language=bash]
Rede,Interface,Gama IP
DMZ,enp0s8,23.214.219.128/25
Internal,enp0s9,192.168.10.0/24
Internet,enp0s10,87.248.214.0/24
\end{lstlisting}
As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
Para facilitar a recriação deste sistema foi criado 4 ficheiros .sh (um para cada rede e o router), e disponibilizamos os ficheiros suricata.rules e suricata.yaml, para o suricata que estiver ligado ao Router. Os ficheiros .sh vão ter comandos para configurar o sistema para este exercicio.
\section{Firewall}
\subsection{Packet fileter without NAT}
O policy que foi escolhido foi:
\begin{lstlisting}[language=bash]
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
\end{lstlisting}
Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
\begin{lstlisting}[language=bash]
sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
\end{lstlisting}
Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
\begin{lstlisting}[language=bash]
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
\end{lstlisting}
Inicialmente as implementações de respostas a forward eram especificas para cada regra isto é por exemplo:
\begin{lstlisting}[language=bash]
sudo iptables -A FORWARD -o enp0s8 -i enp0s10 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
\end{lstlisting}
No entanto isso facilmente originava confusão entre nós, então decimos utilizar estas duas regras:
\begin{lstlisting}[language=bash]
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
\end{lstlisting}
Neste cenario o uso destas regras faz sentido, mas pode existir outros cenarios no futuro que não queremos uma resposta, e nesse caso temos de criar as regras necessarias.
\subsection{Packet filtering with NAT}
Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que querer aceder a rede interna para não terem acesso ao edereço ip e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
\begin{lstlisting}[language=bash]
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT
\end{lstlisting}
\section{Intrusion Detection}
As regras que utilizamos para o suricata foram estas:
\begin{lstlisting}[language=bash]
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
\end{lstlisting}
A primeira é para port scaning, a segunda e a terceira é para o caso de SQL injection, e a ultima é para XSS atacks.
Também atualizamos o iptables para passar para o suricata os pacotes para analizar e bloquear com:
\begin{lstlisting}[language=bash]
sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
sudo iptables -I INPUT -j NFQUEUE --queue-bypass
\end{lstlisting}
\section{Tests utilizados}
Netcat foi utilizado para maior parte dos testes excepto para FTP, em que devido ás suas caracteristicas especificas, utilizamos os serviços para ter a certeza que funcionava com a nossa configuração. Utilizamos estes comandos curl para testar se eram bloqueados:
\begin{lstlisting}[language=bash]
curl -i "http://23.214.219.132/index.php?id=1%20union%20select%201,2,3"
curl -i "http://23.214.219.132/login.php?user='or%201=1"
curl -i "http://23.214.219.132/search.php?q=<script>alert('XSS')</script>"
\end{lstlisting}
\section{Conclusion}
Ao realizar-mos este projeto aprendemos sobre a criação de scenarios em VMs, a configuração de uma firewall utilizando IPTables e a configuração de um IDS/IPS system utilizando Suricata
\end{document}

8
assignment1/relatorio.toc
View File

@@ -1,8 +0,0 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introduction}{2}{}%
\contentsline {section}{\numberline {2}Firewall}{2}{}%
\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}%
\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}%
\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}%
\contentsline {section}{\numberline {4}Tests utilizados}{5}{}%
\contentsline {section}{\numberline {5}Conclusion}{5}{}%

5
assignment1/suricata.rules
View File

@@ -1,5 +0,0 @@
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)

2242
assignment1/suricata.yaml
View File

File diff suppressed because it is too large Load Diff

30
assignment2/VM_CONFIG.sh
View File

@@ -1,30 +0,0 @@
#!/bin/bash
# NOTA(vasco): feito para correr como root
if [[ "$USER" != "root" ]]; then
echo "corre o script como root"
exit 1
fi
yum install -y epel-release
yum install -y openvpn iptables-services dhcp-client ntpsec
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables
iptables -F
CA_DIR="/etc/pki/CA"
mkdir -p "${CA_DIR}/newcerts"
mkdir -p "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"
cp ca/serial "${CA_DIR}/serial"
mkdir -p /etc/openvpn/server
mkdir -p /etc/openvpn/client
# NOTE(vasco): tive problemas com a sincronização de tempo
# se nao tiver sincronizado, o TOTP nao funciona
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd

52
assignment2/VM_OPENSSL_APACHE.sh
View File

@@ -1,52 +0,0 @@
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
# sim, é preciso fazer isto para carregar serviços
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
# mega paginas webs
cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/
httpd -X

20
assignment2/VM_ROAD_WARRIOR.sh
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# --- configuração --- #
source VM_CONFIG.sh
ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
route add default gw 193.136.212.1
if ! grep -q "apache" /etc/hosts; then
echo "10.60.0.1 apache" >> /etc/hosts
fi
# --- vpn client --- #
vpn_dir="/etc/openvpn/client/"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf"

48
assignment2/VM_VPN_GATEWAY.sh
View File

@@ -1,48 +0,0 @@
#!/bin/bash
# NOTE(vasco):
# Ao configurar a maquina virtual em si deixei a rede externa primeiro (enp0s8)
# E a rede interna como a segunda interface (enp0s9).
# --- configuração --- #
source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- #
if_fora="enp0s8"
ip_fora="193.136.212.1"
if_dentro="enp0s9"
ip_dentro="10.60.0.3"
mega_tunel="tun0"
ip_mega_tunel="10.8.0.0/24"
ifconfig $if_fora $ip_fora netmask 255.255.255.0
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
# --- vpn server --- #
vpn_dir="/etc/openvpn/server"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/vpn.key $vpn_dir
cp ca/vpn.crt $vpn_dir
cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
openvpn --config /etc/openvpn/server/vpn.conf

74
assignment2/ca/1000.pem
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=gateway
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
7c:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
b6:00:f9:b9
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
+KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
-----END CERTIFICATE-----

74
assignment2/ca/1001.pem
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=warrior
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
8f:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
d3:09:27:84
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
-----END CERTIFICATE-----

74
assignment2/ca/1002.pem
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 12:33:59 2026 GMT
Not After : Apr 22 12:33:59 2027 GMT
Subject: CN=apache
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
32:60:ba:8c
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
-----END CERTIFICATE-----

77
assignment2/ca/1003.pem
View File

@@ -1,77 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 14:14:59 2026 GMT
Not After : Apr 22 14:14:59 2027 GMT
Subject: CN=apache.coimbra
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.60.0.1, DNS:apache
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
db:7b:fa:1a
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
-----END CERTIFICATE-----

77
assignment2/ca/apache.crt
View File

@@ -1,77 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 14:14:59 2026 GMT
Not After : Apr 22 14:14:59 2027 GMT
Subject: CN=apache.coimbra
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:10.60.0.1, DNS:apache
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9c:7e:99:3c:10:22:23:cd:d6:c7:96:be:82:5e:e5:7f:69:16:
5c:57:e1:68:e2:04:26:74:e9:72:ea:3b:03:5c:81:bd:21:15:
a3:e8:86:4d:93:6f:a4:d8:a1:47:de:e0:b5:a3:bb:aa:5b:24:
e9:9d:f7:9d:7d:e3:ba:38:39:af:c6:8b:36:5c:a8:3d:37:af:
79:be:8f:bf:ba:76:a5:d5:62:8e:37:c8:2e:6d:7e:24:fc:56:
d2:91:01:9e:05:4d:26:16:52:75:3d:28:7f:20:d0:88:25:96:
2a:d3:3a:8f:27:3d:99:46:4d:de:e2:a7:11:07:84:ff:ac:55:
54:4a:25:1b:b3:05:47:b5:d5:db:b9:69:e5:f6:d7:28:c9:54:
45:9c:a5:9a:86:74:37:33:7c:47:75:5a:dd:bf:50:23:be:95:
8e:cd:2c:ba:72:cc:41:95:1f:a0:67:78:61:de:38:89:18:c4:
0c:df:e0:be:f3:9d:3e:e7:72:9f:3c:a3:e0:06:9a:6c:28:d1:
e2:1d:d2:14:76:89:8a:d4:ca:e1:38:9c:b3:31:81:bb:ca:11:
ba:78:36:01:e5:db:bf:a0:82:36:d2:b4:65:01:60:bf:63:c2:
a8:86:54:cb:ac:59:52:31:bd:a2:cc:94:47:cc:0a:cc:d3:87:
db:7b:fa:1a
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjE0MTQ1OVoXDTI3MDQyMjE0
MTQ1OVowGTEXMBUGA1UEAwwOYXBhY2hlLmNvaW1icmEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQiPsyF5udlRVCpbMgDicavaoQalmcGEDLgYBwMxoi
NAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeGDqytrUit0bFuYSveBMFfz2D1pr09
/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI0ziODvLFllW1boZM8CKdGROuIyHq
1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71lmw3QflWNAukDr/59GSjvRmssAgQz
BS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJCh/+uwBgJqjuS2YvffR2JD5zgeR5
Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qiWXfAJBOpAgMBAAGjWzBZMBcGA1Ud
EQQQMA6HBAo8AAGCBmFwYWNoZTAdBgNVHQ4EFgQUE59kv8teL334CyaU2xed9FnO
eSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDQYJKoZIhvcNAQEL
BQADggEBAJx+mTwQIiPN1seWvoJe5X9pFlxX4WjiBCZ06XLqOwNcgb0hFaPohk2T
b6TYoUfe4LWju6pbJOmd951947o4Oa/GizZcqD03r3m+j7+6dqXVYo43yC5tfiT8
VtKRAZ4FTSYWUnU9KH8g0IgllirTOo8nPZlGTd7ipxEHhP+sVVRKJRuzBUe11du5
aeX21yjJVEWcpZqGdDczfEd1Wt2/UCO+lY7NLLpyzEGVH6BneGHeOIkYxAzf4L7z
nT7ncp88o+AGmmwo0eId0hR2iYrUyuE4nLMxgbvKEbp4NgHl27+ggjbStGUBYL9j
wqiGVMusWVIxvaLMlEfMCszTh9t7+ho=
-----END CERTIFICATE-----

74
assignment2/ca/apache.crt.old
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 12:33:59 2026 GMT
Not After : Apr 22 12:33:59 2027 GMT
Subject: CN=apache
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:88:fb:32:17:9b:9d:95:15:42:a5:b3:20:0e:
27:1a:bd:aa:10:6a:59:9c:18:40:cb:81:80:70:33:
1a:22:34:08:6f:94:0c:97:1c:68:d4:69:59:7e:50:
65:c1:46:2a:fd:9d:4e:96:13:47:58:da:87:86:0e:
ac:ad:ad:48:ad:d1:b1:6e:61:2b:de:04:c1:5f:cf:
60:f5:a6:bd:3d:fd:b3:eb:a0:db:8f:9f:67:5b:91:
76:aa:a5:87:9a:83:57:1a:84:3d:11:c2:b3:71:84:
51:48:d3:38:8e:0e:f2:c5:96:55:b5:6e:86:4c:f0:
22:9d:19:13:ae:23:21:ea:d5:fe:e4:1d:9c:fb:42:
3a:84:81:43:03:2e:c5:bd:ed:0b:7e:48:50:83:e0:
0b:15:87:bd:65:9b:0d:d0:7e:55:8d:02:e9:03:af:
fe:7d:19:28:ef:46:6b:2c:02:04:33:05:2e:73:94:
10:ae:54:25:d2:82:55:10:22:74:7b:44:7c:c6:d3:
e5:35:5e:10:af:9e:67:49:0a:1f:fe:bb:00:60:26:
a8:ee:4b:66:2f:7d:f4:76:24:3e:73:81:e4:79:53:
3c:30:e6:25:00:80:fb:d2:0c:fa:e7:db:01:15:52:
4e:c4:ec:9f:95:b4:1d:a0:e7:7a:a2:59:77:c0:24:
13:a9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:9F:64:BF:CB:5E:2F:7D:F8:0B:26:94:DB:17:9D:F4:59:CE:79:20
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a4:24:8d:a2:b8:b4:da:5c:a6:e0:75:2a:e0:71:aa:03:35:e8:
b4:64:49:90:b9:f3:09:a6:c6:99:0c:64:04:5e:65:e6:09:72:
13:11:e8:4c:29:a4:99:c5:dd:67:ff:49:fb:5f:8a:b3:cf:3a:
e5:b7:1c:a0:8a:59:ca:10:a9:dd:26:c3:3d:25:c7:82:b8:0d:
db:91:fe:45:d1:3b:ac:80:1d:11:49:85:13:9b:c2:86:fd:17:
81:5d:e3:a4:d1:64:2d:27:0c:c9:77:08:2a:89:ed:7e:2e:ac:
d2:86:f5:d5:fd:de:a6:c4:5d:18:33:ec:78:a1:ca:cf:64:68:
cb:1a:25:1e:a3:cf:e5:28:0b:a2:f8:45:bd:b6:99:54:17:62:
09:f0:ab:ba:d2:38:dc:bc:7b:1d:b8:f2:51:e5:d3:0c:1d:8d:
a3:3e:57:c2:0d:ef:93:5d:39:9c:ee:50:f1:e3:f8:fb:ff:94:
88:2c:37:f7:39:47:97:2c:fc:71:27:88:21:b3:da:68:ac:f4:
c6:a0:77:00:25:37:67:ea:ee:d1:a8:44:01:f6:40:79:68:4a:
94:24:d8:1a:d9:07:7d:73:0b:8c:b0:80:dd:b4:a9:49:3f:33:
73:7e:4d:5a:b6:f0:51:94:46:b2:81:a3:cb:81:a2:d9:7f:dd:
32:60:ba:8c
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEyMzM1OVoXDTI3MDQyMjEy
MzM1OVowETEPMA0GA1UEAwwGYXBhY2hlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0Ij7MhebnZUVQqWzIA4nGr2qEGpZnBhAy4GAcDMaIjQIb5QMlxxo
1GlZflBlwUYq/Z1OlhNHWNqHhg6sra1IrdGxbmEr3gTBX89g9aa9Pf2z66Dbj59n
W5F2qqWHmoNXGoQ9EcKzcYRRSNM4jg7yxZZVtW6GTPAinRkTriMh6tX+5B2c+0I6
hIFDAy7Fve0LfkhQg+ALFYe9ZZsN0H5VjQLpA6/+fRko70ZrLAIEMwUuc5QQrlQl
0oJVECJ0e0R8xtPlNV4Qr55nSQof/rsAYCao7ktmL330diQ+c4HkeVM8MOYlAID7
0gz659sBFVJOxOyflbQdoOd6oll3wCQTqQIDAQABo0IwQDAdBgNVHQ4EFgQUE59k
v8teL334CyaU2xed9FnOeSAwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9
W9UwDQYJKoZIhvcNAQELBQADggEBAKQkjaK4tNpcpuB1KuBxqgM16LRkSZC58wmm
xpkMZAReZeYJchMR6EwppJnF3Wf/SftfirPPOuW3HKCKWcoQqd0mwz0lx4K4DduR
/kXRO6yAHRFJhRObwob9F4Fd46TRZC0nDMl3CCqJ7X4urNKG9dX93qbEXRgz7Hih
ys9kaMsaJR6jz+UoC6L4Rb22mVQXYgnwq7rSONy8ex248lHl0wwdjaM+V8IN75Nd
OZzuUPHj+Pv/lIgsN/c5R5cs/HEniCGz2mis9MagdwAlN2fq7tGoRAH2QHloSpQk
2BrZB31zC4ywgN20qUk/M3N+TVq28FGURrKBo8uBotl/3TJguow=
-----END CERTIFICATE-----

17
assignment2/ca/apache.csr
View File

@@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICxjCCAa4CAQAwVzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRcwFQYDVQQDDA5hcGFjaGUuY29p
bWJyYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCI+zIXm52VFUKl
syAOJxq9qhBqWZwYQMuBgHAzGiI0CG+UDJccaNRpWX5QZcFGKv2dTpYTR1jah4YO
rK2tSK3RsW5hK94EwV/PYPWmvT39s+ug24+fZ1uRdqqlh5qDVxqEPRHCs3GEUUjT
OI4O8sWWVbVuhkzwIp0ZE64jIerV/uQdnPtCOoSBQwMuxb3tC35IUIPgCxWHvWWb
DdB+VY0C6QOv/n0ZKO9GaywCBDMFLnOUEK5UJdKCVRAidHtEfMbT5TVeEK+eZ0kK
H/67AGAmqO5LZi999HYkPnOB5HlTPDDmJQCA+9IM+ufbARVSTsTsn5W0HaDneqJZ
d8AkE6kCAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDocECjwAAYIG
YXBhY2hlMA0GCSqGSIb3DQEBCwUAA4IBAQBzs+QEnIvT5ArumDP7/7TeEcOeTmfh
GkLMHKn2+lRH055KE+sv2k2l+PW4zrPLdEWw82CW7zy4ilpXjzywGIXZY0dCAWWH
wc/mRqbE6b4gdatU+LEqkcUiiCKkAh+stG1QOYB4yhISR0N/KWC4GIBsNIen8jjO
+qQunBa/wb7XRvHWCl4ihLMSA4PjijkxPOAjnGe6swPCo8gl39477bdAYL2Qrrr2
FxkZRZMZG1cSX2lV8DhBV4/AZAzZMGFHc4GOzcyzPNJ3PWFotv+jNQ1DxbTFmOYI
m6A0coUdCw87lYuWlH8J3s0CUUb7Swd1dKrTjk7UDOTG1VK7q7xYaMkJ
-----END CERTIFICATE REQUEST-----

28
assignment2/ca/apache.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQiPsyF5udlRVC
pbMgDicavaoQalmcGEDLgYBwMxoiNAhvlAyXHGjUaVl+UGXBRir9nU6WE0dY2oeG
DqytrUit0bFuYSveBMFfz2D1pr09/bProNuPn2dbkXaqpYeag1cahD0RwrNxhFFI
0ziODvLFllW1boZM8CKdGROuIyHq1f7kHZz7QjqEgUMDLsW97Qt+SFCD4AsVh71l
mw3QflWNAukDr/59GSjvRmssAgQzBS5zlBCuVCXSglUQInR7RHzG0+U1XhCvnmdJ
Ch/+uwBgJqjuS2YvffR2JD5zgeR5Uzww5iUAgPvSDPrn2wEVUk7E7J+VtB2g53qi
WXfAJBOpAgMBAAECggEAC8SDGlVLNoYEbF2h4U/zJHbp+yGpO14CAAnnh81WbvIt
PLCn0jor7zqfrnlWeKTfRa8EEYN2ffzc83NuCqHx7T8dSluI6G8vw1qWP96AJNil
d8k8wprN8BSiE+ih4ZYCSxCFyrQIQMJk/N1QfnG5AO3mGcYqJXrSlTdmTSgV4KTH
HMhcbE3oBi5sixfYuhz7JmoN2MtvUH7T1XQ93IK/EDANCHeOYfVDlQMv+VKqUsEA
4tB1j2Mk+MENIbxg2vswsDzi4X3geU9kDkZ+V/ahzQSKnoUJtC81QftGst7gia7i
Kl51DWvw3SXclDn//5ZSaWd6T0a0Gc8f73yC0vzKIQKBgQD9TVBrSTZTvJcJhhMQ
Tk7Epe96nWPw3PwKPntAaCcWaNi+AXOWw5oKX1Okilrsbxz5P6yH/jTvFZF33zpT
nhS30ew41GTSL0j3gCWK25I0SJOeth2dycyjd/yljotOGOz667vTGHleso7NYthD
s+iU6ceb7EuU9T0JjhHDsrVK8QKBgQDSwZmOwMAq0evNFgKB0QiipABIWhm7As1n
O0M439zA2bVo8Z3UAQb7YOBG/EoH+I/1HakJBM0BVyGRzkg4Krq0Dd8iL4gESj8E
niCtIC874AjhemVjHDPNwI/m93Czg8tqfd3r82rOa5HJWW4WYGeHPTjvd0puS8/6
SWTyBgSkOQKBgANxmKVMwoNS7g7AFuRC3ElKJD5bg29T4c1V2iEfCWEBnei/Zk3n
bOG1OBLlmqTaQd+VoQfcSeXyOh8SFt3qKUfyf66qHJDK+cf7owcHQy6YygD/Ytmx
U6npSLMLhBNUvWwP5mbRT10dOlnKfTw2ZvQXVZJmHQTybJkDqHQrqtFRAoGAA1t6
Kr//T69QZk/3ckH2NUEPkBd/WW9N/lr/UySdy6SsMyPGM95gUhjU+cyDEWVwRaNX
UgF1kpPkwQHcPKjRmJSv/Udsj0TvhA9QzfE5T2bePVlJzC5i1OBAapl+fh2XW/bt
Vhjmlqs4A1EdY9XdUFY1Vfs8gE1M3tvUc9aMtGECgYA3ebYLBwDB48gbYfnv8o3P
rY2hBfBsvfSKeYT/NPxG/XR035h9BnBcNG2L7U7GKmbxdULYZ2nEOSjqTxTvlHUO
ncGr7M00D9hpzTX+Yfr3em+lGsZxVfU7sKq1fWF/BdF7gCf8cdHk66gR19kYhi38
cEB0Z02sLDDP2AYOawrliA==
-----END PRIVATE KEY-----

21
assignment2/ca/ca.crt
View File

@@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIUHeUZwwOlaXM3yPbokh5CjXEFw/YwDQYJKoZIhvcNAQEL
BQAwUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0Nv
aW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQy
MjEwNDgwMloXDTI3MDQyMjEwNDgwMlowUzELMAkGA1UEBhMCUFQxEDAOBgNVBAgM
B0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRMwEQYDVQQD
DApDb2ltYnJhVlBOMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1ft
wTq/HG1SavpgkRSP/ZO3hvW8lCR8e8ica/w7ogJwMoTAHz0axMpY9MQ6SmXXvXEh
/DY0wwM60jJ8f332fk3otcWzHznEK+EC2xrZSvnikWYSWcaDe6PzPtu0w9//y/Cl
Jt8ocvC1qyN20skhCP8nuTCW7o0nO+glPEHAl1fSuHuA/0tXbpROsxpi3cqzWypB
ufnDyIg4vxKbhQdtJn0UMvA2g92gTpxl9Dvt4L68L2e/Oz5B2l+USEIHxfkS+N1v
p8O22H+KV4+4Le76RJ/DOzV+pAieY4/bWIFQ5CsB6SvcHwP0CxOa1KOeHZbdyyDe
TBCmDTR3K4ZBy/ii2wIDAQABo1MwUTAdBgNVHQ4EFgQUrM15zIAXqo0WzJex6TZe
ACq9W9UwHwYDVR0jBBgwFoAUrM15zIAXqo0WzJex6TZeACq9W9UwDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAlkndsM3ikWZibO3l5UBBVSQjgjdf
8CdE3UyrzuTOTFGWW8ALD1PTMjZ/uFR6mX5pn3Afd6CcRvm/SP/ybh4q+7oBlJCT
hjJo/r8NAsaN1TubFSaLsQTzilZDCK6Go+WvcNgar0pwgMunqphBycuLOkT3cxli
ubGzplv33gA6EPwZ7LaSfMRf/mVeLutUyP0SKyos3/Je1lAz8Wel245JPJ2mI8fT
HopjnVWScOPedFKt/nh//RVTjZDvPGH5Lvglg9ko+Lc62JF/5XIqIS25TwcUskXK
KfotGiwJM1VHyi49PWEC1Asu7C9ljMbHy/UsISPGxUOq/oy3OQoj7DXEng==
-----END CERTIFICATE-----

28
assignment2/ca/ca.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzV+3BOr8cbVJq
+mCRFI/9k7eG9byUJHx7yJxr/DuiAnAyhMAfPRrEylj0xDpKZde9cSH8NjTDAzrS
Mnx/ffZ+Tei1xbMfOcQr4QLbGtlK+eKRZhJZxoN7o/M+27TD3//L8KUm3yhy8LWr
I3bSySEI/ye5MJbujSc76CU8QcCXV9K4e4D/S1dulE6zGmLdyrNbKkG5+cPIiDi/
EpuFB20mfRQy8DaD3aBOnGX0O+3gvrwvZ787PkHaX5RIQgfF+RL43W+nw7bYf4pX
j7gt7vpEn8M7NX6kCJ5jj9tYgVDkKwHpK9wfA/QLE5rUo54dlt3LIN5MEKYNNHcr
hkHL+KLbAgMBAAECggEAPpkTUJ3LtQVnfhWUfS87LxxPM9k0EFVH6gDUsFBjFCJb
vRZe5Mh0PnoOYKjZW7x+eA4z+Y+GDQdkkZezouB5mA5jiobOBbkpAtPQJmARtjzQ
W0XQY+uJWy+XqLoRN0lJRIrjalT8Dlp8XpbLU7mGQVimKdqO5Ab6ycs2q/ibW3dj
am9L/AaV8YW99xWeRVi8OKn1Oyhpaplnb7IDdeDx8/nCSplVx1EggsV7XPStfL2R
us8/sE525OCo7mriXBLph62r7C1oFxxeASIjpPD5+gh09CCoMcodETlCBKPia7Q4
ha/nnsjXRPZIq4b2y4BYzlCVnCldwKzr+QW+s0EZKQKBgQDZRV2kR4k9ytF1kG85
DCW8ogk03BZ2x9Wk6sEU3lUtR3YfyHe3zFrZ2lDynknVAxXABPQ8XG8i24O0ZQ/h
oiRu9LtUIf+rYVrZke8DiPEuGUdTMLeLMBUhWtSpG5kNrpr/hdt/lXnnszTd5Xon
YGpa2qQAB2eki+uxnJMbAHopRQKBgQDTT9V2FEUa+GG5mbQXClbXqbd7+8LoKH7l
VYzQxaWSWgW1o9/0NOBY5Jw6PoWdhbf0IzA2bYeKIChp6IwhEh9+A+Vdp0Hupz/Z
tDlHThWXUBqYTPM1mXX1KyEoNjGQiMMpeuOc0sUJZvMfFWrzkn0kG8VsB9u8n1ND
CQ+O3MaNnwKBgEQJ5+ApEr5KBDvnphzcQ/kFWRK3lUVPIQVLCnnpggzy4vfjBDKH
iS/NoSnJDd/p3mbKZl18qMTmryDPwSBscTJZ60vWdcUKcLPPcmTN/pDsE5zmlaO9
w/A1DIGEhfJ16k34chtLCOjZAsY2NYGdPNEExPTJXNh3hLCTErIS/S5tAoGAITum
A6sObz5vCCSPOSxsGgDcFYizz5VG18SLn+3lq02zJiz+tMZ4HiLeGx7oHq0AEEpU
c8roDSYflQB4wV67SzNLqF38tY7iMNfyRi+Wn7R+akN34I8hCQzeaxeS1ftcTjLA
h1JyoJbrV5Ejv+ji+4HOm73kphacnqdXJg28wFsCgYEAs4VbAruXv3thxJ8a7Y4n
8FRwdDV2nJRGYRR6WdE8qCLFi5rhoI2/sqblp2i/j8e419YWzj+pRqDMCWlePg+i
7Ne5swH3UQXb+3sS/q0BUnYuJDnpmae/qJ4gDU1NvHZnrqz047hfvHw9gAcCh4a2
IZGzyqYAUSqhzm9epjEZ9+w=
-----END PRIVATE KEY-----

12
assignment2/ca/cheese.cfg
View File

@@ -1,12 +0,0 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial
copy_extensions = copy
new_certs_dir = .
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied

22
assignment2/ca/create_all_keys.sh
View File

@@ -1,22 +0,0 @@
#!/bin/bash
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
[[ -e "serial" ]] || echo 1000 > serial
[[ -e "index.txt" ]] || touch index.txt
[[ -e "ca.key" ]] || openssl genrsa -out "ca.key" 2048
[[ -e "ca.crt" ]] || openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
[[ -e "vpn.key" ]] || openssl genrsa -out "vpn.key" 2048
[[ -e "vpn.csr" ]] || openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
[[ -e "vpn.crt" ]] || openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
[[ -e "dh2048.pem" ]] || openssl dhparam -out "dh2048.pem" 2048
[[ -e "ta.key" ]] || openvpn --genkey secret "ta.key"
[[ -e "user.key" ]] || openssl genrsa -out user.key
[[ -e "user.csr" ]] || openssl req -new -key user.key -out user.csr -subj "$cert_user"
[[ -e "user.crt" ]] || openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
[[ -e "apache.key" ]] || openssl genrsa -out apache.key
[[ -e "apache.csr" ]] || openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
[[ -e "apache.crt" ]] || openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg

8
assignment2/ca/dh2048.pem
View File

@@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBDAKCAQEAvqMnND0GPZb1287Irc8grekth4JCb5Mfz4iig9GR0AJNzIj+/hf6
Cnz3+5F6OD7XDyY7Prgq/dZ6KhZAnKOSQ4r6rDbgcVqPoU5g8ykKuhI3daAOr/Ut
EauKJN4kcTDARvdk9gebWNIDRrbuV0wv7QDsO3TIznn24MTnYUm3ReExv58fmqX6
Ttr74clxnUC660HX084sxhxAA9Mfewy+8KCxy1MF2MttZP6DY3IWEVokfK2W/ZlE
UsFIMNlblKK/JBn7Y/6/FZN/V8zwxFCQBhuvOvaNbtraejkeUnl7VdqQ6T4Rmvid
0jN5ddbuyyu+pm7WPU94ilLyPQECexnx7wIBAgICAOE=
-----END DH PARAMETERS-----

4
assignment2/ca/index.txt
View File

@@ -1,4 +0,0 @@
V 270422105026Z 1000 unknown /CN=gateway
V 270422105026Z 1001 unknown /CN=warrior
V 270422123359Z 1002 unknown /CN=apache
V 270422141459Z 1003 unknown /CN=apache.coimbra

1
assignment2/ca/index.txt.attr
View File

@@ -1 +0,0 @@
unique_subject = yes

1
assignment2/ca/index.txt.attr.old
View File

@@ -1 +0,0 @@
unique_subject = yes

3
assignment2/ca/index.txt.old
View File

@@ -1,3 +0,0 @@
V 270422105026Z 1000 unknown /CN=gateway
V 270422105026Z 1001 unknown /CN=warrior
V 270422123359Z 1002 unknown /CN=apache

2
assignment2/ca/revoke_user.sh
View File

@@ -1,2 +0,0 @@
#!/bin/bash
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

1
assignment2/ca/serial
View File

@@ -1 +0,0 @@
1004

1
assignment2/ca/serial.old
View File

@@ -1 +0,0 @@
1003

21
assignment2/ca/ta.key
View File

@@ -1,21 +0,0 @@
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
8ab6c529070f93ad262f6ba5ec506c5e
3e89f24851df40259a2e5fce5b98117c
4ccba0c1c5a045d802ee4638c1f047fb
f2537cb038f1faf976e1cf05ad2c5cc2
23be82d9bdd89180ff235bc995116c83
f08bc102313dd043fa3dcb924665fc36
408fd7bc620c6939e0a42f90e37a9ea7
078e323acbe6b844405b929fecbcc539
e5022c1e9a2b76503b63d35aeeb70cb4
cf260ac014c5914b30ee0020a737bcc5
d08a810e512769245993d9075572f1c0
4971992ba8782b2b7e6189b03c8e1448
842e42983c9af8c32d007237e9b597db
2c6cf399d16f153136307605297e3bbb
cb1b9b1cc9c4cb2f2684ad5d50dd0448
3480fb0a4cc3af1553e5b40645eae3f0
-----END OpenVPN Static key V1-----

74
assignment2/ca/user.crt
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=warrior
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:5e:36:38:85:bb:f8:15:29:90:2a:03:47:26:
36:ad:47:b8:80:c2:1c:b2:35:53:34:a3:c8:79:73:
1a:7b:c5:06:f9:0e:fb:61:e9:16:81:81:4d:55:ac:
25:7d:96:f4:a4:1a:46:d0:0a:af:48:65:b7:1e:9b:
02:4a:4a:af:53:64:20:4f:af:d8:ab:f7:99:c2:b7:
80:b2:80:24:00:7c:a7:43:f7:35:69:47:fc:bc:ce:
fa:1a:8e:81:c3:2b:55:ea:57:c8:ec:76:3b:1b:58:
e9:65:c1:66:97:c5:39:62:1f:c7:f2:64:b3:6a:31:
41:a9:66:00:f5:48:3c:31:9b:70:a7:ca:f0:b8:28:
d3:cf:fb:86:25:f0:93:17:ad:3f:c8:60:dd:a7:a1:
be:b4:e8:fc:79:47:53:68:ed:eb:21:b5:f7:aa:f5:
bf:22:45:d9:10:5a:db:be:41:c3:09:47:72:f4:6b:
d6:21:65:77:43:79:89:0d:cd:72:58:14:e2:25:55:
0b:17:e8:97:d4:d0:0e:9c:7d:9c:38:6e:52:50:cb:
25:a5:00:fc:cb:69:bb:09:f0:3a:f1:8a:83:e7:7c:
95:07:46:58:11:41:25:8d:5c:91:02:ec:d2:83:4c:
98:d0:aa:ad:b0:fa:67:6c:22:79:87:de:5a:f5:01:
8f:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
30:84:32:04:21:19:F0:A6:B7:C1:32:4C:1B:9F:7E:EF:EC:3C:D3:79
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
60:76:03:78:46:0e:db:33:a4:1a:13:67:11:66:b6:7e:bf:ba:
23:4e:01:9e:6b:28:dc:46:9c:5e:e8:a9:2a:72:d2:ae:c0:c7:
b7:68:6f:92:55:43:b7:cd:8f:6b:78:ad:86:d1:8a:bb:ba:7a:
a7:3b:fa:53:8f:1d:ec:75:0b:36:05:6b:14:91:c4:79:51:b2:
d0:2f:b9:17:0c:f1:6b:88:4d:24:6b:ae:15:36:2b:ac:4b:94:
67:04:f8:93:49:cc:c1:d7:ec:ae:a2:dc:32:c8:d1:f4:ee:4b:
0c:11:ad:4c:84:5d:96:97:31:d6:9f:c5:a7:79:b2:f1:b8:42:
5b:79:b8:12:d2:a3:56:a0:ae:3b:ba:7f:56:25:d4:ad:a7:fa:
39:52:e0:57:af:4f:d2:c6:3c:24:5d:d6:07:84:b0:a5:5f:d2:
3c:8b:36:2a:1f:24:55:cd:89:22:94:b7:f2:93:69:01:89:6e:
a4:67:2d:8b:d9:cd:af:29:70:09:83:69:e5:46:35:51:59:90:
71:c0:0a:8a:00:5c:55:c6:12:34:1a:b7:3d:a9:67:9c:0b:2f:
71:32:cb:87:92:b0:18:ff:fe:ec:f0:3e:cc:e3:1c:65:c8:24:
a9:bd:c9:8f:96:f7:19:af:95:a6:e0:e5:21:65:50:ad:69:da:
d3:09:27:84
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHd2FycmlvcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANheNjiFu/gVKZAqA0cmNq1HuIDCHLI1UzSjyHlzGnvFBvkO+2Hp
FoGBTVWsJX2W9KQaRtAKr0hltx6bAkpKr1NkIE+v2Kv3mcK3gLKAJAB8p0P3NWlH
/LzO+hqOgcMrVepXyOx2OxtY6WXBZpfFOWIfx/Jks2oxQalmAPVIPDGbcKfK8Lgo
08/7hiXwkxetP8hg3aehvrTo/HlHU2jt6yG196r1vyJF2RBa275BwwlHcvRr1iFl
d0N5iQ3NclgU4iVVCxfol9TQDpx9nDhuUlDLJaUA/MtpuwnwOvGKg+d8lQdGWBFB
JY1ckQLs0oNMmNCqrbD6Z2wieYfeWvUBj1kCAwEAAaNCMEAwHQYDVR0OBBYEFDCE
MgQhGfCmt8EyTBuffu/sPNN5MB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQBgdgN4Rg7bM6QaE2cRZrZ+v7ojTgGeayjc
Rpxe6KkqctKuwMe3aG+SVUO3zY9reK2G0Yq7unqnO/pTjx3sdQs2BWsUkcR5UbLQ
L7kXDPFriE0ka64VNiusS5RnBPiTSczB1+yuotwyyNH07ksMEa1MhF2WlzHWn8Wn
ebLxuEJbebgS0qNWoK47un9WJdStp/o5UuBXr0/SxjwkXdYHhLClX9I8izYqHyRV
zYkilLfyk2kBiW6kZy2L2c2vKXAJg2nlRjVRWZBxwAqKAFxVxhI0Grc9qWecCy9x
MsuHkrAY//7s8D7M4xxlyCSpvcmPlvcZr5Wm4OUhZVCtadrTCSeE
-----END CERTIFICATE-----

16
assignment2/ca/user.csr
View File

@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAd3YXJyaW9yMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2F42OIW7+BUpkCoDRyY2rUe4
gMIcsjVTNKPIeXMae8UG+Q77YekWgYFNVawlfZb0pBpG0AqvSGW3HpsCSkqvU2Qg
T6/Yq/eZwreAsoAkAHynQ/c1aUf8vM76Go6BwytV6lfI7HY7G1jpZcFml8U5Yh/H
8mSzajFBqWYA9Ug8MZtwp8rwuCjTz/uGJfCTF60/yGDdp6G+tOj8eUdTaO3rIbX3
qvW/IkXZEFrbvkHDCUdy9GvWIWV3Q3mJDc1yWBTiJVULF+iX1NAOnH2cOG5SUMsl
pQD8y2m7CfA68YqD53yVB0ZYEUEljVyRAuzSg0yY0KqtsPpnbCJ5h95a9QGPWQID
AQABoAAwDQYJKoZIhvcNAQELBQADggEBAKBuw6o5zucZ3cULpuQBZiBtvodrV1ht
V7NCqQe5UoFP0wywUCQyB1A4rAT+Of3yJxKLYiBrq8u9/ra6zGfXTOxZSSpm+1cN
iZMVb3c57Hir3cS3sG/tLi147168GpBxiV87WLgBozw2ki0x9fApx5crLZY9/FlM
qCwTF8g/Pu6c/gXf+y/aGzcElx0tTpR5FvJopFJ/PNNJSmJZ22Mtbynvztnk8xB6
vzX3+0lp9eNv7X1IwcaDk45B1Fv+7OiyVZ57hOrsUsr4whmb7jctpEm5UzL4cHuE
nMjY5Eqe9Gsct5g7PO+LVH8CF1joBLShgqOIH+1k797iS5maYWHdYW0=
-----END CERTIFICATE REQUEST-----

28
assignment2/ca/user.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYXjY4hbv4FSmQ
KgNHJjatR7iAwhyyNVM0o8h5cxp7xQb5Dvth6RaBgU1VrCV9lvSkGkbQCq9IZbce
mwJKSq9TZCBPr9ir95nCt4CygCQAfKdD9zVpR/y8zvoajoHDK1XqV8jsdjsbWOll
wWaXxTliH8fyZLNqMUGpZgD1SDwxm3CnyvC4KNPP+4Yl8JMXrT/IYN2nob606Px5
R1No7eshtfeq9b8iRdkQWtu+QcMJR3L0a9YhZXdDeYkNzXJYFOIlVQsX6JfU0A6c
fZw4blJQyyWlAPzLabsJ8DrxioPnfJUHRlgRQSWNXJEC7NKDTJjQqq2w+mdsInmH
3lr1AY9ZAgMBAAECggEAaYNcDqlM9pifWbHbQl2kyVDR7Vx78P3nMyLx1yQmFJiL
I3bGaUNpWcNMCsz1xW6Ro9s6kCa9vuD3cYHnFoKgSFrqFOIsmAQZZCbnqGSr6d7g
FNlfnxVfb1XCCqRXLG2cKrkffwzTGy17OEedt8KSjsLv10l7YvxdSHY5XmQZEpkU
l9O6olSvhaPQxx3RynR0rTdyESZMLMj2SqHpSlHg6TVvTjRH5EspMTpJiU/cNiqv
b57OH02gh1huS0DKV3aPvR8+6jlP0Ec0djcwXatQxzesFjHutVR1f5RBh36O6zJ0
9Nx2wxppFPsFVB5olJWzIkMH2MalYyIK5+0Lpl3PDwKBgQD04wRGe+EZrCcfLJy+
wpsBqoUeclhDtfz1aMlmhCurWdIQKiEn1lYVMopxn+FvZy3pyE9ymn7aSsmb6PT4
f1j3rOjYcWKceyUCdEsYDRq8ciW7bhKVwXd+763CI485x63ZkKcKe2b7v1GIhkII
7Kp/Nwh5tXxCp6ta+0hJO9nEqwKBgQDiL+CDlgkEVM0MsjuSS2arHwfolXEaoApy
CwX6abCOkV3RiMmuMGKidQJ3v0K+vI3WlG/fW9s6ZRe9mSj/Qu3hq3el5ozzSpW9
FOI41cTOHdvKDpN21Cgk9gMBt0Slp2+qrv+OT4zCheQV29mGZ0dudr5/fMzrAxnk
nbhkXlpUCwKBgQC5mgHYhfVypraz+vUF46rl1V61V8ar8xe4zGWwzEXoxdffJn8g
mWN/B2JEgf+zlokG4inM22l/eyVYhHR+js5YUXXc7frmTLMdLBTqMqxr3TvZ1bBC
TnKKA5A3TwozqbKK7gacfDDuZu+dwNv1taH3bzd+P13hiwDloQQFdVY0pwKBgEC1
S7i5apj3nbXdI5fFxHh+JygN4M6qLHLV3n72T5Fp2vo/9NrFcuJhMTSK3hBtJvLV
gm/W+o/pLfKK56SnRCDEijVHENnlY5M1b0atOWFyP1e99cgQB/ATBWcvRA9UKGkf
KXNQJMfdwBPU0pVV5KSgif00+fbd60FxMbhdGeBjAoGBAO4GIfg1FgIixd3BjuW8
vCcYqqyRphtiHUeZMoVeIVO+CwD4tm7Rj7mRux/3lU8qRFdD/5O5oFE5MR6gvyno
aBt/fPzA40/zjsDMdILaL6IoJUw1B3OsRUoNTupHxqkBl3gJV1WUnWMQftzNAYuy
GJzEUr6jpE6MJyt3osZwfurm
-----END PRIVATE KEY-----

74
assignment2/ca/vpn.crt
View File

@@ -1,74 +0,0 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PT, ST=Coimbra, L=Coimbra, O=UC, CN=CoimbraVPN
Validity
Not Before: Apr 22 10:50:26 2026 GMT
Not After : Apr 22 10:50:26 2027 GMT
Subject: CN=gateway
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bc:46:6b:0e:12:3f:c2:64:0d:dd:36:e7:86:a2:
f6:98:04:86:21:73:85:3b:cc:ce:7d:c5:74:f9:8d:
97:f8:c9:01:1c:e9:88:db:10:fc:40:a8:2a:44:76:
de:07:bd:39:58:c3:ba:b3:9a:d2:01:91:12:c8:7f:
0e:7a:51:56:f6:a4:ad:4e:63:92:8e:05:b9:9d:5a:
76:37:60:58:60:0a:10:f2:6e:15:6b:76:a1:34:91:
c5:cf:c7:86:00:cd:3f:53:c2:e9:45:8c:86:49:c2:
a1:36:f9:ca:3b:a5:30:76:92:ff:a6:e5:fa:40:67:
d9:91:ea:24:90:a5:a4:e0:15:2a:da:ce:1b:4e:f9:
86:7e:9f:33:de:e9:24:dc:b9:60:fa:c9:f0:e0:79:
83:a3:d3:b3:c9:61:37:9d:26:ab:e9:bd:21:68:74:
51:02:e0:a2:36:24:9e:c6:5d:22:f3:f6:76:8d:17:
ab:e3:46:a2:dc:a3:e4:f8:bc:a2:4b:59:8b:76:f4:
91:7e:2f:48:79:b6:72:1b:d5:45:e2:9f:d3:8d:b2:
f6:45:53:07:95:4d:8e:76:73:b8:54:10:17:63:c4:
07:bf:bf:a6:72:4f:ea:be:b7:1d:38:37:3a:95:26:
8f:36:81:a0:53:07:d3:49:32:7a:de:3c:7f:61:b6:
7c:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
96:52:2F:9E:1C:51:4D:A7:91:73:93:1B:E6:69:6C:06:99:28:2D:0B
X509v3 Authority Key Identifier:
AC:CD:79:CC:80:17:AA:8D:16:CC:97:B1:E9:36:5E:00:2A:BD:5B:D5
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9a:fd:c0:13:d2:8a:7d:8d:d6:79:d0:35:1f:a6:75:ea:ff:1b:
73:1a:4b:30:d9:c8:3b:9d:96:e5:a8:28:eb:74:26:0d:13:fa:
e1:89:ad:eb:38:d4:57:d1:72:af:c5:93:ab:ce:07:35:3a:b5:
34:9f:72:af:71:b7:79:23:c8:88:99:af:a9:bf:72:8f:01:f2:
cf:f8:a1:57:8e:2a:05:e7:05:c2:0e:ac:92:df:db:f4:fd:64:
16:01:28:5a:7b:8b:c1:e3:8b:49:48:58:b4:36:28:ed:a3:99:
60:9c:a7:a6:3b:eb:07:3d:42:36:29:f2:d2:ff:07:86:34:3c:
0a:b0:70:cb:23:d2:f3:f1:f7:88:74:a5:a6:c3:ee:4e:5f:d7:
6d:ba:a6:83:09:76:f5:e4:1a:3b:d5:58:e9:be:a8:80:cf:68:
13:82:95:b3:da:75:43:4b:e7:f3:fb:6b:0d:b3:d5:07:5e:1b:
7a:69:f4:77:1b:59:eb:c5:a1:84:fb:cc:3e:5c:26:f5:b3:b3:
4d:36:8d:40:d2:53:f9:1e:bd:cf:b9:4b:c3:a8:40:29:97:58:
48:c2:94:94:28:9d:3f:e7:e3:d2:a3:db:32:8d:fb:a9:bb:c3:
32:a5:b3:c0:8b:c5:e3:56:45:55:2d:fb:62:5a:c0:36:f1:df:
b6:00:f9:b9
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCUFQx
EDAOBgNVBAgMB0NvaW1icmExEDAOBgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVD
MRMwEQYDVQQDDApDb2ltYnJhVlBOMB4XDTI2MDQyMjEwNTAyNloXDTI3MDQyMjEw
NTAyNlowEjEQMA4GA1UEAwwHZ2F0ZXdheTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALxGaw4SP8JkDd0254ai9pgEhiFzhTvMzn3FdPmNl/jJARzpiNsQ
/ECoKkR23ge9OVjDurOa0gGREsh/DnpRVvakrU5jko4FuZ1adjdgWGAKEPJuFWt2
oTSRxc/HhgDNP1PC6UWMhknCoTb5yjulMHaS/6bl+kBn2ZHqJJClpOAVKtrOG075
hn6fM97pJNy5YPrJ8OB5g6PTs8lhN50mq+m9IWh0UQLgojYknsZdIvP2do0Xq+NG
otyj5Pi8oktZi3b0kX4vSHm2chvVReKf042y9kVTB5VNjnZzuFQQF2PEB7+/pnJP
6r63HTg3OpUmjzaBoFMH00kyet48f2G2fCECAwEAAaNCMEAwHQYDVR0OBBYEFJZS
L54cUU2nkXOTG+ZpbAaZKC0LMB8GA1UdIwQYMBaAFKzNecyAF6qNFsyXsek2XgAq
vVvVMA0GCSqGSIb3DQEBCwUAA4IBAQCa/cAT0op9jdZ50DUfpnXq/xtzGksw2cg7
nZblqCjrdCYNE/rhia3rONRX0XKvxZOrzgc1OrU0n3Kvcbd5I8iIma+pv3KPAfLP
+KFXjioF5wXCDqyS39v0/WQWAShae4vB44tJSFi0Nijto5lgnKemO+sHPUI2KfLS
/weGNDwKsHDLI9Lz8feIdKWmw+5OX9dtuqaDCXb15Bo71VjpvqiAz2gTgpWz2nVD
S+fz+2sNs9UHXht6afR3G1nrxaGE+8w+XCb1s7NNNo1A0lP5Hr3PuUvDqEApl1hI
wpSUKJ0/5+PSo9syjfupu8MypbPAi8XjVkVVLftiWsA28d+2APm5
-----END CERTIFICATE-----

16
assignment2/ca/vpn.csr
View File

@@ -1,16 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIClTCCAX0CAQAwUDELMAkGA1UEBhMCUFQxEDAOBgNVBAgMB0NvaW1icmExEDAO
BgNVBAcMB0NvaW1icmExCzAJBgNVBAoMAlVDMRAwDgYDVQQDDAdnYXRld2F5MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvEZrDhI/wmQN3TbnhqL2mASG
IXOFO8zOfcV0+Y2X+MkBHOmI2xD8QKgqRHbeB705WMO6s5rSAZESyH8OelFW9qSt
TmOSjgW5nVp2N2BYYAoQ8m4Va3ahNJHFz8eGAM0/U8LpRYyGScKhNvnKO6UwdpL/
puX6QGfZkeokkKWk4BUq2s4bTvmGfp8z3ukk3Llg+snw4HmDo9OzyWE3nSar6b0h
aHRRAuCiNiSexl0i8/Z2jRer40ai3KPk+LyiS1mLdvSRfi9IebZyG9VF4p/TjbL2
RVMHlU2OdnO4VBAXY8QHv7+mck/qvrcdODc6lSaPNoGgUwfTSTJ63jx/YbZ8IQID
AQABoAAwDQYJKoZIhvcNAQELBQADggEBAAqV168ZttquI1P85iodBEo4pkefV9g7
DNOtjf/BQ4SZUmtMBSH95aH1o+EjhYy+522IJ7yTOke5uTsr4R0uD/D7EX9hKnp5
Qx2t/QZc+q3VKzOMV687VfBfq2RErMGSvJmk7cH40HyDlh4Ts5NZO3CAwaiIovKc
ddcZfrO3naktT8jwayWA16pk+vxf0G3jwJqbeizyS0hl12+dwPr/+ESRHCQoSkUH
wG5mL4eRW5E0NyuH9iGvOHms6WDrPU0qp2Rztql+FYZB+qGPJ3pdsajCIjJG7n4E
n3D5ofg5q3dlLHAwueMcMLGL9hpjXRGLZturgB5JdUp9+1fMhgxYfFY=
-----END CERTIFICATE REQUEST-----

28
assignment2/ca/vpn.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8RmsOEj/CZA3d
NueGovaYBIYhc4U7zM59xXT5jZf4yQEc6YjbEPxAqCpEdt4HvTlYw7qzmtIBkRLI
fw56UVb2pK1OY5KOBbmdWnY3YFhgChDybhVrdqE0kcXPx4YAzT9TwulFjIZJwqE2
+co7pTB2kv+m5fpAZ9mR6iSQpaTgFSrazhtO+YZ+nzPe6STcuWD6yfDgeYOj07PJ
YTedJqvpvSFodFEC4KI2JJ7GXSLz9naNF6vjRqLco+T4vKJLWYt29JF+L0h5tnIb
1UXin9ONsvZFUweVTY52c7hUEBdjxAe/v6ZyT+q+tx04NzqVJo82gaBTB9NJMnre
PH9htnwhAgMBAAECggEABIq6WGuOSDU7tGN3sGLMChzJ05LC2w90x8n0qXSF/wVy
Vm031PkS7MhhxKcNcihZcs+9+Ek62bjTOC0Af2jo7ShJ2gNC7NQshyRAh9N2LlLv
17laIO6Kswb1O673h5tr9KxWDkx2jN76HqZl/4xbn/Cp5C/WGqmmsQNyAF9Om+08
M/5jB3aVT4PFBoyOXd3WDkuxG1wEfFZPrrbOu7T06duzMH8yYnxFX42UyDOVNT73
iqZsxLzlOjLiAaVEZE+2WpZICnwaa04OaOimGHgYEcr4DFQwgUvkVQBvg6sDHVk2
R9GpBsf7BJceimpOAzw3zQaJ/BftFgli6/gHCZpJAQKBgQDgxxbBIxyVHYeaddAJ
cDMHTCr2wsk63gUxdqilDC/HZWpCtB1AI02IyxjPVQ87FxtQrCrGXAeztrqYRbKB
7bPu4UbYP1XCm8o0jNIsFObrMKv1KFLTycZEmvhjivFrQMXLunyPmciV1HKoPg1w
fZqJjn6X6nJyYEZBYDX6XmaX8QKBgQDWbVNxMEw4cpEdpl9lMTpry87XS1SpOKSR
YLqa5yhXMC+5l54B3a/xxoo3wY8YJLixWy67PXakKZ4iWhmAxzQocAJ4ML0ztLep
Z6fGjmE4XyBKQRIz4NaHZ76bh3SwSc07XirTahib6CPjpVc4b5h7+4JNcnmpIiq7
yFs0RfjXMQKBgAOQRHUVaGuYx0CUo5Kyu6xe8cNtvSD4yh5JokzTj6Jaoj+ieWA9
7wm/JoqK763hJOa3hAoXBWw89mJZoIXczeB4o9Xj0yk9rQv+O4rFXg/WerNtSzre
VQ1bY5q4ZjFsGnarYzQnnP17G8I9EZt58kxB/RHNfrj/e72nl9N7UacRAoGBAKeS
/t/5X8fJeTFTwT+i7kYqG/bTL1GkK7BViN/gAP3KcbG4FMrehk8L2x7hzMOQhypL
2USJLzvyLlwoT7/9bfygNL3bUTGkbNgeYtbglIfqh6CgI+qZLu7ZG/QOMxpGQva/
i/Z29s545/tTTsuTIvbZwqZl7UBJrF3eobBDcsoxAoGAbtIHtMulH7WJYu57DdC2
AD/xc0YBESCDN8wV73XZrOTluuCXDGOiQow4jWZM9SgFosVY0DrAM4pu6JWso93x
xAPexrca18YxCs2UwT66AYzDXOcijl1F9fUitf3WC/sZWmO3sd1FVFuLRGlq8mXY
kGgsbmgiuKROuuMqB2fHgWo=
-----END PRIVATE KEY-----

19
assignment2/conf/client.conf
View File

@@ -1,19 +0,0 @@
client
dev tun
proto udp
remote 193.136.212.1 1194 # ip da vpn gateway
persist-tun
persist-key
# certificados
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/user.crt
key /etc/openvpn/client/user.key
# auth
cipher AES-256-GCM
auth SHA256
auth-user-pass
tls-auth /etc/openvpn/client/ta.key 1
reneg-sec 0

3
assignment2/conf/httpd-totp
View File

@@ -1,3 +0,0 @@
auth required pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
auth required pam_unix.so use_first_pass
account required pam_unix.so

20
assignment2/conf/httpd.conf
View File

@@ -1,20 +0,0 @@
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule mpm_event_module modules/mod_mpm_event.so
User apache
Group apache
Listen 80
Listen 443
Include conf.d/*.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

15
assignment2/conf/ocsp-verify.sh
View File

@@ -1,15 +0,0 @@
#!/bin/bash
depth=$1
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ]; then
# é preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
if echo "$status" | grep -q "good"; then
exit 0 # sucesso
fi
exit 1 # revogado ou não encontrado
fi
exit 1
fi

64
assignment2/conf/ssl.conf
View File

@@ -1,64 +0,0 @@
<VirtualHost *:443>
ServerName 10.60.0.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# mutual authentication
SSLVerifyClient require
SSLVerifyDepth 1
# ocsp validation
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
SSLOCSPUseRequestNonce off
# session management
Session On
SessionCookieName session path=/;HttpOnly;Secure
# proteger
<Location "/">
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
AuthFormLoginRequiredLocation "/login.html"
Require valid-user
</Location>
# public login page
<Location "/login.html">
AuthType None
Require all granted
</Location>
# login handler
<Location "/dologin">
SetHandler form-login-handler
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
Require all granted
AuthFormLoginSuccessLocation "/index.html"
AuthFormLoginRequiredLocation "/login.html?error=1"
</Location>
# logout handler
<Location "/logout">
SetHandler form-logout-handler
AuthFormLogoutLocation "/login.html?loggedout=1"
</Location>
</VirtualHost>
# redirect para https
<VirtualHost *:80>
ServerName 10.60.0.1
Redirect permanent / https://10.60.0.1/
</VirtualHost>

3
assignment2/conf/totp
View File

@@ -1,3 +0,0 @@
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so

29
assignment2/conf/vpn.conf
View File

@@ -1,29 +0,0 @@
local 193.136.212.1
port 1194
proto udp
dev tun
verb 4
# Bro is too honorable
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.60.0.0 255.255.255.0"
# OCSP and Revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth
cipher AES-256-GCM
auth SHA256
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0

BIN
assignment2/entrega.zip
View File

Binary file not shown.

4702
assignment2/entrega.zip.asc
View File

File diff suppressed because it is too large Load Diff

BIN
assignment2/enunciado.pdf
View File

Binary file not shown.

143
assignment2/enunciado.txt
View File

@@ -1,143 +0,0 @@
FSI 2025/2026
Practical Assignment #2
1. Goals
Configure a VPN tunnel in the “road warrior” scenario.
Enable two-factor user authentication with OpenVPN and Apache services.
Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
2. General description
Figure 1 illustrates the scenario considered for our practical assignment. As illustrated, secure communications are
supported by a VPN tunnel established between a remote client (road warrior) and the VPN gateway, with the purpose of
enabling accesses to services in the Internal Network, particularly a web server running Apache. To enable the VPN tunnel,
we will use OpenVPN (https://openvpn.net).
Figure 1 Scenario for the Practical Assignment #1
Regarding authentication, the two communication entities participating in the VPN tunnel (road warrior and the VPN
gateway) should possess valid X.509 certificates, which are created with a private Certification Authority (CA). Users
establishing remote connections to the VPN gateway (road warriors), as well as users connecting to the Apache server, will
also use two-factor authentication, as described below. Apache must also implement client authentication via X.509
certificates. Figure 2 provides an illustration of the interactions between all the entities involved in this setup.
Figure 2 X.509 mutual authentication and OCSP
As we can observe in Figure 2, the VPN gateway and the Apache web server must verify the status of validity of certificates
using OCSP (Online Certificate Status Protocol) and revocation information from the CA. OCSP verification in not
required for the road warrior. Next, we describe the configuration requirements for the various components of the
assignment.
3. Configuration requirements
VPN tunnel for remote access (road warriors)
As illustrated in Figure 1, remote clients (road warriors) are able to connect to the Coimbra VPN gateway, and using the
tunnel remotely access hosts in the Internal network. The following configuration requirements should be considered:
In order to establish a VPN tunnel with the Coimbra gateway, the road warrior must be in the possession of a valid
X.509 certificate, issued by the private CA of the scenario.
The road warrior and the Coimbra VPN gateway must perform mutual authentication using X.509 digital certificates.
The Coimbra VPN gateway should verify the validity of the X.509 certificate presented by the road warrior using OCSP
and, in case the certificate is revoked, the gateway should refuse the connection.
In order to authorize the remote user, the Coimbra gateway should also enforce two other authentication steps: the user
must present a valid username and password, plus a one-time password (OTP, or an authentication token).
Web server
2
The road warrior user should be able to contact the Apache web server with HTTPS through the VPN tunnel. The
following configuration requirements should be considered:
Apache should enforce two-factor authentication in order to authorize accesses from clients: the client (browser) should
present a valid X.509 certificate (issued with the private CA of the scenario) and the user should also present a valid onetime password (or authentication token).
As in the VPN, the validity of the X.509 certificate presented by the client should be checked in the CA using OCSP.
Two-factor user authentication
As previously discussed, VPN establishment and HTTPS accesses to Apache make use of one-time passwords
(authentication tokens), which may be generated by an appropriate application. One-time passwords may be generated using
the TOTP (Time-based One-time Password Algorithm). This algorithm employs a secret key shared between the user
(client) and the remote service, plus a timestamp (obtained from the current system time), to obtain a one-time password.
In order to generate a one-time password, the user may use an application such as Google Authenticator, illustrated in
Figure 3. This application periodically generates a new one-time password that can be used to authenticate the user with the
remote service. This application is available for iOS and Android 1.
Certification authority
As already discussed, the goal is to use OpenSSL to configure a private Certification Authority, as well as to issue and revoke
X.509 digital certificates for the VPN gateways and remote users. The following configuration requirements should be
considered:
The Certification Authority is used to issue certificates for the VPN gateway, VPN client and Apache web server.
The Certification Authority allows the revocation of certificates previously issued.
The Certification Authority also supports a OCSP responder.
For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en and
for Apple iOS: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
1
3
Figure 3 Google Authenticator app, to generate a one-time password to access services enabled with two-factor authentication
4. Delivery of the Practical Assignment
With the assignment, please deliver also a report, containing the following information:
Descriptions of the configurations for the implementation of the previous requirements.
A description of how the private Certification Authority was created using OpenSSL.
A description of how X.509 certificates were issued and revoked using the private Certification Authority.
A description of the tests performed to validate the functionalities implemented.
Remaining information considered relevant.
For the delivery of the assignment, put your report, as well as the relevant configuration files, in a single archive. This archive
should be signed using your PGP key and encrypted using the PGP key of your PL teacher.
Note: Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
Delivery deadline:
The deadline for the delivery of the assignment (configuration files and report) is May 3rd 2026.
Submission via Inforestudante.
4

BIN
assignment2/relatorio/google-authenticator.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 22 KiB

27
assignment2/relatorio/relatorio.aux
View File

@@ -1,27 +0,0 @@
\relax
\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
\@nameuse{bbl@beforestart}
\catcode `"\active
\providecommand\hyper@newdestlabel[2]{}
\providecommand\HyField@AuxAddToFields[1]{}
\providecommand\HyField@AuxAddToCoFields[2]{}
\babel@aux{portuguese}{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introdução}{3}{section.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.1.1}Testes}{12}{subsubsection.5.1.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{13}{section.6}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{13}{section.7}\protected@file@percent }
\gdef \@abspage@last{13}

1
assignment2/relatorio/relatorio.listing
View File

@@ -1 +0,0 @@
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

1288
assignment2/relatorio/relatorio.log
View File

File diff suppressed because it is too large Load Diff

18
assignment2/relatorio/relatorio.out
View File

@@ -1,18 +0,0 @@
\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000\347\000\343\000o}{}% 1
\BOOKMARK [1][-]{section.2}{\376\377\000P\000r\000e\000p\000a\000r\000a\000\347\000\343\000o\000\040\000I\000n\000i\000c\000i\000a\000l}{}% 2
\BOOKMARK [2][-]{subsection.2.1}{\376\377\000C\000r\000i\000a\000\347\000\343\000o\000\040\000d\000e\000\040\000C\000e\000r\000t\000i\000f\000i\000c\000a\000d\000o\000s}{section.2}% 3
\BOOKMARK [2][-]{subsection.2.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000g\000e\000r\000a\000l}{section.2}% 4
\BOOKMARK [1][-]{section.3}{\376\377\000V\000P\000N\000\040\000G\000a\000t\000e\000w\000a\000y}{}% 5
\BOOKMARK [2][-]{subsection.3.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.3}% 6
\BOOKMARK [2][-]{subsection.3.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000o\000\040\000S\000e\000r\000v\000i\000\347\000o\000\040\000O\000p\000e\000n\000V\000P\000N}{section.3}% 7
\BOOKMARK [2][-]{subsection.3.3}{\376\377\000E\000r\000r\000o\000s}{section.3}% 8
\BOOKMARK [2][-]{subsection.3.4}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000r\000\040\000o\000\040\000u\000t\000i\000l\000i\000z\000a\000d\000o\000r\000\040\000c\000o\000m\000\040\000T\000O\000T\000P}{section.3}% 9
\BOOKMARK [1][-]{section.4}{\376\377\000V\000P\000N\000\040\000C\000l\000i\000e\000n\000t\000\040\000\050\000R\000o\000a\000d\000\040\000W\000a\000r\000r\000i\000o\000r\000\051}{}% 10
\BOOKMARK [2][-]{subsection.4.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.4}% 11
\BOOKMARK [2][-]{subsection.4.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000o\000\040\000C\000l\000i\000e\000n\000t\000e\000\040\000O\000p\000e\000n\000V\000P\000N}{section.4}% 12
\BOOKMARK [2][-]{subsection.4.3}{\376\377\000T\000e\000s\000t\000e\000s}{section.4}% 13
\BOOKMARK [1][-]{section.5}{\376\377\000S\000e\000r\000v\000i\000d\000o\000r\000\040\000A\000p\000a\000c\000h\000e\000\040\000e\000\040\000O\000C\000S\000P}{}% 14
\BOOKMARK [2][-]{subsection.5.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.5}% 15
\BOOKMARK [3][-]{subsubsection.5.1.1}{\376\377\000T\000e\000s\000t\000e\000s}{subsection.5.1}% 16
\BOOKMARK [1][-]{section.6}{\376\377\000T\000e\000s\000t\000e\000\040\000I\000n\000t\000e\000g\000r\000a\000d\000o}{}% 17
\BOOKMARK [1][-]{section.7}{\376\377\000C\000o\000n\000c\000l\000u\000s\000\343\000o}{}% 18

BIN
assignment2/relatorio/relatorio.pdf
View File

Binary file not shown.

575
assignment2/relatorio/relatorio.tex
View File

@@ -1,575 +0,0 @@
\documentclass[11pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\usepackage{style}
\setlength{\parindent}{0em}
\setlength{\parskip}{2ex}
\title{Practical Assignment \#2}
\author{
João Neto -- 2023234004\\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\newpage
\tableofcontents
\newpage
\section{Introdução}
Este projeto tem como âmbito implementar, uma rede virtual privada (VPN) num cenário
de road-warrior, configurar \textit{two-factor authentication} (2FA) com os serviços
OpenVPN e Apache, e gerir certificados X.509 utilizando OCSP.
% NOTE(vasco): Eu acho que basta explicar o cenario e explicar como decidimos
% implementar <- yeah agree, also esta introdução acho que é boa fala sobre o objetivo
% e o cenario, e porque é que o nosso cenario é como é. Não sei se a parte das razões de
%segurança devia estar nesta parte ou na conclusão como perpetiva futura e reflexão, mas aqui
%também não está mal.
% Para tal, foi implementado um servidor e um cliente OpenVPN, certificados por uma
% autoridade central (CA) que em si é \textit{self-signed}. Para além disto, foi implementado
% um sistema de autenticação de dois factores através do plugin
% \textit{google-authenticator} para o OpenVPN e para o servidor de Apache.
Decidimos utilizar apenas três máquinas virtuais: o cliente (ou \textit{road warrior}),
a \textit{gateway} que utiliza OpenVPN e um servidor interno com OpenSSL e Apache.
Isto simplifica a elaboração do projecto, mas por razões de segurança poderia querer
separar a máquina de OpenSSL de outras máquinas destinadas a serviços da rede interna,
pois esta contém o \textit{certificate authority} (CA).
% Ambos o OpenVPN eo servidor Apache utilizam 2FA,
% recebendo o utilizador, e uma password que é uma concatenação da palavra-passe do utilizador
% e de uma password temporária (TOTP) de 6 dígitos. O servidor de Apache implementa a mesma autenticação.
\begin{tabular}{l l l}
{\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule
Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\
VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\
OpenSSL / Apache & VM\_OPENSSL\_APACHE.sh & Rede Interna 10.60.0.0/24 \\
\end{tabular}
\section{Preparação Inicial}
\subsection{Criação de Certificados}
Os certificados utilizados foram auto-certificados por uma autoridade central que ``pertence''
à máquina de OpenSSL. Esta mesma faz a gestão da lista de revogação.
Todas as chaves foram criadas no mesmo computador, com as variáveis que estão
neste código. Aspetos importantes para mais tarde serão os parâmetros de Comon Name (CN)
pois servem para a validação do certificado ambos pelo OpenSSL e pelo browser.
Nós optamos por assumir que num cenário real, teríamos acesso físico às máquinas, por isso em vez
de utilizar, por exemplo SCP ou FTP, escolhemos partilhar os ficheiros a partir da máquina host. No entanto, outra abordagem também estaria correta.
\begin{codeblock}[bash]{create\_all\_keys.sh}
cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
openssl genrsa -out "ca.key" 2048
openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
openssl genrsa -out "vpn.key" 2048
openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
openssl dhparam -out "dh2048.pem" 2048
openvpn --genkey secret "ta.key"
openssl genrsa -out user.key
openssl req -new -key user.key -out user.csr -subj "$cert_user"
openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
openssl genrsa -out apache.key
openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
openssl --genkey secret ta.key
\end{codeblock}
Como o CA foi criado ``\textit{in place}'', e não na sua pasta prédefinida, foi necessário utilizar
um configuração própria para definir os ficheiros \textit{index.txt} e \textit{serial}.
\begin{codeblock}[bash]{cheese.cfg}
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 365
database = index.txt
serial = serial
copy_extensions = copy
new_certs_dir = .
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
\end{codeblock}
\subsection{Configuração geral}
Para evitar repetição e redundancia; e para garantir consistencia na elaboração do projeto criamos varios shell scripts, um destinado a cada maquina virtual.
Para configurar as VMs era preciso introduzir os mesmos comandos várias vezes, o que levava muitas vezes a erros de escrita,
ou a correr o mesmo comando várias vezes, por isso criamos vários ficheiros .sh para conseguir facilitar o processo.
A utilização de ficheiros .sh também vem com outros positivos pois facilita a testagem, e a recriação do cenário rapidamente.
No entanto para os serviços que configuramos, instalar, desativar e dar flush às iptables não foi suficiente, tivemos que criar
pastas e sincronizar os relógios de todas as VMs visto que elas estarem ligeiramente atrasadas nunca conseguíamos acertar na
password do google-authenticator visto que utiliza o tempo local para calcular a sua chave.
\begin{codeblock}[bash]{VM\_CONFIG.sh}
yum install -y epel-release
yum install -y openvpn iptables-services dhcp-client
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl enable iptables
iptables -F
CA_DIR="/etc/pki/CA"
mkdir -p "${CA_DIR}/newcerts"
mkdir -p "${CA_DIR}/private"
touch "${CA_DIR}/index.txt"
cp ca/serial "${CA_DIR}/serial"
mkdir -p /etc/openvpn/server
mkdir -p /etc/openvpn/client
# NOTE(vasco): tive problemas com a sincronizacao de tempo
# se nao tiver sincronizado, o TOTP nao funciona
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd
\end{codeblock}
\section{VPN Gateway}
\subsection{Configuração da Máquina}
Como já foi dito anteriormente, cada máquina vem com um \textit{script}
que instala toda a configuração necessária.
Para que a gateway funcione como router entre a rede externa e a rede interna,
foi necessário ativar o \textit{IP forwarding} no kernel e configurar as regras
de \textit{iptables} para permitir o tráfego da VPN e realizar o mascaramento
de IP (NAT).
% NOTA(vasco): Não temos regras de DROP a packets
% talvez deviamos mudar isso nao sei <- não diz nada no enunciado ¯\_(ツ)_/¯
% também o trabalho não é sobre ip tables por isso it does make sense não fazer drop
%e utilizar as regras apenas para encaminhar corretamente.
% Colocar isso na conclusão tho
\begin{codeblock}[bash]{VM\_VPN\_GATEWAY.sh}
#!/bin/bash
# --- configuracao --- #
source VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec
# --- forwarding --- #
if_fora="enp0s8"
ip_fora="193.136.212.1"
if_dentro="enp0s9"
ip_dentro="10.60.0.3"
mega_tunel="tun0"
ip_mega_tunel="10.8.0.0/24"
ifconfig $if_fora $ip_fora netmask 255.255.255.0
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
# --- vpn server --- #
vpn_dir="/etc/openvpn/server"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/vpn.key $vpn_dir
cp ca/vpn.crt $vpn_dir
cp ca/dh2048.pem $vpn_dir
cp conf/vpn.conf $vpn_dir
cp conf/ocsp-verify.sh $vpn_dir
cp conf/totp /etc/pam.d/
# --- utilizador --- #
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
openvpn --config /etc/openvpn/server/vpn.conf
\end{codeblock}
\subsection{Configuração do Serviço OpenVPN}
O servidor OpenVPN utiliza um certificado X.509 assinado pelo nosso \textit{Certificate Authority} (CA).
E faz uso de um script \texttt{oscp-verify.sh} para validar ou revogar os certificados através do servidor OCSP.
\begin{codeblock}{vpn.conf}
local 193.136.212.1
port 1194
proto udp
dev tun
verb 4
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn.crt
key /etc/openvpn/server/vpn.key
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.60.0.0 255.255.255.0"
# ocsp and revocation
script-security 2
tls-verify /etc/openvpn/server/ocsp-verify.sh
# auth
cipher AES-256-GCM
auth SHA256
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
tls-auth /etc/openvpn/server/ta.key 0
\end{codeblock}
Foi criado o ficheiro \texttt{totp} com a configuração de autenticação a
ser utilizada pelo plugin de PAM para o openvpn.
\begin{codeblock}{totp}
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_unix.so
\end{codeblock}
Este script simplesmente comunica com o servidor OpenSSl
e verifica o resultado.
\begin{codeblock}{ocsp\_verify.sh}
#!/bin/bash
depth=$1
if [ "$depth" -eq 0 ]; then
if [ -n "$tls_serial_0" ]; then
# e preciso converter o serial para hexadecimal porque o openssl espera em hex
hex_serial=$(printf '%x' "$tls_serial_0")
status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
if echo "$status" | grep -q "good"; then
exit 0 # sucesso
fi
exit 1 # revogado ou nao encontrado
fi
exit 1
fi
\end{codeblock}
\subsection{Erros}
Um dos erros que encontramos pelo caminho foi que o OpenSSL OCSP espera que o
\textit{serial} esteja num formato diferente do que o esperado. Foi necessário
converter para hexadecimal primeiro.
Adicionalmente, devido às restrições de segurança do \textit{systemd},
tentamos desativar o \texttt{ProtectHome} no serviço do OpenVPN
para que o plugin PAM consiga ler os ficheiros de segredo do Google Authenticator
localizados nas diretorias \textit{home} dos utilizadores. Mas isto não
foi suficiente, por isso acabamos por correr os serviços pela linha
de comandoos.
\subsection{Configurar o utilizador com TOTP}
Primeiro, na gateway, entramos como o utilizador desejado e obtemos a chave
do gerador de palavras passes temporárias. Ao inserir a chave no
\texttt{google authenticator} podemos obter um código QR, a nossa primeira
chave de 6 dígitos.
\begin{figure}[h]
\centering
\includegraphics[width=8em]{google-authenticator}
\end{figure}
\begin{codeblock}[bash]{}
su john
google-authenticator
\end{codeblock}
\section{VPN Client (Road Warrior)}
\subsection{Configuração da Máquina}
Para a configuração da Máquina, configuramos o edereço, o default gateway e adicionamos apache aos Hosts:
\begin{codeblock}{VM\_ROAD\_WARRIOR.sh}
#!/bin/bash
# --- configuracao --- #
source VM_CONFIG.sh
ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
route add default gw 193.136.212.1
if ! grep -q "apache" /etc/hosts; then
echo "10.60.0.1 apache" >> /etc/hosts
fi
# --- vpn client --- #
vpn_dir="/etc/openvpn/client/"
cp ca/ta.key $vpn_dir
cp ca/ca.crt $vpn_dir
cp ca/user.key $vpn_dir
cp ca/user.crt $vpn_dir
cp conf/client.conf $vpn_dir
openvpn --config "${vpn_dir}/client.conf"
\end{codeblock}
% Esta configuração foi necessaria, porque sem edereço a VM não conseguia-se identificar na rede. Sem o default gateway
% os edereços desconhecidos seriam enviados para a porta da internet, e adicionamos apache aos Hosts para que fosse igual
% ao domain para não haver erros.
%(I dunno about this Apache part??) Also sinto que ainda precisa de mais um bocado.
Também foram movidos os certificados e chaves necessarias para as pastas do serviço openvpn, para que o Road Warrior
consiga comunicar e ser validado pela gateway.
\subsection{Configuração do Cliente OpenVPN}
O cliente encontra-se na rede externa (\texttt{193.136.212.10}) e liga-se à VPN
gateway na porta 1194. Para garantir a segurança, utilizamos autenticação mútua (os certificados X.509)
e um \textit{two factor authentication} (2FA) como palavras-passe temporárias, geradas através do
\textit{Google Authenticator}.
\begin{codeblock}{client.conf}
client
dev tun
proto udp
remote 193.136.212.1 1194
ca ca.crt
cert user.crt
key user.key
auth-user-pass
cipher AES-256-GCM
auth SHA256
\end{codeblock}
\subsection{Testes}
Para verificar que a autenticação foi corretamente implementada, inserimos a password de um utilizador sem os digitos do TOTP, e identificamos que utilizar somente a password não é suficiente para autenticar. Igualmente ao utilizar ambos a autenticação é bem sucedida.
Para verificar que o tunel foi estabelecido, primeiro corremos na linha de comandos \texttt{ip a}. Observamos a existencia de uma nova interface tun0, ou seja o tunel foi corretamente establecido. Depois demos ping ao route e depois ao servidor interno, que resultou em pacotes devolvidos para ambos.
% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
% TODO: erros ortograficos lol
Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o
cliente e o servidor já estavam correctamente configurados.
Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
\section{Servidor Apache e OCSP}
Para a configuração da ultima maquina, temos o OpenSSL e Apache no mesmo servidor, por isso temos de configurar
as pastas necessarias, os utilizadores do serviço, configurar os edereços e uma route:
\begin{codeblock}{VM\_OPENSSL\_APACHE.sh}
#!/bin/bash
# configuracao
source VM_CONFIG.sh
sudo yum install -y epel-release
sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator
sudo yum install -y mod_session
# utilizador
id -u john &>/dev/null || useradd john
echo "password" | passwd --stdin john
if_dentro="enp0s8"
ip_dentro="10.60.0.1"
ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
# route de volta para comunicar com o warrior
route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
cp conf/openssl.cnf /etc/pki/tls/
# copiar ca para esta VM
cp ca/index.txt $CA_DIR
cp ca/ca.crt $CA_DIR
cp ca/ca.key $CA_DIR
cp ca/serial $CA_DIR
cp ca/dh2048.pem $CA_DIR
# correr oscp
killall openssl 2>/dev/null
openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
# apache
mkdir -p /etc/httpd/ssl
cp ca/ca.crt /etc/httpd/ssl/
cp ca/apache.crt /etc/httpd/ssl/
cp ca/apache.key /etc/httpd/ssl/
cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
cp conf/httpd.conf /etc/httpd/conf/httpd.conf
cp conf/httpd-totp /etc/pam.d/httpd-totp
echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
cp -r www/* /var/www/html/
chown -R apache:apache /var/www/html/
httpd -X
\end{codeblock}
\subsection{Configuração da Máquina}
Como já referimos a Máquina tem ambos o serviço OpenSSL e Apache, por isso vai precisar de dois .conf files para
configurar-los. O httpd.conf tem as portas e modulos enquanto o ssl.conf tem a configuração da autenticação mútua, e o OCSP:
\begin{codeblock}{httpd.conf}
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule mpm_event_module modules/mod_mpm_event.so
User apache
Group apache
Listen 80
Listen 443
Include conf.d/*.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
\end{codeblock}
\begin{codeblock}{ssl.conf}
<VirtualHost *:443>
ServerName 10.60.0.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
# mutual authentication
SSLVerifyClient require
SSLVerifyDepth 1
# ocsp validation
SSLOCSPEnable on
SSLOCSPDefaultResponder "http://10.60.0.1:8888"
SSLOCSPOverrideResponder on
SSLOCSPUseRequestNonce off
# session management
Session On
SessionCookieName session path=/;HttpOnly;Secure
# proteger
<Location "/">
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
AuthFormLoginRequiredLocation "/login.html"
Require valid-user
</Location>
# public login page
<Location "/login.html">
AuthType None
Require all granted
</Location>
# login handler
<Location "/dologin">
SetHandler form-login-handler
AuthType Form
AuthName "Coimbra VPN"
AuthFormProvider PAM
AuthPAMService httpd-totp
Require all granted
AuthFormLoginSuccessLocation "/index.html"
AuthFormLoginRequiredLocation "/login.html?error=1"
</Location>
# logout handler
<Location "/logout">
SetHandler form-logout-handler
AuthFormLogoutLocation "/login.html?loggedout=1"
</Location>
</VirtualHost>
# redirect para https
<VirtualHost *:80>
ServerName 10.60.0.1
Redirect permanent / https://10.60.0.1/
</VirtualHost>
\end{codeblock}
\subsubsection{Testes}
\begin{itemize}
\item \textbf{Domínio:} Verificou-se que o acesso só é permitido utilizando o endereço correto, pois se for inserido outro dominio, não é direcionado para o site do Apache.
\item \textbf{Redirecionamento HTTPS:} Ao testar quando colocamos http, e o dominio certo, era redirecionado para https.
\item \textbf{Autenticação com o Certificado:} O acesso foi negado ao apresentar certificados inválidos ou ausentes no browser, devolvendo um erro com sobre não conseguir establecer connexão porque falta de certificado.
\end{itemize}
Para testar o OCSP, fizemos os seguintes paços:
\begin{enumerate}
\item Estabelecer a ligação VPN e verificar a conectividade à rede interna.
\item No diretório da autoridade de certificação (máquina \textit{host}), revogar o certificado do utilizador:
\begin{codeblock}[bash]{revoke.sh}
openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
\end{codeblock}
\item Atualizar o ficheiro \texttt{index.txt} no servidor OCSP e reiniciar o serviço para carregar o novo estado de revogação.
\item Tentar estabelecer uma nova ligação VPN e verificar que a autenticação falha devido à resposta \texttt{revoked} do responder OCSP.
\end{enumerate}
\section{Teste Integrado}
Para validar, efetuámos um teste integrado englobando todos os requisitos:
\begin{enumerate}
\item Começamos por iniciar todas as máquinas com os devidos \textit{scripts}.
\item Na máquina \textit{Road Warrior}, iniciámos a ligação OpenVPN com o utilizador, a sua password e o \textit{token} TOTP.
\item O \textit{Gateway} OpenVPN verifica as credenciais e verifica o certificado cliente contra o servidor OCSP.
\item Antes de acedermos ao firefox, temos que verificar que já adicionámos a nossa a nossa CA e o certificado \texttt{p12}.
\item Através do túnel VPN, acedemos agora ao endereço \texttt{https://apache.coimbra} no browser.
\item O servidor Apache solicitou o certificado X.509 do utilizador e validou a sua autenticidade e estado de revogação no OCSP.
\item Finalmente, o Apache apresentou a página de login, onde inserimos as credenciais e o código TOTP.
\end{enumerate}
\section{Conclusão}
Atingimos o objetivo deste trabalho: conseguimos configurar o túnel VPN,
o \textit{two-factor authentication} em múltiplos serviços, e conseguimos gerir o ciclo de vida dos
certificados emitidos através de uma CA própria e OCSP. Utilizar mais máquinas para simular um cenário
maior seria redundante e apenas exigiria a emissão de mais certificados, não acrescentando muito ao nível de aprendizagem.
Aplicando conhecimentos de trabalhos anteriores,
poderíamos aplicar políticas mais restritas nas \textit{iptables} (ex: regras de DROP aos pacotes indesejados),
e implementar ferramentas como o Suricata para identificar possíveis anomalias e ataques aos serviços.
\end{document}

19
assignment2/relatorio/relatorio.toc
View File

@@ -1,19 +0,0 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introdução}{3}{section.1}%
\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}%
\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}%
\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}%
\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}%
\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}%
\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}%
\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}%
\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}%
\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}%
\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}%
\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}%
\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}%
\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}%
\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}%
\contentsline {subsubsection}{\numberline {5.1.1}Testes}{12}{subsubsection.5.1.1}%
\contentsline {section}{\numberline {6}Teste Integrado}{13}{section.6}%
\contentsline {section}{\numberline {7}Conclusão}{13}{section.7}%

64
assignment2/relatorio/style.sty
View File

@@ -1,64 +0,0 @@
\usepackage[margin=1in]{geometry}
\usepackage{raleway}
\renewcommand{\familydefault}{\sfdefault}
\usepackage{ulem}
\usepackage{wrapfig}
\usepackage{graphicx,tabularx,booktabs}
\usepackage{paracol}
\usepackage[dvipsnames]{xcolor}
\usepackage{enumitem,amssymb}
\usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
\graphicspath{{./img/}}
\usepackage{enumitem,amssymb}
\newlist{todolist}{itemize}{2}
\setlist[todolist]{noitemsep, topsep=0pt,label=$\square$}
\usepackage{pifont}
\usepackage{amssymb}
\usepackage[most]{tcolorbox}
\tcbuselibrary{listings, skins, breakable}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2,
commentstyle=\color{gray},
keywordstyle=\color{MidnightBlue}\bfseries,
stringstyle=\color{ForestGreen}
}
\newtcblisting{codeblock}[2][]{
enhanced,
breakable,
colback=gray!2!white,
colframe=gray!20!black,
attach boxed title to top left={yshift*=-\tcboxedtitleheight/2, xshift=4mm},
boxed title style={
colback=gray!20!black,
outer arc=0pt,
arc=0pt,
top=1pt,
bottom=1pt,
},
fonttitle=\bfseries\ttfamily\footnotesize,
title={#2},
listing only,
listing options={
style=mystyle,
language=#1,
}
}
\setlength{\parskip}{1em}%
\setlength{\parindent}{0em}%

BIN
assignment2/user.p12
View File

Binary file not shown.

13
assignment2/www/index.html
View File

@@ -1,13 +0,0 @@
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Coimbra VPN</title>
</head>
<body>
<h1>Coimbra VPN</h1>
<p>Lorem ipsum dolor, sit amet consectetur adipisicing elit.
Minima porro unde praesentium sint itaque optio, deserunt eum est voluptatum, natus nihil repellat amet impedit? Fugiat fugit ex quis molestiae sit.</p>
</body>
</html>

25
assignment2/www/login.html
View File

@@ -1,25 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Coimbra VPN</title>
</head>
<body>
<h1>Two-Factor Auth</h1>
<p>Enter your UNIX credentials and TOTP code</p>
<form action="/dologin" method="POST">
<label for="username">Username</label>
<input type="text" id="username" name="httpd_username" placeholder="username">
<br>
<label for="password">UNIX Password (password + 6 digit TOTP)</label>
<input type="password" id="password" name="httpd_password" placeholder="password + TOTP" required>
<button type="submit">Login</button>
</form>
</body>
</html>

65
chave-pgp-do-rogerio.txt
View File

@@ -1,65 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.1
mQGNBGmLZjwBDACvUK1m3UikneSbyYrP0vbHMz3Dt5u0+1+/UoFHKrcIF0TeLMmeOL6s3iRW
JoSuB0YEmiO01BMEtUHC3Bt6/fu1TjMTLGEwo4dltw/hakvjELfpKPecIo7NAX1XCmiw7f+M
2kTfRXGlu0F0kKc+AD+xPC0tunfpacPX/xGtquPz0xp2XbKktNkj8NoUBO7BRtwrfjBXL7ZV
irlVofs6j7w8Ka9SRtP8GLqsW+LFDQrbsDM2exvp7u61mKvTpuafOUqkqIIrXw4aDOIxjwON
gjunZ4k38kZADxR+uzzwNFnn15qtLNECUMpOJDPplBDg0uVRQjn1BJ44AkcdwLM3unMp9BvO
8DKg2Q6kmd5+qu3OH+BVaqDAD+5sED/LC+QGeTIEHGNbTP3hs6dGyeCcNQnORvn5JoMImUk0
mmV/KV+qpGhi9PSxN44Kau4fWsaWIO33w1vMSnPf/s77dBT0uLT45G/1/b1N3WbD6eKTt+iC
/+Ovp+MmWv6Fd2fPXEvwedUAEQEAAbQeUm9nZXJpbyBDIDxyb2djb3N0YUBkZWkudWMucHQ+
iHUEEBYKAB0WIQTzZrv2P/XfDSKZTqn605rfvJqhwQUCaZMIVAAKCRD605rfvJqhwW/8AQDq
k4kNVJOuOjHiq+F9K7X/QFJp3+z109x/ZpVGtP6aGgD6AlzWjGubsavImEMVN9QKr7tYEOWy
NHldePm87lnDuQSJAbMEEAEIAB0WIQSORfJtzGpnilRlTysk/REF2WdojAUCaZL1XwAKCRAk
/REF2WdojPPkC/40CesTUAcCnvKe/UHTbn483zcW8RSsXRzQZDE4iaOZQ2jCS9uzT+SaVNy5
J8n3PNfghq19yZeyfWZrBHQBCqFwEvYqXZ/z1Qmz8wFvtDX+B5o15kuGO28/epXR7iqx/v53
+le7VmuBR6ri2kq6uT1xzotd6NYcmZpRprnzaGvCUWtuPWhG7SHjZ1TZIJuJ5cmGG8bq/wu/
n+fcSwa3evCUR0ErkqpcC+Z9Ll8wGuSioov5A3B9UW+QWoC68VyC53RSyanNAYI3czJu5Ltq
qXNxOv1xC1gew8FvBuxCF/3z++h2W+E5HO02zRwtqglr5ZBr4UmI0E4s8xWq0DWBU+iLwwXq
GVNZFiJ+fNVHW6cu4deMOMVNrGJlVmlki+GkIFanlrVOwWq2+vsJFYYvHa5zBwjRRqhK5tRk
OOa0qD3KLsCzKpiCSNb+g7TEjHqmpB/h3/MFf5mVlIiOnGYTDWBlMwZLllpLMc/3/mFm5nfX
ofuPGl2BHUv0kdSKSa6QiEOJAbMEEAEIAB0WIQSTCl6/mmEFADoHYKEIKzRkXO0zjQUCaZMV
9QAKCRAIKzRkXO0zjZoDC/9fcB7uDf3QSrIGm+zO//sALNCe0FSOQ5Rn8ZzMOTn3HBI5i7ct
dZntTZuYFLa0HHWUxHBoCSwMnP5oNG91xpRTxsYpucFkKMljSiSKPgoOGxEaJDW2rK39CbzY
xDSa9bhnbXzLWn4laTI8n6iip95IWXuqfIqYc6jfVC3YOBg+8rJ8nAJr6CWIX/6k4bavKVQQ
4bWeuICqUlbNRhZF1BZtCPrFbrChcB+n7CqK0EGkOoySekMr/6VzwgNmuCa2m8Gi9YqzrLLd
AzPl0mfruNHhHLBrnM0rNMMOaR39/+0xSl6c3JcsQWmgBUM1lt0th1n/yKHJMM802IyQefhR
aJhg++xjP61vOLuJa7pb5UWiyupstKemX+8f6X970bvYPj0OaSwy4ewgxU2D5Paqd7qonnct
eYosMnB87ZfS67LcK6YRdqjJeThaQmFujta2hUM6ZczlqGaTsOmZ/GBxIvXGYBrcrnv4d6cj
nSGwXKKSHD2EWSNsxfIBILkQDEotD5uJAbMEEAEIAB0WIQS/yqosJXwrVXFgqQa1WXCyNLIK
ZQUCaZMSBAAKCRC1WXCyNLIKZeU7C/4t2QA7MGNJC+uDk4p/VMfqLFz4yoJOQmAyqI+jbJwn
T+cu2airiE74Nt77kEHjDzyD47LSGjsFe/ynK+Ey/9SeRrzA/NBngP919LW2nSwonfAIiDZ4
dHD/aeRVCdX6Ni6PY/dc5b5ztMEgu0XBlUtWMkrrPaTmiCQ1wX5IuxrSLwldbgA8ME2TZYh7
XQ1LUt1n15FipmdBaXxTK5FrqqWeLLxfPdntZVMQnh2nyaqAF6aEZBRj47UrcbJEIM399G8P
nVExdvOqcCi/CDY15BVBmx/EkWTnudta7fOQgiJiOJ3WLDXvMTEEG06I/dw+eZgGLwl7Ep/x
zrTP65tF032dxbNy1RONOijlj+l/NuOM7pFofx6yCzmRprbydyb9uM1ysRSV0GI1YW2krFzj
ZZosZvPB470svviF8adgIQBV5TZQCzWBY+Bc5gimpZwcWCI+ByQfRAimerOgPqz/r2jQglgP
u4PwnChSTrfNMKyAfpHIKgXAj2ar6X3IvHCkv/OJAdgEEwEIAEIWIQQ3eZDCVL86W7QFeUkd
N5xZDJkDjwUCaYtmPAIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ
HTecWQyZA49onAv9GbcIpT9a52ZfSLfoXUWAVsYrCwfPb6OG+7NwJXwUPf69gK2ZSWZLrcPl
7gLYKkWsQ2LS9Pb+kirfENk9Xvw+DMBk0KKlvsC3dOFl4srkdvuAoWvR4x5lCKBBusjM2ByR
kRtN68a3xhLrNIHF7uxFefMIyetCJhGl1Z4rgRzslFjsjeZqv5hs7lYBtodrKXvWOfyEvZRw
Zpibyu3v+6YgpZKdq/YQd/DNMBgCWJZOUvKbj/XiCVQ+zKBDEZpjM56TqSyqaTs7OyTXlZGX
WRYXbtOeEf5NFlUT57FetrSszStJKow7AlLBfPlcwFgDEEKNiLf0asfdnfHepR3MT5ULNdut
hLniGbN8HItqY94dipc0D2l3q/REY7VrsZa3vBmWdMecCLMDLO37CzIqjUO+tIGWOFhXpH86
ARRb3C4mi39aTk8XlAQ6nUctrQSHd+oRFKRqXznAGIHHo83L7z5XvRwZ/ehZww+h0QL4JEgm
Jaja3SZFkqf1/yGwT1EyqfVzuQGNBGmLZjwBDAC7UT7SgI/lKTAP5fyrDXDaIsVKCPZ0K+ui
BqR+Po765zZyuZnCd8IMaeGJZipa4Jc2HRBfb2t/4drDWChhjiMtSk2jA+Ke+z/Gg8yCskg2
aSjhiKb4dZkCWwg0+Avca3ad8F3G+pbP/aubTH2FydrJP0dQW7sPChKPEhDH83g4ek7w3CXs
tSLQ8f3orxxqNvDr3BuVK4Lej1zgXMhSUWcTNqFje1jUwG+V03FoHfvM67HTGmnOngu9fCX0
QbIc0x++zJg3MvPZ+hsSnJ3EemVMc5SMH/GCwIUTufEdpkCLmjETvCFT9JaVwBtgFvsF6adq
7JMD7wcogGMVXDqrWMONZJPhiLPK9AI57zi7a31AFJEfyMMaBT3io5KdzfM0LCkpI/VT/tsO
tM/adnID1cFt47WjeQQ0Ed0kH4fk91/wZaMAlgYeN2TSaYjb0v4RkSIWlYz2KyZ2XPaUtYyS
Md6CmOHchTUTJ9x/qvXD53FYjnkX309c1a9Z++76R+QU6IkAEQEAAYkBvAQYAQgAJhYhBDd5
kMJUvzpbtAV5SR03nFkMmQOPBQJpi2Y8AhsMBQkDwmcAAAoJEB03nFkMmQOPy/EL/2NTDXEI
6ZshBZgK1UOxIWLaKuK4LwMimz3IpfWH6E1acSV4oEn5S+kGCzCeWwbOqhjFP5YYlcN3IMJX
KddpFVn+LiN178qJZM+WxbJdRlc3n9+F2693zGMxmNtgjJ9TDCjar8nyoxWcpKXOtjxf204T
HZAq/r2l/NHvrqZ4KJ5RU5I1Gb43UcarxZHBHy6N1Z323Zt5UMgA3WWMeXB+r374IBg4g5/l
WCfhytvZtwVIDDERFMqpyikhlrOzLJQgVoPHUt7PCslvAaVlz1Mkj7JkF+gwizJ+zsCIkJ2Z
YYk5nfVtDf2xEasrZgs3XF6yhXKHIS1DyIELaLzr6UkLz0H/pwgjHGG9G6pcuMeuS4vR7MEE
7OssNRo43LjtGT9WglRhMqjqiqAIZUM6NFZ2AQQci5tOj3nNQQHovVaPm0PcC1fv99eMsDBX
o7LiabG3y38e2q2TzbNl7v3zTXimQKtYzoff6kGr9JnKr1pD/63qZlrTrVEq/SyMrKmWN3Aq
Rw==
=as3M
-----END PGP PUBLIC KEY BLOCK-----

85
conf/httpd.conf
View File

@@ -1,85 +0,0 @@
ServerRoot "/etc/httpd"
Listen 420
User apache
Group apache
Include conf.modules.d/*.conf
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted # Allow open access:
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
# reverse proxy for juice shop
ProxyRequests Off
ProxyPreserveHost On
<VirtualHost *:420>
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
# EnableMMAP off
# EnableSendfile on
IncludeOptional conf.d/*.conf
ServerAdmin jeevacation@gmail.com
# ServerName www.coimbravpn.com:420

BIN
enunciado.pdf
View File

Binary file not shown.

153
enunciado.txt
View File

@@ -1,153 +0,0 @@
FSI 2025/2026
Practical Assignment #3
1. Goals
Explore the WSTG (Web Security Testing Guide)1 web security testing guidelines.
Configure and explore the usage of ModSecurity reverse proxy as a WAF (Web Application Firewall)
2. General description
The main goals of this assignment are to explore web application security and to implement a web application firewall to
secure a web application against application-layer attacks. The web application to be used in this assignment is the OWASP
JuiceShop2 3. This assignment is split in two phases: the first phase is dedicated to exploring the security of the JuiceShop
web application, and the second phase aims at monitor, filter, and block HTTP traffic to the JuiceShop, through the
implementation of a WAF using ModSecurity, with the aim to address the security issues identified in the first phase. Figure
1 illustrates the two phases of the assignment, depicting the JuiceShop web server, the penetration testing client and the
WAF.
Figure 1 Security testing and WAF phases of the Assignment
1
WSTG with v42 is available at: https://owasp.org/www-project-web-security-testing-guide/
2
OWASP JuiceShop: https://owasp.org/www-project-juice-shop/
For this assignment, it is recommended to use the most recent version of the JuiceShop. At the time of writing this document it is v17.2.0
3
3. Phase 1 - Web application security testing
In this phase the goal is to explore web application security using the JuiceShop website following the relevant and applicable
WSTG web security testing guidelines, and for this purpose any security tools can be used. In this context, OWASP ZAP
and security tools already available in Kali Linux are particularly relevant. This web security testing phase is described in
Figure 1, where the client has direct communications to the web server. As part of your tests, the OWASP ZAP penetration
tests must, at least:
a. Perform an automated scan to the website.
b. Perform an active scan to the website (explore the most effective policies).
c. Manage add-on required to improve the test and maximize threats identification.
d. Perform a Fuzz attack to the login form.
e. Perform a manual penetration test to explore logged in threats.
f.
Configure OWASP ZAP active scan to explore authenticated area.
The JuiceShop application can be installed via source code or using docker, as follows:
Installation through source code in one of the virtual machines
Using a docker approach (requires Docker Desktop)
As a result of your tests, you should prepare a web application security report, structured along the WSTG guidelines. The
report must document the identified vulnerabilities and on how these can be exploited (e.g., weak passwords, insecure
configurations).
4. Phase 2 Setup and testing of a WAF (web application firewall)
Based on the web application security report produced in the first phase of the assignment, deploy an WAF between the
client and the web server, as depicted in Figure 1. The goals of this WAF are to monitor, filter, and block HTTP traffic to
the Juice Shop. This WAF server should be composed of an Apache 2 service with ModSecurity, and the WAF
configuration should be optimized to prevent all possible attacks.
As a result of this phase of the Assignment, you should repeat all penetration tests performed in the previous task and assess
the performance of the WAF in detecting and blocking the attacks. You should update the web application security report
accordingly, by including the configurations, description of the tests and performance results in a separate section.
5. Delivery of the Practical Assignment
2
The deadline for the delivery of the assignment (configuration files and report, via Inforestudante) is 31/5/2026.
Notes:
o
Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
o
Submissions via Inforestudante.
The delivery of the practical assignment can document aspects regarding the methodology of testing, the analysis of results
and can be structured as follows:
1) Introduction
2) Arquitecture considered for the PA#3 (for both scenarios 1 and 2)
- Network structure
- Servers
- Services
3) Web application security testing
1 Information Gathering
2 Configuration and Deployment Management Testing
3 Identity Management Testing
4 Authentication Testing
5 Authorization Testing
6 Session Management Testing
7 Input Validation Testing
8 Testing for Error Handling
9 Testing for Weak Cryptography
10 Business Logic Testing
11 Client Side Testing
4) Web application security firewall
1 Information Gathering
2 Configuration and Deployment Management Testing
3 Identity Management Testing
4 Authentication Testing
5 Authorization Testing
6 Session Management Testing
7 Input Validation Testing
8 Testing for Error Handling
9 Testing for Weak Cryptography
10 Business Logic Testing
11 Client Side Testing
5) Conclusions
3
6. Important/relevant aspects
The Web Application Security Testing document includes several sections, providing guidelines for testing. The guideline
applicable to this assignment is mainly in Section 4, which must be analysed carefully, since testing tools may be suggested in
each section.
The practical assignment targets black-box testing, which is according to OWASP in WSTG “the art of testing a system or
application remotely to find security vulnerabilities, without knowing the inner workings of the target itself”. Thus, in this
type of testing strategy we focus on tools such as web application security scanners, vulnerability scanners and penetration
testing software.
The following aspects are relevant in what respects the WSTG guidelines and structure:
1. Section 4.7 should be considered as a whole, which can be tested with OWASP ZAP or a similar tool. There are
some subsections, that do not apply in this assignment. For instance, the Juice Shop does not include any support
for LDAP, so subsection 4.7.6 “Testing for LDAP injection” does not require any action/testing.
2. Section 4.11 should be considered as a whole, which can be tested with OWASP ZAP or a similar tool.
3. Section 4.9 should not be considered since communications with Juice Shop are not over HTTPS.
4. Section 4.10 should not be considered as well, as it is out of scope of this assignment.
5. Other subsections are out of scope of this assignment, and students should identify these in the report (and explain
why). For instance. subsection 4.2.9, 4.2.10 and 4.2.11 are not applicable in this assignment.
Regarding the second phase of the work, with the Web Application Firewall, the following aspects should be considered:
1. The main goal of the project in the second phase is to enable detection and prevention of the issues identified in the
first phase. Nonetheless, all the detection and prevention actions must be possible using Apache and ModSecurity
(with OWASP CRS), no other tools should be considered for this purpose.
2. The issues identified Section 4.3 of WSTG cannot be detected and solved with ModSecurity (with OWASP CRS),
so no action is required. ModSecurity is a WAF that operates at the HTTP level — it analyzes HTTP requests and
responses and blocks traffic based on patterns (malicious payloads, suspicious headers, etc.). Identity Management
issues are application logic flaws, not attacks with detectable patterns in HTTP traffic.
4

13
assignment1/relatorio.aux → relatorio.aux
View File

@@ -5,9 +5,10 @@
\babel@aux{portuguese}{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {2}Firewall}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}Tests utilizados}{5}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusion}{5}{}\protected@file@percent }
\gdef \@abspage@last{5}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}External Network}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}Conclusion}{2}{}\protected@file@percent }
\gdef \@abspage@last{2}

137
assignment1/relatorio.log → relatorio.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17) 22 MAR 2026 22:27
This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17) 16 MAR 2026 16:24
entering extended mode
\write18 enabled.
%&-line parsing enabled.
@@ -89,80 +89,52 @@ LaTeX Info: Redefining \textulc on input line 49.
LaTeX Info: Redefining \oldstylenums on input line 163.
LaTeX Info: Redefining \textsw on input line 173.
)
(/usr/share/texmf-dist/tex/latex/listings/listings.sty
\lst@mode=\count273
\lst@gtempboxa=\box52
\lst@token=\toks19
\lst@length=\count274
\lst@currlwidth=\dimen143
\lst@column=\count275
\lst@pos=\count276
\lst@lostspace=\dimen144
\lst@width=\dimen145
\lst@newlines=\count277
\lst@lineno=\count278
\lst@maxwidth=\dimen146
(/usr/share/texmf-dist/tex/latex/listings/lstpatch.sty
File: lstpatch.sty 2024/09/23 1.10c (Carsten Heinz)
)
(/usr/share/texmf-dist/tex/latex/listings/lstmisc.sty
File: lstmisc.sty 2024/09/23 1.10c (Carsten Heinz)
\c@lstnumber=\count279
\lst@skipnumbers=\count280
\lst@framebox=\box53
)
(/usr/share/texmf-dist/tex/latex/listings/listings.cfg
File: listings.cfg 2024/09/23 1.10c listings configuration
))
Package: listings 2024/09/23 1.10c (Carsten Heinz)
LaTeX Font Info: Trying to load font information for OT1+EBGaramond-LF on in
put line 28.
put line 11.
(/usr/share/texmf-dist/tex/latex/ebgaramond/OT1EBGaramond-LF.fd
File: OT1EBGaramond-LF.fd 2023/03/19 (autoinst) Font definitions for OT1/EBGara
mond-LF.
)
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 12.0pt on input line 28.
(Font) scaled to size 12.0pt on input line 11.
(/usr/share/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
File: l3backend-pdftex.def 2024-05-08 L3 backend support: PDF output (pdfTeX)
\l__color_backend_stack_int=\count281
\l__pdf_internal_box=\box54
\l__color_backend_stack_int=\count273
\l__pdf_internal_box=\box52
)
(/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
\openout1 = `relatorio.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 28.
LaTeX Font Info: ... okay on input line 28.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 28.
LaTeX Font Info: ... okay on input line 28.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 28.
LaTeX Font Info: ... okay on input line 28.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 28.
LaTeX Font Info: ... okay on input line 28.
LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 28.
LaTeX Font Info: ... okay on input line 28.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 28.
LaTeX Font Info: ... okay on input line 28.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 28.
LaTeX Font Info: ... okay on input line 28.
\c@mv@tabular=\count282
\c@mv@boldtabular=\count283
\c@lstlisting=\count284
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
\c@mv@tabular=\count274
\c@mv@boldtabular=\count275
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 20.74pt on input line 29.
(Font) scaled to size 20.74pt on input line 12.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 14.4pt on input line 29.
(Font) scaled to size 14.4pt on input line 12.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <14.4> on input line 29.
(Font) <14.4> on input line 12.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <7> on input line 29.
(Font) <7> on input line 12.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 17.28pt on input line 30.
(Font) scaled to size 17.28pt on input line 13.
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 17.28pt on input line 30.
(Font) scaled to size 17.28pt on input line 13.
(/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.toc
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
@@ -183,62 +155,31 @@ LaTeX Font Info: External font `cmex10' loaded for size
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fonts
/enc/dvips/ebgaramond/ebg_dacnth.enc}]
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2024/09/23 1.10c listings language file
)
(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2024/09/23 1.10c listings language file
)
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/m/n' will be
(Font) scaled to size 10.0pt on input line 37.
Overfull \hbox (7.49481pt too wide) in paragraph at lines 42--44
\OT1/EBGaramond-LF/m/n/12 As tr[]es re-des tem va-rios servi[]os, o DMZ tem dns
(23.214.219.130), mail(23.214.219.134),
[]
LaTeX Font Info: Font shape `OT1/EBGaramond-LF/b/n' will be
(Font) scaled to size 14.4pt on input line 45.
(Font) scaled to size 14.4pt on input line 19.
[2]
[3]
LaTeX Font Info: Font shape `OT1/cmtt/bx/n' in size <10> not available
(Font) Font shape `OT1/cmtt/m/n' tried instead on input line 93.
[4{/usr/share/texmf-dist/fonts/enc/dvips/cm-super/cm-super-ts1.enc}]
Overfull \hbox (23.24622pt too wide) in paragraph at lines 125--126
\OT1/EBGaramond-LF/m/n/12 Ao realizar-mos este pro-jeto apren-de-mos so-bre a c
ria[][]ao de sce-na-rios em VMs, a configura[][]ao
[]
[5] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
[2] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
***********
LaTeX2e <2024-11-01> patch level 2
L3 programming layer <2025-01-18>
***********
)
Here is how much of TeX's memory you used:
4439 strings out of 474546
72779 string characters out of 5749982
968296 words of memory out of 5000000
27469 multiletter control sequences out of 15000+600000
573916 words of font info for 59 fonts, out of 8000000 for 9000
2577 strings out of 474546
48289 string characters out of 5749982
436453 words of memory out of 5000000
25628 multiletter control sequences out of 15000+600000
572213 words of font info for 55 fonts, out of 8000000 for 9000
352 hyphenation exceptions out of 8191
57i,7n,99p,546b,1693s stack positions out of 10000i,1000n,20000p,200000b,200000s
57i,7n,65p,220b,231s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Bold.pfb></us
r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb></usr/s
hare/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt10.pfb></usr/share/texmf-dis
t/fonts/type1/public/cm-super/sftt1000.pfb>
r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb>
Output written on /home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/rela
torio.pdf (5 pages, 78451 bytes).
torio.pdf (2 pages, 42851 bytes).
PDF statistics:
42 PDF objects out of 1000 (max. 8388607)
26 compressed objects within 1 object stream
22 PDF objects out of 1000 (max. 8388607)
13 compressed objects within 1 object stream
0 named destinations out of 1000 (max. 500000)
1 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
relatorio.pdf Normal file
View File

Binary file not shown.

BIN
relatorio.synctex.gz Normal file
View File

Binary file not shown.

29
relatorio.tex Normal file
View File

@@ -0,0 +1,29 @@
\documentclass[12pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\title{Practical Assignment \#1}
\author{
João Neto -- \\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\tableofcontents
\newpage
\section{Introduction}
\section{Firewall}
Sigmasigmaboy123
\subsection{Packet fileter with NAT}
\subsection{Packet filtering without NAT}
\subsection{External Network}
\subsection{Internal Network}
\section{Intrusion Detection}
\section{Conclusion}
\end{document}

9
relatorio.toc Normal file
View File

@@ -0,0 +1,9 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introduction}{2}{}%
\contentsline {section}{\numberline {2}Firewall}{2}{}%
\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}%
\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}%
\contentsline {subsection}{\numberline {2.3}External Network}{2}{}%
\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}%
\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}%
\contentsline {section}{\numberline {4}Conclusion}{2}{}%

BIN
relatorio/imgs/email-invalido.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 21 KiB

BIN
relatorio/imgs/email-unique.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
relatorio/imgs/login-fuzzing.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 174 KiB

BIN
relatorio/imgs/sqlmap.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 270 KiB

BIN
relatorio/imgs/stack-trace.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 79 KiB

36
relatorio/relatorio.aux
View File

@@ -1,36 +0,0 @@
\relax
\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
\@nameuse{bbl@beforestart}
\catcode `"\active
\providecommand\hyper@newdestlabel[2]{}
\providecommand\HyField@AuxAddToFields[1]{}
\providecommand\HyField@AuxAddToCoFields[2]{}
\babel@aux{portuguese}{}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{3}{section.1}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {2}Architecture Considered for Both Stages}{3}{section.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Network structure}{3}{subsection.2.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Servers}{3}{subsection.2.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Services}{3}{subsection.2.3}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {3}Web application security testing}{4}{section.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Information Gathering}{4}{subsection.3.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuration and Deployment Management Testing}{4}{subsection.3.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{5}{subsection.3.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Authentication Testing}{7}{subsection.3.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.5}Authorization Testing}{7}{subsection.3.5}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.6}Session Management Testing}{7}{subsection.3.6}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{7}{subsection.3.7}\protected@file@percent }
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{8}{subsubsection.3.7.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{8}{subsection.3.8}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {3.9}Client Side Testing}{9}{subsection.3.9}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {4}Web Application Security Firewall}{10}{section.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Information Gathering}{10}{subsection.4.1}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{10}{subsection.4.2}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{10}{subsection.4.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{10}{subsection.4.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.5}Authorization Testing}{10}{subsection.4.5}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.6}Session Management Testing}{10}{subsection.4.6}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{10}{subsection.4.7}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{10}{subsection.4.8}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {4.9}Client Side Testing}{10}{subsection.4.9}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusions}{10}{section.5}\protected@file@percent }
\gdef \@abspage@last{10}

1
relatorio/relatorio.listing
View File

@@ -1 +0,0 @@
<img src="x" onerror="alert(localStorage.getItem('token'))">apple

1364
relatorio/relatorio.log
View File

File diff suppressed because it is too large Load Diff

27
relatorio/relatorio.out
View File

@@ -1,27 +0,0 @@
\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000c\000t\000i\000o\000n}{}% 1
\BOOKMARK [1][-]{section.2}{\376\377\000A\000r\000c\000h\000i\000t\000e\000c\000t\000u\000r\000e\000\040\000C\000o\000n\000s\000i\000d\000e\000r\000e\000d\000\040\000f\000o\000r\000\040\000B\000o\000t\000h\000\040\000S\000t\000a\000g\000e\000s}{}% 2
\BOOKMARK [2][-]{subsection.2.1}{\376\377\000N\000e\000t\000w\000o\000r\000k\000\040\000s\000t\000r\000u\000c\000t\000u\000r\000e}{section.2}% 3
\BOOKMARK [2][-]{subsection.2.2}{\376\377\000S\000e\000r\000v\000e\000r\000s}{section.2}% 4
\BOOKMARK [2][-]{subsection.2.3}{\376\377\000S\000e\000r\000v\000i\000c\000e\000s}{section.2}% 5
\BOOKMARK [1][-]{section.3}{\376\377\000W\000e\000b\000\040\000a\000p\000p\000l\000i\000c\000a\000t\000i\000o\000n\000\040\000s\000e\000c\000u\000r\000i\000t\000y\000\040\000t\000e\000s\000t\000i\000n\000g}{}% 6
\BOOKMARK [2][-]{subsection.3.1}{\376\377\000I\000n\000f\000o\000r\000m\000a\000t\000i\000o\000n\000\040\000G\000a\000t\000h\000e\000r\000i\000n\000g}{section.3}% 7
\BOOKMARK [2][-]{subsection.3.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000t\000i\000o\000n\000\040\000a\000n\000d\000\040\000D\000e\000p\000l\000o\000y\000m\000e\000n\000t\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 8
\BOOKMARK [2][-]{subsection.3.3}{\376\377\000I\000d\000e\000n\000t\000i\000t\000y\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 9
\BOOKMARK [2][-]{subsection.3.4}{\376\377\000A\000u\000t\000h\000e\000n\000t\000i\000c\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 10
\BOOKMARK [2][-]{subsection.3.5}{\376\377\000A\000u\000t\000h\000o\000r\000i\000z\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 11
\BOOKMARK [2][-]{subsection.3.6}{\376\377\000S\000e\000s\000s\000i\000o\000n\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 12
\BOOKMARK [2][-]{subsection.3.7}{\376\377\000I\000n\000p\000u\000t\000\040\000V\000a\000l\000i\000d\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 13
\BOOKMARK [3][-]{subsubsection.3.7.1}{\376\377\000T\000e\000s\000t\000i\000n\000g\000\040\000f\000o\000r\000\040\000S\000Q\000L\000\040\000I\000n\000j\000e\000c\000t\000i\000o\000n}{subsection.3.7}% 14
\BOOKMARK [2][-]{subsection.3.8}{\376\377\000T\000e\000s\000t\000i\000n\000g\000\040\000f\000o\000r\000\040\000E\000r\000r\000o\000r\000\040\000H\000a\000n\000d\000l\000i\000n\000g}{section.3}% 15
\BOOKMARK [2][-]{subsection.3.9}{\376\377\000C\000l\000i\000e\000n\000t\000\040\000S\000i\000d\000e\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 16
\BOOKMARK [1][-]{section.4}{\376\377\000W\000e\000b\000\040\000A\000p\000p\000l\000i\000c\000a\000t\000i\000o\000n\000\040\000S\000e\000c\000u\000r\000i\000t\000y\000\040\000F\000i\000r\000e\000w\000a\000l\000l}{}% 17
\BOOKMARK [2][-]{subsection.4.1}{\376\377\000I\000n\000f\000o\000r\000m\000a\000t\000i\000o\000n\000\040\000G\000a\000t\000h\000e\000r\000i\000n\000g}{section.4}% 18
\BOOKMARK [2][-]{subsection.4.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000t\000i\000o\000n\000\040\000a\000n\000d\000\040\000D\000e\000p\000l\000o\000y\000m\000e\000n\000t\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 19
\BOOKMARK [2][-]{subsection.4.3}{\376\377\000I\000d\000e\000n\000t\000i\000t\000y\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 20
\BOOKMARK [2][-]{subsection.4.4}{\376\377\000A\000u\000t\000h\000e\000n\000t\000i\000c\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 21
\BOOKMARK [2][-]{subsection.4.5}{\376\377\000A\000u\000t\000h\000o\000r\000i\000z\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 22
\BOOKMARK [2][-]{subsection.4.6}{\376\377\000S\000e\000s\000s\000i\000o\000n\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 23
\BOOKMARK [2][-]{subsection.4.7}{\376\377\000I\000n\000p\000u\000t\000\040\000V\000a\000l\000i\000d\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 24
\BOOKMARK [2][-]{subsection.4.8}{\376\377\000T\000e\000s\000t\000i\000n\000g\000\040\000f\000o\000r\000\040\000E\000r\000r\000o\000r\000\040\000H\000a\000n\000d\000l\000i\000n\000g}{section.4}% 25
\BOOKMARK [2][-]{subsection.4.9}{\376\377\000C\000l\000i\000e\000n\000t\000\040\000S\000i\000d\000e\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 26
\BOOKMARK [1][-]{section.5}{\376\377\000C\000o\000n\000c\000l\000u\000s\000i\000o\000n\000s}{}% 27

BIN
relatorio/relatorio.pdf
View File

Binary file not shown.

BIN
relatorio/relatorio.synctex.gz
View File

Binary file not shown.

265
relatorio/relatorio.tex
View File

@@ -1,265 +0,0 @@
\documentclass[11pt,a4paper]{article}
\usepackage[portuguese]{babel}
\usepackage[lining]{ebgaramond}
\usepackage{style}
\setlength{\parindent}{0em}
\setlength{\parskip}{2ex}
\title{Practical Assignment \#3}
\author{
João Neto -- 2023234004\\[1em]
Vasco Alves -- 2022228207
}
\begin{document}
\maketitle
\newpage
\tableofcontents
\newpage
\section{Introduction}
% FAZER EM ENGLISH??? O prof é BR temos que fazer em Brazileiro
Este trabalho tem como objetivo realizar testes de penetração numa aplicação
cobaia (o \textit{Juicebox}) desenhada para aprendizagem.
Este trabalho tem como objetivo utilizar o \textbf{WSTG} (Web security testing guide) e configurar um ModSecurity reverse proxy como uma \textbf{WAF}.
Para esse fim temos uma aplicação cobaia (o \textit{Juicebox}) desenhada para aprendizagem que vamos utilizar num ambiente controlado para aprender como descobrir vulnerabilidades (aplicando o \textbf{WSTG} e recorrendo ao \textbf{OWASP ZAP}) e prevenir antes do serviço estar online (elaborando uma \textbf{WAF}).
\section{Architecture Considered for Both Stages}
Utilizámos somente duas máquinas virtuais: um servidor a correr \textit{CentOS 9}
e um cliente a correr \textit{Kali Linux}. O servidor contém o serviço \textit{Apache},
que age como \textit{firewall} através do módulo \textit{ModSecurity}, e um servidor
\textit{Node.js} que aloja o \textit{Juicebox} --- a aplicação que vai servir de cobaia (\textit{dummy}).
% Vão ser realizadas duas etapas de testes: primeiro, sem WAF (\textit{Web Application Firewall})
% e com foco em explorar vulnerabilidades na aplicação; e, posteriormente, com uma WAF configurada para
% mitigar as várias vulnerabilidades que foram encontradas na etapa anterior.
% Para simular utilizámos \textit{Virtual Box}, como nos outros projetos, para criar as maquinas virtuais. O cenario que foi criado tem duas máquinas virtuais (servidor e cliente), e ambas as maquinas estão ligadas há mesma rede interna. O servidor vai ser executado numa das maquinas e vai ter o sistema operativo \textit{CentOS 9}, edereço 20.60.0.1, alojar um servidor \textit{Node.js} com o \textit{Juicebox} (a aplicação cobaia) na port 3000 e contém o seviço \textit{Apache} que através do módulo \textit{ModSecurity} funcionará como \textbf{WAF}. O cliente vai ser processado na maquina com o sistema operativo \textit{Kali Linux} e vai ter o edereço 20.60.0.2.
Com o ambiente criado foram realizadas duas etapas de testes:
\begin{itemize}
\item \texttt{Primeira etapa}: Explorar vulnerabilidades na aplicação que existem sem a \textbf{WAF}
\item \texttt{Segunda etapa}:Verificar que vulnerabilidades foram mitigadas da primeira etapa com o uso de uma \textbf{WAF} configurada.
\end{itemize}
Realisticamente estas etapas podiam continuar a repetir-se, até que estivessemos satisfeitos com o resultado, mas para o fim deste projeto estas etapas serão suficientes.
\subsection{Network structure}
\begin{itemize}
\item \textbf{Client (20.60.0.0/24)} Cliente.
\item \textbf{Server (10.60.0.0/24)} Apache+ModSecurity e JuiceShop.
\end{itemize}
\subsection{Servers}
\begin{itemize}
\item \textbf{10.60.0.1} Servidor CentOS 9 com WAF e aplicação JuiceShop.
\end{itemize}
\subsection{Services}
\begin{center}
\begin{tabular}{ll}
\toprule
Service & Port \\\midrule
NodeJS (JuiceShop) & 3000 \\
Apache (WAF) & 80 \\
\bottomrule
\end{tabular}
\end{center}
\section{Web application security testing}
\subsection{Information Gathering}
Utilizámos a política por omissão (\textit{default policy}) para a realização do \textit{Active Scan} através do OWASP ZAP. Com esta abordagem, obtivemos múltiplos alertas automáticos. De forma a priorizar a análise, investigamos as alertas principais com base no maior nível de risco e grau de confiança reportados pela ferramenta.
Para conseguir informação inicial realizamos um \textit{Active Scan} através do \textit{OWASP ZAP}, o policy utilizado para esse scan foi \textit{Default Policy}. Foi obtido vários aletas automáticos devido a esse scan e decidimos investigar as alertas principais com base no nível de risco e grau de confiança reportado pela ferramenta.
Adicionalmente, realizámos testes de infraestrutura utilizando ferramentas especializadas:
\begin{codeblock}{bash}
sqlmap -u "http://192.168.1.1:3000/rest/products/search?q=apple" -p q --level=5 --risk=3 --banner
\end{codeblock}
Ao executar o \textit{sqlmap}, descobrimos que o sistema de gestão de base de dados subjacente é o \textit{SQLite}.
Paralelamente, realizámos uma descoberta de ficheiros e diretórios através de técnicas de \textit{fuzzing} de URLs no OWASP ZAP recorrendo à lista de permissões da \textit{DirBuster}. Esta exploração revelou os seguintes endpoints publicamente expostos:
\begin{itemize}
\item \texttt{/ftp}: Servidor de armazenamento e transferência de ficheiros exposto.
\item \texttt{/metrics}: Métricas internas da infraestrutura expostas.
\item \texttt{/api-docs}: Documentação e esquemas estruturais da API.
\end{itemize}
\subsection{Configuration and Deployment Management Testing}
\subsubsection*{Enumerate Infrastructure and Application Admin Interfaces}
Identificámos e testámos o acesso ao endpoint \texttt{/api-docs} (\textit{Swagger UI}), validando que as interfaces de documentação interna do sistema e as definições da API estavam publicamente expostas sem qualquer tipo de controlo de acesso ou autenticação prévia.
\subsubsection*{Test HTTP Methods}
Testámos os métodos HTTP permitidos pelo servidor através do envio de pedidos \texttt{OPTIONS}. Verificámos que o servidor aceita métodos potencialmente perigosos ou desnecessários para utilizadores comuns em rotas específicas, expandindo a superfície de ataque da aplicação.
\subsubsection*{Test File Permission}
Analisámos as permissões de acesso no diretório \texttt{/ftp}. Verificámos que a falta de restrições rígidas ao nível do sistema de ficheiros permite a qualquer utilizador anónimo listar o conteúdo de diretórios estruturais e descarregar ficheiros não indexados na interface principal da aplicação.
\subsection{Identity Management Testing}
\subsubsection*{Test Role Definitions}
Efetuámos testes de manipulação de parâmetros do lado do cliente através das ferramentas de programador do navegador. Adicionámos manualmente os cookies \texttt{isAdmin} com o valor \texttt{true} e \texttt{role} com o valor \texttt{admin}. Após a atualização da página, não observámos qualquer escalonamento de privilégios, indicando que a aplicação não valida perfis administrativos com base nestes cookies específicos.
\subsubsection*{Test User Registration Process}
Utilizámos o OWASP ZAP para intercetar o tráfego de rede e definir um \textit{breakpoint} no pedido HTTP POST de registo de novos utilizadores. Modificámos o corpo do pedido JSON, injetando manualmente o parâmetro \texttt{"role":"admin"}:
\begin{codeblock}{json}
{
"email": "johnGomas@gmail.com",
"role": "admin",
"password": "password",
"passwordRepeat": "password",
"securityQuestion": {
"id": 2,
"question": "Mother's maiden name?",
"createdAt": "2026-05-30T12:28:33.216Z",
"updatedAt": "2026-05-30T12:28:33.216Z"
},
"securityAnswer": "poker"
}
\end{codeblock}
O servidor backend processou o pedido sem validar se o utilizador possuía autorização para definir o seu próprio perfil, o que resultou na criação bem-sucedida de uma conta com permissões totais de administrador (\textit{Mass Assignment Vulnerability}).
\subsubsection*{Testing for Account Enumeration and Guessable User Account}
Ao tentar registar um utilizador com o e-mail \texttt{admin@juice-sh.op}, verificámos que a aplicação devolve uma mensagem de erro explícita indicando que o e-mail já se encontra registado no sistema. Este comportamento confirma a vulnerabilidade de enumeração de contas, permitindo a um atacante mapear quais os e-mails válidos na plataforma.
\includegraphics[width=0.5\textwidth]{email-unique}
\subsubsection*{Testing for Weak or Unenforced Username Policy}
Após testar vários caracteres especiais no formulário de registo, criámos um utilizador com os seguintes dados nos campos de input:
\begin{itemize}
\item \textbf{E-mail:} \texttt{son'or1=1--@gmail.com}
\item \textbf{Nome/Campos Adicionais:} \texttt{<h1>STRONG}
\end{itemize}
A aplicação aceitou o registo sem validar a presença de carateres de injeção SQL ou tags HTML. Contudo, verificámos que é impossível efetuar login com esta conta posteriormente, uma vez que o processo de autenticação falha e resulta num erro genérico do tipo \texttt{[object Object]} no ecrã.
\includegraphics[width=0.5\textwidth]{email-invalido}
\subsection{Authentication Testing}
Realizámos testes de \textit{fuzzing} automatizado contra o formulário de login utilizando dicionários de credenciais. Identificámos que a aplicação não implementa mecanismos de bloqueio de conta (*Account Lockout*) ou limitação de taxa de pedidos (*Rate Limiting*), permitindo ataques contínuos de \textit{brute force}.
\subsection{Authorization Testing}
Testámos as permissões de acesso ao diretório \texttt{/ftp} e verificámos que o servidor está configurado para permitir nativamente apenas a visualização de ficheiros com as extensões \texttt{.md} e \texttt{.pdf}.
Seguidamente, explorámos falhas na validação de inputs através de uma injeção de \textit{Null Byte} codificado (\texttt{\%2500.md} ou \texttt{\%2500.pdf}). O ataque foi bem-sucedido e contornou a validação de extensões do servidor, garantindo o acesso e descarregamento de ficheiros confidenciais restritos: \texttt{encrypt.pyc} e \texttt{suspicious\_errors.yml}.
\subsection{Session Management Testing}
Identificámos que o cookie \texttt{token}, responsável por armazenar o identificador da sessão ativa do utilizador, possui a flag \texttt{HttpOnly} configurada como \texttt{false}. A ausência desta proteção significa que o token está totalmente exposto e pode ser lido por scripts do lado do cliente, tornando a sessão criticamente vulnerável a roubo por Cross-Site Scripting (XSS).
\subsection{Input Validation Testing}
\subsubsection*{Testing for Reflected Cross Site Scripting}
Durante a auditoria à barra de pesquisa de produtos, validámos a existência de uma vulnerabilidade de \textit{Reflected Cross-Site Scripting} (XSS) devido à ausência de higienização do input do utilizador.
\begin{enumerate}
\item \textbf{Injeção HTML:} Introduzimos o valor \texttt{<h1>apple} na pesquisa e verificámos que o resultado foi renderizado no navegador como um título estrutural, confirmando que o código HTML é injetado diretamente na página.
\item \textbf{Tentativa com Script Direto:} Inserimos o payload tradicional \texttt{<script>alert("someones gotta do it")</script>apple}. Esta tentativa não foi executada, demonstrando a presença de uma validação simples contra tags explícitas de script.
\item \textbf{Evasão com Evento de Erro:} Para contornar a restrição, injetámos uma tag de imagem com um caminho inválido acompanhado do manipulador de eventos \texttt{onerror}:
\begin{codeblock}{html}
<img src="x" onerror="alert('someones gotta do it')">apple
\end{codeblock}
O filtro falhou ao inspecionar este atributo e o navegador executou o código JavaScript com sucesso quando a imagem falhou o carregamento.
\end{enumerate}
\subsubsection{Testing for SQL Injection}
Adicionalmente, explorámos o mesmo parâmetro de pesquisa recorrendo ao \textit{sqlmap} para validar falhas de injeção SQL, conseguindo extrair com sucesso a estrutura de 22 tabelas da base de dados:
\begin{codeblock}{bash}
sqlmap -u "http://10.60.0.1:3000/rest/products/search?q=apple" -p q --dbms=sqlite --prefix="'%" --suffix="%'--" --tables --batch
[22 tables]
+-----------------------+
| Addresses |
| BasketItems |
| Baskets |
| Captchas |
| Cards |
| ChallengeDependencies |
| Challenges |
| Complaints |
| Deliveries |
| Feedbacks |
| Hints |
| ImageCaptchas |
| Memories |
| PrivacyRequests |
| Products |
| Quantities |
| Recycles |
| SecurityAnswers |
| SecurityQuestions |
| Users |
| Wallets |
| sqlite_sequence |
+-----------------------+
\end{codeblock}
Apesar de não ter sido detetado pelo active scan foi feito fuzzing nos detalhes de login para saber se estava vulneravel a esse tipo de ataques visto que existia essa vulnerabilidade noutros paremetros. Verificamos que de facto também estava vulneravel a SQL Injection, e que a resposta era a tabela com o
\subsection{Testing for Error Handling}
Ao tentar forçar o acesso a uma página ou ficheiro inexistente no servidor de ficheiros, como por exemplo na rota \texttt{/ftp/teste}, a aplicação falhou ao tratar a exceção de forma segura. Em vez de apresentar uma página de erro genérica (404), o servidor devolveu uma resposta detalhada expondo o \textit{stack trace} completo do ambiente \textit{Express.js}, revelando caminhos internos do sistema de ficheiros do servidor.
\includegraphics[width=\textwidth]{stack-trace}
\subsection{Client Side Testing}
Validámos que o token de sessão (JWT) do utilizador autenticado está armazenado diretamente no \texttt{localStorage} do navegador. Uma vez que o \texttt{localStorage} não possui mecanismos de proteção equivalentes à flag \texttt{HttpOnly} dos cookies, qualquer script executado no contexto da página consegue ler estes dados.
Utilizando a falha de XSS identificada anteriormente na barra de pesquisas, injetámos o seguinte payload direcionado:
\begin{codeblock}{html}
<img src="x" onerror="alert(localStorage.getItem('token'))">apple
\end{codeblock}
A execução deste vetor permitiu extrair o conteúdo do token diretamente do armazenamento local da vítima. Isto prova que um atacante pode automatizar a exfiltração destas informações e assumir a identidade de qualquer utilizador afetado sem necessitar de saber as credenciais de acesso de forma persistente.
\section{Web Application Security Firewall}
% Esta seccao sera preenchida com os resultados da Segunda Etapa (Com WAF ativada)
\subsection{Information Gathering}
\subsection{Configuration and Deployment Management Testing}
\subsection{Identity Management Testing}
\subsection{Authentication Testing}
\subsection{Authorization Testing}
\subsection{Session Management Testing}
\subsection{Input Validation Testing}
\subsection{Testing for Error Handling}
\subsection{Client Side Testing}
\section{Conclusions}
\end{document}

28
relatorio/relatorio.toc
View File

@@ -1,28 +0,0 @@
\babel@toc {portuguese}{}\relax
\contentsline {section}{\numberline {1}Introduction}{3}{section.1}%
\contentsline {section}{\numberline {2}Architecture Considered for Both Stages}{3}{section.2}%
\contentsline {subsection}{\numberline {2.1}Network structure}{3}{subsection.2.1}%
\contentsline {subsection}{\numberline {2.2}Servers}{3}{subsection.2.2}%
\contentsline {subsection}{\numberline {2.3}Services}{3}{subsection.2.3}%
\contentsline {section}{\numberline {3}Web application security testing}{4}{section.3}%
\contentsline {subsection}{\numberline {3.1}Information Gathering}{4}{subsection.3.1}%
\contentsline {subsection}{\numberline {3.2}Configuration and Deployment Management Testing}{4}{subsection.3.2}%
\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{5}{subsection.3.3}%
\contentsline {subsection}{\numberline {3.4}Authentication Testing}{7}{subsection.3.4}%
\contentsline {subsection}{\numberline {3.5}Authorization Testing}{7}{subsection.3.5}%
\contentsline {subsection}{\numberline {3.6}Session Management Testing}{7}{subsection.3.6}%
\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{7}{subsection.3.7}%
\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{8}{subsubsection.3.7.1}%
\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{8}{subsection.3.8}%
\contentsline {subsection}{\numberline {3.9}Client Side Testing}{9}{subsection.3.9}%
\contentsline {section}{\numberline {4}Web Application Security Firewall}{10}{section.4}%
\contentsline {subsection}{\numberline {4.1}Information Gathering}{10}{subsection.4.1}%
\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{10}{subsection.4.2}%
\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{10}{subsection.4.3}%
\contentsline {subsection}{\numberline {4.4}Authentication Testing}{10}{subsection.4.4}%
\contentsline {subsection}{\numberline {4.5}Authorization Testing}{10}{subsection.4.5}%
\contentsline {subsection}{\numberline {4.6}Session Management Testing}{10}{subsection.4.6}%
\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{10}{subsection.4.7}%
\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{10}{subsection.4.8}%
\contentsline {subsection}{\numberline {4.9}Client Side Testing}{10}{subsection.4.9}%
\contentsline {section}{\numberline {5}Conclusions}{10}{section.5}%

64
relatorio/style.sty
View File

@@ -1,64 +0,0 @@
\usepackage[margin=1in]{geometry}
\usepackage{raleway}
\renewcommand{\familydefault}{\sfdefault}
\usepackage{ulem}
\usepackage{wrapfig}
\usepackage{graphicx,tabularx,booktabs}
\usepackage{paracol}
\usepackage[dvipsnames]{xcolor}
\usepackage{enumitem,amssymb}
\usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
\graphicspath{{./imgs/}}
\usepackage{enumitem,amssymb}
\newlist{todolist}{itemize}{2}
\setlist[todolist]{noitemsep, topsep=0pt,label=$\square$}
\usepackage{pifont}
\usepackage{amssymb}
\usepackage[most]{tcolorbox}
\tcbuselibrary{listings, skins, breakable}
\lstdefinestyle{mystyle}{
basicstyle=\ttfamily\footnotesize,
breakatwhitespace=false,
breaklines=true,
captionpos=b,
keepspaces=true,
numbers=left,
numbersep=5pt,
showspaces=false,
showstringspaces=false,
showtabs=false,
tabsize=2,
commentstyle=\color{gray},
keywordstyle=\color{MidnightBlue}\bfseries,
stringstyle=\color{ForestGreen}
}
\newtcblisting{codeblock}[2][]{
enhanced,
breakable,
colback=gray!2!white,
colframe=gray!20!black,
attach boxed title to top left={yshift*=-\tcboxedtitleheight/2, xshift=4mm},
boxed title style={
colback=gray!20!black,
outer arc=0pt,
arc=0pt,
top=1pt,
bottom=1pt,
},
fonttitle=\bfseries\ttfamily\footnotesize,
title={#2},
listing only,
listing options={
style=mystyle,
language=#1,
}
}
\setlength{\parskip}{1em}%
\setlength{\parindent}{0em}%

21
relatorio/texput.log
View File

@@ -1,21 +0,0 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3) 29 MAY 2026 20:43
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
**
! Emergency stop.
<*>
End of file on the terminal!
Here is how much of TeX's memory you used:
4 strings out of 469495
118 string characters out of 5470099
433756 words of memory out of 5000000
28764 multiletter control sequences out of 15000+600000
627721 words of font info for 40 fonts, out of 8000000 for 9000
16 hyphenation exceptions out of 8191
0i,0n,0p,1b,6s stack positions out of 10000i,1000n,20000p,200000b,200000s
! ==> Fatal error occurred, no output PDF file produced!

BIN
ucstudent/PL-ModSecurity installation notes_CentOS.pdf
View File

Binary file not shown.

BIN
ucstudent/PL-Practical Exercises #5-resolution notes.pdf
View File

Binary file not shown.

BIN
ucstudent/PL-Practical Exercises #5.pdf
View File

Binary file not shown.

BIN
ucstudent/PL-Practical Exercises #6-resolution notes.pdf
View File

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More