Authentication and Authorization

The lab program focuses on teaching students about authentication and authorization techniques, including brute-force attacks, Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC). Students will gain hands-on experience with tools like Kali Linux and Metasploitable to test and secure systems. The program emphasizes the importance of strong security practices and the principle of least privilege in managing user access.

Uploaded by Manohar TV

Lab Program on Authentication and Authorization

Lab Overview

- Authentication: Verifying the identity of users or systems (username/password, biometrics, MFA).
- Authorization: Once authenticated, determining what resources a user can access (Role-Based Access Control, ACLs).

Objective

By the end of this lab, students will:

1. Learn to perform authentication testing (brute-force, MFA).
2. Understand how to manage user access using Role-Based Access Control (RBAC).
3. Secure systems by enforcing proper authorization techniques.

Tools Required

1. Kali Linux (for penetration testing tools like Hydra and Metasploit).
2. Ubuntu or any Linux distribution (for setting up the target machine).
3. Metasploitable (a vulnerable machine to test against).
4. Google Authenticator (for setting up Multi-Factor Authentication).
5. Wordlists (e.g., RockYou for brute-forcing passwords).

Pre-Lab Setup

1. Install Kali Linux (VM or physical machine).
2. Install Target System: Set up an Ubuntu or Metasploitable VM for testing authentication and authorization.
3. Networking: Ensure all systems are on the same network for testing.

Step 1: Understanding Authentication Mechanisms

1.1 Authentication with Brute-Force Attack (Hydra)

- Objective: Simulate a brute-force attack to test the strength of a system's authentication.

1. Start Kali Linux and open a terminal.
2. Use Nmap to identify open SSH ports on the target system (e.g., Metasploitable or Ubuntu):

nmap -p 22 <target-ip>

3. Install Hydra on Kali Linux (if it's not pre-installed):

sudo apt install hydra

4. Run Hydra to perform a brute-force attack on SSH (assuming the target is Metasploitable with IP 192.168.1.5):

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.5

   Explanation:
   - -l root: Attempts to log in using the root username.
   - -P /usr/share/wordlists/rockyou.txt: Uses the RockYou wordlist for password guesses.
   - ssh://192.168.1.5: The target IP address for the SSH service.
5. Outcome: Hydra will attempt various passwords from the wordlist until it finds a
match. If successful, it will display the correct login credentials:

[22][ssh] host: 192.168.1.5 login: root password: 123456

6. Discussion: Discuss the importance of using strong passwords and the risks of weak
password authentication.
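The defender's side of the Hydra run above, as an added example that is not part of the lab: Python that flags the burst of failed SSH logins such a run leaves in the target's auth log. The log lines are constructed to resemble Ubuntu's /var/log/auth.log, and the failure threshold and time window are assumptions to tune for your environment.

```python
# Added example, not part of the lab handout: detect the server-side trace of the
# Hydra run above (a burst of "Failed password" lines from one source) in sshd logs.
# Sample lines are constructed to resemble Ubuntu's /var/log/auth.log.
import re
from collections import defaultdict
from datetime import datetime

# Constructed: five guesses from 192.168.1.10 ending in a hit; one typo from 192.168.1.20.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 target sshd[1201]: Failed password for root from 192.168.1.10 port 51001 ssh2
Mar  4 10:15:01 target sshd[1201]: Failed password for root from 192.168.1.10 port 51002 ssh2
Mar  4 10:15:02 target sshd[1201]: Failed password for invalid user admin from 192.168.1.10 port 51003 ssh2
Mar  4 10:15:02 target sshd[1201]: Failed password for root from 192.168.1.10 port 51004 ssh2
Mar  4 10:15:03 target sshd[1201]: Failed password for root from 192.168.1.10 port 51005 ssh2
Mar  4 10:15:03 target sshd[1201]: Accepted password for root from 192.168.1.10 port 51006 ssh2
Mar  4 10:20:44 target sshd[1322]: Failed password for alice from 192.168.1.20 port 40210 ssh2
Mar  4 10:20:50 target sshd[1322]: Accepted password for alice from 192.168.1.20 port 40210 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_events(log_text, year=2024):
    """Return (timestamp, result, ip) per sshd password event; syslog lines omit the year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["ip"]))
    return events

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures inside window_seconds, and note whether a
    successful login followed the burst (what a Hydra hit looks like server-side)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, ip in parse_events(log_text):
        (failures if result == "Failed" else successes)[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window over sorted failure times: compare the i-th with the one threshold-1 earlier.
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                flagged[ip] = {"failures": len(times),
                               "success_after_failures": any(s >= times[i] for s in successes[ip])}
                break
    return flagged
```

A "success_after_failures" of True is the signal worth alerting on: the guessing stopped because a password worked, which is exactly the outcome the lab's Hydra step demonstrates.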

1.2 Implementing Multi-Factor Authentication (MFA)

- Objective: Secure a system by adding an extra layer of authentication (e.g., Google Authenticator).

1. Install Google Authenticator on a Linux system (e.g., Ubuntu):

sudo apt-get install libpam-google-authenticator

2. Set up Google Authenticator:
   - Run google-authenticator and follow the prompts to set up the app.
   - You will be given a QR code to scan using the Google Authenticator app on your phone.
3. Configure SSH to Require MFA:
   - Open the SSH configuration file (/etc/ssh/sshd_config) and ensure ChallengeResponseAuthentication is set to yes.
   - Restart SSH to apply changes:

sudo systemctl restart ssh

4. Verify: When attempting to log in via SSH, after entering your password, you will be asked to enter the code from the Google Authenticator app:

password:
Verification code: 123456

5. Discussion: Discuss how Multi-Factor Authentication (MFA) adds an additional layer of security, making it harder for attackers to gain access even with a correct password.

Step 2: Understanding Authorization Mechanisms

2.1 Role-Based Access Control (RBAC)

- Objective: Ensure that users only have access to resources based on their roles.

1. Create Users on a Linux system:

sudo useradd user1
sudo useradd user2
sudo passwd user1
sudo passwd user2

2. Create Groups (e.g., admin for privileged users and users for regular users):

sudo groupadd admin
sudo groupadd users

3. Assign Users to Groups:

sudo usermod -aG admin user1
sudo usermod -aG users user2

4. Set Permissions on a sensitive directory (/secure_folder):

sudo mkdir /secure_folder
sudo chown root:admin /secure_folder
sudo chmod 770 /secure_folder

   Explanation:
   - 770: Full access for root and the admin group, but no access for others.
5. Test Access:
   - user1 (admin group) should be able to access the folder:

sudo -u user1 ls /secure_folder

   - user2 (non-admin) should not be able to access the folder:

sudo -u user2 ls /secure_folder

6. Discussion: Discuss how RBAC helps ensure that users only have access to the
resources they need to perform their job functions, minimizing security risks.
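The Test Access step exercises the kernel's discretionary access check. As an added example (not the lab's code), this Python model applies a mode such as 770 to a user's uid and groups, and also shows which group a file created inside the folder receives, which depends on the setgid bit that chmod 770 does not set. The users, uids and gids are constructed; `id user1` on the real system shows the actual values.

```python
# Added example, not part of the lab handout: a model of the discretionary access check
# the kernel applies in "Test Access" above, using a mode such as 0o770, plus the group a
# new file inside the folder receives. Users, uids and gids are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int                          # primary group (useradd creates one per user)
    groups: frozenset = frozenset()   # supplementary groups (usermod -aG)

@dataclass(frozen=True)
class Inode:
    owner_uid: int
    group_gid: int
    mode: int                         # permission bits plus setuid/setgid/sticky

GIDS = {"root": 0, "admin": 2001, "users": 2002, "user1": 1001, "user2": 1002}
ROOT = User("root", 0, 0)
USER1 = User("user1", 1001, GIDS["user1"], frozenset({GIDS["admin"]}))
USER2 = User("user2", 1002, GIDS["user2"], frozenset({GIDS["users"]}))
SECURE_FOLDER = Inode(owner_uid=0, group_gid=GIDS["admin"], mode=0o770)   # chown root:admin; chmod 770

def permission_bits(user, inode):
    """Only one rwx triplet applies: owner if the uid matches, else group if any of the
    user's groups match, else other. Root (CAP_DAC_OVERRIDE) bypasses this for read/write/search."""
    if user.uid == 0:
        return 7
    if user.uid == inode.owner_uid:
        return (inode.mode >> 6) & 7
    if inode.group_gid == user.gid or inode.group_gid in user.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def can(user, inode, want):
    """`want` is a string of r/w/x: `ls dir` needs r; entering it or opening files in it needs x."""
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return permission_bits(user, inode) & need == need

def group_of_new_file(creator, parent_dir):
    """With 0o770 a file user1 creates is owned user1:user1, so other admin members only get
    the file's 'other' bits; chmod 2770 (setgid) makes new files inherit the admin group."""
    return parent_dir.group_gid if parent_dir.mode & 0o2000 else creator.gid
```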

2.2 Advanced Authorization with SELinux

- Objective: Use SELinux (Security-Enhanced Linux) for stricter control over what users can do.

1. Enable SELinux:

sudo setenforce 1
sudo getenforce

   - getenforce: This will show whether SELinux is enforcing, permissive, or disabled.
2. Check Access Control using SELinux:

sudo ls -Z /secure_folder

The output will show the SELinux security context associated with files and
directories.

3. Change SELinux Context for a file:

sudo chcon -t httpd_sys_content_t /secure_folder

4. Discussion: Explain how SELinux adds another layer of authorization by controlling access based on security contexts, making it more difficult for unauthorized users to perform malicious activities.

Step 3: Secure System Configuration

3.1 Limit Sudo Access (Using sudoers)

- Objective: Control who can execute administrative commands using sudo.

1. Edit the sudoers file to limit who can access root privileges:

sudo visudo

2. Add entries like:
   - Allow user1 to run certain commands with sudo:

user1 ALL=(ALL) NOPASSWD: /bin/ls, /bin/cat

3. Verify:
   - user1 should now only be able to run the ls and cat commands as root without needing to type a password.

sudo ls /secure_folder

4. Discussion: Discuss the importance of least privilege and ensuring that users can
only access and perform actions they need.

Conclusion:

In this educational lab:

- Students learned how to perform authentication attacks, implement Multi-Factor Authentication (MFA), and secure login systems.
- Students understood how to set up and manage Role-Based Access Control (RBAC) and SELinux for proper authorization enforcement.
- Hands-on experience with configuring systems to restrict user access and permissions, following the principle of least privilege.
