Introduction
During the second half of the roller-coaster of a year that was 2020, I delivered a Python scripting course to a Cybersecurity Masters programme. This scripting course had a heavy focus on using the likes of Scapy to create red and blue team tools. Many of these were network security tools. Due to the pandemic this course was delivered fully online. This posed an interesting challenge:
How can we provide students with an environment where they can safely build and test their network security tools at home?
The university already has a solution to this. A vLab infrastructure is available where Virtual Machines (VMs) can be spun up and networked as you want. This was already used by some courses pre-pandemic. However, I was conscious that some students may not have reliable internet connections and I wanted them to be able to work on labs and assignments offline. If they had any issues connecting to the vLabs then they would not be able to progress through the coursework.
My solution to this problem was to use a tool called Mininet [1]. Mininet is a tool I use for my SDN research that allows you to spin up a virtual network of hosts and Open vSwitch switches. It uses process-based virtualisation magic (I believe this is the most accurate technical term) to create and isolate virtual hosts and switches. Using this tool the students could create a network of hosts which all had their own separate set of processes, network interfaces, ARP cache, etc. One caveat here is that the hosts all share the same file system.
I provided my students with an Ubuntu VM with the necessary tools for the course pre-installed. They could download it, import it into VirtualBox, and run it. They used the Ubuntu VM as their development environment and could use Mininet to create a virtual network when needed.
Installing Mininet
You can install Mininet using the following command:
sudo apt-get install mininet
Once it's installed you can launch it and create a basic topology by running:
sudo mn
This will provide you with a prompt where you can issue commands. For example, the net command will show the current topology:
mininet> net
h1 h1-eth0:s1-eth1
h2 h2-eth0:s1-eth2
s1 lo: s1-eth1:h1-eth0 s1-eth2:h2-eth0
mininet>
The above output tells us that the network we just created has 2 hosts (h1 and h2) and 1 switch (s1). It also provides us with information about the network interfaces these hosts are using and how they are connected (i.e. h1's interface h1-eth0 is connected to s1's interface s1-eth1).
The help command will show a full list of the available commands and some example usage.
If you want to issue a command to a specific host in the network you can do so like this:
h1 ping h2
The above command will have the host h1 ping the host h2. You can run any command that would be available on h1 the same way (e.g. ls, ifconfig, route, etc.).
We can also open an xterm terminal window for these hosts by using the following command:
xterm h1
The Mininet hosts aren't quite Virtual Machines, but they're just as good in many scenarios. For example, we can perform an ARP cache poisoning attack in the Mininet network exactly the same way we would if we had VMs. We could run a service on one host and exploit a vulnerability in that service from another host. We can essentially spin up a playground where we can play around with network traffic and services without needing more than one VM.
Custom Topology Example
Let's say that we want to use Mininet to create a virtual network with 3 hosts and 1 switch.

| Host | IP Address | Services |
|---|---|---|
| Client | 10.0.0.1 | None |
| Server 1 | 10.0.0.2 | Telnet |
| Server 2 | 10.0.0.3 | SSH |

The first thing we need to do is create a file containing Mininet commands. We don't strictly need this file but it does help automate the process of deploying the network.
We create a new file called mn_commands.txt containing the following:
h1 xterm -fa 'Monospace' -fs 14 -xrm 'XTerm.vt100.allowTitleOps: false' -T "Client" &
h2 /sbin/inetd
h2 xterm -fa 'Monospace' -fs 14 -xrm 'XTerm.vt100.allowTitleOps: false' -T "Server 1" &
h3 /usr/sbin/sshd
h3 xterm -fa 'Monospace' -fs 14 -xrm 'XTerm.vt100.allowTitleOps: false' -T "Server 2"
The first line in the file will open an xterm terminal window for h1 which will be our client. It labels the terminal window accordingly. The next line will start the Telnet service on h2. This service will only run on h2. The next line will open a terminal window for h2 and label it as "Server 1". The next two lines will start the SSH service on h3 and open a terminal window.
Note: The "&" at the end of some lines will allow the terminal windows to run in the background. We do not include this for the last host as otherwise the Mininet command line will exit.
With the file created we can use the following command to start Mininet:
sudo mn --topo single,3 --test pingall --post mn_commands.txt
In the above command...
"--topo single,3" -> Create a new topology with a single switch and 3 hosts
"--test pingall" -> When the network has been created have hosts ping each other to verify connectivity
"--post mn_commands.txt" -> Our set of commands to run once Mininet has started
Once the command has been executed 3 terminal windows should open. The terminal labeled "Server 1" should be for our second host running Telnet. This can be verified by checking the running processes or checking the open ports on that host. You should be able to telnet into Server 1 and ssh into Server 2 once the network has been deployed.
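The open-port check described above can be scripted. The following is an added example, not part of the original post: it probes both servers from the Client and reports any service that is missing or running where the table says it should not be. It assumes the IP addresses from the table and that Telnet and SSH listen on their default ports (23 and 22); the names EXPECTED, PORTS, port_open and audit are chosen here for illustration.

```python
"""Check that the Mininet lab exposes exactly the services in the table.

Added example (not from the original post); run it from the Client (h1) xterm.
"""
import socket

# Expected layout, taken from the table in this post: IP -> TCP ports that must be open.
EXPECTED = {
    "10.0.0.2": {23},  # Server 1 (h2): Telnet via inetd
    "10.0.0.3": {22},  # Server 2 (h3): SSH via sshd
}
PORTS = (22, 23)  # each of these ports is probed on every server


def port_open(ip, port, timeout=1.0):
    """Return True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def audit(expected, ports, probe=port_open):
    """Compare observed open ports with the expected layout.

    Returns a list of (ip, port, problem) tuples; an empty list means the lab matches.
    """
    findings = []
    for ip, want in sorted(expected.items()):
        for port in ports:
            is_open = probe(ip, port)
            if port in want and not is_open:
                findings.append((ip, port, "expected service is not listening"))
            elif port not in want and is_open:
                findings.append((ip, port, "unexpected service is listening"))
    return findings


if __name__ == "__main__":
    problems = audit(EXPECTED, PORTS)
    for ip, port, problem in problems:
        print(f"{ip}:{port} {problem}")
    print("lab OK" if not problems else f"{len(problems)} problem(s) found")
    raise SystemExit(1 if problems else 0)
```

Because the Mininet hosts share the VM's file system, the script can be saved once in the VM and run directly from the Client terminal.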
You should be able to run most services in the Mininet hosts in the same way as the Telnet and SSH services were run in this example. You could alternatively have the Mininet host call a script and run additional commands that way.
To stop Mininet, close each of the terminals. If the Mininet command line is still open use the "exit" command to exit it. Use the following command to clean up anything that might be left over:
sudo mn -c
Note: If the Telnet or SSH services do not start they may be missing. If this is the case you'll need to install telnetd and openssh-server by running sudo apt-get install telnetd openssh-server
Recommendation for Use
If you are going to use Mininet in your labs I would recommend the following steps:
- Create a VM and install any software that might be required for your labs. Export this VM and upload it somewhere online. Instruct the students to download and import the VM.
- If any additional software is required at any stage, create a script to install the software and provide this to the students. They can run the script and install the software.
- Create the script containing the desired Mininet commands. Provide this to the students.
- Provide the students with the command to start Mininet in a script. They can either run the script to start Mininet or copy the command from the file.
- Create a companion document for any lab or assignment where you might be using Mininet with exact instructions on how to deploy the Mininet network.
I found that the above steps helped students set up the lab environments with minimal issues.
References
[1] http://mininet.org/