 I'm going to demonstrate setting up some websites on our Linux virtual network using VertNet. So to get started, we're going to, on Windows, deploy a topology, topology number seven. So I'll use the script vn-topology07.command, run that, and follow the instructions and that deploys the five nodes. And once they're deployed, I need to start them and set them up. If you've done this before, you can skip this part and go to the part where I set up the websites. It takes a few minutes, start each node, and once I've started them, I'll then explain how the websites work while they're setting up. Start node four, node five. Once those nodes are all started, we need to run the command that deploys the node. So we're using topology seven, and for each node, the node number one, two, three, four, five, and that would just set up the IP address and other settings on the node. We'll reboot them and then deploy the website. Now for the websites, each node actually runs an Apache web server, a MySQL database server. So they're already running. There's no need to start them. But if you wanted to start or stop them, you can use the command system control command. To boot InvertNet, some demo websites. There's a very simple static web index, which has a few pages and style sheets. We'll not use that one today. We'll deploy a little bit more advanced website, which is I call the MyUNI website, which provides a very basic grading system where students can log in and see their grades. And this website's useful for testing web application attacks like SQL injection, monkey stealing, and others. The topology that we're deploying, this topology seven, we're going to use it like this, where node one is going to be our normal user using our web browser. Node four is going to be our web server running the MyUNI grading system and node three with a router. In some scenarios, we only need those three nodes, and we can illustrate different web application attacks. In other scenarios, we may need additional nodes. For example, we may have a second browser for the malicious user on node two, and on node five, the malicious user may have another web server under their control. The domains are listed here. So what we'll do on node four is deploy the MyUNI, the real MyUNI website, and for other attacks on node five, we'll deploy the fake MyUNI website. As those nodes boot, we log in, network, network, and when we run the command sudo bash, vn deploy node, we're using topology seven, node one, we run that, network is the password, and now we reboot. And I'll do that for all nodes, and then we'll come back and set up the websites on each. I've deployed the five nodes, nodes one, two, three, four. I've started again and running, and I'm going to start node five. I'm going to start in headlet start where there's no virtual box terminal, but I'll use putty to log into that node. So node four is running, node five is booting now. I've got putty window opened here, logged into node one. Let's log into node four, create a new session, hostname 127.0.0.1, the local host, and the port for node four is 2204. And we can open that, and it opens a terminal into node four, and we can log in. And that just allows me to use putty instead of the virtual box terminal and change some of the settings so I can make the appearance, for example, change the font so it's larger and easier to see. So here's node four. Now let's set up the web server. We said the real MyUNI web server is going to be on node four and the fake one on node five. So we'll deploy the real one first. And to deploy the MyUNI website, there's a script that will do it for us. So on node four, we run this command which deploys real MyUNI. So let's go to node four and try that sudo bash verb net bin vn deploy real MyUNI. Network with the password, yes, we want to proceed. And a few warnings that we shouldn't set a password on the command line, that's okay. And the website's deployed. Now let's just test that, so we'll go back to node one. And we've got a website on node four. And now we want to access that website. So since we don't have a graphic user interface, we'll use a text-based web browser called links. And we use links followed by the URL. And the system set up such that we've got some fake domain names. And node four, we'll use the domain name www.myuni.edu. Node five is set up so it sort of has two different domain names. We'll see that in a moment. So that should be already set up. If not, you could change the ETC host file to set that up. MyUNI.edu and actually the website is under the directory grades. And that opens my web browser on node one which connects to the web server on node four. The MyUNI web server. And you can see it's a very basic website. It says welcome, let's log in. And with links, we can scroll through the links in the web page using up and down arrow keys. The bottom links are just some help pages. We want the login link and I'll press the right arrow to follow that link. It takes me to a login page where it prompts for my username and password. Now we've set up some initial usernames and passwords for the system. If we go to the website and scroll down. There are a few usernames and passwords for different user IDs and student passwords. So let's log in as our S1234567 student. Type in the username and the password and go to the login link and right arrow to login. And it says, do you want to allow cookies? I'll say A for always. We can change a setting later that will automate that step. It's going through some login steps and it takes me to the welcome page. Welcome S1234567. You're now logged in. You've got two things you can do. You can log out or you can view the grades. So let's view the grades and the view grade system basically takes two parameters, the student ID and a course code. So I can view the grades of a particular course or unit and then a submit button. So the idea is that the student can only view their grades. They cannot use a view other students grades and of course they cannot change grades. So let's leave the student ID as is the default value, which is ours. And a course ID COIT20262 submit and it says the grades for that student for that course is a HD. We can go back to view grades. If we don't provide a course code and go to submit, it shows all of our grades for all the courses we're enrolled in. So that's the normal system. You can see through different attacks and see, for example, if a student can see other students grades. Well, let's try that as another student. I'm logged in as S1234567, but there's another student. Can we see their grades? Maybe for this course. I want to see another student's grades. Submit, no, it doesn't check in. You can only view your own grades. OK, so there's the security mechanism or access control in place. In the attacks, one thing you'll try and do is try to view the grades of other students and maybe even try and edit grades. I can log out and log in as a different user. The user called Steve is the admin user or a faculty user. And the admin user, I'll log in, has some more permissions. So let's view the grades of another student. So we'll view the grades of student S with all zeros and submit. So Steve can view the grades of other students. And note that there's a link here on the student ID. And if Steve follows that, he can edit the grade. He can set it to a different value. So I can choose, for example, to change the grade, which was originally an F to a C. And I'll follow that link. And that's a grade update. So only the admin user or the faculty user, Steve, is allowed to change grades and view other students' grades. So that's the basics of the MyUNI website. To see some more details, the policy, you can view on the website here, some other features like how to add new users or courses if needed. The other thing we'll do is on node five, which has started now, we'll connect to that using putty, create a new session, and the address 127.0.0.1. And the call for node five is 2205. And open that. Yes, we really trust it. Log in as network, network. Under node five, let's just change the appearance so it's a little bit larger. You can set up your system so that these will be the defaults. We're on node five. And node five can be used in some attacks by the malicious user, assuming it's a web server under the control of the malicious user. So a fake website called freestuff.com and another one called myuni.edu.gr. So to deploy that website, it's quite simple. We can run this script on node five to deploy the fake websites, both of them in fact, not just one. sudo bash, vertnet, bin, then deploy fake myuni. Yes, we proceed. And that's deployed. And I'll leave it for you as a task to try and use that fake website. And you can use it in different attacks. And some of the attacks are described in some demos here, including SQL injection, cross site request, forgeries, cookie stealing, and others.