
IY2840 Coursework 3:

Network and Web Security

Deadline: 23:59, 31 Mar 2020

This is a blind submission, and submissions must be made in a ZIP compressed file on Moodle. This compressed file should include the coursework report, network packet files (in pcap format) and the necessary source-code files. The report must be in PDF format; other formats such as .docx or .pages are not accepted. This coursework counts for 10% of your grade on this module and is worth 100 marks in total. We expect a good submission to be succinct and less than six pages in length. Learning outcomes assessed are:

• Understanding of network packets and how to capture and investigate them.
• Understanding the fundamentals of network attack detection.
• Understanding key network infrastructure to identify key DNS security concerns.
• Understanding the fundamentals of Web attacks and their countermeasures.

IMPORTANT:

• Use Wireshark to analyse the .pcap files in the coursework attachment.
• Download the following virtual machines (VMs):
  – The local DNS VM: https://www.dropbox.com/s/26fm3taangct6nr/Ubuntu-Local_DNS_Server.ova
  – The attacker VM: https://www.dropbox.com/s/z8652jo7i5rwwny/SEEDUbuntu-attacker.ova
  These VMs must be used to test some solutions for this coursework, so you need to install them on your own machine. Keep in mind that you only have access to the attacker machine, and the local DNS VM must be on for Question 1.c and the whole of Question 2. To set up the environment, follow the setup and configuration environment guidelines section (see Appendix).
• Use the source files (source ? files ? coursework3.zip) for Question 1.a and 1.c.
• All answers related to developing a program will be checked on a SEEDLab VM, so it is important to make sure that the solutions you provide are executable on this platform.


This coursework aims to have you reflect on Web and Network security. To get started, it is important to review the lecture notes and lab materials and the course text, but also to investigate online resources. We are not after essays in this coursework. We are after concise and succinct responses to each question with some proof of implementation (code snippets and screenshots). Do share useful resources that you find with others on the Moodle forum, but do not give any answers away. Note: All the work you submit must be solely your own work, and you should make sure the submitted file is not corrupted. Submissions are routinely checked for plagiarism. If for whatever reason you are not seeing the expected outcome of any of your attacks, be sure to still report on what you have tried to do, as this will still net you almost (if not all) points for the attempt.

Questions

1. Question 1 (55 Marks).

(a) A security analyst has the c1.pcap, c2.pcap and c3.pcap files, which are network traffic captures of different network segments. The analyst wants to identify potential attacks in these files, and you are asked to assist them in this task. Examine these pcap files to determine the attacks within them and justify your answers. Submit your answer and your justification in your report. (15 marks)

(b) It is important for security analysts to understand suspicious activity in pcap files. This is often done by reproducing attacks. Write a program to reproduce the c2.pcap attack (hint: refer to Lab 7 on how to create network programs) and describe the program briefly in the report. Also, provide the pcap traffic capture, taken with Wireshark, of running the program you developed (your pcap and the provided pcap are not expected to be identical, as the addresses will differ in your network settings). Submit your source-code and your traffic-capture file from running your program. (15 marks)
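The analysis side of 1(a), as an added example that is not part of the coursework or its attachments: a minimal pcap reader in Python that walks Ethernet/IPv4/TCP records and flags the pattern of one source sending bare SYNs to many ports of one host, the signature of a port scan or SYN flood. The capture is constructed inline (the attack actually contained in c1/c2/c3 is not identified here; this is one signature of several an analyst checks), and the function names, the threshold and the addresses 10.0.2.4/10.0.2.5/10.0.2.15 are this example's own choices.

```python
import struct
from collections import defaultdict

SYN = 0x02
ACK = 0x10


def ipv4(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet + IPv4 + TCP frame. Checksums are left zero,
    which is fine for an offline parsing example (Wireshark would flag them)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipv4(src), ipv4(dst))
    return eth + ip + tcp


def write_pcap(frames):
    """Serialise frames as a classic pcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def read_pcap(data):
    """Yield (src, dst, sport, dport, flags) for every TCP packet in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("this example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:  # IP protocol field: 6 = TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        t = 14 + ihl  # start of the TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        yield src, dst, sport, dport, frame[t + 13]  # byte 13 of TCP = flags


def detect_syn_scan(data, min_ports=5):
    """Return {(src, dst): [ports]} for sources that sent SYN-without-ACK to at
    least min_ports distinct ports of the same host."""
    targets = defaultdict(set)
    for src, dst, _, dport, flags in read_pcap(data):
        if flags & SYN and not flags & ACK:
            targets[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in targets.items()
            if len(ports) >= min_ports}


# Constructed capture: one ordinary three-way handshake, then one host
# probing six ports of the same server.
SAMPLE = write_pcap(
    [tcp_frame("10.0.2.5", "10.0.2.15", 40000, 80, SYN),
     tcp_frame("10.0.2.15", "10.0.2.5", 80, 40000, SYN | ACK),
     tcp_frame("10.0.2.5", "10.0.2.15", 40000, 80, ACK)]
    + [tcp_frame("10.0.2.4", "10.0.2.15", 50000 + p, p, SYN)
       for p in (21, 22, 23, 25, 80, 443)]
)

if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scan(SAMPLE).items():
        print(f"{src} -> {dst}: SYN to {len(ports)} ports {ports}")
```

Running the script on a real capture is a matter of passing `open(path, "rb").read()` to `detect_syn_scan`; the handshake host is ignored because it touched only one port, while the probing host exceeds the threshold. The same reader can be extended with further signatures (for example counting ICMP or UDP to closed ports) once you have decided from Wireshark what each capture contains.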

(c) A local DNS server (running in the local DNS VM provided, as shown in Figure 1) is vulnerable to Kaminsky DNS cache poisoning. Dan Kaminsky developed an approach to overcome the caching effect (see lecture 9, slides 34-37): attackers are able to attack a DNS server on a domain name continuously, without the need to wait for the cached record to expire, which makes a successful attack possible within a very short period of time. Here, an attacker attempts to poison the resource record for the domain www.example.org by pointing the name server field for this domain to ns.attackerns.net, a malicious DNS server. In the attacker VM, write a program that executes this attack (see the DNS security lecture): it sends DNS requests for non-existent domains (NXDOMAIN) to the local DNS server and spoofs the Name Server (NS) replies. The attacker must be able to run this attack remotely (i.e. there is no way for the attacker to capture the NS requests generated by the local DNS server, as the attacker is not part of the local DNS server's network).


Figure 1: Environment setup. See the appendix for setup information. Note that the IP address of the attacker may not be the same in your configuration. Use ifconfig to determine the attacker's IP address.

In the attachment, the udp.c file is provided to help you create a program to perform the attack. You will need to develop a DNS request and reply, filling each DNS field with the correct value and understanding the value in each field; you can use Wireshark to capture a few DNS query and response packets. You should use port 33333 as the local DNS server's port, as it has been fixed for simplicity. You will need to find out the IP of the Name Server for www.example.org to be able to hijack the NS replies; you will also need to make use of dig to get this information. Finally, you need to consider how to use random Query IDs in conducting this attack.

Provide the output (a screenshot) showing that you have a successful attack (i.e. showing the resource record of example.org with ns.attackerns.net) and report the changes made to the udp.c file, including the instructions (e.g. dig) used to perform the attack and check the attack result. Submit your source-code and add your screenshots to your report. (25 marks)
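To make concrete why the fixed port 33333 and the random Query IDs matter, here is the resolver's side of the exchange as an added example (not the coursework's udp.c, and not code from any real resolver): a small DNS wire encoder/parser and a `Resolver` class that only accepts a reply whose transaction ID and destination port match a query it actually has outstanding, whose question is unchanged, and whose records are in-bailiwick for the queried name. The `Resolver` class, the function names and the query name abc.example.org are this example's own; the name ns.attackerns.net is taken from the question text and used only as the sample value in the constructed reply. Note that the bailiwick rule deliberately lets the example.org NS record through, since example.org is the parent of the queried name; that is exactly why the remaining defence against the described attack is entropy in the (ID, port) pair (or DNSSEC), and `spoof_guess_space` shows how much of it the fixed port throws away.

```python
import random
import struct


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, next_offset); follows 0xC0 compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (end if jumped else off)


def build_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_ns_reply(txid, qname, zone, nsname):
    """Reply with an empty answer section and one NS record in the authority section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 1, 0)  # QR, RD, RA; 1 authority RR
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = encode_name(nsname)
    authority = encode_name(zone) + struct.pack("!HHIH", 2, 1, 86400, len(rdata)) + rdata
    return header + question + authority


def parse_reply(msg):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (2, 5):  # NS / CNAME: rdata is itself a name
            rdata = decode_name(msg, off)[0]
        off += rdlen
        records.append((owner, rtype, rdata))
    return {"txid": txid, "qname": qname, "qtype": qtype, "records": records}


class Resolver:
    """Minimal model of the checks a caching resolver applies to a reply."""

    def __init__(self, randomize_port=True):
        self.randomize_port = randomize_port
        self.pending = {}  # (txid, source port) -> qname still waiting for a reply
        self.cache = {}    # (owner, rtype) -> rdata

    def send_query(self, qname):
        txid = random.randrange(65536)
        sport = random.randrange(1024, 65536) if self.randomize_port else 33333
        self.pending[(txid, sport)] = qname
        return txid, sport, build_query(txid, qname)

    def accept_reply(self, msg, dport):
        """True only if (txid, port) match an outstanding query, the question is
        the one we asked, and every record is at or above the queried name."""
        r = parse_reply(msg)
        key = (r["txid"], dport)
        if self.pending.get(key) != r["qname"]:
            return False
        for owner, _, _ in r["records"]:
            if not (r["qname"] == owner or r["qname"].endswith("." + owner)):
                return False  # out-of-bailiwick record: never cache it
        del self.pending[key]
        for owner, rtype, rdata in r["records"]:
            self.cache[(owner, rtype)] = rdata
        return True


def spoof_guess_space(randomize_port):
    """Number of (txid, port) pairs a blind spoofer must cover per query."""
    return 65536 * (65536 - 1024 if randomize_port else 1)
```

With `randomize_port=False` the attacker only has to match the 16-bit ID, and a guessed reply carrying the parent zone's NS record is accepted and cached; with a random source port the same reply is rejected unless the port is guessed too, which is the hardening real resolvers adopted after Kaminsky's disclosure. Feeding Wireshark-captured DNS bytes to `parse_reply` is a quick way to check that you have understood each header field while writing your own packets.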

2. Question 2 (45 Marks)

A company, "IY2840 Co.", owns a website, http://10.0.2.x/index.html (x is unknown and students are expected to find it; this URL refers to the local DNS server VM, which hosts the company web server, see Figure 1), which is used for managing the company's employee records. In order to access the website resources, you need to have login credentials. This website is vulnerable to SQL injection (SQLi) and cross-site scripting (XSS) attacks.

(a) How can an attacker bypass the website login without having access credentials? Assume there is an 'admin' user for this system. Justify your answer and report the output (screenshot). Submit your answer and your justification in your report. (10 marks)


(b) An attacker is often keen on cracking the 'admin' password in the system; however, the password is usually protected by a hashing function (SHA1 is used in this website). How can an attacker learn the stored password for the admin user in this website? Demonstrate the steps to perform this attack, including the necessary injected inputs. Report the necessary screenshots. Finally, name two countermeasures to prevent SQL injection attacks. Submit your answer and screenshots in your report. (20 marks)

[Hints: this question is not meant to be solved with any available brute-forcing tool for cracking the website login (i.e. hitting the system with many randomised passwords). Instead, it requires you to perform a number of steps to learn about the database (schema, tables and columns) using a UNION query to reach the password data. Then, you need to brute force this data (a hash value) to recover the actual password; in this context you can use any online or offline tools to crack the hash value.]
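For the countermeasures part of 2(b), here is the weak login logic beside its hardened form, as an added example written for this page rather than the coursework site's actual code (which is not shown). It is a self-contained Python/sqlite3 stand-in: a constructed users table with one 'admin' row whose password is stored as an unsalted SHA1 hex digest, as the question states the site does. `login_vulnerable` builds the query by string concatenation, `login_parameterized` binds the input as data, `is_valid_username` adds allow-list validation, and `hash_password`/`verify_password` show the storage-side fix for the hash-cracking problem (a per-user random salt plus a slow KDF instead of bare SHA1). All names, the sample password and the table layout are this example's own.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed stand-in for the site's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.sha1(b"correct-horse").hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """String-concatenated query: the username becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    pwhash = hashlib.sha1(password.encode()).hexdigest()
    sql = f"SELECT username FROM users WHERE username = '{username}' AND pwhash = '{pwhash}'"
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """Countermeasure 1: bound parameters. The driver sends the input as a
    value, so quotes and comment markers are never parsed as SQL."""
    pwhash = hashlib.sha1(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM users WHERE username = ? AND pwhash = ?",
                     (username, pwhash)).fetchone()
    return row is not None


def is_valid_username(username):
    """Countermeasure 2: allow-list validation of the input's shape before it
    reaches the database (letters, digits and underscore, 1 to 32 chars)."""
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


def hash_password(password, salt=None, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256 instead of a bare SHA1 of the password;
    the stored form is 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored, rounds=100_000):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Classic tautology/comment input used only to contrast the two functions.
INJECTED_USERNAME = "admin' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, INJECTED_USERNAME, "anything"))
    print("parameterized:", login_parameterized(db, INJECTED_USERNAME, "anything"))
    print("validated    :", is_valid_username(INJECTED_USERNAME))
```

The comment marker in the injected username cuts the `AND pwhash = ...` clause off in the concatenated version, so any password is accepted for admin, while the parameterized version looks for a user literally named `admin' -- ` and finds none. Salting means two users with the same password get different stored values and a leaked digest cannot be matched against a precomputed SHA1 table, which is what makes the cracking step in this question cheap.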

(c) On many websites, session cookies are still widely used as a means to authenticate user requests and maintain session information for a specific period of time. These cookies are normally created once users log in to the website.

Suppose that you have already compromised the admin password from the previous question. Create an XSS attack scenario to be able to persistently steal the cookies for the current admin sessions on the website, even if the admin changes the password and the SQL injection problem is solved for the website hereafter. As an attacker, you need to find out the sink where to inject the script which facilitates obtaining the cookie, and how to receive the cookie. You may need to take advantage of the nc command to create a server in the attacker VM to capture the cookie. You may also need to use the following script/HTML methods for the attack; however, proposing different alternative script methods is acceptable (make sure those alternatives work):

1) Image().src="link to the image"
2) document.cookie

Report the steps of the scenario and the stolen cookie. Provide all necessary outputs (screenshots and traffic capture) indicating that you performed a successful attack. Can you identify the type of the XSS attack in this context? Submit your answer and screenshots in your report, along with a traffic packet capture file. (15 marks)
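The two defences that close the scenario in 2(c), as an added example that is not the coursework site's code: the sink is modelled as a page that interpolates a user-supplied note into HTML, shown once unescaped and once with contextual output encoding, and the session cookie is issued with the HttpOnly flag (which keeps it out of `document.cookie` entirely), plus Secure and SameSite. The page template, the placeholder function name `steal()` inside the constructed note, and the session value are this example's own.

```python
import html
from http.cookies import SimpleCookie

# Constructed user-supplied value that a naive page would echo into HTML.
# steal() is a placeholder name, not a real function.
UNTRUSTED_NOTE = '<script>steal(document.cookie)</script>'

PAGE = "<html><body><h1>Employee notes</h1><p>{note}</p></body></html>"


def render_unsafe(note):
    """The sink: the value is interpolated into the markup verbatim, so any
    tags in it become part of the document and run in the viewer's session."""
    return PAGE.format(note=note)


def render_safe(note):
    """Countermeasure 1: encode for the HTML text-node context, so the same
    input is displayed as text and never parsed as markup."""
    return PAGE.format(note=html.escape(note, quote=True))


def session_cookie_header(session_id):
    """Countermeasure 2: HttpOnly removes the cookie from document.cookie,
    Secure limits it to HTTPS, SameSite limits cross-site sending.
    Returns the value of a Set-Cookie header."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def contains_active_content(rendered):
    """Crude indicator used here only to show the effect of escaping."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_NOTE))
    print(render_safe(UNTRUSTED_NOTE))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Output encoding is context-specific: `html.escape` is right for a text node or a quoted attribute, but a value placed inside a URL or a script block needs the encoding for that context instead. HttpOnly does not stop a script from running, so the escaping fix is the primary one; the cookie flag is defence in depth that limits what a script that does run can read.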


Appendix: Setup and configuration environment guidelines

In addition to your existing SEEDLab VM, for the purposes of this coursework you will also need a separate VM to be your DNS server.

1. Install VirtualBox: https://www.virtualbox.org/wiki/Downloads. Make sure you are using the most up-to-date VirtualBox.

Installation notes for different platforms:

• Mac: you need to allow Oracle apps to be installed in the Security & Privacy settings.
• Windows: check that your machine has virtualization enabled. This can be done by entering your BIOS and enabling virtualization in a setting there. To check whether you have virtualization enabled or not, we suggest you go to your Task Manager; see a screenshot here: https://www.shaileshjha.com/wp-content/uploads/2017/02/windows_10_task_manager_performance_tab_virtualization_enabled.jpg
• Linux: we expect the problem would be the same as on Windows.

2. Download the local DNS and attacker virtual machines.

3. Import the local DNS and attacker virtual machines. Follow how to import OVA files here: https://www.virtualbox.org/manual/ch01.html#ovf-import-appliance.

4. [IMPORTANT] DO NOT SWITCH ON THE VMs YET. Before running the two virtual machines, we need to configure VirtualBox to set up the network for the coursework assignment.

5. Click "File" on the top left of the VirtualBox main UI. Then click "Preferences" as shown in Figure 2.

Figure 2: Preferences


6. Click the "Network" tab on the left panel. Click the "+" icon to create a new NAT Network (NatNetwork) adapter (if one does not exist). Double click on the NatNetwork and look at its configuration. Set the configuration to the same as what is shown in Figure 3.

Figure 3: Network Configuration

7. Enable Adapter 1 (and disable the other adapters if any are enabled), then choose "NAT Network" and then the NatNetwork which was already declared in the previous step.


Figure 4: VM Network Adapter (the MAC address can be whatever VirtualBox assigns it.)

8. [IMPORTANT]: It is useful to take a snapshot of your current VMs (especially while doing Question 1.c for cache poisoning, to be able to reset the DNS cache), just in case you need a VM reset at some point while conducting the attacks. You can take as many snapshots as you want, but be aware that they increase the size of your VMs substantially.

Figure 5: Menu - Take Snapshot

9. To restore from a snapshot that you have taken before, click the following (you need to shut down the VM first).

Figure 6: Snapshot UI


10. Some VirtualBox installations may complain about USB 2.0 and USB 3.0 not being configured properly. If this happens, you can either revert to USB 1.0 or install a pack to enable USB 2.0 or USB 3.0. Either approach is fine, but we suggest reverting to USB 1.0.

Figure 7: Enable the USB1.0 controller

11. [IMPORTANT] Switch on both VMs: first the DNS VM, then the attacker VM. After you have switched on both, they will each be given an IP address, which will be a 10.0.2.x address. On the attacker machine, you can set it manually in the ethernet network connection information (click "edit connection" in the upper right corner). The gateway IP address will be 10.0.2.1 and the network mask will be 255.255.255.0. You will need to find out the IP address of your DNS VM separately; you can either scan your network to do so, or use a number of Linux commands to find it out.

SD & JH 20 March 2020


