Question 1. Analysis of Protocols with Wireshark
Objective: Gain a good understanding of common Internet protocols as well as using packet capture software (Wireshark)
The file a01-assignment-1-question-1-capture.pcap contains packets captured in an exchange between several computers.
The capture was performed in an internet where all subnets used a /24 mask. The capture was performed on interface eth1 on a computer with the following details:
network@node:~$ ifconfig eth1
eth1 Link encap:Ethernet HWaddr 08:00:27:cc:71:35
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fecc:7135/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:917 errors:0 dropped:0 overruns:0 frame:0 TX packets:831 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:299281 (299.2 KB) TX bytes:99008 (99.0 KB)
network@node:~$ ifconfig eth2
eth2 Link encap:Ethernet HWaddr 08:00:27:1c:6d:33
inet addr:192.168.4.1 Bcast:192.168.4.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe1c:6d33/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:435 errors:0 dropped:0 overruns:0 frame:0 TX packets:412 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:40322 (40.3 KB) TX bytes:58580 (58.5 KB)
network@node:~$ ifconfig eth3
eth3 Link encap:Ethernet HWaddr 08:00:27:61:fc:c4
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe61:fcc4/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:411 errors:0 dropped:0 overruns:0 frame:0 TX packets:541 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:59508 (59.5 KB) TX bytes:243173 (243.1 KB)
Use the file and the above information to answer the following sub-questions. Do not try to guess answers; use only the above information, the capture file and your knowledge of networking and security to find the answers.
(a) Several applications were used on several different computers. Complete the table to summarise the applications in use in the network. The columns are:
- Application name or protocol, e.g. Web, SSH, ?, where ? means cannot determine from the capture.
- Transport protocol. TCP, UDP, ICMP or other.
- Client Port(s). Use a range, e.g. 1-10, if the client changes ports for each connection.
- Server Port, Client IP, Server IP.
- Time of use. The time when the application is in use. Round to the nearest second. Use a range, e.g. 0-4 seconds.
The first row includes example values of selected columns. Complete (or edit) and add further rows as necessary.
Application Table
|
App.
|
Tra.
|
Client Port(s)
|
Server Port
|
Client IP
|
Server IP
|
Time of use
|
|
Web
|
|
48158-
48170
|
|
|
|
0-4
|
|
|
|
|
|
|
|
|
(b) Complete the address table below to show known address information of computers/interfaces in the network. Some information in the table may not be known (e.g. cannot be determined from the capture). Use a question mark "?" in the table if the information is not known. Use only the information in the question and the capture file to determine the answers (do not guess).
Address Table
|
Computer
|
Interface
|
MAC
|
IP
|
|
1
|
1
|
08:00:27:cc:71:35
|
192.168.1.1
|
|
1
|
2
|
08:00:27:1c:6d:33
|
192.168.4.1
|
|
1
|
3
|
08:00:27:61:fc:c4
|
192.168.5.1
|
|
2
|
|
|
|
(c) Some of the computers in the network have domain names as well as IP addresses. List the IP address and domain name of each computer with a domain name, and give the packet number where you found the domain name.
(d) Consider the 1st TCP connection in the capture (which starts at packet number 3 in the capture file). Draw a message sequence diagram that illustrates all packets in that TCP connection. A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time is increasing as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in workshops. Note that you do not need to show the packet times, and the diagram does not have to be to scale.
(e) Briefly explain how a TCP connection starts (or opens), and how it completes (or closes), using the 1st TCP connection from the capture (and your message sequence diagram above) as an example.
(f) Some of the computers in the network are running a web server. Choose one of the computers and then list which files exist on the web server, and which files do not exist on the web server. Explain how you know the files (that is, refer to the packet number(s) in the capture).
(g) What is the password?
Question 2. Web Application Attacks
Objective: Understand how real web application attacks work, and methods for mitigating them.
For this question you must use virtnet (as used in the workshops) to study web application attacks. This assumes you have already setup and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and performing the attack.
Your task is to:
- Create topology 7 in virtnet
- Deploy the MyUni demo website on the nodes
- On node4, add a user to the grading web application with username set to your student ID, and password set to your first name.
- Perform an unvalidated redirect attack, such that the attacker steals your username/password.
- While performing the attack, take a screenshot of the window showing the stolen username/password.
After performing and understanding the attack, answer the following sub-questions.
(a) Give a short description of an unvalidated redirect attack, referring to the steps you performed in the attack and the vulnerability your attack exploited.
(b) Assuming a website must use redirects, recommend a technique that can be used to minimise the impact of unvalidated redirect attacks.
(c) In the attack you performed in virtnet, describe what methods the attacker used (other than an unvalidated redirect) and how the attacker benefits from the attack (that is, what do they gain and how?).
(d) Include the screenshot of the stolen username/password obtained during the attack.
Question 3. Cryptographic Operations with OpenSSL
Objective: understand and apply different cryptographic primitives, use common encryption software (OpenSSL), and demonstrate secure procedures for key management.
Your task is to use OpenSSL to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted).
Perform the following steps:
(a) Generate your own RSA 4096-bit key pair. Use the public exponent of 65537. Save your key pair as keypair.pem.
(b) Extract your public key and save it as pubkey.pem.
(c) Create a Bash shell script that contains all OpenSSL commands you used on the terminal in the previous steps, as well as the following steps, and save them in a text file called commands.bash. You should copy-and-paste the actual commands you used from the terminal as they may be used to test your submission. As this script contains commands from steps (a), (b), (d), (e), (f) and (g), you should run those commands first and then put them in your script file, then do them again using the final script.
(d) Sign your Bash shell script using SHA1, saving the signature as signature.bin.
(e) Generate a 256 bit random value using OpenSSL. This value will be used as a secret key. Store the key as a 64 hex digit string in a file key.txt.
(f) Encrypt your Bash shell script using AES-256-CBC and the key generated in step (e). Use and IV of all 0's (that is, 32 0's). Save the ciphertext as ciphertext.bin.
(g) Encrypt your key.txt file using RSA so that only the Unit Coordinator can view the contents. Save the encrypted key as secretkey.bin.
Multiple files are output from the above steps. You must submit the following on Moodle:
- keypair.pem
- pubkey.pem
- commands.bash
- signature.bin
- key.txt
- ciphertext.bin
- secretkey.bin
The file names must be exactly as listed above. Use lowercase for all files and double-check the extensions (be careful that Windows doesn't change the extension).
Examples of the OpenSSL operations needed to complete this task, as well as a Bash script, are on Moodle.
Question 4. Malware Research
Objective: research real malware and gain an understanding of the techniques used in the malware and countermeasures
Ransomware attacks are increasingly publicised. In addition it is estimated there are many more ransomware attacks not being made public, e.g. companies and users paying a ransom but not disclosing the attack. The prevalence of ransomware, and the impact it has on organisations, has led to the discussion of ransomware insurance. Your task is to study what is ransomware, what are the challenges and possible countermeasures, and report on it in an easy-to-understand manner. You must write a short report on ransomware that addresses at least the following issues/topics:
(a) What is ransomware?
(b) What are examples of ransomware attacks? For example, names of malware, organisations attacked.
(c) What are common methods of infection by ransomware?
(d) What is the payload in ransomware? What cryptographic techniques are commonly used?
(e) How is the ransom obtained? What is the role of Bitcoin (or other cryptocurrencies)?
(f) What are the options for users once infected?
(g) What countermeasures should users and organisations take to prevent ransomware attacks?
The above is a guide of what should be covered. You may also address other issues, and you don't have to address them in the order listed.
There is no minimum/maximum length of the report. As a guide 1 to 2 pages of text (not including pictures) may be appropriate. In addition you may include your own pictures (not pictures from other sources) if they are useful in explaining ransomware. Including pictures from other sources, or including pictures that do not help with the explanation will not gain marks and may lead to reduced marks.
You may assume the audience of the report has similar background on network security as you. You should refer to techniques and concepts covered in the unit, and give sufficient technical detail to demonstrate you understand ransomware.
At least five (5) references should be included and follow the Harvard (author-date) style. References may be a mix of websites, textbooks and conference/journal articles.
Attachment:- a01assignment1question1capture-1.rar