首页 > > 详细

辅导IY2840留学生、讲解Web Security、辅导c++编程设计、c/c++讲解 讲解R语言编程|讲解R语言编程

IY2840 Coursework 3:
Network and Web Security
Deadline: 23:59, 31 Mar 2020
This is a blind submission, and submissions must be made in a ZIP compressed file on
Moodle. This compressed file should include the coursework report, network packet files (in
pcap format) and necessary source-code files. The report must be in file PDF format, other
formats such as: .docx or .pages are not accepted. This coursework counts for 10% of your
grade on this module and is worth 100 marks in total. We expect a good submission to be
succinct and be less than six pages in length. Learning outcomes assessed are:
• Understanding of network packets and how to capture and investigate them.
• Understanding the fundamentals of network attack detection.
• Understanding key network infrastructure to identify key DNS security concerns.
• Understanding the fundamentals of Web attacks and their countermeasures.
IMPORTANT:
• Use Wireshark to analyse the .pcap files in the coursework attachment.
• Download the following virtual machines (VMs):
– The local DNS VM: https://www.dropbox.com/s/26fm3taangct6nr/Ubuntu-Local_
DNS_Server.ova
– The attacker VM: https://www.dropbox.com/s/z8652jo7i5rwwny/
SEEDUbuntu-attacker.ova
These VMs must be used to test some solutions for this coursework. Therefore, you need to
install these VMs on your own machine. Keep in mind, you only have access to the attacker
machine and the local DNS VM must be on for Question 1.c and and whole question 2. To
setup the environment, follow the setup and configuration environment guidelines
section (see Appendix).
• Use the source files (source − f iles − coursework3.zip) for Question 1.a and 1.c.
• All answers related to developing a program will be checked on a SEEDLab VM, so it is
important to make sure that your solutions being provided are executable on this platform.
1
This coursework aims to have you reflect on Web and Network security. To get started,
it is important to review the lecture notes and lab materials, the course text, but also to
investigate online resources. We are not after essays in this coursework. We are after concise
and succinct responses to each question with some proof of implementation (code snippets and
screenshots). Do share useful resources that you find with others on the Moodle forum, but do
not give any answers away. Note: All the work you submit must be solely your own
work and you should make sure the submitted file not corrupted. Submissions are
routinely checked for plagiarism. If for whatever reason you are not seeing the expected
outcome of any of your attack, be sure to still report on what you have tried to do, as this
will still net you almost (if not all points for the attempt).
Questions
1. Question 1 (55 Marks).
(a) A security analyst has the c1.pcap, c2.pcap and c3.pcap files which are network traffic
captures of different network segments. The analyst wants to identify potential attacks
in these files. You are asked to assist them in their task. Examine these pcap files
to determine the attacks within these files and justify your answers. Submit
your answer and your justification in your report. (15 marks).
(b) It is important for security analysts to understand suspicious activity in pcap files.
This is often done by reproducing attacks. Write a program to reproduce the
c2.pcap attack (hint: refer to Lab7 on how to create network programs) and
describe briefly the program in the report. Also, provide the pcap traffic capture of
running your program being developed using Wireshark (your pcap and the provided
pcap are not expected to be identical, as the addresses would be different in your
network settings). Submit your source-code and your traffic-capture file from running
your program. (15 marks)
(c) A local DNS server (running in the local DNS VM being provided as shown Figure 1)
is vulnerable to Kaminsky DNS cache poisoning. Dan Kaminsky developed an
approach to overcome the caching effect (see lecture 9 slides 34-37), attackers will
be able to continuously attack a DNS server on a domain name, without the need
for waiting. This enables attackers to have a successful attack within a very short
period of time. Here, an attacker attempts to poison the resource record for the
domain of www.example.org by linking the field of the name server for this domain
to ns.attackerns.net which is a malicious DNS server. In the attacker VM, write
a program that executes this attack (see the DNS security lecture) and sends
DNS requests for non-existent domains (NXDOMAIN) to the local DNS server and
spoofing their Name Server (NS) replies. The attacker must be able to run this attack
remotely (i.e. there is no way for the attacker to capture the Name Server (NS)
requests being generated by the local DNS server as the attacker is not a part of the
Local DNS Server network).
2
Figure 1: Environment setup. See the appendix for setup information. Note that the IP
address of the attacker may not be the same for your configuration. Use ifconfig to determine
the attackers IP address.
In the attachment, the udp.c file is provided to help you to create a program to perform
the attack. You will need to develop a DNS request and reply with filling each DNS
field with the correct value and understanding the value in each field, you can use
Wireshark to capture a few DNS query and response packets. You should use port
33333 for the port local DNS Server as it is decided to be fixed for simplicity. You will
need to find out the IP of the Name Server for www.example.org to be able to hijack
the NS replies. You will also need to make use of dig to get this information. Finally,
you need to consider how to use random Query IDs in conducting this attack.
Provide the output (a screenshot) showing that you have a successful attack
(i.e showing the resource record of the example.org with ns.attackerns.net) and report
the changes made to the udp.c file including the instructions (e.g. dig) which are used
to perform the attack and check the attack result. Submit your source-code and add
your screenshots to your report. (25 marks)
2. Question 2 (45 Marks)
A company “IY2840 Co.” owns a website, (http://10.0.2.x/index.html (x here is
unknown and students are expected to find this), this URL refers to the local DNS server
VM that hosts the company web server, refer to Figure 1) which is utilised for managing
the employees records of the company. In order to access the website resources, you need to
have a login credentials. This website is vulnerable to SQL injection (SQLi) and cross-site
scripting (XSS) attacks.
(a) How can an attacker bypass the website login without having access
credentials? Assume there is an ’admin’ user for this system. Justify your answer
and report the output (screenshot). Submit your answer and your justification in
your report. (10 marks)
3
(b) An attacker is often keen on cracking the ’admin’ password in the system, however
password is usually protected by a hashing function (SHA1 is used in this website).
How can an attacker learn about the stored password for the admin user
in this website? demonstrate the steps to perform this attack including the
necessary injected inputs. Report the necessary screenshots. Finally, name two
countermeasures to prevent SQL injection attacks. Submit your answer and screenshot
in your report. (20 marks)
[Hints: this question is not meant to use any types of available brute forcing tool
for cracking the website login in this system (i.e. hitting the system with many
randomised passwords). However, this question requires you to perform a number of
steps to learn about the database (schema, tables and columns) using UNION query
to reach password data. Then, you need to brute force this data (a hash value) to
recover the actual password; you can use in this context any online or offline tools for
crack the hash value]
(c) Within so many websites, session cookies are still widely used as a means to
authenticate user requests and maintain session information for a specific period of
time. These cookies are normally created once users login to the website.
Suppose that you have already compromised the admin password from the previous
question. Create an XSS attack scenario to be able to persistently steal the
cookies for the current admin sessions in the websites even if the admin
changes the password and the SQL injection problem is solved for the
website hereafter. As an attacker, you need to find out the sink where to inject the
script which facilitates obtaining the cookie and how to receive the cookie. Also, you
may need to take advantage of nc command to create a server in the attacker VM to
capture the cookie. Also you may need to use the following script/HTML methods
for the attack, however proposing some different alternatives of script methods is
acceptable (make sure those alternatives work):
1) Image().src="link to the image"
2) document.cookie
Report the steps of the scenario and the stolen cookie. Provide all necessary
outputs (screenshots and traffic capture) indicating that you perform a
successful attack. Can you identify the type of the XSS attack in this context?
Submit your answer and screenshots in your report, along with a traffic packet capture
file. (15 marks)
4
Appendix: Setup and config. environment guidelines
In addition to your existing SEEDLab VM, you will for the purposes of this coursework also
need a separate VM to be your DNS server.
1. Install VirtualBox: https://www.virtualbox.org/wiki/Downloads. Make sure you are
using the most up-to-date VirtualBox.
Installation Notes for different platforms:
• Mac: you need to allow Oracle apps to be installed in the security and privacy setting.
• Windows: check that your machine has enabled virtualization. This can be done by
entering your bios and enabling virtualization in a setting there. To check whether
you have virtualization enabled or not, we suggest you go to your task manager,
see a screenshot here: https://www.shaileshjha.com/wp-content/uploads/2017/
02/windows_10_task_manager_performance_tab_virtualization_enabled.jpg
• Linux, we expect the problem would be the same as windows.
2. Download the local DNS and attacker virtual machines.
3. Import the local DNS and attacker virtual machines. Follow how to import OVA files here:
https://www.virtualbox.org/manual/ch01.html#ovf-import-appliance.
4. [IMPORTANT] DO NOT SWITCH ON THE VMs YET. Before running the two
virtual machines, we need to configure VirtualBox to setup the network for the coursework
assignment.
5. Click “File” on the top left of the VirtualBox main UI. Then click “Preferences” as shown
in Figure 2.
Figure 2: Preferences
5
6. Click the “Network” tab on left panel. click the “+” icon to create a new NAT Networks
(NatNetwork) adaptor (if one does not exist). Double click on the NatNetwork, and look
at its configuration. Set the configuration as the same as what is shown in Figure 3.
Figure 3: Network Configuration
7. Enable Adapter 1 (and disable the other adapters if any are enabled), then choose “NAT
Network” and then NatwNetwork which is already declared in the previous step.
6
Figure 4: VM Network Adapter (the MAC address can be whatever VirtualBox assigns it.)
8. [IMPORTANT]: It is useful to take a snapshot of your current VMs (especially while doing
Question 1.c for cache poisoning to able to reset the DNS cache), just in case you may need
a VM reset at some point while conducting the attacks. You can take as many snapshots
as you want, but be aware they increse the size of your VMs substantially.
Figure 5: Menu - Take Snapshot
9. To restore from a snapshot that you have taken before, you can click the followings (you
need to shut-down the VM first).
Figure 6: Snapshot UI
7
10. Some Virtualbox installations may complain about USB 2.0 ad USB 3.0 not being
configured properly. If this happens, you can either revert to USB 1.0 or install a pack to
enable USB2.0 or USB3.0. Either approach is fine, but we suggest reverting to USB 1.0.
Figure 7: Enable the USB1.0 controller
11. [IMPORTANT] Switch on both VMs. First the DNS VM, then the attacker VM. After
you have switched on both, they will both be given an IP address each, it will be a 10.0.2.x
IP address. On the attacker machine, you can manually set it in the ethernet network
connection information (click “edit connection”, in the upper right corner). The gateway
IP address will be: 10.0.2.1 and the network mask will be: 255.255.255.0. You will need
to find out what IP address is your DNS separately. You can either scan your network to
do so, or use a number of Linux commands to find this out.
SD & JH 20 March 2020
8

联系我们 - QQ: 99515681 微信:codinghelp
程序辅导网!