Swansea University College of Science
Prifysgol Abertawe Coleg Gwyddoniaeth
May/June 2018/19
CSCM28
Security Vulnerabilities and Penetration Testing
Time Available: 2 hours
Coordinator: Dr P D James
Queries: The Exams Office hold contact details for this paper
Only University-supplied dictionaries are permitted
Calculators: Not Permitted
Attempt all questions
Question 1: Methodologies and Legalities
(a) Outline each of the six main phases of penetration testing. For each phase,
describe the main activities of the phase and state one tool that can be used to
support the phase. [12 marks]
(b) Recently, the UK government has discussed various issues around the use
of encrypted communication systems. Assume that a law stating the following,
rather extreme reaction, was passed:
“All encrypted communication is illegal.”
For each of the phases of penetration testing explain what would be affected by
this law. Use suitable examples to explain what information would now be readily
available for penetration testers to obtain within each of the affected phases.
[10 marks]
(c) The Investigatory Powers Act 2016 details new powers for UK intelligence
agencies and law enforcement. Describe three of these new powers and explain
why and how they affect penetration testers and security professionals working
within UK intelligence agencies. [6 marks]
CSCM28: Page 1 of 5
Question 2: Protocols and Techniques
(a) Using Google is a good way to find out information about a target. Describe
how searching for information about a target can be undertaken in a passive
manner using Google. [4 marks]
(b) Consider the following URL:
http://win-or-lose.com/index.html
For each of the following Google search operators, state whether or not the
operator is applicable to the URL and if it is, highlight which part of the URL is
searched.
• SITE
• INTITLE
• INURL
• FILETYPE
• LINK
• INTEXT
[6 marks]
(c) When using network scanning tools, there are four core protocols typically
involved. List each of the protocols and state what their main purpose is with
respect to the network stack. [8 marks]
(d) Consider an IP router containing entries for the following CIDR (Classless
Inter-Domain Routing) networks:
Name Network
A 192.168.100.0/24
B 192.168.101.128/25
C 192.169.101.192/26
D 193.168.101.224/27
The router receives a packet with destination address 192.168.101.130. The router
determines that it should forward the packet to network B. Part of this process
will check that this packet is not addressed for networks A, C and D. Demonstrate
the steps and perform the calculations that are made to check the packet is not
designated for network C. [6 marks]
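The check described in part (d) can be carried out mechanically. The following Python is an added example, not part of the exam paper or its marking scheme: it builds the netmask from the prefix length, ANDs it with the destination address, and compares the result with each network address, using the four route entries exactly as printed in the question (including their second and first octets as given). The longest-prefix selection generalises the question's single check to the whole table.

```python
# Added example (not from the exam paper): performing the "is destination X inside
# network N?" check from Question 2(d) by hand-style bit arithmetic.
from typing import Dict, Optional


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix_len: int) -> int:
    """Netmask for /prefix_len, e.g. /26 -> 255.255.255.192 (top 26 bits set)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def membership_check(dest: str, cidr: str) -> Dict[str, object]:
    """Return every intermediate value of the check: (dest AND mask) == network address."""
    net_str, plen_str = cidr.split("/")
    mask = prefix_mask(int(plen_str))
    dest_int = ip_to_int(dest)
    net_int = ip_to_int(net_str) & mask  # canonical network address
    return {
        "cidr": cidr,
        "mask": int_to_ip(mask),
        "dest_and_mask": int_to_ip(dest_int & mask),
        "network": int_to_ip(net_int),
        "match": (dest_int & mask) == net_int,
    }


def longest_prefix_match(dest: str, routes: Dict[str, str]) -> Optional[str]:
    """Name of the route containing dest; the longest matching prefix wins."""
    best_name, best_len = None, -1
    for name, cidr in routes.items():
        plen = int(cidr.split("/")[1])
        if membership_check(dest, cidr)["match"] and plen > best_len:
            best_name, best_len = name, plen
    return best_name


# Routing entries exactly as printed in the question.
ROUTES = {
    "A": "192.168.100.0/24",
    "B": "192.168.101.128/25",
    "C": "192.169.101.192/26",
    "D": "193.168.101.224/27",
}

if __name__ == "__main__":
    dest = "192.168.101.130"
    for name, cidr in ROUTES.items():
        r = membership_check(dest, cidr)
        verdict = "match" if r["match"] else "no match"
        print(f"{name}: {dest} & {r['mask']} = {r['dest_and_mask']} "
              f"vs network {r['network']} -> {verdict}")
    print("forward to:", longest_prefix_match(dest, ROUTES))
```

For network C the mask is 255.255.255.192, the destination ANDed with it is 192.168.101.128, and the network address is 192.169.101.192, so the comparison fails at the second octet before the host bits even matter; only B matches, so B is selected.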
(e) Nmap provides a number of TCP scans that can be useful for fingerprinting
of services. Discuss two different TCP scans provided by Nmap and describe how
they work, including details on the flags set within the communicated TCP packets.
[6 marks]
(f) Explain how the traceroute command works including details on the packets
that are sent. What information can a penetration tester gain from running
traceroute? [4 marks]
Question 3: Vulnerabilities
(a) The following is a snippet of an entry from a Linux shadow file.
john:$1$fnfffc$pGteyHdicpGFx:...
Explain each value of the snippet, describe how the salt is used and explain why
storing salt values in plaintext is acceptable. [6 marks]
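The shadow entry in part (a) uses the modular-crypt layout `$id$salt$hash`. The Python below is an added example, not part of the exam paper: it splits the snippet from the question into its fields, and then shows why the salt can be stored in the clear. Because md5-crypt is not available in Python's standard library, the salting demonstration uses PBKDF2-HMAC-SHA256 as a stand-in for the `$1$` algorithm; the hash values it produces are therefore not the ones a real shadow file would hold.

```python
# Added example (not from the exam paper): parsing a shadow entry and
# demonstrating the role of the salt with a stand-in salted hash.
import hashlib
import hmac
from typing import Dict

# The snippet exactly as printed in the question.
SHADOW_LINE = "john:$1$fnfffc$pGteyHdicpGFx:..."

# Identifiers used by glibc crypt(3); "1" is md5-crypt.
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}


def parse_shadow_entry(line: str) -> Dict[str, str]:
    """Split 'user:$id$salt$hash:...' into its named components."""
    fields = line.split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry")
    username, pw_field = fields[0], fields[1]
    parts = pw_field.split("$")  # ['', id, salt, hash] for the modular-crypt format
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"unexpected password field layout: {pw_field}")
    _, alg_id, salt, digest = parts
    return {
        "username": username,
        "algorithm_id": alg_id,
        "algorithm": CRYPT_IDS.get(alg_id, "unknown"),
        "salt": salt,
        "hash": digest,
    }


def salted_hash(password: str, salt: bytes, iterations: int = 20_000) -> str:
    """Stand-in for md5-crypt: the salt is mixed into the hash along with the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    """Checking a login needs the salt in the clear: recompute and compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)


def salt_demo(password: str = "correct horse") -> Dict[str, object]:
    """Same password under two salts gives unrelated hashes, yet each still verifies."""
    h1 = salted_hash(password, b"fnfffc")      # salt taken from the question's entry
    h2 = salted_hash(password, b"ZzQ9mx")      # a second, constructed salt
    return {
        "hashes_differ": h1 != h2,
        "verifies_with_own_salt": verify(password, b"fnfffc", h1),
        "fails_with_other_salt": not verify(password, b"ZzQ9mx", h1),
        "fails_wrong_password": not verify("wrong", b"fnfffc", h1),
    }


if __name__ == "__main__":
    print(parse_shadow_entry(SHADOW_LINE))
    print(salt_demo())
```

The parsed salt is `fnfffc` and the stored digest is `pGteyHdicpGFx`; knowing the salt does not let anyone skip the hash computation, it only stops one precomputed table from serving every user, which is why it can sit in plaintext next to the hash.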
(b) Using gdb on a 32-bit executable that crashes with large inputs, you have
detected that the stack pointer register ($esp) contains the value 0xffffd578
and the base pointer register ($ebp) contains the value 0xffffd5f8. Describe
how you could use this information to perform a buffer overflow attack. You can
assume you have available shellcode consisting of 24 bytes of hex. You should
include in your discussion accurate lengths of strings needed to perform the attack.
[10 marks]
(c) Explain what ASLR means and how it would prevent your buffer overflow
from Part (b) from working. [4 marks]
(d) Web applications often need to perform session management in order to keep
track of users interacting with the application. Explain what session management
is and describe two attacks that penetration testers may use against it. [8 marks]
(e) Consider the following snippet of code that has been taken from a web
application:
<?php
print("Please enter the name of file to remove");
$file = $_GET["filename"];   // value taken directly from the query string
system("rm $file");          // interpolated into a shell command string as-is
?>
Explain the vulnerability exhibited by this code and why it occurs. What kind of
Metasploit exploit might an attacker craft in order to exploit this vulnerability?
Explain how such an exploit works. [10 marks]
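The defect in the snippet is that a query-string value reaches `system()` inside a shell command string, so shell metacharacters in `filename` are interpreted rather than treated as part of a file name. The Python below is an added example, not part of the exam paper and not a PHP rewrite: it is a hardened analogue of the same "delete a named file" operation showing the three mitigations a reviewer would ask for: an allow-list check on the name, a containment check on the resolved path, and invoking `rm` with an argument list instead of a shell string. The directory and file it operates on are created in a temporary location so the demo runs safely.

```python
# Added example (not from the exam paper): a hardened analogue of the
# vulnerable "rm $file" snippet, implemented in Python.
import os
import re
import subprocess
import tempfile
from typing import Dict

# Allow-list: one plain file name, alphanumeric start, no separators, no shell
# metacharacters, no leading dot (so "." and ".." are excluded too).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_name(filename: str) -> bool:
    """True only for names that cannot carry path or shell syntax."""
    return SAFE_NAME.fullmatch(filename) is not None


def remove_upload(filename: str, base_dir: str) -> str:
    """Delete one file inside base_dir and return its path.

    1. reject any name that fails the allow-list (instead of trying to escape it);
    2. confirm the resolved path is directly inside base_dir (defeats symlink tricks);
    3. run rm with an argv list, so nothing is parsed by a shell.
    """
    if not is_safe_name(filename):
        raise ValueError("rejected filename")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(target) != base:
        raise ValueError("path escapes base directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    subprocess.run(["rm", "--", target], check=True)  # list form: no shell involved
    return target


def demo() -> Dict[str, object]:
    """Create a throwaway directory and file, delete it, and report what happened."""
    with tempfile.TemporaryDirectory() as base:
        path = os.path.join(base, "report.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        removed = remove_upload("report.txt", base)
        rejected = []
        # Constructed inputs that must be refused before any command runs.
        for bad in ("../report.txt", "a; echo injected", "$(id).txt", "report.txt|cat"):
            try:
                remove_upload(bad, base)
            except ValueError:
                rejected.append(bad)
        return {
            "removed_path": removed,
            "exists_after": os.path.exists(path),
            "rejected_count": len(rejected),
        }


if __name__ == "__main__":
    print(demo())
```

Rejecting unexpected input outright is preferable to escaping it: an allow-list leaves no metacharacter to mishandle, and the argv form means that even a name that slipped through would be passed to `rm` as a single literal argument.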
End of Paper