IY2840 Coursework 3: Network and Web Security
Deadline: 23:59, 31 Mar 2020
This is a blind submission, and submissions must be made as a ZIP compressed file on Moodle. This compressed file should include the coursework report, network packet files (in pcap format) and the necessary source-code files. The report must be in PDF format; other formats such as .docx or .pages are not accepted. This coursework counts for 10% of your grade on this module and is worth 100 marks in total. We expect a good submission to be succinct and less than six pages in length. Learning outcomes assessed are:
• Understanding of network packets and how to capture and investigate them.
• Understanding the fundamentals of network attack detection.
• Understanding key network infrastructure to identify key DNS security concerns.
• Understanding the fundamentals of Web attacks and their countermeasures.
IMPORTANT:
• Use Wireshark to analyse the .pcap files in the coursework attachment.
• Download the following virtual machines (VMs):
– The local DNS VM: https://www.dropbox.com/s/26fm3taangct6nr/Ubuntu-Local_DNS_Server.ova
– The attacker VM: https://www.dropbox.com/s/z8652jo7i5rwwny/SEEDUbuntu-attacker.ova
These VMs must be used to test some of the solutions for this coursework, so you need to install them on your own machine. Keep in mind that you only have access to the attacker machine, and that the local DNS VM must be on for Question 1.c and the whole of Question 2. To set up the environment, follow the setup and configuration guidelines (see Appendix).
• Use the source files (source-files-coursework3.zip) for Questions 1.a and 1.c.
• All answers that involve developing a program will be checked on a SEEDLab VM, so it is important to make sure that the solutions you provide run on this platform.
This coursework aims to have you reflect on Web and Network security. To get started, it is important to review the lecture notes, the lab materials and the course text, and also to investigate online resources. We are not after essays in this coursework; we are after concise and succinct responses to each question with some proof of implementation (code snippets and screenshots). Do share useful resources that you find with others on the Moodle forum, but do not give any answers away. Note: all the work you submit must be solely your own work, and you should make sure the submitted file is not corrupted. Submissions are routinely checked for plagiarism. If for whatever reason you do not see the expected outcome of any of your attacks, be sure to still report on what you have tried to do, as this will still earn you almost (if not all) of the points for the attempt.
Questions
1. Question 1 (55 Marks).
(a) A security analyst has the c1.pcap, c2.pcap and c3.pcap files which are network traffic captures of different network segments. The analyst wants to identify potential attacks in these files. You are asked to assist them in their task. Examine these pcap files to determine the attacks within these files and justify your answers. Submit your answer and your justification in your report. (15 marks).
(b) It is important for security analysts to understand suspicious activity in pcap files. This is often done by reproducing attacks. Write a program that reproduces the c2.pcap attack (hint: refer to Lab 7 on how to create network programs) and describe the program briefly in the report. Also provide a pcap capture, taken with Wireshark, of your program running (your pcap and the provided pcap are not expected to be identical, as the addresses will differ in your network settings). Submit your source code and the traffic-capture file from running your program. (15 marks)
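Questions 1(a) and 1(b) are about recognising an attack from the packets it leaves behind. The following Python is an added example, not one of the coursework's c1-c3 captures and not a model answer for them: it reads a libpcap file directly with the standard library (no scapy), extracts the IPv4/TCP fields that matter for two common patterns, and applies two simple heuristics, one for a port scan (one source sending SYNs to many distinct host/port pairs) and one for a SYN flood (a host receiving many SYNs of which almost none are followed by the handshake-completing ACK). The capture it analyses is constructed in memory; the 10.0.2.x addresses are made up within the range the coursework VMs use. The same `read_pcap` generator can be pointed at a real file read with `open(path, "rb").read()`.

```python
"""Port-scan and SYN-flood heuristics over a libpcap file.

Added example, not one of the coursework's c1-c3 captures nor a model answer
for them: a minimal libpcap reader (Ethernet/IPv4/TCP only, standard library
only) and two detection heuristics, run on a capture constructed in memory.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
SYN, ACK = 0x02, 0x10

def tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp            # zero MACs, EtherType IPv4

def write_pcap(frames):
    """Serialise frames in libpcap format, link type 1 (Ethernet), one frame per second."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (src, dst, sport, dport, tcp_flags) for every IPv4/TCP frame in a pcap byte string."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24                                                # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]               # byte 13 of the TCP header holds the flags

def detect(data, scan_ports=20, flood_syns=100, flood_ratio=0.2):
    """Findings: sources sending SYNs to many distinct (host, port) pairs, and hosts receiving
    many SYNs of which few are followed by a bare ACK (handshakes that never complete)."""
    targets = defaultdict(set)                              # src -> {(dst, dport)} seen with SYN
    syn_to, ack_to = defaultdict(int), defaultdict(int)     # counts per destination host
    for src, dst, sport, dport, flags in read_pcap(data):
        if flags & SYN and not flags & ACK:
            targets[src].add((dst, dport))
            syn_to[dst] += 1
        elif flags & ACK and not flags & SYN:
            ack_to[dst] += 1
    findings = [("port_scan", src, len(t)) for src, t in targets.items() if len(t) >= scan_ports]
    findings += [("syn_flood", dst, n) for dst, n in syn_to.items()
                 if n >= flood_syns and ack_to[dst] / n < flood_ratio]
    return findings

def sample_capture():
    """Constructed traffic: one completed handshake, a 30-port scan from 10.0.2.15, and 150 SYNs
    from forged 10.0.2.100-149 sources at 10.0.2.5:80 that are never acknowledged."""
    frames = [tcp_frame("10.0.2.4", "10.0.2.5", 40000, 80, SYN),
              tcp_frame("10.0.2.5", "10.0.2.4", 80, 40000, SYN | ACK),
              tcp_frame("10.0.2.4", "10.0.2.5", 40000, 80, ACK)]
    frames += [tcp_frame("10.0.2.15", "10.0.2.6", 50000 + p, p, SYN) for p in range(1, 31)]
    frames += [tcp_frame("10.0.2.%d" % (100 + i % 50), "10.0.2.5", 1024 + i, 80, SYN) for i in range(150)]
    return write_pcap(frames)

if __name__ == "__main__":
    for finding in detect(sample_capture()):
        print(finding)
```

The thresholds are deliberately crude: a scanner that probes enough ports on one host will also trip the flood rule if `flood_syns` is set too low, so in a real capture you would confirm each finding with a Wireshark display filter (e.g. `tcp.flags.syn == 1 && tcp.flags.ack == 0`) before reporting it.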
(c) A local DNS server (running in the local DNS VM provided, as shown in Figure 1) is vulnerable to Kaminsky DNS cache poisoning. Dan Kaminsky developed an approach that overcomes the caching effect (see lecture 9, slides 34-37): attackers can continuously attack a DNS server for a domain name without having to wait, so a successful attack takes only a very short time. Here, an attacker attempts to poison the resource record for the domain www.example.org by pointing the name server field for this domain at ns.attackerns.net, a malicious DNS server. In the attacker VM, write a program that executes this attack (see the DNS security lecture): it sends DNS requests for non-existent domains (NXDOMAIN) to the local DNS server and spoofs the Name Server (NS) replies. The attacker must be able to run this attack remotely, i.e. the attacker has no way to capture the NS requests generated by the local DNS server, as the attacker is not part of the local DNS server's network.
Figure 1: Environment setup. See the appendix for setup information. Note that the IP address of the attacker may not be the same in your configuration. Use ifconfig to determine the attacker's IP address.
In the attachment, the udp.c file is provided to help you create a program to perform the attack. You will need to construct a DNS request and a DNS reply, filling each DNS field with the correct value; to understand the value in each field, you can use Wireshark to capture a few DNS query and response packets. Use port 33333 as the local DNS server's port, as it has been fixed for simplicity. You will need to find out the IP address of the name server for www.example.org to be able to hijack the NS replies; you will also need to use dig to get this information. Finally, you need to consider how to deal with random Query IDs when conducting this attack.
Provide the output (a screenshot) showing that your attack succeeded (i.e. showing the resource record of example.org with ns.attackerns.net), and report the changes made to the udp.c file, including the commands (e.g. dig) used to perform the attack and check its result. Submit your source code and add your screenshots to your report. (25 marks)
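The attack above works because the resolver accepts any reply whose 16-bit Query ID matches an outstanding query, and the coursework fixes the port at 33333 so the Query ID is the only value an attacker has to guess. The following Python is an added example, not the coursework's udp.c and not the code of the local DNS VM: it builds and parses DNS messages in wire format (uncompressed names only), keeps a resolver-side table of pending queries keyed by transaction ID, source port and question, and applies the bailiwick rule that glue in the additional section is only cached when its owner lies inside the delegated zone. `simulate()` sends one query with a random ID and random source port, feeds the resolver a burst of forged NXDOMAIN replies with guessed IDs and ports, and then the genuine reply; all packets and addresses (10.0.2.99 for the attacker, 192.0.2.53 for the glue) are constructed for the demonstration. The `Resolver` class shows the two defences a real resolver relies on: randomising the source port as well as the ID, and refusing out-of-bailiwick glue.

```python
"""Resolver-side checks on DNS replies, against Kaminsky-style spoofing.

Added example, not the coursework's udp.c nor the local DNS VM's code: a small
DNS wire-format builder/parser (uncompressed names only), a pending-query table
that accepts a reply only when transaction ID, destination port and question all
match an outstanding query, and a bailiwick rule that refuses to cache glue for
names outside the delegated zone. All packets and addresses are constructed.
"""
import random
import struct

TYPE_A, TYPE_NS = 1, 2

def norm(name):                     # canonical form: lower case, one trailing dot
    return name.rstrip(".").lower() + "."

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):          # returns (name, offset just after the name)
    labels = []
    while msg[off]:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels) + ".", off + 1

def build_query(txid, qname):       # standard query, RD set, one A question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)

def build_reply(txid, qname, zone, ns_name, glue_ip):
    """NXDOMAIN reply: 'zone NS ns_name' in the authority section, A glue for ns_name in additional."""
    hdr = struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 1, 1)     # QR|AA, rcode 3, 1 authority, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    ns_rdata = encode_name(ns_name)
    authority = encode_name(zone) + struct.pack("!HHIH", TYPE_NS, 1, 86400, len(ns_rdata)) + ns_rdata
    glue = encode_name(ns_name) + struct.pack("!HHIH", TYPE_A, 1, 86400, 4) + bytes(int(o) for o in glue_ip.split("."))
    return hdr + question + authority + glue

def txid_of(msg):
    return struct.unpack("!H", msg[:2])[0]

def parse_message(msg):
    """Return (txid, [(qname, qtype)], [(section, owner, rtype, rdata)])."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                                # qtype + qclass
    for section in ("answer",) * an + ("authority",) * ns + ("additional",) * ar:
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = decode_name(msg, off)[0] if rtype == TYPE_NS else msg[off:off + rdlen]
        off += rdlen
        records.append((section, owner, rtype, rdata))
    return txid, questions, records

def in_bailiwick(name, zone):
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

class Resolver:
    """Caching resolver stub: fresh random transaction ID and source port for every query."""
    def __init__(self, seed=0):
        self.rng = random.Random(seed)      # seeded only so the demo is reproducible
        self.pending, self.cache, self.dropped = set(), {}, 0

    def send_query(self, qname):
        txid, port = self.rng.getrandbits(16), self.rng.randint(1024, 65535)
        self.pending.add((txid, port, norm(qname)))
        return build_query(txid, qname), port

    def receive_reply(self, msg, dst_port):
        txid, questions, records = parse_message(msg)
        qname = norm(questions[0][0]) if questions else ""
        if (txid, dst_port, qname) not in self.pending:        # txid, port or question does not match: a guess
            self.dropped += 1
            return False
        self.pending.discard((txid, dst_port, qname))
        zones = [o for s, o, t, _ in records if s == "authority" and t == TYPE_NS]
        for section, owner, rtype, rdata in records:
            if rtype == TYPE_NS and not in_bailiwick(qname, owner):
                continue                                        # delegation unrelated to what was asked
            if section == "additional" and not any(in_bailiwick(owner, z) for z in zones):
                continue                                        # out-of-bailiwick glue is never cached
            self.cache[(norm(owner), rtype)] = rdata
        return True

def simulate(spoof_attempts=200, seed=1):
    """A burst of forged replies with guessed txid and port, then the genuine reply."""
    resolver = Resolver(seed)
    query, port = resolver.send_query("xyz.example.org")
    guesser = random.Random(seed + 1)
    for _ in range(spoof_attempts):
        forged = build_reply(guesser.getrandbits(16), "xyz.example.org", "example.org",
                             "ns.attackerns.net", "10.0.2.99")          # constructed attacker address
        resolver.receive_reply(forged, guesser.randint(1024, 65535))
    genuine = build_reply(txid_of(query), "xyz.example.org", "example.org",
                          "ns1.example.org", "192.0.2.53")              # constructed glue address
    return {"genuine_accepted": resolver.receive_reply(genuine, port),
            "dropped": resolver.dropped,
            "cached_ns": resolver.cache.get(("example.org.", TYPE_NS))}
```

Note what the bailiwick rule does and does not do: a forged reply whose ID and port happen to match still gets its NS record for example.org cached, because that owner is inside the zone that was asked about; only the attacker-supplied A record for ns.attackerns.net is discarded. The protection against the guessing itself comes from the size of the search space, 2^16 IDs when the port is fixed at 33333 versus roughly 2^32 when the port is random too, which is why the coursework has to fix the port to make the attack practical.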
2. Question 2 (45 Marks)
A company, "IY2840 Co.", owns a website at http://10.0.2.x/index.html (x here is unknown and students are expected to find it; this URL refers to the local DNS server VM, which hosts the company web server, see Figure 1) that is used for managing the company's employee records. To access the website's resources you need login credentials. This website is vulnerable to SQL injection (SQLi) and cross-site scripting (XSS) attacks.
(a) How can an attacker bypass the website login without having access credentials? Assume there is an 'admin' user for this system. Justify your answer and report the output (screenshot). Submit your answer and your justification in your report. (10 marks)
(b) An attacker is often keen on cracking the 'admin' password in the system; however, the password is usually protected by a hashing function (SHA1 is used in this website). How can an attacker learn the stored password for the admin user in this website? Demonstrate the steps to perform this attack, including the necessary injected inputs. Report the necessary screenshots. Finally, name two countermeasures to prevent SQL injection attacks. Submit your answer and screenshots in your report. (20 marks)
[Hints: this question is not meant to use any type of available brute-forcing tool against the website login (i.e. hitting the system with many randomised passwords). Instead, it requires you to perform a number of steps to learn about the database (schema, tables and columns) using UNION queries to reach the password data. Then you need to brute force this data (a hash value) to recover the actual password; for this you may use any online or offline tool for cracking the hash value.]
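Question 2(b) ends by asking for countermeasures, and the hint explains why the stored SHA1 value is crackable once it leaks. The following Python is an added example and is not the coursework website's code (the site's real query is not on this page; the vulnerable function below simply splices user input into SQL text, which is the pattern that makes UNION-based extraction possible). It shows, on a constructed in-memory SQLite table with one 'admin' row and a made-up password, a login that splices the username into the query beside a hardened one that (1) binds values as parameters so the database never parses them as SQL, (2) rejects usernames outside an allow-list before any query runs, and (3) stores a per-user salted PBKDF2 hash instead of bare SHA1, so that a leaked hash no longer yields the password to an offline cracker in reasonable time. `probe()` sends the same odd-looking username through both paths so the difference is visible.

```python
"""Login handling with and without SQL injection protection.

Added example, not the coursework site's code: an in-memory SQLite 'users'
table with constructed data, a vulnerable login that splices the username into
the query text, and a hardened login using parameter binding, allow-list
validation and a salted slow hash instead of unsalted SHA1.
"""
import hashlib
import hmac
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # allow-list: rejects quotes, spaces, comment markers

def hash_password(password, iterations=100_000, salt=None):
    """Salted PBKDF2-HMAC-SHA256: per-user salt defeats precomputed tables, iterations slow each guess."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, stored):
    iterations, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, int(iterations), bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)         # constant-time comparison

def make_db():
    """Constructed sample data: one admin row holding both the legacy SHA1 and the PBKDF2 form."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_sha1 TEXT, password_pbkdf2 TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", hashlib.sha1(b"correct horse").hexdigest(), hash_password("correct horse")))
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """String-spliced query: the username is parsed as SQL, so a quote changes the statement itself."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password_sha1 = '%s'" % (
        username, hashlib.sha1(password.encode()).hexdigest())
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    """Allow-list the input, bind it as a parameter, and verify against the salted slow hash."""
    if not USERNAME_RE.match(username):
        return False
    row = db.execute("SELECT password_pbkdf2 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])

def probe(db, username, password="not the password"):
    """Run one username through both login paths; returns {'vulnerable'|'hardened': ('ok', bool) | ('error', msg)}."""
    results = {}
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        try:
            results[name] = ("ok", fn(db, username, password))
        except sqlite3.Error as exc:
            results[name] = ("error", str(exc))
    return results

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "O'Brien"))          # the quote reaches the SQL parser only on the vulnerable path
```

A username such as `O'Brien` is enough to show the problem: the vulnerable path raises a SQL syntax error, which is exactly the signal an attacker uses to confirm that input is being parsed as SQL, while the hardened path treats it as data (and here rejects it at the allow-list before the database is consulted at all).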
(c) In many websites, session cookies are still widely used as a means to authenticate user requests and maintain session information for a specific period of time. These cookies are normally created once users log in to the website.
Suppose that you have already compromised the admin password from the previous question. Create an XSS attack scenario that lets you persistently steal the cookies of the current admin sessions on the website, even if the admin changes the password and the SQL injection problem is fixed for the website hereafter. As an attacker, you need to find the sink where to inject the script that obtains the cookie, and a way to receive the cookie. You may need to use the nc command to create a server in the attacker VM to capture the cookie. You may also use the following script/HTML methods for the attack; proposing different alternative script methods is acceptable (make sure those alternatives work):
1) Image().src="link to the image"
2) document.cookie
Report the steps of the scenario and the stolen cookie. Provide all necessary outputs (screenshots and traffic capture) showing that you performed a successful attack. Can you identify the type of XSS attack in this context? Submit your answer and screenshots in your report, along with a traffic packet capture file. (15 marks)
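The scenario in 2(c) depends on two things the website gets wrong: stored input is written into the page as live markup, and the session cookie is readable from `document.cookie`. The following Python is an added example, not the coursework site's code, showing the corresponding server-side fixes: escape every value that is interpolated into an HTML text context, and issue the session cookie with the HttpOnly attribute (plus Secure and SameSite) so that script running in the page cannot read it even if an injection slips through. The sample record and the cookie format (`session=<token>`) are constructed; `script_readable` is a small checker for Set-Cookie values that you could run against a real server's response header.

```python
"""Server-side defences relevant to the cookie-theft scenario in Question 2(c).

Added example, not the coursework site's code: escape stored data before it is
put into the page, so injected markup renders as text, and issue the session
cookie with HttpOnly (plus Secure and SameSite) so page script cannot read it
through document.cookie. The sample record and cookie value are constructed.
"""
import html
import re

def render_record(name, role):
    """Row template with every interpolated value escaped for an HTML text context."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(name), html.escape(role))

def session_cookie_header(session_id, secure=True):
    """Set-Cookie value: HttpOnly keeps the cookie out of document.cookie, SameSite limits cross-site sends."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{16,}", session_id):
        raise ValueError("session id must be an opaque random token")
    attrs = ["session=" + session_id, "Path=/", "HttpOnly", "SameSite=Strict"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)

def script_readable(set_cookie_value):
    """True when a browser would expose this cookie to script, i.e. the HttpOnly attribute is missing."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "httponly" not in attrs

if __name__ == "__main__":
    print(render_record("<b>not bold</b>", "staff"))       # constructed record: the tag is shown, not applied
    print(session_cookie_header("q7Xk2mNp9LwR4tYv8BcD"))   # constructed token
```

Output escaping addresses the injection sink; HttpOnly addresses what an injected script can reach. Neither replaces the other: an injected script can still act on the admin's behalf from inside the page, so escaping (or a content security policy) remains the primary fix, and HttpOnly is the containment that stops the cookie value itself from leaving the browser.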
Appendix: Setup and config. environment guidelines
In addition to your existing SEEDLab VM, you will for the purposes of this coursework also need a separate VM to be your DNS server.
1. Install VirtualBox: https://www.virtualbox.org/wiki/Downloads. Make sure you are using the most up-to-date VirtualBox.
Installation Notes for different platforms:
• Mac: you need to allow Oracle apps to be installed in the security and privacy setting.
• Windows: check that your machine has virtualization enabled. This can be done by entering your BIOS and enabling virtualization in a setting there. To check whether virtualization is enabled, we suggest you look in Task Manager; see a screenshot here: https://www.shaileshjha.com/wp-content/uploads/2017/02/windows_10_task_manager_performance_tab_virtualization_enabled.jpg
• Linux: we expect the same issue as on Windows.
2. Download the local DNS and attacker virtual machines.
3. Import the local DNS and attacker virtual machines. Follow how to import OVA files here: https://www.virtualbox.org/manual/ch01.html#ovf-import-appliance.
4. [IMPORTANT] DO NOT SWITCH ON THE VMs YET. Before running the two virtual machines, we need to configure VirtualBox to set up the network for the coursework assignment.
5. Click “File” on the top left of the VirtualBox main UI. Then click “Preferences” as shown in Figure 2.
Figure 2: Preferences
6. Click the "Network" tab on the left panel. Click the "+" icon to create a new NAT Network (NatNetwork) adapter (if one does not exist). Double click on the NatNetwork and look at its configuration. Set the configuration to match what is shown in Figure 3.
Figure 3: Network Configuration
7. Enable Adapter 1 (and disable the other adapters if any are enabled), then choose "NAT Network" and then the NatNetwork declared in the previous step.
Figure 4: VM Network Adapter (the MAC address can be whatever VirtualBox assigns it.)
8. [IMPORTANT]: It is useful to take a snapshot of your current VMs (especially while doing Question 1.c for cache poisoning, to be able to reset the DNS cache), just in case you need to reset a VM at some point while conducting the attacks. You can take as many snapshots as you want, but be aware that they increase the size of your VMs substantially.
Figure 5: Menu – Take Snapshot
9. To restore from a snapshot that you have taken before, click the following (you need to shut down the VM first).
Figure 6: Snapshot UI
10. Some VirtualBox installations may complain about USB 2.0 and USB 3.0 not being configured properly. If this happens, you can either revert to USB 1.0 or install a pack to enable USB 2.0 or USB 3.0. Either approach is fine, but we suggest reverting to USB 1.0.
Figure 7: Enable the USB1.0 controller
11. [IMPORTANT] Switch on both VMs: first the DNS VM, then the attacker VM. Once both are on, each will be given an IP address in the 10.0.2.x range. On the attacker machine, you can set it manually in the Ethernet network connection information (click "Edit connection" in the upper right corner). The gateway IP address will be 10.0.2.1 and the network mask 255.255.255.0. You will need to find out the IP address of your DNS VM separately; you can either scan your network or use a number of Linux commands to find it.
SD & JH 20 March 2020