WEEK 6 – TASK 6.1P Pass Task.
Release Date: 11 April, Due Date: 2 May, End Date: 9 May.
Learning Outcomes
In this task, you will learn more about a few different network security topics, including network footprinting and packet inspection. This task complements the theoretical discussions in weeks 4 and 5.
Instructions
An answer sheet template is available on OnTrack under ‘Resources’. Please download the answer sheet and fill it in with your answers. To upload to OnTrack, you need to convert the answer sheet document to PDF. MS Word includes built-in PDF conversion capability.
All questions and their sub-questions of this task must be attempted. If screenshots are required, please ensure that text in screenshots is readable.
Remember that troubleshooting technical problems is part of learning in this field. You must patiently work through issues and solve them. Tasks are not step-by-step guides. You need to be in the driver’s seat and learn concepts by doing – as you would when you start your future job (many times even your future supervisor doesn’t know the answer to the problems you face). After patient troubleshooting and research, if you need help:
Help is always available in SIT182. Please go to Discussions and ask your questions about this task in Task 6.1P. All students are encouraged to participate and help peers with their questions. Helping others is a great way to learn and think about aspects you may have overlooked. You can also seek help from tutors during online and face-to-face pracs. Please do not raise your questions through Teams, OnTrack, or Email.
References
In cyber security, our preferred referencing style is IEEE – however, you are allowed to use any Deakin approved referencing style in this unit. Please refer to unit site > Content > Referencing – Hints & Tips for more information.
This task involves working on a set of challenges.
To access the challenges, you need to open the VM from VirtualBox. We will use the same VM that you used for Task 2.1P.
Note: If you are using cyber lab PCs, you will need to import the VM into VirtualBox from Drive D > VM folder, just like you did for Task 2.1P.
First, ensure that Kali is connected to the Internet. Check the Settings of the VM and ensure the Network Adapter is connected either through NAT or Bridged Adapter.
Run the VM (remember that the username and password are both kali). Ensure the Network Adapter is connected using the toolbar at the bottom of the VM window.
At this point you should have access to the Internet from Kali. In Kali, open the Web Browser.
SIT182 – Real World Practices for Cyber Security Ontrack.deakin.edu.au
You will need to complete both Challenges 1 and 2 for this task. All questions from A – K must be included in your answer sheet for Task 6.1P.
NETWORK RECONNAISSANCE
Reconnaissance is a set of processes and techniques (Footprinting, Scanning & Enumeration) used to covertly discover and collect information about a target system. During reconnaissance, an ethical hacker attempts to gather as much information about a target system as possible. We now try to gather some publicly available information about a domain. This information could be used as part of a plot against a system (e.g., social engineering).
Let’s try to see what information we can find about linux-bible.com.
Run the Virtual Machine (VM) and log in using the credentials used in previous tasks. Ensure that you have a working Internet connection for the VM. If you don’t have access to the Internet, refer to the previous weeks’ tasks and ensure the relevant options are enabled. Once your VM is up and running, click on the Terminal Emulator application.
Type the following command in the Terminal:
whois linux-bible.com
Review the information retrieved after running the command. Now, answer the following questions:
Question A:
1. This domain was created in 2020. Is this correct? If not, on what date was this domain first created?
2. When does the registration of the domain expire?
3. What is a “Name Server” and what is it used for? (Include a reference for your answer.) What are the Name Servers for this domain?
4. What is a Registrar? Who is the registrar of this domain?
Let’s use another command. Open Terminal app again. This time run the following command:
host 128.184.20.21
Question B:
1. Include a screenshot of the output you get.
2. What is the host command used for? (Include a reference for your answer)
Now, run the following command:
host -t mx deakin.edu.au
Question C:
1. Include a screenshot of the output you get.
2. What is an MX record in DNS?
Time to try another command. In the Terminal run the following command:
ping deakin.edu.au
After about 5 seconds, stop the ping command by pressing Ctrl+C. You should have ping responses similar to the following (with different values):
64 bytes from jobs.deakin.edu.au (128.184.20.21): icmp_seq=1 ttl=240 time=6.07 ms
Note: If for any reason deakin.edu.au stops replying to your ping requests, use google.com or linux-bible.com.
Question D:
1. Include a screenshot of the output you get.
Investigate the ping command and answer the following questions:
2. What is ICMP?
3. Fill in the blanks: A correctly-formed ping packet is typically ____ bytes in size, or ___ bytes when the ICMP header is considered, and ___ including the Internet Protocol version 4 header.
4. What does `ttl’ refer to in the ping command output?
Time to explore the `traceroute’ command.
Open a new Terminal app in the VM and run the following command:
sudo python -m SimpleHTTPServer 80
After you hit Enter, it will prompt you to provide your VM password. If everything goes well, you will have a local web server running.
Leave the Terminal with the HTTP server open. Run the Web Browser in the VM:
In the web browser access the following address:
Question E:
1. Using the “host” command you learned about earlier, find the IP address for localhost. What is the IPv4 address for localhost?
2. Do you need Internet access to retrieve the “localhost” domain?
Open up a 2nd Terminal app and run the following command in it:
traceroute localhost
Review the output you get. Leave the 2nd Terminal open.
Now, open up a 3rd Terminal app and run the following command in it:
traceroute linux-bible.com
Compare the output you get after running traceroute for localhost and for linux-bible.com.
Question F:
1. What is a `hop’ referring to in the output for the traceroute command?
2. What happens if one of the servers/routers in the hops is not listening for ICMP echo requests?
3. How can an attacker use “traceroute” when targeting computer networks? Click here to access a suggested reading to find the answer to this question.
Visual Traceroute
Access https://geotraceroute.com in the Web Browser. In the left panel, click on `run another traceroute’. Pick the Source server that is closest to your location (e.g., Australia Sydney) and use “linux-bible.com” as the Site (i.e., destination). This will show you a nice visual representation of how your traffic travels around the world. Try a few different sites and see how they compare.
Note: if many users attempt to access this website during practical time from the university network, it may enforce a temporary ban on the IP (it’s a free service and they want to avoid DoS and associated costs). Wait a few hours and try to do this at a later time (maybe from home).
You can close all the Terminal application windows in the VM.
Challenge 1 – Question G
Challenge 1 is to crack a password. Using the host command, find the IP address of the domain linux-bible.com. Include a screenshot of your host command and its results.
PACKET INSPECTION
In this challenge, you will run two docker instances, understand the basics of networking and inspect packets using tcpdump.
Initial Setup
Open the VM and run the Terminal application. Ensure that the VM is connected to the Internet. In the Terminal, run the following command:
$ sudo dockerd
Leave this Terminal running (i.e., do not close it).
Now, open another Terminal and run the following command:
If everything goes well, you should see something like the below in the Terminal:
Type exit and you will get out of the docker.
Now, open two separate Terminal app instances in the VM and run the following command in each:
$ sudo docker run -it --rm secunive/seclab:lab4 ash
Interfaces
You can inspect network interfaces using ifconfig:
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          …
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          …
Explanation:
there are two interfaces, eth0 and lo
eth0 has address 172.17.0.2 and mask 255.255.0.0, meaning that the interface is connected to a subnetwork in which hosts have addresses of the form 172.17.*.*. The broadcast address is 172.17.255.255
lo has address 127.0.0.1 with mask 255.0.0.0 and represents the loopback interface, mapping directly to the localhost
Question H:
1. Include a screenshot of running the “ifconfig” command in each of the terminals. What is the IP address for eth0 in Terminal 1 and what is the IP address for eth0 in Terminal 2?
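The explanation above derives the host range and broadcast address from an address and netmask by eye. The following Python script is an added example (not part of the lab sheet or the seclab image) that does the same derivation with the standard-library ipaddress module, using the eth0 and lo values from the ifconfig output as constructed input, and checks whether the second container’s address from Question I (172.17.0.3) sits on the same subnet as the first, which is why ping between them needs no gateway.

```python
"""Derive network, broadcast and host capacity from an address + netmask.
Added example for the lab's ifconfig explanation; input values are the
constructed ones shown in the lab output, not read from a live interface."""
import ipaddress

# Constructed: address/netmask pairs exactly as printed by the lab's ifconfig.
INTERFACES = {
    "eth0": ("172.17.0.2", "255.255.0.0"),
    "lo": ("127.0.0.1", "255.0.0.0"),
}


def describe_interface(addr: str, mask: str) -> dict:
    """Return what a dotted-quad address and netmask imply: the network
    address, CIDR prefix, broadcast address and number of usable hosts."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "prefix": net.prefixlen,                 # 255.255.0.0 -> 16
        "broadcast": str(net.broadcast_address),  # all host bits set to 1
        "usable_hosts": net.num_addresses - 2,    # minus network + broadcast
        "loopback": iface.ip.is_loopback,         # True only for 127.0.0.0/8
    }


def same_subnet(addr_a: str, mask: str, addr_b: str) -> bool:
    """True when addr_b lies inside the network defined by addr_a and its
    netmask, i.e. the two hosts can exchange frames without a router."""
    net = ipaddress.IPv4Interface(f"{addr_a}/{mask}").network
    return ipaddress.IPv4Address(addr_b) in net


if __name__ == "__main__":
    for name, (addr, mask) in INTERFACES.items():
        print(name, describe_interface(addr, mask))
    # Both lab containers are in 172.17.0.0/16, so no gateway hop is needed.
    print("same subnet:", same_subnet("172.17.0.2", "255.255.0.0", "172.17.0.3"))
```

Run it and compare the printed broadcast address with the Bcast field in your own screenshot; if your container received a different eth0 address, the network and broadcast values should still agree with the ones above as long as the mask is 255.255.0.0.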
Check Connectivity: Ping
We now use ping to check network connectivity. In Terminal 1, we first run ping with the eth0 address:
$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.095 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.093 ms
64 bytes from 172.17.0.2: seq=2 ttl=64 time=0.083 ms
ping sends an ICMP echo request to the destination that answers with an ICMP echo reply. When the reply is received the roundtrip time is displayed, for diagnostic purposes. In this example the host is pinging itself using the external network interface eth0 (notice that replies come from address 172.17.0.2 even if we are pinging the local host).
A similar effect is achieved when pinging localhost (which is an alias for 127.0.0.1):
$ ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.097 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.094 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.094 ms
Question I:
1. Ping host 172.17.0.2 from the second docker instance in the second terminal (that should have the address 172.17.0.3) and vice-versa, to check network connectivity between the two hosts. Include screenshots confirming that you have executed the commands and received ping replies confirming connectivity between the two hosts.
Packet inspection
tcpdump is a powerful tool for traffic analysis. For example, we can run it on host 172.17.0.2 in order to inspect the ICMP packets sent/received by ping:
$ tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Explanation:
option -n prevents converting addresses to names
icmp specifies to only inspect ICMP packets
Now if we ping from the host 172.17.0.3 (running in your 2nd Terminal) we get the following output (numbers may vary for you):
18:16:58.300947 IP 172.17.0.3 > 172.17.0.2: ICMP echo request, id 2560, seq 0, length 64
18:16:58.301009 IP 172.17.0.2 > 172.17.0.3: ICMP echo reply, id 2560, seq 0, length 64
18:16:59.301422 IP 172.17.0.3 > 172.17.0.2: ICMP echo request, id 2560, seq 1, length 64
18:16:59.301509 IP 172.17.0.2 > 172.17.0.3: ICMP echo reply, id 2560, seq 1, length 64
18:17:00.305286 IP 172.17.0.3 > 172.17.0.2: ICMP echo request, id 2560, seq 2, length 64
18:17:00.305316 IP 172.17.0.2 > 172.17.0.3: ICMP echo reply, id 2560, seq 2, length 64
We observe that
each line is a packet
packets from 172.17.0.3 to 172.17.0.2 are ICMP echo requests
packets from 172.17.0.2 to 172.17.0.3 are ICMP echo replies
requests and replies have matching id and seq numbers
In the 2nd Terminal with IP 172.17.0.3 press Ctrl+C to stop the ping command you started.
Useful links
tcpdump documentation on the tcpdump website
tcpdump tutorial with examples
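The observations above (one packet per line, requests and replies matched by id and seq) are exactly what an analyst checks when reading a capture. The following Python script is an added example, not part of the lab sheet or the seclab image, that parses tcpdump ICMP lines in the format shown, pairs each echo request with the reply carrying the same id and seq in the reverse direction, computes the round-trip time from the timestamps, and reports requests that never got a reply. The sample input is constructed: it is the six lines from the lab plus one extra request (seq 3, to 172.17.0.9) that receives no reply, so the unanswered case is exercised.

```python
"""Pair ICMP echo requests with replies in `tcpdump -n icmp` output.
Added example for the lab's packet-inspection section; the SAMPLE text is
constructed from the lab's lines plus one deliberately unanswered request."""
import re
from datetime import datetime

SAMPLE = """\
18:16:58.300947 IP 172.17.0.3 > 172.17.0.2: ICMP echo request, id 2560, seq 0, length 64
18:16:58.301009 IP 172.17.0.2 > 172.17.0.3: ICMP echo reply, id 2560, seq 0, length 64
18:16:59.301422 IP 172.17.0.3 > 172.17.0.2: ICMP echo request, id 2560, seq 1, length 64
18:16:59.301509 IP 172.17.0.2 > 172.17.0.3: ICMP echo reply, id 2560, seq 1, length 64
18:17:00.305286 IP 172.17.0.3 > 172.17.0.2: ICMP echo request, id 2560, seq 2, length 64
18:17:00.305316 IP 172.17.0.2 > 172.17.0.3: ICMP echo reply, id 2560, seq 2, length 64
18:17:01.310000 IP 172.17.0.3 > 172.17.0.9: ICMP echo request, id 2560, seq 3, length 64
"""

# Matches the one-line-per-packet format tcpdump uses for ICMP echo with -n
# (numeric addresses, so no hostnames appear in the src/dst fields).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<len>\d+)$"
)


def parse(text: str) -> list:
    """Return one dict per ICMP echo line; other tcpdump lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
        for key in ("id", "seq", "len"):
            d[key] = int(d[key])
        pkts.append(d)
    return pkts


def pair_echoes(pkts: list):
    """Match requests to replies with the same (id, seq) flowing back from
    dst to src. Returns (matched, unanswered) where matched holds
    (src, dst, seq, rtt_ms) tuples and unanswered holds request dicts."""
    pending = {}   # (id, seq, src, dst) -> request packet awaiting a reply
    matched = []
    for p in pkts:
        if p["kind"] == "request":
            pending[(p["id"], p["seq"], p["src"], p["dst"])] = p
        else:
            # A reply's src/dst are the request's dst/src.
            req = pending.pop((p["id"], p["seq"], p["dst"], p["src"]), None)
            if req is not None:
                rtt_ms = (p["ts"] - req["ts"]).total_seconds() * 1000
                matched.append((req["src"], req["dst"], p["seq"], round(rtt_ms, 3)))
    return matched, list(pending.values())


if __name__ == "__main__":
    matched, unanswered = pair_echoes(parse(SAMPLE))
    for src, dst, seq, rtt in matched:
        print(f"{src} -> {dst} seq={seq} rtt={rtt} ms")
    for req in unanswered:
        print(f"no reply: {req['src']} -> {req['dst']} seq={req['seq']}")
```

A run of unanswered requests from one source to many destinations is what a ping sweep looks like in a capture, which is why pairing by id and seq, rather than just counting ICMP lines, is the useful check.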
Challenge 2 – Question J:
The ARP protocol is used to discover the Media Access Control (MAC) address corresponding to a certain IP address. Whenever a host needs to connect to an IP address it has not used recently (for which it has no cached MAC address), it broadcasts an ARP request.
Find the correct tcpdump option to sniff ARP packets and ping 172.17.0.10 from 172.17.0.3 (in the 2nd Terminal) to observe an ARP request of the form ARP, Request ……. 172.17.0.10 tell 172.17.0.3.
The ……. is the password.
What is the password you obtained?
Question K: Reflection Point – How did this task complement the theoretical concepts you learned in Week 4 and Week 5? What did you learn that was most exciting for you? Are you finding it easier to use the shell for hands-on activities?