COMM048 Information and Network Security 2018–2019, Semester 1 Coursework
Professor Liqun Chen
Surrey Centre for Cyber Security University of Surrey
Deadline
Coursework solutions must be uploaded to SurreyLearn by
Tuesday, 08.01.2019 (16:00 h)
Layout
Solutions, including a python script as part of Exercise 2, must be submitted in a single PDF document to the Coursework Submission Folder of the module. The first page of the submitted PDF document must contain this page and the form found below must be filled and signed by the student. All pages of the submission must contain your name and URN. It must be clear from the submission, which solutions refer to which exercise parts.
Miscellaneous
Exercises must be solved individually, without consultations with other students. Students are advised to read the exercise questions and supplementary materials carefully. This table must be filled by the student prior to submission:

Student's Name:  ____________________
URN:             ____________________

The following table will be filled during the marking process. Each exercise brings up to the number of points listed in the table that can be obtained by solving the corresponding tasks. Coursework results will be returned within three weeks of the submission deadline and feedback will be provided in form of solutions to compare with, which will be published on SurreyLearn.

                  Exercise 1   Exercise 2   Exercise 3   Exercise 4   Total
Maximum Points        25           20           30           25        100
Received Points
Introduction
Linux (Ubuntu)
It will be easier to use Ubuntu for most of the exercises. You can either use the virtual machines available in the lab, or install a virtual machine on your own computer.
To get the manual page of a program, e.g. Wireshark, type
..$ man wireshark
into a terminal window.
Wireshark
Wireshark ( https://www.wireshark.org/ ) is a well known GUI tool to interactively dump and analyze network traffic (introduced in Lecture 1 and Lab 1). It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark uses the common libpcap file format, which is also the format used by tcpdump and various other tools. In order to start Wireshark type
..$ sudo wireshark
in a terminal window. Use Wireshark's frame numbers to identify the network packets you refer to in your write-up: each captured packet is listed as a numbered frame, and selecting it shows the decoded protocol layers (Ethernet, IP, TCP, ...) in context.
Scapy
Scapy ( http://www.secdev.org/projects/scapy/ ) is a powerful interactive packet manipulation program (introduced in Lecture 1 and Lab 1). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It is written in python (http://www.python.org/) and also uses python syntax in its interactive interface. For full documentation see http://www.secdev.org/projects/scapy/doc/ . Run scapy using the following command:
..$ sudo scapy
There are two useful commands to remember, which are: ls() and ls(protocol). The first command lists all of the available protocols, and the second command lists all of the details relevant to a specific protocol. For instance, if you type ls(IP), you will see all of the details that can be edited when creating an IP packet.
Snort
Snort (http://www.snort.org) is a free and open source network intrusion prevention system and network intrusion detection system (introduced in Lecture 5 and Lab 5). For a complete overview, refer to the snort user manual in the Lab 5 directory.
Exercise 1: E-Mail Signing (25 Points)
In this exercise you should use OpenSSL (see Lab 2) to generate a signing certificate for your university e-mail address. You should send a signed e-mail to yourself and show that the certificate is accepted and seen as valid and include a screen capture in your write-up (for example, see Figure 1). The certificate has to be valid for 365 days and contain a 2048-bit RSA key. If you do not have an e-mail client on your computer you can use Thunderbird on an Ubuntu virtual machine.
Figure 1: Confirming the signature's validity
Hints
1. It will be easier to use Ubuntu and Thunderbird for this exercise as these make it straightforward to import and delete certificates as you experiment with the commands.
2. You will first need to become a root Certificate Authority as you did in Lab 2 and then create your e-mail signing certificate.
3. To conform with RFC 5280 the e-mail address should not be included in the Distinguished Name (leave that field blank) but placed in the certificate as a subjectAltName. To do this, set subjectAltName = email:<your address> in the [ usr_cert ] extensions section of the OpenSSL configuration file (this is the section name used by the stock openssl.cnf; it is also where the "OpenSSL Generated Certificate" comment in Listing 1 comes from).
4. You will need to import your CA certificate (as a trusted authority) together with your e-mail signing certificate and its private key (usually bundled as a PKCS#12 file) into your mail client.
Your write up for this exercise should contain at least the following information:
• A complete list of OpenSSL commands (including a description of each of the arguments) that were used to generate the private key and e-mail certificate. You do not need to include the commands that you use to become a Certificate Authority. (12 points)
• The certificate description output using OpenSSL (cf. Listing 1 for an example). (5 Points)
• A description of the steps taken to import the private key and certificate into your e-mail client and confirm its validity. (6 points)
• Your screen capture showing that your digital signature is accepted. (2 Points)
Listing 1: Example of an OpenSSL certificate printout (openssl x509 -text):
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2607447712 (0x9b6a7ea0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Surrey, O=COMM048 Ltd, CN=COMM048_CA
Validity
Not Before: Nov 4 14:02:51 2017 GMT
Not After : Nov 4 14:02:51 2018 GMT
Subject: C=GB, ST=Surrey, O=COMM048 Ltd, CN=COMM048_CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c7:f6:50:b3:bf:cc:ea:44:1a:47:85:e6:d7:1c:
49:a3:4b:1a:69:24:07:60:8b:45:17:46:7c:70:d6:
51:0a:71:6d:14:a8:dd:53:8a:5c:c5:40:1d:08:e0:
22:c9:a4:e0:c6:9a:8c:42:7b:a7:13:9b:6f:16:14:
f6:fb:fd:15:cf:d6:9e:bc:f3:44:88:64:c5:cd:7a:
0a:a0:21:e3:50:fa:f4:96:1c:02:fc:17:6e:25:0d:
a8:9a:87:e5:f5:d9:22:81:27:f3:c5:da:a4:56:31:
c9:3e:9a:df:fd:7a:e2:eb:9d:c8:1a:8b:5a:30:a0:
4a:f1:30:89:bb:13:63:43:52:bf:fc:7a:20:68:47:
ff:91:c1:e9:12:a0:e2:a0:cb:db:b8:0b:b6:70:88:
3d:63:16:2d:a0:ff:86:80:2b:ab:de:ac:72:a1:e9:
9c:0d:4d:1e:2f:85:4c:f1:f5:68:60:64:83:03:b7:
00:aa:15:95:e8:fd:5f:0a:7f:03:3f:c5:4a:4f:5f:
9f:f6:bd:d8:3a:02:8d:e3:62:a9:c6:b9:b1:04:61:
a3:20:04:d4:74:c2:a4:66:7b:29:d7:bd:5e:49:fe:
1d:8a:fc:6b:e4:c2:92:3c:0a:7a:12:bb:b4:8a:6d:
55:55:ca:f2:00:31:b3:cc:bc:5c:23:ef:3c:26:6e:
5a:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B4:E0:FC:64:77:5A:3E:1A:88:5A:28:78:B0:5F:CC:A5:DC:B5:CD:E2
X509v3 Authority Key Identifier:
keyid:DA:31:CF:2B:1B:3A:C4:09:1C:47:34:87:74:B6:92:5B:48:D8:60:47
X509v3 Subject Alternative Name:
email:G0FGZ@yahoo.co.uk
Signature Algorithm: sha256WithRSAEncryption
a7:6e:3a:d9:3b:ac:6a:80:d0:f6:b9:70:b0:ec:66:3c:38:83:
dc:d1:01:83:3b:52:b3:d2:e9:7f:31:79:3b:25:b4:a5:42:3d:
d4:33:93:bf:8a:77:d2:ce:65:d9:49:f6:83:d2:bc:0a:bb:c3:
94:a8:ff:9e:23:04:ab:a1:60:a1:9d:21:9d:5f:e1:2c:c9:67:
cb:bd:ac:2d:ea:89:b0:6c:4a:50:e4:80:95:4a:9e:2b:b1:49:
40:e4:d3:ee:2f:61:d4:b3:5a:72:e7:cf:ad:33:8f:14:c7:83:
02:09:38:0c:0c:34:22:c2:5b:9c:a5:4d:0a:b2:1d:c6:d9:c6:
f3:9d:28:75:b9:a4:c4:3d:ed:87:e6:12:3e:2b:2b:7e:c1:d5:
c1:17:1b:00:ee:15:21:1e:33:ec:fa:ed:49:a6:6f:d1:ec:0a:
39:ec:48:b0:95:7f:b2:75:11:4f:87:60:59:ef:8d:d3:34:65:
6d:5d:1c:33:0d:4e:d7:94:a3:25:6d:8c:3d:69:39:5e:2d:92:
c0:62:b6:60:59:67:2c:05:19:bd:41:56:ff:4f:ab:82:a7:f2:
15:49:64:dc:2d:fe:f0:47:89:9a:ff:13:cf:4b:fe:38:98:60:
96:5a:31:ab:ae:95:14:66:ee:29:b4:72:b1:3c:69:04:b4:e6:
96:90:40:51
Exercise 2: SYN flooding Attack — SCAPY (20 Points)
SYN flooding is a form of DoS attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN flooding attack takes advantage of the TCP protocol's three-way handshake. A client sends a TCP SYN (S flag) packet to begin a connection to the server. The target server replies with a TCP SYN-ACK (SA flags) packet, but the client does not respond to the SYN-ACK, leaving the TCP connection half-open. In normal operation, the client should send an ACK (A flag) packet followed by the data to be transferred, or an RST reply to reset the connection. Since the target server cannot tell a deliberately withheld ACK from one lost to network problems, it keeps the half-open connection in the SYN_RECV state until it times out, and each such entry occupies a slot in its connection backlog.
2.1 A SYN packet in Scapy (10 Points)
Make use of two virtual machines, one of which plays the role of the target server and the other the role of the attacker. Use Scapy to craft a TCP SYN packet and let the attacker send it to the target server. Describe each component of your Scapy packet and the command used to send it.
Hints:
1. Make sure that you are sending the TCP SYN packet to an open port; list the target's open ports with
..$ nmap --open <target-ip>
2. You can check the effect of your packet on the victim by typing
..$ netstat -nt
in a terminal window on the victim machine. This will give you a table showing the status of any connections to the machine (see below).
3. Source ports for your tests should be in the dynamic/private (ephemeral) range 49152–65535.
Capture your packet with Wireshark and provide a snapshot showing the packet details together with the netstat output from the victim.
2.2 A python script (10 Points)
Write a python script that repeatedly sends TCP SYN packets to the victim. Run your program and show the result by using
..$ netstat -nt
on the victim machine. Include part of this output in your write-up; 15 lines or so should be enough to show that your program is working. Make sure that the source IP address is different from one packet to the next, for example:
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.164:22        192.168.1.124:62279     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.64:57815      SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.27:52417      SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.169:57660     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.141:58526     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.172:55191     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.50:53440      SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.218:53170     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.194:62334     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.241:54757     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.196:50560     SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.4:63491       SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.64:53050      SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.11:60532      SYN_RECV
tcp        0      0 192.168.1.164:22        192.168.1.24:64138      SYN_RECV
In your python script, also write down how you stop the program while it is running.
Exercise 3: VPN, IPSec, SSL and Kerberos (30 Points)
3.1 Virtual Private Network (VPN) (3 points)
Discuss benefits of VPNs compared to dedicated networks utilizing frame relay, leased lines, and traditional dial-up.
3.2 TCP security, IPSec (5 points)
• Describe how IPSec prevents SYN flooding attacks (2 points).
• Consider the following scenario: A is sending packets to B using IPsec. Suppose B's TCP ACK gets lost, and A's TCP retransmits the packet since it assumes the packet was lost. Will B's IPsec implementation notice that the packet is a duplicate and discard it? (3 points)
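The mechanism the second bullet turns on, as an added example that is editor-supplied and not coursework material: ESP's anti-replay window from RFC 4303 section 3.4.3. The receiver tracks ESP sequence numbers, not TCP content; every packet A's IPsec sends gets a fresh sequence number, so a TCP retransmission arrives at B as a new ESP packet, while a captured packet sent again (same sequence number) or one that has fallen behind the window is dropped. The window size of 64 (the RFC 4303 minimum) and the sequence numbers are illustrative; the strings stand in for encrypted TCP segments.

```python
"""Added example (editor-supplied, not coursework material): the RFC 4303
anti-replay window for ESP, applied to the retransmission scenario in 3.2.

Assumptions: window size 64 (the RFC 4303 minimum) and the sequence numbers
below are illustrative; the strings stand in for encrypted TCP segments.
"""


class AntiReplayWindow:
    """Sliding window over ESP sequence numbers; each number is accepted at most once."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far (0: nothing yet)
        self.bitmap = 0       # bit i set <=> sequence number (highest - i) was received

    def accept(self, seq: int) -> bool:
        if seq == 0:                                  # the first packet on an SA carries seq 1
            return False
        if seq > self.highest:                        # new high-water mark: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                       # everything seen before is now outside
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        if self.highest - seq >= self.size:           # older than the window: drop
            return False
        bit = 1 << (self.highest - seq)
        if self.bitmap & bit:                         # already accepted once: replay, drop
            return False
        self.bitmap |= bit                            # late but genuine (reordered) packet
        return True


def simulate_retransmission() -> dict:
    """A sends a TCP segment to B over ESP, B's ACK is lost, A's TCP retransmits it."""
    b_inbound = AntiReplayWindow()
    esp_seq = [0]                                     # A's outbound ESP counter

    def a_sends(tcp_segment: str):
        esp_seq[0] += 1                               # every ESP packet gets a fresh number,
        return esp_seq[0], tcp_segment                # whatever TCP put inside it

    first = a_sends("TCP seq=1000 len=100")           # original segment, ESP seq 1
    retrans = a_sends("TCP seq=1000 len=100")         # identical TCP bytes, ESP seq 2
    results = {
        "original_accepted": b_inbound.accept(first[0]),
        "retransmission_accepted": b_inbound.accept(retrans[0]),  # IPsec cannot see the duplicate
        "captured_copy_accepted": b_inbound.accept(first[0]),     # a replay of ESP seq 1: dropped
    }
    b_inbound.accept(100)                             # later traffic slides the window along
    results["reordered_accepted"] = b_inbound.accept(99)   # inside the window and unseen: kept
    results["stale_accepted"] = b_inbound.accept(30)       # 70 behind the edge: outside, dropped
    return results


if __name__ == "__main__":
    for name, outcome in simulate_retransmission().items():
        print(f"{name}: {outcome}")
```

The duplicate is therefore left for B's TCP to recognise by its sequence number; IPsec's replay check protects the ESP channel, not the transport layer above it.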
3.3 Digital Certificates (10 points)
What is a digital certificate? Which cryptographic algorithms are usually used to create a digital certificate?
Consider the CAs arranged in a hierarchy as shown in Figure 2. Show the various certificates necessary to navigate the hierarchy. For example, Bob receives a digital certificate from Alice; describe the process by which Bob validates Alice's public key. (Hint: please add necessary information to this figure to indicate who certifies whose public key.)

Figure 2: A certificate hierarchy. [The figure shows a tree of CAs with CA0 at the top level, CA1 and CA3 at the second level and CA2 and CA4 at the third level; the end entities Alice and Bob appear as leaves of the hierarchy.]
3.4 SSL (8 points)
Describe how SSL avoids each of the following threats:
1. Man-in-the-middle attack: An attacker interposes during key exchange, acting as the client to the server and as the server to the client.
2. Password sniffing: Passwords in HTTP or other application traffic are eavesdropped.
3. IP spoofing.
3.5 Kerberos (4 points)
Draw the message flow in the Kerberos authentication protocol when a user wants to access some network service. Assume the user already has a TGT. Write the main information exchanged in each flow.
Exercise 4: Intrusion Detection Systems and Working with Snort (25 Points)
4.1 Intrusion Detection Systems (6 points)
Briefly answer the following questions.
1. Outline the components of an Intrusion Detection System (IDS).
2. Describe network-based and host-based IDSs and their differences.
3. Discuss the difference between passive and reactive systems.
4.2 Writing Snort Rules (4 points)
Let $HOME_NET be set to 10.130.4.25 and $EXTERNAL_NET to !$HOME_NET.
1. Create a Snort rule that alerts on FTP connections from any IP address outside $HOME_NET.
2. Create a Snort rule that alerts when the content of traffic leaving $HOME_NET contains "worm".
3. Does the rule you wrote in the previous question raise an alert when a Google search for "Internet Worm" is executed from $HOME_NET? Explain your answer.
4. Create a Snort rule that alerts on pings from $EXTERNAL_NET.
4.3 Snort Rules (10 points)
Explain how each of the following rules works:
1. alert tcp any any -> 10.1.1.0/24 6000:6010 (msg:"X Windows Service traffic";)
2. alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachn
ids,27;)
3. alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags: A+; reference:arachnids,127;)
4. alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode:0;)
4.4 A Computer Worm (5 points)
Suppose you need to detect a computer worm that aims at causing a denial of service on some Internet hosts. Figure 3 shows the tcpdump output that resulted from running the worm script against a machine on a test network.
Write a Snort rule to detect this worm. The rule must include the following:
1. The head of the Snort signature must alert on UDP packets to port 1434 on the "home network" from the "external network".
2. The message placed in the alert must specify "Internet Worm to be stopped".
3. The rule must search for a 07 byte at the start of the payload (coloured magenta in the figure). Note that in the figure the mustard coloured section is the IP header (20 bytes), followed by the UDP header (8 bytes) and then the start of the payload.
4. If the 07 match succeeds the rule must then search for the binary string "71 f2 03 01 04 9b 71 f2 01". This is the cyan coloured section in the figure.
5. Finally, if the rule matches the previous checks, the rule must search for the text "tire" (coloured orange in the figure).
0x0000  4500 0194 56ea 0000 8011 5e24 c0a8 0164  E...V.....^$...d
0x0010  c0a8 0196 07b5 059a 0180 a94b 0701 0101  ...........K....
0x0020  0101 0101 0101 0101 0101 0101 0101 0101  ................
0x0030  0101 0101 0101 0101 0101 0101 0101 0101  ................
0x0040  0101 0101 0101 0101 0101 0101 0101 0101  ................
0x0050  0101 0101 0101 0101 0101 0101 0101 0101  ................
0x0060  0101 0101 0101 0101 0101 0101 0101 0101  ................
0x0070  0101 0101 0101 0101 0101 0101 01dc c9b0  ................
0x0080  42eb 0e01 0101 0101 0101 70ae 4201 70ae  B.........p.B.p.
0x0090  4290 9090 9090 9090 9068 dcc9 b042 b801  B........h...B..
0x00a0  0101 0131 c9b1 1850 e2fd 3501 0101 0550  ...1...P..5....P
0x00b0  89e5 5168 2e64 6c6c 6865 6c33 3268 6b65  ..Qh.dllhel32hke
0x00c0  726e 5168 6f75 6e74 6869 636b 4368 4765  rnQhounthickChGe
0x00d0  7454 66b9 6c6c 5168 3332 2e64 6877 7332  tTf.llQh32.dhws2
0x00e0  5f66 b965 7451 6873 6f63 6b66 b974 6f51  _f.etQhtiref.toQ
0x00f0  6873 656e 64be 1810 ae42 8d45 d450 ff16  hsend....B.E.P..
0x0100  508d 45e0 508d 45f0 50ff 1650 be10 10ae  P.E.P.E.P..P....
0x0110  428b 1e8b 033d 558b ec51 7405 be1c 10ae  B....=U..Qt.....
0x0120  42ff 16ff d031 c951 5150 71f2 0301 049b  B....1.QQP......
0x0130  71f2 0101 0101 518d 45cc 508b 45c0 50ff  ......Q.E.P.E.P.
0x0140  166a 116a 026a 02ff d050 8d45 c450 8b45  .j.j.j...P.E.P.E
0x0150  c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45  .P........<a...E
0x0160  b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829  ...@...........)
0x0170  c28d 0490 01d8 8945 b46a 108d 45b0 5031  .......E.j..E.P1
0x0180  c951 6681 f178 0151 8d45 0350 8b45 ac50  .Qf..x.Q.E.P.E.P
0x0190  ffd6 ebca                                ....
Figure 3: tcpdump of the Internet Worm
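An added example serving both 4.2 and 4.4, editor-supplied and not part of the coursework or of Snort itself: a miniature rule evaluator with Snort-like header matching and content/offset/depth/nocase semantics, run over constructed packets to show what the requested rules fire on, including why a case-sensitive content:"worm" does not match a search for "Internet Worm" while nocase does. $HOME_NET is 10.130.4.25 as in 4.2; 203.0.113.10 (RFC 5737 documentation space) stands in for any external host; the worm packet follows the shape of Figure 3 (UDP to port 1434, 07 as the first payload byte, the cyan byte string, the text "tire") but is constructed test data, not the capture.

```python
"""Added example (editor-supplied; not part of the coursework and not Snort): a
miniature rule evaluator with Snort-like header and content semantics, run over
constructed packets, to show what the rules of 4.2 and 4.4 match.

Assumptions: $HOME_NET = 10.130.4.25 (from 4.2); 203.0.113.10 (RFC 5737 space)
stands in for an external host; all packets are constructed test data.
"""
import ipaddress
import socket
import struct

HOME_NET = ipaddress.ip_network("10.130.4.25/32")
EXTERNAL_NET = ("not", HOME_NET)                 # !$HOME_NET
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def parse(pkt: bytes) -> dict:
    """Split a raw IPv4 packet into addresses, ports and the application payload."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    sport = dport = None
    if proto == 6:                               # TCP: header length from the data offset
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[(body[12] >> 4) * 4:]
    elif proto == 17:                            # UDP: fixed 8-byte header (Figure 3: offset 28)
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
    else:                                        # ICMP: type and code lead the payload
        payload = body
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def in_net(ip: str, spec) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):                  # negated network, e.g. !$HOME_NET
        return ipaddress.ip_address(ip) not in spec[1]
    return ipaddress.ip_address(ip) in spec


def content_matches(payload, pattern, offset=0, depth=None, nocase=False) -> bool:
    """Snort content/offset/depth/nocase: search pattern within payload[offset:offset+depth]."""
    window = payload[offset: None if depth is None else offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def evaluate(rule: dict, pkt: bytes):
    """Return the rule's msg if the packet matches its header and every content option."""
    f = parse(pkt)
    if f["proto"] != PROTO[rule["proto"]]:
        return None
    if not (in_net(f["src"], rule["src"]) and in_net(f["dst"], rule["dst"])):
        return None
    if rule.get("dport", "any") != "any" and f["dport"] != rule["dport"]:
        return None
    if rule.get("itype") is not None and f["payload"][0] != rule["itype"]:
        return None
    if all(content_matches(f["payload"], **c) for c in rule.get("contents", ())):
        return rule["msg"]
    return None


RULES = [   # the rules asked for in 4.2 (questions 1, 2, 4) and 4.4, as dicts instead of Snort syntax
    {"proto": "tcp", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 21, "msg": "FTP connection from external net"},
    {"proto": "tcp", "src": HOME_NET, "dst": EXTERNAL_NET, "msg": "worm in outgoing content",
     "contents": [{"pattern": b"worm"}]},
    {"proto": "tcp", "src": HOME_NET, "dst": EXTERNAL_NET, "msg": "worm in outgoing content (nocase)",
     "contents": [{"pattern": b"worm", "nocase": True}]},
    {"proto": "icmp", "src": EXTERNAL_NET, "dst": HOME_NET, "itype": 8, "msg": "ping from external net"},
    {"proto": "udp", "src": EXTERNAL_NET, "dst": HOME_NET, "dport": 1434, "msg": "Internet Worm to be stopped",
     "contents": [{"pattern": b"\x07", "depth": 1},                      # 07 as the first payload byte
                  {"pattern": bytes.fromhex("71f20301049b71f201")},     # the cyan byte string
                  {"pattern": b"tire"}]},                                # the orange text
]


def alerts_for(pkt: bytes) -> list:
    return [m for m in (evaluate(r, pkt) for r in RULES) if m]


# --- constructed packets (checksums left at zero: parsed only, never sent) ---
def ip_packet(proto, src, dst, body):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload=b"", flags=0x18):     # PSH|ACK unless told otherwise
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0) + payload


WORM_PAYLOAD = b"\x07" + b"\x01" * 40 + bytes.fromhex("71f20301049b71f201") + b"Qhtiref.toQhsend"
WORM_PKT = ip_packet(17, "192.168.1.100", "10.130.4.25", udp(1973, 1434, WORM_PAYLOAD))
GOOGLE_PKT = ip_packet(6, "10.130.4.25", "203.0.113.10",
                       tcp(51000, 80, b"GET /search?q=Internet+Worm HTTP/1.1\r\nHost: www.google.com\r\n\r\n"))
PING_PKT = ip_packet(1, "203.0.113.10", "10.130.4.25", struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh")
FTP_PKT = ip_packet(6, "203.0.113.10", "10.130.4.25", tcp(50000, 21, flags=0x02))

if __name__ == "__main__":
    for name, pkt in [("worm", WORM_PKT), ("google search", GOOGLE_PKT), ("ping", PING_PKT), ("ftp", FTP_PKT)]:
        print(name, "->", alerts_for(pkt))
```

Two points carry over to the real Snort rules: depth:1 is what pins the 07 byte to the start of the payload (without it the byte may appear anywhere), and content matching is case-sensitive unless nocase is given, which decides whether "Internet Worm" in a search URL triggers a "worm" rule.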