COIT20262 – Advanced Network Security, Term 2
Assessment Item 1— Assignment 1
Note: Attempt all questions
Question 1
Protocol Analysis with Wireshark (10 Marks)
This assignment question requires that you analyse a packet capture (pcap) file and provide comments explaining each packet. See the Assignment 1 page of the course website. The pcap file contains an SMTP transaction between a client and a server. Your task is to annotate each packet, commenting on the following characteristics.
- Comment on any significant TCP flags and what they mean in the context of the packet capture. Significant flags include SYN, FIN, RST, and URG. You must explain why the flag has been set and what it means for this TCP connection.
- Comment on the direction of each packet (i.e. client -> server or server -> client). Be clear to explain in which direction the interaction is occurring.
- Comment on each SMTP command and response between the client and the server. You must explain what each command does. You should also explain the data that is exchanged. This will require that you study the SMTP RFC or other Internet documents relating to SMTP to understand what the commands mean.
You should also comment on the 2 port numbers used in this connection and their significance. For example, is it an ephemeral or reserved port? If it is a reserved port, what protocol does it relate to?
On the following page is an example of the template to use to complete this question. It provides a brief summary of each packet and has been formatted to include an “explanation” field underneath each packet. You are to write your comments in this “explanation” field addressing the packet immediately above, based on your analysis of the packet using Wireshark. Be specific and detailed. Any vague or limited responses will not attract any marks. Note, that the table is only a summary of the information provided in the pcap file. Be sure to comment in relation to information provided in the pcap file using Wireshark, not just the summary table.
For examples of how to complete the table, be sure to have completed all 3 parts of the Packet Capture Exercises. They are available from the Lectures and Tutorials page of the course website. Your solution must of course be in your own words. Do not copy directly from any examples or you will get zero marks.
No. | Time | Source | Destination | Protocol | Info
1 | 2006-10-03 14:50:19.628169 | 138.77.36.105 | 138.77.36.46 | TCP | 41640 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=34790 TSER=0 WS=2
Explanation:
2 | 2006-10-03 14:50:19.632551 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=285859166 TSER=34790 WS=5
Explanation:
3 | 2006-10-03 14:50:19.633273 | 138.77.36.105 | 138.77.36.46 | TCP | 41640 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=34792 TSER=285859166
Explanation:
4 | 2006-10-03 14:50:19.641368 | 138.77.36.46 | 138.77.36.105 | SMTP | Response: 220 basil.cqu.edu.au ESMTP Sendmail 8.13.7/8.13.7; Tue, 3 Oct 2006 14:50:19 +1000
Explanation:
5 | 2006-10-03 14:50:19.642024 | 138.77.36.105 | 138.77.36.46 | TCP | 41640 > smtp [ACK] Seq=1 Ack=84 Win=5840 Len=0 TSV=34794 TSER=285859169
Explanation:
6 | 2006-10-03 14:50:19.643019 | 138.77.36.105 | 138.77.36.46 | SMTP | Command: EHLO localhost.localdomain
Explanation:
7 | 2006-10-03 14:50:19.643032 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [ACK] Seq=84 Ack=29 Win=5792 Len=0 TSV=285859169 TSER=34794
Explanation:
8 | 2006-10-03 14:50:19.643157 | 138.77.36.46 | 138.77.36.105 | SMTP | Response: 250-basil.cqu.edu.au Hello [138.77.36.105], pleased to meet you
Explanation:
9 | 2006-10-03 14:50:19.649160 | 138.77.36.105 | 138.77.36.46 | SMTP | Command: MAIL From: SIZE=2893
Explanation:
10 | 2006-10-03 14:50:19.653374 | 138.77.36.46 | 138.77.36.105 | SMTP | Response: 250 2.1.0 ... Sender ok
Explanation:
11 | 2006-10-03 14:50:19.656209 | 138.77.36.105 | 138.77.36.46 | SMTP | Command: RCPT To:
Explanation:
12 | 2006-10-03 14:50:19.660963 | 138.77.36.46 | 138.77.36.105 | SMTP | Response: 250 2.1.5 ... Recipient ok
Explanation:
13 | 2006-10-03 14:50:19.663490 | 138.77.36.105 | 138.77.36.46 | SMTP | Message Body
Explanation:
14 | 2006-10-03 14:50:19.664861 | 138.77.36.105 | 138.77.36.46 | SMTP | Message Body
Explanation:
15 | 2006-10-03 14:50:19.664894 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [ACK] Seq=411 Ack=2589 Win=10752 Len=0 TSV=285859175 TSER=34802
Explanation:
16 | 2006-10-03 14:50:19.665627 | 138.77.36.105 | 138.77.36.46 | SMTP | Message Body
Explanation:
17 | 2006-10-03 14:50:19.703495 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [ACK] Seq=411 Ack=3096 Win=13632 Len=0 TSV=285859185 TSER=34803
Explanation:
18 | 2006-10-03 14:50:19.704150 | 138.77.36.105 | 138.77.36.46 | SMTP | Message Body
Explanation:
19 | 2006-10-03 14:50:19.704211 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [ACK] Seq=411 Ack=3099 Win=13632 Len=0 TSV=285859185 TSER=34807
Explanation:
20 | 2006-10-03 14:50:19.732248 | 138.77.36.46 | 138.77.36.105 | SMTP | Response: 250 2.0.0 k934oJPY003485 Message accepted for delivery
Explanation:
21 | 2006-10-03 14:50:19.767562 | 138.77.36.105 | 138.77.36.46 | SMTP | Command: QUIT
Explanation:
22 | 2006-10-03 14:50:19.767778 | 138.77.36.46 | 138.77.36.105 | SMTP | Response: 221 2.0.0 basil.cqu.edu.au closing connection
Explanation:
23 | 2006-10-03 14:50:19.768005 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [FIN, ACK] Seq=514 Ack=3105 Win=13632 Len=0 TSV=285859201 TSER=34819
Explanation:
24 | 2006-10-03 14:50:19.769023 | 138.77.36.105 | 138.77.36.46 | TCP | 41640 > smtp [FIN, ACK] Seq=3105 Ack=515 Win=6912 Len=0 TSV=34820 TSER=285859201
Explanation:
25 | 2006-10-03 14:50:19.769089 | 138.77.36.46 | 138.77.36.105 | TCP | smtp > 41640 [ACK] Seq=515 Ack=3106 Win=13632 Len=0 TSV=285859201 TSER=34820
Explanation:
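Worked example (added here; it is not part of the assignment template or the supplied pcap). The Python below replays the relative Seq/Ack numbers from the summary rows above for the packets whose payload the table shows in full (1 to 7 and 19 to 25; rows 8 to 18 are omitted because the table truncates the multi-line EHLO response and shows only "Message Body" for the DATA segments). SYN and FIN each consume one sequence number, a data segment consumes its length, and every SMTP line is its text plus CRLF, so each ACK should equal the peer's next sequence number. The row tuples are transcribed from the table; the client/server roles follow from which side sent the SYN, and port 25 is the SMTP well-known port while 41640 is the ephemeral port the client's operating system chose.

```python
import re

# Rows transcribed from the summary table above: (packet no, sender, protocol, Info).
# Wireshark shows relative sequence numbers, so both sides start at Seq=0 on the SYN.
CLIENT, SERVER = "138.77.36.105", "138.77.36.46"   # the client is the side that sent the SYN
HANDSHAKE = [
    (1, CLIENT, "TCP", "41640 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0"),
    (2, SERVER, "TCP", "smtp > 41640 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0"),
    (3, CLIENT, "TCP", "41640 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0"),
    (4, SERVER, "SMTP", "Response: 220 basil.cqu.edu.au ESMTP Sendmail 8.13.7/8.13.7; "
                        "Tue, 3 Oct 2006 14:50:19 +1000"),
    (5, CLIENT, "TCP", "41640 > smtp [ACK] Seq=1 Ack=84 Win=5840 Len=0"),
    (6, CLIENT, "SMTP", "Command: EHLO localhost.localdomain"),
    (7, SERVER, "TCP", "smtp > 41640 [ACK] Seq=84 Ack=29 Win=5792 Len=0"),
]
TEARDOWN = [
    (19, SERVER, "TCP", "smtp > 41640 [ACK] Seq=411 Ack=3099 Win=13632 Len=0"),
    (20, SERVER, "SMTP", "Response: 250 2.0.0 k934oJPY003485 Message accepted for delivery"),
    (21, CLIENT, "SMTP", "Command: QUIT"),
    (22, SERVER, "SMTP", "Response: 221 2.0.0 basil.cqu.edu.au closing connection"),
    (23, SERVER, "TCP", "smtp > 41640 [FIN, ACK] Seq=514 Ack=3105 Win=13632 Len=0"),
    (24, CLIENT, "TCP", "41640 > smtp [FIN, ACK] Seq=3105 Ack=515 Win=6912 Len=0"),
    (25, SERVER, "TCP", "smtp > 41640 [ACK] Seq=515 Ack=3106 Win=13632 Len=0"),
]

FLAGS = re.compile(r"\[([A-Z, ]+)\]")
FIELDS = re.compile(r"(Seq|Ack|Len)=(\d+)")


def port_role(port):
    """Reserved (well-known, 0-1023; 25 is SMTP) versus ephemeral (picked by the client OS)."""
    return "well-known" if port < 1024 else "ephemeral"


def annotate(row):
    """Direction, TCP flags and numbers, or SMTP line type and length, for one summary row."""
    no, sender, proto, info = row
    note = {"no": no, "direction": "client -> server" if sender == CLIENT else "server -> client"}
    if proto == "TCP":
        note["flags"] = FLAGS.search(info).group(1).split(", ")
        note.update((k.lower(), int(v)) for k, v in FIELDS.findall(info))
    else:
        kind, _, line = info.partition(": ")
        note["smtp"] = kind                      # "Command" (client) or "Response" (server)
        note["len"] = len(line) + 2              # every SMTP line ends in CRLF (RFC 5321 2.3.8)
        if kind == "Response":
            note["code"] = int(line[:3])         # 2xx ok, 3xx send more, 4xx/5xx failure
    return note


def check_sequence(rows):
    """Replay Seq/Ack.  SYN and FIN each consume one sequence number, data consumes
    Len bytes, and an ACK must equal the peer's next sequence number.  Returns the
    packet numbers that disagree with the replay (empty means consistent)."""
    nxt, bad = {}, []
    for row in rows:
        n = annotate(row)
        src = row[1]
        dst = SERVER if src == CLIENT else CLIENT
        if "seq" in n:                            # TCP row: seed positions from the first one seen
            nxt.setdefault(src, n["seq"])
            nxt.setdefault(dst, n["ack"])
            if n["seq"] != nxt[src] or ("ACK" in n["flags"] and n["ack"] != nxt[dst]):
                bad.append(n["no"])
            nxt[src] += n["len"] + ("SYN" in n["flags"]) + ("FIN" in n["flags"])
        else:                                     # SMTP row: the summary omits Seq, so count bytes
            nxt[src] += n["len"]
    return bad


if __name__ == "__main__":
    for rows in (HANDSHAKE, TEARDOWN):
        for row in rows:
            print(annotate(row))
        print("inconsistent packets:", check_sequence(rows))
```

Running it shows why packet 5 acknowledges 84 (the 83-byte banner starting at sequence 1), why packet 7 acknowledges 29 (a 28-byte EHLO line) and why the server's FIN in packet 23 sits at 514 (411 + 56 for the 250 reply + 47 for the 221 reply); the FIN itself is acknowledged with 515 in packet 24 because it occupies a sequence number of its own. Changing any Ack value in a row makes check_sequence report that packet.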
Question 1 Marking Criteria
- 8 -10 marks
A very good, in-depth explanation of the packet capture. Shows good understanding of the material
- 6 - 7 marks
Has a few misunderstandings or incomplete explanations
- 5 marks
Passable solution with a few mistakes, some of them major, and vague explanations
- 1 - 4 marks
Major problems. Does not demonstrate a good understanding of the material or solution is very vague in explanations
- 0 marks
Essentially nothing correct or solutions have been copied verbatim from other sources
Question 2: Firewall and Proxy Services Configurations (10 marks)
The following diagram shows the topology of the network of a small company. There are three servers located in a DMZ (Demilitarised Zone).
The web server can directly accept requests (HTTP or HTTPS) from the Internet or from the internal network (192.168.1.0/25).
The DNS server can directly accept requests from the Internet. The DNS server can also directly accept requests from the internal network (192.168.1.0/25). However, if the DNS server can not resolve a domain name requested by the internal network (192.168.1.0/25), it will contact the DNS servers on the Internet directly for the name resolution.
On behalf of the users on the internal network (192.168.1.0/25), the email server sends emails to and receives emails from the Internet. The users on the internal network (192.168.1.0/25) use IMAP (Internet Message Access Protocol) to read and organise their emails on the email server.
The users on the internal network (192.168.1.0/25) are allowed to access the Internet only for HTTP, HTTPS and FTP services. However, the users of the internal network are never allowed to connect to the Internet directly.
Based on the above network configuration and application scenarios, answer the following three questions.
A. The firewall services are installed on the router. Create the firewall rules to implement the packet filtering and only allow the specified traffic. The firewall rules are to be created in the following format.
Rule No. | Application Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action
1 | | | | | | |
2 | | | | | | |
: | | | | | | |
B. Briefly explain each rule in the rule base that you have created.
C. The proxy services are also installed on the router to conceal the users of the internal network (192.168.1.0/25) from the Internet. Suppose that users on the internal computers send the following requests to the Internet. The proxy services perform the Port Address Translation (PAT). Complete the following connection table to show how PAT is working for requests from the users on the internal network.
Packet Addressing on internal network | | | | Packet Addressing on external network | | |
Source IP | Source Port | Destination IP | Destination Port | Source IP | Source Port | Destination IP | Destination Port
192.168.1.2 | 1033 | 203.206.209.77 | 80 | | | |
192.168.1.2 | 1035 | 210.10.102.196 | 443 | | | |
192.168.1.5 | 2301 | 203.206.209.55 | 21 | | | |
192.168.1.5 | 2302 | 202.2.59.40 | 443 | | | |
192.168.1.5 | 4123 | 72.5.124.55 | 80 | | | |
192.168.1.8 | 4128 | 72.5.124.35 | 21 | | | |
192.168.1.8 | 1033 | 150.101.16.250 | 80 | | | |
192.168.1.9 | 1035 | 150.101.16.250 | 443 | | | |
Question 2 Marking Criteria
Parts A & B (6 Marks)
- 6 Marks:
All rules present and in appropriate order; explanations clear and correct
- 4-5 Marks:
A few rules missing or incorrect however the explanations justify the intent.
- 3 Marks:
Passable solution but with a number of missing rules and/or incorrect explanations
- 1-2 Marks
Most rules missing/incorrect and/or explanations are not correct.
- 0 Marks
Essentially nothing is correct
Part C (4 Marks)
- 1/2 mark per correct table entry
Question 3: Network Attack Research [10 marks]
Although the course textbook and other resources discuss several specific network attack vulnerabilities, it is not feasible to cover all of them. New vulnerabilities are being discovered all of the time, and there are hundreds of currently known vulnerabilities. Professional network administrators have to keep themselves current with all possible threat possibilities. One way of doing this is by performing personal research. In this hypothetical case study, you should use the Internet to assist you in developing responses to the three questions. Use of the course textbook and supplied resources only is not sufficient to award full marks. You should use your research skills and go beyond these resources.
PHP is a popular scripting language commonly used to implement dynamic web pages. Unlike JavaScript, which is a web client-side scripting language, PHP is a web server-side scripting language. At the web server, PHP scripts are used to dynamically generate the HTML pages that are then sent to the client. At the client end these HTML pages are displayed in the web browser.
James has just completed his first year at university in a Bachelor of Information Technology degree. One of the courses that James studied was Web Programming 101. In that course James learnt the basics of using HTML, CSS and PHP to create dynamic web pages.
As a favour to James' good friend Kirandeep, he designed and implemented a simple dynamic blog site using the skills he had gained in Web Programming 101. After testing the web site on a local secure network and fixing a number of scripting errors, James delivered the implementation files to Kirandeep, who uploaded them to an ISP web hosting site. Both James and Kirandeep were ecstatic to see people from across the globe using the web site to share their personal experiences.
Within a few hours of the blog site going live, Kirandeep received an urgent email from the ISP Manager informing her that the blog site had to be closed down because it had been used by unknown hackers to send spam emails to thousands of addresses around the world. The Manager told Kirandeep that she could only reactivate the blog site when the problem had been fixed and it could be guaranteed that it would not happen again.
Kirandeep quickly phoned James and told him of the dilemma. James spent the rest of the day and most of the next night examining his PHP scripts and doing research on the Internet to find out what might have caused the problem. After many hours James tracked the problem down to the simple web page contact form that he had used so that people could send emails to Kirandeep without letting them know what Kirandeep’s email address was.
(See Figure 1)
Users fill out the form by supplying their email address, a brief subject line and the message to be sent to Kirandeep. When the submit button is clicked, the contents of the form fields are sent to the web server, where a PHP script receives the field information and uses it to initiate an email to Kirandeep. Kirandeep's email address is stored in the PHP script, so the form user never gets to see it. That way Kirandeep's email address is kept secret. Unknown to James, a simple contact form that passes the form fields unchecked to the mail-sending function is a well-known vulnerability that threat agents exploit. He also discovered that the problem is not specific to PHP: any server-side scripting language used in the same way is vulnerable.
You are required to answer the following questions. Please reference all sources – do not copy directly from sources.
- Based on the information provided, what type of attack has been performed by the hackers using Kirandeep’s blog? You need to fully justify your answer, not just state the type of attack.
- Describe in detail how the attack may have occurred – you will need to provide sample form field data such as:
Your Email Address: M.Patel@hotmail.com
Subject: Thank you
Message: Thank you for providing such a useful blog site for me to use. I have learnt a lot from reading the blogs left by other people.
You don’t need to provide a detailed explanation of how PHP or other server-side scripting languages work; but you need to provide sufficient information to explain how malicious field data entered by a hacker could trick the web server into generating multiple spam emails.
- How would James need to change the PHP script to prevent such attacks? You don't need to provide the actual PHP code; just describe what measures James would have to implement to ensure that malicious field data could not be used to generate multiple spam emails.
- What limitations does this form of attack have?
Hint: Would this attack only have to be performed once to generate thousands of spam emails?
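Worked example (added here; it is not part of the assignment, and it is written in Python rather than James's PHP because the defect is identical in any server-side language). It shows a contact-form handler that concatenates the visitor's fields straight into the mail header block, what the mail server then sees, and a hardened handler beside it. The recipient address, the site's fixed sender address and both sample submissions are constructed for the example; the second submission carries a line break inside the email field.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

RECIPIENT = "kirandeep@example.com"          # assumed; lives only in the script, never shown
FORM_SENDER = "contact-form@example.com"     # assumed fixed From: address for the site

# Two constructed submissions: the honest one from the assignment text, and one whose
# "email" field carries a CRLF followed by an extra header line.
HONEST = {"email": "M.Patel@hotmail.com", "subject": "Thank you",
          "message": "Thank you for providing such a useful blog site for me to use."}
MALICIOUS = {"email": "attacker@example.net\r\nBcc: victim1@example.org, victim2@example.org",
             "subject": "Thank you", "message": "spam body"}


def naive_headers(form):
    """What a straightforward script does: build the header block by string
    concatenation.  A CR/LF inside a field ends the From: line early, and whatever
    follows is parsed by the mail server as another header."""
    return (f"From: {form['email']}\r\n"
            f"Subject: {form['subject']}\r\n"
            f"To: {RECIPIENT}\r\n")


def parse_headers(block):
    """Header lines as the mail server sees them: each CRLF-terminated 'Name: value'."""
    headers = {}
    for line in block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


LINE_BREAK = re.compile(r"[\r\n]")
ONE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hardened_form(form):
    """Reject any header-bound field containing a line break, require the email field
    to be exactly one address, keep From: and To: fixed in the script and let the
    email library fold the headers.  Returns (True, message) or (False, reason)."""
    for field in ("email", "subject"):
        if LINE_BREAK.search(form[field]):
            return False, f"{field}: line break rejected"
    if not ONE_ADDRESS.fullmatch(form["email"]):
        return False, "email: must be a single address"
    msg = EmailMessage(policy=SMTP)
    msg["From"] = FORM_SENDER                 # the visitor's address goes in Reply-To, not From
    msg["Reply-To"] = form["email"]
    msg["To"] = RECIPIENT                     # the recipient list is fixed by the script
    msg["Subject"] = form["subject"][:200]
    msg.set_content(form["message"])
    return True, msg.as_string()


if __name__ == "__main__":
    print(parse_headers(naive_headers(MALICIOUS)))
    print(hardened_form(MALICIOUS))
    print(hardened_form(HONEST)[1])
```

With the naive handler the second submission produces a Bcc: header the script never wrote, and a blank line followed by text would replace the body as well; one submission therefore sends the site's mail to as many addresses as fit in the field. The hardened handler refuses the field outright, which is the right response to input that can only be an attack, and keeps the visitor out of every header that controls delivery.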
Marking Criteria
- 3 marks (1 mark correct identification, 2 marks for justification)
- 4 marks for description (allocated based on quality and correctness)
- 2 marks for prevention (allocated based on quality and correctness)
- 1 mark for limitation (allocated based on quality and correctness)
Question 4: (10 marks)
In this hypothetical case study, you should use the Internet to assist you in developing responses to three questions. Use of the text only is not sufficient to attract full marks.
SafeBank recently received a series of reports from customers concerning security breaches in online banking. Customers reported having money transferred from their accounts, usually after they have found that their password has changed. A full security audit revealed that the money transfers and changes to user passwords all originated from an Eastern European country on servers within the domain of crazyhackers.com – however – the question remained: how did the hackers undertake the attack?
Given that legitimate account numbers and passwords were used, it was initially assumed that it could be some form of phishing attack. However, no evidence of such emails was found. The only commonality between the victims was that they all used the same ISP.
You are required to answer the following questions. Please reference all sources – do not copy directly from sources.
- Based on the information provided, what type of attack has been performed? Justify your answer.
Hint: In order to capture account numbers and passwords, how would a hacker “redirect” users to their servers instead of SafeBank’s?
- Describe in detail how the attack occurred – you may wish to include one or more diagrams. You will need to make assumptions about host names, domains and IP addresses – document these. You need not concern yourself with the technical details of the capture and reuse of SafeBank’s customer details (eg. Fake web sites/malware) – you are documenting how it was possible from a network perspective.
- What steps would you advise to prevent such attacks? What limitations does this form of attack have?
Hint: Would this attack only have to be performed once?
Marking Criteria
Part A – 3 Marks (1 mark correct identification, 2 marks justification)
Part B – 4 Marks (variable on quality, correctness)
Part C – 3 Mark (2 marks correct prevention, 1 limitations)
COIT20262 – Advanced Network Security
Assignment 2
Question 1: Snort Rules (10 Marks)
Scenario
A small company has a network set up behind a NAT router. The router is connected to the Internet via a single ISP provided dynamic IP address. The ISP provided access address may change over short periods of time.
The internal network is RFC 1918 Category 2 compliant, and uses the private address space 192.168.2.0/24. The gateway router is configured to use DHCP allocated IP addresses to internal hosts as they connect. However, a record is kept within the router of what IP addresses have previously been allocated to specific MAC addresses. Whenever those MAC addressed hosts disconnect from and later reconnect to the network they are reallocated the same IP address. It is only if the router has a power off episode, or is manually reset, that allocation of different IP addresses may occur (and even then, the same addresses may be allocated as before).
The company operates an approved internal web server at 192.168.2.21:80, to facilitate in-house development of web pages and web sites that will later be deployed to an external server for public access. It is a company policy that only one approved internal web server is to be in operation on the network.
It has come to the notice of the IT manager that a company employee has set up a rogue web server on the internal network, using a personal laptop. The employee is using that web site to provide undesirable material to a small clique of employees, to whom the web server address has been provided secretly.
Considerations
- The rogue web server may be on any internal IP address, and will be using any of the ephemeral ports. It will not be using a well-known port.
- The clients accessing the rogue web server may come from any internal IP address using any ephemeral port.
- The MAC addresses of all company host devices are on record.
Your job
Use snort to monitor for any internal network HTTP traffic destined for any internal host on any port address other than the authorised company internal web server and produce an alert message.
You are to write a .conf file containing the snort rule(s) that will accomplish a solution and run it against the pcap file provided.
The snort monitoring will identify when breaches have occurred. The Wireshark pcap file containing the captured packets can be time correlated with the logged snort alerts to obtain MAC addresses for source and target.
If your rule is correct the alert.ids file will show entries like the following:
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.439844 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18940 IpLen:20 DgmLen:408 DF
***AP*** Seq: 0xE8349C5 Ack: 0xBCB171EE Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791384 0
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.440554 192.168.2.2:6400 -> 192.168.2.5:49496
TCP TTL:128 TOS:0x0 ID:1065 IpLen:20 DgmLen:1300 DF
***A**** Seq: 0xBCB171EE Ack: 0xE834B29 Win: 0xFE9B TcpLen: 32
TCP Options (3) => NOP NOP TS: 195453 1210791384
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.449929 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18942 IpLen:20 DgmLen:367 DF
***AP*** Seq: 0xE834B29 Ack: 0xBCB1799C Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791384 195453
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.450478 192.168.2.2:6400 -> 192.168.2.5:49496
TCP TTL:128 TOS:0x0 ID:1067 IpLen:20 DgmLen:485 DF
***AP*** Seq: 0xBCB1799C Ack: 0xE834C64 Win: 0xFD60 TcpLen: 32
TCP Options (3) => NOP NOP TS: 195453 1210791384
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.904673 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18947 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xE834C64 Ack: 0xBCB17B4E Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791413 195509
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.913290 192.168.2.5:49497 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18950 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xBF45540D Ack: 0xBEFA2FE2 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791413 0
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.913886 192.168.2.2:6400 -> 192.168.2.5:49497
TCP TTL:128 TOS:0x0 ID:1071 IpLen:20 DgmLen:571 DF
***AP*** Seq: 0xBEFA2FE2 Ack: 0xBF45559C Win: 0xFE70 TcpLen: 32
TCP Options (3) => NOP NOP TS: 195597 1210791413
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.919054 192.168.2.5:49498 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18956 IpLen:20 DgmLen:365 DF
***AP*** Seq: 0x18030D8E Ack: 0xCFE60A18 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1210791413 0
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.946959 192.168.2.2:6400 -> 192.168.2.5:49498
TCP TTL:128 TOS:0x0 ID:1075 IpLen:20 DgmLen:660 DF
***AP*** Seq: 0xCFE60A18 Ack: 0x18030EC7 Win: 0xFEC6 TcpLen: 32
TCP Options (3) => NOP NOP TS: 195598 1210791413
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:11.614057 192.168.2.3:1923 -> 192.168.2.2:6400
TCP TTL:128 TOS:0x0 ID:44619 IpLen:20 DgmLen:496 DF
***AP*** Seq: 0xC9090643 Ack: 0x550D4778 Win: 0xFFFF TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:11.656165 192.168.2.2:6400 -> 192.168.2.3:1923
TCP TTL:128 TOS:0x0 ID:1079 IpLen:20 DgmLen:230 DF
***AP*** Seq: 0x550D4778 Ack: 0xC909080B Win: 0xFE37 TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.504867 192.168.2.3:1926 -> 192.168.2.2:6400
TCP TTL:128 TOS:0x0 ID:44648 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0xEC018654 Ack: 0x5E762A07 Win: 0xFFFF TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.540195 192.168.2.2:6400 -> 192.168.2.3:1926
TCP TTL:128 TOS:0x0 ID:1082 IpLen:20 DgmLen:555 DF
***AP*** Seq: 0x5E762A07 Ack: 0xEC0187EE Win: 0xFE65 TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.550534 192.168.2.3:1926 -> 192.168.2.2:6400
TCP TTL:128 TOS:0x0 ID:44650 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEC0187EE Ack: 0x5E762C0A Win: 0xFDFC TcpLen: 20
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.590606 192.168.2.2:6400 -> 192.168.2.3:1926
TCP TTL:128 TOS:0x0 ID:1083 IpLen:20 DgmLen:792 DF
***AP*** Seq: 0x5E762C0A Ack: 0xEC018989 Win: 0xFCCA TcpLen: 20
Note: The classification identifier has been deleted.
Tips:
- You will need to familiarise yourself with the HTTP header contents. You need to identify some text pattern in the HTTP header that will unambiguously indicate whether a client is accessing a web server, or vice versa (remember, the rogue web server is operating on a non-standard ephemeral port).
- Make sure you include the standard Snort classtypes in your rule. Refer to the SNORT documentation to determine which classtype is appropriate for this exploit as described above. You will probably have to make use of the config file (located in the Snort\etc\ directory) – research how to make reference to this file from your rules file.
- Failure to use the correct syntax in your rule will mean the rule is ineffective. This means you will lose marks on this question.
Note: Duplicating the contents from the text, lecture slides, weekly notes or the Internet is not acceptable (even if it is referenced) and will not attract any marks. Your solutions must be written in your own words. If you cannot write your answer in your own words, then you have not yet mastered the topic and require further reading or advice from your tutor. Any information taken from an external source (either from the textbook or any other source) must be referenced appropriately. Failure to do so constitutes plagiarism.
a) Identification of Addresses
By inspecting the alert.ids entries you should be able to identify:
- The IP address, and port number of the device hosting the rogue web server.
- The IP addresses and port numbers of all devices that have accessed the rogue web server.
You are to enter this information into the table following
Description | IP Address | Port Number
Rogue Web Server | 192.168.2.2 | 6400
Accessing Client #1 | 192.168.2.5 | 49496, 49497, 49498
Accessing Client #2 | 192.168.2.3 | 1923, 1926
Explain in your own words how the MAC addresses of these devices can be discovered from the pcap file.
Answer:
The alert.ids entries give the IP addresses, ports and time of each offending packet but not the MAC addresses, because the IP layer is all the rule examined. The pcap file does: Wireshark decodes each frame's Ethernet II header, whose Source and Destination fields are the 48-bit MAC addresses of the two hosts on the LAN, written as six hexadecimal pairs such as 01:23:45:67:89:ab. Apply a display filter such as ip.addr == 192.168.2.2 && tcp.port == 6400, or go to the frame whose time matches an alert timestamp, expand the Ethernet II layer and read eth.src and eth.dst. On a single switched LAN these are the MAC addresses of the end hosts themselves (a router in the path would substitute its own), and because the router records which MAC address held which IP lease, the MAC address identifies the laptop even if DHCP later gives it a different IP address.
b) Write your SNORT Rule with commenting using the table below
Line Number | SNORT RULE
1 | Action and protocol: alert tcp. The rule raises an alert (Snort in IDS mode does not block anything); tcp is the transport HTTP runs over, and ip, udp and icmp are the other choices for this field.
2 | Source address and port: the internal network 192.168.2.0/24 with any port, since the clients use ephemeral ports. A variable such as HOME_NET, defined in the config file and referenced as $HOME_NET, avoids repeating the address.
3 | Direction: -> means source to destination. <> matches both directions, but then the same address and port tests are applied to either end.
4 | Destination address and port: the internal network again, with the authorised server's port excluded. The rogue server never listens on a well-known port, so the authorised 192.168.2.21:80 traffic must not match.
5 | msg: the text written to alert.ids, which is "Unauthorised HTTP traffic" in the sample output above.
6 | content: a byte pattern that must appear in the packet payload. HTTP/1. appears in every HTTP/1.x request line and status line, so it identifies HTTP on any port. content matches payload bytes only; it does not test IP or MAC addresses.
7 | classtype: one of the standard classifications from classification.config, the file in Snort\etc\ that the rules file has to include. The classification sets the priority printed in the alert.
8 | sid: the unique rule identifier. Local rules must use sid 1000000 or higher, because lower values are reserved for the official rule sets. The sample alert shows [1:1000010:1], that is generator 1, sid 1000010, revision 1.
9 | rev: the revision number, incremented each time the rule is edited so that old and new alerts can be told apart.
10 | reference (optional): a link to a third-party description such as a Bugtraq or CVE entry; not needed for a local policy rule like this one.
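Worked example (added here; it is not part of the assignment or the answer above). The Python below does two things. First, it reads alert.ids records (an abridged, constructed subset of the entries shown earlier, copied line for line) and derives the rogue server and its clients from the endpoint that talks to the most distinct peers, which is how the table in part (a) was filled. Second, it states in plain code the predicate a Snort rule for this job has to express, so the rule's alerts can be checked against it: both addresses inside 192.168.2.0/24, neither endpoint the authorised 192.168.2.21:80, and HTTP/1. in the payload. The Snort rule text in the docstring is this author's assumption, not the model answer; it is untested here and has to be verified by running Snort against the supplied pcap.

```python
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.2.0/24")
AUTHORISED = (ip_address("192.168.2.21"), 80)        # the one approved internal web server
# "HTTP/1." is present in every HTTP/1.x request line ("GET / HTTP/1.1") and status
# line ("HTTP/1.1 200 OK"), so one payload pattern identifies both directions.
HTTP_MARK = re.compile(rb"HTTP/1\.[01]")


def is_unauthorised_http(src_ip, src_port, dst_ip, dst_port, payload):
    """The predicate the Snort rule has to express.  One assumed rule shape for the
    request direction (untested here; verify with snort -c <conf> -r <pcap>):
      alert tcp $HOME_NET any -> $HOME_NET !80 (msg:"Unauthorised HTTP traffic";
          content:"HTTP/1."; classtype:policy-violation; sid:1000010; rev:1;)
    Note that this shape also fires on replies from 192.168.2.21:80 to a client's
    ephemeral port, which the code below excludes; the rule needs the authorised
    server excluded on the source side as well, and a rule for the response direction."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src not in HOME_NET or dst not in HOME_NET:
        return False                                   # only internal-to-internal traffic is in scope
    if (src, src_port) == AUTHORISED or (dst, dst_port) == AUTHORISED:
        return False                                   # traffic with the approved server is allowed
    return HTTP_MARK.search(payload) is not None


# Constructed, abridged subset of the alert.ids output shown above.
ALERTS = """\
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.439844 192.168.2.5:49496 -> 192.168.2.2:6400
TCP TTL:64 TOS:0x0 ID:18940 IpLen:20 DgmLen:408 DF
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:29.440554 192.168.2.2:6400 -> 192.168.2.5:49496
TCP TTL:128 TOS:0x0 ID:1065 IpLen:20 DgmLen:1300 DF
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.913290 192.168.2.5:49497 -> 192.168.2.2:6400
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:10:43.919054 192.168.2.5:49498 -> 192.168.2.2:6400
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:11.614057 192.168.2.3:1923 -> 192.168.2.2:6400
[**] [1:1000010:1] Unauthorised HTTP traffic [**]
[Classification: <DELETED>] [Priority: 1]
09/12-19:11:19.504867 192.168.2.3:1926 -> 192.168.2.2:6400
"""
ENDPOINTS = re.compile(r"^\d\d/\d\d-[\d:.]+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$", re.M)


def identify(alert_text):
    """Server = the endpoint that talks to the most distinct peers; everything that
    talked to it is a client.  Returns (server, sorted clients) as (ip, port) tuples."""
    peers = {}
    for s_ip, s_port, d_ip, d_port in ENDPOINTS.findall(alert_text):
        a, b = (s_ip, int(s_port)), (d_ip, int(d_port))
        peers.setdefault(a, set()).add(b)
        peers.setdefault(b, set()).add(a)
    server = max(peers, key=lambda e: len(peers[e]))
    return server, sorted(peers[server])


if __name__ == "__main__":
    server, clients = identify(ALERTS)
    print("rogue server:", server)
    for client in clients:
        print("client:", client)
```

The endpoints identify() returns are the ones to filter on in Wireshark to read the MAC addresses from the Ethernet header. The predicate is deliberately stricter than a single Snort line: comparing what Snort logs for the pcap against what is_unauthorised_http flags for the same packets shows whether the submitted rule over- or under-matches.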
Question 2: Certificates (10 Marks)
a) Because there are multiple certificate authorities (CAs) for the Web PKI it is possible to buy multiple certificates for the same domain signed by different CAs. How would a browser treat these different certificates?
Answer:
The browser validates whichever certificate the server presents on its own: it checks that the signature chain leads to a CA in its trust store, that the name matches the domain, and that the certificate is within its validity period and not revoked. Any of the certificates that passes those checks is accepted as authentic, and the browser neither knows nor cares that other CAs have also issued certificates for the same domain. This is also why a mis-issued certificate from any trusted CA is as good as a legitimate one to the browser.
b) Suppose that an imposter is able to obtain a certificate for a domain that the imposter doesn't own. (For example, in January 2001, an imposter tricked VeriSign into signing two certificates for "Microsoft Corporation" to be used for signing new software to be installed.) What sorts of attacks could an imposter pull off once in possession of such "fake" certificates for:
- installing software:
Answer:
The imposter can sign malware with the certificate. Code-signing checks then report the software as published by Microsoft, so users and operating-system warnings treat it as trusted and the malware is installed in the belief that it is Microsoft's code.
- viewing Web pages:
Answer:
The imposter can run a site that presents the fake certificate and divert users to it, for instance by phishing links or tampering with name resolution, or sit between the user and the real site as a man in the middle. The browser shows the padlock without a warning, so the user believes they are at their own bank's website and enters credentials and other confidential data, which the imposter captures and can replay against the real site.
c) Typically the public SSH keys used by servers are not signed by any certificate authority, but the SSH protocol does support checking certificates.
- Why, in practice, are server certificates rarely signed?
Answer:
SSH does not rely on a global PKI. The client instead remembers the server's public host key the first time it connects (trust on first use) and stores it in ~/.ssh/known_hosts; later connections are checked against that entry. Operating an SSH CA means generating a CA key, signing every host key and distributing the CA public key to every client in advance, which is extra work that most deployments skip, so the first-connection prompt is simply accepted instead.
- What is the benefit of checking server certificates?
Answer:
With a CA-signed host certificate the client can verify a server it has never connected to before, so the first connection is no longer a blind trust decision and a man in the middle cannot substitute his own host key at that point. Host keys can also be rotated, or servers rebuilt, without every client seeing a changed-key warning, and a certificate carries a validity period, so a compromised host key expires instead of being trusted forever.
Question 3: Firewall Rules (10 Marks)
Assume you have the following firewall rules:
Rule No. | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action
1 | UDP | 0.0.0.0/0 | any | 129.174.17.180 | 53 | allow
2 | TCP | 55.66.77.0/24 | any | 129.174.17.180 | 22 | allow
3 | TCP | 55.66.77.12 | 4500 | 129.174.17.180 | 22 | deny
4 | TCP | 127.0.0.1 | 443 | 129.174.17.180 | 6000 | allow
5 | TCP | 0.0.0.0/0 | any | 129.174.17.180 | 6000 | deny
6 | UDP | 0.0.0.0/0 | any | 129.174.17.180 | 32768 | deny
7 | TCP | 0.0.0.0/0 | any | 129.174.17.180 | 32769 | deny
8 | TCP | 0.0.0.0/0 | any | 129.174.17.180 | 32768 | deny
9 | TCP | 0.0.0.0/0 | any | 129.174.17.180 | 80 | allow
10 | UDP | 129.174.16.20 | 1025 | 0.0.0.0/0 | 65535 | allow
11 | UDP | 129.174.20.100 | 1025 | 0.0.0.0/0 | 65535 | allow
12 | UDP | 129.174.18.100 | 1025 | 0.0.0.0/0 | 65535 | allow
13 | any | 0.0.0.0/0 | any | 0.0.0.0/0 | any | allow
14 | TCP | 0.0.0.0/0 | any | 0.0.0.0/0 | any | deny
15 | UDP | 0.0.0.0/0 | any | 0.0.0.0/0 | any | deny
16 | TCP | 0.0.0.0/0 | any | 129.57.17.180 | 6000:6010 | deny
17 | TCP | 0.0.0.0/0 | any | 129.174.17.180 | 0:1024 | deny
18 | any | 0.0.0.0/0 | any | 129.174.17.180 | any | deny
a) Define what a rule conflict is and identify any conflicts.
A firewall rule base is consulted for every packet, inbound and outbound. A rule conflict exists when two rules can both match the same packet but specify different actions; which action is taken then depends on the matching strategy rather than on the administrator's intent. In the table above the conflicts are: rule 2 allows TCP/22 to 129.174.17.180 from 55.66.77.0/24 while rule 3 denies it from one host in that range (55.66.77.12, source port 4500); rule 4 allows TCP/6000 from 127.0.0.1:443 while rule 5 denies TCP/6000 from everywhere; rule 9 allows TCP/80 to 129.174.17.180 while rule 17 denies TCP ports 0 to 1024 to the same host; rule 13 allows all traffic, so it conflicts with every deny rule in the table (3, 5, 6, 7, 8 and 14 to 18); and rule 18 denies everything to 129.174.17.180, so it conflicts with every allow rule aimed at that host (1, 2, 4 and 9).
b) Identify any redundancies and explain which rule would be applied using each of the following 3 matching strategies:
- FIRST
- BEST
- LAST
Redundancies:
A rule is redundant when an earlier rule already covers every packet it describes and takes the same action, so deleting it changes no decision. Rule 14 (deny all TCP) already covers rule 16 (deny TCP 6000 to 6010 to 129.57.17.180) and rule 17 (deny TCP 0 to 1024 to 129.174.17.180). Rules 7 and 8 look like duplicates but deny different ports (32769 and 32768), and rules 10 to 12 differ in source address, so they are not redundant. Rules 1 and 18, or 9 and 18, overlap with different actions, which is a conflict rather than a redundancy.
FIRST: the rules are scanned from the top and the first one that matches decides. For an SSH packet from 55.66.77.12:4500 to 129.174.17.180:22, rules 2, 3, 13, 14, 17 and 18 all match; rule 2 is first, so the packet is allowed. Under FIRST match rule 13 allows every packet that reaches it, so rules 14 to 18 can never fire.
BEST: the most specific matching rule decides, that is the one with the longest address prefixes and the narrowest port ranges. For the same packet that is rule 3 (a single host, a single source port), so the packet is denied; rule 2 (a /24 with any source port) and rule 17 (a port range) are less specific.
LAST: the last matching rule decides, which is the same as scanning from the bottom up. For the same packet that is rule 18, so the packet is denied.
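Worked example (added here; it is not part of the assignment or the answers above). The Question 3 rule base is loaded into a small matcher that reports conflicts (pairs of rules that can match one packet with different actions), rules shadowed by an earlier covering rule of the opposite action (never reachable under FIRST match), rules made redundant by an earlier covering rule with the same action, and the rule selected for a given packet under FIRST, BEST and LAST matching. BEST is scored as longest prefixes plus narrowest port ranges plus a named protocol, which is one common definition of "most specific" and is an assumption of this example. The same code can be pointed at a rule base written for Assignment 1 Question 2 to check it before it is submitted.

```python
from ipaddress import ip_address, ip_network

# Rule base from the Question 3 table: (no, proto, src, src port, dst, dst port, action).
# Port specs: "any", a single port, or "lo:hi".  "129.174.17/180" in the source table
# is read as 129.174.17.180; 129.57.17.180 in rule 16 is kept as printed.
RULE_TABLE = [
    (1, "udp", "0.0.0.0/0", "any", "129.174.17.180", "53", "allow"),
    (2, "tcp", "55.66.77.0/24", "any", "129.174.17.180", "22", "allow"),
    (3, "tcp", "55.66.77.12", "4500", "129.174.17.180", "22", "deny"),
    (4, "tcp", "127.0.0.1", "443", "129.174.17.180", "6000", "allow"),
    (5, "tcp", "0.0.0.0/0", "any", "129.174.17.180", "6000", "deny"),
    (6, "udp", "0.0.0.0/0", "any", "129.174.17.180", "32768", "deny"),
    (7, "tcp", "0.0.0.0/0", "any", "129.174.17.180", "32769", "deny"),
    (8, "tcp", "0.0.0.0/0", "any", "129.174.17.180", "32768", "deny"),
    (9, "tcp", "0.0.0.0/0", "any", "129.174.17.180", "80", "allow"),
    (10, "udp", "129.174.16.20", "1025", "0.0.0.0/0", "65535", "allow"),
    (11, "udp", "129.174.20.100", "1025", "0.0.0.0/0", "65535", "allow"),
    (12, "udp", "129.174.18.100", "1025", "0.0.0.0/0", "65535", "allow"),
    (13, "any", "0.0.0.0/0", "any", "0.0.0.0/0", "any", "allow"),
    (14, "tcp", "0.0.0.0/0", "any", "0.0.0.0/0", "any", "deny"),
    (15, "udp", "0.0.0.0/0", "any", "0.0.0.0/0", "any", "deny"),
    (16, "tcp", "0.0.0.0/0", "any", "129.57.17.180", "6000:6010", "deny"),
    (17, "tcp", "0.0.0.0/0", "any", "129.174.17.180", "0:1024", "deny"),
    (18, "any", "0.0.0.0/0", "any", "129.174.17.180", "any", "deny"),
]


def port_range(spec):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


class Rule:
    def __init__(self, no, proto, src, sport, dst, dport, action):
        self.no, self.proto, self.action = no, proto, action
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.sport, self.dport = port_range(sport), port_range(dport)

    def matches(self, pkt):
        """pkt = (proto, src ip, src port, dst ip, dst port)."""
        proto, src, sport, dst, dport = pkt
        return (self.proto in ("any", proto)
                and ip_address(src) in self.src and self.sport[0] <= sport <= self.sport[1]
                and ip_address(dst) in self.dst and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other):
        """Every packet `other` matches, self matches too."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.sport[0] <= other.sport[0] <= other.sport[1] <= self.sport[1]
                and self.dport[0] <= other.dport[0] <= other.dport[1] <= self.dport[1])

    def overlaps(self, other):
        """Some packet matches both rules."""
        return (("any" in (self.proto, other.proto) or self.proto == other.proto)
                and self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and max(self.sport[0], other.sport[0]) <= min(self.sport[1], other.sport[1])
                and max(self.dport[0], other.dport[0]) <= min(self.dport[1], other.dport[1]))

    def specificity(self):
        """Higher = narrower: longer prefixes, tighter port ranges, a named protocol."""
        return (self.src.prefixlen + self.dst.prefixlen + (self.proto != "any")
                + 65535 - (self.sport[1] - self.sport[0])
                + 65535 - (self.dport[1] - self.dport[0]))


RULES = [Rule(*row) for row in RULE_TABLE]


def decide(pkt, strategy, rules=RULES):
    """The rule (or None) that decides `pkt` under FIRST, BEST or LAST matching."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return None
    if strategy == "FIRST":
        return hits[0]
    if strategy == "LAST":
        return hits[-1]
    if strategy == "BEST":
        return max(hits, key=Rule.specificity)
    raise ValueError(strategy)


def conflicts(rules=RULES):
    """Pairs that can match the same packet but disagree on the action."""
    return [(a.no, b.no) for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.action != b.action and a.overlaps(b)]


def shadowed(rules=RULES):
    """Never reachable under FIRST match: an earlier rule with the opposite action
    already covers every packet the rule describes."""
    return [b.no for i, b in enumerate(rules)
            if any(a.covers(b) and a.action != b.action for a in rules[:i])]


def redundant(rules=RULES):
    """Covered by an earlier rule with the same action: deleting it changes no decision."""
    return [b.no for i, b in enumerate(rules)
            if any(a.covers(b) and a.action == b.action for a in rules[:i])]


if __name__ == "__main__":
    ssh = ("tcp", "55.66.77.12", 4500, "129.174.17.180", 22)
    for strategy in ("FIRST", "BEST", "LAST"):
        r = decide(ssh, strategy)
        print(strategy, "-> rule", r.no, r.action)
    print("conflicts:", conflicts())
    print("shadowed:", shadowed(), "redundant:", redundant())
```

For the SSH packet from 55.66.77.12:4500 to 129.174.17.180:22, rules 2, 3, 13, 14, 17 and 18 match: FIRST selects rule 2 (allow), BEST rule 3 (deny) and LAST rule 18 (deny). The shadowed list shows the structural fault in this rule base: rule 13 allows everything, so under FIRST match every deny after it is dead, and rule 3 is dead because rule 2 allows the whole /24 before it.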
Question 4: Firewalls (10 Marks)
a) What is a proxy firewall and how is it different from a network (or transparent) firewall?
Answer:
A proxy (application-level) firewall terminates the client's connection itself, inspects the request at the application layer (HTTP, FTP, SMTP and so on) and then opens a separate connection to the destination on the client's behalf; the two ends never exchange packets directly, and the addresses of the internal hosts are hidden. A network (packet-filtering, or transparent) firewall forwards packets between the two ends and decides on each packet, or on each connection when it is stateful, from the IP and transport headers alone: addresses, ports and flags. The proxy can therefore apply finer-grained rules, for example allowing particular HTTP methods or blocking certain file types, and log at the application level, at the cost of needing one proxy per protocol and adding latency; the packet filter is faster and protocol-independent but sees only headers.
b) What does NAT stand for, and how does the mechanism work? Describe what, if any, security NAT provides (or fails to provide).
Answer:
Network Address Translator (NAT) translates the source IP address and port numbers of packets. NAT was introduced to solve the problem of the global shortage of IP addresses: with NAT, hosts on a private network can reach resources on the Internet. The NAT device modifies the packet header, replacing the private source IP address with its own public IP address, and then sends the packet outside. It records the original source IP address, port number and destination IP address in its translation table so that returning packets can be mapped back to the right host. NAT provides some security by allowing multiple hosts to hide behind one or more public IP addresses.
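As an added illustration of the translation step described above (not part of the assignment or the answer), the Python model below implements a port-overloading NAT with its translation table: outbound packets get the public address and a fresh public port, replies are mapped back by that port, and inbound packets with no matching entry are dropped. All addresses are constructed sample values, and the decision to also require the reply's source to match the recorded destination is this example's own design choice.

```python
"""Toy port-overloading NAT (NAPT) with a translation table.

Added example, not from the assignment. Addresses are constructed
documentation-range values; the Packet type is this example's own.
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, dst ip, dst port) -> public port
        self.table = {}
        # public port -> (private ip, private port, dst ip, dst port)
        self.reverse = {}

    def outbound(self, pkt):
        """Rewrite the source of a private->public packet and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt):
        """Map a public->private reply back to the host, or drop it (None)
        when no mapping exists or the sender is not the recorded destination
        (that second check is this example's design choice)."""
        key = self.reverse.get(pkt.dst_port)
        if key is None or (pkt.src_ip, pkt.src_port) != (key[2], key[3]):
            return None
        private_ip, private_port, _, _ = key
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

if __name__ == "__main__":
    nat = Nat("203.0.113.7")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    print("outbound rewritten to", out)
    print("reply mapped to", nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", out.src_port)))
    print("unsolicited packet ->", nat.inbound(Packet("198.51.100.99", 443, "203.0.113.7", 40001)))
```

The last call shows the protection the answer refers to: a packet arriving from outside for which no host has created a mapping has nowhere to go and is dropped, so private hosts are not reachable directly by their private addresses.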
c) Where would you place a web server in an organization assuming that you can use a network firewall and why?
Answer:
Servers that must be reachable from the public network, including the DNS and web servers, are placed in a DMZ. The DMZ is protected by the firewall, but it sits outside the organisation's internal network on a separate subnet. Traffic from the organisation's internal network is allowed into the DMZ, but traffic originating in the DMZ is not permitted into the internal network. Port forwarding is applied so that only authorised users can reach the organisation's information: the firewall forwards only port 80 (non-secure HTTP), or port 443 if the secure version is used.
Question 5 (10 marks)
You are the Chief Information Security Officer (CISO) of a small to medium sized accounting services company. In the last few weeks, senior staff have been complaining that some confidential information has been disclosed via email without any authorisation. You are approached by the Chief Information Officer (CIO) to discuss the issue and find the most appropriate way to tackle this problem. You suspect that some of the employees might be using their technical skills to access sensitive information either from the mail servers or during transmission. To counteract this malpractice, you suggest to the CIO the implementation of encryption. Before you actually implement the system, you want to conduct a pilot using the GNU Privacy Guard (GPG) software.
The pilot requires that you install GNU Privacy Guard (GPG) software onto your own computer and complete the following activities.
Note: The GNU Privacy Guard is available for free download from http://www.gnupg.org/ and “A Practical Introduction to GNU Privacy Guard in Windows” by Brendan Kidwell is available at http://www.glump.net/howto/gpg_intro
After installing GPG software onto your own computer, complete the following tasks:
- Generate your own key-pair using the GPG software and do not create a pass-phrase for your private key (in the real world this is not good practice; just for the sake of this assignment, do not create a pass-phrase). You must use screen-shots to show that you have successfully completed this task. A valid screen-shot is similar to the one shown in Figure 1. Pay attention to the red circles, which demonstrate the success of key pair generation (2 marks).
Figure 1 Key Pair Creation
- Export your public key and paste it into your assignment document. You must use two screen-shots to show that you have successfully completed this task. One screen-shot is to show the use of the gpg command and the other is to show the exported public key. For example, the screen-shot in Figure 2 shows a public key, which is exported into the file CC-pubkey.txt (2 marks).
Figure 2 Screen-shot of a Public Key
Use “gpg --export -a” command to export public key
- Explain how to import the course's public key from the key-server http://pgp.mit.edu (we have created a public key and stored it at the MIT PGP Public Key Server under the name COIT20262-T1-2016). Include in the assignment document the gpg command line, the individual options you used and their meaning. As above, use screenshots of website interactions, with accompanying explanations of the screenshots, to explain the steps involved in importing this public key from the key-server http://pgp.mit.edu (3 marks).
Answer:
To import a key use the command “gpg --import [Filename]”
- Create an ASCII text file to store your full-name, your student number, and your student CQU email address (please do not use any other email address). Then using the course public key, encrypt this text file. The resulting file should also be ASCII armored so that it is readable once decrypted by your lecturer / tutor. Failure to do so will result in loss of marks. Submit the resulting encrypted file along with your assignment solutions document (word document) via the online submission system and following the naming convention given above (3 marks).
An example explaining the steps to export a key
Here is a specific example explaining the steps of exporting a private key so that it can be imported onto another computer running GPG. Use this example as a guide for how to give explanations in this question.
To export your private key, you need to execute the following gpg command:
gpg --output “privkey.txt” --export-secret-keys “Xiao Li”
The --output option specifies the file the private key is written to. The --export-secret-keys option specifies the name of the private key to be exported; here the name is given as "Xiao Li". This option is distinct from the --export option, which exports only public keys.
Now the private key is stored in the file “privkey.txt” unencrypted and can be imported into another version of GPG.
Hints:
Where required, be detailed and specific about your actions, explaining exactly what you did and why you did it. Document the exact GPG commands you have used and provide an explanation of what each command does, including the individual command line options, and/or provide screenshots of any interactions with websites.
Brendan Kidwell’s practical guide is not the only one available on the Internet. There are plenty of other documents on the Internet that explain how to use GPG for various functions.
Marking:
2 Marks for key-pair creation
2 Marks for exporting your public key
3 Marks for explaining the steps how to import the course public key from the key-server
3 Marks for creating an ASCII text file and encrypting it using your lecturer’s public