1 Overview

The learning objective of this assignment is for you to gain a first-hand experience on network attacks (i.e., TCP and DNS attacks) and get a deeper understanding on how to launch these attacks in practice. All     tasks in this assignment can be done on the virtual machine used in the labs.

2 Submission Policy

You need to submit a lab report (one single PDF file) to describe what you have done and what you have observed with screen shots whenever necessary; you also need to provide explanation or codes to the        observations that are related to the tasks. In your report, you are expected to answer all the questions     listed in this manual. Typeset your report into .pdf format (make sure it can be opened with Adobe        Reader) and name it as the format: [Your Name]- [Student ID]-FIT5037-Assignment, e.g.,              HarryPotter-12345678-FIT5037-Assignment.pdf.

All source code if required should be embedded in your report. In addition, if a demonstration video is    required, you should record your screen demonstration with your voice explanation and upload the video  to your Monash Google Drive. For video demonstration, you are required to say your name and student ID at the start of recording, showing face is mandatory. The shared URL of the video   should be mentioned in your report wherever required. You can use any tool you would like to record       videos, for example panopto (https://monash-panopto.aarnet.edu.au/) and Zoom. Note: the             assignment is due on October 7th, Friday, 11:55:59 PM (Firm!).

Late submission penalty: 10-point deduction per day. If you require a special consideration, the          application should be submitted and notified at least three days in advance. Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for the unit. The demonstration       video is also used to detect/avoid plagiarism. University polices can be found at https://www.monash.edu/students/academic/policies/academic-integrity.

3 Environment Setup

In this section, you need to double check whether you have configured GNS3 correctly. We will be using the Week06 lab configuration, i.e., your GNS3 configuration should look like below:

Figure 1: GNS3 Config

Otherwise, if you don’t have the VM ready, we refer you to Environment Setup in Week 01. It is recommended to perform lab tasks of Week06 before proceeding.

4 TCP Attacks – Using Scapy [40 Marks]

The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It sits on top  of the IP layer, and provides a reliable and ordered communication channel between applications running on networked computers. TCP is in a layer called Transport layer, which provides host-to-host                 communication services for applications. To achieve such reliable and order communication, TCP requires both ends of a communication to maintain a connection. Unfortunately, when TCP was developed, no      security mechanism was built into this protocol, making it possible for attackers to eavesdrop on               connections, break connections or hijack connections. In this section, you are required to perform these    attacks using Scapy—a packet manipulation tool for computer networks written in Python.

4.1 Task 1: TCP Reset Attacks [15 Marks]

In the stream of packets of a TCP connection, each packet contains a TCP header. In the header, there is a bit known as the ”reset” (RST) flag. In most packets, this bit is set to 0 and has no effect; however, if   this bit is set to 1, it indicates that the receiver should immediately stop using the TCP connection. That means it should not send back any more packets using the connection’s identifying numbers, called ports, and discard any further packets with headers belong to that connection. A TCP reset basically kills a      TCP connection instantly.

It is possible for a third computer (aka attacker) to monitor the TCP packets on the connection and then send a ”forged” packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the            endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a             convincing forged value for the fake reset to trick the endpoint into closing the TCP connection.

The idea is quite simple: to break up a TCP connection between A and B, the attacker just spoofs a TCP RST packet from A to B or from B to A.

4.2 Task 2: TCP Session Hijacking Attacks [25 Marks]

Once a TCP client and server finish the three-way handshake protocol, a connection is established, and we call it a TCP session. From then on, both ends can send data to each other. Since a computer can have    multiple concurrent TCP sessions with other computers, when it receives a packet, it needs to know which TCP session the packet belongs to. TCP uses four elements to make that decision, i.e., to uniquely           identify a session: (1) source IP address, (2) destination IP address, (3) source port number, and (4)         destination port number.

We call these four fields as the signature of a TCP session. As we have already learned, spoofing packets is not difficult. What if we spoof a TCP packet, whose signature matches that of an existing TCP session on the target machine? Will this packet be accepted by the target? Clearly, if the above four elements match with the signature of the session, the receiver cannot tell whether the packet comes from the real sender or an attacker, so it considers the packet as belonging to the session.

However, for the packet to be accepted, one more critical condition needs to be satisfied. It is the TCP    sequence number. TCP is a connection-oriented protocol and treats data as a stream, so each octet in the TCP session has a unique sequence number, identifying its position in the stream. The TCP header contains a 32-bit sequence number field, which contains the sequence number of the first octet in the    payload. When the receiver gets a TCP packet, it places the TCP data (payload) in a buffer; where     exactly the payload is placed inside the buffer depends on the sequence number. This way, even if TCP packets arrive out of order, TCP can always place their data in the buffer using the correct order.

The objective of this task is to hijack an existing TCP connection (session) between client and server by injecting malicious contents into their session.

Figure 2: Directories in Internal-Server

Figure 3: Receiving reverse shell

5 DNS Attacks – Using Scapy [60 Marks]

Domain Name System (DNS) is an essential component of the Internet infrastructure. It serves as the   phone book for the Internet, so computers can look up for “telephone number” (i.e. IP addresses) from domain names. Without knowing the IP address, computers will not be able to communicate with one  another. Due to its importance, the DNS infrastructure faces frequent attacks. In this section, you will explore the most primary attack on DNS. That is DNS cache poisoning by investigating both Local and Remote DNS cache poisoning attacks.

Due to the large number of computers and networks on the Internet, the domain namespace is organised in a hierarchical tree-like structure. Each node on the tree is called a domain or sub-domain when referencing to its parent node. The following figure depicts a part of the domain hierarchy.