FIT5037 Network Security Assignment
Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: daixieit
FIT5037 Network Security Assignment
Total Marks 100
Due on October 7th, Friday, 11:55:59 PM
1 Overview
The learning objective of this assignment is for you to gain a first-hand experience on network attacks (i.e., TCP and DNS attacks) and get a deeper understanding on how to launch these attacks in practice. All tasks in this assignment can be done on the virtual machine used in the labs.
2 Submission Policy
You need to submit a lab report (one single PDF file) to describe what you have done and what you have observed with screen shots whenever necessary; you also need to provide explanation or codes to the observations that are related to the tasks. In your report, you are expected to answer all the questions listed in this manual. Typeset your report into .pdf format (make sure it can be opened with Adobe Reader) and name it as the format: [Your Name]- [Student ID]-FIT5037-Assignment, e.g., HarryPotter-12345678-FIT5037-Assignment.pdf.
All source code if required should be embedded in your report. In addition, if a demonstration video is required, you should record your screen demonstration with your voice explanation and upload the video to your Monash Google Drive. For video demonstration, you are required to say your name and student ID at the start of recording, showing face is mandatory. The shared URL of the video should be mentioned in your report wherever required. You can use any tool you would like to record videos, for example panopto (https://monash-panopto.aarnet.edu.au/) and Zoom. Note: the assignment is due on October 7th, Friday, 11:55:59 PM (Firm!).
Late submission penalty: 10-point deduction per day. If you require a special consideration, the application should be submitted and notified at least three days in advance. Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for the unit. The demonstration video is also used to detect/avoid plagiarism. University polices can be found at https://www.monash.edu/students/academic/policies/academic-integrity.
3 Environment Setup
In this section, you need to double check whether you have configured GNS3 correctly. We will be using the Week06 lab configuration, i.e., your GNS3 configuration should look like below:
Figure 1: GNS3 Config
Otherwise, if you don’t have the VM ready, we refer you to Environment Setup in Week 01. It is recommended to perform lab tasks of Week06 before proceeding.
4 TCP Attacks – Using Scapy [40 Marks]
The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It sits on top of the IP layer, and provides a reliable and ordered communication channel between applications running on networked computers. TCP is in a layer called Transport layer, which provides host-to-host communication services for applications. To achieve such reliable and order communication, TCP requires both ends of a communication to maintain a connection. Unfortunately, when TCP was developed, no security mechanism was built into this protocol, making it possible for attackers to eavesdrop on connections, break connections or hijack connections. In this section, you are required to perform these attacks using Scapy—a packet manipulation tool for computer networks written in Python.
4.1 Task 1: TCP Reset Attacks [15 Marks]
In the stream of packets of a TCP connection, each packet contains a TCP header. In the header, there is a bit known as the ”reset” (RST) flag. In most packets, this bit is set to 0 and has no effect; however, if this bit is set to 1, it indicates that the receiver should immediately stop using the TCP connection. That means it should not send back any more packets using the connection’s identifying numbers, called ports, and discard any further packets with headers belong to that connection. A TCP reset basically kills a TCP connection instantly.
It is possible for a third computer (aka attacker) to monitor the TCP packets on the connection and then send a ”forged” packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection.
The idea is quite simple: to break up a TCP connection between A and B, the attacker just spoofs a TCP RST packet from A to B or from B to A.
Q1: Connect from Internal-Client to Internal-Server using SSH (use apt install ssh if SSH is not installed), the username and password are same: msfadmin. Perform TCP RST attack, from Internal-Attacker workstation, on SSH service using Scapy (python-based) packet generator. Internal-Client terminal should show the connection is terminated. Please submit your python code and the steps, along with video link showing that you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks) |
|
4.2 Task 2: TCP Session Hijacking Attacks [25 Marks]
Once a TCP client and server finish the three-way handshake protocol, a connection is established, and we call it a TCP session. From then on, both ends can send data to each other. Since a computer can have multiple concurrent TCP sessions with other computers, when it receives a packet, it needs to know which TCP session the packet belongs to. TCP uses four elements to make that decision, i.e., to uniquely identify a session: (1) source IP address, (2) destination IP address, (3) source port number, and (4) destination port number.
We call these four fields as the signature of a TCP session. As we have already learned, spoofing packets is not difficult. What if we spoof a TCP packet, whose signature matches that of an existing TCP session on the target machine? Will this packet be accepted by the target? Clearly, if the above four elements match with the signature of the session, the receiver cannot tell whether the packet comes from the real sender or an attacker, so it considers the packet as belonging to the session.
However, for the packet to be accepted, one more critical condition needs to be satisfied. It is the TCP sequence number. TCP is a connection-oriented protocol and treats data as a stream, so each octet in the TCP session has a unique sequence number, identifying its position in the stream. The TCP header contains a 32-bit sequence number field, which contains the sequence number of the first octet in the payload. When the receiver gets a TCP packet, it places the TCP data (payload) in a buffer; where exactly the payload is placed inside the buffer depends on the sequence number. This way, even if TCP packets arrive out of order, TCP can always place their data in the buffer using the correct order.
The objective of this task is to hijack an existing TCP connection (session) between client and server by injecting malicious contents into their session.
Q3: Connect TELNET from Internal-Client to Internal-Server, the username and password are same: msfadmin. Write a python code, using Scapy, which can inject packets in the TELNET communica- tion, the goal is to make a directory called “attacker”at the Internal-Server (as seen in the screenshot below). You can use Internal-Attacker workstation to run the python code. Submit python code and steps, along with video link that demonstrates you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks) |
Figure 2: Directories in Internal-Server
Q4: Connect TELNET from Internal-Client to Internal-Server. The objective is to get a reverse shell from Internal-Server. Reverse shell is a shell process running on a remote machine, connecting back to the attacker’s machine. We are omitting the details of reverse shell and encourage students to research about it, you can start from here: https://hackernoon.com/reverse-shell-cf154dfee6bd. Write a python code, using Scapy, which can inject packets in TELNET communication and create a reverse shell from Internal-Server to Internal-Attacker (as seen in the screenshot below, in this case the Internal-Server’s IP address is 10.10.10.197). Submit python code and steps, along with video link showing that you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks) |
Figure 3: Receiving reverse shell
Q5: Connect SSH from Internal-Client to Internal-Server, the username and password are same: msfadmin. Perform same TCP hijacking attacks as you did for TELNET, i.e. make attacker directory in Internal-Server and create a reverse shell from Internal-Server to Internal-Attacker by hijacking SSH connection. If your attacks are successful, please submit python code and steps, along with video link showing that you have performed the attacks. If your attacks were unsuccessful, explain the reason in detail. (Python Code and Explanation during recording demonstration: 5 marks) |
2022-09-19