第五组
part 1 Arp Spoofing
Last week, we have seen that ARP spoofing can be used to attack the confidentiality of a network. In this week, we will use a simplified version of an ARP packet to illustrate this behavior and try to defend against it.
A spoofed ARP packet is basically an unsollicited ARP reply for an IP address that is already in the network. The goal is to let the network believe that the attacker is the one that has the IP address specified in the packet. This can create a man in the middle attack.
Step 1
The first goal of this assignment is to create an ARP spoofing packet in the simplified format. You can implement this in the function spoofArp(spoofIP). The argument passed to this function is the IP address that you want to impersonate.
Step 2
The second goal of this assignment is to implement an ARP table for your router and detect attacks going on. An attack occurs when you observe a packet that tries to connect your MAC address to another IP or tries to claim an IP address that we know is already in use.
Do not save for requests, only for replies.
You have to implement the function that receives ARP
packets: receiveArp(message). This function receives an ARP packet and returns one of three status codes:
Additionally, when the function receives a request of its own IP address, it returns not a status code, but the ARP reply instead.
OK – If the packet was handled by the system.
IGNORE – If the packet was not meant for this system.
ATTACK – If an attack has been detected.
The simplified packet looks as follows:
• Opcode – 1 byte, 1 for request and 2 for reply.
• Rest of the fields are self explanatory.
• All fields are hexadecimal
Part 2 Message Modification
With your implementation of the ARP spoof attack, you have entered your favorite bank. Luckily for your attack, they do not have any detection methods for the ARP spoof. But what they do have, is encryption in their messages.
As it so happens, you conduct a targeted attack on one of the employees of the bank, right at the moment that money is transfered. During this attack, you have peeked at their screen and you have seen to which account the money is being transfered. Additionally, a secret source has provided you with the format of the packet, and the method of encryption. From this you have learned that the bank uses a XOR stream encryption.
The packet format is as follows (all fields are transfered in hexadecimal):
In your attack, you are interested in replacing the target account number with your own account number.
Task
Implement the
function modifyMessage(message,targetAccount,yourAccount), in which you modify the message in such a way that it correctly decrypts with your account number in it.
Part 3 Message authentication code
Due to your insane hacking skills, the bank has decided to hire you to solve all of their problems.
Your task is to implement a message authentication code (MAC) for the bank, which can be used to verify messages. To help you do this, there is a library function available: Hash.hash(message). This function returns a hash for the message you put into it.
Your MAC should be built using a key, and should be resistant to replay attacks. This means that every time a MAC is generated for a message, the MAC should be different.
Task 1
You should implement the function addMac(message,key, messageLength). This function should return the message with a MAC added.
Task 2
The second function to implement is checkMac(message,key, messageLength). This function takes a message with your generated MAC and checks if the MAC is correct. When a message is replayed against your system, this function should label it as not correct and therefore return false.
(Hint: You can use a counter to make MACs unique for the same input.)
Challenge task for 100/100
With the other two tasks, you can receive a score of 90/100.
If you want 100/100, you will have to implement the
function forgeMac(message). To do this, you have access to the library function that checks your answer: MacLib.checkMac(message, mac). This
function is vulnerable to a timing attack. The length of the MAC is 16 Hexadecimal characters (make sure to pad your guess to this length).
Note that due to our implementation of the checkMac function, running this attack might take some time.
Reviews
There are no reviews yet.