FIT5037 Network Security Assignment Total Marks 100
Due on Sunday, 4 August 2024, 11:55 PM.
-
Overview
The learning objective of this assignment is for you to gain first-hand experience of network attacks (i.e., TCP and DNS attacks) and a deeper understanding of how these attacks are launched in practice. All tasks in this assignment can be done on the virtual machine used in the labs.
-
Submission Policy
You need to submit a lab report (one single PDF file) describing what you have done and what you have observed, with screenshots whenever necessary; you also need to provide explanations or code for the observations that relate to the tasks. In your report, you are expected to answer all the questions listed in this manual. Typeset your report in .pdf format (make sure it can be opened with Adobe Reader) and name it in the format:
[Your Name]-[Student ID]-FIT5037-Assignment, e.g., HarryPotter-12345678-FIT5037-Assignment.pdf.
All source code, if required, should be embedded in your report. In addition, if a demonstration video is required, you should record your screen demonstration with your voice explanation and upload the video to your Monash Google Drive. For the video demonstration, please keep it to a maximum of 30 minutes in total duration; you a wing face is mandatory. Th quired. You can use any tool yo panopto.aarnet.edu.au/) and Zoom.
Late submission penalty: 10-point deduction per day. If you require a special consideration, the application should be submitted and notified at least three days in advance. Zero tolerance on plagiarism: If you are found cheating, penalties will be applied, i.e., a zero grade for the unit. The demonstration video is also used to detect/avoid plagiarism. University policies can be found at https://www.monash.edu/students/academic/policies/academic-integrity.
-
Environment Setup
In this section, you need to double check whether you have configured GNS3 correctly. We will be using the Topic 6 – Week 5A lab configuration, i.e., your GNS3 configuration should look like below:
Figure 1: GNS3 Config
Otherwise, if you don’t have the VM ready, we refer you to Environment Setup in Week 01. It is recommended to perform lab tasks of Topic 6 – Week 5A before proceeding.
-
TCP Attacks – Using Scapy [40 Marks]
The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It sits on top of the IP layer, and provides a reliable and ordered communication channel between applications running on networked computers. TCP belongs to the Transport layer, which provides host-to-host communication services for applications. To achieve such reliable and ordered communication, TCP requires both ends of a communication to maintain a connection. Unfortunately, when TCP was developed, no security mechanism was built into this protocol, making it possible for attackers to eavesdrop on connections, break connections or hijack connections. In this section, you are required to perform these attacks using Scapy, a packet manipulation tool for computer networks written in Python.
-
Task 1: TCP Reset Attacks [15 Marks]
In the stream of packets of a TCP connection, each packet contains a TCP header. In the header, there is a bit known as the “reset” (RST) flag. In most packets, this bit is set to 0 and has no effect; however, if this bit is set to 1, it indicates that the receiver should immediately stop using the TCP connection. That means it should not send back any more packets using the connection’s identifying numbers, called ports, and should discard any further packets with headers belonging to that connection. A TCP reset basically kills a TCP connection instantly.
It is possible for a third computer (aka attacker) to monitor the TCP packets on the connection and then send a “forged” packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forg ection. The idea is qui st spoofs a TCP RST packet from A to B or from B to A.
Q1: Connect from Internal-Client to Internal-Server using SSH (use apt install ssh if SSH is not installed); the username and password are the same: msfadmin. Perform a TCP RST attack, from the Internal-Attacker workstation, on the SSH service using the Scapy (Python-based) packet generator. The Internal-Client terminal should show that the connection is terminated. Please submit your Python code and the steps, along with a video link showing that you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks)
Q2: Briefly explain the TCP RST attack and propose at least two theoretical countermeasures. You do not have to do any configuration/implementation for this task. (Explanation: 2.5 marks, countermeasures: 2.5 marks)
-
Task 2: TCP Session Hijacking Attacks [25 Marks]
Once a TCP client and server finish the three-way handshake protocol, a connection is established, and we call it a TCP session. From then on, both ends can send data to each other. Since a computer can have multiple concurrent TCP sessions with other computers, when it receives a packet, it needs to know which TCP session the packet belongs to. TCP uses four elements to make that decision, i.e., to uniquely identify a session: (1) source IP address, (2) destination IP address, (3) source port number, and (4) destination port number.
We call these four fields the signature of a TCP session. As we have already learned, spoofing packets is not difficult. What if we spoof a TCP packet whose signature matches that of an existing TCP session on the target machine? Will this packet be accepted by the target? Clearly, if the above four elements match the signature of the session, the receiver cannot tell whether the packet comes from the real sender or an attacker, so it considers the packet as belonging to the session.
However, for the packet to be accepted, one more critical condition needs to be satisfied: the TCP sequence number. TCP is a connection-oriented protocol and treats data as a stream, so each octet in the TCP session has a unique sequence number, identifying its position in the stream. The TCP header contains a 32-bit sequence number field, which holds the sequence number of the first octet in the payload. When the receiver gets a TCP packet, it places the TCP data (payload) in a buffer; where exactly the payload is placed inside the buffer depends on the sequence number. This way, even if TCP packets arrive out of order, TCP can always place their data in the buffer in the correct order.
The objective of this task is to hijack an existing TCP connection (session) between client and server by injecting malicious contents into their session.
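As an added example (not the assignment's own code), the receiver-side checks that decide whether a segment carrying a matching four-tuple is acted on, covering both the RST handling of Task 1 and the sequence-number condition of Task 2; the session values and addresses are constructed.

```python
# Added example (not part of the assignment): the acceptance checks a TCP receiver applies to
# an arriving segment, showing why a matching four-tuple alone is not enough for a RST or a
# data segment to be honoured. Connections and segments are plain dicts; the addresses in the
# sample are constructed (RFC 5737 documentation ranges).
MOD = 1 << 32                      # sequence numbers are 32-bit and wrap

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND) under modulo-2**32 arithmetic."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def payload_offset(seq, rcv_nxt):
    """Where an in-window payload is placed in the receive buffer, relative to RCV.NXT."""
    return (seq - rcv_nxt) % MOD

def classify_segment(conn, seg):
    """
    conn: {'sig': (src_ip, dst_ip, sport, dport), 'rcv_nxt': int, 'rcv_wnd': int}, the
          receiver's view of one established session (sig is the incoming direction).
    seg:  {'sig': (...), 'seq': int, 'rst': bool} for the arriving segment.
    Returns 'no-session', 'drop', 'reset', 'challenge-ack' or 'accept'.
    """
    if seg["sig"] != conn["sig"]:
        return "no-session"        # four-tuple matches no session: never demultiplexed to it
    if not seq_in_window(seg["seq"], conn["rcv_nxt"], conn["rcv_wnd"]):
        return "drop"              # right session, out-of-window sequence: silently discarded
    if seg["rst"]:
        # RFC 5961 section 3.2: a RST is honoured only when SEG.SEQ == RCV.NXT exactly; an
        # in-window but inexact RST is answered with a challenge ACK and the session survives.
        return "reset" if seg["seq"] == conn["rcv_nxt"] else "challenge-ack"
    return "accept"                # in-window data is queued at payload_offset(seq, rcv_nxt)

# Constructed sample: an SSH session as the server sees it (client -> server direction).
SESSION = {"sig": ("192.0.2.10", "198.51.100.5", 40000, 22), "rcv_nxt": 1000, "rcv_wnd": 65535}

def demo():
    """Run a handful of constructed segments against SESSION and return their verdicts."""
    segs = {"other port": {"sig": ("192.0.2.10", "198.51.100.5", 40001, 22), "seq": 1000, "rst": True},
            "stale RST": {"sig": SESSION["sig"], "seq": 900, "rst": True},
            "exact RST": {"sig": SESSION["sig"], "seq": 1000, "rst": True},
            "in-window RST": {"sig": SESSION["sig"], "seq": 1500, "rst": True},
            "in-window data": {"sig": SESSION["sig"], "seq": 1200, "rst": False}}
    return {k: classify_segment(SESSION, v) for k, v in segs.items()}
```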
Q3: Connect via TELNET from Internal-Client to Internal-Server; the username and password are the same: msfadmin. Write Python code, using Scapy, which can inject packets into the TELNET communication; the goal is to make a directory called “attacker” at the Internal-Server (as seen in the screenshot below). You can use the Internal-Attacker workstation to run the Python code. Submit the Python code and steps, along with a video link that demonstrates you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks)
-
Q4: Connect via TELNET from Internal-Client to Internal-Server. The objective is to get a reverse shell from In hine, connecting back to the a rage students to research abou -cf154dfee6bd.
Write Python code, using Scapy, which can inject packets into the TELNET communication and create a reverse shell from Internal-Server to Internal-Attacker (as seen in the screenshot below; in this case the Internal-Server’s IP address is 10.10.10.197). Submit the Python code and steps, along with a video link showing that you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks)
Figure 2: Directories in Internal-Server
Figure 3: Receiving reverse shell
Q5: Connect via SSH from Internal-Client to Internal-Server; the username and password are the same: msfadmin. Perform the same TCP hijacking attacks as you did for TELNET, i.e. make the attacker directory on Internal-Server and create a reverse shell from Internal-Server to Internal-Attacker by hijacking the SSH connection. If your attacks are successful, please submit the Python code and steps, along with a video link showing that you have performed the attacks. If your attacks were unsuccessful, explain the reason in detail. (Python code and explanation during recording demonstration: 5 marks)
-
DNS Attacks – Using Scapy [60 Marks]
The Domain Name System (DNS) is an essential component of the Internet infrastructure. It serves as the phone book for the Internet, so computers can look up the “telephone numbers” (i.e. IP addresses) of domain names. Without knowing the IP address, computers will not be able to communicate with one another. Due to its importance, the DNS infrastructure faces frequent attacks. In this section, you will explore the primary attack on DNS, DNS cache poisoning, by investigating both local and remote DNS cache poisoning attacks.
Due to the large number of computers and networks on the Internet, the domain namespace is organised in a hierarchical tree-like structure. Each node on the tree is called a domain, or a sub-domain when referenced relative to its parent node. The following figure depicts a part of the domain hierarchy.
Figure 4: Domain hierarchy
The domain hierarchy tree structure describes how the domain namespace is organised, but that is not exactly how the domain name systems are organised. Domain name systems are organised according to zones. A DNS zone basically groups contiguous domains and sub-domains on the domain tree, and assigns the management authority to an entity. Each zone is managed by an authority, while a domain does not carry any authority information. The following figure depicts an example for the example.com domain.
Figure 5: DNS Zones
Assume that example.com in the above figure is an international company, with branches all over the world, so the company’s domain is further divided into multiple sub-domains, including usa.example.com, uk.example.com, and france.example.com. Inside the US, the usa sub-domain is further divided into chicago, boston, and nyc subdomains.
Each DNS zone has at least one authoritative nameserver that publishes information about that zone. The goal of a DNS query is to eventually ask the authoritative DNS server for answers. They are called authoritative because they provide the original and definitive answers to DNS queries, as opposed to obtaining the answers from other DNS servers.
With such an arrangement, the root zone for example.com only needs to keep records of who the authority is for each of its subdomains. By doing this, it maintains the independence among the branches in different countries and delegates the administrative rights for those subdomains, so the branch in each country manages its own DNS information. For a given DNS query, if your local DNS server does not have the answer, it will ask other DNS servers on the Internet for the answer via the hierarchical authority servers. The following example demonstrates a dig (DNS query) for the domain www.example.net when sending the query directly to one of the root servers (i.e. a.root-servers.net).
Figure 6: DIG to the root server
There are four types of sections in a DNS response: question section, answer section, authority section, and additional section. From the above result, we can see that the root server does not know the answer (the reply does not include an answer section), but it tells us several authoritative nameservers for the net zone (the NS records in the authority section), along with their IP addresses where available in the additional section. If you continue to dig the domain www.example.net on one of these authoritative nameservers, you will finally ting the website for www.exampl When your loc ation, so if the same information is needed, it will not waste time to ask again.
-
Task 3: Local DNS Attack targeting Authority Nameserver [20 Marks]
Recall that a DNS response contains a question section, an answer section, an authority section, and an additional section. If we only target the answer section, the attack only affects one hostname (as we did in our Topic 6 – Week 5A lab “DNS Spoofing Attacks”). Real DNS attacks usually target the authority section by providing a fake NS record for the target domain in the authority section. If the fake NS record is cached, then whenever the victim local DNS server tries to find any IP address in the target domain, it will send a request to the malicious nameserver specified in the fake NS record. Such an attack can affect all the hostnames in the target domain. In this task, you will explore how to target the authority server of example.net and manage to replace it with ns1.attacker.com and ns2.attacker.com.
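As an added example (not the assignment's own code), the resolver-side view of the reply described above and in the dig discussion: a minimal parser that splits a DNS message into its four sections, and the bailiwick rule a caching resolver applies to the authority and additional sections. The reply bytes, the transaction ID and the 192.0.2.x glue addresses are constructed here.

```python
import struct   # added example (not the assignment's code): a resolver-side view of one DNS reply
def _name(s):   # dotted name -> uncompressed wire format, used only to build the sample
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
def _read_name(msg, off):
    """Decode a name at msg[off:], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln >= 0xC0:                              # pointer: jump, remember where we came from
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii")); off += ln

def parse_response(msg):
    """Split a reply into its four sections; each RR becomes (owner, type, ttl, rdata)."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = _read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]; off += 4        # skip qtype + qclass
    secs = {"question": (qname, qtype), "answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            if rtype == 2:   rdata = _read_name(msg, off)[0]                     # NS -> name
            elif rtype == 1: rdata = ".".join(str(b) for b in msg[off:off + 4])  # A -> IPv4
            else:            rdata = msg[off:off + rdlen].hex()
            off += rdlen
            secs[sec].append((owner, rtype, ttl, rdata))
    return txid, secs

def in_bailiwick(owner, zone):
    return owner == zone or owner.endswith("." + zone)

def cacheable(secs, zone):
    """Bailiwick rule: drop authority/additional RRs owned outside the zone asked about."""
    return {s: [rr for rr in secs[s] if s == "answer" or in_bailiwick(rr[0], zone)]
            for s in ("answer", "authority", "additional")}
def sample_response():
    """Constructed reply to 'www.example.net A': NS delegation to attacker.com plus its glue."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 2, 2)            # TXID, flags, QD/AN/NS/AR
    q = _name("www.example.net") + struct.pack("!HH", 1, 1)
    # owner of each NS RR is a compression pointer (0xC010) to "example.net" inside the qname
    ns = lambda h: b"\xc0\x10" + struct.pack("!HHIH", 2, 1, 86400, len(_name(h))) + _name(h)
    glue = lambda h, ip: _name(h) + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes(map(int, ip.split(".")))
    return (hdr + q + ns("ns1.attacker.com") + ns("ns2.attacker.com")
            + glue("ns1.attacker.com", "192.0.2.53") + glue("ns2.attacker.com", "192.0.2.54"))
```

Note that the two NS records pass the bailiwick check because their owner is example.net itself, so this rule only strips the out-of-zone glue; the NS records are kept out of the cache by transaction-ID and source-port matching, or rejected outright under DNSSEC validation.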
Q6: Submit your Python code, with step-by-step comments in the code, to perform the DNS spoofing attack that modifies the authority server of example.net to be ns1.attacker.com and ns2.attacker.com. Use Internal-Client as the victim and Internal-Attacker as the attacker machine. (Python code: 10 marks.) If the attack works, you should see the result as in the following figures, in which the malicious authoritative servers are in place.