Name of the student: Avtar
Assignment 1
Question 1. Analysis of Protocols with Wireshark
(a). Application, protocol, ports and IP addresses used are:
Application name or protocol | Transport Protocol | Client Port | Server Port | Client IP | Server IP | Time of use
wget | TCP | 48158-84 | 80 | 192.168.1.11 | 192.168.3.32 | 0.001884-3.935059, 18.350688-21
ping | ICMP | ? | ? | 192.168.5.2 | 192.168.1.12 | 2.662197-2.664566, 7.661626, 12.662553, 17.665939, 22, 27, 32, 47
ping | ICMP | ? | ? | 192.168.1.11 | 192.168.2.22 | 3.923463-3.928133, 7.925722, 16.348104, 19.943458
wget | TCP | 36976-37000 | 80 | 192.168.3.31 | 192.168.1.12 | 5.656903-10.141065, 22, 23, 25
ping | ICMP | ? | ? | 192.168.1.12 | 192.168.6.1 | 5.902673-5.903418, 11.905208, 23, 29, 41
ping | ICMP | ? | ? | 192.168.1.11 | 192.168.2.22 | 5.923233-5.924929, 9.928377, 11.931221, 15.938206, 21, 23, 29, 31, 33, 45
? | UDP | 56946 | 5001 | 192.168.1.11 | 192.168.5.2 | 9.346241, 10.346672, 12.346429, 13.346979, 15.346986, 21, 23, 25, 26, 27, 28, 30, 32, 34, 35, 37, 39, 43, 48
wget | TCP | 49258 | 80 | 192.168.2.21 | 192.168.1.12 | 12.021093, 27, 28, 29
ping | ICMP | ? | ? | 192.168.6.1 | 192.168.1.12 | 17.915177
? | TCP | 38168 | 18 | 192.168.1.12 | 192.168.3.31 | 20.234008, 28, 32, 33
? | TCP | 38330 | 10001 | 192.68.2.22 | 192.168.1.11 | 25, 43
(b). The MAC addresses found in the packet capture are:
Computer | Interface | MAC | IP
1 | 1 | 08:00:27:9f:c6:9f | 192.168.1.11
2 | 1 | 08:00:27:fd:ab:da | 192.168.1.12
3 | 1 | 08:00:27:cc:71:35 | 192.168.1.1
3 | 2 | 08:00:27:1c:6d:33 | 192.168.4.1
3 | 3 | 08:00:27:61:fc:c4 | 192.168.5.1
(c). The DNS names for the computers involved are:
IP Address | DNS | Packet number
192.168.1.1 | www.routerlogin.com | 2
192.168.3.32 | www.example.com | 6
192.168.1.12 | www.uni.edu.au | 86
(d). Message Sequence Diagram for the first TCP connection:
(e). The TCP connection follows the three-way handshake to establish a connection before data transfer begins. Connection establishment and closing proceed as follows:
First, the client sends a TCP SYN packet to the server with its initial sequence number.
The server acknowledges the TCP SYN packet by sending a TCP SYN-ACK packet back to the client.
The client sends the acknowledgment for the SYN-ACK back to the server, by sending the TCP SYN packet.
Once the connection between client and server has been established, the server may send data to the client. The client acknowledges each data packet sent by the server.
The server waits for further requests (an HTTP request in our case). Once the client's requests have been fulfilled, the client sends a TCP FIN-ACK packet to the server to initiate closing of the connection.
The server responds to the TCP FIN-ACK packet by sending the same packet. The client then sends an acknowledgment to the server, and the connection closing is complete.
(f). The list of files is obtained by looking at the HTTP requests; whether each file exists is decided from the response code in the corresponding response packet.
Computer | DNS | File (exists / does not exist) | Packet Number
192.168.3.32 | www.example.com | index.html | Req 6, Resp 8
192.168.3.32 | www.example.com | page1.html | Req 16, Resp 18
192.168.3.32 | www.example.com | page2.html | Req 26, Resp 28
192.168.3.32 | www.example.com | image.png | Req 36, Resp 39
192.168.3.32 | www.example.com | /subdir/page3.html | Req 48, Resp 50
192.168.3.32 | www.example.com | /subdir/style.css | Req 62, Resp 64
192.168.3.32 | www.example.com | page4.html | Req 73, Resp 75
192.168.1.12 | www.uni.edu.au | index.html | Req 86, Resp 88
192.168.1.12 | www.uni.edu.au | /subdir/page3.html | Req 100, Resp 102
192.168.1.12 | www.uni.edu.au | /subdir/style.css | Req 110, Resp 112
192.168.1.12 | www.uni.edu.au | page1.html | Req 124, Resp 126
192.168.1.12 | www.uni.edu.au | image.png | Req 134, Resp 136
192.168.1.12 | www.uni.edu.au | page2.html | Req 145, Resp 148
192.168.1.12 | www.uni.edu.au | page4.html | Req 159, Resp 161
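The request/response pairing used in part (f) can be automated over a packet summary. The following is an added example, not part of the assignment: it parses constructed tshark-style summary lines (the packet numbers and paths are made up, and the IPs are reused from the capture above only for familiarity), pairs each HTTP request with the next response on the reverse path, and marks a file as existing only when the status is 2xx.

```python
import re
from collections import deque

# Constructed sample capture in a tshark-like summary layout:
# number, time(s), source IP, destination IP, protocol, info (made-up values).
SAMPLE = """\
6 0.001884 192.168.1.11 192.168.3.32 HTTP GET /index.html HTTP/1.1
8 0.003120 192.168.3.32 192.168.1.11 HTTP HTTP/1.1 200 OK (text/html)
16 1.104411 192.168.1.11 192.168.3.32 HTTP GET /page9.html HTTP/1.1
18 1.106902 192.168.3.32 192.168.1.11 HTTP HTTP/1.1 404 Not Found (text/html)
26 2.201000 192.168.1.11 192.168.3.32 HTTP GET /subdir/style.css HTTP/1.1
28 2.203500 192.168.3.32 192.168.1.11 HTTP HTTP/1.1 200 OK (text/css)
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
REQ = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]$")
RESP = re.compile(r"^HTTP/1\.[01]\s+(\d{3})\b")

def parse(text):
    """Turn summary lines into dicts; lines that do not fit the layout are skipped."""
    pkts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            no, t, src, dst, proto, info = m.groups()
            pkts.append({"no": int(no), "time": float(t), "src": src,
                         "dst": dst, "proto": proto, "info": info})
    return pkts

def pair_http(pkts):
    """Pair each HTTP request with the next response on the reverse path.
    Returns (client, server, path, req_no, resp_no, status, exists);
    exists is True only for 2xx, so a 404 marks a file that was not served."""
    pending = {}   # (client, server) -> queue of requests still unanswered
    rows = []
    for p in pkts:
        if p["proto"] != "HTTP":
            continue
        req = REQ.match(p["info"])
        if req:
            pending.setdefault((p["src"], p["dst"]), deque()).append((req.group(2), p["no"]))
            continue
        resp = RESP.match(p["info"])
        queue = pending.get((p["dst"], p["src"]))
        if resp and queue:
            path, req_no = queue.popleft()
            status = int(resp.group(1))
            rows.append((p["dst"], p["src"], path, req_no, p["no"], status, 200 <= status < 300))
    return rows
```

Requests queue per (client, server) pair so pipelined requests still match in order; a request without a reply simply stays pending and produces no row.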
Question 2. Web Application Attacks
Objective: Understand how real web application attacks work, and methods for mitigating them
(a). Unvalidated Redirect attack: URL redirection is a technique that lets multiple URLs lead to the same web page. Redirection serves several useful purposes, such as URL shortening and serving one website under multiple domains owned by the same owner. The same technique can also be used by malicious attackers, who may redirect users to a malicious website for phishing. The steps followed to perform the unvalidated redirect attack using topology 7 are as follows:
Deployed the MyUni application on node 4. The URL for this application is “http://www.myuni.edu/grades/login.php”.
Deployed the fake MyUni application on node 5. The URL for this fake application is “http://www.myuni.edu.gr/ades/login.php”.
Created a user in node 4's MySQL database.
Visited the URL “http://www.myuni.edu/grades/redirect.php?url=http://www.myuni.edu.gr/ades/login.php”. A file called “redirect.php” is kept on node 4; it takes a URL as a parameter and redirects to it.
After reaching the redirected URL, the user enters the username and password on the login page provided. On node 5, the stolen username and password can be seen by simply reading the file “/tmp/stolenlogins.txt”.
The login page of the node 5 application is a phishing page, which contains the logic for reading the username and password and then writing them into a file.
(b). Assuming a website must use redirects, the technique that can be used to minimize the impact of unvalidated redirect attacks is to use value mappings rather than sending the URL, or a portion of it, in the destination parameter. The server-side code then translates these mapped values into the target URL.
(c). Apart from the unvalidated redirect attack, the attacker could have used DNS poisoning. In that technique, the attacker changes DNS entries and forces users to be redirected to one of the attacker's servers, which then hold the stolen usernames and passwords. The benefit of such attacks to the attacker is access to important online accounts for different services such as email. Once the attacker gains access to an email account, s/he may escalate the attack to other online service accounts connected to that email account, so the loss may be huge and impact the user badly. Apart from that, these accounts are sold on the internet, which provides direct money.
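The decision logic behind (a) and (b), as an added example that is not the assignment's redirect.php: the vulnerable handler passes the ?url= parameter straight through as the redirect target, whereas the mapped handler accepts only an opaque key and resolves it from a server-side table, falling back to a fixed local page for anything unknown. The hostnames are the assignment's; the mapping keys and the is_onsite helper are assumptions.

```python
from urllib.parse import urlsplit

SITE_HOST = "www.myuni.edu"   # the legitimate host from part (a)

def redirect_unvalidated(params):
    """Vulnerable form: whatever ?url= carries becomes the Location header,
    so a link to the look-alike host www.myuni.edu.gr is followed unchanged."""
    return params.get("url")

# Part (b): the client sends a key, never a URL; the server owns the table.
# Keys and targets below are assumed for the example.
REDIRECT_MAP = {
    "grades": "http://www.myuni.edu/grades/login.php",
    "library": "http://www.myuni.edu/library/",
    "timetable": "/timetable/index.php",   # relative target stays on-site
}

def redirect_mapped(params, default="/index.php"):
    """Hardened form: unknown or missing keys land on a fixed local page."""
    return REDIRECT_MAP.get(params.get("to", ""), default)

def is_onsite(location):
    """Secondary check for callers that still pass a URL: accept only a
    site-relative path or an absolute URL whose host is exactly SITE_HOST.
    A prefix test such as startswith("www.myuni.edu") would wrongly accept
    www.myuni.edu.gr, and "//host/path" is scheme-relative, not local."""
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return location.startswith("/") and not location.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST
```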
(d). The screenshot of the stolen username and password, during the attack.
Question 3. Cryptographic Operations with OpenSSL
No separate documentation is required for this question. The required files (ciphertext.bin, keypair.pem, pubkey.pem, signature.bin, commands.bash, key.txt, secretkey.bin) are uploaded to Moodle. To run the bash file, Steven-Gordon-pubkey.pem must be stored in the same path as in step g; key.txt is encrypted using RSA with steven-gordon-pubkey.pem so that only the Unit Coordinator can decrypt the file.
Question 4. Malware Research
Introduction: Ransomware is a malware-based attack, and it has become increasingly popular in recent years. Generally, it gets installed on the victim's computing device without the victim noticing. After infection by such malware, the user can no longer log in to the system legitimately. These kinds of malware encrypt all user data with a large key, making it unreadable for the user, and on the other hand threaten to publish the victim's critical data in the public domain. The actual motive behind this kind of attack is to obtain a ransom payment from the victim, so it displays a message on the victim's device demanding money to withdraw the attack from the system. Sometimes organizations pay the ransom and suppress the news to protect their image with their customers.
Background: File-encryption-based ransomware was invented by two computer scientists, Young and Yung [1], at Columbia University, who presented this cryptoviral extortion mechanism as a 3-round protocol. In practice this kind of attack was mainly popular in Russia during 2013, and after that it spread to the rest of the world. A few well-known attacks from recent years are listed below.
Muni system's network attack: It was also known as the Black Friday attack. On November 25-26, 2016, the Mamba and HDDCryptor malware attacked Muni's transportation system and caused a total breakdown of the system. $73,000 was demanded to withdraw the attack.
Police Trojan [3]: It is a Reveton-based ransomware attack that was performed on several computer systems during 2012 in European countries. It mainly victimized end users by acting like a law enforcement agency.
Fusob: It belongs to a ransomware family. It was active between April 2015 and March 2016 and is the most popular mobile ransomware. Like other ransomware it uses scare tactics to force people to pay a ransom, otherwise it claims to bring fictitious charges against the user. It uses iTunes gift cards for payment.
Working Technologies: Ransomware basically spreads using a Trojan. The ransomware is hidden in the Trojan's payload and acts like a legitimate file. It enters the system during a malicious site visit or a malicious file download, or spreads in the local network from a single infected node due to a vulnerability in a network service. After entering a system, the Trojan program executes the payload, which may lock the system, encrypt the data present on the HDD, or modify the MBR. Finally, it demands a ransom amount to withdraw the attack. MBR modification or file encryption based attacks are more damaging, because even if the victim is somehow able to remove the malware, its effect remains in the system. Modern file-encryption-based ransomware is known as CryptoLocker or crypto-ransomware, and it internally uses RSA-2048 and AES together.
Ransom payment techniques: To avoid legal consequences when collecting the ransom, the designers of such ransomware use sophisticated techniques to obtain it. In some scenarios a traceable medium is also observed as the money transfer medium, as with Fusob, which uses iTunes accounts for payment transfer, but such examples are rare. Ransomware mainly uses the Bitcoin, Factom and Zcash cryptocurrencies [4], as it is difficult to trace money in these cryptocurrency systems.
Prevention Techniques: Ransomware-based attacks are avoidable; we can easily avoid this kind of attack by following a few security measures [5] such as:
Avoid opening unverified or spam mails, or clicking embedded links in eye-catching advertisements.
Back up sensitive files at regular intervals. It is better to create three backup copies on two different media, with one backup in a separate location.
Regularly update the operating system and anti-malware protection software.
Use anti-ransomware tools on sensitive systems, for example RANSOM_MILICRY.A, RANSOM_POGOTEAR.A, R980 ransomware, RANSOM_STAMPADO.A.
References
[1] Young, A.; Yung, M. (1996). Cryptovirology: extortion-based security threats and countermeasures. IEEE Symposium on Security and Privacy. pp. 129–140. doi:10.1109/SECPRI.1996.502676. ISBN 0-8186-7417-2.
[2] Ransomware locks up San Francisco public transportation ticket machines. Ars Technica. URL: https://arstechnica.com/security/2016/11/san-francisco-muni-hit-by-black-friday-ransomware-attack/
[3] Gardaí warn of ‘Police Trojan’ computer locking virus. TheJournal.ie. Retrieved 31 May 2016.
[4] Brito, J.; Castillo, A. (2013). “Bitcoin: A Primer for Policymakers.” Mercatus Center, George Mason University. Retrieved 22 October 2013.
[5] Schofield, J. (28 July 2016). “How can I remove a ransomware infection?”. The Guardian. Retrieved 28 July 2016.