COIT20262 – Advanced Network Security, Term 1, 2017
Lovepreet
Question 1. Analysis of Protocols with Wireshark
(a) Application details:

| Application/Protocol | Transport protocol | Client Port(s) | Server Port | Client IP | Server IP | Time of use (packet numbers) |
|---|---|---|---|---|---|---|
| Web (HTTP) | TCP | 48158, 48160, 48162, 48164, 48166, 48168, 48170 | 80 | 192.168.1.11 | 192.168.3.32 | 6-8, 16-18, 26-28, 36-39, 48-50, 62-64, 73-75 |
| Web (HTTP) | TCP | 36976, 36978, 36980, 36982, 36984, 36986 | 80 | 192.168.3.31 | 192.168.1.12 | 86-88, 100-102, 110-112, 124-126, 134-136, 145-148 |
| Web (HTTP) | TCP | 49258 | 80 | 192.168.2.21 | 192.168.1.12 | 175-177 |
| Ping | ICMP | ? | ? | 192.168.5.2 | 192.168.1.12 | 57-58, 117-118 |
| Ping | ICMP | ? | ? | 192.168.3.32 | 192.168.1.11 | 73-77 |
| Ping | ICMP | ? | ? | 192.168.6.1 | 192.168.1.12 | 93-94, 168-171 |
| Ping | ICMP | ? | ? | 192.168.2.22 | 192.168.1.11 | 95-96, 119-120, 154-155 |
| ? | UDP | 56946 | 5001 | 192.168.1.11 | 192.168.5.2 | 141, 166-167, 182, 205, 218, 241, 254, 255, 262, 283, 311, 342, 345, 368, 393, 419 …etc. |
(b) MAC to IP mapping:

| Computer | MAC | IP | Interface |
|---|---|---|---|
| 1 | 08:00:27:cc:71:35 | 192.168.1.1 | 1 |
| 1 | 08:00:27:1c:6d:33 | 192.168.4.1 | 2 |
| 1 | 08:00:27:61:fc:c4 | 192.168.5.1 | 3 |
| 2 | 08:00:27:cc:71:35 | 192.168.6.1 | 1 |
| 3 | 08:00:27:cc:71:35 | 192.168.5.2 | 1 |
| 4 | 08:00:27:cc:71:35 | 192.168.3.32 | 1 |
| 5 | 08:00:27:cc:71:35 | 192.168.3.31 | 1 |
| 6 | 08:00:27:cc:71:35 | 192.168.2.22 | 1 |
| 7 | 08:00:27:cc:71:35 | 192.168.2.21 | 1 |
| 8 | 08:00:27:fd:ab:da | 192.168.1.12 | 1 |
| 9 | 08:00:27:9f:c6:9f | 192.168.1.11 | 1 |
(c) Domain names vs. IP addresses mapping

| Packet number | IP | URL |
|---|---|---|
| 6 | 192.168.3.32 | www.example.com |
| 86 | 192.168.1.12 | www.uni.edu.au |
(d) Message sequence diagram

Figure 1(a): Message sequence diagram for 1st TCP flow, between 192.168.1.1 (left) and 192.168.3.32 (right). Messages in order: SYN; SYN,ACK; ACK; HTTP GET; ACK; HTTP OK; FIN,ACK; FIN,ACK; ACK. Packet numbers labelled on the diagram: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
Figure 1(b): Wireshark Trace for 1st TCP flow
Question (e). The TCP connection open and close mechanism (based on the message sequence diagram above):

TCP is a connection-oriented, reliable transport-layer protocol, and almost every application-layer protocol relies on it. Before any TCP-based communication, a connection must be established between sender and receiver; this is why it is called a connection-oriented protocol. Every TCP segment is acknowledged by the receiver, which is how reliability is achieved. A TCP connection is set up with a three-way handshake. After communication, the connection is closed with a four-way handshake, although in practice this is often optimised to three packets when one side combines its ACK and FIN in a single segment. Both mechanisms can be observed in Figure 1(a): packets 3-5 (3 packets) open the connection and packets 9-12 (4 packets) close it. Details of these packets are given below.
In packet 3, the client initiates the connection by sending a TCP SYN to the server.
In packet 4, the server replies with a SYN-ACK, acknowledging the SYN.
In packet 5, the client sends an ACK for the SYN-ACK; this completes the connection open procedure.
After this, packets 6-9 carry the actual data exchange, here the HTTP GET and the HTTP OK (response code 200).
As no data is left, the client sends a TCP FIN-ACK.
The server acknowledges the TCP FIN-ACK.
The client sends a TCP ACK confirming that it received the FIN-ACK from the server; this marks the connection close.
(f) List of the web resources:

The names of the web resources can be found by inspecting every HTTP GET message. If the response to a GET carries status code 200, the resource is present on the web server; any response code in the 400 family means the file does not exist on the server. The list is given below.

| Domain Name | Computer | HTTP resource does not exist | HTTP resource exists | Packet Number |
|---|---|---|---|---|
| www.example.com | 192.168.3.32 | page4.html | index.html, page1.html, page2.html, image.png, /subdir/page3.html, /subdir/style.css | 6, 16, 26, 36, 48, 62, 73 |
| www.uni.edu.au | 192.168.1.12 | page4.html | index.html, /subdir/page3.html, /subdir/style.css, page1.html, image.png, page2.html | 86, 100, 110, 134, 145, 159, 124 |
(g) The password is advnetsec
Question 2. Web Application Attacks
(a) Unvalidated redirect attack: An open redirect is a flaw in a web application that lets an attacker send a user to any target website through the trusted site's redirection feature. These attacks are mainly performed to obtain the user ID and password for an account. To perform the attack, the attacker chooses a well-known site that supports URL redirection and prepares a fake web page that looks like an existing one. They then build a redirection link and circulate it via spam email or via a hyperlink in an advertisement. Whenever a victim clicks such a link, they are redirected to the fake website, which looks like the legitimate one. If the victim enters any confidential data on that page, the attacker captures it, which may cause identity theft or financial loss for the victim.
Using virtnet, I tried to simulate this attack scenario on my local system. For this purpose, topology seven was created in the system and the myuni demo website was deployed in it. A similar-looking URL and web page were created for http://www.myuni.edu/grades/login.php; in this example the fake URL is www.myunii.edu/grade/login.php and the redirection link is http://www.myuni.edu/grades/redirect.php?url=http:www.myunii.edu/grade/login.php. On visiting this link, the browser is redirected to the fake login.php page, which stores my user ID and password in a file.
(b) If redirection is mandatory for a particular website, it must perform validated redirection, i.e. the web server should check whether the redirect target is an authorised URL. It should maintain a redirection white-list and block all unlisted URLs from redirection.
(c) Apart from unvalidated redirects, an attacker may use a spyware attack or a DNS poisoning attack to steal user credentials. In a spyware attack, the attacker installs spyware on the victim's system; that software keeps track of all online transactions on the system and forwards the information to the attacker. In a DNS poisoning attack, the attacker modifies entries in the victim's default DNS, so whenever the victim requests such a website the poisoned DNS returns a wrong name-to-IP mapping and the user is moved to a fake website unknowingly. Its severity is the same as the unvalidated redirect attack, but it is harder to identify.
(d) Screenshot of the stolen username/password obtained during the attack
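As an added example that is not part of the assignment or of the myuni demo site's own code, the following Python shows the white-list check described in (b) next to the unvalidated behaviour that the redirect.php link in (a) relies on. The allowed host www.myuni.edu, the default landing page /grades/index.php and the function names are assumptions made for this illustration; the demo site's real redirect.php is PHP and is not reproduced here.

```python
from urllib.parse import urlsplit

# Assumed allow-list and fallback landing page for the myuni demo site (example values).
ALLOWED_HOSTS = {"www.myuni.edu"}
DEFAULT_TARGET = "/grades/index.php"


def unvalidated_redirect(url_param):
    """The flawed behaviour: whatever ?url= carries becomes the Location header."""
    return url_param


def safe_redirect_target(url_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Validated redirect: return url_param only if it stays on this site, else the default.

    Accepted: a site-relative path such as "/grades/home.php", or an absolute http(s)
    URL whose host is on the allow-list. Rejected: other hosts, protocol-relative
    "//host/...", "/\\host/..." (treated like "//host" by some browsers), non-http
    schemes, malformed "http:host/..." forms (the shape used in the assignment's
    redirect link) and userinfo tricks such as "http://www.myuni.edu@evil.example/".
    """
    if not url_param:
        return default
    url_param = url_param.strip()
    if any(ch in url_param for ch in "\r\n\t "):
        return default  # whitespace/control characters invite header injection or parser confusion
    parts = urlsplit(url_param)
    if not parts.scheme and not parts.netloc:
        # Purely relative reference: allow only a single leading slash.
        if url_param.startswith("/") and not url_param.startswith(("//", "/\\")):
            return url_param
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # .hostname drops userinfo and port and lower-cases the host, so the
    # comparison is against the host the browser will actually connect to.
    if parts.hostname in allowed_hosts:
        return url_param
    return default


if __name__ == "__main__":
    link = "http:www.myunii.edu/grade/login.php"  # value from the assignment's redirect link
    print("unvalidated ->", unvalidated_redirect(link))
    print("validated   ->", safe_redirect_target(link))
```

With the assignment's redirect link, the unvalidated version sends the browser to the attacker's copy of login.php, while the validated version falls back to the site's own landing page. Checking `parts.hostname` rather than string-matching the start of the URL is what defeats the userinfo and protocol-relative variants.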
Question 3. Cryptographic Operations with OpenSSL
To solve this problem, I used the OpenSSL program and performed the steps asked in parts (a) to (g).
As an outcome of these steps, we have seven files:
keypair.pem
pubkey.pem
commands.bash
signature.bin
key.txt
signature.bin
secretkey.bin
All these files are uploaded to Moodle.
The commands required in this process are written below (also present in commands.bash):
#!/bin/bash
# Generate a 4096-bit RSA key pair and export the public key as pubkey.pem
openssl genrsa -out keypair.pem 4096
openssl rsa -in keypair.pem -pubout -outform PEM -out pubkey.pem
# Sign commands.bash with the private key over a SHA-1 digest
# ("openssl sha1 -out signature.bin" would only hash the file, not sign it)
openssl dgst -sha1 -sign keypair.pem -out signature.bin commands.bash
# Random 256-bit secret key, stored as hex in key.txt
openssl rand -hex 32 > key.txt
# AES-256-CBC encryption of commands.bash; -p prints the key and IV actually used
openssl enc -aes-256-cbc -salt -in commands.bash -out ciphertext.bin -pass file:key.txt -iv 00000000000000000000000000000000 -p
# testing the decryption operation
#openssl enc -aes-256-cbc -d -in ciphertext.bin -pass file:key.txt -iv 00000000000000000000000000000000 -p -out secrets.txt.new
# Encrypt the secret key with the lecturer's RSA public key
openssl rsautl -encrypt -pubin -inkey steven-gordon-pubkey.pem -in key.txt -out secretkey.bin
# testing: encrypting with my own public RSA key
#openssl rsautl -encrypt -pubin -inkey pubkey.pem -in key.txt -out secretkey.bin
# testing: decrypting with my private RSA key
#openssl rsautl -decrypt -inkey keypair.pem -in secretkey.bin -out secret.key.new
Question 4. Malware Research:
Abstract: This document aims to identify the threats associated with ransomware-based attacks [1]. It defines what ransomware is and how it attacks organisations and personal computing devices. It also looks at the working principle of this malware and at how the ransom is collected. Finally, it covers the contamination processes of this malware. Prevention techniques are presented in the concluding section of this document.
Introduction: Ransomware is malware that applies a strong encryption algorithm on the victim's computer and restricts access to files holding important data, or to the system itself. Once ransomware enters a system, the data and information are still on the victim's computer, but they become encrypted, and the designer of the malware keeps the private key safe on his side. The malware keeps the data encrypted until the victim pays the ransom to decrypt it. Sometimes organisations pay the ransom to avoid a huge business loss from missing sensitive data, and suppress the news to preserve the faith of their clients.
Technical Details: Most ransomware consists of Trojan-based cryptoviral applications [2]; they use sophisticated encryption algorithms such as RSA, Elliptic Curve Diffie-Hellman (ECDH) or AES to encrypt the victim's files. It is observed that some modern ransomware uses multiple encryption algorithms at a time and is capable of encrypting the Master File Table (MFT). A different survey suggested that most ransomware is written in a web-based scripting language such as JavaScript, and is capable of hiding its payload in simple, innocent-looking multimedia files.
Contamination Techniques: There are many ways in which ransomware spreads. The most obvious is malicious web links in spam email or fake advertisements: whenever a victim clicks such a link, the ransomware enters the system and executes its payload. Other means of ransomware contamination are unauthorised software installation, installation of cracked software, spreading through a flash drive, and infection spreading within the local network due to poor network security management.
Real-life Ransomware Attack Scenarios: Recently, ransomware-based attacks have become popular in the cyber world [3]. They are capable of attacking personal computing devices and organisational computing environments, and nowadays ransomware attacks on mobile phones have also been noted. This part of the document highlights a few real-life attack scenarios.
Muni system's network attack: The Mamba and HDDCryptor malware attacked Muni's transportation system [4] and caused a complete breakdown of the system. It happened on November 25-26, 2016, the day known as Black Friday. The transport organisation lost huge revenue as its billing system stopped working. Sources say the ransom demanded to withdraw the attack was $73,000.
CryptoWall: A JavaScript-based ransomware that became a nightmare in 2014. It not only encrypts the victim's file system but also installs spyware and steals useful credentials from the victim's computer.
Fusob: A mobile-based ransomware, active during 2015-2016. It poses as a legal authority and demands money based on fictitious charges.
Ransom payment techniques: To collect ransom payments, the designer of the ransomware relies on electronic payment options. They use anonymous cryptocurrency systems to receive payment because such money is very difficult to trace. Bitcoin [5] is the most popular digital wallet for collecting the ransom. Zcash, iTunes accounts and Factom are also used as alternatives.
Conclusion: Though ransomware is a very annoying threat in the cyber world, we can take some corrective measures to avoid it. It is possible to remove ransomware from a system using ransomware-removal tools, but its effect is unrecoverable, as without the private key it is impossible to decrypt the files encrypted by the ransomware. Ransomware prevention techniques are easy and straightforward. We should be aware of the contamination processes of ransomware and avoid them. A checklist for ransomware prevention is given below.
Prevention Checklist:
Always use an updated OS and anti-virus software.
Avoid using untrusted flash drives in the system.
Always take backups of crucial data.
Use the latest firewall software in the organisation.
References
[1] Glassberg, Jason, "The Ransomware Threat," Law and Order, pp. 48-51, September 2016.
[2] Bleeping Computer, "Locky Ransomware Information, Help Guide and FAQ," May 2016, last accessed Oct. 2016, www.bleepingcomputer.com/virus-removal/lockyransomwareinformation-help
[3] McAfee Labs, "Threat Predictions," 2016, last accessed Oct. 2016, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
[4] Ars Technica, "Ransomware locks up San Francisco public transportation ticket machines," https://arstechnica.com/security/2016/11/san-francisco-muni-hit-by-black-friday-ransomware-attack/
[5] The Merkle, "News on Bitcoin overshadows Apple's Pay," http://themerkle.com/news/google-trends-ranks-bitcoin-in-front-of-apple-pay/