COIT20262 – Advanced Network Security, Term 1, 2017

Lovepreet

Question 1. Analysis of Protocols with Wireshark

(a) Application details:

Application/Protocol | Transport protocol | Client port(s) | Server port | Client IP | Server IP | Time of use (packet numbers)

Web (HTTP) | TCP | 48158, 48160, 48162, 48164, 48166, 48168, 48170 | 80 | 192.168.1.11 | 192.168.3.32 | 6-8, 16-18, 26-28, 36-39, 48-50, 62-64, 73-75

Web (HTTP) | TCP | 36976, 36978, 36980, 36982, 36984, 36986 | 80 | 192.168.3.31 | 192.168.1.12 | 86-88, 100-102, 110-112, 124-126, 134-136, 145-148

Web (HTTP) | TCP | 49258 | 80 | 192.168.2.21 | 192.168.1.12 | 175-177

Ping | ICMP | n/a | n/a | 192.168.5.2 | 192.168.1.12 | 57-58, 117-118

Ping | ICMP | n/a | n/a | 192.168.3.32 | 192.168.1.11 | 73-77

Ping | ICMP | n/a | n/a | 192.168.6.1 | 192.168.1.12 | 93-94, 168-171

Ping | ICMP | n/a | n/a | 192.168.2.22 | 192.168.1.11 | 95-96, 119-120, 154-155

Unknown | UDP | 56946 | 5001 | 192.168.1.11 | 192.168.5.2 | 141, 166-167, 182, 205, 218, 241, 254, 255, 262, 283, 311, 342, 345, 368, 393, 419, etc.

Notes on the table: ICMP has no port numbers at all (echo requests and replies are matched by the identifier and sequence number fields), so the port columns are marked n/a rather than unknown. The UDP application could not be identified because Wireshark does not decode the payload; port 5001 is the default port of the iperf traffic generator, but nothing in the trace confirms that, so it is left as unknown. The last column lists Wireshark frame numbers, not clock times.

(b) MAC to IP mapping:

Computer | MAC | IP | Interface

1 | 08:00:27:cc:71:35 | 192.168.1.1 | 1

1 | 08:00:27:1c:6d:33 | 192.168.4.1 | 2

1 | 08:00:27:61:fc:c4 | 192.168.5.1 | 3

2 | 08:00:27:cc:71:35 | 192.168.6.1 | 1

3 | 08:00:27:cc:71:35 | 192.168.5.2 | 1

4 | 08:00:27:cc:71:35 | 192.168.3.32 | 1

5 | 08:00:27:cc:71:35 | 192.168.3.31 | 1

6 | 08:00:27:cc:71:35 | 192.168.2.22 | 1

7 | 08:00:27:cc:71:35 | 192.168.2.21 | 1

8 | 08:00:27:fd:ab:da | 192.168.1.12 | 1

9 | 08:00:27:9f:c6:9f | 192.168.1.11 | 1

Note: only the two hosts on the capture's own subnet (192.168.1.11 and 192.168.1.12) and the router show distinct MAC addresses. Every host on another subnet (computers 2 to 7) appears with 08:00:27:cc:71:35, which is the MAC of router interface 1 (192.168.1.1): frames from those hosts are forwarded by the router, and the capture sees the router's interface as the Ethernet source. Their real NIC addresses cannot be determined from this trace.

(c) Domain names vs. IP addresses mapping

Packet number | IP | Domain name

6 | 192.168.3.32 | www.example.com

86 | 192.168.1.12 | www.uni.edu.au

(d) Message sequence diagram

Figure 1(a): Message sequence diagram for the first TCP flow (client 192.168.1.11, server 192.168.3.32; image not reproduced). The diagram shows, in order: SYN; SYN,ACK; ACK; HTTP GET; ACK; HTTP OK; FIN,ACK; FIN,ACK; ACK, labelled with packet numbers 3 to 12 (the open handshake is packets 3-5 and the close is packets 9-12, as described in (e) below).

Figure 1(b): Wireshark trace for the first TCP flow (screenshot not reproduced).

(e) The TCP connection open and close mechanism (based on the message sequence diagram above):

TCP is a connection-oriented, reliable transport-layer protocol, and many application-layer protocols, HTTP among them, run over it. Before any data is exchanged, a connection is established between the two endpoints, which is why TCP is called connection oriented. Every segment carrying data is acknowledged by the receiver and retransmitted if the acknowledgment does not arrive, which is how reliability is achieved. Connection setup uses the three-way handshake. Connection close is in principle a four-way handshake (each side sends its own FIN, and each FIN is acknowledged separately), but in practice the side that closes second usually combines its FIN with the ACK of the first FIN, so only three segments appear on the wire. Both mechanisms can be observed in Figure 1(a): packets 3-5 open the connection and packets 9-12 close it. The packets are described below.

In packet 3 the client (192.168.1.11) initiates the connection by sending a TCP SYN segment to the server.

In packet 4 the server replies with SYN-ACK: it acknowledges the client's SYN and carries the server's own SYN.

In packet 5 the client sends an ACK for the SYN-ACK; this completes the open procedure and the connection is established on both sides.

Packets 6-8 carry the application data: the HTTP GET request, the server's ACK for it, and the HTTP response (status code 200 OK).

When no data is left to send, the client sends FIN-ACK to start closing the connection.

The server acknowledges the client's FIN and sends its own FIN; in the diagram these are combined in a single FIN-ACK segment (when they are not combined, a pure ACK precedes the server's FIN, giving the four-segment close).

The client sends a final ACK for the server's FIN, which marks the connection as closed. The side that closed first then waits in TIME_WAIT for a while so that a delayed segment from this connection cannot be mistaken for part of a new one.
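The phases described above can be picked out of a packet list mechanically. The following is an added example, not part of the original assignment: a small state machine that walks the segments of one TCP connection and reports which frames belong to the open handshake, the data exchange and the close, and whether the close took three segments (second FIN piggybacked on the ACK) or four. The segment lists are constructed by hand to mirror Figure 1(a) and a four-way variant; they are not read from the trace file.

```python
"""Phase classification of one TCP connection from its captured segments.

Added example for part (e); not part of the original assignment.  The
segment lists below are constructed to mirror Figure 1(a) (client
192.168.1.11, server 192.168.3.32); they are not taken from the trace file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    frame: int        # Wireshark frame number
    src: str
    dst: str
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "PSH", "RST"}
    payload: int = 0  # bytes of application data carried by the segment


def seg(frame, src, dst, *flags, payload=0):
    return Segment(frame, src, dst, frozenset(flags), payload)


def classify_flow(segments):
    """Split one connection into open handshake, data, pure ACKs and close.

    Returns a dict of frame-number lists plus the client/server roles.  The
    walk is a small state machine: idle -> syn_sent -> syn_received ->
    established -> closing; an RST aborts the connection wherever it occurs.
    """
    result = {"client": None, "server": None, "open": [], "data": [],
              "pure_acks": [], "close": [], "reset": None}
    state = "idle"
    for s in sorted(segments, key=lambda x: x.frame):
        if "RST" in s.flags:
            result["reset"] = s.frame
            break
        if state == "idle":
            # A SYN without ACK identifies the active opener (the client).
            if s.flags == {"SYN"}:
                result["client"], result["server"] = s.src, s.dst
                result["open"].append(s.frame)
                state = "syn_sent"
        elif state == "syn_sent":
            if {"SYN", "ACK"} <= s.flags and s.src == result["server"]:
                result["open"].append(s.frame)
                state = "syn_received"
        elif state == "syn_received":
            if "ACK" in s.flags and "SYN" not in s.flags and s.src == result["client"]:
                result["open"].append(s.frame)
                state = "established"
        elif state in ("established", "closing"):
            if "FIN" in s.flags:
                result["close"].append(s.frame)
                state = "closing"
            elif s.payload:
                result["data"].append(s.frame)      # data may still flow after a half-close
            elif state == "closing":
                result["close"].append(s.frame)     # ACKs of FINs belong to the close
            else:
                result["pure_acks"].append(s.frame)
    return result


def close_shape(result):
    """Describe how the connection was torn down."""
    if result["reset"] is not None:
        return "aborted by RST in frame %d" % result["reset"]
    n = len(result["close"])
    if n == 4:
        return "four-segment close (FIN, ACK, FIN, ACK)"
    if n == 3:
        return "three-segment close (second FIN piggybacked on the ACK)"
    return "incomplete close (%d segments)" % n


C, S = "192.168.1.11", "192.168.3.32"

# Constructed to match Figure 1(a): the server answers the client's FIN with one FIN-ACK.
FLOW_PIGGYBACKED = [
    seg(3, C, S, "SYN"),
    seg(4, S, C, "SYN", "ACK"),
    seg(5, C, S, "ACK"),
    seg(6, C, S, "PSH", "ACK", payload=120),  # HTTP GET
    seg(7, S, C, "ACK"),
    seg(8, S, C, "PSH", "ACK", payload=340),  # HTTP 200 OK
    seg(9, C, S, "FIN", "ACK"),
    seg(10, S, C, "FIN", "ACK"),
    seg(11, C, S, "ACK"),
]

# Constructed variant: the server ACKs the client's FIN first and sends its own FIN later.
FLOW_FOUR_WAY = FLOW_PIGGYBACKED[:6] + [
    seg(9, C, S, "FIN", "ACK"),
    seg(10, S, C, "ACK"),
    seg(11, S, C, "FIN", "ACK"),
    seg(12, C, S, "ACK"),
]

if __name__ == "__main__":
    for name, flow in (("piggybacked", FLOW_PIGGYBACKED), ("four-way", FLOW_FOUR_WAY)):
        r = classify_flow(flow)
        print(name, r, close_shape(r))
```

Running the script prints both classifications; the same function applied to a flow that ends with an RST reports the abort instead of a close, which is the case to look for when a trace shows a connection that never completed its handshake or teardown.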

 

(f) List of the web resources:

The names of the web resources can be found by inspecting every HTTP GET request in the trace. A 200 OK response to the corresponding GET indicates that the resource is present on the web server; a 404 Not Found response indicates that it does not exist. (Other 4xx codes do not mean the file is absent: 403 Forbidden, for example, is returned for a resource that exists but that the client is not permitted to fetch.) The list is given below.

Domain name | Computer (server IP) | HTTP resource does not exist | HTTP resources that exist | GET packet numbers

www.example.com | 192.168.3.32 | page4.html | index.html, page1.html, page2.html, image.png, /subdir/page3.html, /subdir/style.css | 6, 16, 26, 36, 48, 62, 73

www.uni.edu.au | 192.168.1.12 | page4.html | index.html, /subdir/page3.html, /subdir/style.css, page1.html, image.png, page2.html | 86, 100, 110, 134, 145, 159, 124

(g) The password is advnetsec

Question 2. Web Application Attacks

(a) Unvalidated redirect attack: an open (unvalidated) redirect is a web application flaw in which the application takes the target of a redirect from user-controlled input, such as a URL parameter, and sends the browser there without checking it, so a link that starts on a trusted domain can end on any site the attacker chooses. The attack is mostly used to harvest user names and passwords. The attacker picks a well-known site that supports URL redirection, prepares a fake web page that imitates the real login page, builds a redirection link on the trusted site that points at the fake page, and circulates that link by spam email or in advertisement hyperlinks. Because the visible link begins with the trusted site's address, victims who click it are redirected to the look-alike page without noticing; any confidential data entered there is captured by the attacker, which can lead to identity theft or financial loss.

 

Using virtnet, I tried to simulate this attack scenario on my local system. For this purpose, topology seven was created in the system and the myuni demo website was deployed in that topology. A similar-looking URL and web page was created for http://www.myuni.edu/grades/login.php; in this example the URL is www.myunii.edu/grade/login.php and the redirection link is http://www.myuni.edu/grades/redirect.php?url=http:www.myunii.edu/grade/login.php. On visiting this link, the user is redirected to the fake login.php page, which stores my user id and password in a file.

(b) If redirection is required for a particular website, it must perform validated redirection: the web server should check whether the redirect target is an authorised URL before issuing it. It should maintain a redirect allow-list (white-list) of permitted destinations, preferably same-site relative paths, and refuse to redirect to any URL that is not on the list, falling back to a safe default page instead.

(c) Apart from an unvalidated redirect, an attacker may use spyware or DNS poisoning to steal user credentials. In a spyware attack the attacker installs spyware on the victim's system; the software records the user's online activity, including credentials typed into login forms, and forwards that information to the attacker. In a DNS poisoning (cache poisoning) attack the attacker inserts false records into the DNS resolver the victim uses, so when the victim looks up the legitimate website the poisoned resolver returns the attacker's IP address and the user lands on the fake site unknowingly. The impact is the same as with an unvalidated redirect, but the attack is harder for the victim to detect, because the address bar shows the correct domain name.

(d) Screenshot of the stolen username/password obtained during the attack (image not reproduced).
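To make the difference between the flawed and the validated redirect concrete, here is an added example in Python (it is not code from the original assignment or from the myuni demo site, whose redirect.php is not reproduced on this page). The host name www.myuni.edu and the default landing page /grades/ are assumed for the illustration. The unvalidated handler returns whatever the attacker put in the link; the validated one accepts only site-relative paths and allow-listed hosts, and it rejects the usual bypass forms, including the exact link used in the scenario above.

```python
"""Open redirect: the unchecked handler next to an allow-list check.

Added example for parts (a) and (b) of Question 2; not code from the original
assignment or from the myuni demo site.  The host name www.myuni.edu and the
landing page /grades/ are assumed for the illustration.
"""
from urllib.parse import urlsplit, urlunsplit, unquote

ALLOWED_HOSTS = {"www.myuni.edu"}   # assumed: the only host redirects may point at
DEFAULT_TARGET = "/grades/"          # assumed safe landing page when a target is rejected


def unvalidated_redirect(url_param):
    """The flawed behaviour of redirect.php?url=...: whatever the attacker put in
    the link is handed straight back to the browser as the Location header."""
    return url_param


def validated_redirect(url_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a Location value that stays on this site or on an allow-listed host.

    Anything else (other hosts, look-alike domains, scheme-relative "//host",
    "http:host" without slashes, userinfo tricks, javascript: URLs, backslashes
    or control characters that browsers normalise) falls back to the default.
    """
    if not url_param:
        return default
    candidate = unquote(url_param).strip()           # decode %2F%2F etc. before checking
    if any(ch in candidate for ch in "\\\r\n\t\x00 "):
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: one leading slash only ("//host" is scheme-relative).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default
    host = parts.hostname                            # lower-cased, userinfo and port removed
    if host not in allowed_hosts:
        return default
    # Rebuild the URL from the checked components so userinfo and fragment are dropped.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


# Constructed inputs: the phishing link from the scenario plus common bypass attempts.
ATTEMPTS = [
    "/grades/home.php",
    "http://www.myuni.edu/grades/home.php",
    "http:www.myunii.edu/grade/login.php",       # the link used in the scenario above
    "http://www.myunii.edu/grade/login.php",
    "//www.myunii.edu/grade/login.php",
    "%2F%2Fwww.myunii.edu/grade/login.php",
    "http://www.myuni.edu@www.myunii.edu/",
    "https://www.myuni.edu.myunii.edu/",
    "javascript:alert(document.cookie)",
    "/\\www.myunii.edu",
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print("%-42s unvalidated -> %-42s validated -> %s"
              % (a, unvalidated_redirect(a), validated_redirect(a)))
```

The important design choice is the last line of validated_redirect: the response is rebuilt from the components that were checked, rather than echoing the original string, so that parts the check ignored (user@ prefixes, fragments, odd encodings) cannot reach the browser.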

 

 

 

Question 3. Cryptographic Operations with OpenSSL

To solve this problem I used the OpenSSL command-line tool to perform the steps required in parts (a) to (g).

As an outcome of these steps there are seven files:

keypair.pem (RSA private key)

pubkey.pem (RSA public key)

commands.bash (the script below)

signature.bin (signature over commands.bash)

key.txt (random AES key)

ciphertext.bin (commands.bash encrypted with the AES key)

secretkey.bin (the AES key encrypted with the lecturer's RSA public key)

All of these files were uploaded to Moodle.

The commands used in this process are written below (also present in commands.bash).

 

#!/bin/bash
set -euo pipefail
# (a) generate a 4096-bit RSA key pair
openssl genrsa -out keypair.pem 4096
# (b) extract the public key into pubkey.pem (the file name listed above)
openssl rsa -in keypair.pem -pubout -out pubkey.pem
# (c) sign commands.bash with the private key. A bare "openssl sha1 -out ..." only
#     writes a hash, not a signature; dgst -sign produces the signature signature.bin is meant to hold
openssl dgst -sha256 -sign keypair.pem -out signature.bin commands.bash
# (d) generate a random 256-bit AES key, stored as 64 hex characters
openssl rand -hex 32 > key.txt
# (e) encrypt commands.bash with that key. -K takes the raw hex key; "-pass file:key.txt"
#     would treat the file's contents as a password and derive a different key from it.
#     The all-zero IV is the one set for the task and is only acceptable because this key is used once.
openssl enc -aes-256-cbc -in commands.bash -out ciphertext.bin -K "$(cat key.txt)" -iv 00000000000000000000000000000000
# testing the decryption operation
# openssl enc -d -aes-256-cbc -in ciphertext.bin -K "$(cat key.txt)" -iv 00000000000000000000000000000000 -out commands.bash.new
# (f) encrypt the AES key with the lecturer's RSA public key (pkeyutl replaces the deprecated rsautl)
openssl pkeyutl -encrypt -pubin -inkey steven-gordon-pubkey.pem -in key.txt -out secretkey.bin
# testing: encrypting with my own public key and decrypting with my private key
# openssl pkeyutl -encrypt -pubin -inkey pubkey.pem -in key.txt -out secretkey.bin
# openssl pkeyutl -decrypt -inkey keypair.pem -in secretkey.bin -out key.txt.new
# (the "| echo" appended to each command in the first version of this script did nothing and has been removed)

 

 

Question 4. Malware Research:

Abstract: This document aims to identify the threats associated with ransomware [1]. It defines what ransomware is and how it attacks organisational and personal computing devices, examines how this class of malware works and how the ransom is collected, and describes the ways in which it spreads. Prevention techniques are presented in the concluding section.

Introduction: Ransomware is malware that applies strong encryption to the files on a victim's computer, or locks the system itself, so that the owner can no longer access important data. After infection the data is still on the victim's machine, but it is encrypted, and the private key needed to decrypt it is held by the malware's operator. The files stay encrypted until the victim pays the ransom for the decryption key. Organisations sometimes pay to avoid the business loss caused by missing sensitive data, and suppress the news to preserve their clients' trust; paying does not guarantee that a working key is delivered.

Technical details: Most ransomware is Trojan-based cryptoviral [2] software that uses standard strong cryptography such as RSA, Elliptic Curve Diffie-Hellman (ECDH) or AES to encrypt the victim's files, typically in a hybrid scheme where each file is encrypted with a symmetric key and that key is in turn encrypted with the attacker's public key. Some modern families combine several algorithms, and some encrypt the NTFS Master File Table (MFT) so that the whole disk becomes unusable. Some families are delivered by droppers written in scripting languages such as JavaScript, and they can hide their payload inside innocent-looking documents or multimedia files.

Contamination techniques: Ransomware spreads in many ways. The most common is a malicious link or attachment in spam email or a fake advertisement; when the victim clicks on it, the ransomware enters the system and executes its payload. Other means of infection are unauthorised software installation, installation of software cracks, removable flash drives, and spread through the local network from an infected machine where network security management is poor.

Real-life ransomware attack scenarios: Ransomware attacks have become increasingly common [3]. They hit personal computers and organisational computing environments, and ransomware targeting mobile phones has also been observed. This part of the document highlights a few real-life cases.

Muni network attack: The Mamba/HDDCryptor ransomware [4] infected computers of San Francisco's Muni transport system on 25-26 November 2016, the Black Friday weekend. Ticket machines and fare gates were taken out of service and the agency let passengers ride free, losing fare revenue. The ransom demanded was reported as about $73,000 (100 bitcoin).

CryptoWall: A file-encrypting ransomware that became widespread in 2014, often delivered through malicious email attachments and exploit kits. Besides encrypting the victim's files, some campaigns also installed credential-stealing malware on the victim's computer.

Fusob: A mobile (Android) ransomware active in 2015-2016. It poses as a law-enforcement authority and demands payment of a fine for fictitious offences.

Ransom payment techniques: To collect the ransom, the operators rely on electronic payment. They use cryptocurrencies, which are hard to trace, to receive the money. Bitcoin [5] is the most popular cryptocurrency for ransom collection; Zcash, iTunes gift cards and Factom have also been reported as alternatives.

Conclusion: Although ransomware is a serious threat, we can take measures against it. It is possible to remove ransomware from a system with removal tools, but removal does not undo the damage: without the private key it is impossible to decrypt the files the ransomware encrypted. Prevention, on the other hand, is straightforward. We should understand the ways in which ransomware spreads and avoid them. A checklist for ransomware prevention is given below.

Prevention checklist:

Keep the operating system, applications and anti-virus software up to date.

Do not plug untrusted flash drives into the system.

Always keep backups of crucial data, with at least one copy kept offline so that the ransomware cannot encrypt it as well.

Use an up-to-date firewall in the organisation.

 

 

References

[1] J. Glassberg, "The Ransomware Threat," Law and Order, pp. 48-51, September 2016.

[2] Bleeping Computer, "Locky Ransomware Information, Help Guide and FAQ," May 2016, last accessed Oct. 2016, www.bleepingcomputer.com/virus-removal/lockyransomwareinformation-help

[3] McAfee Labs, "Threat Predictions," 2016, last accessed Oct. 2016, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

[4] Ars Technica, "Ransomware locks up San Francisco public transportation ticket machines," November 2016, https://arstechnica.com/security/2016/11/san-francisco-muni-hit-by-black-friday-ransomware-attack/

[5] The Merkle, news item on Bitcoin overshadowing Apple Pay, http://themerkle.com/news/google-trends-ranks-bitcoin-in-front-of-apple-pay/

 
