CS526 Project 2

One of the most important tasks you will perform while doing work related to network security is looking through packet traces. A packet trace is simply a recording of the packets that pass through some point on the network. Typically the packets are recorded at the lowest level possible, so the packets include link-layer headers, higher-layer headers (e.g., IP, TCP, HTTP), and application data.

In this project, you will be analyzing packet traces to identify attacks and other security-related network phenomena. The goal of the project is to cement a more solid understanding of network protocols and attacks and to help you gain familiarity with the standard tools used to view and analyze them.


Objectives

•    Gain exposure to core network protocols and concepts.

•    Learn to apply manual and automated traffic analysis to detect security problems.

Questions

Part 1. Automating the Exploration of Network Traces
Security analysts and attackers both frequently study network traffic to search for vulnerabilities and to characterize network behavior. In this section, you will examine a network packet trace (commonly called a “pcap”) that we recorded on a sample network we set up for this assignment. You will search for specific vulnerable behaviors and extract relevant details using the Wireshark network analyzer, which is available at https://www.wireshark.org.

Download the pcap from https://www.cs.purdue.edu/homes/clg/CS526/projects/project2 part1.trace, and examine it using Wireshark. Familiarize yourself with Wireshark’s features and try exploring the various options for filtering and for reconstructing data streams. Remember, for this section your approach should be as automated and scalable as possible (i.e., you should not be scrolling through the entire trace by hand to find the solution).

1.   HTTP Sessions

For this problem, find all web servers that were successfully visited in the trace (that is, contacted via HTTP). Include any servers that engaged in a valid instance of the HTTP protocol, even if the status code returned was, for example, 404 rather than 200.[1] Submit a list of their IP addresses with your answer. Please note that you should not try to identify HTTPS traffic.[2]

2.   Directory Traversal

One simple way people attempt to exploit a web server is by making requests for files outside the normal directories it serves using pathnames with sequences like “../../../”. (Of course, a reasonably well-implemented web server will not fall for tricks like this.) Find a host that appears to be attempting this type of attack and submit its IP address with your answer.

3.   Password Guessing

If you’ve ever looked through the logs of an SSH server, you’ve likely seen attempts to login through brute force guessing of usernames and passwords. Of course, the same attack is possible for any type of protocol with password authentication. There is one host that attempted such an attack against a password protected FTP server. Find that host and include the IP address of the attacker with your answer.

4.   Unencrypted Usernames and Passwords

Next, find an unencrypted username and password. Note that we are interested in a real username and password, so failed login attempts don’t count. Examples of some protocols that can send usernames and passwords without encryption are Telnet, FTP, HTTP, and POP3. List the username and password with your answer.

5.   Service Versions

Finding hosts running specific versions of servers is an important step in exploiting them; in general, older versions will have more vulnerabilities. For this problem, find the host running the oldest version of Apache. (Apache is the most widely used web server on the Internet.) Don’t count “Apache-Coyote” as “Apache”; also, ignore any servers that don’t specify their version. Submit that host’s IP address with your answer.
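The following is an added Python example (my own code, not the assignment's or any course-provided solution) showing how the checks behind Questions 2 through 5 can be automated instead of scrolling through the trace. It operates on constructed application-layer lines, each tagged with source and destination IP and protocol, standing in for what you would get from Wireshark's "Follow TCP Stream" export or a pcap parser; the addresses, usernames, passwords and Server headers are invented, and the three-failure threshold for calling FTP activity a brute-force attempt is an assumption, not a value from the assignment.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample records (src_ip, dst_ip, protocol, line); all values are invented.
SAMPLE_LINES = [
    ("10.0.0.5",  "10.0.0.80", "http", "GET /index.html HTTP/1.1"),
    ("10.0.0.80", "10.0.0.5",  "http", "HTTP/1.1 200 OK"),
    ("10.0.0.80", "10.0.0.5",  "http", "Server: Apache/2.2.3 (CentOS)"),
    ("10.0.0.9",  "10.0.0.80", "http", "GET /../../../etc/passwd HTTP/1.0"),
    ("10.0.0.80", "10.0.0.9",  "http", "HTTP/1.1 404 Not Found"),
    ("10.0.0.9",  "10.0.0.81", "http", "GET /cgi-bin/..%2F..%2F..%2Fetc/passwd HTTP/1.0"),
    ("10.0.0.81", "10.0.0.9",  "http", "Server: Apache/1.3.41 (Unix)"),
    ("10.0.0.82", "10.0.0.5",  "http", "Server: Apache-Coyote/1.1"),   # Tomcat, not Apache httpd
    ("10.0.0.83", "10.0.0.5",  "http", "Server: Apache"),              # no version given
    ("10.0.0.7",  "10.0.0.21", "ftp",  "USER admin"),
    ("10.0.0.7",  "10.0.0.21", "ftp",  "PASS admin"),
    ("10.0.0.21", "10.0.0.7",  "ftp",  "530 Login incorrect."),
    ("10.0.0.7",  "10.0.0.21", "ftp",  "USER admin"),
    ("10.0.0.7",  "10.0.0.21", "ftp",  "PASS password"),
    ("10.0.0.21", "10.0.0.7",  "ftp",  "530 Login incorrect."),
    ("10.0.0.7",  "10.0.0.21", "ftp",  "USER root"),
    ("10.0.0.7",  "10.0.0.21", "ftp",  "PASS toor"),
    ("10.0.0.21", "10.0.0.7",  "ftp",  "530 Login incorrect."),
    ("10.0.0.8",  "10.0.0.21", "ftp",  "USER alice"),
    ("10.0.0.8",  "10.0.0.21", "ftp",  "PASS s3cret"),
    ("10.0.0.21", "10.0.0.8",  "ftp",  "230 Login successful."),
]

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")
# Only "Apache/<version>" matches: "Apache-Coyote/1.1" and a bare "Apache" are skipped.
SERVER_HEADER = re.compile(r"^Server:\s*Apache/(\d+(?:\.\d+)+)")


def find_traversal_sources(lines):
    """Source IPs whose HTTP request path contains '../' after percent-decoding."""
    sources = set()
    for src, _dst, proto, line in lines:
        m = REQUEST_LINE.match(line) if proto == "http" else None
        if m and "../" in unquote(m.group(2)):
            sources.add(src)
    return sources


def find_ftp_bruteforce(lines, min_failures=3):
    """Client IPs that received at least min_failures FTP '530' login rejections (threshold assumed)."""
    failures = Counter()
    for _src, dst, proto, line in lines:
        if proto == "ftp" and line.startswith("530"):
            failures[dst] += 1
    return {ip for ip, n in failures.items() if n >= min_failures}


def find_successful_ftp_logins(lines):
    """(client, server, user, password) for logins the server accepted with a '230' reply."""
    pending = {}  # (client, server) -> [user, password] for the most recent attempt
    found = []
    for src, dst, proto, line in lines:
        if proto != "ftp":
            continue
        if line.startswith("USER "):
            pending[(src, dst)] = [line[5:], None]
        elif line.startswith("PASS ") and (src, dst) in pending:
            pending[(src, dst)][1] = line[5:]
        elif line.startswith("230") and (dst, src) in pending:
            user, password = pending.pop((dst, src))
            found.append((dst, src, user, password))
    return found


def oldest_apache_server(lines):
    """(ip, version) of the server announcing the lowest Apache httpd version, or None."""
    best = None
    for src, _dst, proto, line in lines:
        m = SERVER_HEADER.match(line) if proto == "http" else None
        if not m:
            continue
        version = tuple(int(p) for p in m.group(1).split("."))  # compare numerically, not as strings
        if best is None or version < best[1]:
            best = (src, version)
    if best is None:
        return None
    return best[0], ".".join(str(p) for p in best[1])


if __name__ == "__main__":
    print("traversal attempts from:", find_traversal_sources(SAMPLE_LINES))
    print("FTP brute force from:", find_ftp_bruteforce(SAMPLE_LINES))
    print("plaintext logins:", find_successful_ftp_logins(SAMPLE_LINES))
    print("oldest Apache:", oldest_apache_server(SAMPLE_LINES))
```

Two details matter for getting the answers the assignment expects: percent-decoding the request path before looking for `../`, so encoded traversal attempts are not missed, and comparing version strings as tuples of integers, since a string comparison would rank `1.3.41` after `1.3.5`.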

6.   DNS and Source Port Randomization

Most clients now select a random UDP source port when making DNS queries to help prevent an attack due to Kaminsky.[3] For this problem, look for clients which do not use a random source port. There are exactly two such DNS resolvers (not including MDNS[4]). With your answer to this question, submit the IP addresses of the two DNS resolvers (not counting MDNS) that use the same source port for all the DNS queries they make (and make more than 1 query).

7.   TCP Sequence Numbers

It is important that the first sequence number chosen by hosts forming a TCP connection be unpredictable. If an adversary can guess the initial sequence number (ISN), they can easily mount TCP session hijacking attacks. In this particular trace, only a few of the TCP implementations appear to use fully random ISNs.[5] You may want to disable Wireshark’s relative sequence number feature while working on this question.[6] Find the IP addresses of the two TCP endpoints that participate in 5 connections or more and that provide the broadest 32-bit coverage in their ISNs. Submit these IP addresses with your answer.

8.   Traceroute Scanning

Traceroute is a utility for finding the addresses of the routers along the IP route between the host it is being run on and an arbitrary destination. You can read about the utility here: http://en.wikipedia.org/wiki/Traceroute.

Attackers sometimes use traceroute to find out about a victim’s network infrastructure (routers and possibly firewalls). Identify the host that is running traceroute for detecting routers on a path. Submit the IP address of the host running traceroute and the IP address of the destination of the traceroute path with your answer.

9.   Cross-Site Scripting

In class, we discussed three types of cross-site scripting (XSS) attacks: reflected XSS, stored XSS, and DOM-based XSS. Recall that reflected XSS involves an attacker sending the victim a URL that contains a script inside the URL itself, so that the server that processes the URL includes the script within the body of the page it returns. Find evidence of reflected XSS. Specifically, submit the IP address of the server that has a reflected cross-site scripting vulnerability that was exploited in the trace. (To our knowledge, there is only one such server in the trace.)
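As an added example for Questions 6 and 7 (my own code, not part of the assignment), the block below runs the two randomness checks over pre-extracted records rather than over the raw trace: one DNS record per query as (client IP, UDP source port), and one TCP record per connection an endpoint initiated as (endpoint IP, absolute ISN). All the values are constructed. The "coverage" measure is my interpretation of the question: the 32-bit space is split into 2^bits equal slices and an endpoint scores by how many slices its ISNs land in, so an implementation that increments its ISN by a constant stays in one slice while a random one spreads out.

```python
from collections import defaultdict

# Constructed sample records; none of these values come from the assignment's trace.
DNS_QUERIES = [
    ("192.168.1.10", 53417), ("192.168.1.10", 60231), ("192.168.1.10", 49158),  # random ports
    ("192.168.1.20", 32768), ("192.168.1.20", 32768), ("192.168.1.20", 32768),  # fixed port
    ("192.168.1.30", 1025),  ("192.168.1.30", 1025),                            # fixed port
    ("192.168.1.40", 5353),                                                      # one query only
]

TCP_ISNS = {
    "192.168.1.10": [0x1A2B3C4D, 0x9F00E121, 0x5566AABB, 0xC0DE1234, 0x0BADF00D, 0xE1E2E3E4],
    "192.168.1.20": [0x00001000, 0x00002000, 0x00003000, 0x00004000, 0x00005000],  # counter-like
    "192.168.1.30": [0x7FFF0000, 0x7FFF0100],                                        # too few connections
    "192.168.1.50": [0x10000000, 0x30000000, 0x50000000, 0x70000000,
                     0x90000000, 0xB0000000, 0xD0000000, 0xF0000000],
}


def fixed_source_port_resolvers(queries, min_queries=2):
    """Clients that used a single source port for every DNS query and sent min_queries or more."""
    ports = defaultdict(list)
    for client, port in queries:
        ports[client].append(port)
    return sorted(c for c, p in ports.items() if len(p) >= min_queries and len(set(p)) == 1)


def isn_coverage(isns, bits=4):
    """Fraction of the 2**bits equal-width slices of the 32-bit space that the ISNs touch."""
    buckets = {isn >> (32 - bits) for isn in isns}  # top `bits` bits select the slice
    return len(buckets) / (1 << bits)


def broadest_isn_endpoints(isns_by_ip, top=2, min_connections=5, bits=4):
    """The `top` endpoints with at least min_connections connections whose ISNs cover the
    most slices; ties are broken by raw numeric span, then by address."""
    scored = []
    for ip, isns in isns_by_ip.items():
        if len(isns) < min_connections:
            continue
        scored.append((isn_coverage(isns, bits), max(isns) - min(isns), ip))
    scored.sort(key=lambda t: (-t[0], -t[1], t[2]))
    return [ip for _cov, _span, ip in scored[:top]]


if __name__ == "__main__":
    print("fixed-port resolvers:", fixed_source_port_resolvers(DNS_QUERIES))
    for ip, isns in TCP_ISNS.items():
        print(ip, "coverage:", isn_coverage(isns))
    print("broadest ISN coverage:", broadest_isn_endpoints(TCP_ISNS))
```

Records in this shape can be exported from a pcap with tshark, for example `tshark -r trace.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e udp.srcport` for the queries and `tshark -r trace.pcap -o tcp.relative_sequence_numbers:FALSE -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" -T fields -e ip.src -e tcp.seq` for the raw ISNs of connection-opening SYNs (the `-o` option is the command-line form of the Wireshark preference mentioned in footnote 6). With only a handful of connections per host the slice count is a coarse measure, so look at the raw values too before committing to an answer.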

Part 2. Interpreting Network Traces
Now that you have explored how to use Wireshark to learn about network traffic and how to automate the discovery of useful information, we will work on not only extracting the relevant data but also interpreting the implications of various network behaviors.

Concisely answer the questions below. Each response should require at most 2–3 sentences. For this section, you may obtain the answers in any way that you choose, and we will not be putting an emphasis on scalability of solutions (though scalability and automation using tools like Wireshark will probably make this much easier for you).

1.   Multiple devices are connected to the local network. What are their MAC and IP addresses?

2.   What type of network does this appear to be (e.g., a large corporation, an ISP backbone, etc.)? Point to evidence from the trace that supports this.

3.   One of the clients connects to an FTP server during the trace.

(a)    What is the DNS hostname of the server it connects to?

(b)   Is the connection using Active or Passive FTP?

(c)    Based on the packet capture, what’s one major vulnerability of the FTP protocol?

(d)   Name at least two network protocols that can be used in place of FTP to provide secure file transfer.

4.   One of the clients makes a number of requests to Facebook.

(a)    Even though logins are processed over HTTPS, what is insecure about the way the browser is authenticated to Facebook?

(b)   How would this let an attacker impersonate the user on Facebook?

(c)    How can users protect themselves against this type of attack?

(d)   What did the user do while on the Facebook site?

Part 3. Anomaly Detection
In Parts 1 and 2, you manually explored network traces with the help of Wireshark. Now, you will programmatically analyze a pcap file to detect suspicious behavior. Specifically, you will be attempting to identify port scanning.

Port scanning is a technique used to find network hosts that have services listening on one or more target ports. It can be used offensively to locate vulnerable systems in preparation for an attack, or defensively for research or network administration. In one kind of port scan technique, known as a SYN scan, the scanner sends TCP SYN packets (the first packet in the TCP handshake) and watches for hosts that respond with SYN+ACK packets (the second handshake step).

Since most hosts are not prepared to receive connections on any given port, typically, during a port scan, a much smaller number of hosts will respond with SYN+ACK packets than originally received SYN packets. By observing this effect in a packet trace, you can identify source addresses that may be attempting a port scan.

Your task is to develop a Python program that analyzes a pcap file in order to detect possible SYN scans. To do this, you will use dpkt, a library for packet manipulation and dissection. It is available in most package repositories
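The block below is an added example of the Part 3 approach (my own code, not the assignment's reference solution): it counts, per source address, how many SYNs a host sent against how many SYN+ACKs came back to it, and flags hosts where the first number is more than three times the second. To stay self-contained it reads the classic libpcap format with the standard library's `struct` module instead of dpkt, so the same logic can be ported to dpkt's `pcap.Reader`, `ethernet.Ethernet`, `ip.IP` and `tcp.TCP` classes once that is installed. The sample trace is built in memory by `sample_pcap()`; its addresses and ports are invented, and the 3:1 ratio is an assumed threshold, not one the assignment specifies.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")      # fixed 20-byte TCP header
SYN, ACK = 0x02, 0x10


def read_pcap(data):
    """Yield (timestamp, packet_bytes) from a classic pcap file held in memory.

    Both byte orders of the 0xa1b2c3d4 magic are accepted; pcapng and the
    nanosecond-resolution magic are not handled."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        rec = struct.Struct("<IIII")
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        rec = struct.Struct(">IIII")
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # global header
    while offset + rec.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = rec.unpack_from(data, offset)
        offset += rec.size
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def tcp_fields(packet):
    """(src_ip, dst_ip, src_port, dst_port, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(packet) < ETH_HDR.size:
        return None
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(packet, 0)
    if ethertype != 0x0800:  # not IPv4 (e.g. ARP)
        return None
    ip = packet[ETH_HDR.size:]
    if len(ip) < IPV4_HDR.size:
        return None
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(ip, 0)
    ihl = (vihl & 0x0F) * 4  # honour IP options when locating the TCP header
    if vihl >> 4 != 4 or proto != 6 or len(ip) < ihl + TCP_HDR.size:
        return None
    sport, dport, _seq, _ack, _off, flags, _win, _tcsum, _urg = TCP_HDR.unpack_from(ip, ihl)
    return ".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, flags


def detect_syn_scanners(pcap_bytes, ratio=3):
    """Sorted source IPs that sent more than `ratio` times as many SYNs as SYN+ACKs they received."""
    syn_sent = defaultdict(int)
    synack_received = defaultdict(int)
    for _ts, packet in read_pcap(pcap_bytes):
        fields = tcp_fields(packet)
        if fields is None:
            continue
        src, dst, _sp, _dp, flags = fields
        if (flags & (SYN | ACK)) == SYN:           # handshake step 1, credited to the sender
            syn_sent[src] += 1
        elif (flags & (SYN | ACK)) == (SYN | ACK):  # handshake step 2, credited to the receiver
            synack_received[dst] += 1
    return sorted(ip for ip, n in syn_sent.items() if n > ratio * synack_received[ip])


def build_packet(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left at zero)."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 1, 0, 64, 6, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ip + tcp


def build_pcap(packets):
    """Constructed little-endian classic pcap with link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def sample_pcap():
    """Constructed trace: 10.0.0.99 probes ten ports on 10.0.0.1 and only 22 and 80 answer;
    10.0.0.5 opens three ordinary connections that all complete the handshake; one ARP frame."""
    pkts = [ETH_HDR.pack(b"\xff" * 6, b"\x66\x77\x88\x99\xaa\xbb", 0x0806) + b"\x00" * 28]
    for port in (21, 22, 23, 25, 80, 110, 139, 443, 445, 8080):
        pkts.append(build_packet("10.0.0.99", "10.0.0.1", 40000 + port, port, SYN))
        if port in (22, 80):
            pkts.append(build_packet("10.0.0.1", "10.0.0.99", port, 40000 + port, SYN | ACK))
    for sport in (50001, 50002, 50003):
        pkts.append(build_packet("10.0.0.5", "10.0.0.1", sport, 80, SYN))
        pkts.append(build_packet("10.0.0.1", "10.0.0.5", 80, sport, SYN | ACK))
    return build_pcap(pkts)


if __name__ == "__main__":
    print("possible SYN scanners:", detect_syn_scanners(sample_pcap()))
```

Two points are easy to get wrong when writing this against a real trace: the SYN test must exclude SYN+ACK (`flags & (SYN | ACK) == SYN`, with the `&` parenthesised, since `==` binds tighter in Python), and SYN+ACKs must be credited to the destination address, because that is the host whose scan they answer. The ratio also needs judgement: a busy but legitimate client that hits a few closed ports will have a ratio somewhat above 1, whereas a scanner sweeping many ports on a mostly-closed host sits far higher.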
 
