Assignment 4: Network Security (Group Assignment)

• Download Files ⇓
• Submit Files ⇑

Introduction

This project will introduce you to common network protocols, to network packet trace analysis, and to the basics of network penetration testing. This is a group assignment and must be done in groups of 2 or 3 only.

Objectives

• Gain exposure to core network protocols and concepts.
• Learn to apply manual and automated traffic analysis to detect security problems.
• Understand offensive techniques used to attack local network traffic.
• Practice network penetration testing.

Read this First

This project asks you to perform attacks, with our permission, against a target network that we are providing for this purpose. Attempting the same kinds of attacks against other networks without authorization is prohibited by law and university policies. You must not attack any network without authorization! Per course policy, you are required to respect the privacy and property rights of others at all times. See “Right, Rules, and Responsibilities” on the Princeton University website for more details. This includes observing the work of other groups if visible on shared networks or machines.

Additionally, please understand and honor the specific actions that are OUT OF SCOPE for Part 3 of the assignment at the end of that section.

Getting Started

Please follow the VM instructions to set up the Virtual Machine environment needed for this project. Once the setup is complete and you are able to log in to the COS432 VM, download the starter zip to the VM, then proceed to the following parts. You will be answering questions in the text files found in that starter zip archive.

Part 1. Exploring Network Traces

Security analysts and attackers both frequently study network traffic to search for vulnerabilities and to characterize network behavior. In this section, you will examine a network packet trace (commonly called a “pcap”, for “packet capture”) that we recorded on a sample network we set up for this assignment. You will search for specific vulnerable behaviors and extract relevant details using the Wireshark network analyzer, which is available in the provided VM image, or at https://www.wireshark.org.

Examine the part1.pcap file from the zip file that you downloaded. Familiarize yourself with Wireshark’s features. Try exploring the various options for filtering and for reconstructing data streams.

Concisely answer the questions below. Each response should require at most two to three sentences. Use the provided part1.txt file.

1. Multiple devices are connected to the local network. What are their MAC and IP addresses? Who manufactured these devices?

2. What type of network does this appear to be (e.g., a large corporation, an ISP backbone, etc.)? Point to evidence from the trace that supports this.

3. One of the clients connects to an FTP server during the trace.

   1. What is the DNS hostname of the server it connects to?

   2. Is the connection using Active or Passive FTP?

   3. Based on the packet capture, what is one major vulnerability of the FTP protocol?

   4. Name at least two network protocols that can be used in place of FTP to provide secure file transfer.

4. The trace shows that at least one of the clients makes HTTPS connections to sites other than Facebook. Pick one of these connections and answer the following:

   1. What is the domain name of the site the client is connecting to?

   2. Is there any way the HTTPS server can protect against the leak of information in (a)?

   3. During the TLS handshake, the client provides a list of supported cipher suites. List the first three cipher suites and name the crypto algorithms used in each.

   4. Are any of these cipher suites worrisome from a security or privacy perspective? Why?

   5. What cipher suite does the server choose for the connection?

5. One of the clients makes a number of requests to Facebook.

   1. Even though logins are processed over HTTPS, what is insecure about the way the browser is authenticated to Facebook?

   2. How would this let an attacker impersonate the user on Facebook?

   3. How can users protect themselves against this type of attack?

   4. What did the user do while on the Facebook site?

Part 2. Anomaly Detection

In Part 1, you manually explored a network trace. Now, you will programmatically analyze a pcap file to detect suspicious behavior. Specifically, you will be attempting to identify port scanning.

Port scanning is a technique used to find network hosts that have services listening on one or more target ports. It can be used offensively to locate vulnerable systems in preparation for an attack, or defensively for research or network administration. In one kind of port scan technique, known as a SYN scan, the scanner sends TCP SYN packets (the first packet in the TCP handshake) and watches for hosts that respond with SYN+ACK packets (the second handshake step). Since most hosts are not prepared to receive connections on any given port, typically, during a port scan, a much smaller number of hosts will respond with SYN+ACK packets than originally received SYN packets. By observing this effect in a packet trace, you can identify source addresses that may be attempting a port scan.

Your task is to develop a Python program that analyzes a pcap file in order to detect possible SYN scans. To do this, you will use dpkt, a library for packet manipulation and dissection. It is available in most package repositories. You can find more information about dpkt at https://github.com/~kbandla/dpkt and view documentation by running pydoc dpkt, pydoc dpkt.ip, etc.; there's also a helpful tutorial here: https://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2-parsing-a-pcap-file

Your program will take the path of the pcap file to be analyzed as a command-line parameter, e.g.:

python detector.py capture.pcap

The output should be the set of IP addresses (one per line) that sent more than three times as many SYN packets as the number of SYN+ACK packets they received. Your program should silently ignore packets that are malformed or that are not using Ethernet, IP, and TCP.

A large (~350MB) sample pcap file captured from a real network is included in the starter zip as part2.pcap.

You can examine the packets manually by opening this file in Wireshark. For this input, your program’s output should be these lines, in any order:

128.3.23.2
128.3.23.5
128.3.23.117
128.3.23.158
128.3.164.248
128.3.164.249

Although the above instructions are for a Python program, you are welcome to use any programming language of your choice. Simply make a private Piazza post if your group is planning to use a different programming language and wait for a confirmation from the AIs (we'd like to make sure we're equipped to evaluate and grade your code). In this post, please also specify the library you plan on using. Kindly note that support might be limited for languages other than Python.

Part 3. Penetration Testing

The fictional company SketchyCorp has contracted with COS 432 to provide penetration testing services to it. Each project team will conduct a thorough penetration test of the company's networks and exposed systems.

SketchyCorp recently set up a remote office for its employees to work in. SketchyCorp is concerned that its remote office may be more vulnerable than its headquarters since it uses a wireless network to provide access to its remote employees.

Your objective is to test the security of SketchyCorp’s networks and systems. In this engagement you will be authorized to break in to SketchyCorp’s systems and explore any vulnerabilities you find, subject to the Rules of Engagement below. As in a real-world penetration test, you will be expected to use your ingenuity and technical skills to discover clues and techniques for meeting your objectives.

SketchyCorp employees connect to the wireless network using WPA2-PSK security. From there, they can access the SketchyCorp firewall, which allows company employees to log in and gain access to company mainframe.

The investigators believe the infrastructure works as shown in Figure 1.

We have sent investigators to the remote office to attempt to capture WiFi traffic. However, they have been foiled by WPA2-PSK security used by the WiFi network. They have managed to find a capture of the WiFi authentication handshake which can be found as part3.pcap in the zip file. They have also managed to determine the password is in the form of either cos432-XYZ or COS432-XYZ where X,Y,Z are alphanumeric characters [a-z,A-Z,0-9]. Provide them with the WiFi password at https://www.cos432.org/netsec and they will provide you with your next lead.

Concisely answer the questions below. Each response should require at most two to three sentences. Use the provided part3.txt file.

1. How many possible Wi-Fi passwords are there that fulfills the password format?

2. What is that actual Wi-Fi password used? How did you obtain that password?

3. There are three machines in the network, namely the employee, the firewall, and the mainframe.

1. What are their IP addresses, respectively? (If a machine has multiple interfaces, report all IP addresses.) How did you get these addresses?

2. What services are currently running on these machines respectively? On which port is each service running? How did you obtain this information?

4. There are unencrypted and encrypted conversations between Alice and Bob.

1. What does the unencrypted conversation say? Please paste it here and briefly describe how you found and obtained the content.

2. (extra credit) Can you decrypt the encrypted messages? If so, what does the plaintext say? Describe how you determined the plaintext contents of the encrypted messages.

5. List all of the clients of the company. Briefly explain how you gained access to this client list.

There will be certain systems and networks that are in scope for this project. Everything else should be considered out of scope. If you have any questions about what is in or out of scope for this project, get clarification from one of the course AIs before you act.

Things that are in scope:

• Connecting to the SketchyCorp network.

• Capturing network traffic from the SketchyCorp firewall

• Using automated network scanning tools from the SketchyCorp firewall.

• Connecting to any servers accessible from SketchyCorp firewall.

• Logging in to SketchyCorp systems with any credentials you obtain.

• Brute forcing or cracking SketchyCorp passwords with your local machine.

Here are a few guidlines to avoid going OUT OF SCOPE during this project:

• DO NOT brute force any passwords if it means sending large amounts of traffic over a network connection.

• DO NOT capture traffic on your local machine with Wireshark or tcpdump. Additionally, NMap may not be run on your local machine at all. You may only use Wireshark on your local machine to review packet capture files.

• DO NOT perform actions that cause difficulty for other users or that interfere with the project infrastructure (i.e., denial of service).

• DO NOT attempt to elevate your shell privileges on the SketchyCorp firewall.

• DO NOT do anything else that’s not specifically designated as in scope. If you’re unsure, please ask for clarification on Piazza.

A note about cheating: There may be backdoors you discover along the way. DO NOT SHARE THEM. If you have questions about whether you may use a particular backdoor, post a private question on Piazza before using it.

Submission Checklist

• □ part1.txt - Answers to questions regarding Part 1.
• □ detector.py - The source code for your Python script (or another language) for SYN scan detection.
• □ part3.txt - Answers to questions regarding Part 3.