Network Security and Penetration Testing

Transcription

1 CORK INSTITUTE OF TECHNOLOGY INSTITIÚID TEICNEOLAÍOCHTA CHORCAÍ Semester 1 Examinations 2012/13 Module Title: Network Security and Penetration Testing Module Code: COMP9006 School: Science & Informatics Programme Title: MSc in Networking and Security Programme Code: KNSEC_9_Y5 External Examiner(s): Internal Examiner(s): Dr David Sinclair Mr V. Ryan Instructions: Answer any 6 questions Each Question is worth 20 Marks. Note that 120 Marks = 100%. Duration: 3 Hours Sitting: Winter 2012 Requirements for this examination: Note to Candidates: Please check the Programme Title and the Module Title to ensure that you are attempting the correct exaination. If in doubt please contact an Invigilator. Page 1 of 5

2 Question 1 a) Write a tcpdump command that will capture only DNS traffic that has the AA and TC bits set to 1. The following shows the layout of the DNS header. b) Explain how the idle host scan works and the rationale behind it. c) Detail one other approach to idle host scanning. (ref. Article from Pauldotcom.com) Page 2 of 5

3 Question 2 a) PoisonIvy is a backdoor trojan that allows unauthorized access and control of an affected machine. The network traffic generated by PoisonIvy begins with 256 bytes of seemingly random data after a successful TCP handshake. These bytes comprise a challenge request to see if the client (i.e., the RAT controller) is configured with the password embedded in the server (i.e., the victim). While the default port for PoisonIvy is 3460, it is most commonly seen used on ports 80, 443, and 8080 as well. After the challenge response is received, the client (i.e., controller) then sends 4 bytes specifying the size of the machine code that it will send. This value has consistently been D PoisonIvy also makes use of keep-alive requests that are 48 bytes long. These requests appear to be always of the same length, but their content differed depending on the password with which the PosionIvy client/server is configured. The default password, admin, is consistently detected. The figure below shows a capture of the 256-byte challenge request. Discuss how you would approach detecting PoisonIvy. b) Evaluate the Bell-La Padula security model. Page 3 of 5

4 Question 3 a) What information might be kept in the state table of a stateful firewall? Explain why this information is retained, and how the information evolves. b) Write iptables rules to allow incoming ping request to internal hosts from network /24, but only at a rate of 10 per minute. All other ping requests from this network should be logged and dropped. c) Describe one security related weakness in the design of IPv6. Question 4 a) Explore the concept of false positives as it applies to NIDS technology. As part of your answer, compare different types of NIDS as to their susceptibility to producing false positives. b) Describe and evaluate the use of hex encoding as an obfuscation technique. c) At the packet level, describe the differences between Tunnel and Transport mode in AH protocol as used in IPSec. Question 5 a) Describe in detail why it is important that DNS Queries/Responses randomize both the query-id and the source port. As part of your answer, describe in detail the cache poisoning technique which Dan Kaminsky demonstrated. [12 Marks] b) What do you understand by split-dns and why might it be employed? How can it be improved upon explain your answer in detail. Page 4 of 5

5 Question 6 a) What do you understand by the switch -PN as used in nmap? When and why might you use it? [5 Marks] b) How can we defend our network against port scanning? - Give details. [9 Marks] c) What is an ACK scan and what is it used for? Question 7 a) Explain how DNS can be used to amplify DDoS attacks. Detail at least two approaches using DNS. b) Explain in detail how XSS attacks work. Give details regarding how attackers can use them. Question 8 a) Discuss security issues relating to TCP port b) In the phases of incident handling, detail the purpose of the third phase and list 5 typical tasks that would normally be carried out during this phase. c) Outline how one can use netcat to create a backdoor. [4 Marks] Page 5 of 5