HW/Lab 2: Network Mapping and Attacks. CS 336/536: Computer Network Security DUE at 10/19/2015 (11am)

Transcription

1 HW/Lab 2: Network Mapping and Attacks CS 336/536: Computer Network Security DUE at 10/19/2015 (11am) This HW/Lab assignment covers Lecture 5 and Lecture 6. Please review these thoroughly before starting to work on the assignment. It is a combination of a hands-on lab exercise (problem 4) and conceptual problems. You are strongly encouraged to utilize your lab session to accomplish the lab exercise. All soft copy submissions (with answers to the problems) must be turned in via Blackboard Learn. Name your files as Lastname_Firstname_HW2. Please make sure that you have correctly submitted/uploaded the files. You can submit hand-written hard copies, if you wish. However, we would prefer that you submit soft copies. If you choose to submit hard copies in any case, please turn them into my mailbox in the CS office or hand them in before the lectures. Please also make sure that your hand-written solutions and handwriting is legible and easy to understand. You must submit by the deadline 11am on 10/19/2015. This applies to both soft and hard copy submissions. Late submissions will not be graded. You will be graded based on the correctness of your answer and also on the steps that you took to come to that answer, whenever possible and applicable. Please try to show all your work, when feasible. The assignment needs to be solved individually by every student. No collaboration of any sort is allowed, unless stated otherwise. No plagiarism is allowed. Please check the course policies against misconduct (discussed in Lecture 1). When in doubt, please consult the instructor. Please submit early to avoid any last minute issues. Please do start working on the homework early and do not wait until the deadline.

2 A. Lab Exercise and Conceptual Problems 1. [10pts] SSH to moat.cis.uab.edu and run a traceroute to facebook.com. List the results, then interpret and report your findings. 2. [15pts] Answer the following questions and explain how you obtained the information asked: a. [5pts] Who is the administrative contact and what is the DNS name server for the uab.edu domain? b. [5pts] Who is the registrar for cnn.com? c. [5pts] What are the public IP address blocks that have been allocated to nsf (National Science Foundation)? 3. [10pts] If you were infiltrating a network ( /16), and searching for vulnerabilities (while trying to remain undetected), why would running the following command be a bad idea? nmap /16. Explain your answer. Note: if you are not familiar with subnetting, we have provided a brief description at the end of Section B. 4. [30pts] Using the tool(s) described in Section B, you are to search the CIS Public Network for machines hosting the following services: LDAP, DNS, DHCP, NFS, and SMTP. For each machine hosting any of these services, include the following information. Explain how you obtained this information. a. [10pts] IP addresses of host. b. [10pts] Any three other open ports on the host. c. [10pts] OS on each host, including OS version. Note: You can connect to the CIS Public Network by using SSH to connect to moat.cis.uab.edu, using your CIS credentials. The subnet of the CIS Public Network is /23. Since there may be a lot of machines running these services, we expect that you will search for 3-5 machines for each service and report your answers to a, b, c parts for each machine running these services. 5. [20pts] Answer the following questions: a. [5pts] Explain why it is difficult to establish a TCP connection using a spoofed IP address. b. [10pts] Explain how this problem can be addressed using session hijacking. c. [5pts] Describe a defense mechanism that can be used to protect the information exchanged between two parties in the presence of a session hijacking attack. 6. [15pts] Describe what a SYN Flooding attack is. Describe how the use of cookies can be used to defend against this attack.

3 B. Tools Description The purpose of this lab is to gain an understanding of some of the basic reconnaissance tools that are available to an outside attacker. The programs/tools you may use are: whois Whois is a simple command to do internet domain lookups on names that are registered with a domain registration service (such as GoDaddy). Ex: whois stackoverflow.com... Domain Name: stackoverflow.com Registrar: Name.com LLC Expiration Date: :18:07 Creation Date: :18:07 Name Servers: ns1.serverfault.com ns2.serverfault.com ns3.serverfault.com ns4.serverfault.com REGISTRANT CONTACT INFO Stack Exchange, Inc. Sysadmin Team 1 Exchange Plaza Floor 26 New York NY US Phone: Address: sysadmin-team@stackoverflow.com (This is just a small excerpt) You can also learn information about publicly registered ip addresses by using whois in conjunction with an ip address: Ex: whois

4 nmap: Of all the tools we discussed above, nmap is probably one of the most powerful tools available for network analysis. There is a massive number of arguments and ways to use nmap, so we ll just cover a few basic arguments that can be useful for network analysis. Note: Do not scan large IP ranges when using nmap, especially if you re doing a full scan on more than a handful of hosts. nmap hostname (or ip) - Scans commonly used ports on the specified host nmap X..X - nmap Scans IP range of nmap * - Scans in place of * nmap /24 -Scan entire subnet nmap -O hostname - Scan operating system of remote machine, requires sudo nmap -sp /24 - Scan subnet to see which machines are online ( ping scan ) nmap -p # hostname - Scan specific port on destination machine - Ex: nmap -p 22 google.com - Ex: nmap -p google.com More Commands here:

5 Ping: with record route option (Ping -R) Ping is a network tool that relies on the ICMP (Internet Control Message Protocol), a Layer 3 protocol for diagnosing networking issues. Normally, ping is just used to check whether or not a machine is accessible via your network (ex: ping google.com, ping -c 4 google.com to only send 4 frames). With the use of the -R command (this seems better suited for internal network usage), you can trace the path to your destination. Ex: ping -R google.com $ ping -c 4 -R hornbill.cis.uab.edu PING hornbill.cis.uab.edu ( ) 56(124) bytes of data. 64 bytes from : icmp_req=1 ttl=64 time=0.125 ms RR: bytes from : icmp_req=2 ttl=64 time=0.085 ms (same route) 64 bytes from : icmp_req=3 ttl=64 time=0.122 ms (same route) 64 bytes from : icmp_req=4 ttl=64 time=0.139 ms (same route) Identifying Networks CIDR and Subnetting Each IP address is composed of 4 bytes, giving us a possible IP range of to However, given an arbitrary IP address, such as , how can we determine which network it belongs to? Each IP address has two parts, a network portion, and a host portion. The former identifies the network, while the latter specifies which host on the network. The original method for network identification was Classful networking, in which the leading two bits would determine how much of the IP address identified the network. For instance, if the first bit were a 0, only the first octet of the IP address identifies the network. So for the given IP , the network would be and the host portion would be (and the network would include all IPs from ). This scheme was replaced by the less wasteful Classless addressing scheme in which a network mask value is used to determine the network portion of the IP address. The network mask is a value composed of 1 s from the most significant bit of the IP address, and determines the network portion when ANDed with the network mask. So for the example above, the subnet mask for under the Classful system would be We can represent these subnet masks by using CIDR notation, which is just based on the number of 1 s in the subnet mask. For example, would be /8, and would be /16. For more information, read and