FIT5037 Network Security Assignment (S2 2021)
Total Marks 100
Due on October 17th, Sunday, 11:59:59 am

1 Overview

The learning objective of this assignment is for you to gain first-hand experience of network attacks (i.e., TCP and DNS attacks) and a deeper understanding of how these attacks are carried out in practice. All tasks in this assignment can be done on the virtual machine https://cloudstor.aarnet.edu.... as used in Lab Week 8 (Network Attacks).

2 Submission Policy

You need to submit a lab report (one single PDF file) describing what you have done and what you have observed, with screenshots whenever necessary; you also need to provide explanations or code for the observations related to the tasks. In your report, you are expected to answer all the questions listed in this manual. Typeset your report in .pdf format (make sure it can be opened with Adobe Reader) and name it in the format [Your Name]-[Student ID]-FIT5037-Assignment, e.g., HarryPotter-12345678-FIT5037-Assignment.pdf.

All source code, if required, should be embedded in your report. In addition, if a demonstration video is required, you should record your screen demonstration with your voice explanation and upload the video to your Monash Google Drive. For the video demonstration, you are required to say your name and student ID at the start of the recording; showing your face is optional. The shared URL of the video should be mentioned in your report wherever required. You can use this free tool to make the video: https://monash-panopto.aarnet...; other tools are also fine. Then, please upload the PDF file to Moodle. Note: the assignment is due on October 17th, 2021, Sunday, 11:59:59 am (Firm!).

Late submission penalty: 10-point deduction per day. If you require special consideration, the application should be submitted and notified at least three days in advance. Zero tolerance on plagiarism: if you are found cheating, penalties will be applied, i.e., a zero grade for the unit.
The demonstration video is also used to detect/avoid plagiarism. University policies can be found at https://www.monash.edu/studen...

3 Environment Setup

In this section, you need to double check whether you have configured GNS3 correctly. We will be using the Week08 lab configuration, i.e., your GNS3 configuration should look like the figure below:

Figure 1: GNS3 Config

Otherwise, if you have just downloaded the VM for the first time, we refer you to Environment Setup (https://lms.monash.edu/mod/re...) in Week 01. It is recommended to perform the lab tasks of Week08 before proceeding.

4 TCP Attacks – Using Scapy [40 Marks]

The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It sits on top of the IP layer and provides a reliable and ordered communication channel between applications running on networked computers. TCP belongs to the Transport layer, which provides host-to-host communication services for applications. To achieve such reliable and ordered communication, TCP requires both ends of a communication to maintain a connection. Unfortunately, when TCP was developed, no security mechanism was built into the protocol, making it possible for attackers to eavesdrop on connections, break connections or hijack connections. In this section, you are required to perform these attacks using Scapy, a packet manipulation tool for computer networks written in Python.

4.1 Task 1: TCP Reset Attacks [15 Marks]

In the stream of packets of a TCP connection, each packet contains a TCP header. In the header, there is a bit known as the "reset" (RST) flag. In most packets, this bit is set to 0 and has no effect; however, if this bit is set to 1, it indicates that the receiver should immediately stop using the TCP connection. That means it should not send back any more packets using the connection's identifying numbers, called ports, and should discard any further packets whose headers belong to that connection.
A TCP reset basically kills a TCP connection instantly.

It is possible for a third computer (aka the attacker) to monitor the TCP packets on the connection and then send a "forged" packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection.

The idea is quite simple: to break up a TCP connection between A and B, the attacker just spoofs a TCP RST packet from A to B or from B to A.

Q1: Connect from Internal-Client to Internal-Server using SSH (use apt install ssh if SSH is not installed); the username and password are the same: msfadmin. Perform a TCP RST attack from the Internal-Attacker workstation on the SSH service using the Scapy (Python-based) packet generator. The Internal-Client terminal should show that the connection is terminated. Please submit your Python code and the steps, along with a video link showing that you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks)

Q2: Briefly explain the TCP RST attack and propose at least two theoretical countermeasures. You do not have to do any configuration/implementation for this task. (Explanation: 2.5 marks, countermeasures: 2.5 marks)

4.2 Task 2: TCP Session Hijacking Attacks [25 Marks]

Once a TCP client and server finish the three-way handshake protocol, a connection is established, and we call it a TCP session. From then on, both ends can send data to each other. Since a computer can have multiple concurrent TCP sessions with other computers, when it receives a packet, it needs to know which TCP session the packet belongs to.
TCP uses four elements to make that decision, i.e., to uniquely identify a session: (1) source IP address, (2) destination IP address, (3) source port number, and (4) destination port number.

We call these four fields the signature of a TCP session. As we have already learned, spoofing packets is not difficult. What if we spoof a TCP packet whose signature matches that of an existing TCP session on the target machine? Will this packet be accepted by the target? Clearly, if the above four elements match the signature of the session, the receiver cannot tell whether the packet comes from the real sender or an attacker, so it considers the packet as belonging to the session.

However, for the packet to be accepted, one more critical condition needs to be satisfied: the TCP sequence number. TCP is a connection-oriented protocol and treats data as a stream, so each octet in the TCP session has a unique sequence number identifying its position in the stream. The TCP header contains a 32-bit sequence number field, which holds the sequence number of the first octet in the payload. When the receiver gets a TCP packet, it places the TCP data (payload) in a buffer; where exactly the payload is placed inside the buffer depends on the sequence number. This way, even if TCP packets arrive out of order, TCP can always place their data in the buffer in the correct order.

The objective of this task is to hijack an existing TCP connection (session) between client and server by injecting malicious contents into their session.

Q3: Connect via TELNET from Internal-Client to Internal-Server; the username and password are the same: msfadmin. Write Python code, using Scapy, which can inject packets into the TELNET communication; the goal is to make a directory called "attacker" at the Internal-Server (as seen in the screenshot below). You can use the Internal-Attacker workstation to run the Python code.
Submit the Python code and steps, along with a video link that demonstrates you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks)

Figure 2: Directories in Internal-Server

Q4: Connect via TELNET from Internal-Client to Internal-Server. The objective is to get a reverse shell from Internal-Server. A reverse shell is a shell process running on a remote machine, connecting back to the attacker's machine. We are omitting the details of reverse shells and encourage students to research them; you can start from here: https://hackernoon.com/revers...

Write Python code, using Scapy, which can inject packets into the TELNET communication and create a reverse shell from Internal-Server to Internal-Attacker (as seen in the screenshot below; in this case the Internal-Server's IP address is 10.10.10.197). Submit the Python code and steps, along with a video link showing that you have performed the attack. (Python code: 5 marks, explanation during recording demonstration: 5 marks)

Figure 3: Receiving reverse shell

Q5: Connect via SSH from Internal-Client to Internal-Server; the username and password are the same: msfadmin. Perform the same TCP hijacking attacks as you did for TELNET, i.e., make the attacker directory in Internal-Server and create a reverse shell from Internal-Server to Internal-Attacker by hijacking the SSH connection. If your attacks are successful, please submit the Python code and steps, along with a video link showing that you have performed the attacks. If your attacks were unsuccessful, explain the reason in detail. (Python code and explanation during recording demonstration: 5 marks)

5 DNS Attacks – Using Scapy [60 Marks]

The Domain Name System (DNS) is an essential component of the Internet infrastructure. It serves as the phone book for the Internet, so computers can look up the "telephone number" (i.e., the IP address) for a domain name. Without knowing the IP address, computers will not be able to communicate with one another.
Due to its importance, the DNS infrastructure faces frequent attacks. In this section, you will explore the most primary attack on DNS, DNS cache poisoning, by investigating both local and remote DNS cache poisoning attacks.

Due to the large number of computers and networks on the Internet, the domain namespace is organised in a hierarchical tree-like structure. Each node on the tree is called a domain, or a sub-domain when referenced relative to its parent node. The following figure depicts a part of the domain hierarchy.

Figure 4: Domain hierarchy

The domain hierarchy tree structure describes how the domain namespace is organised, but that is not exactly how the domain name systems are organised. Domain name systems are organised according to zones. A DNS zone basically groups contiguous domains and sub-domains on the domain tree, and assigns the management authority to an entity. Each zone is managed by an authority, while a domain does not indicate any authority information. The following figure depicts an example of the example.com domain.

Figure 5: DNS Zones

Assume that example.com in the above figure is an international company, with branches all over the world, so the company's domain is further divided into multiple sub-domains, including usa.example.com, uk.example.com, and france.example.com. Inside the US, the usa sub-domain is further divided into the chicago, boston, and nyc subdomains.

Each DNS zone has at least one authoritative nameserver that publishes information about that zone. The goal of a DNS query is to eventually ask the authoritative DNS server for answers. They are called authoritative because they provide the original and definitive answers to DNS queries, as opposed to obtaining the answers from other DNS servers.

With such an arrangement, the root zone for example.com only needs to keep records of who the authority is for each of its subdomains.
By doing this, it maintains the independence among the branches in different countries and delegates the administrative rights for those subdomains, so the branch in each country manages its own DNS information. For a given DNS query, if your local DNS server does not have the answer, it will ask other DNS servers on the Internet for the answer via the hierarchy of authoritative servers. The following example demonstrates a dig (DNS query) for the domain www.example.net when sending the query directly to one of the root servers (i.e., a.root-servers.net).

Figure 6: DIG to the root server

There are four types of sections in a DNS response: question section, answer section, authority section, and additional section. From the above result, we can see that the root server does not know the answer (because the reply does not include an answer section), but it tells us several authoritative nameservers for the net zone (the NS records in the authority section), along with their IP addresses where possible in the additional section. If you continue to dig the domain www.example.net on one of these authoritative nameservers, you will finally end up with an answer section showing the IP address of the machine hosting the website for www.example.net.

When your local DNS server gets information from other DNS servers, it caches the information, so if the same information is needed again, it will not waste time asking again.

5.1 Task 3: Local DNS Attack targeting Authority Nameserver [20 Marks]

Recall that a DNS response contains a question section, answer section, authority section, and additional section. If we only target the answer section, the attack only affects one hostname (as we did in our Week08 lab "DNS Spoofing Attacks"). Real DNS attacks usually target the authority section by providing a fake NS record for the target domain in the authority section.
If the fake NS record is cached, when the victim local DNS server tries to find any IP address in the target domain, it will send a request to the malicious nameserver specified in the fake NS record. Such an attack can affect all the hostnames in the target domain. In this task, you will explore how to target the authority server of example.net and manage to replace it with ns1.attacker.com and ns2.attacker.com.

Q6: Submit your Python code and write comments in the code, step by step, to perform the DNS spoofing attack that modifies the authority server of example.net to be ns1.attacker.com and ns2.attacker.com. Use Internal-Client as the victim and Internal-Attacker as the attacker machine. (Python code: 10 marks). If the attack works, you should see the result as in the following figure, in which the malicious authoritative servers have taken the place of the real ones.

Figure 7: Q6

Q7: Provide your explanation in the video demonstration to support your above DNS spoofing attack. (Explanation and attack's results: 5 marks, highlight Wireshark packet monitor in the video: 5 marks)

5.2 Task 4: Remote DNS Attack targeting Authority Server [40 Marks]

For this task, the attacker (Internal-Attacker) and the DNS server need to be in different LANs. We will move the DNS server to the Server LAN and configure its IP statically. The GNS3 configuration for this task should look like the figure below:

Figure 8: GNS3 for Remote DNS Attacks

Configure a static IP for DNS:

Figure 9: Static IP config for DNS

Now log in to Internal-FW (username is 'admin', no password), and execute the following to disable NAT:

ip firewall nat remove 0

The previous local DNS attacks assume that the attacker and the DNS victim server are on the same LAN, so that she can observe the DNS query message and reply with a forged DNS packet. When the attacker and the DNS server are not on the same LAN, the attack becomes harder, since the attacker cannot perform an ARP poisoning attack and see the DNS query.
When the DNS victim server cannot resolve the DNS query, it will forward the DNS query packet to the forwarder DNS server (the Google DNS server in our current setup). The DNS query is sent in a UDP packet whose source port is a 16-bit random number. In addition, the 16-bit transaction ID in the DNS header is also generated by the DNS victim server. Hence, if the remote attacker wants to forge the DNS response, the forged packet must contain the correct values of these two numbers; otherwise, the reply will not be accepted.

Without being able to sniff the query packet, the remote attacker can only guess these two numbers. The chance is one out of 2^32 for each guess. If an attacker can send out 1000 spoofed responses, it may take several days to try all 2^32 combinations. In contrast, it only takes a few seconds to receive the correct response from the forwarder Google DNS. Consequently, that real reply will be cached by the local DNS victim server. To make another try, the attacker has to wait for the server to send out another DNS query when its cache entry times out. Hence, this low attacking chance makes the remote DNS attack unrealistic.

The remote DNS attack remained an open problem until Dan Kaminsky came up with a simple solution in 2008. The attack is depicted in the following figure.

Figure 10: Kaminsky Attack

We choose the domain test.com as our target domain name in this task. When a client queries the DNS server for www.test.com, the attacker (Internal-Attacker) wants to cause the DNS server to use her DNS server (ns.attacker.com). The following steps, with reference to the above figure, describe the outline of the attack.
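The following Python model is an added illustration, not part of the assignment or its solution: it shows, from the resolver's side, the two acceptance checks discussed above for Task 3 and Task 4, namely the transaction-ID/source-port match that a blind remote spoof has to guess, and the bailiwick rule that decides which authority and additional records from a reply may be cached. The names, ports, IDs and glue addresses are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class PendingQuery:
    txid: int       # 16-bit transaction ID chosen by the resolver
    sport: int      # 16-bit random UDP source port the query left from
    qname: str      # name asked, e.g. "www.example.net."
    bailiwick: str  # zone the queried server is authoritative for

@dataclass
class Response:
    txid: int
    dport: int       # UDP destination port of the reply
    qname: str
    authority: list  # (owner, rtype, rdata) tuples from the authority section
    additional: list  # same shape, from the additional section

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone (case-insensitive, trailing dot optional)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)

def accept(pending: PendingQuery, resp: Response):
    """Return (accepted, kept_records, dropped_records).

    A blind off-path spoof must hit both 16-bit values (one chance in 2^32 per
    forged packet). An on-LAN attacker who sniffed the query passes this step,
    so the bailiwick filter is what limits what the forged reply can plant.
    """
    if resp.txid != pending.txid or resp.dport != pending.sport:
        return False, [], []
    if resp.qname.lower() != pending.qname.lower():
        return False, [], []
    kept, dropped = [], []
    for rr in resp.authority + resp.additional:
        (kept if in_bailiwick(rr[0], pending.bailiwick) else dropped).append(rr)
    return True, kept, dropped

# Constructed scenario: the resolver asked a .net server about www.example.net.
PENDING = PendingQuery(txid=0x1A2B, sport=41234, qname="www.example.net.", bailiwick="net.")

# Forged reply shaped like Task 3: fake NS records plus glue for the fake servers.
FORGED = Response(
    txid=0x1A2B, dport=41234, qname="www.example.net.",
    authority=[("example.net.", "NS", "ns1.attacker.com."),
               ("example.net.", "NS", "ns2.attacker.com.")],
    additional=[("ns1.attacker.com.", "A", "10.10.10.200"),   # constructed glue
                ("ns2.attacker.com.", "A", "10.10.10.201")])  # constructed glue

# A blind guess from outside the LAN with the wrong transaction ID (Task 4 case).
BLIND = Response(txid=0x0001, dport=41234, qname="www.example.net.",
                 authority=FORGED.authority, additional=FORGED.additional)
```

Note that the forged NS records survive the bailiwick filter because their owner name, example.net, lies inside the queried zone; only the out-of-zone glue for ns1/ns2.attacker.com is discarded, which forces the resolver to look those names up independently rather than trusting the attacker-supplied addresses.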
...