Subject Code : FIT3031
Country : Australia
FIT3031 Network Security - TCP And DNS Attacks - IT Assessment Answer
Assessment Task:

Overview

The learning objective of this assignment is for you to gain first-hand experience of network attacks (i.e., TCP and DNS attacks) and to get a deeper understanding of how to launch these attacks in practice.

TCP Attacks – Using Scapy 

In the stream of packets of a TCP connection, each packet contains a TCP header. In the header, there is a bit known as the "reset" (RST) flag. In most packets, this bit is set to 0 and has no effect; however, if this bit is set to 1, it indicates that the receiver should immediately stop using the TCP connection. That means it should not send back any more packets using the connection's identifying numbers, called ports, and should discard any further packets whose headers belong to that connection. A TCP reset basically kills a TCP connection instantly.

It is possible for a third computer (aka attacker) to monitor the TCP packets on the connection and then send a "forged" packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection.

The idea is quite simple: to break up a TCP connection between A and B, the attacker just spoofs a TCP RST packet from A to B or from B to A.

Question

Q1: Connect from the client (container) to the server (container) using SSH (from the client terminal execute ssh 10.4.1.15); the username and password are the same: client. Perform a TCP RST attack, from the attacker (container), on the SSH service using the Scapy (Python-based) packet generator. The client terminal should show that the connection is terminated. Please submit your Python code and the steps, along with screenshots, you have taken to perform the attack.

Q2: Briefly explain the TCP RST attack and propose at least two theoretical countermeasures. You do not have to do any configuration/implementation for this task.
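As an added illustration of one Q2-style countermeasure (this is example code, not part of the assignment or its solution): a receiver-side RST validation check in the style of RFC 5961, compared with the original RFC 793 rule. Packets are constructed dict records rather than real Scapy objects, and the receiver state values are assumed.

```python
# Added example, not the assignment's code: a receiver-side RST validation check in the
# style of RFC 5961 (section 3.2), one of the countermeasures asked for in Q2.
# Packets are constructed dict records, not real Scapy objects.

RST = 0x04  # TCP flag bit for reset (constructed "flags" field, as in a TCP header)
SEQ_SPACE = 2 ** 32

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound."""
    return ((seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd

def legacy_rst_accepted(pkt, rcv_nxt, rcv_wnd):
    """Original RFC 793 rule: any in-window RST tears the connection down."""
    return bool(pkt["flags"] & RST) and in_window(pkt["seq"], rcv_nxt, rcv_wnd)

def rfc5961_rst_action(pkt, rcv_nxt, rcv_wnd):
    """RFC 5961 rule: only an RST whose SEQ equals RCV.NXT resets the connection.

    An in-window but inexact RST gets a "challenge ACK" instead; the legitimate peer
    answers it with a correctly numbered RST, while an off-path forger gains nothing.
    """
    if not pkt["flags"] & RST:
        return "ignore"
    if not in_window(pkt["seq"], rcv_nxt, rcv_wnd):
        return "drop"
    if pkt["seq"] == rcv_nxt:
        return "reset"
    return "challenge_ack"

def blind_reset_fraction(rcv_wnd, strict):
    """Share of the 2**32 sequence space that a blind (non-sniffing) forger must hit."""
    return (1 if strict else rcv_wnd) / SEQ_SPACE

# Constructed receiver state: the next expected byte is 1000, window is 64 KiB.
RCV_NXT, RCV_WND = 1000, 65535
# Constructed RSTs: exact, merely in-window, and far outside the window.
SAMPLE_RSTS = [{"flags": RST, "seq": s} for s in (1000, 1500, 5_000_000)]

if __name__ == "__main__":
    for pkt in SAMPLE_RSTS:
        print(pkt["seq"], legacy_rst_accepted(pkt, RCV_NXT, RCV_WND),
              rfc5961_rst_action(pkt, RCV_NXT, RCV_WND))
    # Caveat: an on-path attacker who sniffs the exact sequence number (the Q1 LAN
    # setup) still succeeds; the check raises the bar only for blind, off-path forgery.
```

The `blind_reset_fraction` comparison shows why the strict rule matters: the legacy rule accepts any of 65535 sequence values per window, the strict rule exactly one.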

Task 2: TCP Session Hijacking Attacks 

Once a TCP client and server finish the three-way handshake protocol, a connection is established, and we call it a TCP session. From then on, both ends can send data to each other. Since a computer can have multiple concurrent TCP sessions with other computers, when it receives a packet, it needs to know which TCP session the packet belongs to. TCP uses four elements to make that decision, i.e., to uniquely identify a session: (1) source IP address, (2) destination IP address, (3) source port number, and (4) destination port number.

We call these four fields the signature of a TCP session. As we have already learned, spoofing packets is not difficult. What if we spoof a TCP packet whose signature matches that of an existing TCP session on the target machine? Will this packet be accepted by the target? Clearly, if the above four elements match the signature of the session, the receiver cannot tell whether the packet comes from the real sender or an attacker, so it considers the packet as belonging to the session.

However, for the packet to be accepted, one more critical condition needs to be satisfied. It is the TCP sequence number. TCP is a connection-oriented protocol and treats data as a stream, so each octet in the TCP session has a unique sequence number, identifying its position in the stream. The TCP header contains a 32-bit sequence number field, which contains the sequence number of the first octet in the payload. When the receiver gets a TCP packet, it places the TCP data (payload) in a buffer; where exactly the payload is placed inside the buffer depends on the sequence number. This way, even if TCP packets arrive out of order, TCP can always place their data in the buffer using the correct order.

The objective of this task is to hijack an existing TCP connection (session) between client and server by injecting malicious contents into their session.

Q3: Connect with TELNET from the client to the server (from the client terminal execute telnet 10.4.1.15); the username and password are the same: client. Write Python code, using Scapy, that can inject packets into the client-server telnet communication; the goal is to make a directory called “attacker” at the server (as seen in the screenshot below). You can use the attacker container to run the Python code. Submit the Python code and the steps, along with screenshots, you have taken to perform the attack.

Q4: Connect with TELNET from the client to the server (from the client terminal execute telnet 10.4.1.15); the username and password are the same: client. The objective is to get a reverse shell from the server. A reverse shell is a shell process running on a remote machine, connecting back to the attacker’s machine. We are omitting the details of reverse shells and encourage students to research them. Write Python code, using Scapy, that can inject packets into the client-server telnet communication and create a reverse shell from the server, which connects back to the attacker (as seen in the screenshot below). Submit the Python code and the steps, along with screenshots, you have taken to perform the attack.

Task 3: Local DNS Attack targeting Authority Nameserver 

Recall that a DNS response contains a question section, an answer section, an authority section, and an additional section. If we only target the answer section, the attack only affects one hostname. Real DNS attacks usually target the authority section by providing a fake NS record for the target domain in the authority section. If the fake NS record is cached, when the victim local DNS server tries to find any IP address in the target domain, it will send a request to the malicious nameserver specified in the fake NS record. Such an attack can affect all the hostnames in the target domain. In this task, you will explore how to target the authority server of example.net and replace it with “ns1.FIT3031.attacker.com” and “ns2.FIT3031.attacker.com”.

Q6: Submit your Python code and the steps to perform the direct-spoofing DNS attack that modifies the authority server of example.net to be “ns1.FIT3031.attacker.com” and “ns2.FIT3031.attacker.com”. (Python code: 10 marks). If the attack works, you should see the result as in the following figures, in which the malicious authoritative servers are in place.

Q7: Provide your explanation and evidence (snapshots) to support your direct-spoofing DNS attack above.

Task 4: Remote DNS Attack targeting Authority Server 

The previous local DNS attacks assume the attacker and the DNS victim server are on the same LAN so that she can observe the DNS query message and reply with a forged DNS packet. When the attacker and the DNS server are not on the same LAN, the attack becomes harder since the attacker cannot see the DNS query. When the DNS victim server cannot resolve the DNS query, it will forward the DNS query packet to the forwarder DNS server (Google DNS server in our current setup). The DNS query is sent via a UDP packet where the UDP’s source port is a 16-bit random number. In addition, the 16-bit transaction ID in the DNS header is also self-created by the DNS victim server. Hence, if the remote attacker wants to forge the DNS response, the forged packet must contain the correct values of these two numbers; otherwise, the reply will not be accepted.

Without being able to sniff the query packet, the remote attacker can only guess these two numbers. The chance is one out of 2^32 for each guess. If an attacker can send out 1000 spoofed responses, it may take several days to try all 2^32 combinations. In contrast, it only takes a few seconds to receive the correct response packet from the forwarder Google DNS. Consequently, that real reply will be cached by the local DNS victim server. To make another try, the attacker has to wait for the server to send out another DNS query when its cache times out. Hence, this low chance of success makes the remote DNS attack unrealistic.

The remote DNS attack remained an open problem until Dan Kaminsky came up with a simple solution in 2008.

Q8: You need to complete Step 1 in remote_dns.py to create 10000 dummy hostnames.

Q9: You need to complete Step 2 in remote_dns.py to generate a random DNS query for each dummy hostname.

Q10: You need to complete Step 3 in remote_dns.py to flood about 100 random forged response packets. Each packet has:

• A randomly generated transaction ID for DNSpkt. (5 marks for code and screenshot)
• The malicious DNS server “ns.FIT3031.attacker.com” included in the nameserver authority for the domain test.com when you construct DNSpkt. (10 marks for code and screenshot)
• An additional section showing “ns.FIT3031.attacker.com” has the IP of the attacker, 10.0.0.2. (5 marks for code and screenshot)
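As an added, defender-side illustration (example code, not the assignment's remote_dns.py or its solution) covering both the guessing argument above and the shape of the Q10 response: a resolver-style bailiwick filter applied to a constructed reply whose authority and additional sections carry the names and the 10.0.0.2 address from the task description, plus the cumulative-probability calculation that explains why forcing many queries for dummy hostnames changes the picture. The bailiwick rule means the in-zone NS record still passes, but the out-of-zone glue for ns.FIT3031.attacker.com does not; the number of entropy bits is a parameter, since a resolver with a fixed source port has only the 16-bit transaction ID.

```python
# Added example, not the assignment's code: resolver-side bailiwick filtering of the
# authority and additional sections, the check that stops a forged response from
# planting glue for a nameserver outside the zone that was queried. Records are
# constructed (name, type, data) tuples; names and the IP come from the Q10 text.

def in_bailiwick(name, zone):
    """True if name is the zone itself or lies underneath it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def filter_response(zone, authority, additional):
    """Return (kept_authority, kept_additional, rejected) for a reply about `zone`.

    NS records for the zone are in-bailiwick and survive; an A record (glue) for a
    name outside the zone is rejected and must be resolved separately, so the
    attacker's claimed IP for it never enters the cache from this reply.
    """
    kept_auth = [r for r in authority if in_bailiwick(r[0], zone)]
    # Glue is trusted only for hosts inside the zone that a kept NS record names.
    targets = {a[2].lower().rstrip(".") for a in kept_auth if a[1] == "NS"}
    kept_add, rejected = [], []
    for rec in additional:
        host = rec[0].lower().rstrip(".")
        if rec[1] == "A" and in_bailiwick(host, zone) and host in targets:
            kept_add.append(rec)
        else:
            rejected.append(rec)
    return kept_auth, kept_add, rejected

def cumulative_success(forged_per_query, queries, space_bits=32):
    """Chance that at least one of `queries` windows is won when each window gets
    `forged_per_query` random guesses out of 2**space_bits (source port + txid).
    With one query per cache timeout this stays tiny; the point of querying many
    dummy hostnames is to make `queries` large without waiting for timeouts."""
    p = forged_per_query / 2 ** space_bits
    return 1 - (1 - p) ** queries

# Constructed forged reply, shaped like the Q10 packet.
QUERIED_ZONE = "test.com"
AUTHORITY = [("test.com", "NS", "ns.FIT3031.attacker.com")]
ADDITIONAL = [("ns.FIT3031.attacker.com", "A", "10.0.0.2")]

if __name__ == "__main__":
    kept_auth, kept_add, rejected = filter_response(QUERIED_ZONE, AUTHORITY, ADDITIONAL)
    print("kept authority:", kept_auth)
    print("kept glue:", kept_add, "rejected:", rejected)
    print("P(win) with 32 entropy bits:", cumulative_success(100, 10000, 32))
    print("P(win) with 16 entropy bits:", cumulative_success(100, 10000, 16))
```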

Q11: Provide your video demonstration evidence to support and verify that you have performed the attack and it worked successfully. You need to upload your demo video to your Monash Google Drive and embed its shared link in your report so that the teaching team can view and verify your work. In the video, you need to demonstrate the following key points:

• Wireshark traffic captured on the Gateway on eth1 shows the transaction ID in the DNS packet sent by the victim DNS server to Google, and the correctly matched transaction ID in the forged packet sent by the attacker to the victim DNS server.

This IT Assessment has been solved by our IT Assessment Experts at UniLearnO. Our Assignment Writing Experts can provide a fresh solution to this question. We are serving more than 10000+ students in Australia, the UK and the US by helping them to score HD in their academics. Our experts are well trained to follow all marking rubrics and referencing styles.


  • Uploaded By : Mitchell Lee
  • Posted on : October 28th, 2018
  • Downloads : 210
