
IERG4130 Redirection attack

Time: 2024-11-18 18:42:47

Lab Setup

This lab assignment exercise will be conducted on your own PC/laptop using virtual machines. The images of the required VMs can be downloaded with the following links.

  • For Windows, you can install to switch on all three virtual machines.
  • For MacOS, you can install VMWare Fusion Player (available at https://softwareupdate.vmware.com/cds/vmw-desktop/fusion/). You may need to register a free personal license first.

After installation of the VMWare Player, please load the three downloaded VM images into it. This can be done by simply dragging and dropping the .vmx files into VMWare. You may also want to rename these VMs by right-clicking on their names on the left panel.

By default, we assign (2G, 2G, 256M) memory to (Kali, Lubuntu, Win2K). If your computer has limited memory space (<8G), you may want to adjust the virtual memory assignment. For example, you can reduce Lubuntu’s memory to 512M. We recommend assigning 2G to Kali.

Then, launch all three VMs and keep them running. You should be able to see the login screen for each of them. Below is a screenshot of the VMWare Workstation on Windows after the setup.

Overview

In this lab exercise, you are going to examine some cyber hacking scenarios and countermeasures in the Internet. They include:

  • Password sniffing
  • Redirection attack
  • Hacking exercise

The network topology used in this laboratory session is shown below. The machines are installed as virtual machines and they are connected as a network.

You will mainly operate on the Attacker’s machine (marked [Kali]). Some operations need to be done on Victim2’s machine (marked [Lubuntu]). You don’t need to log into Victim1 (Windows 2000) during the whole lab.

Machines’ account information (username/password) is listed below:

  • Attacker (Kali): kali/kali
  • Victim1 (Lubuntu): osboxes.org/osboxes.org

Lab Preparation:

Before the following tasks, please find the IP addresses of the three virtual machines; they will be used afterwards.

Hints: you may use ifconfig, or run nmap or arp in Kali (you can search these terms online for more information).

  1. Password Sniffing Experiment [15 Marks]

You should only operate on [Kali] to complete the task.

In this experiment, we will examine the HTTP User Authentication schemes [1] and see the levels of protection as well as the various security handshake mechanisms provided by these schemes.

Using the Mozilla Firefox web browser, browse to the following web pages:

username: ierg4130 password: ierg4130_digest

Use Wireshark [3] to capture the packets that are exchanged between the web browser and the web server. To run Wireshark, open a terminal and type the following command: wireshark. After starting the tool, you shall see the application as follows:

Analyze the contents of the captured packets and answer the following questions:

Q1-1 [Kali] Using Wireshark, can you find out the username and password that were used to log in to the two web pages?

Q1-2 [Kali] After the web server has verified the username/password and sends back the webpage, is the content of the webpage encrypted?

Q1-3 [Kali] Identify the type of authentication mechanisms used in the two webpages and explain their differences.
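As an added illustration (not part of the original lab handout), the following Python sketch shows what an HTTP Authorization header reveals to anyone who can read the traffic under the Basic and Digest schemes. The sample headers, the user "alice" and the function name wire_exposure are constructed for this example.

```python
import base64
import re

# Constructed sample headers (not captured in the lab); every value is made up.
BASIC_HDR = "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode()
DIGEST_HDR = ('Authorization: Digest username="alice", realm="lab", '
              'nonce="dcd98b7102dd2f0e", uri="/digest/", qop=auth, nc=00000001, '
              'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"')

# key="quoted value" or key=token, as used in Digest credentials
PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def wire_exposure(header_line):
    """Return what an on-path observer learns from one Authorization header."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, rest = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic carries base64("user:password"): an encoding, not encryption.
        decoded = base64.b64decode(rest.strip()).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return {"scheme": scheme, "username": user,
                "password_on_wire": True, "password": password}
    if scheme == "digest":
        # Digest carries a hash ("response") computed from the password, the
        # server nonce and the request; the password itself is never sent.
        params = {k.lower(): quoted or token for k, quoted, token in PARAM.findall(rest)}
        return {"scheme": scheme, "username": params.get("username"),
                "password_on_wire": False, "fields": sorted(params)}
    return {"scheme": scheme, "username": None, "password_on_wire": None}

if __name__ == "__main__":
    for hdr in (BASIC_HDR, DIGEST_HDR):
        print(wire_exposure(hdr))
```

Neither scheme encrypts the page that comes back, so protecting both the credentials and the content still requires HTTPS.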

  2. ARP Poisoning Experiment [25 Marks]

Address Request Protocol (ARP) is a routing protocol for translating destination IP addresses to the MAC address of the network interface. ARP poisoning or ARP spoofing is an attack to remap the default router IP address to the attacker’s MAC address. By doing this, the attacker can force all LAN traffic to pass through his own machine. Thus, he can be the man in the middle (MITM).

Q2-1 [Lubuntu] Check the IP to MAC binding with the command arp -a. Include a screenshot in your report. What is the IP and MAC of the router and the attacker’s machine? (Hint: you can use the command route to find out the router’s IP address)

Q2-2 [Kali] Ettercap is a MITM attacking tool. Search online for tutorials of Ettercap or read [4] to learn its basic usage. Open it in Kali and conduct an ARP poisoning attack to sniff traffic from/to Victim2. Take screenshots and describe the steps you took. Note that you can choose to use either the graphical interface or the command line of Ettercap.

Q2-3 [Lubuntu] Repeat Q2-1 again. Can you see the difference in the output of arp -a? Take screenshots and explain what happened in your report.

Q2-4 On [Lubuntu], visit the two URLs in Q1. At the same time, on [Kali], use Wireshark to monitor traffic as you did in Q1. Can you see the requests and credentials sent from Victim2 (Lubuntu) on the Attacker’s machine? Include screenshots in the report.
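From the defender's side, the remapping described in this section is visible by comparing two arp -a snapshots on the victim. The Python sketch below is an added example, not part of the original lab handout; the addresses, interface name and function names are constructed for illustration and the Linux arp -a line format is assumed.

```python
import re
from collections import defaultdict

# Linux `arp -a` line: "name (IP) at MAC [ether] on iface"
ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed snapshots; all addresses are made up for illustration.
BEFORE = """\
_gateway (192.168.56.2) at 00:50:56:aa:bb:02 [ether] on ens33
? (192.168.56.130) at 00:0c:29:11:22:33 [ether] on ens33
? (192.168.56.131) at <incomplete> on ens33
"""
AFTER = """\
_gateway (192.168.56.2) at 00:0c:29:11:22:33 [ether] on ens33
? (192.168.56.130) at 00:0c:29:11:22:33 [ether] on ens33
"""

def parse_arp(text):
    """Map IP -> MAC; entries without a resolved MAC (<incomplete>) are skipped."""
    return {ip: mac.lower() for ip, mac in ENTRY.findall(text)}

def audit(before, after, gateway_ip):
    """Compare two snapshots and flag the signs of ARP cache poisoning."""
    old, new = parse_arp(before), parse_arp(after)
    # 1. An IP whose MAC binding changed between the snapshots.
    changed = {ip: (old[ip], mac) for ip, mac in new.items()
               if ip in old and old[ip] != mac}
    # 2. One MAC now answering for several IPs.
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}
    # 3. The gateway binding changed to a MAC that another host also uses.
    poisoned = gateway_ip in changed and new.get(gateway_ip) in shared
    return {"changed": changed, "shared": shared, "gateway_poisoned": poisoned}

if __name__ == "__main__":
    print(audit(BEFORE, AFTER, "192.168.56.2"))
```

A shared MAC on its own can be legitimate (proxy ARP, or one host holding several addresses), which is why the check combines it with a change in the gateway's binding.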

  3. DNS Spoofing Experiment [25 Marks]

Before getting data from a web service, we need to ask a DNS server for the IP address that corresponds to the domain name of that web service. The client will then connect to the web server via the returned IP address. DNS spoofing is an attack that sends the client a malicious IP address so that it connects to the malicious website instead of the legitimate one.

In this session, we, as the attacker, will create our own fake website and use DNS spoofing to attack Victim2. We will also examine the mechanisms to distinguish between real and fake websites.

We assume our target website is the official page of IE website: https://www.ie.cuhk.edu.hk/

[Kali] Let’s first create our fake webpage (https://www.hkbea-cyberbanking.com.) by cloning the bank webpage on the attacker’s machine.

Q3-1 [Kali] Execute the following commands (without the “$”) line by line in the terminal to set up a web server on the attacker’s machine:

    $ sudo a2enmod ssl
    $ cd /etc/apache2/sites-available
    $ sudo a2ensite 000-default
    $ sudo a2ensite default-ssl
    $ sudo service apache2 restart

Q3-2 [Kali] Clone the target webpage into our web server’s folder with the command:

    sudo wget -k 'https://www.hkbea-cyberbanking.com/ibk/auth/web/login?Lang=Eng' -O /var/www/html/index.html

Now open a browser in Kali and visit http://localhost/. You should see a clone of the cyberbanking login page. Include a screenshot in the report.

Q3-3 [Kali] Check the IP address of www.ie.cuhk.edu.hk using dig. What is its IP and the IP of the DNS server?

Q3-4 [Kali] Start Netwox and choose tool 105. Use this tool to spoof the DNS request of www.ie.cuhk.edu.hk with IP of attacker and name of authority server be ns1.ie.cuhk.edu.hk with IP of attacker. Include the command used in the report. Also include a screenshot of dig to prove the attack is successful.

Q3-5 Switch to [Lubuntu], visit www.ie.cuhk.edu.hk in the Firefox browser. You need to clear all private data stored in the browser before re-accessing the webpage. The browser should show a phishing website of the IE webpage. Include a screenshot of the webpage. State one method to prove that the webpage is not the real webpage.

Q3-6 [Kali] Switch off Netwox. Suggest one possible defense to this attack.

  4. Hacking Experiment [35 Marks]

You should operate on [Kali] to complete the task.

In this experiment, we will use different software attacking tools to perform network mapping and reconnaissance on the victim machine to determine open ports and vulnerabilities, and then break into the victim machine. The victim machine is Victim1. The attacking tools that will be used in this exercise are

  • Nmap [7][8]
  • Legion [6]
  • Metasploit [9] [10]

Refer to the URLs provided in the Reference section for detailed usage and tutorials of the above attacking tools. The software has been installed in the attacker machine.

For Nmap, you can run it by this command: “nmap”.

For Legion, you can find and run it in Kali’s menu.

For Metasploit, you can start by running “msfconsole” in the terminal. The command set and more details on the use of the Metasploit console application can be found in [11].

Tasks:

Try all means to break into Victim1’s machine (Windows 2000) from the Attacker’s machine (Kali). After successfully breaking into the victim machine, you will need to search for a secret file in its filesystem, which is named "ierg4130.txt". Please include a screenshot of how/where you find it and the secret's content.

Q4-1 [Kali] Please provide the verification code in the report.

In addition, you have to describe the steps that you took to break into the victim machine, including the exploits and payloads that you used (including those you tried but failed to hack into).

Q4-2 [Kali] Does the scanner or nmap report any vulnerabilities of the system? If so, list one of them with their CVE-IDs, descriptions, and severities.

Bonus—Buffer Overflow Attack [35 Marks]

To begin this experiment, students are required to: (You may need to understand the article in part 1 before doing it.)

I. Making shellcode:

In the folder /home/hacker/shellcode, there are three files code{0,1,3}.c.

(1) Compile the code{0,1}.c and use gdb to view their assembly codes. Compare their assembly codes. What is the assembly code(s) of “name[0] = ‘/bin/sh’;”? How long is the assembly code(s) in bytes? Please include the hex representation of this assembly code(s).

(2) Try to run code1. Can you get root privilege? Why or why not?

II. Understanding the exploit program:

In the folder /home/hacker, there is a file exp3.c which is the exploit program. There are also binaries of two potentially vulnerable programs vul{1,2} and their corresponding source code files called vul{1,2}.c. We have already granted these programs escalated root privileges even when they are executed by a normal user like you.

(1) View the content of exp3.c and locate the shellcode. Why do we need to include “setuid(0)” in the shellcode?

(2) What is the meaning of the “addr” inside the code?

(3) Explain how to exploit a vulnerable program with exp3.c. Draw the diagram of stack allocation to help explain the idea. (You may use the similar diagram in the tutorial for help.)

III. Exploiting the vulnerability:

For each potentially vulnerable program vul{1,2}, answer the following question: Is the program exploitable, i.e. gaining root access? If yes, include the commands used and a screenshot of successful exploitation in the report. If not, explain why it is not exploitable.

References

s/manual-exploitation

From: https://www.cnblogs.com/comp9021T2/p/18552293
