


















































































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The effects of climate change on agricultural productivity, focusing on extreme weather events, changing precipitation patterns, and the potential for adaptation strategies. It provides insights into the challenges farmers face in adapting to these changes and the role of scientific research in developing sustainable agricultural practices.
Typology: Lab Reports
1 / 90
This page cannot be seen from the preview
Don't miss anything!



















































































Group Number: _______________ Member Names: _________________________ _________________________ Date Assigned: October 23, 2007 Date Due: October 30, 2007 Last Edited: November 5, 2007 Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due. NOTE: The wireless lab section requires you to reserve slots to use the equipment. The signup sheets will be posted on the lab door. The equipment you need to sign up for will not be available at the last minute. PLAN AHEAD. Part 1 Viruses and Worms Goal: The goal of this lab is to come to a better understanding of viruses and worms by experimenting with them in a safe environment. Summary: In this lab we will first look at two worms, one designed as a learning tool and an actual worm that had infected computers. Then we will look at a virus. In all three cases we will actually infect our computer to see how it is done and what happens to our computer then we will completely remove the malicious program. Background and Theory: A worm is any program that propagates copies of itself via a network. They come in many varieties, from simple email worms to those that attack network services such as Code Red and SQL Slammer. We are going to analyze a simple version of the latter. This worm, dubbed the SPOC Worm (Simple Proof Of Concept) propagates itself through a buffer overflow in a network service known as “vuln_service.” This is a service created for this lab. It opens up a TCP socket on port 3333 that allows a connection and can be easily compromised. The program simply reads any data sent to it, but it uses a weak command (see question 1.6) that allows it to be overflowed. Any other network service with a buffer overflow
vulnerability can be targeted instead, but “vuln_service” is particularly easy to study due to its simplicity. The SPOC Worm first scans all LANs it is connected to and tries to connect to port 3333 (the port that “vuln_service” runs on). Upon finding any open ports, it connects, sends a special string formatted to overflow the buffer, and executes a copy of the worm. After finishing, it begins scanning random IP addresses looking for more vulnerable services. Detailed information about this worm may be found in the paper “Design and Implementation of a Research Worm.” [on class web site] In 2001, there was a worm called “AnnaKournikova” that propagated by being sent as an e-mail attachment with the subject “Here you have, ;o)” and a body of “Hi:”,”Check This!” By opening the attachment, a VBScript file ran that sent a duplicate e-mail to every entry in a Microsft Outlook Address Book. In order for this worm to run, it required a Windows platform machine with the Windows Scripting Host and Microsoft Outlook installed. This worm did not damage any files, but it clogged up many mailservers. The AnnaKournikova worm VBScript file and its unencrypted source code can be downloaded from this site: http://www.packetstormsecurity.org/viral-db/ Viruses work in a different way by infecting files but not spreading until a user moves that file to another computer. Prelab Questions: None. Lab Scenario: You will be using the RedHat WS 4 Physical Machine, RedHat7.2 Virtual Machine, and later a Windows XP virtual machine in the last part of the lab. The setup you will be implementing for section 1 is shown below: In the above diagram, 57.35.6.a corresponds to the IP of your RH WS4 Physical Machine and 57.35.6.b corresponds to the IP of one of your RH7.2 Virtual Machine. These can be checked with #ifconfig After you copy what you need from the NAS, to be safe, make sure your network cable is unplugged, this will ensure your worms do not try to infect another groups RH WS4 Physical Machine Attacker 57.35.6.a RH7.2 Virtual Machine Server 57.35.6.b
Strace is a program which will allows us to watch what each program is doing by printing each system call that the program makes. We should see a lot of stuff go by and then see it settle on a call to accept. Accept makes the program wait until it receives a connection from the network. Now run Ethereal on the RedHat WS4 Physical Machine (Attacker), and have it begin capturing packets RedHat -> Internet -> Ethereal Network Analyzer Capture-> options then start OK To get more acquainted with strace, let’s watch what happens when we use the service correctly. From the RedHat WS4 Physical Machine (Attacker) machine, type #telnet 57.35.6.b 3333 When it connects, type the string “hi”. You should see a sequence of reads and writes occurring in “vuln_service.” Disconnect the telnet session (type ‘Ctrl-]’) and then type ‘quit’ at the prompt). Now let’s use strace to analyze our worm. You have copied the executable file worm onto the RedHat WS4 Physical Machine (Attacker), again, do not compile worm.c , just run this file. (The “source code” for the worm is included in Appendix B. The paper ‘Design and Implementation of a Research Worm” found on the class web site explains the worm code development). On the RedHat WS4 Physical Machine (Attacker) type: _#cd attacker
A lot of text should now be flowing by. The worm will be executing socket, connect, and close very quickly. This is it attempting to find copies of “vuln_service” by connecting to different IP addresses. Notice how the IP address in the connect call is changing. When it hits 57.35.6.b (the address of the RedHat7.2 Virtual Machine (Server)), it should execute a sequence of sends to send the malicious code to “vuln_service”, which will overflow its buffer and begin executing the worm. When this occurs, the “vuln_service” we ran on the RedHat7.2 Virtual Machine (Server) should begin executing the same familiar socket, connect, and close sequence. You can see this in the terminal you ran “ strace ./vuln_service ” on. This means that the worm has spread to that machine and is looking for more targets. Aside: You will see lots of 127.0.0.y addresses after the server is infected. The worm asks the machine what interfaces are active and sees the loopback interface 127.0.0.1 and begins sending to that network 127.0.0.y Stop packet capture using Ethereal on the RedHat WS4 Physical Machine (Attacker). Leave ethereal running as you will need this output you collected below.
Stop both vuln_service on the RedHat.72 Virtual Machine (Server) and worm on the RedHat8.0 Physical Machine (Attacker) with CTRL-c. Q1.1: The SPOC Worm is incredibly easy to detect. What are some methods you could use to detect the presence of the worm? Q1.2: What are some ways in which the worm could be designed to bypass detection? Q1.3: What is the growth rate of this type of worm given a network with many copies of the vulnerable service running? (Give a general answer) Look at the packets captured by Ethereal. Q1.4: Devise a rule for Snort (see lab 7 for help) that will detect this worm. Add it to the rule base of Snort as done in the forensics lab. Submit the rule with the assignment. Close Ethereal. Run Snort with the new rule base on the RedHat7.2 Virtual Machine (Server). Execute the vuln_service and worm as in the first part of the lab. Q1.5: Does Snort alert you to the worm? Now that you know of the presence of the worm, what do you do if you are responsible for the server? Here is a portion of the vuln_service code (this does not match exactly what is on the machine in the lab (and in the Appnedix) since this code has been cleaned up a bit since installed on the machine: // sockfd is a socket file descriptor to a client void svcHandle(int sockfd) { char paddington[HALFK]; char userinput[BUFFER_SIZE]; if ( (dup2( sockfd, STDOUT_FILENO)) < 0 ) { perror("svcHandle: Error STDOUT_FILENO"); return; } if ( (dup2( sockfd, STDIN_FILENO)) < 0 ) { perror("svcHandle: Error STDOUT_FILENO"); return; } bzero( userinput, BUFFER_SIZE); printf( "1- Input:%s(%d)\n", userinput, strlen(userinput)); printf( "please input a 16 character string:\n"); gets( userinput); printf( "2- Input:(%d)\n", strlen(userinput));
Now run the Windows Task Manager by pressing the key combination Ctrl-Alt-Delete. Click on the Processes tab and you should see a window like in Figure 1. Figure 1. Processes outlined in Windows Task Manager. Don’t you find the fact that CPU Usage is near 100% a little strange for an idle machine? If you look at the processes listed, you will find an executable using most of the CPU resources (in the case of Figure 1, it is wscript.exe). By ending this process, you should notice, in the Performance tab, that the CPU usage should drop down to what is normally expected of an idle machine. Go ahead and run the VBScript file again, and you should notice the CPU Usage again jump back up to nearly 100%. This type of system performance anomaly is one way to detect whether a worm is trying to execute its code. Now make sure you end the worm process before you proceed further. Now let us research what files and registry entries are associated with the worm. Go to this website: http://www.ciac.org/ciac/bulletins/l-046.shtml This site contains information and the history of the AnnaKournikova worm. Notice that some of the information presented is the same as what we deduced from the source code. There are many other database sites that you can find to help research on removing various virus/worms, but we found this site to be the most useful in learning the worm’s effects. Q2.5: What is one way in which anti-virus programs detect worms and viruses? Give an example (hint: look at the source code for the AnnaKournikova script) Now let us manually remove the AnnaKournikova worm by going to the “Removal” section on the website. Basically removal of the worm requires that we kill the running
worm, remove copies of the AnnaKournikova.jpg.vbs file from the C:\WINDOWS directory we put it in, and removing the registry entry. First, let us remove the registry entry. Click on the Start button and select Run. Then type regedit to open the registry editor. Now search for the term OnTheFly since that is where the worm made its registry entry. (You should remember this fact from viewing the source code and reading the information on the website.) The registry editor should find the OnTheFly folder just like in Figure 2. Figure 2. Worm’s Registry Entry “OnTheFly” Now let us delete this entry by right-clicking on the OnTheFly folder and selecting delete. The entry should be removed. Now let us remove the AnnaKournikova.jpg.vbs file from the C:\WINDOWS directory and the Desktop folder we created. Now reboot the WindowsXP virtual machine. The worm should be ineffective now. With this exercise, it is our hope that you learn how a real world worm can operate, where it can hide, and how to remove it by consulting sources. Section 3: Viruses In this portion of the lab, we will see how a computer virus infects a file system in Linux and how a virus is spread. Please read the program Vscr2.c (you have already copied this onto your RedHat WS Physical Machine (Attacker) and also it is included in Appendix D), and try to figure out what the program achieves.
Go back to your / home/lab8 directory and run the file test_virus: #./test_virus Again go back to the directory /usr/local/include and see whether the file stdio.h is in this directory right now. Now to undo the dirty deeds we have done:
Q4.1: What major similarity is there with this worm and the AnnaKournikova worm we looked at earlier? (Hint: how does it spread?) What code clues you into this? Q4.2: How might someone protect themselves from a worm like this?
unchanged, a hacker could try the common SSIDs and connect to your network if there is no other security on the network. MAC Address Filtering MAC address filtering can be used to increase the security of your network. It works by allowing only a set list of network cards to connect based upon their known MAC address, which should be unique for every device. However, MAC address can be captured by snooping and then spoofed which will then allow an attacker to gain access. Most wireless cards now allow MAC addresses to be changed, so this is does not adequately work as a security feature either. WEP Encryption If a user activates WEP, the wireless encrypts the payload (frame body and CRC) of each 802.11 frame before transmission using an RC4 stream cipher provided by RSA Security. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. As a result, 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies. As part of the encryption process, WEP prepares a keyschedule ("seed") by concatenating the shared secret key supplied by the user of the sending station with a random-generated 24-bit initialization vector (IV). The IV lengthens the life of the secret key because the station can change the IV for each frame transmission. WEP inputs the resulting "seed" into a pseudo-random number generator that produces a keystream equal to the length of the frame's payload plus a 32-bit integrity check value (ICV). The ICV is a check sum that the receiving station eventually recalculates and compares to the one sent by the sending station to determine whether the transmitted data underwent any form of tampering while intransient. If the receiving station calculates an ICV that doesn't match the one found in the frame, then the receiving station can reject the frame or flag the user. WEP specifies a shared secret 40 or 64-bit key to encrypt and decrypt the data. Some vendors also include 128 bit keys (know as "WEP2") in their products. With WEP, the receiving station must use the same key for decryption. Each wireless card and access point, therefore, must be manually configured with the same key. Before transmission takes place, WEP combines the keystream with the payload/ICV through a bitwise XOR process, which produces ciphertext (encrypted data). WEP includes the IV in the clear (unencrypted) within the first few bytes of the frame body. The receiving station uses this IV along with the shared secret key supplied by the user of the receiving station to decrypt the payload portion of the frame body.
In most cases the sending station will use a different IV for each frame (this is not required by the 802.11 standard). When transmitting messages having a common beginning, such as the "FROM" address in an e-mail, the beginning of each encrypted payload will be equivalent when using the same key. After encrypting the data, the beginnings of these frames would be the same, offering a pattern that can aid hackers in cracking the encryption algorithm. Since the IV is different for most frames, WEP guards against this type of attack. The frequent changing of IVs also improves the ability of WEP to safeguard against someone compromising the data. WEP has been part of the 802.11 standard since initial ratification in September
Section 5: Reconnaissance on the network One reason for poor security in wireless networks has nothing to do with the technology; it is due to the operators. Most consumer wireless devices are extremely easy to setup. Many users hook up the equipment and when it works, they do not modify its settings. This leaves huge security holes. We will be exploring a network that does have some security features implemented on it. It will be your job to break into the network and snoop on what is going on inside. Step 0 – Attacker 1 & 2
Check & make sure that they are both enabled & in monitor mode before continuing. Step 2 – Attacker 2 Only
Step 5 Attacker 2 In this step we will install Aircrack-ptw, a better version of Aircrack that takes less packets to crack than the version currently on Backtrack2.
> iwconfig rausb0 essid enc mode managed > dhcpcd rausb