(Lab Report and Survey Due by 11:45pm on 11/22/08)
Attacks on TCP/IP protocols
This lab gives students the chance to gain first-hand experience with vulnerabilities in TCP/IP protocols, along with attacks against these vulnerabilities. Students can learn the common patterns of vulnerabilities so that they can avoid making similar mistakes in the future. What's more, by using vulnerabilities as case studies, students can gain a better understanding of secure design, secure programming, etc.
There is a special category of vulnerabilities in TCP/IP protocol designs and implementations. Studying these weaknesses can help students better understand the challenges of network security and the reasons why so many security methods are necessary and important. TCP/IP protocols have vulnerabilities at different layers. Students will need to conduct attacks on TCP/IP protocols on a Linux system for this lab.
In this lab, you need to conduct attacks on TCP/IP protocols. You can use Netwox tools and/or other tools in your attacks. To simplify the "guessing" of TCP sequence numbers and source port numbers, we assume that attackers are on the same physical network as the victims. Therefore, you can use sniffers to get that information. The following is the list of attacks that need to be implemented.
1. ARP cache poisoning: change the target host's ARP cache.
2. ICMP Redirect Attack: change the target host's routing table using ICMP redirect message.
3. Attacks on TCP
4. ICMP attacks against TCP
5. TCP Initial Sequence Numbers (ISN) and window size (Use Nmap or Wireshark)
6. TCP source ports
7. Port scanning using Nmap: understand the techniques used by Nmap. Try at least 5 techniques on a target machine, and report your observations.
8. OS Fingerprinting: use Nmap to fingerprint Linux and Windows (if you also use Windows); report your observations.
It should be noted that some vulnerabilities have already been fixed in Linux, so some of the attacks above will fail. You should draw a table in the report to indicate whether each attack is successful or not.
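Whether or not an ARP cache poisoning attempt succeeds, the observer machine can tell that one is being tried: the poisoned IP address starts appearing in ARP replies with a MAC address that differs from the one seen earlier, and it usually flip-flops as the real host's own replies compete with the forged ones. The following script is an added example, not part of this lab handout or of the Syracuse materials it is based on. It implements that arpwatch-style bookkeeping over sniffed ARP replies. The capture lines are constructed for the example and follow the tcpdump "ARP, Reply A is-at M" output format (an assumption; adjust the regex if your sniffer prints replies differently), and the addresses are invented.

```python
import re
from collections import defaultdict

# Matches tcpdump-style ARP reply lines such as
# "10:00:00.000100 ARP, Reply 10.0.2.1 is-at 52:54:00:12:34:01, length 28"
# (format assumed; requests and non-ARP lines will simply not match).
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+(?:\.\d+){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed capture (not taken from the lab VMs). 10.0.2.1 is the gateway;
# from 10:00:30 a second MAC starts claiming it and the two MACs alternate,
# which is what a poisoning run looks like to a third host on the segment.
SAMPLE_CAPTURE = """\
10:00:00.000100 ARP, Reply 10.0.2.1 is-at 52:54:00:12:34:01, length 28
10:00:05.000200 ARP, Reply 10.0.2.15 is-at 52:54:00:12:34:15, length 28
10:00:10.000300 ARP, Reply 10.0.2.1 is-at 52:54:00:12:34:01, length 28
10:00:30.000400 ARP, Reply 10.0.2.1 is-at 52:54:00:ab:cd:ef, length 28
10:00:31.000500 ARP, Reply 10.0.2.1 is-at 52:54:00:12:34:01, length 28
10:00:32.000600 ARP, Reply 10.0.2.1 is-at 52:54:00:ab:cd:ef, length 28
10:00:33.000700 ARP, Request who-has 10.0.2.1 tell 10.0.2.15, length 28
"""


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_mac_changes(replies):
    """Remember the first MAC seen for each IP and report every reply in which
    that IP claims a different MAC (the same check arpwatch performs)."""
    known = {}
    alerts = []
    for ts, ip, mac in replies:
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": known[ip], "new_mac": mac})
            known[ip] = mac  # track the latest claim so flip-flops keep alerting
    return alerts


def flapping_ips(alerts, threshold=2):
    """IPs whose MAC changed at least `threshold` times. One change can be a
    legitimate NIC replacement; repeated alternation is the poisoning signature."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def analyze_capture(text):
    """Full pipeline: parse, diff against the first-seen table, rank suspects."""
    replies = parse_arp_replies(text)
    alerts = detect_mac_changes(replies)
    return {"replies": len(replies), "alerts": alerts, "suspect_ips": flapping_ips(alerts)}


if __name__ == "__main__":
    result = analyze_capture(SAMPLE_CAPTURE)
    for a in result["alerts"]:
        print(f"{a['time']} {a['ip']} changed {a['old_mac']} -> {a['new_mac']}")
    print("suspect IPs:", result["suspect_ips"])
```

On the "Fedora9Lab_monitor" VM this is the kind of record you would keep next to the before/after dump of the victim's ARP cache when filling in the success/failure table: the alerts show the forged replies arriving even in a run where the victim's cache was not changed.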
1. You will need to reserve a machine in VCL (http://vcl.ncsu.edu/). How to make a reservation: How to Create a New Reservation
Make a new reservation using the latest version of the "CSC_474_lab_1" image. You will need to have an X server running on your local computer and use an ssh client to connect to the system. Detailed instructions on how to connect to VCL with graphics support can be found at how to connect vcl
2. Once successfully reserved, start VMware by typing "vmware" in your ssh client.
3. You will see three virtual machines, all with Fedora 9: "Fedora9Lab_host", "Fedora9Lab_victim", and "Fedora9Lab_monitor". You should use "Fedora9Lab_host" as the attacker machine, "Fedora9Lab_victim" as the attack target, and "Fedora9Lab_monitor" as an observer that can see the effects of the attack.
To log in, use the following usernames and passwords:
"Fedora9Lab_host": username: host password: host
"Fedora9Lab_victim": username: victim password: victim
"Fedora9Lab_monitor": username: monitor password: monitor
The "Fedora9Lab_victim" VM provides an HTTP service and a MySQL service. You can see the webpage by typing its IP address in any web browser.
It should display "It works!". The victim machine also provides a forum at http://ip address/phpBB2
Some tools may need to be run with admin privileges. The root password is "jinkai" for each VM.
4. Use netwag or netwox as your attacking tools.
5. Useful links.
Netwox/Netwag Guides, by Sridhar Iyer.
ICMP attacks against TCP, by Gont, F.
Slipping in the Window: TCP Reset attacks, by Paul A. Watson.
Strange Attractors and TCP/IP Sequence Number Analysis by Zalewski.
Remote OS detection via TCP/IP Stack FingerPrinting by Fyodor, 1998.
6. Some commands you might want to use:
You should submit a lab report. The report should cover the following sections:
1. Design: The design of your attacks, including attacking strategies, packets that you use in your attacks, tools that you used, etc.
2. Observation: Is your attack successful? How do you know whether it is successful or not? What do you expect to see? What do you actually observe? Do some analysis.
3. Explanation: Some of the attacks might fail. If so, you need to find out the reason. You can give explanations based on your experiments (preferred) or from the Internet. If your explanation is from the Internet, you are expected to verify it through your experiments.
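For the ISN item in the attack list, the analysis part of the Observation section is the interesting one: a sequence of initial sequence numbers collected with Wireshark (or reported by Nmap) is only a weakness if the next one can be guessed from the previous ones. The script below is an added example, not part of this lab handout or of the Syracuse materials it draws on; it replays the simplest guessing model (next ISN = last ISN + the typical increment seen so far, the model that breaks the fixed-increment generators discussed in Zalewski's paper) over a sample and reports how often that guess lands close. The two sample sequences are constructed, one from a constant 64000 increment and one from a seeded PRNG standing in for a random generator; neither was captured from the lab VMs. This is deliberately cruder than Nmap's own sequence-prediction difficulty rating, so treat its verdict as a sanity check on what Nmap reports, not as a replacement.

```python
import random
import statistics

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Increments between consecutive ISNs, wrapped modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def circular_distance(a, b):
    """Shortest distance between two sequence numbers on the 32-bit ring."""
    d = (a - b) % MOD
    return min(d, MOD - d)


def predictability_score(isns, tolerance=1 << 16):
    """Replay the guessing game: for each ISN after the third, guess it as
    'previous ISN + median of the increments seen so far' and count guesses
    that land within `tolerance`. 1.0 means every ISN was guessable this way;
    near 0 means a constant-increment model cannot track the generator."""
    hits = trials = 0
    for i in range(3, len(isns)):
        history = isns[:i]  # only what a guesser would have seen before sample i
        typical = int(statistics.median(isn_deltas(history)))
        guess = (history[-1] + typical) % MOD
        trials += 1
        if circular_distance(isns[i], guess) <= tolerance:
            hits += 1
    return hits / trials if trials else 0.0


def classify(score):
    """Turn the score into the wording to put in the report table."""
    if score >= 0.9:
        return "predictable (fixed or near-fixed increment)"
    if score >= 0.1:
        return "partially predictable"
    return "not predictable by a constant-increment model"


# Constructed samples (not captured from the lab VMs).
CONSTRUCTED_LINEAR = [(123456 + 64000 * i) % MOD for i in range(24)]
_rng = random.Random(2008)
CONSTRUCTED_RANDOM = [_rng.getrandbits(32) for _ in range(24)]


def summarize(isns):
    """Everything the Observation section would want for one sample set."""
    deltas = isn_deltas(isns)
    score = predictability_score(isns)
    return {
        "samples": len(isns),
        "min_delta": min(deltas),
        "max_delta": max(deltas),
        "score": score,
        "verdict": classify(score),
    }


if __name__ == "__main__":
    for name, data in (("linear", CONSTRUCTED_LINEAR), ("random", CONSTRUCTED_RANDOM)):
        s = summarize(data)
        print(f"{name}: score={s['score']:.2f} "
              f"deltas {s['min_delta']}..{s['max_delta']} -> {s['verdict']}")
```

To use it on real observations, replace the constructed lists with the ISNs read from the SYN-ACK packets in your capture, in connection order; a large spread between min_delta and max_delta together with a low score is what a patched Linux stack is expected to show, which is also why the sequence-number-guessing variants of the TCP attacks in this lab tend to fail there.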
You need to download this file and answer the questions. You need to upload your answers to the submission site. Your survey answers will be properly anonymized by the TA before reaching the instructor.
This lab includes materials provided by Dr. Wenliang Du (Syracuse University) and Mr. Jinkai Gao (Syracuse University).