$30
Intro to Computer Security Project 3: Network Security
Introduction
This project will introduce you to common network protocols, the basics behind analyzing network
traces from both offensive and defensive perspectives, and several local network attacks.
Objectives
• Gain exposure to core network protocols and concepts.
• Understand offensive techniques used to attack local network traffic.
• Learn to apply manual and automated traffic analysis to detect security problems.
Read this First
This project asks you to perform attacks, with our permission, against a target network that we are
providing for this purpose. Attempting the same kinds of attacks against other networks without
authorization is prohibited by law and university policies and may result in fines, expulsion, and
jail time. You must not attack any network without authorization! There are also severe legal
consequences for unauthorized interception of network data under the Electronic Communications
Privacy Act and other statutes. Per the course ethics policy, you are required to respect the privacy
and property rights of others at all times, or else you will fail the course. See “Ethics, Law, and
University Policies” on the course website.
Part 1. Exploring Network Traces
Security analysts and attackers both frequently study network traffic to search for vulnerabilities
and to characterize network behavior. In this section, you will examine a packet trace from a
sample network we set up for this assignment. You will search for specific vulnerable behaviors
and extract relevant details using the Wireshark network analyzer (http://www.wireshark.org).
Download the network trace at https://www.eecs.umich.edu/courses/eecs388/static/proj2-1.pcap
and examine it using Wireshark. Provide concise answers to the following questions. Each response should require at most 2–3 sentences.
1. Multiple hosts sent packets on the local network. What are their MAC and IP addresses?
2. What type of network does this appear to be (e.g., a large corporation, an ISP backbone,
etc.)? Point to evidence from the trace that supports this.
3. One of the clients connects to an FTP server during the trace.
(a) What is the DNS hostname of the server it connects to?
(b) Is the connection using Active or Passive FTP?
(c) Based on the packet capture, what’s one major vulnerability of the FTP protocol?
(d) Name at least two network protocols that can be used in place of FTP to provide secure
file transfer.
4. The trace shows that at least one of the clients makes HTTPS connections to sites other than
Facebook. Pick one of these connections and answer the following:
(a) What is the domain name of the site the client is connecting to?
(b) Is there any way the HTTPS server can protect against the leak of information in (a)?
(c) During the TLS handshake, the client provides a list of supported cipher suites. List
the cipher suites and name the crypto algorithms used for each.
(d) Are any of these cipher suites worrisome from a security or privacy perspective? Why?
(e) What cipher suite does the server choose for the connection?
5. One of the clients makes a number of requests to Facebook.
(a) Even though logins are processed over HTTPS, what is insecure about the way the
browser is authenticated to Facebook?
(b) How would this let an attacker impersonate the user on Facebook?
(c) How can users protect themselves against this type of attack?
(d) What did the user do while on the Facebook site?
What to submit Submit a text file named pcap.txt containing your answers.
2
Part 2. Network Attacks
In this part of the project, you will experiment with network attacks by cracking the password for
a WEP-encrypted WiFi network, decrypting an HTTPS connection, and recovering a simulated
victim’s username and password.
In the atrium of the Beyster building, there is WiFi network named eecs388 that is protected with
WEP, a common but insecure crypto protocol. We’ve created this network specifically for you
to attack, and you have permission to do so. There is also a client wirelessly connected to this
network that makes a connection to a password-protected HTTPS server every few seconds. Your
goal is to find the client’s password and log in to this website.
The tools and techniques you use are up to you, but here are some suggestions to get you started:
1. First, you will need to crack the WEP encryption key for the network. There are many
online tutorials and automated tools available to help you perform this task. We recommend
installing Kali Linux (available from http://www.kali.org) and using Aircrack-ng (https://
www.aircrack-ng.org/). If your hardware doesn’t work with Aircrack, we can loan you an
external network adapter.
The WEP cracking process usually involves generating network traffic to speed up the collection of data. For this project, we’ve made sure that there’s sufficient traffic on the network
for data collection. When following an Aircrack tutorial, please skip any steps that involve
generating traffic.
2. Once you’ve cracked the WEP key, join the network and examine the traffic. We recommend
using Kali and Wireshark. Determine the IP addresses of the client and server, and carefully
investigate any services running on these machines. Nmap (http://nmap.org) is a powerful
tool for probing remote hosts.
3. In order to discover the client’s password, you’ll need to decrypt the HTTPS traffic. Wireshark can do this for TLS connections that don’t use forward secrecy, if you can provide the
server’s private key. You may also want read up on the HTTP Basic Authentication method,
which is specified in RFC 2617.
What to submit Submit a text file named attack.txt that contains the following: (1) the WEP
key for the network; (2) the client and server IP addresses; (3) a list of the network services running
on each machine; (4) the username and password for the HTTPS site the client loads; (5) the secret
contents of the website the client is loading; (6) a paragraph describing the steps and the tools you
used to carry out the attacks; (7) the maximum number of years in jail that you could face under
18 USC § 2511 for intercepting traffic on an encrypted WiFi network without permission.
3
Part 3. Anomaly Detection
In Part 1, you manually explored a network trace. Now, you will programmatically analyze trace
data to detect suspicious behavior. Specifically, you will be attempting to identify port scanning.
Port scanning is a technique used to find network hosts that have services listening on one or more
target ports. It can be used offensively to locate vulnerable systems in preparation for an attack, or
defensively for research or network administration. In one port scan technique, known as a SYN
scan, the scanner sends TCP SYN packets (the first packet in the TCP handshake) and watches for
hosts that respond with SYN+ACK packets (the second handshake step).
Since most hosts are not prepared to receive connections on any given port, typically, during a port
scan, a much smaller number of hosts will respond with SYN+ACK packets than originally received
SYN packets. By observing this effect in a packet trace, you can identify source addresses that may
be attempting a port scan.
Your task is to develop a Python program that analyzes a PCAP file in order to detect possible
SYN scans. You should use a library for packet manipulation and dissection: either dpkt or
scapy. Both are available in most package repositories. You can find more information about
dpkt at https://code.google.com/p/dpkt/ and view documentation by running pydoc dpkt, pydoc
dpkt.ip, etc.; there’s also a helpful tutorial here: http://jon.oberheide.org/blog/2008/10/15/dpkttutorial-2-parsing-a-pcap-file/. To learn about scapy, visit http://www.secdev.org/projects/scapy/.
Your program will take one argument, the name of the PCAP file to be analyzed, e.g.:
python2.7 detector.py capture.pcap
The output should be the set of IP addresses (one per line) that sent more than 3 times as many
SYN packets as the number of SYN+ACK packets they received. Your program should silently ignore
packets that are malformed or that are not using Ethernet, IP, and TCP.
A sample PCAP file captured from a real network can be downloaded at ftp://ftp.bro-ids.org/
enterprise-traces/hdr-traces05/lbl-internal.20041004-1305.port002.dump.anon. (You can examine
the packets manually by opening this file in Wireshark.) For this input, your program’s output
should be these lines, in any order:
128.3.23.2
128.3.23.5
128.3.23.117
128.3.23.158
128.3.164.248
128.3.164.249
What to submit Submit a Python program that accomplishes the task specified above, as a file
named detector.py. You should assume that dpkt 1.8 and scapy 2.2 are available, and you may
use standard Python system libraries, but your program should otherwise be self-contained. We
will grade your detector using a variety of different PCAP files.
4
Submission Checklist
Upload to CTools a gzipped tarball (.tar.gz) named project3.uniqname1.uniqname2.tar.gz.
The tarball should contain only the files below:
Part 1: Exploring Network Traces
pcap.txt A plain text file containing your answers to the questions in Part 1.
Part 2: Network Attacks
attack.txt A plain text file with the contents specified in Part 2.
Part 3: Anomaly Detection
detector.py Your Python program for SYN scan detection.
5