Assignment 4: Network Security (Group Assignment)
Introduction

This project will introduce you to common network protocols, to network packet trace analysis, and to the basics of network penetration testing. This is a group assignment and must be done in groups of 2 or 3 only.

Objectives
Read this First

This project asks you to perform attacks, with our permission, against a target network that we are providing for this purpose. Attempting the same kinds of attacks against other networks without authorization is prohibited by law and university policies. You must not attack any network without authorization! Per course policy, you are required to respect the privacy and property rights of others at all times. See “Rights, Rules, and Responsibilities” on the Princeton University website for more details. This includes refraining from observing the work of other groups if it is visible on shared networks or machines.

Additionally, please understand and honor the specific actions that are OUT OF SCOPE for Part 3 of the assignment at the end of that section.

Getting Started
Please follow the instructions below to set up a virtual environment with the pre-installed tools needed for this project. Once the setup is complete and you are able to log into the virtual machine, download the assignment files to the virtual machine and proceed to the following parts. You will answer questions in the text files found in that starter zip archive.
Virtual Machine Instructions for x86 Users

Follow the VM instructions to set up the Virtual Machine environment needed for this project.

Virtual Machine Instructions for Apple Silicon Users

ARM-based Apple Silicon products (e.g., an iMac or MacBook Pro with an M1 chip) are unfortunately not supported by VirtualBox. If you are using one of these devices, we have prepared an alternate ARM-based Ubuntu VM for this assignment. Follow the instructions below to get set up:

  1. Download the COS432 UTM Student VM. Note that this file is quite large (~3 GB), and may take a while to finish downloading.
  2. Unarchive cos432-student-utm-vm.tar.gz by double-clicking it in the Finder, or run tar -xzvf Downloads/cos432-student-vm.tar.gz. You should now have a file called cos432-student.utm in your Downloads folder.
  3. Download UTM v2.4.1 for Mac from this web page.
  4. Run the UTM application.
  5. Select File -> Import Virtual Machine..., then select cos432-student.utm in your file browser.
  6. It should appear on the left side of the UTM application. Click it, and click the large "Play" button to start the VM.
  7. Select the "COS432 Student" user and log in with password student.
  8. You should be logged in now, and can use the VM like you would a regular Linux desktop.
Part 1. Exploring Network Traces

Security analysts and attackers both frequently study network traffic to search for vulnerabilities and to characterize network behavior. In this section, you will examine a network packet trace (commonly called a “pcap”, for “packet capture”) that we recorded on a sample network we set up for this assignment. You will search for specific vulnerable behaviors and extract relevant details using the Wireshark network analyzer, which is available in the provided VM image, or at https://www.wireshark.org.

Examine the part1.pcap file from the zip file that you downloaded. Familiarize yourself with Wireshark’s features. Try exploring the various options for filtering and for reconstructing data streams.

Concisely answer the questions below. Each response should require at most two to three sentences. Use the provided part1.txt file.

  1. There are no more than five devices actively communicating on the local area network. What are their MAC and IP addresses? Who manufactured these devices?

  2. What type of network does this appear to be (e.g., a large corporation, an ISP backbone, etc.)? Point to evidence from the trace that supports this.

  3. One of the clients connects to an FTP server during the trace.

    1. What is the DNS hostname of the server it connects to?

    2. Is the connection using Active or Passive FTP?

    3. Based on the packet capture, what is one major vulnerability of the FTP protocol?

    4. Name at least two network protocols that can be used in place of FTP to provide secure file transfer. Use the associated acronyms.

  4. The trace shows that at least one of the clients makes HTTPS connections to sites other than Facebook. Pick one of these connections and answer the following:

    1. What is the domain name of the site the client is connecting to?

    2. Is there any way the HTTPS server can protect against the leak of information in (a)? If yes, explain why. If no, explain why not.

    3. During the TLS handshake, the client provides a list of supported cipher suites. List the first three cipher suites and name the cryptographic algorithms used in each.

    4. Are any of these cipher suites worrisome from a security or privacy perspective? Why?

    5. What cipher suite does the server choose for the connection?

  5. One of the clients makes a number of requests to Facebook.

    1. Even though logins are processed over HTTPS, what is insecure about the way the browser is authenticated to Facebook?

    2. How would this let an attacker impersonate the user on Facebook?

    3. How can users protect themselves against this type of attack?

    4. What did the user do while on the Facebook site?

Part 2. Anomaly Detection

In Part 1, you manually explored a network trace. Now, you will programmatically analyze a pcap file to detect suspicious behavior. Specifically, you will be attempting to identify port scanning.

Port scanning is a technique used to find network hosts that have services listening on one or more target ports. It can be used offensively to locate vulnerable systems in preparation for an attack, or defensively for research or network administration. In one kind of port scan technique, known as a SYN scan, the scanner sends TCP SYN packets (the first packet in the TCP handshake) and watches for hosts that respond with SYN+ACK packets (the second handshake step). Since most hosts are not prepared to receive connections on any given port, typically, during a port scan, a much smaller number of hosts will respond with SYN+ACK packets than originally received SYN packets. By observing this effect in a packet trace, you can identify source addresses that may be attempting a port scan.

Your task is to develop a Python program that analyzes a pcap file in order to detect possible SYN scans. To do this, you will use dpkt, a library for packet manipulation and dissection. It is available in most package repositories. You can find more information about dpkt at https://github.com/~kbandla/dpkt and view documentation by running pydoc dpkt, pydoc dpkt.ip, etc. There is also a helpful tutorial here: https://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2-parsing-a-pcap-file

Your program will take the path of the pcap file to be analyzed as a command-line parameter, e.g.:

python detector.py capture.pcap

The output should be the set of IP addresses (one per line) that sent more than three times as many SYN packets as the number of SYN+ACK packets they received. Your program should silently ignore packets that are malformed or that are not using Ethernet, IP, and TCP.

A large (~350MB) sample pcap file captured from a real network is included in the starter zip as part2.pcap.

You can examine the packets manually by opening this file in Wireshark. For this input, your program’s output should be these lines, in any order:

128.3.23.2
128.3.23.5
128.3.23.117
128.3.23.158
128.3.164.248
128.3.164.249

Although the above instructions are for a Python program, you are welcome to use any programming language of your choice. Simply make a private Ed Discussions post if your group is planning to use a different programming language and wait for a confirmation from the AIs (we'd like to make sure we're equipped to evaluate and grade your code). In this post, please also specify the library you plan on using. Kindly note that support might be limited for languages other than Python.
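As an added illustration of the counting rule described above (not part of the assignment handout, and not a dpkt program), the following self-contained script parses a classic little-endian pcap with the standard library's struct module instead of dpkt, tallies SYN packets sent and SYN+ACK packets received per IP address, and reports every address whose SYN count exceeds three times its SYN+ACK count. Frames that are not Ethernet/IPv4/TCP, non-first IP fragments, and truncated records are silently skipped. The packets it analyzes when run without an argument are constructed in memory for demonstration; the host and IP addresses in them are made up. The function and constant names are the example's own choices.

```python
import struct
import sys
from collections import defaultdict

# pcap global header: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")
PCAP_REC_HDR = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond and nanosecond little-endian files
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TH_SYN = 0x02
TH_ACK = 0x10


def iter_frames(data):
    """Yield raw link-layer frames from a little-endian pcap byte string (Ethernet only)."""
    if len(data) < PCAP_GLOBAL_HDR.size:
        return
    magic, *_rest, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic not in PCAP_MAGICS or linktype != LINKTYPE_ETHERNET:
        return
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        _sec, _usec, incl_len, _orig_len = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            return  # truncated record at end of file: stop silently
        off += incl_len
        yield frame


def parse_tcp(frame):
    """Return (src_ip, dst_ip, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl or ip[9] != IPPROTO_TCP:
        return None
    if struct.unpack_from("!H", ip, 6)[0] & 0x1FFF:
        return None  # non-first fragment: no TCP header present
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, tcp[13]  # byte 13 of the TCP header holds the flag bits


def detect_syn_scanners(data, ratio=3):
    """Return IPs that sent more than `ratio` times as many SYNs as SYN+ACKs they received."""
    syn_sent = defaultdict(int)
    synack_recv = defaultdict(int)
    for frame in iter_frames(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue  # malformed or not Ethernet/IPv4/TCP: ignore
        src, dst, flags = parsed
        if flags & TH_SYN and not flags & TH_ACK:
            syn_sent[src] += 1
        elif flags & TH_SYN and flags & TH_ACK:
            synack_recv[dst] += 1
    suspects = [ip for ip in syn_sent if syn_sent[ip] > ratio * synack_recv[ip]]
    return sorted(suspects, key=lambda ip: tuple(int(p) for p in ip.split(".")))


def build_frame(src, dst, flags):
    """Constructed Ethernet/IPv4/TCP frame with the given flags (demo data, not a real capture)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    src_b = bytes(int(p) for p in src.split("."))
    dst_b = bytes(int(p) for p in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0, src_b, dst_b)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap constructed frames in a little-endian pcap file image."""
    out = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += PCAP_REC_HDR.pack(i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: 10.0.0.9 probes six hosts and only one answers (flagged);
# 10.0.0.20 completes both of its handshakes; 10.0.0.30 sits exactly at the 3:1 boundary (not flagged).
SAMPLE_FRAMES = (
    [build_frame("10.0.0.9", f"10.0.0.{n}", TH_SYN) for n in range(1, 7)]
    + [build_frame("10.0.0.1", "10.0.0.9", TH_SYN | TH_ACK)]
    + [build_frame("10.0.0.20", f"10.0.0.{n}", TH_SYN) for n in (1, 2)]
    + [build_frame(f"10.0.0.{n}", "10.0.0.20", TH_SYN | TH_ACK) for n in (1, 2)]
    + [build_frame("10.0.0.30", f"10.0.0.{n}", TH_SYN) for n in (1, 2, 3)]
    + [build_frame("10.0.0.1", "10.0.0.30", TH_SYN | TH_ACK)]
    + [bytes(12) + struct.pack("!H", 0x0806) + bytes(28), b"\x00" * 5]  # ARP frame, junk frame
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:  # whole file in memory; fine for a few hundred MB
            data = fh.read()
    else:
        data = SAMPLE_PCAP
    for ip in detect_syn_scanners(data):
        print(ip)
```

Run it with a pcap path to analyze that file, or with no argument to run over the constructed sample, which prints only 10.0.0.9. The boundary host 10.0.0.30 shows why the rule is "more than three times" rather than "at least": three SYNs against one SYN+ACK is not flagged.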

Part 3. Penetration Testing

The fictional company SketchyCorp has contracted with COS 432 to provide penetration testing services to it. Each project team will conduct a thorough penetration test of the company's networks and exposed systems.

SketchyCorp recently set up a remote office for its employees to work in. SketchyCorp is concerned that its remote office may be more vulnerable than its headquarters since it uses a wireless network to provide access to its remote employees.

Your objective is to test the security of SketchyCorp’s networks and systems. In this engagement you will be authorized to break into SketchyCorp’s systems and explore any vulnerabilities you find, subject to the Rules of Engagement below. As in a real-world penetration test, you will be expected to use your ingenuity and technical skills to discover clues and techniques for meeting your objectives.

SketchyCorp employees connect to the wireless network using WPA2-PSK security. From there, they can access the SketchyCorp firewall, which allows company employees to log in and gain access to the company mainframe.

The investigators believe the infrastructure works as shown in Figure 1.

Figure 1: Infrastructure overview of SketchyCorp.

We have sent investigators to the remote office to attempt to capture WiFi traffic. However, they have been foiled by the WPA2-PSK security used by the WiFi network. They have managed to obtain a capture of the WiFi authentication handshake, which can be found as part3.pcap in the zip file. They have also managed to determine that the password is of the form either cos432-XYZ or COS432-XYZ, where X, Y, Z are alphanumeric characters [a-z, A-Z, 0-9]. Provide them with the WiFi password at https://www.sketchycorpwifi.net/netsec and they will provide you with your next lead.

Concisely answer the questions below. Each response should require at most two to three sentences. Use the provided part3.txt file.

  1. How many possible Wi-Fi passwords are there that fulfill the password format?

  2. What is the actual Wi-Fi password used? How did you obtain that password?

  3. There are three machines in the network, namely the employee, the firewall, and the mainframe.

    1. What are their IP addresses, respectively? (If a machine has multiple interfaces, report all IP addresses.) How did you get these addresses?

    2. What services are currently running on these machines respectively? On which port is each service running? How did you obtain this information?

  4. List all of the clients of the company. Briefly explain how you gained access to this client list.

  5. There are unencrypted and encrypted conversations between Alice and Bob.

    1. What does the unencrypted conversation say? Please paste it here and briefly describe how you found and obtained the content.

    2. (extra credit) Can you decrypt the encrypted messages? If so, what does the plaintext say? Describe how you determined the plaintext contents of the encrypted messages.

There will be certain systems and networks that are in scope for this project. Everything else should be considered out of scope. If you have any questions about what is in or out of scope for this project, get clarification from one of the course AIs before you act.

Things that are in scope:

Here are a few guidelines to avoid going OUT OF SCOPE during this project:


A note about cheating: There may be backdoors you discover along the way. DO NOT SHARE THEM. If you have questions about whether you may use a particular backdoor, post a private question on Ed Discussions before using it.

Submission Checklist