Network Security Lab

Due: Friday, June 5, 2015 at 5:00pm (Note: corrected from June 6 -- Friday is the intended deadline.)

Before you start

Please work in groups of 2 or 3. Fill out the catalyst survey with the netids of the members in your group. Only one survey entry per group.

Introduction

This project will introduce you to common network protocols, the basics behind analyzing network traces from both offensive and defensive perspectives, and several local network attacks.

Objectives

Read This First

Part 3 for this project (extra credit) asks you to perform attacks, with our permission, against a target network that we are providing for this purpose. Attempting the same kinds of attacks against other networks without authorization is prohibited by law and university policies and may result in fines, expulsion, and jail time. You must not attack any network without authorization! There are also severe legal consequences for unauthorized interception of network data under the Electronic Communications Privacy Act and other statutes. Per the course ethics policy, you are required to respect the privacy and property rights of others at all times, or else you will fail the course.

Part 1. Exploring Network Traces

Security analysts and attackers both frequently study network traffic to search for vulnerabilities and to characterize network behavior. In this section, you will examine a packet trace from a sample network we set up for this assignment. You will search for specific vulnerable behaviors and extract relevant details using the Wireshark network analyzer.

Download the network trace here and examine it using Wireshark. Provide concise answers to the following questions. Each response should require at most 2–3 sentences.
  1. Multiple hosts sent packets on the local network. What are their MAC and IP addresses?
  2. What type of network does this appear to be (e.g., a large corporation, an ISP backbone, etc.)? Point to evidence from the trace that supports this.
  3. One of the clients connects to an FTP server during the trace
    1. What is the DNS hostname of the server it connects to?
    2. Is the connection using Active or Passive FTP?
    3. Based on the packet capture, what’s one major vulnerability of the FTP protocol?
    4. Name at least two network protocols that can be used in place of FTP to provide secure file transfer.
  4. The trace shows that at least one of the clients makes HTTPS connections to sites other than Facebook. Pick one of these connections and answer the following:
    1. What is the domain name of the site the client is connecting to?
    2. Is there any way the HTTPS server can protect against the leak of information in (a)?
    3. During the TLS handshake, the client provides a list of supported cipher suites. List three of the cipher suites and name the crypto algorithms used for each.
    4. Are any of these cipher suites worrisome from a security or privacy perspective? Why?
    5. What cipher suite does the server choose for the connection?
  5. One of the clients makes a number of requests to Facebook
    1. Even though logins are processed over HTTPS, what is insecure about the way the browser is authenticated to Facebook?
    2. How would this let an attacker impersonate the user on Facebook?
    3. How can users protect themselves against this type of attack?
    4. What did the user do while on the Facebook site?

What to submit

Submit a text file named pcap.txt containing your answers.

Part 2. Anomaly Detection

In Part 1, you manually explored a network trace. Now, you will programmatically analyze trace data to detect suspicious behavior. Specifically, you will be attempting to identity port scanning.

Port scanning is a technique used to find network hosts that have services listening on one or more target ports. It can be used offensively to locate vulnerable systems in preparation for an attack, or defensively for research or network administration. In one port scan technique, known as a SYN scan, the scanner sends TCP SYN packets (the first packet in the TCP handshake) and watches for hosts that respond with SYN+ACK packets (the second handshake step).

Since most hosts are not prepared to receive connections on any given port, typically, during a port scan, a much smaller number of hosts will respond with SYN+ACK packets than originally received SYN packets. By observing this effect in a packet trace, you can identify source addresses that may be attempting a port scan.

Your task is to develop a Python program that analyzes a PCAP file in order to detect possible SYN scans. You should use a library for packet manipulation and dissection: either dpkt or scapy. Both are available in most package repositories. You can find more information about dpkt here and view documentation by running pydoc dpkt,pydoc,dpkt.ip, etc.; there’s also a helpful tutorial here. To learn about scapy, visit here.

Your program will take one argument, the name of the PCAP file to be analyzed, e.g.:

python2.7 detector.py capture.pcap

The output should be the set of IP addresses (one per line) that sent more than 3 times as many SYN packets as the number of SYN+ACK packets they received. Your program should silently ignore packets that are malformed or that are not using Ethernet, IP, and TCP.

A sample PCAP file captured from a real network can be downloaded here. (You can examine the packets manually by opening this file in Wireshark.) For this input, your program’s output should be these lines, in any order:

128.3.23.2
128.3.23.5
128.3.23.117
128.3.23.158
128.3.164.248
128.3.164.249

Update - Scapy

NOTE: scapy is slower than dpkt. It takes about 15 min to run on the large pcap file with a decent desktop.

Scapy has trouble reading in large files using the rdpcap function. To get around this please do the following:

We have modified the source so that it can read in large pcaps without causing a memory explosion. This can be downloaded here. To install from source, untar the file and run the following in the scapy source directory:

python2.7 setup.py install

Once installed use rdpcap_generator instead of rdpcap. This function is similar to rdpcap except for two differences. It takes a second argument that is the number of packets it will read in at a time. Also, instead of returning an iterator over all the packets (like rdpcap), rdpcap_generator iterates over lists the of packets (of size specified in the second argument).

Here is a normal usage for rdpcap:

pcap_iter = rdpacp(pcap_path)
for p in pcap_iter:
    # Do something to the packet p


Here is the same usage with rdpcap_generator:

pcap_list_iter = rdpcap_generator(pcap_path, 25000)
for pcap_l in pcap_list_iter:
    for p in pcap_l:
        # Do something to the packet p

What to submit

Submit a Python program that accomplishes the task specified above, as a file named detector.py. You should assume that dpkt 1.8 and scapy 2.3 are available, and you may use standard Python system libraries, but your program should otherwise be self-contained. We will grade your detector using a variety of different PCAP files.

Part 3. Network Attacks (Extra Credit)

In this part of the project, you will experiment with network attacks by cracking the password for a WEP-encrypted WiFi network, analyzing web traffic, and recovering a simulated victim’s username and password.

In CSE room 003D, there is WiFi network named cse484 that is protected with WEP, a common but insecure crypto protocol. We’ve created this network specifically for you to attack, and you have permission to do so. There is also a client wirelessly connected to this network that makes a connection to a password-protected HTTP server every few seconds. Your goal is to find the client’s password and log in to this website.

You should have card-key access to the room (CSE 003D). Let the TAs know if you do not.

The tools and techniques you use are up to you, but here are some suggestions to get you started:
  1. First, you will need to crack the WEP encryption key for the network. There are many online tutorials and automated tools available to help you perform this task. We recommend installing Kali Linux in a Virtual Machine (with VirtualBox) and using Aircrack-Ng. For a good introduction to aircrack go to here. Many built in wireless cards in laptops will not work with aircrack (especially those in Macs). To solve this, we have provided you with USB wireless cards that you can use. These are in CSE 003D in a red cup. You are free to use them as long as you are in the room, but please don't remove them from 003D. If you are using a virtual machine then you need to add the USB wireless device under the virtual machines settings.

    The WEP cracking process usually involves generating network traffic to speed up the collection of data. For this project, we’ve made sure that there’s sufficient traffic on the network for data collection. When following an Aircrack tutorial, please skip any steps that involve generating traffic.

  2. Once you’ve cracked the WEP key, join the network and examine the traffic. Determine the IP addresses of the client and server, and carefully investigate any services running on these machines. If you are not seeing all of the traffic after joining the network then you may want to try a different wireless card because only some of them can listen to traffic promiscuously. Nmap is a powerful tool for probing remote hosts.

  3. In order to discover the client’s password, you’ll need to analyze the web traffic. You may want read up on the HTTP Basic Authentication method, which is specified in RFC 2617.

What to submit

Submit a text file named attack.txt that contains the following: (1) the WEP key for the network; (2) the client and server IP addresses; (3) a list of the network services running on each machine; (4) the username and password for the HTTP site the client loads; (5) a paragraph describing the steps and the tools you used to carry out the attacks; (7) the maximum number of years in jail that you could face under 18 USC § 2511 for intercepting traffic on an encrypted WiFi network without permission.

Submission Checklist

Upload to Catalyst a gzipped tarball (.tar.gz) named lab3.tar.gz

This tarball should contain the following:
  1. Part 1: Exploring Network Traces

  2. pcap.txt - A plain text file containing your answers to the questions in Part 1.

  3. Part 2: Anomaly Detection

  4. detector.py - Your Python program for SYN scan detection.

  5. Part 3: Network Attacks - ONLY if you did the extra credit

  6. attack.txt - A plain text file with the contents specified in Part 3.

Credits

This project was designed and created by Alex Halderman for the University of Michigan Introduction Computer Security Course. Thanks Alex!