Network Security Lab
Due: Friday, June 5, 2015 at 5:00pm (Note: corrected from June 6 -- Friday is the intended deadline.)
Before you start
Please work in groups of 2 or 3.
Fill out the catalyst survey with the netids of the members
in your group. Only one survey entry per group.
This project will introduce you to common network protocols, the basics behind analyzing network
traces from both offensive and defensive perspectives, and several local network attacks.
- Gain exposure to core network protocols and concepts.
- Learn to apply manual and automated traffic analysis to detect security problems.
- Understand offensive techniques used to attack local network traffic.
Read This First
Part 3 for this project (extra credit) asks you to perform attacks, with our permission, against a target network that we are
providing for this purpose. Attempting the same kinds of attacks against other networks without
authorization is prohibited by law and university policies and may result in
fines, expulsion, and jail time.
You must not attack any network without authorization!
There are also severe legal
consequences for unauthorized interception of network data under the Electronic Communications
Privacy Act and other statutes. Per the course ethics policy, you are required to respect the privacy
and property rights of others at all times,
or else you will fail the course.
Part 1. Exploring Network Traces
Security analysts and attackers both frequently study network traffic to search for vulnerabilities
and to characterize network behavior. In this section, you will examine a packet trace from a
sample network we set up for this assignment. You will search for specific vulnerable behaviors
and extract relevant details using the Wireshark network analyzer.
Download the network trace here
and examine it using Wireshark. Provide concise answers to the following questions. Each response
should require at most 2–3 sentences.
- Multiple hosts sent packets on the local network. What are their MAC and IP addresses?
- What type of network does this appear to be (e.g., a large corporation, an ISP backbone,
etc.)? Point to evidence from the trace that supports this.
- One of the clients connects to an FTP server during the trace
- What is the DNS hostname of the server it connects to?
- Is the connection using Active or Passive FTP?
- Based on the packet capture, what’s one major vulnerability of the FTP protocol?
- Name at least two network protocols that can be used in place of FTP to provide secure
- The trace shows that at least one of the clients makes HTTPS connections to sites other than
Facebook. Pick one of these connections and answer the following:
- What is the domain name of the site the client is connecting to?
- Is there any way the HTTPS server can protect against the leak of information in (a)?
- During the TLS handshake, the client provides a list of supported cipher suites. List three of the cipher suites and name the crypto algorithms used for each.
- Are any of these cipher suites worrisome from a security or privacy perspective? Why?
- What cipher suite does the server choose for the connection?
- One of the clients makes a number of requests to Facebook
- Even though logins are processed over HTTPS, what is insecure about the way the
browser is authenticated to Facebook?
- How would this let an attacker impersonate the user on Facebook?
- How can users protect themselves against this type of attack?
- What did the user do while on the Facebook site?
What to submit
Submit a text file named pcap.txt containing your answers.
Part 2. Anomaly Detection
In Part 1, you manually explored a network trace. Now, you will programmatically analyze trace
data to detect suspicious behavior. Specifically, you will be attempting to identity port scanning.
Port scanning is a technique used to find network hosts that have services listening on one or more
target ports. It can be used offensively to locate vulnerable systems in preparation for an attack, or
defensively for research or network administration. In one port scan technique, known as a
SYN scan, the scanner sends TCP SYN packets (the first packet in the TCP handshake) and watches for
hosts that respond with SYN+ACK packets (the second handshake step).
Since most hosts are not prepared to receive connections on any given port, typically, during a port
scan, a much smaller number of hosts will respond with SYN+ACK packets than originally received
SYN packets. By observing this effect in a packet trace, you can identify source addresses that may
be attempting a port scan.
Your task is to develop a Python program that analyzes a PCAP file in order to detect possible
SYN scans. You should use a library for packet manipulation and dissection: either
dpkt or scapy. Both are available in most package repositories. You can find more information about
dpkt here and view documentation by running pydoc dpkt,pydoc,dpkt.ip, etc.;
there’s also a helpful tutorial here.
To learn about scapy, visit here.
Your program will take one argument, the name of the PCAP file to be analyzed, e.g.:
python2.7 detector.py capture.pcap
The output should be the set of IP addresses (one per line) that sent more than 3 times as many
SYN packets as the number of SYN+ACK packets they received. Your program should silently ignore
packets that are malformed or that are not using Ethernet, IP, and TCP.
A sample PCAP file captured from a real network can be downloaded
(You can examine the packets manually by opening this file in Wireshark.) For this input, your program’s output
should be these lines, in any order:
Update - Scapy
NOTE: scapy is slower than dpkt. It takes about 15 min to run on the large pcap file with a decent desktop.
Scapy has trouble reading in large files using the rdpcap function. To get around this please do the following:
We have modified the source so that it can read in large pcaps without causing a memory explosion.
This can be downloaded here. To install from source, untar the file
and run the following in the scapy source directory:
python2.7 setup.py install
Once installed use
rdpcap_generator instead of
rdpcap. This function is similar to rdpcap
except for two differences. It takes a second argument that is the number of packets it will read in at a time. Also,
instead of returning an iterator over all the packets (like rdpcap), rdpcap_generator iterates over lists the
of packets (of size specified in the second argument).
Here is a normal usage for rdpcap:
pcap_iter = rdpacp(pcap_path)
for p in pcap_iter:
# Do something to the packet p
Here is the same usage with rdpcap_generator:
pcap_list_iter = rdpcap_generator(pcap_path, 25000)
for pcap_l in pcap_list_iter:
for p in pcap_l:
# Do something to the packet p
What to submit
Submit a Python program that accomplishes the task specified above, as a file named detector.py.
You should assume that dpkt 1.8 and scapy 2.3 are available, and you may
use standard Python system libraries, but your program should otherwise be self-contained. We
will grade your detector using a variety of different PCAP files.
Part 3. Network Attacks (Extra Credit)
In this part of the project, you will experiment with network attacks by cracking the password for
a WEP-encrypted WiFi network, analyzing web traffic, and recovering a simulated
victim’s username and password.
In CSE room 003D, there is WiFi network named cse484 that is protected with
WEP, a common but insecure crypto protocol. We’ve created this network specifically for you
to attack, and you have permission to do so. There is also a client wirelessly connected to this
network that makes a connection to a password-protected HTTP server every few seconds. Your
goal is to find the client’s password and log in to this website.
You should have card-key access to the room (CSE 003D). Let the TAs know if you do not.
The tools and techniques you use are up to you, but here are some suggestions to get you started:
- First, you will need to crack the WEP encryption key for the network. There are many
online tutorials and automated tools available to help you perform this task. We recommend
installing Kali Linux in a Virtual Machine (with VirtualBox) and
using Aircrack-Ng. For a good introduction to aircrack go to here.
Many built in wireless cards in laptops will not work
with aircrack (especially those in Macs). To solve this, we have provided you with USB wireless cards that you can use. These
are in CSE 003D in a red cup. You are free to use them as long as you are in the room, but please don't remove them
from 003D. If you are using a virtual machine then you need to add the USB wireless device under the virtual machines settings.
The WEP cracking process usually involves generating network traffic to speed up the collection
of data. For this project, we’ve made sure that there’s sufficient traffic on the network
for data collection. When following an Aircrack tutorial, please skip any steps that involve
- Once you’ve cracked the WEP key, join the network and examine the traffic.
Determine the IP addresses of the client and server, and carefully
investigate any services running on these machines. If you are not seeing all of the traffic
after joining the network then you may want to try a different wireless card because only some
of them can listen to traffic promiscuously. Nmap is a powerful
tool for probing remote hosts.
- In order to discover the client’s password, you’ll need to analyze the web traffic.
You may want read up on the HTTP Basic Authentication method,
which is specified in RFC 2617.
What to submit
Submit a text file named attack.txt that contains the following: (1) the WEP
key for the network; (2) the client and server IP addresses; (3) a list of the network services running
on each machine; (4) the username and password for the HTTP site the client loads;
(5) a paragraph describing the steps and the tools you
used to carry out the attacks; (7) the maximum number of years in jail that you could face under
18 USC § 2511 for intercepting traffic on an encrypted WiFi network without permission.
Upload to Catalyst a gzipped tarball (.tar.gz) named lab3.tar.gz
This tarball should contain the following:
- Part 1: Exploring Network Traces
pcap.txt - A plain text file containing your answers to the questions in Part 1.
- Part 2: Anomaly Detection
detector.py - Your Python program for SYN scan detection.
- Part 3: Network Attacks - ONLY if you did the extra credit
attack.txt - A plain text file with the contents specified in Part 3.
This project was designed and created by Alex Halderman for the University of Michigan Introduction
Computer Security Course. Thanks Alex!