(Due at the beginning of class on 10/9/07)
This problem set will be graded out of 50 points. It counts for 8% of your final grade.
Please include any scripts that you write while completing this assignment.
Please submit your reports on port scanning, enumeration and vulnerability scanning for your two machines – the Linux machine and the Windows server. Questions 1, 2 and 3 are to be done in teams - the same team as for Problem Set 2. Questions 4 and 5 are to be done individually.
1) Port scanning
A port scan is a series of packets sent to a range of ports to determine open ports on the target host. If the port is open, further tests can be made to find out weaknesses that could be exploited. A port scanner is a program that does the scanning automatically given a port range and a hostname / IP address of the target.
a) One of the most widely used programs is NMAP, which is already installed on your Linux machine. Try to determine the operating system of your Windows machine and construct the list of all open ports. For each 'well-known' port, specify what service could be provided at that port. [4]
b) Install Ethereal on your Windows server, and use it to capture the packets sent by your port scanner. What types of packets do you observe? What packets come in response from the target host? [4]
(You may get an error while installing the latest version of Ethereal; alternatively, you can download an older version from http://www.ccs.neu.edu/course/csg254/local/ethereal/ethereal-setup-0.10.14.exe . Ignore TCP port 3389, because RDC uses this port.)
c) Download and install NMAP (http://insecure.org/nmap/download.html) on your Windows server. Try to determine the operating system of your Linux machine and construct the list of all open ports. [2]
d) Explain what a ‘SYN scan’ is and why it is used instead of trying to establish a TCP connection on each port scanned. [3]
2) Enumeration
Enumeration is a technique used to identify which services are available on the target host. If a vulnerable service (or vulnerable version of a service) is found on the target host, known exploits can be used for an attack.
a) Use Netcat (Linux command-line tool also known as nc) for service enumeration of the Windows machine. If during scanning you saw any http or telnet services on the target, you can use Netcat for banner grabbing. Banner grabbing is used to remotely connect to the target host to obtain platform-specific information (e.g. what operating system an http or telnet server runs on) and configurations of the service (e.g. version number). Create a summary of all that you have found out about the available services. [7]
3) Vulnerability Scanners
There already exist a number of so-called all-in-one vulnerability scanners that will perform port scanning, enumeration, banner grabbing and even known attacks for you.
a) One of the most popular and powerful vulnerability scanners is called Nessus. Perform the scan of both your target machines. [2]
Run
> /usr/sbin/nessus-mkcert
Then create a new user:
> /usr/sbin/nessus-adduser
And start the Nessus daemon and client:
> /usr/sbin/nessusd -D
> /usr/bin/nessus
b) Summarize the information you have found. Also, describe how Nessus works and what tools are available (plug-ins, up-to-date database of vulnerabilities, possibility of creating a custom tool for Nessus). [5]
c) Describe how Nessus or another vulnerability scanner can be used by a system/network administrator. Explain how it can also be used by a malicious user. [3]
4) Viruses and worms
a) What is a telescope used for? [2]
b) What is backscatter? Why is it generated, and how can it be detected? [2]
c) What are honey pots used for? [2]
d) Prove that it is impossible to create a universal virus-catching program. [4]
5) Worms
Consider the RCS model presented in “How to own the Internet in your spare time” by Staniford, Paxson and Weaver. In this model a represents the proportion of infected computers as a fraction of the total number of vulnerable computers, K represents the number of vulnerable computers each infected computer finds per hour, and T fixes the time position of the spread. The model generates the differential equation da/dt = Ka(1-a), which has the solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
a. Consider a worm which obeys the RCS model, with the property that it attacks at the beginning of each month but then switches off after a week. It is observed from empirical data that in the very first attack K=3/hr. It is believed that in the period leading up to the second attack 40% of the vulnerable computers were patched. What is the expected value of K for the second attack? [3]
b. Prove that in the RCS model, for all x, a(T + x) + a(T - x) = 1. [4]
c. Describe what happened to the Internet on the night of Jan 25, 2003. [3]