Project 4: Network Security
Deadline: Thursday, December 5 by 11:59PM.
Before you start, review the course syllabus for the Lateness, Collaboration, and Ethical Use policies.
You may optionally work alone, or in teams of at most two and submit one project per team. If you have difficulties forming a team, post on Piazza’s Search for Teammates forum. Note that the final exam will cover project material, so you and your partner should collaborate on each part.
The code and other answers your group submits must be entirely your own work, and you are bound by the University’s Student Code. You may consult with other students about the conceptualization of the project and the meaning of the questions, but you may not look at any part of someone else’s solution or collaborate with anyone outside your group. You may consult published references, provided that you appropriately cite them (e.g., in your code comments). Don't risk your grade and degree by cheating!
Complete your work in the CS 4440 VM—we will use this same environment for grading. You may not use any external dependencies. Use only default Python 3 libraries and/or modules we provide you.
Helpful Resources
- The CS 4440 Course Wiki
- VM Setup and Troubleshooting
- Terminal Cheat Sheet
- Python 3 Cheat Sheet
- Wireshark Tutorial
- Scapy Cheat Sheet
Introduction
In this project, you will get hands-on experience with real-world network attacks and defenses. You will take on the role of a network security consultant who is helping a company secure their enterprise network. Your job will be to automatically find and characterize anomalous network activity, as well as the feasibility for an attacker to intercept sensitive information from the network. You will write small programs to analyze a set of simple network packet traces, which we will provide you.
Objectives
- Gain exposure to fundamental network protocols and their data specifications.
- Learn to apply manual and automated traffic analysis to detect security problems.
- Understand offensive techniques used to intercept information from network traffic.
Start by reading this!
Before you begin, please carefully read through the following sections for important setup information and guidelines about this project.
Packet Capture Traces
To help you develop your solutions, we provide a set of network packet captures (.pcap files) for you to experiment with. Note that we will use a different set of capture files to grade your solutions.
- Inside your VM, launch a terminal (accessible in the VM via an icon in the bottom-left of your screen).
- Within the terimal, download the assignment .pcap archive via the following command:
$ wget http://cs4440.eng.utah.edu/files/project4/pcaps.tar.gz. - Then, use the command
$ tar -xf pcaps.tar.gzto extract the assignment files. You should see apcaps/directory which contains the packet capture files.
Attack Template
To help you get started, we provide a skeleton template (proj4.py) for you to implement your solutions. You may extend the code as you wish, but do not remove or modify any of the code already there!
#!/usr/bin/python3
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import re
def parsePacket(packet):
if not packet.haslayer("TCP"): return
# ----------------------------------------
# TODO: finish implementing parsePacket()!
# ----------------------------------------
return
if __name__ == "__main__":
for packet in rdpcap(sys.argv[1]):
parsePacket(packet)
Your code will utilize Python 3’s Scapy library, which should come pre-installed in your VM. In case Scapy is not installed, just run $ pip3 install scapy in your VM's terminal.
Packet Analysis with Wireshark
In constructing your solutions, we recommend that you first perform manual packet inspection via the graphical packet analyzer Wireshark. To access Wireshark in your VM, follow these instructions:
- Inside your VM, launch the interactive menu (accessible via the bottom-left-most icon). Navigate to the Internet tab, and select Wireshark.
- Once Wireshark has launched, click on File and then Open. Select your
pcapfile of choice. - After the trace is loaded, double-click on any packet to inspect it. You can explore the fields and information contained in each of the packet's layers, beginning with the link-layer frame and ending with its app-layer application protocol (if applicable for the packet).
After using Wireshark to first identify what fields are relevant within a packet, you should then move onto constructing your Scapy-based packet inspection scripts.
Part 1: Detecting Network Attacks
Attackers study network traffic to characterize its behavior and identify weaknesses that may be exploited. In this section, you will assume the role of a network security specialist working for The University of Wossamotta (colloquially known as "Wossamotta U")—a large university whose network is constantly subject to attempted intrusions. Using your CS 4440 knowledge, you will write small programs to programmatically examine network packet traces (pcaps) for signs of attacks.
Password Cracking (14pts)
You observe that Wossamotta U’s world-renown faculty rely on pretty antiquated means of uploading files such as student grades—namely, FTP (“File Transfer Protocol”). You recently heard a rumor that a disgruntled student may be trying a brute-force password cracking attack to find their professor’s password and alter their grade records. Can you catch such an attacker in the act?
Your task: write a Python 3 program (detect0.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- IP addresses responsible for a non-zero number of FTP login requests.
- The number of FTP login requests for the aforementioned IP addresses.
- The number of failed FTP logins for the aforementioned IP addresses.
To help you test your attack, we provide the following sample packet traces: crack0.pcap and crack1.pcap.
For these traces, your program’s output is expected to match the following:
$ python3 detect0.py crack0.pcap
IP:192.168.56.1, REQS:30, FAILS:30
$ python3 detect0.py crack1.pcap
IP:61.219.70.91, REQS:6, FAILS:5
payload = bytes(packet["TCP"].payload).decode('utf-8','replace').
Port Scanning (14pts)
Like most universities, Wossamotta U’s network is often targeted by nation-state hackers. You suspect that hackers from The Republic of Krakozhia are performing port scanning: a technique used to find network hosts that have services listening on one or more target ports. Port scanning is used offensively to locate vulnerable systems in preparation for an attack.
Many firewalls employ heuristics to flag suspicious incoming packets. To evade such defenses, port scanners will often alter their generated TCP packets to introduce more entropy: NULL scans disable all TCP flags; FIN scans enable only the FIN flag; and XMAS scans enable FIN, PSH, and URG flags—"lighting up" the packet like a Christmas tree!
Your task: write a Python 3 program (detect1.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- IP addresses performing a NULL scan, and the number of total occurrences.
- IP addresses performing a FIN scan, and the number of total occurrences.
- IP addresses performing a XMAS scan, and the number of total occurrences.
On the provided sample (scan0.pcap), your program’s output should match the following:
$ python3 detect1.py scan0.pcap
NULLScan, IP:192.168.47.171, COUNT:1030
FINScan, IP:192.168.47.171, COUNT:1084
XMASScan, IP:192.168.47.132, COUNT:1121
packet["TCP"].flags.
Anomalous Activity (21pts)
In one kind of port scan technique against TCP known as a SYN scan, the scanner sends SYN packets (recall from lecture that this is the first packet of the three-way TCP handshake), and watches for hosts that respond with SYN-ACK packets (the second handshake step). Since most hosts are not prepared to receive connections on any given port, typically, during a port scan, a much smaller number of hosts will respond with SYN-ACK packets than originally received SYN packets. By recognizing this behavior in a packet trace, you can identify suspicious IP addresses that may be attempting a port scan.
Your task: write a Python 3 program (detect2.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- IP addresses that issued more than 3 times as many
SYNpackets as the number ofSYN-ACKpackets they received. For any IPs that received zeroSYN-ACKpackets, report them only if they issued more than threeSYNpackets (i.e., the minimum ratio ofSYNtoSYN-ACKmust be 4 : 0). - The number of
SYNpackets that the aforementioned IPs sent. - The number of
SYN-ACKpackets they received.
On the provided sample (scan1.pcap), your program’s output should match the following:
$ python3 detect2.py scan1.pcap
IP:128.3.23.5, SYN:16, SYNACK:1
IP:128.3.23.117, SYN:21, SYNACK:3
IP:128.3.23.158, SYN:14, SYNACK:2
IP:128.3.23.2, SYN:6, SYNACK:0
What to Submit:
detect#.py. You should assume Python 3 library scapy is available, and you may use standard Python system libraries, but your program should otherwise be self-contained. We will grade your attacks using a variety of different pcap traces. The order of printing does not matter (e.g., it's fine if your detect2.py prints IP:128.3.23.2 ... before IP:128.3.23.117 ...).
Part 2: Spying on Network Traffic
After a successful career of thwarting network attacks against Wossamotta U, you decide to join a network penetration testing startup. In your new role, you are tasked with performing simulated attacks against your company’s clients. Specifically, you will develop software to programmatically analyze clients’ network packet traces for sensitive information that may be valuable to attackers.
Plaintext Credentials (14pts)
A common security weakness is when sensitive information is transmitted in plain-text (unencrypted) form. Using your expert CS 4440 knowledge, you realize that attackers could easily mine information from intercepted network traffic such as FTP and IMAP connections. Can you beat them to it to warn your clients in advance of such an attack?
Your task: write a Python 3 program (attack0.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- Any plaintext usernames and passwords transmitted over FTP.
- Any plaintext usernames and passwords transmitted over IMAP.
On the provided samples (ftp.pcap and imap.pcap), your program’s output should match:
$ python3 attack0.py ftp.pcap
FTP, USERNAME:csanders, PASSWORD:echo
$ python3 attack0.py imap.pcap
IMAP, USERNAME:bhodgyalo59, PASSWORD:rangzen
Encoded Credentials (15pts)
Some of your clients insist that HTTP v1.0 is secure as-is, and that its base64-encoded credentials are safe from attackers’ prying eyes. As a network security expert, you know that this is just not true, and set out to show them that such credentials are easily recoverable.
Your task: write a Python 3 program (attack1.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- Any decoded credentials transmitted via HTTP’s basic access authentication.
On the provided sample (http.pcap), your program’s output should match the following:
$ python3 attack1.py http.pcap
USERNAME:brodgers, PASSWORD:TheyPlayedWithGreatCharacter
USERNAME:dmoyes, PASSWORD:IAmAFootballGenius
USERNAME:aoursler, PASSWORD:Id10tExpert
b64decode() function from the base64 library.
Accessed URLs (22pts)
Another piece of information potentially valuable to attackers is the network’s web traffic. You aim to demonstrate that HTTP URLs can be extracted with relatively little effort.
Your task: write a Python 3 program (attack2.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- Any HTTP URLs (i.e., the full path and resource) accessed by users of the network.
On the provided sample (url0.pcap), your program’s output should match the following:
$ python3 attack2.py url0.pcap
URL:www.ethereal.com/download.html
URL:pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633
URL:icanhascheezburger.files.wordpress.com/2009/06/funny-pictures-kitten-says-hello.jpg
We provide several other example traces (url1.pcap and url2.pcap) which you can use to test your code. However, we will not provide their expected outputs—you should inspect these manually (i.e., using Wireshark) to pinpoint any edge-case URLs representations!
Extra Credit: Transferred Files (20pts)
As a final proof-of-concept, you aim to demonstrate how an attacker may recover files transferred over FTP. Your program will need to piece-together the file from intercepted packets.
Your task: write a Python 3 program (attack3.py) that takes the path of the pcap file to be analyzed as its single command-line parameter, and returns the following information:
- Any files transferred over FTP, saving them to the current directory.
On the provided sample (ftp.pcap), your program’s output should match the following:
$ python3 attack3.py ftp.pcap
Generated file "music.mp3"
We will verify the correctness of your extracted files based on file name and MD5 digest. The MD5 digest for file music.mp3 from trace ftp.pcap should match the following:
$ openssl dgst -md5 music.mp3
6418993b0bbac01502611ce3c76c5994
We will test your solution code with a variety of FTP packet captures different from the one above. You can—and are encouraged to—find additional pcap traces on the web to thoroughly test your code.
What to Submit:
attack#.py. You should assume Python 3 library scapy is available, and you may use standard Python system libraries, but your program should otherwise be self-contained. We will grade your attacks using a variety of different pcap traces. The order of printing does not matter (e.g., it's fine if your attack2.py prints URL:www.ethereal... before URL:icanhascheez...).
Submission Instructions
Upload to Canvas a tarball (.tar.gz) named project4.uid1.uid2.tar.gz, replacing your team's UIDs accordingly (if working alone, provide only your UID once). Each UID must be in u####### format. Your tarball must contain only the files listed below. These will be autograded, so make sure that your solutions conform to the expected filenames, formatting, and behaviors.
Failure to follow assignment instructions (e.g., submitting a corrupted tarball; wrong, missing, or broken code; improper formatting; etc.) will be ineligible for regrades. External dependencies are prohibited. You may use only default Python 3 libraries and/or modules we provide you. Your solutions must work as-is in the CS 4440 VM. Make sure to thoroughly test your code before submitting!
Generate the tarball in your VM terminal using this command (be sure to first cd to the directory that contains your files):
tar -zcf project4.uid1.uid2.tar.gz detect[012].py attack[0123].py