
VERSION 0.93 (2011-11-06)

Grenoble INP Ensimag

5MMSSI

INFORMATION SECURITY - PRACTICAL ASSESSMENT - TP4 - NETWORK SECURITY

GRENOBLE INP ENSIMAG - http://www.ensimag.fr

COMPUTER SCIENCE, 3RD YEAR, SIF-LOAD - 1ST SEMESTER, 2011

Lecturers: Fabien Duchene - Karim Hossen, firstname.lastname [ at ] imag.fr

NOTE: Practical assessment regarding the course we had on Thu. 3rd, November 2011 and regarding chapter 4 (network security), https://ensiwiki.ensimag.fr/index.php/5MMSSI. It is due for Wednesday 16th, November 2011, 11:59pm.

This practical assessment will let you practice network security (in the broad sense).

Goals:

• understand the importance of routing nodes, and why SSL and DNSSEC were created

• be aware of how identity federation is important when corporations are working together

• discover the impact of password policies

• understand the difference between MAC and DAC access controls

IMPORTANT NOTES

Deliverables: for that assessment, you will submit SEVERAL deliverables:

• your report (.txt / .pdf) (accepted languages: french FR-FR or english EN-UK / EN-US)

• (may be inside your report): how you would rate that assessment:

– how many (efficient) hours did you spend on that assessment?

– what you enjoyed?

– what you did not enjoy?

– what was easy? ... hard? in which way?

– any suggestion?

• the following files, related to the exercises:

– generate_password.source: the source code, in the language of your choice, of a password generation program following the rules mentioned in the exercises

All the exercises have similar weight in the grading, so please work on ALL OF THEM.

Each time you use a command related to a tool:


• write the command

• and the most relevant part of the output

... in your report!

In case of an error, or a question, please send an email to your teachers and write the question at http://saf.li/a75au

1. (Bonus question): According to the STRIDE vulnerability impact nomenclature, what is the severity of the recent vulnerability in TrueType font parsing on Windows NT5+ (thus XP, 2003, Vista, 2008, 7, 2008 R2)? (also provide a link where you found that information)

1 Firewall and DNS

1.1 Basics in virtual machine with floppyfw and virtualbox

For old computers, or even for increasing fault tolerance, it is sometimes useful to have a diskless firewall, such as floppyfw ( http://www.zelow.no/floppyfw/ ) or Devil Linux ( http://www.devil-linux.org ). They rely on a minimal Linux distribution that can be stored on a USB stick, a CD-ROM, or even a floppy disk. For that exercise, we will rely on floppyfw, which only requires 12MB of RAM, and which is stored on a virtual floppy!

2. Configure an instance of floppyfw using the instructions provided at http://saf.li/b75aM (since the webpage contains a lot of screenshots, it might be a bit long to load).

(a) “PART 0: configure a virtual host network” [provide a screenshot of YOUR work]

(b) “PART 2: create a new virtual machine”. [provide a screenshot of YOUR work]

For the virtual floppy disk, you will use http://saf.li/675ao

(c) Download and import the TP4-ubuntu-webserver virtual machine from http://car-online.fr/en/files/5MMSSI/ and perform the “PART 3.2: configure ubuntu server connectivity”

(d) Start all the virtual machines. “PART 4: verify network connectivity” [provide a screenshot of YOUR work]


3. Reflection on virtual networks

(a) During part 0, you configured a virtual host network. What is it? [use your own words!]

(b) During part 2, you configured 2 types of network interfaces: Bridged and Host-Only. What are the differences? [use your own words!]

4. Security management principles. Have a look at https://www.owasp.org/index.php/Category:Principle. To which security principle does each of the following statements refer?

(a) floppyfw seems to have very few services running

(b) By default, all traffic going from the DMZ to the internal network is rejected

(c) Among that list, you can see two principles that we saw during chapter 2 “risk and security management” and during the section “security management principles”. Name them and briefly describe them [use your own words!]

1.2 Topology discovery

5. Basic services discovery. From your hypervisor host, perform an aggressive nmap scan on each of the 3 interfaces of the floppyfw router/firewall (see chapter 4.3.1, slide “firewall location”, to understand the topology)

(a) “eth1: LAN” 192.168.57.2 (FF LAN IP). Which interesting services can you notice? Log on using that service ( root / ensimag ) [provide a screenshot of YOUR work]. Use the following command options, since the host key changes each time the virtual machine is rebooted:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@ip

(b) “eth0: WAN” (FF WAN IP): IP to be determined after having logged on to the floppyfw firewall [provide a screenshot of YOUR work]

Remark: FF WAN IP and the hypervisor's (= your computer's) HV WAN IP will be on the same subnet. For instance, my home router gave floppyfw the IP 192.168.0.19 and my hypervisor's wireless interface the IP 192.168.0.17.


6. Network diagram. Draw a network diagram showing the interface addresses of the floppyfw virtual machine, the ubuntu virtual machine and your computer host / hypervisor. The nodes will be:

• hypervisor-host (=your computer) (HV WAN IP)

• floppyfw (FF WAN IP and FF LAN IP)

• ubuntu-web-server (UB LAN IP)

Also specify the virtual network names:

• virtualboxnet1

• WAN network

To help you, here is the result of ifconfig on the ubuntu web server:

1.3 Basics in firewall

7. Firewall and DMZ: definitions

(a) Read the slides of chapter 4 (esp. the section “Firewall”). Explain what a 2nd generation firewall is (ie one that is able to perform “stateful packet inspection”) [use your own words!]. This is the kind of firewall that we will be manipulating here (more precisely, we will rely on “iptables”).

(b) Explain what a DMZ is [use your own words!]

(c) On the slide numbered 31, 2 types of DMZ topologies are shown. Which kind do we use here?

REMARK: for a simplified floppyfw configuration, the ubuntu-webserver is not located in the DMZ but in the INTERNAL NETWORK. Thus we will not USE the DMZ afterwards. However, keep in mind that a corporation would put exposed servers within a DMZ.

8. (command to be run on floppyfw). During the nmap scan, you discovered some services on some interfaces of the floppyfw VM. However, when listing the sockets on which services are listening,

netstat -atn
netstat -aun

we can notice that the remote command service is listening on more interfaces than we are actually able to connect to. What is your explanation? hint: run the following command:

iptables -L


9. D-NAT

(a) What is D-NAT? Which security property does it try to ensure regarding the internal network topology?

(b) When you have a look at http://saf.li/b75aM , section “PART 1: configure the floppyfw OS”, what can you tell regarding the port forwarding? ie if a client tries to connect to eth0 ip:80, to which ip:port will a D-NAT be performed? hint: have a look at the section “PART 1: configure the floppyfw OS”, D-NAT.

(c) Verify this by performing from your hypervisor: [provide a screenshot of YOUR work]

telnet FF_WAN_IP 80
GET whateveryouwant

(d) Draw again the same network diagram as in the Network diagram question, and show a packet going from HV WAN IP:?? (hypervisor host) to FF WAN IP:80; also show how it is modified when going to the virtual network virtualboxnet1. That packet has to include: SOURCE PORT, SOURCE IP, DEST PORT, DEST IP

(e) From your browser, load the following URL: http://FF_WAN_ip:80/ and enter your ensimag login within the text field. [provide a screenshot of YOUR work]. The screenshot has to include the URL of the webpage, your ensimag login and the whole images.


1.4 Identity spoofing thanks to DNS and routing control

10. DNS reply spoofing

(a) Briefly recall the purpose of the DNS protocol and to what extent it is used when you load a webpage [use your own words!]

(b) Log on to the ubuntu-webserver:

ssh ensimag@192.168.57.100    # password: ensimag

and have a look at the DNS resolver: [provide a screenshot of YOUR work]

cat /etc/resolv.conf

Which host is it?

(c) That host (the one you found with the previous command) performs DNS resolution using dnsmasq as a DNS forwarder. It resolves DNS names in the following order:

• /etc/hosts (actually that file is polled every 5 minutes)

• DNS forwarder configured in /etc/resolv.conf

Log on to that host and show the content of those files [provide YOUR command and its execution result]
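Added example (not part of the assessment's materials, nor of dnsmasq itself): the Python below models the lookup order just described, /etc/hosts first and then the forwarders listed in /etc/resolv.conf, and adds the audit check a defender would run on such a forwarder host: flagging hosts-file entries that pin a public-looking name to an address, since on the forwarder those silently override the real DNS answer for every client. The sample files, the addresses and the stubbed upstream lookup are constructed for the example.

```python
# Constructed sample files (not the ones on the floppyfw virtual machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.57.2    floppyfw fw.lab.local
192.168.57.100  ubuntu-webserver
203.0.113.5     www.example.com     # an external name pinned locally
"""

SAMPLE_RESOLV_CONF = """\
# forwarders used by dnsmasq for anything not found in /etc/hosts
nameserver 192.168.0.1
search lab.local
"""


def parse_hosts(text):
    """Map each hostname to the first address listed for it, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def parse_resolv_conf(text):
    """Return the nameserver addresses in the order they are listed."""
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def resolve(name, hosts, forwarders, upstream_lookup):
    """dnsmasq-style order: answer from /etc/hosts first, otherwise ask each
    forwarder in turn.  `upstream_lookup(server, name)` stands in for the
    network query (a stub here) and returns an address or None."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "/etc/hosts"
    for server in forwarders:
        answer = upstream_lookup(server, name)
        if answer:
            return answer, f"forwarder {server}"
    return None, "NXDOMAIN"


def audit_hosts_overrides(hosts, local_suffixes=(".local",), local_names=("localhost",)):
    """Flag hosts-file entries that pin a dotted, public-looking name to an
    address; on a forwarder these override the answer clients would get from DNS."""
    flagged = {}
    for name, addr in hosts.items():
        if name in local_names or any(name.endswith(s) for s in local_suffixes):
            continue
        if "." in name:
            flagged[name] = addr
    return flagged


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    forwarders = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    # stub standing in for the upstream server: knows one constructed name only
    fake_upstream = lambda server, name: "198.51.100.7" if name == "www.example.net" else None
    for q in ("floppyfw", "www.example.net", "www.example.com", "nosuchhost"):
        print(q, "->", resolve(q, hosts, forwarders, fake_upstream))
    print("suspicious overrides:", audit_hosts_overrides(hosts))
```

Run against the real files of a forwarder host, the audit lists exactly the names whose answers no longer come from the authoritative DNS tree, which is the integrity loss the next questions are about.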

(d) Can you think of an attack on the integrity of the DNS records that the host ubuntu-webserver will ask for, for the DNS record ensiwiki.ensimag.fr? (ie the user queries for ensiwiki.ensimag.fr, but instead gets another website)

(e) Implement it. [provide a screenshot of YOUR work]

(f) Wait 5 minutes for the cache to be refreshed, and from ensimag@ubuntu-webserver, to prove that your “hack” worked, run: [provide a screenshot of YOUR work]

nslookup ensiwiki.ensimag.fr
wget -O ensiwiki-webpage ensiwiki.ensimag.fr
cat ensiwiki-webpage

11. (a) Which security property (or properties) is it important to ensure regarding DNS replies?

(b) Name one counter-measure you would propose for ensuring that property (there is a protocol that does ensure that property). [cite your source!]

(c) How is SSL different from the counter-measure you just proposed? What is its aim? (leaving aside the potential client authentication)

2 Authentication and password policy

2.1 Password policy

This part is in reply to a question from one of your fellow students during the very first lecture: “which is the most secure: a password 8 characters long that uses characters from 3 classes, or a 20 characters long password that uses only 2 classes?”. We will here provide some answers.


2.1.1 Corporate password policy

12. Here is a screenshot of the kind of password policy that is deployed within the “Sasuke Uchiha” organization:

For each parameter, explain: [use your own words!]

• its significance

• the type of problem or attack that such parameter tries to prevent

2.1.2 Theoretical computation


13. We will consider only the following 4 character classes:

• class U: Uppercase characters of ASCII characters (A through Z)

• class L: Lowercase characters of ASCII characters (a through z)

• class N: Base 10 digits (0 through 9)

• class A: Non-Alphanumeric characters:

~ ! @ # $ % ^ & * _ - + = ` | \ ( ) { } [ ] : ; " ' < > , . ? /

Generation strategy

(a) At least how many different passwords are possible, if the password policy of the “Sasuke Uchiha” company is Policy 1:

• password length: min: 12 ; max: 26

• complexity: at least 2 characters from U, and at least 3 from L

(b) Same question for Policy 2:

• password length: min: 7 ; max: 20

• complexity: at least 2 characters from U, at least 2 from L, at least 1 from N and 1 from A
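Added worked example (not part of the assessment's materials): the Python below computes the size of the password space for policies of the kind described above, for any set of character classes and any "at least k characters from class c" constraints. It enumerates every vector of per-class character counts that sums to the password length, weights each vector with the multinomial coefficient (the number of ways to place those counts in the string) and multiplies by the number of character choices, then sums over the allowed lengths. The class sizes 26, 26, 10 and 32 are the ones implied by question 13 (their sum, 94, is the number of printable ASCII characters other than space); reading the lecture question's "3 classes" as "at least one character from each of 3 classes" is my assumption.

```python
from math import comb, log2

# Character classes as defined in question 13 (sizes derived from the page):
# 26 uppercase, 26 lowercase, 10 digits, 32 non-alphanumeric printable characters.
CLASSES = {"U": 26, "L": 26, "N": 10, "A": 32}


def multinomial(counts):
    """n! / (k1! k2! ... km!), built as a product of binomial coefficients."""
    result, n = 1, 0
    for k in counts:
        n += k
        result *= comb(n, k)
    return result


def count_exact_length(length, minimums, classes=CLASSES):
    """Number of strings of exactly `length` characters drawn from the union
    of `classes`, in which class c occurs at least minimums.get(c, 0) times.

    Every vector (k_1, ..., k_m) of per-class counts summing to `length`
    contributes multinomial(k) * prod(size_c ** k_c) strings."""
    names = list(classes)
    sizes = [classes[c] for c in names]
    mins = [minimums.get(c, 0) for c in names]
    total = 0

    def walk(i, remaining, counts):
        nonlocal total
        if i == len(names) - 1:
            # the last class takes whatever is left, if that respects its minimum
            if remaining < mins[i]:
                return
            full = counts + [remaining]
            ways = multinomial(full)
            for size, k in zip(sizes, full):
                ways *= size ** k
            total += ways
            return
        for k in range(mins[i], remaining + 1):
            walk(i + 1, remaining - k, counts + [k])

    walk(0, length, [])
    return total


def count_policy(min_len, max_len, minimums, classes=CLASSES):
    """Password-space size of a policy allowing any length in [min_len, max_len]."""
    return sum(count_exact_length(n, minimums, classes)
               for n in range(min_len, max_len + 1))


def entropy_bits(count):
    """log2 of the space size: the cost of an exhaustive search, in bits."""
    return log2(count)


if __name__ == "__main__":
    # The question from the first lecture, under the assumption stated above.
    short = count_exact_length(8, {"U": 1, "L": 1, "N": 1},
                               {"U": 26, "L": 26, "N": 10})
    long_ = count_exact_length(20, {"U": 1, "L": 1}, {"U": 26, "L": 26})
    print(f"8 chars / 3 classes : {short} passwords, {entropy_bits(short):.1f} bits")
    print(f"20 chars / 2 classes: {long_} passwords, {entropy_bits(long_):.1f} bits")
```

count_policy takes the min/max length and the per-class minimums exactly as Policy 1 and Policy 2 state them, so each policy's figure is one call. Without any minimum, the enumeration collapses to (sum of class sizes) ** length, which is a convenient sanity check on the combinatorics.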

14. Exploration strategy: a hacker is trying to impersonate a user of the “Sasuke Uchiha” company.

(a) He wants to brute-force a user password.

(i) Which information does he need to know regarding at least one user?

(ii) Which information could he make assumptions about?

(b) Choose two passwords, so that each password respects only one of the previously described password policies that “Sasuke Uchiha” implemented.

(c) Which password (among the two you previously chose) will the hacker find more quickly, assuming that he uses the following exploration strategy:

(i) descending priority: U (ie characters from U will be tried first), A, N, L, and within each class, the first character will be tried first (eg: A: % will be tried before [)

(ii) descending priority: L, A, N, U (and within each class, the last character will be tried first)


2.1.3 SSH brute-force login

15. For that question, we will assume we are a hacker using the ubuntu web server, and we are trying to hack the floppyfw router and firewall. We already know that the username should be root. To change the floppyfw password:

• log-on to floppyfw (see the Firewall and DNS section )

• passwd

(a) choose two passwords:

• password1:

– password length: min: 5 ; max: 8

– complexity: at least 1 character from U, and at least 1 from L

• password2:

– password length: min: 4 ; max: 8

– complexity: at least 1 character from U, at least 1 from L, at least 1 from N and 1 from A

(b) Using an SSH password brute-forcer tool, and using the first exploration strategy mentioned before, brute-force the SSH password from the ubuntu web server. [provide YOUR command and its execution result] [provide a screenshot of YOUR work]

Here are some tools you might find useful:

• http://zeldor.biz/2011/01/how-to-bruteforce-ssh/

• http://www.madirish.net/content/sshatter-ssh-brute-forcer

Note that you will first have to generate a dictionary of the passwords you want to test. You have to write a small piece of code in the language of your choice, and put it in the file generate_password.source, which you will submit within a compressed archive also containing your deliverable report.

(c) Which counter-measure for preventing SSH brute-forcing can you think of?

(d) Name at least one executable enforcing such a counter-measure. [cite your source!]
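Added example (not part of the assessment's materials, nor the code of any named tool): the Python below shows the detection side of such a counter-measure, run over a few constructed sshd log lines in the syslog format OpenSSH uses. It parses the "Failed password" records, counts failures per source address in a sliding time window, flags a source the moment it crosses a threshold, and produces the iptables rule a banning daemon would insert. The threshold (5 failures within 10 minutes), the hostnames, addresses and timestamps are constructed values chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd log lines (not output from the assessment's VMs):
# five quick failures from one source, one isolated failure from another.
SAMPLE_AUTH_LOG = """\
Nov 10 21:03:01 floppyfw sshd[412]: Failed password for root from 192.168.57.100 port 40122 ssh2
Nov 10 21:03:02 floppyfw sshd[413]: Failed password for root from 192.168.57.100 port 40123 ssh2
Nov 10 21:03:02 floppyfw sshd[414]: Failed password for invalid user admin from 192.168.57.100 port 40124 ssh2
Nov 10 21:03:03 floppyfw sshd[415]: Failed password for root from 192.168.57.100 port 40125 ssh2
Nov 10 21:03:04 floppyfw sshd[416]: Failed password for root from 192.168.57.100 port 40126 ssh2
Nov 10 21:05:00 floppyfw sshd[420]: Failed password for root from 192.168.0.17 port 50001 ssh2
Nov 10 21:09:30 floppyfw sshd[421]: Accepted password for root from 192.168.0.17 port 50002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2011):
    """Return (timestamp, source_ip, username) for each failed-login line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforcers(events, max_failures=5, window=timedelta(minutes=10)):
    """Sliding-window threshold: a source is flagged as soon as it has produced
    `max_failures` failures within `window`.  Returns {ip: time_flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """The iptables rule a banning daemon would insert for each flagged source."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bruteforcers(parse_failures(SAMPLE_AUTH_LOG))
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for rule in block_rules(hits):
        print(rule)
```

The single failure from 192.168.0.17 never reaches the threshold and is not blocked, which is the point of the window: a mistyped password by a legitimate administrator must not lock them out, while a dictionary run from the web server is cut off within seconds.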

3 Access Control

Read the slides within chapter 4 “network security” http://saf.li/c75b9 and especially the access control part.

16. (a) What is the difference between a Discretionary Access Control and a Mandatory one?

(b) Provide one example of your imagination for each model.


17. On Windows NT6+, ie since Windows Vista, Microsoft implemented a security feature named Mandatory Integrity Control.

(a) What kind of access control model does it use? On which resources / objects? Which entities are the requesters?

(b) What are the 5 integrity levels? [cite your source!]

(c) Have a look at that example:

(i) Is the process 3316 able to: [justify each answer!]

• read data on the process 3316

• write data on 3316

• write on 3256

• write on 3468

• read on 3468

• read on 4060

(ii) same questions for the process with PID 4076

(iii) same questions for 3468

(d) Have a look at the following security details regarding some processes.


(i) What are the differences between the processes 3316 and 4060?

(ii) Those differences are surprising, because the very same user is running the very same program. What is your hypothesis regarding those differences?

(iii) Find a source confirming your hypothesis. [cite your source!]


18. Have a look at the following configured entries (consider Role-Based Access Control as a slight variant of the DAC model; refer to the course notes regarding permission priorities):

Is Sophie able to: [justify each answer!]

(a) print?

(b) manage the printer?

(c) manage the documents?
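Added example (not part of the assessment's materials; the screenshot's real entries are not reproduced here): the Python below evaluates a printer ACL of the kind the question refers to, for the three permissions named, and returns a justification with each decision. The entries, the group memberships and the user "Marc" are constructed for the example. The priority rule it applies, an explicit deny overriding an explicit allow regardless of entry order, and implicit denial when no entry applies, is the one Windows uses for DACL evaluation; the course notes' rule is the one to follow for the question itself.

```python
# Constructed printer ACL and group memberships (not the screenshot's entries).
PERMISSIONS = ("print", "manage_printer", "manage_documents")

ACL = [
    # (principal, access type, permissions covered by the entry)
    ("Everyone",   "allow", {"print"}),
    ("Accounting", "allow", {"manage_documents"}),
    ("Sophie",     "allow", {"manage_printer"}),
    ("Interns",    "deny",  {"manage_printer"}),
]

GROUP_MEMBERS = {
    "Everyone":   {"Sophie", "Marc"},
    "Accounting": {"Sophie"},
    "Interns":    {"Sophie"},
}


def principals_of(user, group_members):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in group_members.items() if user in members}


def decide(user, permission, acl, group_members):
    """Return (granted, justification).

    Rule applied: an explicit deny in any applicable entry wins over any
    allow; otherwise an applicable allow grants; otherwise implicit deny."""
    mine = principals_of(user, group_members)
    allows = [p for p, kind, perms in acl
              if kind == "allow" and p in mine and permission in perms]
    denies = [p for p, kind, perms in acl
              if kind == "deny" and p in mine and permission in perms]
    if denies:
        return False, f"denied to {', '.join(denies)} (deny overrides allow)"
    if allows:
        return True, f"allowed via {', '.join(allows)}"
    return False, "no applicable entry (implicit deny)"


def report(user, acl=ACL, group_members=GROUP_MEMBERS):
    """Decision and justification for every printer permission."""
    return {perm: decide(user, perm, acl, group_members) for perm in PERMISSIONS}


if __name__ == "__main__":
    for who in ("Sophie", "Marc"):
        for perm, (ok, why) in report(who).items():
            print(f"{who} {perm}: {'yes' if ok else 'no'} ({why})")
```

With these constructed entries Sophie can print (via Everyone) and manage documents (via Accounting), but the deny on the Interns group takes away the manage-printer right that her own explicit allow would otherwise grant; the justification string makes that chain visible, which is what "justify each answer" asks for.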

4 Authentication and identity federation

4.1 Identity federation

Please read again:

• the Kerberos part within chapter “3.2 - cryptography applications”

• the Authentication part within the chapter “4. network security”

And do not forget to search for information on those topics, but when doing so, [cite your source!]


4.1.1 The big picture

19. (a) What is Identity Federation? [use your own words!] Describe it using the following vocabulary: User, Service Provider, Identity Provider [cite your source!]. Also draw a schema showing those actors and the network flows.

(b) Identify 4 points that make Identity Federation useful for businesses working together: [cite your source!]

(i) for end-users: ?

(ii) for the Service Provider: ?

(iii) for the Identity Provider: ?

(iv) for a way of building applications not mixing ... and ... ?

4.1.2 Trust relationships


20. Facebook wants to allow users to be able to access their FB webpage using their Yahoo account.

(a) What is the minimal trust relationship needed? (qualify it: one-way trust, two-way trust) How do we represent it? (meaning using the ← and/or → notation)

(b) Yahoo authorizes users to access Yahoo services (including Yahoo Finance) with their Google identity (let us only consider this within the Yahoo picture). Knowing this, use trust notations (← ...) to represent the trust relationships between Yahoo, Facebook and Google.

4.1.3 Applications

21. (a) Name one authentication protocol widely used in corporations that is not web-based and that permits Identity Federation. [cite your source!]

(b) Do the same for web-based protocols. [cite your source!]

(c) For each of them, briefly describe how it works. [use your own words!]