Question 1:
Snort Rules (10 Marks)
This question presents a fictitious security vulnerability in a range of laser printers. The question requires that
you develop SNORT IDS rules to detect exploits of this fictitious vulnerability. All information regarding this
vulnerability is fabricated to give the illusion of a real security threat. As a result, searches on the Internet will
not yield any information regarding the signature of this vulnerability. All the information required to detect exploits
of this vulnerability is presented in this question, except where noted otherwise.
You are a security specialist working for XYZ Incorporated. XYZ uses SNORT as its NIDS, which protects both of its IP
sub-networks: 192.168.1.0/24 and 192.168.2.0/24.
A security vulnerability has been detected in the Humphrey Pollard Laserprint 12050 printer model. This vulnerability is
remotely exploitable and allows the execution of arbitrary code.
There is a bug in the way the printer processes the PostScript spool management header. A sample of a spool header is
given below:
%!PS-Adobe-3.0
%%Creator: texttops/CUPS v1.2.2
%%CreationDate: Thu 21 Sep 2006 11:49:57 AM EST
%%Title: TODO
%%For: username
%%DocumentNeededResources: font Courier-Bold …
The printer’s code which parses these headers allocates only 8 bytes in memory for the “%%For” field value. In the
example above, the field value is “username”. It is possible to overflow the buffer by providing a value for the “%%For”
field that is longer than 8 bytes. The “%%For” field can appear anywhere in the packet.
An exploit has been released in the form of a worm which, once resident in the laser printer’s memory, tricks the laser
printer into emailing all documents received for printing to an email account in Russia. The worm propagates by scanning
networks in proximity to its own for other vulnerable printers. On finding vulnerable machines, it copies itself to them
and the cycle continues.
It also propagates via email as a PDF attachment. The malicious code is embedded in the PDF file. The email message
suggests that the attached document contains a joke and requires printing to a laser printer to view. When the user
prints the PDF, its payload is sent to the printer either directly, or via a printer spooling server. Effectively, this
means the worm can attack printers from any host on the network.
If a printer is found to be compromised, power-cycling (turning off and then on) the printer will erase the worm from the
printer’s volatile memory. However, this does not prevent the printer from being re-infected.
You are required to write 2 SNORT IDS rules labeled (a) and (b) to manage this vulnerability until patches are applied
and printers reset. Rule (a) must detect attempts to exploit this vulnerability on any printer in the company network.
The rule should scan for attempts from any host on the network to any host on the network. It should also scan only for
connections to the Jetdirect printing TCP/IP port number, used by this range of printers. You may need to research
Jetdirect to identify which port number it uses for printing and what transport protocol. Google is a good place to
start.
The signature of the exploit is given as follows:
%%For: username
The value “username” can be any sequence of characters, but must be exactly 8 characters long. For example, “username”
could be “abcdefgh”. Note also there is a space between the colon and “username”. Immediately following the 8
characters for the username is the payload of the exploit, which is given below as decimal byte values:
124 185 30 135 99 214 51 29
Your rule should match the entire sequence as described above starting from “%%For:” through to the last decimal byte of
the exploit payload “29”. On detecting packets, your rule should generate an alert with a message stating: “Attempt to
exploit laser printer vulnerability”.
Rule (b) must detect attempts by the malicious payload running on any infected printers to email documents to the
Internet.
You have 6 printers on your network that are vulnerable to this attack. Their IP addresses are:
192.168.1.45
192.168.1.40
192.168.2.15
192.168.2.30
192.168.2.31
192.168.2.40
Your email rule must apply only to the vulnerable printers on the network. In other words, your rule should detect
attempts to email the hacker from only the above printers, and no other hosts.
This model of laser printer also provides scanning and faxing capabilities. When the scanning function is used, the unit
will email the scanned document to an Internet email address given by the user when scanning. As a result, it is normal
behaviour for these printers to send emails via SMTP. Therefore, it is necessary to check the recipient email address of
the document. The rule should detect attempts to email users outside of the organisation, as no document should be
emailed outside the company from a printer. The organisation’s domain name is: xyzcorp.com.au. So any emails sent to an
address of form: user@xyzcorp.com.au should not be detected as these addresses are for company employees. Any other
email addresses without the exact domain name above should be detected. Any mail server could be used to deliver the
email. On detecting an email from one of these printers to an address outside the organisation, your rule should
generate an alert with the message: “Compromised printer attempting to email document outside organisation”
For both rules, be sure to complete the following.
1. Allocate an appropriate SID value and a revision number
2. Designate an appropriate class type for this attack.
3. Annotate your rules with comments describing what each component of the rule does, so other security specialists
in your team can see how your rules are written. Comments can be introduced to your rules file snort.conf by preceding
each line with a hash character “#”. Anything after the hash character to the end of the line will be treated as a
comment by SNORT and ignored by the rule parsing code. This is how you should comment your rules.
An example of how to present your rules in your assignment document is shown below:
# Your explanation of the below in italics
var HOME_NET 138.77.0.0/16
var EXTERNAL_NET !138.77.0.0/16
# Your explanation of the below
drop udp $EXTERNAL_NET any -> $HOME_NET 993
#Your explanation of the below, and so on…
…
An example explanation for a SNORT rule option:
# The packet payload must contain the string “USER root” to be matched. The offset
# option tells SNORT where to begin looking for that pattern: with offset:10 the search
# starts 10 bytes into the payload, so a match anywhere from byte 10 onwards counts.
# To require that the string sit exactly at byte 10, pair offset:10 with depth:9 (the
# length of “USER root”), which limits the search window to bytes 10 through 18.
content: “USER root”; offset:10;
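The following is an added worked example, not part of the assignment text and not Snort code, showing the matching logic that rules (a) and (b) must express. It carries my proposed formulations of the two rules as strings (the exploit bytes written in hex, the 8-byte username gap expressed with distance/within, the exact-domain test on RCPT TO, and the six vulnerable printer addresses), re-implements the same checks in Python, and runs them over a handful of constructed packets so the logic can be tried without a Snort install. The rule text, the classtype choices, the sample packets and the addresses in them are my assumptions; the real rules still have to be verified against sample.pcap as described in the testing section.

```python
"""Matching logic for rules (a) and (b), run over constructed packets.

Added example: not part of the assignment and not Snort code. RULE_A and
RULE_B are my proposed formulations; the functions below implement the
same checks so they can be exercised without Snort.
"""
import ipaddress
import re

# Rule (a): Jetdirect raw printing uses TCP port 9100 (the expected
# alert.ids output on this page shows :9100).  Exploit bytes
# 124 185 30 135 99 214 51 29 in hex are 7C B9 1E 87 63 D6 33 1D.
# distance:8 skips the 8-byte username after "%%For: "; within:8 pins the
# 8-byte payload to start exactly there.  The classtype is my choice.
# (flow:to_server,established would cut false positives further but needs
# the stream preprocessor configured, which a bare snort.conf lacks.)
RULE_A = (
    'alert tcp any any -> any 9100 ('
    'msg:"Attempt to exploit laser printer vulnerability"; '
    'content:"%%For: "; '
    'content:"|7C B9 1E 87 63 D6 33 1D|"; distance:8; within:8; '
    'classtype:attempted-admin; sid:1000022; rev:1;)'
)

# Rule (b): only the six vulnerable printers as source, any mail server on
# port 25.  The pcre accepts exactly "@xyzcorp.com.au" (optionally followed
# by ">") at the end of the RCPT TO line, so user@xyzcorp.com.au.evil.example
# is still caught.  A plain negated content:!"@xyzcorp.com.au" would miss it.
RULE_B = (
    r'alert tcp [192.168.1.45,192.168.1.40,192.168.2.15,192.168.2.30,192.168.2.31,192.168.2.40] any -> any 25 ('
    r'msg:"Compromised printer attempting to email document outside organisation"; '
    r'content:"RCPT TO:"; nocase; '
    r'pcre:"/^RCPT TO:\s*<?[^@\r\n<>]+@(?!xyzcorp\.com\.au>?\s*$)/im"; '
    r'classtype:policy-violation; sid:1000021; rev:1;)'
)

JETDIRECT_PORT, SMTP_PORT = 9100, 25
ORG_DOMAIN = "xyzcorp.com.au"
FOR_FIELD, USERNAME_LEN = b"%%For: ", 8
EXPLOIT_PAYLOAD = bytes([124, 185, 30, 135, 99, 214, 51, 29])
VULNERABLE_PRINTERS = {ipaddress.ip_address(a) for a in (
    "192.168.1.45", "192.168.1.40", "192.168.2.15",
    "192.168.2.30", "192.168.2.31", "192.168.2.40")}
RCPT_RE = re.compile(rb"^RCPT TO:\s*<?([^<>\s]+)>?", re.I | re.M)


def matches_exploit(payload: bytes) -> bool:
    """Rule (a) content logic. Like Snort, every '%%For: ' occurrence is tried."""
    start = 0
    while (i := payload.find(FOR_FIELD, start)) >= 0:
        at = i + len(FOR_FIELD) + USERNAME_LEN        # skip exactly 8 username bytes
        if payload[at:at + len(EXPLOIT_PAYLOAD)] == EXPLOIT_PAYLOAD:
            return True
        start = i + 1
    return False


def external_recipients(payload: bytes) -> list:
    """Rule (b) content logic: RCPT TO addresses whose domain is not exactly ORG_DOMAIN."""
    hits = []
    for m in RCPT_RE.finditer(payload):
        addr = m.group(1).decode("ascii", "replace")
        _user, sep, domain = addr.rpartition("@")
        if not sep or domain.lower() != ORG_DOMAIN:  # no '@' or any other domain
            hits.append(addr)
    return hits


def check_packet(src, sport, dst, dport, payload):
    """Apply both rules to one TCP segment; return the alert message or None."""
    if dport == JETDIRECT_PORT and matches_exploit(payload):
        return "Attempt to exploit laser printer vulnerability"
    if (dport == SMTP_PORT and ipaddress.ip_address(src) in VULNERABLE_PRINTERS
            and external_recipients(payload)):
        return "Compromised printer attempting to email document outside organisation"
    return None


# Constructed test traffic (not taken from sample.pcap).
SAMPLE_PACKETS = [
    ("192.168.2.31", 49140, "192.168.2.30", 9100,   # exploit: alert
     b"%!PS-Adobe-3.0\n%%Creator: texttops/CUPS v1.2.2\n%%For: abcdefgh" + EXPLOIT_PAYLOAD + b"\n"),
    ("192.168.2.31", 49141, "192.168.2.30", 9100,   # normal job: no alert
     b"%!PS-Adobe-3.0\n%%For: username\n%%Title: TODO\n"),
    ("192.168.2.31", 49142, "192.168.2.30", 9100,   # other username length: outside the given signature
     b"%%For: averylongusername" + EXPLOIT_PAYLOAD),
    ("192.168.2.40", 1941, "192.168.1.4", 25, b"RCPT TO:<joke@mail.example>\r\n"),                  # alert
    ("192.168.2.40", 1942, "192.168.1.4", 25, b"RCPT TO:<alice@xyzcorp.com.au>\r\n"),               # internal: no alert
    ("192.168.2.40", 1943, "192.168.1.4", 25, b"RCPT TO:<alice@xyzcorp.com.au.evil.example>\r\n"),  # lookalike: alert
    ("192.168.1.10", 1944, "192.168.1.4", 25, b"RCPT TO:<bob@mail.example>\r\n"),                   # not a printer: no alert
]


def run(packets=SAMPLE_PACKETS):
    """Return (src, dst, dport, msg) for every packet that fires a rule."""
    alerts = []
    for src, sport, dst, dport, payload in packets:
        msg = check_packet(src, sport, dst, dport, payload)
        if msg:
            alerts.append((src, dst, dport, msg))
    return alerts


if __name__ == "__main__":
    for src, dst, dport, msg in run():
        print(f"[**] {msg} [**]  {src} -> {dst}:{dport}")
```

The third sample packet is the caveat worth putting in the write-up: the assignment fixes the signature as exactly eight username characters followed by the payload, so a variant of the worm that pads the username differently falls outside rule (a) as specified; a rule that key on the payload bytes alone would be broader but is not what the question asks for.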
Testing your rule
A pcap dump file has been provided which includes the signatures for both the laser printer exploit, and the email
messages that are sent from infected printers. This file serves two purposes. Firstly, it allows you to analyse the
format of normal and malicious packets. Using Wireshark, you are able to open the pcap dump file, look at the format of
the packets, and search for the malicious ones using the information in this document. Secondly, the pcap dump file can
be used with SNORT to test your rules. To do the above, you need to have installed SNORT and Wireshark on your home
computer.
Instructions on how to obtain these applications are available on the course website under the “Software Resources”
section.
To test your rule with SNORT, copy the sample.pcap file to a working folder on your computer. In this same folder,
create a sub-folder called “logs”. Open Notepad and save an empty file in your working folder called “snort.conf”.
This file will contain your rules. As you change the rules in Notepad, resave the file. Now, to test your rule using
SNORT, you execute the SNORT program from a command window as follows:
c:\snort\bin\snort.exe -r sample.pcap -c snort.conf -l logs
(This is an example – your install location for SNORT may differ. Note also that this is a Windows example – you may use
Linux or OS X to complete this assignment; the -r, -c and -l options are the same there.)
Check the output of the alert.ids file to see which packets have been detected by your rules. Also open the packet dump
files generated by SNORT in Wireshark; they contain the full content of every packet that your rules detected. They
are the files named “snort.log.{number}”, where {number} is the timestamp of when you ran SNORT, so they provide a
history of each run; the greatest number is the newest. You can drag these files from an Explorer window onto the
Wireshark window. Note that alerts are appended to the end of your alert.ids file each time you execute SNORT. So just a
hint: before each test run, delete the alerts file and the dump files so the output is less confusing; otherwise they can
be hard to read. Reviewing these log files is essential to identifying where you have gone wrong with your rules.
Your alert.ids file should contain the following:
[**] [1:1000022:1] Attempt to exploit laser printer vulnerability [**]
[Classification: <
09/21-11:49:57.965425 192.168.2.31:49140 -> 192.168.2.30:9100
TCP TTL:64 TOS:0x0 ID:39862 IpLen:20 DgmLen:782 DF
***A**** Seq: 0x31A554DB Ack: 0xFCFF2DD Win: 0xB7 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23973781 489101
[**] [1:1000022:1] Attempt to exploit laser printer vulnerability [**]
[Classification: <
09/21-11:50:13.094991 192.168.2.11:49144 -> 192.168.2.40:9100
TCP TTL:64 TOS:0x0 ID:44774 IpLen:20 DgmLen:782 DF
***A**** Seq: 0x322170AB Ack: 0x100D84CB Win: 0xB7 TcpLen: 32
TCP Options (3) => NOP NOP TS: 23977563 489132
[**] [1:1000021:1] Compromised printer attempting to email document outside organisation [**]
[Classification: <
09/21-14:57:32.058922 192.168.2.40:1941 -> 192.168.1.4:25
TCP TTL:128 TOS:0x0 ID:65489 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0xFC0CF9C8 Ack: 0x32CC7240 Win: 0xFE7D TcpLen: 20
[**] [1:1000021:1] Compromised printer attempting to email document outside organisation [**]
[Classification: <
09/21-15:02:40.010228 192.168.1.40:1955 -> 192.168.1.4:25
TCP TTL:128 TOS:0x0 ID:5281 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x9B7E2E43 Ack: 0x463DFBEF Win: 0xFE7C TcpLen: 20
Note: The classification identifier has been deleted. If your alert.ids file differs from the above, you have false
positives or false negatives, meaning your rule is not specific enough or is too specific. Identify which alerts
are incorrect in your file and open the snort.log.{number} dump file to view their contents to see where you have gone
wrong. If you are missing alerts, take the timestamp from the alert.ids listing above and search for the same
packet in sample.pcap using Wireshark. Instructions on how to do this in Wireshark are given in the tips section
below.
Tips:
• Search for the SMTP RFC document “RFC0821” via Google (RFC 821 has since been superseded by RFC 5321, but both
describe the command). In particular, you will need to familiarise yourself with the “RCPT TO:” SMTP command. This is
the line whose recipient address you need to check in order to tell safe (internal) recipients from external ones.
• Use Wireshark to analyse the pcap dump file. You can identify which packets contain the exploit by using the
“Edit” menu, and “Find Packet” option. You can specify a String value and search in the “Packet bytes” to find the
signatures of the vulnerability.
• Make use of SNORT to test your rule. Check the output from your alerts file with what is provided in this
document to see if you have implemented your rule properly. In particular, check for false positives, and false
negatives.
• The alert.ids file generated by SNORT on execution will provide the headers of the packets that were detected by
your rules. If you wish to see the full contents of these packets, you can search for them in the pcap dump file using
Wireshark. The headers of the packet in the alert.ids file include the timestamp when the packet was captured. You can
search for the exact timestamp in the pcap file to find the same packet. This can be done by changing the settings of
Wireshark to show the absolute time of the packets, rather than an offset from the very first packet. Then if you wanted
to find the packet in the alert.ids file with the timestamp: “11:49:57.965425”, you would search for the same string in
Wireshark. To change the display format for the timestamp in Wireshark:
1. Click “View” menu
2. Click “Time display format” option
3. Click “Time of day”
• Certain characters are “special” in SNORT rules. These characters must be escaped to tell SNORT to treat them
literally, rather than interpret their special meaning. To escape a special character, you simply precede it with a
back-slash “\”. For example, if you wish to continue your rule on a new line in the configuration file, then you end the
line with a “\” character to escape the special meaning of the ENTER character at the end of the line. SNORT treats the
ENTER character as special: it marks the end of the current rule. With a “\” at the end of the line, SNORT treats the
ENTER as a literal character, which is then interpreted as spacing within the rule and allows it to continue on
the next line. If you receive the following error when you attempt to run your rule through SNORT: “ParsePattern Got Null
enclosed in quotation marks (“)!”, then you have a special character in your rule content that needs to be escaped
(inside a content string the characters ; \ " and | are the ones to watch for, since | delimits hex bytes).
Refer to the SNORT documentation website for details on which characters have special meanings.
• Research how to express a group of unrelated individual IP addresses as a source or destination.
• Make sure you include the classtype in your rule. Refer to the SNORT documentation to determine which classtype
is appropriate for this exploit as described above. You will probably have to make use of the classification.config
file (located in the Snort\etc directory) – research how to make reference to this file from your rules file.
• Failure to use the correct syntax in your rule will mean the rule is ineffective. This means you will lose marks
on this question.
• Refer to the Snort manual for assistance in writing the rules – a link to the manual is available from the Software
Resources section of the course web site.
Note: Duplicating the contents from the text, lecture slides, weekly notes or the Internet is not acceptable (even if it
is referenced) and will not attract any marks. Your solutions must be written in your own words. If you cannot write
your answer in your own words, then you have not yet mastered the topic and require further reading or advice from your
tutor. Any information taken from an external source (either from the textbook or any other source) must be referenced
appropriately. Failure to do so constitutes plagiarism.
Question 1 Marking Criteria
There is a total of 5 marks for each of the two rules. 2.5 marks for commenting, and 2.5 marks for rule correctness
explained below.
Commenting criteria:
• 2.5 marks
A very good, in depth explanation of the SNORT Rule. Shows good understanding of the material
• 2 marks
Has a few misunderstandings or explanations
• 1 – 1.5 marks
Passable explanations, a few mistakes, some major and not very descriptive
• 0.5 marks
Major problems. Does not demonstrate a good understanding of the material or solution is very vague
• 0 marks
Essentially nothing correct or solutions have been copied verbatim from other sources
SNORT rule correctness criteria:
• 2.5 marks
A correct, concise SNORT rule that identifies malicious packets, without false positives or false negatives, and adheres
to the assignment specification fully
• 1.5 – 2 marks
A few mistakes, but still essentially correct and does not contain syntax errors
• 0 – 1 marks
Does not meet the specifications, has false positives/false negatives, or syntax errors
Question 2:
Kerberos Authentication Protocol (10 Marks)
Kerberos is one of the most widely deployed network authentication protocols in use today. The Kerberos authentication
protocol is very briefly described on page 280 in Chapter 8 of the Ciampa textbook. You are required to do personal
research to complete the following questions regarding this topic:
A. Give your general description of the Kerberos authentication protocol.
B. Explain the term: Authenticator used in the Kerberos authentication protocol.
C. In the Kerberos authentication protocol, there are 3 basic roles: client, server and Key Distribution Centre
(KDC). Give your description of each of them.
D. By explaining the term: Session Ticket, describe how a session key is created by the KDC and distributed to the
client and the server.
E. Describe the mutual authentication procedure between the client and the server after the client obtains the
session ticket.
To answer these questions, you should consult reference materials from other texts and the Internet. You are required to
reference these sources – DO NOT DIRECTLY COPY material from them – i.e. use your own words.
Question 2 Marking Criteria
There is a total of 10 marks available for this question. Each question (A – E) is worth 2 marks. A question that is
addressed thoroughly will score 2 marks – a lesser mark will be awarded if material is missed or the answer is unclear. 0
marks will be awarded if the answer is copied directly from sources (i.e. isn’t in your own words).
Question 3:
Wireless Protocols (10 Marks)
WPA2 Enterprise security is an integral component of modern network infrastructure. AES/CCMP encryption and 802.1X
authentication are currently regarded as the best way of securing enterprise-level wireless networks. You are required to
do personal research to complete the following questions regarding this topic:
A. Describe 802.1X authentication and the steps that occur when a wireless client connects to a network that uses a
RADIUS server for authentication.
B. Explain the PEAP protocol – how does it differ from EAP and what EAP deficiency does it address?
C. What makes a brute-force attack both particularly difficult and potentially easy on a wireless network using
AES/CCMP encryption and 802.1X authentication? Hint: What do you need to know in order to attempt the attack?
D. Assume an office wireless network was only configured with WPA2-AES encryption (i.e. no additional authentication
standards). What problems would this cause?
E. Assume an office wireless network was only configured with 802.1X authentication (i.e. no additional encryption).
What problems would this cause?
To answer some of these questions, you should consult reference materials from other texts and the Internet. You are
required to reference these sources – DO NOT DIRECTLY COPY material from them – i.e. use your own words.
Question 3 Marking Criteria
There is a total of 10 marks available for this question.
Question A – 3 Marks
Question B – 3 Marks
Question C – 2 Marks
Question D – 1 Mark
Question E – 1 Mark
A question that is addressed thoroughly will score full marks – a lesser mark will be awarded if material is missed or
the answer is unclear. 0 Marks will be awarded if the answer is copied directly from sources (i.e. isn’t in your own
words).
Question 4: Steganography Exercise [10 Marks]
This exercise requires you to use Steganography to embed secret text into a graphic file and also to embed a secret
watermark into a second graphic file. To accomplish these tasks you are to download a copy of OpenStego from the
internet. You will also need to download the two graphic files cqu_logo.png and Bundaberg.jpg from the Moodle site.
a) Data Hiding in a graphic file [5 Marks]
You are to create a “message.txt” file containing the text “This is my hidden text file” to use as your Message File in
OpenStego.
You are to use “cqu_logo.png” as your Cover File in OpenStego and “extra_logo.png” as your Output Stego File.
Note: You MUST use your student number (sxxxxxxx) as the password.
You are to include both your message.txt and extra_logo.png files in your assignment submission.
b) Watermarking a second graphic file [5 marks]
You are to generate a signature file (“COIS23001Ass2.sig”) using “Copyright 2015,COIS23001” as the PassPhrase.
You can now embed your watermark in the “Bundaberg.jpg” graphic file to create your Output file called “ass2sig.jpg”.
You are to submit a copy of your COIS23001Ass2.sig and ass2sig.jpg files with your assignment submission.
Note: You MUST include a copy of your message.txt , extra_logo.png, your COIS23001Ass2.sig and ass2sig.jpg files with
your assignment submission.
Question 4 (a) Marking Criteria
1.5 marks for correct message.txt, 1.5 marks for correct password, 2 marks for correct extra_logo.png file.
Question 4 (b) Marking Criteria
2 marks for correct signature file, 3 marks for correct output file.
Question 5 10 marks
You are the Chief Information Security Officer (CISO) of a small-to-medium-sized accounting services company. In the last
few weeks, senior staff have been complaining that some confidential information has been disclosed via email without any
authorisation. You are approached by the Chief Information Officer (CIO) to discuss the issue and decide on the most
appropriate way to tackle this problem. You suspect that some of the employees might be using their technical skills to
access sensitive information either on the mail servers or during transmission. To counteract this malpractice, you
suggest to the CIO that encryption be implemented. Before you actually implement the system, you want to conduct a pilot
using the GNU Privacy Guard (GPG) software.
The pilot requires that you install GNU Privacy Guard (GPG) software onto your own computer and complete the following
activities.
Note: The GNU Privacy Guard is available for free download from http://www.gnupg.org/ and “A Practical Introduction to
GNU Privacy Guard in Windows” by Brendan Kidwell is available at http://www.glump.net/howto/gpg_intro
After installing GPG software onto your own computer, complete the following tasks:
1. Generate your own key-pair by using GPG software and do not create a pass-phrase for your private key (in a real
world this is not a good practice. Just for the sake of this assignment, do not create a pass-phrase). You need to use
screen-shots to show that you have successfully completed this task. A valid screen-shot is similar to the one shown in
Figure 1. Pay attention to the red circles, which demonstrate the success of key pair generation ( 2 marks).
Figure 1 Key Pair Creation
2. Export your public key and paste it into your assignment document. You need to use two screen-shots to show that
you have successfully completed this task. One screen-shot is to show the use of gpg command and the other is to show the
exported public key. For example, the screen-shot in Figure 2, shows a public key, which is exported into the file:
CC-pubkey.txt (2 marks).
Figure 2 Screen-shot of a Public Key
3. Explain how to import your Lecturer’s public key from the key-server http://pgp.mit.edu (your lecturer
created a public key and stored it at the MIT PGP Public Key Server). Include in the assignment document the gpg command
line, the individual options you used and their meaning. As above, use screenshots of website interactions, with
accompanying explanations of the screenshots, to document the steps of importing your Lecturer’s public key from the
key-server http://pgp.mit.edu (3 marks).
4. Create an ASCII text file to store your full name, your student number, and your student CQU email address
(please do not use any other email address). Then, using your lecturer’s public key, encrypt this text file. The resulting
file must also be ASCII armoured (gpg option --armor, or -a) so that the ciphertext is plain text that survives being
submitted and pasted intact and can then be decrypted by your lecturer / tutor. Failure to do so will
result in loss of marks. Submit the resulting encrypted file along with your assignment solutions document (Word
document) via the online submission system, following the naming convention given above (3 marks).
An example explaining the steps to export a key
Here is a specific example for explaining the step of exporting a private key, to be imported onto another computer
running GPG. Use this example to guide you in how to give explanations in this question.
To export your private key, you need to execute the following gpg command:
gpg --output "privkey.txt" --export-secret-keys "Xiao Li"
The --output option specifies the filename into which the private key is written. The --export-secret-keys option
specifies the name (user ID) of the private key to be exported, here given as "Xiao Li". This option is distinct from the
--export option, which exports only public keys.
Now the private key is stored in the file "privkey.txt" and can be imported into another installation of GPG. Two
cautions: without --armor the file is binary despite its .txt name, and because the key pair in this assignment was
generated without a pass-phrase the exported secret key is completely unprotected, so anyone who obtains privkey.txt can
decrypt your messages and sign as you. Copy it only over a trusted channel and delete it once it has been imported.
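Both the exported public key (task 2) and the encrypted submission (task 4) are ASCII-armoured text files, and the export example above shows how easy it is to produce a secret key instead of a public one. The following is an added example, not part of the assignment and not GnuPG code, that inspects such a file offline: it decodes the armour, verifies the CRC-24 trailer that gpg appends (RFC 4880 section 6.1), and reports the type of the first OpenPGP packet so you can confirm before submitting that a file is a public key or an encrypted message rather than an accidentally exported secret key. The armoured samples in it are constructed from dummy packet bytes and are not real keys.

```python
"""Check an ASCII-armoured OpenPGP file before submitting it.

Added example, not part of the assignment and not GnuPG code: decodes the
"-----BEGIN PGP ...-----" text form that gpg --armor writes, verifies the
CRC-24 trailer the way gpg does (RFC 4880 section 6.1), and reports the tag
of the first packet (RFC 4880 section 4.3).  The sample data below is
constructed for the demo and is not a real key.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

PACKET_TAGS = {
    1: "public-key encrypted session key (encrypted message)",
    3: "symmetric-key encrypted session key",
    5: "SECRET KEY - do not submit or publish this",
    6: "public key",
    7: "SECRET SUBKEY - do not submit or publish this",
    14: "public subkey",
}


def crc24(data: bytes) -> int:
    """RFC 4880 CRC-24, the value behind the '=XXXX' line of an armoured block."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Produce the same text layout gpg --armor emits (armor headers omitted)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"


def dearmor(text: str) -> bytes:
    """Parse an armoured block; raise ValueError if the framing or CRC is wrong."""
    lines = text.splitlines()
    try:
        begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("no BEGIN/END PGP armor lines found")
    # Armor headers (Version:, Comment:, ...) run until the first blank line.
    i = begin + 1
    while i < end and lines[i].strip():
        i += 1
    b64, crc_line = [], None
    for l in lines[i + 1:end]:
        if l.startswith("="):          # base64 data never starts with '='
            crc_line = l[1:].strip()
        elif l.strip():
            b64.append(l.strip())
    data = base64.b64decode("".join(b64), validate=True)
    if crc_line is not None:
        want = int.from_bytes(base64.b64decode(crc_line), "big")
        if want != crc24(data):
            raise ValueError("CRC-24 mismatch: the pasted text was altered or truncated")
    return data


def packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet; handles old- and new-format headers."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet stream")
    first = data[0]
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F


def describe(text: str) -> str:
    """Human-readable type of the first packet inside an armoured file."""
    return PACKET_TAGS.get(packet_tag(dearmor(text)), "other packet type")


# Constructed samples: old-format header 0x99 is tag 6 (public key) with a
# 2-byte length field; 0x95 is tag 5 (secret key).  Four dummy body bytes.
SAMPLE_PUBLIC = armor(b"\x99\x00\x04\xde\xad\xbe\xef")
SAMPLE_SECRET = armor(b"\x95\x00\x04\xde\xad\xbe\xef", "PRIVATE KEY BLOCK")

if __name__ == "__main__":
    for name, blob in (("public", SAMPLE_PUBLIC), ("secret", SAMPLE_SECRET)):
        print(f"{name}: {describe(blob)}")
```

Run it against a real file with `describe(open("CC-pubkey.txt").read())`; the CRC check is what catches a key that was mangled by line wrapping when pasted into a Word document, and the tag check catches the export-secret-keys mistake before the file leaves your machine.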
Hints:
Where required, be detailed and specific about your actions, explaining exactly what you did and why you did it. Document
the exact GPG commands you have used, and provide an explanation of what each command does, including the individual
command line options, and/or provide screenshots of any interactions with websites.
Brendan Kidwell’s practical guide is not the only one available on the Internet. There are plenty of other documents on
the Internet that explain how to use GPG for various functions.
Marking:
2 Marks for key-pair creation
2 Marks for exporting your public key
3 Marks for explaining the steps how to import your Lecturer’s public key from the key-server
3 Marks for creating an ASCII text file and encrypting it using your lecturer’s public key