2. All the following questions are against the penetration scenario shown in Fig

Question

2. All the following questions are against the penetration scenario shown in Figure 1. In this penetration scenario,

Mallory is a remote attacker who has no user account of the corporation. The goal of Mallory is to gain root privilege on the Workstation.

2.1: Since Mallory knows nothing about the corporation, he will need to start with the reconnaissance step. In particular, since breaking into the internal Corporation LAN (see Figure 1) is much harder than breaking into the Web Server, Mallory will target the Web Server in this step. To do reconnaissance against the Web Server, Mallory will need to use a set of scanning tools. In particular, one of these scanning tools, when executed on Mallory PC, told Mallory that the Web Server was running Apache HTTP Server Version 2.0. What did the scanning tool/weapon do in order to collect such useful information? Please give a step-by-step explanation. (10 points)

2.2: When the reconnaissance step ends, Mallory knew that the Web Server httpd program had a buffer overflow bug (vulnerability). To exploit this vulnerability to break into the

Web Server, Mallory should take the Probe step and use a specific remote exploit tool. Which attack weapon would be used by Mallory? Which kind of attack packets will be

created and sent to the Web Server by this attack weapon? (10 points)

2.3: During the Toehold step, the buffer overflow bug was successfully exploited and Mallory’s malicious code was executed on the Web Server. The malicious code can enable Mallory to remotely login into the Web Server. When Mallory remotely logins into the Web Server, what are the three most urgent things for Mallory to do? Why are they urgent? (10 points)

2.4: Next, Mallory wanted to break into the Fire Server inside Firewall 2. So Mallory would take the reconnaissance step and the Probe step again. The reconnaissance tool told Mallory that the File Server has a TCP port open to accept and process RPC requests. Since Mallory knew that many RPC server programs have buffer overflow bugs, he would probe this port. Please list all the possible attack weapons that could help Mallory probe the port; then please tell which attack weapon is the best one for this attacking purpose. (10 points)

2.5: After the Probe step succeeded, Mallory would gain root privilege on the File Server and be able to remotely login into the File Server. Let’s assume Mallory was not ready at this moment to attack and break into the Workstation from the File Server. So he was worried that his attack traces could be detected and the RPC buffer overflow bug could be patched when he got ready to attack the Workstation. What could Mallory do to remove this concern? Please give a step- by-step answer. (10 points)

2.6: Now Mallory was ready to attack the Workstation from the File Server. In this stage, should Mallory use any monitoring tools? If so, what can these monitoring tools do and why are they helpful? (10 points)

2.7: When attacking the Workstation, the reconnaissance tools did not find any buffer overflow vulnerabilities. So Mallory could no longer send buffer overflow packets (or requests) to the Workstation. Now Mallory needed to do some other things. Please select all the useful ones from the attack weapons listed below and explain WHY. (10 points)

(a) packet sniffers; (b) spoofing; (c) password crackers; (d) denial-of-service; (e) virus; (f) worm (g) Malicious applets; (h) buffer overflow; (i) exploit bugs; (j) social engineering; (k) dumpster diving

2.8: After a while, Mallory was able to install a Trojan horse on the Workstation. Then he used the Trojan horse to help him steal the password of a non-root user account on the Workstation. Now Mallory was in which step of the seven penetration steps? What will Mallory do next on the Workstation? (10 points)

2.9: During the whole attack process from Mallory PC to the Workstation, password crackers can be useful in which steps and on which machines? (10 points)

Internet Mallory PC Firewall 1 Demilitarized Zone (DMZ) Web Server Firewall2 File Server Corporation LAN Workstation Figure 1: The Penetration Scenario

Explanation / Answer

Q1.

Scanning tools/ Weapons perform active reconnaissance to know the open port, Server identification and then Banner grabbing.

Steps Involve:

Port Scanning:

Scanning tool perform idle scan which revels open ports without alerting IDS or firewall. Port Scanning is achieved by the use of combination of Ping, Traceroute and netkitten command internally by the Scanning tools.

Ping: if range of IP addresses for our target network are know then ping helps in determining which IP addresses are actually in use by hosts on the network.

Traceroute: Helps to figure out the topology of the network: i.e wee the routers are with respect to the hosts.

Finally NetKitten (nk): Helps to determine which ports are open with servers listening on them.

Identify the Server OS:

After knowing the open available ports, next step is to identify the server OS.

Some port servers’s OS are obvious and can be determined by the port scan output

While to confirm ports server’s OS too there are tools like Xprobe2 test and confirm.

Banner Grabbing:

This involves Scanning tools to connect to the server ports and passing some information that will return, at best, the application name and version number running on the server. Tools internally uses Telnet command

Telnet helps to determine the server name, version and patch.

Related Questions

Navigate

• Browse (All)
• Browse 2
• Subjects

---

---

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.