Question
2. All the following questions are against the penetration scenario shown in Figure 1. In this penetration scenario,
Mallory is a remote attacker who has no user account of the corporation. The goal of Mallory is to gain root privilege
on the Workstation.
2.1: Since Mallory knows nothing about the corporation, he
will need to start with the reconnaissance step. In particular,
since breaking into the internal Corporation LAN (see Figure
1) is much harder than breaking into the Web Server,
Mallory will target the Web Server in this step. To do
reconnaissance against the Web Server, Mallory will need to
use a set of scanning tools. In particular, one of these
scanning tools, when executed on Mallory PC, told Mallory
that the Web Server was running Apache HTTP Server
Version 2.0. What did the scanning tool/weapon do in order
to collect such useful information? Please give a step-by-step
explanation. (10 points)
2.2: When the reconnaissance step ends, Mallory knew that
the Web Server httpd program had a buffer overflow bug
(vulnerability). To exploit this vulnerability to break into the
Web Server, Mallory should take the Probe step and use a
specific remote exploit tool. Which attack weapon would be used by Mallory? Which kind of attack packets will be
created and sent to the Web Server by this attack weapon? (10 points)
2.3: During the Toehold step, the buffer overflow bug was successfully exploited and Mallory’s malicious code was
executed on the Web Server. The malicious code can enable Mallory to remotely log in to the Web Server. When
Mallory remotely logs in to the Web Server, what are the three most urgent things for Mallory to do? Why are they
urgent? (10 points)
2.4: Next, Mallory wanted to break into the File Server inside Firewall 2. So Mallory would take the reconnaissance step
and the Probe step again. The reconnaissance tool told Mallory that the File Server has a TCP port open to accept and
process RPC requests. Since Mallory knew that many RPC server programs have buffer overflow bugs, he would probe
this port. Please list all the possible attack weapons that could help Mallory probe the port; then please tell which attack
weapon is the best one for this attacking purpose. (10 points)
2.5: After the Probe step succeeded, Mallory would gain root privilege on the File Server and be able to remotely log in
to the File Server. Let’s assume Mallory was not ready at this moment to attack and break into the Workstation from
the File Server. So he was worried that his attack traces could be detected and the RPC buffer overflow bug could be
patched when he got ready to attack the Workstation. What could Mallory do to remove this concern? Please give a step-
by-step answer. (10 points)
2.6: Now Mallory was ready to attack the Workstation from the File Server. In this stage, should Mallory use any
monitoring tools? If so, what can these monitoring tools do and why are they helpful? (10 points)
2.7: When attacking the Workstation, the reconnaissance tools did not find any buffer overflow vulnerabilities. So
Mallory could no longer send buffer overflow packets (or requests) to the Workstation. Now Mallory needed to do some
other things. Please select all the useful ones from the attack weapons listed below and explain WHY. (10 points)
(a) packet sniffers; (b) spoofing; (c) password crackers; (d) denial-of-service; (e) virus; (f) worm; (g) Malicious
applets; (h) buffer overflow; (i) exploit bugs; (j) social engineering; (k) dumpster diving
2.8: After a while, Mallory was able to install a Trojan horse on the Workstation. Then he used the Trojan horse to help
him steal the password of a non-root user account on the Workstation. Now Mallory was in which step of the seven
penetration steps? What will Mallory do next on the Workstation? (10 points)
2.9: During the whole attack process from Mallory PC to the Workstation, password crackers can be useful in which steps
and on which machines? (10 points)
Figure 1: The Penetration Scenario (figure not reproduced; its labels are: Internet, Mallory PC, Firewall 1, Demilitarized Zone (DMZ) with the Web Server, Firewall 2, File Server, Corporation LAN with the Workstation)
Explanation / Answer
Viruses:
Viruses have been around since the early 1980s (see article: History of Computer Viruses). A computer virus is a program that gets into a computer system by means of hardware or software without the knowledge of the computer user, and then attaches itself to a program file. The virus then starts to replicate itself and do the damage it has been programmed to do. There are many different kinds of computer viruses out there, and each has a different way that it works. They can be quite damaging to a computer system, so it is important that you have a good anti-virus program in place to protect your computer (for more info read: What is a Computer Virus?).
Trojan Horses:
A Trojan is not a computer virus in the sense that it doesn't get into your computer and self-replicate. The Trojan derives its name from the ancient Greek story of the Trojan Horse, where a group of warriors invades a city by hiding within a giant wooden horse. The residents of the city thought the horse to be a gift, never knowing what was hidden inside, so they rolled the horse in, bringing their enemy within the city walls with it. The Greek Trojan horse appeared to be something that it was not, just as the computer Trojan appears to be something that it is not. A computer Trojan is software that appears to function in a certain way (such as a program that you may have downloaded to remove viruses or spyware), when in reality it performs another action, unknown to the user. A Trojan is not always harmful and damaging to your computer, but it can open a backdoor for hackers to get into your computer and cause damage or retrieve information. A good firewall program is the most effective means to stop a Trojan Horse (regular computer updates and an antivirus program also help prevent Trojan Horses).
Computer Worms:
Computer worms are like a virus in the fact that they do replicate themselves within your computer system. However, a computer worm does not have to attach itself to a program in your system like a computer virus does in order to function. Also, unlike a computer virus, which generally corrupts and modifies files on your computer to cause damage, a computer worm generally localizes its damage to the computer network by causing increased bandwidth. However, computer worms may have a "payload" that can delete files, encrypt files or email files on the host computer. A very common payload for a worm is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under the control of the worm author. Computer worms can often spread via email, as the SoBig and MyDoom worms did (from 2003 and 2004 respectively).
GIVEN SOLUTION:
ONLY ONE ANSWER COMPLETED
Buffer overflow attacks:
A buffer overflow attack is where the attacker tries to attack with the help of the memory. In a buffer overflow attack, the program starts to write more data than fits in a fixed-length allocation in the program, and then, because of memory shortage, the program starts writing beyond what is allotted to it. So, in this case, the attacker will make a buffer overflow happen, and then the attacker can access memory which is not allocated to the program and can know what the program is actually writing.
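As an added illustration of the bug class the answer describes (example code written for this page, not part of the original answer or of any real httpd): an unchecked fixed-size copy of a request field beside a bounded version that refuses over-long input instead of overrunning the buffer. The field strings and the 16-byte buffer size are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Vulnerable pattern: a request field is copied into a fixed-size stack
 * buffer with no length check. Any field longer than BUF_LEN - 1 bytes
 * overruns the buffer and overwrites adjacent stack memory; this is the
 * class of bug the question attributes to the Web Server's httpd. */
void parse_field_unsafe(const char *field)
{
    char buf[BUF_LEN];
    strcpy(buf, field);            /* no bounds check: overflow if too long */
    printf("field=%s\n", buf);
}

/* Hardened form: measure the field against the destination size first,
 * refuse anything that does not fit (so the caller can log and drop the
 * request rather than silently truncate it), then copy with an explicit
 * bound and a guaranteed NUL terminator. Returns 0 on success, -1 if the
 * field would overflow out[]. */
int parse_field_safe(const char *field, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && field[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= out_len)
        return -1;                 /* would overflow: refuse the request */
    memcpy(out, field, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char out[BUF_LEN];
    const char *ok  = "GET /index";                       /* constructed, fits */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed, 32 bytes */

    parse_field_unsafe(ok);   /* only safe here because the input fits */
    printf("safe(ok)  -> %d\n", parse_field_safe(ok, out, sizeof out));   /* 0 */
    printf("safe(bad) -> %d\n", parse_field_safe(bad, out, sizeof out));  /* -1 */
    return 0;
}
```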