CSC347 Introduction to Information Security
Assignment 2

Due: November 16, 2017 at 11:59 PM
Late penalty: 10% for 1 day, 20% for 2 days
Hand in: Please place your solutions in a2.zip and then submit it electronically here
Marking:
Groups: Groups of size 2. Both students receive the same mark.

Setup

This assignment involves VMs that can be downloaded via cut and paste from this script. Included among these is a Kali Linux VM. Make sure you set Kali for host-only networking. Also, for question 2, please add the Clean and Compromised vmdk files as new SCSI drives to the Kali machine.

Software Security

  1. [23 Marks] Ubuntu804Server_owasp running fourFours. When run on a lab machine, this web application is available at http://THIS.VMS.IP.ADDRESS/fourFours/. You should run it there unless you know how to configure networking for VMware at home.
    1. [10 Marks]

      The fourFours web application has many vulnerabilities. For this exercise, we will explore some of the vulnerabilities and then fix them. /var/www/fourFours/index_fixed.php has directions outlining the vulnerabilities in the application as well as how you can fix them. For this question, just explore the outlined vulnerabilities, documenting each with an example. For SQL Injection, please use SQLMAP in Kali Linux. You should attack index.php.

      For reference, please take a look at the OWASP Top 10.

    2. [10 Marks]

      For this question, follow the instructions and fix the vulnerabilities. Submit index_fixed.php.

      Some pointers: To change to root, execute sudo bash, entering arnold's password. I am in the sudoers group. You can find the web application at /var/www.

    3. [3 Marks] You have the VM, so you essentially have physical access to the system. Figure out how to get /etc/shadow and /etc/passwd from the VM without initially having any accounts or passwords. Document your approach. Is there any way to prevent these attacks?
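The fix that question 1.2 asks for in index_fixed.php comes down to never building SQL text out of user input. The following is an added example, not code from fourFours or from the course: it uses Python's built-in sqlite3 as an offline stand-in for the app's PHP/PostgreSQL code, with a constructed users table, and places a string-built query next to its parameterized form so the difference in behaviour can be observed directly.

```python
"""String-built query vs. parameterized query (added example, not fourFours code).

fourFours is PHP on PostgreSQL; sqlite3 is used here only so the example runs
offline.  The users table and its rows are constructed sample data.
"""
import sqlite3


def make_db():
    """Create an in-memory users table holding two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("arnold", "arnold@example.invalid"), ("serguei", "serguei@example.invalid")],
    )
    return conn


def lookup_unsafe(conn, name):
    """The 'before' form: the caller's string is spliced into the SQL text.

    A quote character in `name` ends the literal early, so the remainder of the
    input is parsed as SQL and changes what the statement means.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: the statement text is fixed and `name` travels as a bound value.

    The database receives the value separately from the query, so no content of
    `name` can alter the statement's structure.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign name and on a constructed tautology input."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input: the quote closes the literal early
    return {
        "unsafe_benign": lookup_unsafe(conn, "arnold"),
        "unsafe_tautology": lookup_unsafe(conn, tautology),  # every row comes back
        "safe_tautology": lookup_safe(conn, tautology),      # no user has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

In PHP the same correction is pg_query_params() or a PDO prepared statement with bound parameters; the principle is identical, the query text is constant and the input is sent as data, which is also what makes the SQLMAP run against the fixed page come up empty.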

System Security

  [17 Marks] We suspect that one of the RH72 VMs has been compromised. We have an uncompromised image, and are hoping you can either declare the image clean or say what you think has happened to it. At the very least we feel it has been attacked. For each step below, explain:
  1. Unpack the clean and compromised images.
  2. You don't want to run the images, especially the potentially compromised one, because of the malware it may contain. Instead, mount the images' hard drives in Kali Linux. This is the equivalent of removing the HD, putting it in an enclosure and then reading it on another system. Of course, you would first take an image of the initial state of the drive. Do this by adding new SCSI HDs to Kali under the VMware settings, then browse for the existing vmdk in the Clean and Compromised VMs.
  3. Unfortunately, the compromised image was killed instead of being shut down properly. In general, you might have to fix up an improperly shut down system. We have already done this for you. FYI, we did the following... The drive itself is corrupted, fixed via... on VMware Fusion; vmware-vdiskmanager is available on other platforms.
  4. Kali Linux: log in as root/toor.
  5. [1 Mark] Check the most recently updated files in the compromised system. A well-chosen find will do the trick. Report your find command and the results.
  6. [2 Marks] Check for differences in files on both systems: recursive diff is your friend (check the options). Do a brief recursive diff and send it to a file, then do a full diff and send it to a file. Make sure to check both volumes. Report your two diff commands as well as their results.
  7. [1 Mark] Check the bash history for all users. If you found nothing, does this mean that nothing happened to that account?
  8. [1 Mark] Any account passwords changed? New accounts added? Anything suspicious? Report your results.
  9. [1 Mark] Who logged in when? See wtmp.
  10. [1 Mark] Determine whether they installed any software, for example via rpm. Hint: the time at which things were installed matters if it comes into question.
  11. [1 Mark] Check which processes are run via cron (/etc/cron.d). Anything unusual?
  12. [1 Mark] Are there any unexpected services set up? Check xinetd.d. Anything unusual?
  13. [1 Mark] Which processes run at system startup? Check rc.d. Anything unusual?
  14. [3 Marks] Check the logs in /var/log. Anything interesting?
  15. [2 Marks] If you see any funny IP addresses, try dig, whois and nslookup; you can also see if they are in a list of bad IP addresses, another one, or run the IP address through VirusTotal.
  16. [1 Mark] Just for fun, pull the shadow and passwd files from the compromised system and run john on them in Kali Linux.
  17. [1 Mark] What's your preliminary opinion of the VM: was it attacked? If so, by whom? Was it compromised? Is it still clean? These are not yes/no answers in some cases. Talk about how confident you are in the system.
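Step 8 (changed passwords, new accounts) is the one step in this procedure where a side-by-side comparison of two mounted images is easy to automate. The following is an added example, not part of the assignment's materials: it parses /etc/passwd and /etc/shadow as read off the clean and the suspect image and reports what differs. The mount names /mnt/clean and /mnt/suspect are assumed, and the file contents embedded below are constructed so that the checks have something to report.

```python
"""Compare the account databases of a clean image and a suspect image.

Added example, not the assignment's own code.  On Kali the two vmdk drives are
mounted and the files read from <mount>/etc/passwd and <mount>/etc/shadow; the
mount points used in main() are assumed names, and the sample contents below are
constructed so the output illustrates each kind of finding.
"""
from pathlib import Path

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample data standing in for the files read off the mounted images.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
arnold:x:1000:1000:Arnold:/home/arnold:/bin/bash
"""
CLEAN_SHADOW = """\
root:$6$cleanrootsalt$cleanroothash:17300:0:99999:7:::
bin:*:17300:0:99999:7:::
arnold:$6$cleanarnsalt$cleanarnhash:17300:0:99999:7:::
"""
SUSPECT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
arnold:x:1000:1000:Arnold:/home/arnold:/bin/bash
sysadm:x:0:0::/tmp/.x:/bin/bash
"""
SUSPECT_SHADOW = """\
root:$6$cleanrootsalt$cleanroothash:17300:0:99999:7:::
bin:$6$newbinsalt$newbinhash:17486:0:99999:7:::
arnold:$6$newarnsalt$newarnhash:17486:0:99999:7:::
sysadm:$6$sysadmsalt$sysadmhash:17486:0:99999:7:::
"""


def parse_passwd(text):
    """Map username -> dict of the seven passwd fields."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts[parts[0]] = dict(zip(PASSWD_FIELDS, parts))
    return accounts


def parse_shadow(text):
    """Map username -> (hash field, day of last password change)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[parts[0]] = (parts[1], parts[2])
    return entries


def is_locked(hash_field):
    """A hash field starting with '!' or '*' cannot authenticate anyone."""
    return hash_field.startswith(("!", "*"))


def compare_accounts(clean_passwd, clean_shadow, suspect_passwd, suspect_shadow):
    """Return human-readable findings, in a fixed order, or [] if nothing differs."""
    findings = []
    for name in sorted(set(suspect_passwd) - set(clean_passwd)):
        e = suspect_passwd[name]
        findings.append(f"new account {name}: uid={e['uid']} shell={e['shell']} home={e['home']}")
    for name in sorted(set(clean_passwd) - set(suspect_passwd)):
        findings.append(f"account removed: {name}")
    for name in sorted(set(clean_passwd) & set(suspect_passwd)):
        for field in ("uid", "gid", "home", "shell"):
            old, new = clean_passwd[name][field], suspect_passwd[name][field]
            if old != new:
                findings.append(f"{name}: {field} changed {old} -> {new}")
    for name in sorted(suspect_passwd):
        if suspect_passwd[name]["uid"] == "0" and name != "root":
            findings.append(f"{name}: uid 0 but not root")
    for name in sorted(suspect_shadow):
        new_hash, changed = suspect_shadow[name]
        if new_hash == "":
            findings.append(f"{name}: empty password field (no password needed)")
        if name not in clean_shadow:
            continue  # already reported above as a new account
        old_hash = clean_shadow[name][0]
        if old_hash == new_hash:
            continue
        if is_locked(old_hash) and not is_locked(new_hash):
            findings.append(f"{name}: previously locked account now has a password (day {changed})")
        else:
            findings.append(f"{name}: password hash changed (day {changed})")
    return findings


def load_image(mount_root):
    """Parse passwd and shadow from a mounted image root (assumed mount layout)."""
    root = Path(mount_root)
    return parse_passwd((root / "etc/passwd").read_text()), parse_shadow((root / "etc/shadow").read_text())


def demo():
    """Run the comparison on the constructed sample data."""
    return compare_accounts(parse_passwd(CLEAN_PASSWD), parse_shadow(CLEAN_SHADOW),
                            parse_passwd(SUSPECT_PASSWD), parse_shadow(SUSPECT_SHADOW))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # Against real mounts (assumed names): compare_accounts(*load_image("/mnt/clean"), *load_image("/mnt/suspect"))
```

The last-change day in the shadow file is days since the epoch; comparing it with the file timestamps from step 5 and the wtmp logins from step 9 is what turns a list of differences into a timeline.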

Cryptography

  1. [2 Marks] Use openssl (see dgst) (installed on cslinux and on Linux lab machines) to determine which of threeLaws1.txt, threeLaws2.txt or threeLaws3.txt the sha256 hash came from.
  2. [4 Marks] Write a python program mine.py which behaves as follows:

      mine.py "000" this.txt
      # output file: this.txt.mined
      # such that sha256 this.txt.mined starts with the given prefix
      # Do this by repeatedly appending "[SOME STRING]" to this.txt and sha256
      # the result until the specified prefix is present. Then write the new file.

  3. [10 Marks] Public Key Cryptography (openssl on cslinux and Linux lab machines)

      Please find the following:

      • Arnold's Certificate: arnoldscert.pem. View this via openssl x509 -in arnoldscert.pem -inform pem -text -noout.
      • Serguei's Certificate: sergueiscert.pem. View this via openssl x509 -in sergueiscert.pem -inform pem -text -noout.
      • A Certificate Signing Request: req.pem. View this via openssl req -in req.pem -text -noout.
      • openssl.zip (to be unzipped in your directory on cslinux).

      Your job: understand and document the following scripts (in this order):

      • openssl/caSetup
      • openssl/caAnswerCSR
      • makeCSR/doIt
      • crypto/doIt (you need to complete this one)

      The result of running these scripts leaves files in the openssl directory. Zip all of this and submit it back, again with your documented scripts.
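One way to write the mine.py program asked for in question 2 of this section, added here as an illustration and not the course's reference solution. It follows the specification literally: "[SOME STRING]" is appended once per attempt and the whole file is re-hashed until the SHA-256 hex digest starts with the requested prefix. The sample text in demo() is constructed; the marker and the output-name convention come from the question.

```python
"""mine.py: append a marker until sha256(file) starts with a given hex prefix.

Added example, not the course's solution.  Usage: python mine.py "000" this.txt
writes this.txt.mined.  The marker "[SOME STRING]" is taken verbatim from the
assignment text; with no arguments the script mines a constructed sample.
"""
import hashlib
import sys

MARKER = b"[SOME STRING]"
HEX_DIGITS = set("0123456789abcdef")
SAMPLE = b"constructed sample text\n"  # stands in for this.txt


def is_hex_prefix(prefix):
    """Only a non-empty lowercase hex string can ever match a hex digest."""
    return len(prefix) > 0 and set(prefix) <= HEX_DIGITS


def sha256_hex(data):
    """Hex SHA-256 of a bytes object."""
    return hashlib.sha256(data).hexdigest()


def mine(data, prefix, marker=MARKER, max_attempts=10_000_000):
    """Append `marker` once per attempt until the digest starts with `prefix`.

    Expected attempts are about 16**len(prefix), so "000" needs roughly 4096
    tries.  Returns the mined bytes; raises if the bound is exhausted.
    """
    prefix = prefix.lower()
    if not is_hex_prefix(prefix):
        raise ValueError(f"prefix must be hexadecimal, got {prefix!r}")
    candidate = bytearray(data)
    for _ in range(max_attempts):
        candidate += marker
        if sha256_hex(candidate).startswith(prefix):
            return bytes(candidate)
    raise RuntimeError(f"no digest with prefix {prefix!r} within {max_attempts} attempts")


def mine_file(prefix, path):
    """Read `path`, mine it, write `<path>.mined`; return (output path, digest)."""
    with open(path, "rb") as f:
        data = f.read()
    mined = mine(data, prefix)
    out_path = path + ".mined"
    with open(out_path, "wb") as f:
        f.write(mined)
    return out_path, sha256_hex(mined)


def demo(prefix="00"):
    """Mine the constructed sample in memory; return (mined bytes, digest)."""
    mined = mine(SAMPLE, prefix)
    return mined, sha256_hex(mined)


def main(argv):
    if not argv:
        mined, digest = demo()
        print(f"sample mined to {len(mined)} bytes, sha256 {digest}")
        return 0
    if len(argv) != 2:
        sys.stderr.write("usage: mine.py PREFIX FILE\n")
        return 2
    out_path, digest = mine_file(argv[0], argv[1])
    print(f"{out_path}: sha256 {digest}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the specification appends the same fixed string on every attempt, the buffer grows and each attempt re-hashes the whole file, so the total work is quadratic in the number of attempts; real proof-of-work schemes keep the input size constant by varying a counter instead, which is worth noting in your write-up even though the question asks for the literal behaviour.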

Questions and Answers

  Question:
  How do I access the system?
  Answer:
  ssh into the VM with arnold/password, then sudo bash
  Question:
  How do I get into the db?
  Answer:
  psql -U ff -d fourfours -h localhost # find the password in the index.php script
  Question:
  How do I reset the db?
  Answer:
  Login to the db as above and then \i /var/www/fourFours/dev/schema.sql
  Question:
  tapanscert.pem has been removed from question crypto, part 3.
  Answer:
  I have changed tapanscert.pem to sergueiscert.pem, so we are now using a different digital certificate. Also updated is openssl/crypto/doIt, where tapan is similarly replaced with serguei. There are no other changes. Please make sure you are solving the new version of this question. You can find the updates in openssl.zip.
  Question:
  How do I ssh into Kali Linux?
  Answer:
  Not sure why you want to do this; you just log in using root/toor, but if you like, see this.