Midterm Solutions and Marking Scheme

    1. Short answer: The integer e is chosen arbitrarily from 1 to
       (p-1)*(q-1), and thus gives no information about n
      
       Long answer:
       The difference between knowing the pair (e,n) and just n alone is knowledge of e. The integer e is chosen to be any arbitrary integer in
       1,...,(p-1)*(q-1), avoiding only common divisors of p*q, that is
       { k*p } union { k*q }, a small fraction of the total (p-1)*(q-1)
       numbers.
      
    2. If Eve knows (e,n) and can factor n, then Eve knows p and q.
       Eve can then:
       1) Find d such that e*d = 1 mod (p-1)*(q-1); this can be done quickly using the extended Euclidean algorithm
       2) Decrypt the ciphertext c by computing m = (c**d) % (p*q)
      
      2/3 for the above two steps without any details
      3/3 for some details (i.e. that Eve can do all of this quickly)
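      Worked example of Eve's two steps, added here as an illustration (it is not part of the exam or its answer key). It uses a constructed toy key p=61, q=53, e=17, small enough that trial division stands in for the factoring step; the function names are my own.

```python
def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, phi):
    """d with e*d == 1 (mod phi). The inverse exists only when gcd(e, phi) == 1,
    which is why e must be coprime to (p-1)*(q-1)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse modulo (p-1)*(q-1)")
    return x % phi

def trial_factor(n):
    """Toy factoring by trial division: fine for the 4-digit n below, hopeless for
    real 2048-bit moduli, which is the gap RSA's security rests on."""
    for f in range(2, int(n ** 0.5) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("n has no non-trivial factor")

def eve_decrypt(e, n, c):
    """Eve's two steps from the answer key once n is factored:
    1) d = e^-1 mod (p-1)(q-1) via the extended Euclidean algorithm,
    2) m = c^d mod n."""
    p, q = trial_factor(n)
    d = modinv(e, (p - 1) * (q - 1))
    return pow(c, d, n)

def demo():
    """Constructed toy key: p=61, q=53, n=3233, e=17 (d works out to 2753)."""
    p, q, e = 61, 53, 17
    n = p * q
    m = 65                        # plaintext
    c = pow(m, e, n)              # ciphertext Eve captured
    return {"c": c, "d": modinv(e, (p - 1) * (q - 1)), "recovered": eve_decrypt(e, n, c)}
```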
      
      
      1. rundll32.exe can run specific functions in a DLL
      2. Rundll32 parses the command and decides the intended DLL is: javascript:"\..\mshtml
      3. Rundll32 fails to find a manifest javascript:"\..\mshtml.manifest for the module and so calls LoadLibrary
      4. LoadLibrary finds mshtml.dll in the System directory and loads it, using RunHTMLApplication as the entry point
      5. RunHTMLApplication eventually executes the JS “..\mshtml,…calc.exe…”
      6. JavaScript treats the first statement as a string and does nothing with it, which is valid enough not to cause an error
      7. The second part creates a new ActiveX object connected to a Windows shell, and that shell is directed to run calc.exe
      
      5/5 Correct and Complete Answer
      3/5 Somewhat correct but evidence of misconceptions
      
      
    1. Check the Windows registry, looking for rundll32.exe; a popular location is HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    2. Remove traces of IE, being cautious of files, emails and Word docs, as they could be used as email vectors
  1. Nikto: open-source web server scanner that performs vulnerability scanning and tests for dangerous files/programs, version-specific issues, server configuration problems, etc.

    Defender can use it by:

    Defender can use it for:

    
    1 mark for definition. 2 marks for what defender can use it for.
    
    
    1. In Windows, applications can specify the path to the DLLs they load.
    2. DLLs can be linked at load time (static) or at runtime (dynamic).
    3. If loaded at run time, and the DLL is not already in memory or on the Known DLLs list, it is searched for using a search-order hierarchy.
    4. An attacker can place a malicious DLL of the same name higher up in the search order.
    5. The application would then load this malicious DLL instead of the legitimate one.

    How OS can prevent it:

    How application can prevent it:

    
    3 marks for explaining DLL Hijacking correctly and with all key details
    1 mark for how OS can prevent it
    1 mark for how application can prevent it
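    To make the search-order point concrete, here is an added Python simulation (not part of the exam or its answer key) that resolves a DLL name against a directory order and includes the audit a defender would run: which directories searched before the legitimate location are writable. The temp tree, the file name helper.dll and the two-directory order are constructed assumptions, and os.access stands in for a real Windows ACL check.

```python
import os
import shutil
import tempfile

def resolve_dll(name, search_order):
    """First directory in search_order holding `name` wins, mirroring the load-time
    search Windows performs when a DLL is neither already in memory nor on the Known
    DLLs list (simplified: one fixed order, no SafeDllSearchMode variations)."""
    for d in search_order:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def writable_dirs_before(search_order, expected_dir):
    """Defender audit: directories searched before the legitimate DLL's home that the
    current user can write to. Any hit is a hijack opportunity (assumption: os.access
    with W_OK stands in for a proper Windows ACL check)."""
    risky = []
    for d in search_order:
        if os.path.abspath(d) == os.path.abspath(expected_dir):
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            risky.append(d)
    return risky

def demo():
    """Constructed tree: a writable 'app' directory is searched before the 'system32'
    directory that holds the legitimate helper.dll (empty placeholder files)."""
    root = tempfile.mkdtemp()
    app, sysdir = os.path.join(root, "app"), os.path.join(root, "system32")
    os.makedirs(app)
    os.makedirs(sysdir)
    legit = os.path.join(sysdir, "helper.dll")
    open(legit, "w").close()
    order = [app, sysdir]
    result = {"audit_flags_app_dir": writable_dirs_before(order, sysdir) == [app],
              "clean_load_is_legit": resolve_dll("helper.dll", order) == legit}
    open(os.path.join(app, "helper.dll"), "w").close()   # same-named file earlier in the order
    result["after_plant_is_legit"] = resolve_dll("helper.dll", order) == legit
    shutil.rmtree(root)
    return result
```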
    
    
  2. Pretexting: an individual lies to obtain privileged data. Ex: IRS scam with threats of consequences
    
    Quid Pro Quo: something given to you / done for you in return for something. Ex: give your creds to someone to fix a problem
    
    Baiting: a real-world Trojan horse. Ex: access to a resource silently installs malware
    
    Piggybacking: Getting unauthorized access through an authorized but unaware person. Ex: holding the door open for someone else
    
    Shoulder Surfing: observing someone’s private information, commonly in public places
    
    Phishing: obtaining info via fraudulent means. Ex: a fake Facebook site that looks like the real one but actually submits your creds to the hacker
    
    
    2 marks for each correct definition. 
    If > 4 definitions given, remaining ones ignored
    
    
  3. Outline of the DNS spoofing demo and the role of each tool:
    1. The Facebook site was cloned and installed on the attacker's web server
    2. ARP cache poisoning was performed to allow the hacker to intercept communication between a target machine and the router/DNS server
    3. The attacker machine spoofed the DNS reply for facebook.com to point to the IP address of the attacker's web server
    4. The attacker machine saves the username and password from requests to http://facebook.com made by the target machine
    5. The attacker web server enables SSL using self-signed certs, and is then able to intercept https://facebook.com requests from the target as well (so long as the user accepts the warning)
    SET (Social-Engineer Toolkit): a set of tools an attacker can use to perform various social engineering attacks.
    For the demo, it was used to clone facebook.com

    Ettercap: tool used for MITM attacks, capable of intercepting traffic on the network.
    For the demo, it was used to perform ARP cache poisoning on the router so that the attacker machine could sit between a regular user and the DNS server/router. This allowed the attacker to redirect the user to the attacker's web server running the fake facebook.com

    Apache (HTTP server): open-source HTTP server that was used to host the cloned facebook.com site in the demo

    DNS server: the server that machines on the network query in order to get the IP addresses of domain names. For the demo, the attacker imitated the router/DNS server and mapped the facebook.com domain to the IP address of the hacker's web server running the fake site.

    Creation of digital certs: when using HTTPS, digital certificates issued by a trusted authority provide the web server's public key to the requesting client/browser in order to initiate encrypted communication. In the demo, self-signed certificates were created and added to the web server, so that when a victim is redirected to the attacker's server they can still communicate over HTTPS, so long as they accept the warning on the self-signed certificate (which people tend to do)
    
    
    1 mark for correctly identifying role of each of the 5 components
    5 marks for clear, concise outline of the demo
    
    
    1. Detect and alert if there is any ICMP packet from ip $EXTERNAL_NET to ip $HOME_NET on any port
      When alerting, log with message: "Incoming ICMP packet"
      The Snort rule id, for identification purposes, is 1000001
    2. The first rule detects a TCP packet from ip $EXTERNAL_NET to ip $HOME_NET on port 80 containing "AAAAAA"
      The first rule then sets the flowbit AAAAAA to true, but does not alert.
      The second rule detects TCP packets containing 111111 to port 80, and alerts only when the flowbit AAAAAA is set.
      If both rules are triggered in sequence, the only message will be "GOT 111111".
    
    Full marks for covering all important pieces without errors
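    Added illustration (not part of the exam): the two exercises' rules written out as Snort rule text, reconstructed from the description above, and fed through a minimal Python parser and matcher so the flowbits behaviour can be checked against constructed packets. The rule text is a reconstruction, the sids 1000002 and 1000003 are placeholders, and the matcher keeps flowbits in one global set rather than per flow.

```python
# Rule text reconstructed from the answer key's description (assumption: the exam's own
# rule file is not on the page; sids 1000002 and 1000003 are placeholders).
RULES = """
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Incoming ICMP packet"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GOT AAAAAA"; content:"AAAAAA"; flowbits:set,AAAAAA; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GOT 111111"; content:"111111"; flowbits:isset,AAAAAA; sid:1000003; rev:1;)
"""
def parse_rules(text):
    """Minimal parser for the options this exercise uses: msg, content, flowbits, sid."""
    rules = []
    for line in text.strip().splitlines():
        header, _, opts = line.partition("(")
        hdr = header.split()                      # action proto src sport -> dst dport
        rule = {"proto": hdr[1], "dport": hdr[6], "content": [], "flowbits": []}
        for opt in filter(None, (o.strip() for o in opts.rstrip(")").split(";"))):
            key, _, val = opt.partition(":")
            val = val.strip().strip('"')
            if key == "content":
                rule["content"].append(val.encode())
            elif key == "flowbits":
                rule["flowbits"].append(val.split(","))
            elif key in ("msg", "sid"):
                rule[key] = int(val) if key == "sid" else val
        rules.append(rule)
    return rules

def run(rules, packets):
    """Apply rules to packets in order; return [(sid, msg)] alerts. Flowbits live in one
    global set here (simplification: real Snort tracks them per TCP flow)."""
    bits, alerts = set(), []
    for pkt in packets:
        for r in rules:
            if (r["proto"] != pkt["proto"] or r["dport"] not in ("any", str(pkt["dport"]))
                    or not all(c in pkt["payload"] for c in r["content"])):
                continue
            if any((fb[0] == "isset") != (fb[1] in bits)
                   for fb in r["flowbits"] if fb[0] in ("isset", "isnotset")):
                continue                          # failed isset/isnotset: rule does not match
            bits.update(fb[1] for fb in r["flowbits"] if fb[0] == "set")
            if ["noalert"] not in r["flowbits"]:
                alerts.append((r["sid"], r["msg"]))
    return alerts

def demo():
    """Constructed traffic: ICMP, then 111111 before AAAAAA (must not alert), then AAAAAA, then 111111."""
    packets = [{"proto": "icmp", "dport": 0, "payload": b""},
               {"proto": "tcp", "dport": 80, "payload": b"GET /?q=111111 HTTP/1.1"},
               {"proto": "tcp", "dport": 80, "payload": b"GET /?q=AAAAAA HTTP/1.1"},
               {"proto": "tcp", "dport": 80, "payload": b"GET /?q=111111 HTTP/1.1"}]
    return run(parse_rules(RULES), packets)
```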