2. All the following questions are against the penetration scenario shown in Figure 1. In this penetration scenario,

Mallory is a remote attacker who has no user account of the corporation. The goal of Mallory is to gain root privilege

on the Workstation.

2.1: Since Mallory knows nothing about the corporation, he

will need to start with the reconnaissance step. In particular,

since breaking into the internal Corporation LAN (see Figure

1) is much harder than breaking into the Web Server,

Mallory will target the Web Server in this step. To do

reconnaissance against the Web Server, Mallory will need to

use a set of scanning tools. In particular, one of these

scanning tools, when executed on Mallory PC, told Mallory

that the Web Server was running Apache HTTP Server

Version 2.0. What did the scanning tool/weapon do in order

to collect such useful information? Please give a step-by-step

explanation. (10 points)

2.2: When the reconnaissance step ends, Mallory knew that

the Web Server httpd program had a buffer overflow bug

(vulnerability). To exploit this vulnerability to break into the

Web Server, Mallory should take the Probe step and use a

specific remote exploit tool. Which attack weapon would be used by Mallory? Which kind of attack packets will be

created and sent to the Web Server by this attack weapon? (10 points)

2.3: During the Toehold step, the buffer overflow bug was successfully exploited and Mallorys malicious code was

executed on the Web Server. The malicious code can enable Mallory to remotely login into the Web Server. When

Mallory remotely logins into the Web Server, what are the three most urgent things for Mallory to do? Why are they

urgent? (10 points)

2.4: Next, Mallory wanted to break into the Fire Server inside Firewall 2. So Mallory would take the reconnaissance step

and the Probe step again. The reconnaissance tool told Mallory that the File Server has a TCP port open to accept and

process RPC requests. Since Mallory knew that many RPC server programs have buffer overflow bugs, he would probe

this port. Please list all the possible attack weapons that could help Mallory probe the port; then please tell which attack

weapon is the best one for this attacking purpose. (10 points)

2.5: After the Probe step succeeded, Mallory would gain root privilege on the File Server and be able to remotely login

into the File Server. Lets assume Mallory was not ready at this moment to attack and break into the Workstation from

the File Server. So he was worried that his attack traces could be detected and the RPC buffer overflow bug could be

patched when he got ready to attack the Workstation. What could Mallory do to remove this concern? Please give a step-

by-step answer. (10 points)

2.6: Now Mallory was ready to attack the Workstation from the File Server. In this stage, should Mallory use any

monitoring tools? If so, what can these monitoring tools do and why are they helpful? (10 points)

2.7: When attacking the Workstation, the reconnaissance tools did not find any buffer overflow vulnerabilities. So

Mallory could no longer send buffer overflow packets (or requests) to the Workstation. Now Mallory needed to do some

other things. Please select all the useful ones from the attack weapons listed below and explain WHY. (10 points)

(a) packet sniffers; (b) spoofing; (c) password crackers; (d) denial-of-service; (e) virus; (f) worm (g) Malicious

applets; (h) buffer overflow; (i) exploit bugs; (j) social engineering; (k) dumpster diving

2.8: After a while, Mallory was able to install a Trojan horse on the Workstation. Then he used the Trojan horse to help

him steal the password of a non-root user account on the Workstation. Now Mallory was in which step of the seven

penetration steps? What will Mallory do next on the Workstation? (10 points)

2.9: During the whole attack process from Mallory PC to the Workstation, password crackers can be useful in which steps

and on which machines? (10 points)

Internet Mallory PC Firewall 1 Demilitarized Zone (DMZ) Web Server Firewall2 File Server Corporation LAN Workstation Figure 1: The Penetration Scenario