Hello I need help answering these 4 multi-part questions for Information Security

1. This case pertains to a Lenovo Exploit in which the attacker creates a buffer in the memory containing exploit code to be executed in the system management mode (SMM). The attacker then creates a structure with a pointer to the exploit code's entry point and triggers a System Management Interrupt (SMI), passing a reference to that structure. The SMM driver then calls the exploit code via the supplied function pointer. A vulnerability exists in the system management mode BIOS Extensible Firmware Interface (EFI) driver as it allows a local administrator to execute arbitrary code with SMM privileges via unspecified vectors. Other known conditions include: the attacker must be able to execute kernel-level code on the system. The vulnerability is built into the BIOS and, therefore, it is always there. There is no user configuration required. Normally the contents of SMRAM are hidden by hardware from access by kernel-level code. This attack allows full disclosure of the precise content of SMRAM.

i. Use the CVSS Calculator 3.1 (go to https://www.first.org/cvss/calculator/3.1) to get the base score for the above use case. Give a snapshot of the calculator showing the metrics and the vulnerability score. Explain your choice of metrics.

ii. Now add suitable temporal and environmental scores and see how the vulnerability score changes. Give this value and the changed vector string.

2. Use the Kali Linux instance that you have created in VirtualBox for this exercise. Give the output of the following commands below:

a. Use date and cal/ncal commands to check system date and time. Does it show the correct date? If not, correct it.

b. Explain the output of the time command.

c. Find about yourself using whoami and pwd. What is the full form of pwd?

d. ls can be used to list files. How do you see hidden files? What does ls -la do?

e. Make a sub-directory temp under your directory.

f. Change to temp directory and list the contents. What do you see?

g. Use cat to create new1.txt containing the characters "First new file created in temp".

h. Use cat to display the contents. Use --help to see all options of cat.

i. Use echo to create new2.txt with some content.

j. Use echo to append more content to new1.txt.

k. Use cat to add the content of new1.txt to the already existing content of new2.txt.

l. Locate new1.txt with the locate command.

m. Copy file new1.txt to your directory.

n. Move file new2.txt to your directory.

o. What does grep stand for? Use grep to find a space in new2.txt.

p. Check temp to verify the last two actions.

q. Remove new1.txt from temp.

r. Delete sub-directory temp.

s. What outputs do uname and uname -a commands give?

t. Check users on the system using the users command.

u. Add a new user Bob.

v. Use passwd to change Bob's password.

w. Test less command to view files and verify that new1.txt exists in your directory.

x. Give the output of the history command.

y. Practice nano editor on the new2.txt file. You may have to do sudo nano new2.txt. Learn about the sudo superuser option.

(Your submission must contain outputs for b., d., f., h., k., s., u. and x.)

3. In this problem you will use the hashcat password recovery tool built into Kali Linux to recover/break passwords. Use man hashcat to learn about the hashcat utility.

Passwords are stored in computers in hashed form. We'll simulate that by creating a file called secret_pwd.txt using a hash function like MD5 or SHA1. The following command is one way to do it:

echo -n password123 | md5sum > secret_pwd.txt

Use sudo nano secret_pwd.txt to see that the file has an MD5 hash of the given password. If there are extra characters (usually a space and/or a -) delete them manually or use the tr command with an appropriate option.

Now use hashcat to recover the password from the secret_pwd file.

hashcat -m 0 -a 0 secret_pwd.txt /usr/share/wordlists/rockyou.txt

Option -m indicates the type of hash and -a is the attack mode. The text file rockyou.txt is the word list file that is available in Kali and contains millions of passwords. It is in zipped form; you have to unzip it. Change to directory /usr/share/wordlists and do ls to see the zipped file. Then do sudo gunzip rockyou.txt.gz. Confirm with ls. If you do not have gzip installed, you can do it with sudo apt-get install gzip.

Return to your folder and run the hashcat command. You will get the cracked password and the time it took to crack it. Now, to get an idea of the strength of a password, crack the passwords pass@word and Pass12word and note the difference in the time it took to crack each of them. Answer the following:

a. Which one was more difficult to crack? How much time did it take?

b. Read about attack mode -a and hash type -m. Hash Pass12word using SHA1 and crack this. How much time did this take? Compare with the time taken to crack the same password hashed with MD5 and report.

c. Submit snapshots showing that you could crack all three passwords (two with MD5 and one with SHA1).

4. Download Wireshark and install it. Then do the following:

Part 1:

a. Start Wireshark and select the appropriate port to capture traffic. If you are accessing the Internet using Wi-Fi, then select that port. If you are using a desktop, it will usually be the Ethernet port.

b. Access the UMSL University website. Notice that you will reach an http (insecure) site. After a few seconds, click a few other links on the page and you will see that you reach the https (secure http) parts of the website. How would you know that you are now using https and not http?

c. In the packet pane select the first http packet with GET command (use the magnifying glass symbol or http as a display filter or just locate by scanning the packets). Answer the following:

i. Which protocols do you see in the packet details pane?

ii. Which layer in the packet details pane contains the target host IP address (in this case UMSL)? Give the address.

iii. Expand the Hypertext Transfer Protocol tab and examine the type of data it contains. What is the address of the target?

iv. What is the port number used by HTTP? Where did you find it?

v. In the HTTP OK packet what is the content type and when was it last modified? Examine other HTTP OK packets for type of content.

vi. Under TCP see the source and destination ports and verify that they are correct.

vii. Locate a secure http packet. What is the TCP destination port number? Why is it not 80?

d. Security professionals need more columns to examine traffic. Change the display to add the following columns. Give a snapshot of the final screen.

i. Source port number next to source IP address

ii. Destination port number next to Destination IP address

iii. HTTP host, HTTP server after the Length column

iv. Finally change the Time to UTC date and time format

e. Using the Statistics drop-down menu, check how many http packets were sent and also give a snapshot of the I/O graph.

f. Give a snapshot of the output with the filter (ip.addr==134.124.1.234) and (http.connection).

g. Study the TCP connection setup before the first HTTP GET. What are the flags set to in the three packets that constitute a 3-way handshake?

Part 2: Change the network setting of your VM to bridge adapter. Run Wireshark in the VM with Kali Linux using sudo wireshark command. Capture traffic on the appropriate port.

Ping is a good way to see if a host/server is up and running. In another Kali window, ping 8.8.8.8 (let it run for a few seconds). Ping uses ICMP for echo and response. In the Wireshark packet pane, find a packet whose destination IP address is 8.8.8.8 (Google) and answer the following questions:

a. Which protocols do you see in the packet details pane?

b. Click v near ICMP for details and find the type and code of ICMP packets. Search on the Internet and find what type of ICMP packet this is.

c. Click a packet where source is 8.8.8.8 (ip.addr==8.8.8.8) and check the type and code. What does this type mean?

d. Check the sequence number, find this echo in the Kali window in which you are running ping, and match the response time.

e. Why are there no TCP protocol details in the packet details pane?

f. What is TTL and why are TTL values different in ping and its echo?

g. Why are there no source and destination port numbers?

h. Echo request (Ping) and response should have the same sequence number and identifier in normal packets. Verify and report findings.

i. Do a traceroute to 8.8.8.8. Identify the different ISPs on the route (you can use an IP lookup tool like the Ultratools website). Which protocols is it using?

Please answer all parts in all 4 questions and give a proper response to each part in every question. Thank you very much.
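The hash-file preparation step in question 3 trips people up because `md5sum`/`sha1sum` append a space and a `-` that hashcat will not accept. The following script is an added example, not part of the student's question or of hashcat's own tooling: it writes a clean hex digest for MD5 or SHA1, shows the `tr` clean-up for a file that already carries the suffix, and pairs each algorithm with its hashcat `-m` mode (0 for MD5, 100 for SHA1; `-a 0` is the dictionary mode the question uses). The `secret_pwd.txt` name and wordlist path come from the question; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the original question or from hashcat).
# Prepares the hash file that question 3 describes, without the
# trailing " -" that md5sum/sha1sum append, and reports the hashcat mode.
set -eu

# Print only the hex digest of PASSWORD under ALGO (md5 or sha1).
# printf '%s' (like echo -n) avoids hashing a trailing newline;
# cut drops the " -" that the coreutils hashing tools add.
digest_only() {
    algo=$1; password=$2
    case "$algo" in
        md5)  printf '%s' "$password" | md5sum  | cut -d' ' -f1 ;;
        sha1) printf '%s' "$password" | sha1sum | cut -d' ' -f1 ;;
        *)    echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
}

# hashcat's -m value for each algorithm: 0 = MD5, 100 = SHA1.
hashcat_mode() {
    case "$1" in
        md5)  echo 0 ;;
        sha1) echo 100 ;;
        *)    return 1 ;;
    esac
}

# Clean a file written with plain `md5sum > file` in place:
# keep only hex digits (this is the tr step the question mentions).
strip_suffix() {
    tr -cd '0-9a-f' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Write a clean hash file and print the hashcat command that matches it.
make_hash_file() {
    algo=$1; password=$2; out=$3
    digest_only "$algo" "$password" > "$out"
    echo "hashcat -m $(hashcat_mode "$algo") -a 0 $out /usr/share/wordlists/rockyou.txt"
}

# Example run: the three passwords from the question, MD5 and SHA1.
# (Constructed demo; writes into a temporary directory.)
workdir=$(mktemp -d)
make_hash_file md5  password123 "$workdir/secret_pwd.txt"
make_hash_file md5  pass@word   "$workdir/secret_pwd2.txt"
make_hash_file sha1 Pass12word  "$workdir/secret_pwd_sha1.txt"
```

Comparing the digest files side by side also makes the point of part 3b concrete: the hash length changes (32 hex chars for MD5, 40 for SHA1) but the wordlist attack is identical, only the per-hash cost differs.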
