This homework will have you explore a few topics related to security vulnerabilities and networking.
There are three parts to this assignment. As part of this assignment, you will have to create a document, called `networks.pdf`, and submit that file. We aren’t looking for any fancy write-up - just an explanation of what you did, and the results you got. That being said, it should be legible. So make sure you indicate what answers are for what questions, etc.
You will also have to submit one source code file, `keylogger.py`.
Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here. So far there aren’t any significant changes to report.
Before you start, you should determine your IP address and the route to a given machine. Visit https://whatismyipaddress.com/ to get your IP address (for reasons we’ll see in a bit, this is preferred over Googling for ‘what is my ip’).
You will need to install (and, briefly, use) Tor. You can find out about Tor here, and installation – which is particular to your operating system – is described here. If your operating system has another installation method for Tor, you are welcome to use that instead.
Load up the Tor browser and visit https://whatismyipaddress.com/ again to get your IP address. Hit reload a couple of times, and note how the IP address changes each time. These are the IP addresses of the Tor exit nodes.
Visit a LEGAL Tor hidden service. You can Google for a list of Tor hidden services – their URL will always end in “.onion”. One such site is https://thehiddenwiki.org/. As an example of a LEGAL site to visit, consider https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/, which is the DuckDuckGo search engine.
Visit another website that is not a hidden service. Note how much slower it is to view this website. Can you stream a video from YouTube via a Tor connection?
Note that Tor is a service as well as a web browser. You may (or may not) want to stop the Tor service when you are done:
sudo service tor stop
This will stop it for that one time only – and on the next reboot, it will reactivate. To disable it for good, you can run `sudo systemctl stop tor` (or just uninstall it).
In the report, you should include:
For this part, we are going to ‘listen’ to network traffic, and see what interesting information we can find. We will use a UNIX utility called tcpdump. This utility will print out all the network traffic on a given interface. tcpdump must be run as root; thus, you probably cannot run it on any UVa server. You can download the tcpdump.zip file from Canvas’ Files – that file is NOT in this repo due to its size. This file contains a dump of a tcpdump session. We will be analyzing this file.
This file contains my password, so I wanted to ensure that it was properly protected, and I used a 6-character ZIP file password on it. It’s your job to crack that password. While you can use any ZIP file password cracker that is out there (and there are lots!), we recommend fcrackzip.
brew install fcrackzip
seems to work. Also see here for another example of how to install it. Another option:
sudo apt-get install fcrackzip
In all cases, you will need to understand what it does - just running it with very few parameters will just spew out gibberish to the screen.
Update: as fcrackzip has issues with Windows, we are revealing the password: `abcdez`.
A packet sniffing utility would run tcpdump, and parse the contents in real-time. We can write such programs using Python or, for more speed, C or C++. For this assignment, you won’t need to write a program, but can instead just search for the data using any text-search mechanism (including opening it up in your favorite editor and searching the data). The data was collected using the following command:
tcpdump -A -l -s 10000 -i eth0
The command line switches do the following:
- `-A` causes the packets to be printed in ASCII (as opposed to binary or hex, which are other command-line switches)
- `-s 10000` causes the maximum printed packet to be 10,000 bytes - if not set, it will only print the first 64 bytes of each packet
- `-i eth0` causes it to ‘listen’ to the first (and, in this case, only) Ethernet connection. If you have multiple network connections, this will allow you to monitor only one. You could set this to listen to the wireless connection, or to all connections.
Many of the pages returned by tcpdump are compressed to save network bandwidth. This is particularly relevant for popular sites that send a lot of data, such as Facebook or CNN. You can see this in the packet by the ‘Content-Encoding: gzip’ header. One can easily write the data to a file, reverse the base-64 encoding, and then un-gzip it (and there are programs that do just that). For this assignment, we’ll be looking just at the non-compressed data.
You will need to analyze the tcpdump.txt file. Download the tcpdump.zip file from Canvas’ Files – that file is NOT in this repo due to its size. In your report, you need to answer the following questions:
gemini.http-alt (here `http-alt` means an alternative to http) - see the example packet explanation, below. The `http-alt` port is 8080 – you can find this out by looking in `/etc/services`, which maps port names (such as `http-alt`) to port numbers. We aren’t interested in port numbers above 10,000.
A given packet could look like the following.
10:31:35.293018 IP gemini.http-alt > pegasus.58878: Flags [P.], seq 4642:4790, ack 2176, win 80, options [nop,nop,TS val 43850520 ecr 38675081], length 148
E`....@.9.....E..........O.........P.......
.....N".st">
<p>Please enter your UVa userid to obtain your balance: <input type="text" name="userid"
></p>
<input type="submit">
</form>
<hr>
</html>
This packet was sent at 10:31:35 from gemini (aka gemini.cs.virginia.edu) to pegasus (my home computer). It was an http connection (the ‘http-alt’ means the alternative http port that gemini uses) - so it was sending data. In fact, this is the last half of the SQL injection attack web page that you used above in part 2.
The uncompressed tcpdump file is 16 Mb. Thus, it may have problems opening in Notepad. And just doing Notepad-style searches for all the answers to the above questions will not get you very far - you certainly aren’t going to be able to find out all the protocols via searching through Notepad for each packet header (some of the questions may be answered via that type of search, though). The UNIX utility grep will be your friend here. Consider the following, which you type from the UNIX command line.
grep gemini tcpdump.txt
This will search the tcpdump.txt file for all occurrences of gemini. While it returns 375 lines, that is still only 8% of the entire length of the tcpdump.txt file. You can also use ‘egrep’, which allows you to enter a regular expression. Consider the following.
egrep "[a-z][4][4]+" tcpdump.txt
This takes in the regular expression [a-z][4][4]+, and searches for all occurrences of it in the file (there are 20). Make sure you put your double quotes around the regular expression.
Lastly, note that ‘sextans’ is the name of one of my routers (all my machines are named after constellations). So when you see data being transferred between sextans and another host, that’s between my computer and said host.
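As an added example (not part of the assignment or the course’s own code), the following Python script does the kind of analysis the questions above call for on `tcpdump -A` output: it parses the packet header lines, tallies endpoints whose port is at or below 10,000 (resolving service names the way `/etc/services` does), and groups packets by host pair so that everything between sextans and another host can be counted. The sample lines and the small `/etc/services` subset are constructed; a real run would read tcpdump.txt and your machine’s `/etc/services`.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of tcpdump -A output, modelled on the packet shown above
# (header lines plus a couple of payload lines that must be skipped).
SAMPLE = """\
10:31:35.293018 IP gemini.http-alt > pegasus.58878: Flags [P.], seq 4642:4790, ack 2176, win 80, length 148
10:31:35.293101 IP pegasus.58878 > gemini.http-alt: Flags [.], ack 4790, win 501, length 0
10:31:36.100000 IP sextans.52011 > gemini.ssh: Flags [P.], seq 1:37, ack 1, win 80, length 36
10:31:36.200000 IP gemini.ssh > sextans.52011: Flags [P.], seq 1:45, ack 37, win 80, length 44
10:31:37.000000 IP pegasus.58900 > sextans.domain: 12345+ A? example.com. (29)
E`....@.9.....E..........O.........P.......
<p>Please enter your UVa userid to obtain your balance: <input type="text" name="userid"
"""

# Constructed subset of /etc/services; the real file on your machine is authoritative.
SERVICES = {"http": 80, "http-alt": 8080, "ssh": 22, "domain": 53, "https": 443}
# tcpdump prints each endpoint as host.port; the last dot separates the two.
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+)\.(\S+) > (\S+)\.(\S+):")

def port_number(name: str) -> Optional[int]:
    """Resolve a tcpdump port field (a number or a service name) to a port number."""
    if name.isdigit():
        return int(name)
    return SERVICES.get(name)

def tally_ports(dump_text: str, max_port: int = 10000) -> Counter:
    """Count packets per (host, port) endpoint, ignoring ports above max_port."""
    counts: Counter = Counter()
    for line in dump_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # payload line printed by -A, not a packet header
        src_host, src_port, dst_host, dst_port = m.groups()
        for host, port in ((src_host, src_port), (dst_host, dst_port)):
            num = port_number(port)
            if num is not None and num <= max_port:
                counts[(host, port)] += 1
    return counts

def conversations(dump_text: str) -> Counter:
    """Count packets per unordered host pair, e.g. all traffic between sextans and gemini."""
    pairs: Counter = Counter()
    for line in dump_text.splitlines():
        m = HEADER.match(line)
        if m:
            pairs[frozenset((m.group(1), m.group(3)))] += 1
    return pairs
```

Run `tally_ports(open("tcpdump.txt").read()).most_common()` to see which named services dominate the capture, then `grep` for those hosts and ports to inspect the payloads.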
Honor pledge details: you are given permission to search the tcpdump.txt file to answer the above questions for this assignment. After that, you will need to delete the file.
You are going to see how easy it is to build a keyboard logger. We will use the pynput Python package to do so. Your code will be in a `keylogger.py` file.
This works on the three major platforms:
pip install pynput
When you run the software, it will prompt you to change a setting to allow Terminal to monitor the keyboard. Be sure to change it back once this assignment is done!
It does not work on a few less common platforms:
(Others will be added here as we find more that do not work)
First, start with the sample code provided on the pynput Python package page; look at the “Monitoring the keyboard” section. Enter that code (fixing the three line breaks that Python will complain about).
When you run it in a terminal, and type `hello world`, you should see some output like the following:
$ python3 keylogger.py
Key.enter released
alphanumeric key h pressed
h'h' released
alphanumeric key e pressed
e'e' released
alphanumeric key l pressed
l'l' released
alphanumeric key l pressed
l'l' released
alphanumeric key o pressed
o'o' released
special key Key.space pressed
Key.space released
alphanumeric key w pressed
w'w' released
alphanumeric key o pressed
o'o' released
alphanumeric key r pressed
r'r' released
alphanumeric key l pressed
l'l' released
alphanumeric key d pressed
d'd' released
special key Key.esc pressed
^[Key.esc released
$
Note that the exact output will be a bit different, as it depends on how quickly you type and release each of the keys.
If you see output like the following:
$ python3 keylogger.py
hello world
Then the pynput package is NOT working on your system – review the Compatibility sub-section, above.
The task is to create a keylogger that will monitor the keyboard and, if the userid `mst3k` is entered, it will print the next 10 characters.
You need to modify that code so that:
- `mst3k` are entered, and ONLY that string (case-sensitive!), then keep track of the next ten characters. Once found, print those to the screen.
- `{}`) around the printed password
The output might look like the following:
{passwordXX}
{1234567890}
The best way to test this is to launch it in one terminal or window, and start typing text in another one.
You should submit two files to Gradescope:
- `networks.pdf`, which is your report for parts 1 (Tor) and 2 (packet sniffing). Answers to all the questions in those parts should be in that file. So that it is viable for us to read, please clearly label the various sections of the file.
- `keylogger.py`: from part 3 (keyboard logger)