Progress Report 1. Group RP16. All work done by Ivan Gromov and Andrew McConnell

Transcription

1 Progress Report 1 Group RP16 All work done by Ivan Gromov and Andrew McConnell

2 Steps completed: Task Mode Task Name Duration Start Finish Predecessor s Resource Names Manually Schedule d First Lab research 5 days Sun Ivan Manually Schedule d IFS lab hardware 2 days Mon Ivan Manually Schedule d Second Lab research 7 days Andrew Assessing IFS Lab Environment During my conversation with Clive I was provided with a network topology of the current lab environment for DPI911. Also we have discussed if there are any resources available to run additional hardware to accommodate all of our labs. This is the current set up of IFS virtual environment reserved for DPI911:

3 We are planning to introduce the first three labs into this environment within a month and reuse some of the existing resources. One of the examples would be a DNS cache poisoning attack to redirect the traffic from one of the Moodle web servers to a malicious source. Resources we are thinking to add at this stage is another server running a DNS service.

4 Lab 1: DNS Cache poisoning Overview The goal of this lab is to generate a DNS poisoning attack that would leave a trace on the network. Attack will be launched from an attacker s machine located on the different LAN from the Victim s machine by forging a fake DNS response to redirect the traffic. One of the problems that we are going to face during this attack is Cached DNS queries that will prevent us from brute forcing the randomly generated 16 bit transaction ID for the DNS query. In order to negate the caching effect we will use Kaminsky s method which exploits the ability to include additional information into a DNS response. In the scenario where two machines are located on different networks prevents us from sniffing all DNS related communication that takes take place over an insecure channel. The idea of this method is make DNS server busy by trying to resolve a non-existing address such as qqq.ifslab.net which would not be cached. This request would have to be passed to the Root DNS server that has a record of ifslab.net name space and while it s waiting for response an attacker will send thousands of fake responses to the DNS server and eventually guess the transaction ID. Kaminsky has estimated that it takes roughly 10 seconds for a false answer with a false IP, included in additional information, to be accepted and cached.

5 In order to poison DNS server we will use an open-source tool called pacgen.c to craft a spoofed DNS response ( ) and Netwox 105 to sniff a request from a Victim s machine and reply with a spoofed response ( ) During next week the lab will be implemented in Testing environment.

6 Lab 2 Payload Delivery Using VBA Macro I don t have anything as prepared as Ivan, so I ll just state some of what I ve researched so far. VBA (Visual Basic for Applications) is a subset of Microsoft's proprietary Visual Basic programming language, it is designed to run within Microsoft Word and Excel in order to automate repetitive tasks, operations and create custom commands, among other things. While it s not particularly advanced, it can call in outside libraries, including the entirety of Window s API, which means that and can be used for a lot more than the basic things it was designed for, such as what I ll be using it to do, which is deploy malware. I will have to have a computer open a Word/Excel document, the book(advanced Penetration Testing, Will Allsopp, 2017) gives an example of a VBA code that will be detected by virus scanners, so depending on what mike wants, I may do one version with the easily found executable, and another without. Have not yet decided on what I will have the code execute as of yet, but the book s execution of a dual stage attack is interesting and would give the students more things to detect, so I will probably do something similar. Future Steps Task Name Duration Start Finish Predecessors Resource Names Implementation in Testing environment 7 days Ivan Implementation in Testing environment 7 days Andrew First Milestone: Completion of first two labs 14 days