Software Security - S18

CSE 545

Assignment 2

Assignment 2 is due 2/20/17 on or before 11:59:59pm MST.

Part 1 — Reflector (60 points)

The goal of this project is to create a “reflector” which will relaunch attacks sent to a given ip address and ethernet address to the IP address that sent the attack. This acts as a mirror, such that when an adversary is portscanning a network, they will actually be portscanning themselves. When they launch an exploit at the reflector, the attack will be reflected back at them.

This project can be written in any programming language.

Your program will be a single executable, called reflector.

Interface

You must implement the following command-line interface for your program (all parameters are required, but not necessarily in this order):

./reflector --interface eth0 --victim-ip 192.168.1.10  --victim-ethernet 31:16:A9:63:FF:83 --reflector-ip 192.168.1.20 --reflector-ethernet 38:45:E3:89:B5:56

Your program should listen to the given network interface, and any IP, TCP, or UDP packets sent to the given victim IP address should be taken and sent (without modification) on the given interface to the src IP from the reflector IP address. Then, when there is a response from the src IP address to the reflector IP address, that response should be sent back to the src IP address as if it was from the victim IP address.

In this way, your program will impersonate two IP address (victim and reflector), and any packets that are sent to the victim will get resent to the src IP from the reflector IP. One good way to test this is to try to SSH to the victim IP from a machine that you have SSH access. You should find yourself SSHing into that same machine.

Note, that you will need to implement ARP so that those nodes on your local network will know that your interface is the victim and reflector IP.

Testing

I’ve written a script test_reflector.sh which will allow you to test the reflector on a single Ubuntu 16.04 machine (without using a virtual machine or another computer on the network to simulate the attacker). This uses network namespaces, a Linux kernel feature that allows having multiple network namespaces. The script uses this feature to simulate having multiple computers on a network (by using a virtual ethernet device). Also, this is a similar environment to how the automated grading server tests your code.

First, download the test_reflector.sh script to the same directory that your reflector is in.

Then, make test_reflector.sh executable:

chmod +x ./test_reflector.sh

Then, run test_reflector (which will compile your reflector, set up the networking, run the reflector, then cleanup the networking)

./test_reflector

If everything goes correctly, you should see some instructions (which will document different ways to debug/test this environment), and from another terminal you can run ping 10.0.0.3 to try to ping the victim IP.

To debug further, you’ll need to look into the network namespaces functionality. This will help you understand what the shell script is trying to do.

Implementation

For this project, while you can choose any language you wish, I highly recommend that you use Scapy. I will make sure that the submission server has the python-scapy package installed.

Another option is to use libnet. You are free to use whatever library you want, however it must allow arbitrary packet creation. It is your responsibility to do the research about an unsupported library (it will also be more difficult for us to help you).

Note that you must run your program as root to be able to get access to the raw sockets. This means that the submission system will be running your code as root, so please do not attempt anything malicious.

Your program must work on Ubuntu 16.04 64-bit with the default packages installed. You’ll probably need to set up a virtual machine to do the development.

If you wish to use packages that are not installed on Ubuntu 16.04 64-bit by default, please submit a file entitled packages, with a list of the Ubuntu 16.04 64-bit packages that you would like installed before calling make. Each line of packages must be a valid package name, one package per line. The submission system will automatically install all the dependencies that the package lists.

For example, if you were going to write your assignment in Haskell, you could install the GHC compiler with the following packages file:

ghc
ghc-dynamic

Submission Instructions

You will need to submit your source code, along with a Makefile and README. The Makefile must create an executable called reflector when the command make is ran. Your README file should contain your name, ASU ID, and a description of how your program works.

Prior course’s TA compiled some resources on how to write a Makefile:

Part 2 — Crack the Password (40 points)

Being able to read assembly code is incredibly important to analyzing binary code for vulnerabilities.

Your challenge is to figure out the correct password that this binary re_check_passwd expects.

Use your knowledge of assembly, and tools such as file, objdump, readelf, and others.

Submission Instructions

You will need to submit the password, any files that you used to crack the password, and a README. Your README file must contain your name, ASU ID, and a precise description of how you cracked the password.

Submission Site

Create an account to submit your homework on the course submisison site.

Please don’t forget your password.