CMPUT 299, Assignment 3, Winter 2008

Due Tuesday, April 3rd (submit by 6:59 pm)

Worth 15%

(input validation attacks, worm propagation, fuzzing)


Attacking a Web Server

In the first part of the assignment, you will be applying a "warhead" logic similar to that of the Nimda worm. The Windows host you discovered in the 2nd assignment is running a web server known for a number of vulnerabilities. Your tasks (which you must detail in your report for this assignment) are as follows:
  1. Determine which of the URL validation attacks in the "List of Attacks" appearing at the end of page 6 and beginning of page 7 of this document allow you to access resources outside c:\inetpub (and which ones do not), and indicate what tool you used to send the URL requests. Provide the full request contents for at least one of the successful requests.
  2. Using one of the successful validation attacks that you found, upload an executable named ncX.exe, where X is your group's number, to the attacked host using a "propagation engine" of your choice. Indicate what URL you used to accomplish this step. Report any failed attempts and explain why they failed. In which directory did you place your executable, and why?
    1. ncX.exe should be the executable of the netcat utility. Find it (a version that floats around quite a bit is named nc111nt.zip), download it, unzip it and try it first on your group's Windows machine to make sure it works. Keep in mind that many security suites out there consider nc.exe as malware. It's just a very useful tool. As long as you trust that the version you downloaded is not malware, you should feel free to use it. Do not forget to rename nc.exe to ncX.exe to reflect the identity of your group. You are now ready to read about the uses of netcat for intrusion purposes.
    2. Your propagation engine will very likely require the use of a server installed on one of your machines, e.g., a tftp server, accessible from the attacked machine. You have to enable or install a corresponding server on either your Unix or Windows system. Indicate which server you used, how you installed it, and any changes to firewall rules that you may have had to perform (for the duration of the transfer, at least) if you had already implemented special firewalling rules (as per the 2nd assignment).
  3. The next step is to ensure that ncX.exe is executed. Again, you may want to resort to weaknesses in URL validation to get your executable running on the attacked machine. Indicate what kind of URL you used to force the execution of ncX.exe such that:
    1. it listens for incoming connections on port 990X, where X is your group number, and
    2. upon receiving a connection request, it invokes the Windows command line shell cmd.exe.
  4. Retrieve the password hashes file (and include it in your report) and crack it with the best techniques you have found from the first assignment. You might want to consider RainbowCrack. Indicate whether there were any challenges in retrieving the hashes file and also include the password hashes file you obtained and the passwords you cracked. We are interested in the Administrator password of course. 
  5. As a final act, you should also plant your group's "virtual" flag, in the form of a file with filename groupXwashere.html placed in the documents directory of the web server and accessible by anyone visiting the server's pages. Indicate the process by which you placed it there and if you had any problems making it accessible.

Important: This assignment does not include any competition element. You should not attempt to defeat the attack mounted by another group. The system under attack, as no doubt you found out from the earlier assignment, is quite fragile. Avoid any action that will lead to the system crashing or halting. Your objective is to let the host carry on its regular routine, as you are supposed to be mimicking a worm that installs a backdoor shell. Also, before sending anything to the host, e.g., a malformed URL, make sure you understand what it is supposed to do.
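The defensive counterpart of task 1 is a check that a request path, once fully decoded and normalized, still resolves inside the web root. The following is an added example (not part of the assignment or of any server's code) that runs that check over a few constructed log lines; the web root /inetpub/wwwroot is written POSIX-style as an assumption, and the regex only handles Common Log Format request lines.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed web root (IIS serves c:\inetpub\wwwroot; written POSIX-style here).
DOC_ROOT = "/inetpub/wwwroot"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def canonicalize(raw_path, max_rounds=3):
    """Percent-decode until the path stops changing (catches double encoding),
    treat backslash as a separator, and resolve the result against DOC_ROOT.
    Returns (resolved_path, decode_rounds, undecodable)."""
    path, rounds = raw_path.split("?", 1)[0], 0
    for _ in range(max_rounds):
        decoded = unquote(path)  # bytes that are not valid UTF-8 become U+FFFD
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    undecodable = "\ufffd" in path  # our decoder and the server's may disagree here
    path = path.replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    return resolved, rounds, undecodable

def inside_root(resolved):
    return resolved == DOC_ROOT or resolved.startswith(DOC_ROOT + "/")

def classify(raw_path):
    """'ok', 'traversal' (escapes the root), or 'suspicious' (needs manual review)."""
    resolved, rounds, undecodable = canonicalize(raw_path)
    if not inside_root(resolved):
        return "traversal"
    if rounds > 1 or undecodable:
        return "suspicious"
    return "ok"

def scan_log(lines):
    """Return [(request_path, verdict)] for every request that is not 'ok'."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and classify(m.group(1)) != "ok":
            findings.append((m.group(1), classify(m.group(1))))
    return findings

# Constructed sample log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2008:10:01:00 -0600] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Apr/2008:10:01:02 -0600] "GET /images/..%2f..%2fwin.ini HTTP/1.0" 404 0',
    '10.0.0.5 - - [01/Apr/2008:10:01:03 -0600] "GET /scripts/..%255c..%255cwin.ini HTTP/1.0" 200 0',
    '10.0.0.5 - - [01/Apr/2008:10:01:04 -0600] "GET /docs/%c0%afreadme.txt HTTP/1.0" 200 10',
    '10.0.0.5 - - [01/Apr/2008:10:01:05 -0600] "GET /a/b/../c.html?x=1 HTTP/1.0" 200 10',
]

if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {path}")
```

The last sample shows why the check must be on the resolved path rather than on the presence of "..": a relative hop that stays inside the root is legitimate, while an undecodable byte sequence is flagged because the server's own decoder (which this example does not replicate) may accept what ours rejects.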

Fuzzing

(Note this part of the assignment can be submitted up to a week after the April 3rd deadline.)

Fuzzing is a "black box" testing technique, whereby a program under test is sent random input to reveal whether it handles that input gracefully (terminates cleanly, complains, sends error messages, etc.) or fails, either by crashing or by exhibiting abnormally excessive resource usage (CPU, memory, etc.). The latter behaviour usually indicates a bug in the program. Because the bug is triggered by particular user input, the vulnerable input routines are plausible candidates for more focused techniques, e.g., buffer overflow attacks. In this part of the assignment you will test your ftp servers (that were set up in the first assignment) by using a targeted "fuzzer" against them (the Indigo FTPStress Fuzzer).
  1. You will run your fuzzer on your Windows host against (a) your Linux and (b) your Windows ftp servers and report your findings.
  2. Then you will uninstall your Windows ftp server (temporarily), install first this ftp server and run the fuzzer against it, and then uninstall it, install this ftp server and run the fuzzer against it.
Note that the two sample servers need certain user accounts to be created before they can be used. Also, once you are done with the above steps, reinstall the Windows ftp server you originally had installed on your Windows system. In your report, where you describe your findings, indicate whether the server under test crashed or not and on what kind of input (provide evidence from log files or window image captures, as well as from the fuzzer window). Check also whether the ftp process started misbehaving with respect to CPU and/or memory usage (use the ps command on Linux and the Task Manager under Windows to find this information). Feel free to play with the options of the fuzzer if you cannot seem to get a server to misbehave. Obviously, some servers can withstand FTPStress's strategies, and you may not be able to cause them to misbehave. Also, a useful tool for the Windows servers is faultmon, since it provides more informative messages about programs that terminate abnormally.
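To make the distinction between "handled gracefully" and "crashed" concrete, here is an added example (not part of the assignment and unrelated to FTPStress or to any real server) that fuzzes a toy, in-process FTP command parser constructed for this purpose. The parser contains one deliberate defect, a bare verb with no argument raises an unhandled IndexError, and the harness classifies every mutated input as ok, handled (a deliberate ProtocolError) or crash (any other exception).

```python
import random

class ProtocolError(Exception):
    """Raised for input the parser rejects on purpose (the graceful outcome)."""

COMMANDS = {"USER", "PASS", "CWD", "RETR", "LIST", "QUIT"}

def parse_command(line):
    """Toy FTP command-line parser (constructed for this example). Returns
    (verb, argument). Deliberate defect: a verb that requires an argument but
    receives none hits an IndexError instead of raising ProtocolError."""
    if len(line) > 512:
        raise ProtocolError("line too long")
    if "\x00" in line:
        raise ProtocolError("NUL byte in command")
    parts = line.rstrip("\r\n").split(" ", 1)
    verb = parts[0].upper()
    if verb not in COMMANDS:
        raise ProtocolError("unknown command")
    if verb in ("LIST", "QUIT"):
        return verb, ""
    return verb, parts[1]  # defect: parts[1] is missing when no argument was given

def mutate(seed, rng):
    """Produce one random malformed variant of a well-formed seed line."""
    verb = seed.split(" ", 1)[0].rstrip("\r\n")
    choice = rng.randrange(4)
    if choice == 0:  # drop the argument entirely
        return verb + "\r\n"
    if choice == 1:  # oversized argument
        return verb + " " + "A" * rng.randrange(1, 2000) + "\r\n"
    if choice == 2:  # arbitrary bytes in the argument
        junk = "".join(chr(rng.randrange(256)) for _ in range(rng.randrange(1, 40)))
        return verb + " " + junk + "\r\n"
    return "".join(chr(rng.randrange(32, 127)) for _ in range(rng.randrange(20))) + "\r\n"

def fuzz(seeds, iterations, seed_value=1):
    """Feed mutated seeds to parse_command and tally the outcomes.
    Returns ({'ok': n, 'handled': n, 'crash': n}, [(input, exception name)])."""
    rng = random.Random(seed_value)  # fixed seed so a crash can be reproduced
    counts = {"ok": 0, "handled": 0, "crash": 0}
    crashers = []
    for _ in range(iterations):
        line = mutate(rng.choice(seeds), rng)
        try:
            parse_command(line)
            counts["ok"] += 1
        except ProtocolError:
            counts["handled"] += 1
        except Exception as exc:  # anything unplanned is the "crash" we are after
            counts["crash"] += 1
            crashers.append((line, type(exc).__name__))
    return counts, crashers

SEEDS = ["USER anonymous\r\n", "PASS guest@\r\n", "RETR readme.txt\r\n", "LIST\r\n"]
```

Running fuzz(SEEDS, 200) finds only the planted defect: every crasher is a verb with its argument dropped, which is the "what kind of input" answer the report asks for, while oversized and binary arguments are all handled.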

Deliverables

All submissions are electronic using astep. The assignment ID is asg3. Only one of the group members needs to submit on behalf of the entire group (in the event of more than one submission, the last one will be considered). Your submission should include all supporting files/reports/output that you have used, as well as an indication of which tools you used and how you invoked them (e.g. command line parameters). You must include enough comments along with the files you submit (or in a separate file) to explain the process you followed. By default it is assumed that all group members contributed equally to the assignment. If you need to deviate from this model of cooperation, explain why and indicate who was responsible for what.

[Optionally: add a single paragraph at the end of the report indicating whether you found any difficulties with this assignment and if you think there are ways in which it could be improved. In particular, we are interested to know if the assignment forced you to learn something new that you did not know of before, and how much effort it took you. Was the workload reasonable?]
