
EC310 Twelve Week Exam Spring AY2017 06 April 2017

Page 1 of 12

United States Naval Academy Electrical and Computer Engineering Department

EC310 - 12 Week Midterm – Spring AY2017

1. Do a page check: you should have 12 pages including this cover sheet.

2. You have 50 minutes to complete this exam.

3. A calculator may be used for this exam.

4. This is a closed book and closed notes exam. You may use one single-sided page of notes hand-written by you.

5. Turn in your single-sided hand-written pages of notes with your exam.

6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name: ____________________ Instructor: ____________________

Problem Topic Possible Points

1 Privileges and Permissions 12

2 Buffer Overflow 11

3 Ethernet and ARP 22

4 IP and False Route Injection 23

5 Routing 16

6 BGP 16

TOTAL 100

Useful Diagrams and Data on pages 11 and 12


Page 2 of 12

Question 1 (12 pts). A user on a Linux system enters the commands shown below:

gcc -o exam2.exe exam2.c

ls -l exam2.c exam2.exe

As a result, the following is displayed on the screen:

-rw-rw---- 1 cuthbert ec310 2367 2017-03-21 05:20 exam2.c

-rwxr-x--- 1 cuthbert ec310 8104 2017-03-21 05:26 exam2.exe

(a) (2 pts) Who is the owner of the file named exam2.exe?

Answer:

(b) (2 pts) Who has permission to edit the file named exam2.exe?

Answer:

(c) (2 pts) If the owner desires to allow other users on the system to read and execute exam2.exe, what single command would the owner enter on the command line? (Fill in the command below.)

Answer: chmod ________ exam2.exe

(d) (2 pts) If the owner desires to allow anyone who executes exam2.exe to execute it as if they were the owner of exam2.exe, what single command would the owner enter on the command line? (Fill in the command below.)

Answer: chmod ________ exam2.exe

(e) (2 pts) ( TRUE / FALSE ) If user joe, who is not a member of the ec310 group, enters the command cat exam2.c at the command line, he would see the program code being displayed.

(f) (2 pts) Which of the following statements is/are true of the command sudo in general? (circle all that apply)

(i) sudo allows a user to execute commands as the root user

(ii) the owner of a file may grant sudo privileges to any user

(iii) the sudo command may only be used one command at a time

(iv) users in a group automatically get sudo privileges as part of the group


Page 3 of 12

Question 2 (11 pts). At some point in a C program called unhackable.c, a function named exam_function is called. A hacker is attempting to take advantage of a vulnerability in the code to initiate a buffer overflow attack when the function exam_function is called.

(a) (2 pts) In the figure to the right representing the memory layout, arrange the following labels in the correct location as they would be placed in memory when a hacker uses them in conducting a buffer overflow attack:

(i) the exploit

(ii) repeated return address

(iii) NOP sled

(b) (4 pts) Which of the following statements is/are true of the buffer overflow attack in general? (circle all that apply)

(i) The NOP sled technique lets the hacker be a little bit off with the return address as it only needs to point somewhere in the exploit section of memory

(ii) The NOP sled contains machine language code to run the exploit from the stack

(iii) the exploit is designed to run machine language from the stack

(iv) The repeated return address technique is designed to have more chances at overwriting the original return address value on the stack

Analyzing the code and using the debugger on unhackable.exe, a picture of the memory layout emerges as depicted to the right (note: picture is not to scale). Note that a command line argument is copied into memory in the function’s stack frame. You are to devise a buffer overflow attack by exploiting this command line argument, and using all the hacking techniques described above.

(c) (2 pts) Which of the following values would be best used as the repeated return address to successfully cause a buffer overflow?

(i) 0x0804834b

(ii) 0xbffff700

(iii) 0xbffff740

(iv) 0xbffff7b4

(d) (3 pts) Circle all the technical solutions that have been proposed to prevent buffer overflow exploits.

Canary

Passive Interface

ASLR

Plaintext password

Non-executable stack

ARP spoofing

[Figure: memory layout (not to scale). Addresses and labels as extracted, in order: 08048344; bffff700; esp exam_function; bffff728; command line argument; bffff7a0; ebp exam_function; bffff7a4; return address; bffff7c8]


Page 4 of 12

Question 3 (22 pts). An Ethernet frame containing an ARP message is shown below as it appears in Wireshark. The data and padding portion of the frame is highlighted in bold for your convenience. (note: there are four rows of hexadecimal data, read from left to right and top to bottom.)

ff ff ff ff ff ff 00 01 02 c6 3b 6a 08 06 00 01

08 00 06 04 00 02 00 01 02 c6 3b 6a 78 83 23 bb

00 04 75 72 81 fc 78 83 23 08 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 03 45 67 8a

(a) (2 pts) Who is the intended recipient of this frame?

Answer:

(b) (2 pts) ( TRUE / FALSE ) An ARP Request must be received in order to send an ARP Reply.

(c) (2 pts) The above Wireshark packet capture is an ARP Reply sent as an ARP spoofing attack. What is the four-byte hexadecimal number for the IP address of the victim? (i.e. the IP address of the destination host to which the message is sent. There is no need to convert the number to dotted decimal notation.)

Answer:

(d) (2 pts) The ARP Reply consists of 28 bytes of data. How much padding is required to send this packet?

Answer:

(e) (2 pts) If a 3015-byte IP packet were to be transmitted, how many Ethernet frames would be required? Show work.

Answer:

Consider the 100 Mbps Fast Ethernet network depicted below. For each user, the last byte of the corresponding IP address and Ethernet address is listed.

(f) (2 pts) What is the effective data rate observed by MIDN01? Show work.

Answer:

This question continues on the next page.


Page 5 of 12

(g) (2 pts) What is the effective data rate observed by INSTRUCTOR? Show work.

Answer:

(h) (2 pts) What IP address – Ethernet address pairing would host MIDN01 send to launch an ARP spoofing attack against host MIDN02?

IP address: ____________ Ethernet address: ____________

(i) (2 pts) ( TRUE / FALSE ) If MIDN05 and MIDN10 were to switch places in the network, their Ethernet addresses would remain the same.

(j) (2 pts) If all users were connected directly to a switch instead, what would be the effective data rate observed by each user? Show work.

Answer:

(k) (2 pts) For each of the devices listed below, indicate in what layer of the TCP/IP model they operate.

(i) HUB

(ii) BRIDGE

(iii) SWITCH

(iv) ROUTER


Page 6 of 12

Question 4 (23 pts). Consider the network diagram shown below.

(a) (6 pts) Construct the routing table for Router RA. Place your answer in the table below, leaving any unused rows blank.

Router RA’s Routing Table

Mask | Network Address | Next-Hop Address | Interface

(b) (2 pts) ( TRUE / FALSE ) The network address for EC310 Room is invalid.

(c) (2 pts) What is the last IP address assignable to hosts in Hopper Hall in dotted decimal notation? Show your work.

Answer:

This question continues on the next page.


Page 7 of 12

(d) (3 pts) How many IP addresses can be assigned to hosts from the network at Ward Hall? Show your work.

Answer:

(e) (4 pts) Suppose an IP packet with destination address 1.1.1.8 arrives at Router RA. Using the routing table above, what would be the next-hop address to properly route this packet? Show work.

(i) 1.1.1.1

(ii) 1.1.1.2

(iii) 1.1.1.3

(iv) 1.1.1.4

(v) n/a

(f) (6 pts) Your instructor, LCDR Loki, intends to conduct a Man-In-The-Middle (MITM) attack to block your access to the EC310 website hosted on a webserver in Hopper Hall at IP address 2.0.3.169. Design the false network that your instructor would use to accomplish this using the table below to show your work (note: some values have been filled out for you). Use the shortest mask possible. In your answer, state the network ID in the form W.X.Y.Z/n.

Answer: ___ . ___ . ___ . ___ / ___

2.0.2.0      00000010 00000000 00000010 00000000

2.0.3.169    00000010 00000000 00000011 10101001


Page 8 of 12

Question 5 (16 pts). Consider the network shown below.

(a) (2 pts) Construct the link state packet (LSP) sent by Router E.

Answer:

(b) (2 pts) ( TRUE / FALSE ) Link state packets (LSPs) are distributed across the entire network via a process called controlled flooding.

(c) (2 pts) ( TRUE / FALSE ) Distance vector routing is preferable over link state routing for a dynamic network due to its ability to adjust faster to changes in the network.

(d) (10 pts) You receive a new router and plug it into a new network. Your network configuration is set to Distance Vector Routing. Your router is Router Z. Your router receives three answers to its hello packets from neighboring routers as shown on the table below to the left. Using the information from your neighboring routers, construct the router table for your router on the diagram to the right.

To \ From    U     W     Y

U            0     8     9

V            7     5     6

W            10    0     1

X            5     3     13

Y            4     8     0

UZ delay: 6

WZ delay: 7

YZ delay: 5

Router Z

Router | Next-hop | Total Delay

U

V

W

X

Y

[Figure: network diagram for Question 5, routers A through G with numeric link costs]


Page 9 of 12

Question 6 (16 pts). Consider the network diagram below where AS40 communicates with both AS3 and AS4, and local established policies allow transmission of data between AS3 and AS4 through AS40.

(a) (2 pts) What category of autonomous system is AS40?

Answer:

(b) (4 pts) What Network Prefix and AS-Path must BGP Router R1 announce to route packets destined for www.midtube.com?

Network Prefix: ___ . ___ . ___ . ___ / ___

AS-Path:

(c) (2 pts) The system administrator for AS2 decides to make BGP Router R2 advertise the false network prefix and AS-Path shown in the close-up picture below. What AS-Path will the traffic from AS 1 then take to reach www.midtube.com?

AS-Path:

This question continues on the next page.


Page 10 of 12

(d) (8 pts) Select TRUE or FALSE for each of the statements below.

(i) ( TRUE / FALSE ) In a network prefix hijacking attack the attacker would advertise a more specific network ID that includes the IP address of the victim.

(ii) ( TRUE / FALSE ) The number of autonomous systems in the path has priority over local preferences in BGP route selection.

(iii) ( TRUE / FALSE ) A router running BGP first attempts to find all paths from the router to a given destination, then judges these paths against the policies of the AS administrator, and then selects a “good enough” path to the destination that satisfies the policy constraints.

(iv) ( TRUE / FALSE ) The security of Internet routing does not depend on the accuracy, integrity, and availability of the association between ASNs and the network prefixes they own and advertise.

Turn in your equation sheet with your exam!


Page 11 of 12

ARP packet format

Private IP addresses

Range

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255

Hexadecimal – Binary conversion table


Page 12 of 12