Final exam

Due 5:00PM Monday, June 6
Hand in as final.pdf via Moodle

This is an open-notes, open-Internet, open-book exam. You may post questions about the exam on #questions on our Slack workspace, but otherwise you may not discuss the exam with anybody other than Jeff Ondich.

1. Pen testing, one more time (15 points)

For this problem, you will continue the work with Metasploit that we started during the pen testing lab #2. See that lab for background.

Metasploitable is set up with a ton of vulnerabilities. Your job for this exercise is to find a Metasploitable vulnerability that you find interesting, exploit it, and describe the process.

Specifically, here's what you need to do.

  1. Pick an exploit. It should be an exploit that is available in Metasploit on our installation of Kali and that applies to a vulnerability found in our installation of Metasploitable 2. Before settling on a specific vulnerability and exploit, play around with your choices a little bit by trying to run the exploit with at least two different payloads. Once you have picked your vulnerability and exploit, read up on them and experiment with them in Metasploit to make sure you understand what they're doing.

  2. Describe how to run your exploit. Give me a list of simple, step-by-step instructions on how to perform the exploit with each of your two chosen payloads. This might be a list of command-line commands, or a sequence of screenshots, etc. Shoot for clear, easy-to-follow instructions.

  3. Explain how your exploit works. I'm not looking for "Metasploit's X/Y/Z module does magic, and you get a shell!" Rather, you need to do the research on how the exploit in question takes advantage of some bug or misconfiguration on the target machine, and then share that research with me briefly and clearly, with citations as appropriate.

  4. Describe your payloads. Provide a brief description of each payload you tried out, including an explanation of how the payloads differ.

  5. Exfiltrate the file /etc/passwd. Figure out how to use your exploit and one of your payloads to enable you to "exfiltrate" (i.e. steal) the /etc/passwd file from Metasploitable. Provide a brief description of how you managed to transfer /etc/passwd to your attacking machine.

  6. Discuss detection of this attack. When your payload is running on the target machine and you are doing whatever you're doing, is there a way that your activity might be detected? Describe in concise detail at least one way that you could be spotted. One possibility: consider the Unix command ps ("process status"). Is there something about the output of this command, with the right flags, that might give you a clue that you've been hacked?

2. Same-origin policy (12 points)

This term, we have studied many scenarios where there are various human, organizational, and software entities exchanging information in a sequence of steps over time. Often, these scenarios have included a "normal flow" of information and then one or more "attack flows". For example, the normal flow for the Diffie-Hellman key exchange procedure Alice and Bob exchanging g, p, g^a mod p, and g^b mod p at various times. But there's also an attack flow, where Mal acts as persion-in-the-middle and engages in a different sequence of exchanges with both Alice and Bob. (Then, of course, there are a bunch more information flows showing how TLS and a certificate-based public key infrastructure can thwart the person-in-the-middle attack on Diffie-Hellman.) Practicing how to articulate these flows clearly and in detail has been an important part of your work this term.

For this exercise, you will read about the same-origin policy and describe some flows associated with it.

The best answers to the following questions will be detailed but easy to read. For many information flows, I like to use a simple diagram showing the communicating entities (e.g. a browser and a web server) on the left and right, with arrows running horizontally labeled with the pertinent information being conveyed. Sometimes, there's more to say for a step than an arrow label can contain, or there might be more than two entities exchanging information, so use your judgment on how to express your answers clearly and simply.

  1. Assume that the browser is not using the same-origin policy. Show an information flow illustrating how an attacker could harm the user of the browser. (Even the simplest attacks of this sort have several steps and several types of information sent between more than two entities, so this will require a little care to answer clearly.)

  2. Now assume that the browser is using the same-origin policy. Show the step(s) in the flow from your previous answer at which this policy thwarts the attack. Explain clearly why the attack fails.

  3. Suppose a website wanted to provide web pages from port 443 and also an API from port 8888. For example, suppose there's a search form at https://tapirsunlimited.com/search/, but when the user clicks the Submit button on that page, the Javascript on the search page issues a query to https://tapirsunlimited.com:8888/ to get the search results. This architecture separates the user interface from the database access in a fairly natural way, so you can imagine why a web developer might want to organize things this way.

    • What about this system architecture would violate the same-origin policy on the user's browser? (This question has a very short answer.)

    • In specific detail, what would the tapirsunlimited.com developer need to do to take advantage of Cross-Origin Resource Sharing (CORS) to enable the two-port architecture to work?

3. Practicing your security mindset (10 points)

Let's go back to the beginning of the term, when we were all-Schneier-all-the-time, and we read Bruce's Inside the Twisted Mind of the Security Professional, in which he talks about the security mindset. For this exercise, I'm asking you to do a little creative thinking with your security mindset activated.

  1. Come up with a real-life situation that involves some sort of security system. You may but need not make your security scenario computer-related. Clearly and concisely describe your scenario and the nature of the relevant security system.

  2. Clearly and concisely describe an attack on the system.

  3. Clearly and concisely describe a possible mitigation against your chosen attack.

Here's how I'm going to score this one. If you just want to get the hell out of town and put this year behind you, just answer (a) "a house with door locks", (b) "use a hammer to break the pane in the door", and (c) "install doors containing no glass", and I'll give you 5 points. If you give me something more interesting and a little more thoughtful than that, with good, clear, and concise answers to (a), (b), and (c), I'll give you 9 points.

If I read your idea and say "cool!" or "what a wacky yet intriguing idea!" or something along those lines, I'll give you 1 more point, bringing you to 10.

Let's call it a term

Congratulations on getting through this year, and if you're a senior, big big congratulations on graduating. It was a tremendous pleasure working with you all this term. Thanks for being the best part of the term for me. Have a great summer, and if you're graduating, good luck out there and keep in touch!