Sniffing

This homework consists of three parts, in increasing levels of difficulty. In parts 1 and 2, you will analyze network traffic. In part 3, you will write a script to modify network traffic.

Part 1: I know what you did last minute

Note 1: For this exercise you need to download pcap1.pcap and pcap2.pcap from http://com301-pcap-validation.epfl.ch. Wireshark is your friend when it comes to interpreting PCAP files: use it! A tutorial for Wireshark can be found here: Wireshark Tutorial

Note 2: You have a limited number of attempts to get a token (3 attempts per day). Check that the website you found is in the whitelist, website_whitelist.csv, before submitting your answers for Parts 1.1 and 1.2. If you find several websites in the PCAPs that are also in the whitelist, submit the first website present in the PCAP.

1.1 Coffee Break

The semester ended a few weeks ago. The grades are out on IS-academia for COM-301, but are not visible to the students until the end of the week. You are too impatient to wait until then. Therefore, you decided to hack the account of Morty Smith, the TA who is in charge of grading the students. In the past, you saw Morty several times at this small cafe called Meeseeks. Luckily for you, the owner of the coffee shop, Mr. Meeseeks, is not tech savvy and did not change the default password of the cafe's router. After 5 minutes of trying, you obtained the router password. Now that you own the router, you are able to run a man-in-the-middle attack against Morty to monitor him and discover his secrets.

After finishing his latte, Morty starts browsing the Internet. You can finally capture some of his traffic, and you store it in pcap1.pcap. Unexpectedly, Morty is browsing the Internet using HTTP, everything is in plain text! Can you find which website he has been visiting? Submit it to the server to get your token (remember Note 2).

Food for Thought: Some of you may have noticed that the HTTP request you got was redirected to the HTTPS version of the website. What is the mechanism behind this redirection and what is its purpose?

1.2 Let's Encrypt

You are not satisfied with the website you found, so you decide to continue monitoring Morty. Unfortunately for you, Morty noticed that the green lock symbol next to his URL was missing and finally remembered what he had learnt in COM-301. He does not want to be spied on, so he starts using HTTPS. Can you find another way to find out which website he is visiting in the capture file, pcap2.pcap? Submit it to the server to get your token (remember Note 2). Do you see any other connection that is interesting in this capture?

Part 2: Catch Them All!

You are still not satisfied since you couldn't find relevant information to blackmail Morty. However, the monitoring was not that unsuccessful. Thanks to what you discovered in pcap2.pcap, you know that Morty tried to visit a weird website belonging to the EPFL. Could it be the secret grading server? You have to scratch this itchy part of your brain that tells you to continue the hack and find out if you can obtain the credentials for the database containing the grades. Once you have them, what are you going to do? Why not dump all the grades and share them with your friends?

Assume that Morty's connection to the grading server is unencrypted. You decide to deploy a man-in-the-middle attack to steal the credentials. We provide a program, hw04, that simulates this situation.

To run hw04, we provide binaries for 3 operating systems. Use the Linux binary if you are doing the exercise from within the VM. For your convenience, we provide binaries for Windows or MacOS X if you prefer to work from your main OS, but the TAs will not provide support if you encounter problems when running these binaries on your main OS. This program works in two modes:

  • mitm: perform a man-in-the-middle attack to steal the credentials. Observe the traffic while running this to see if you can get the credentials.
  • dump-grades: retrieve the grades from the database using the stolen credentials. You can use this to check that you have obtained the right credentials.

For the mitm mode, you need to provide your SCIPER number, and the host and port you found in the previous exercise, as arguments. For the dump-grades mode, in addition to the arguments mentioned above, you need to provide the user name (an email address) and the password you found.

    ./hw04 mitm SCIPER hostname port
    ./hw04 dump-grades SCIPER hostname port email password

When you obtain a correct password, use that as your token for submission to the grading server.

Part 3: Let's go Phishing

The TAs have done their job and the connection to the grading server is encrypted. You wonder whether you can use other material from the class to steal the credentials. What better way to do this than to make Morty connect to your fake grading server instead of the actual one? In class, you learned about changing DNS records so that the DNS response has the attacker's IP instead of the legitimate one. You decide to try this out such that when Morty sends out a DNS query for the EPFL grading server, you replace the grading server's IP with a fake entry in the DNS response.

For this exercise, you will use the Python library Scapy to perform packet manipulation. With Scapy, you can read a PCAP file, iterate through the packets in the PCAP file, and analyze each packet field. We have installed Scapy on the COM-301 VM. If you are not using the VM, you can install it with the following command (you might need sudo to install it system-wide):

pip3 install scapy

Your goal is to modify the trace in pcap2.pcap. Write a script using the skeleton code we provide, modify_pcap.py. The script has to take pcap2.pcap as input, find the DNS responses for the grading server, and replace the server's IP in the response with your SCIPER. Write the trace to a new file, pcap2new.pcap (the file has to contain all the packets of the original file). Submit pcap2new.pcap at https://com301-pcap-validation.epfl.ch. If the PCAP is correct, you will receive a token. We expect you to modify only the DNS records of type A (IPv4). The skeleton code modify_pcap.py contains more details.

Food for Thought: Note that this is a simplified version of an actual man-in-the-middle attack, since you are changing a PCAP file instead of modifying network traffic on the fly. Read up about how you could perform an actual attack.

Scapy tips

Scapy can take some time to master, so we're providing a few tips to help you use it.

  • Useful Scapy commands for debugging: pkt.summary() and pkt.show(). pkt.summary() displays a short description of the packet; pkt.show() displays all the fields in the packet.
  • Scapy follows a "layer" system to analyze packets (one layer per network layer). For example, pkt[IP] extracts the IP layer, pkt[UDP] extracts the UDP layer, and so on. Once you extract a layer, its fields attribute gives access to the field values of that layer, stored as a dictionary. For example, pkt[IP].fields will give you a dictionary of field names and values at the IP layer.
  • To recalculate checksums and lengths, this discussion is useful: Packet checksum
  • All documentation on Scapy can be found here: Scapy documentation.

Note: If your SCIPER number produces a leading 0 in some bytes of the IP address, you might need to remove them to obtain a valid IPv4 address, e.g. 195507 becomes "0.19.55.7" instead of "00.19.55.07".
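As an added example (not the course's modify_pcap.py skeleton and not a reference solution), the following Python script carries out the Part 3 procedure with Scapy end to end: read a capture, find DNS responses carrying a type-A answer for one hostname, replace the rdata, clear the IP/UDP length and checksum fields so Scapy recomputes them, and write every packet back out. It also shows the failure mode behind the checksum tip above: editing a parsed packet without clearing the stored checksums leaves a stale UDP checksum that Wireshark flags as bad. The hostname grades.example.invalid, the addresses in the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges and the sample packets are constructed for the demo; the SCIPER-to-IPv4 mapping is the one described in the note above (zero-pad to eight digits, split into two-digit groups, drop each group's leading zero); all function names are my own.

```python
# Added example, not the course's modify_pcap.py skeleton. Hostname, addresses and
# packets are constructed for the demo; sciper_to_ipv4() follows the assignment note
# (zero-pad to 8 digits, split into 2-digit groups, drop each group's leading zero).
try:
    from scapy.all import DNS, DNSQR, DNSRR, IP, UDP, Ether, rdpcap, wrpcap
    HAVE_SCAPY = True
except ImportError:          # sciper_to_ipv4() still works without Scapy installed
    HAVE_SCAPY = False

def sciper_to_ipv4(sciper):
    """195507 -> "0.19.55.7" (not "00.19.55.07"), a valid dotted quad."""
    digits = str(int(sciper)).zfill(8)
    if len(digits) != 8:
        raise ValueError("SCIPER does not fit in eight digits")
    return ".".join(str(int(digits[i:i + 2])) for i in range(0, 8, 2))

def _answers(dns):
    """Answer records as a list: Scapy <= 2.5 chains them as payloads, >= 2.6 keeps a list."""
    an = dns.an
    if an is None or isinstance(an, list):
        return an or []
    out = []
    while isinstance(an, DNSRR):
        out.append(an)
        an = an.payload
    return out

def _patch_answers(dns, target, new_ip):
    """Point every type-A answer for `target` (lower-case, trailing dot) at new_ip."""
    hit = False
    for rr in _answers(dns):
        name = rr.rrname.decode() if isinstance(rr.rrname, bytes) else str(rr.rrname)
        if rr.type == 1 and name.lower() == target:      # type 1 == A (IPv4) only
            rr.rdata = new_ip
            hit = True
    if hit:
        dns.an = dns.an      # reassign so Scapy drops its cached bytes for the DNS layer
    return hit

def rewrite_a_records(packets, hostname, new_ip):
    """Rewrite matching A answers in place; return the number of packets changed.
    Queries, other record types (AAAA, CNAME, ...) and non-DNS packets stay as they are,
    and no packet is dropped."""
    target = hostname.rstrip(".").lower() + "."
    changed = 0
    for pkt in packets:
        if pkt.haslayer(DNS) and pkt[DNS].qr == 1 and _patch_answers(pkt[DNS], target, new_ip):
            changed += 1
            for layer in (IP, UDP):          # stored len/chksum are now stale: delete them
                if pkt.haslayer(layer):      # so Scapy recomputes both when it writes the packet
                    del pkt[layer].len
                    del pkt[layer].chksum
    return changed

def rewrite_capture(in_path, out_path, hostname, new_ip):
    """File-to-file version of the Part 3 procedure (pcap2.pcap -> pcap2new.pcap)."""
    packets = rdpcap(in_path)
    changed = rewrite_a_records(packets, hostname, new_ip)
    wrpcap(out_path, packets)            # every packet is written, modified or not
    return changed

def checksums_valid(pkt):
    """True if the stored IP and UDP checksums of an Ether/IP/UDP packet match fresh ones."""
    stored = Ether(bytes(pkt))
    fresh = stored.copy()
    del fresh[IP].chksum
    del fresh[UDP].chksum
    fresh = Ether(bytes(fresh))
    return (stored[IP].chksum, stored[UDP].chksum) == (fresh[IP].chksum, fresh[UDP].chksum)

def build_demo_capture(hostname, real_ip):
    """Constructed traffic (not pcap2.pcap): a query, the A response to rewrite and an AAAA
    response that must survive. Serialised and re-parsed so, like rdpcap() output, the
    packets carry stored checksums."""
    eth = Ether(src="02:00:00:00:00:01", dst="02:00:00:00:00:02")
    client = IP(src="192.0.2.10", dst="192.0.2.1") / UDP(sport=40000, dport=53)
    server = IP(src="192.0.2.1", dst="192.0.2.10") / UDP(sport=53, dport=40000)
    query = eth / client / DNS(id=7, rd=1, qd=DNSQR(qname=hostname))
    answer = eth / server / DNS(id=7, qr=1, qd=DNSQR(qname=hostname),
                                an=DNSRR(rrname=hostname, type="A", ttl=60, rdata=real_ip))
    answer6 = eth / server / DNS(id=8, qr=1, qd=DNSQR(qname=hostname, qtype="AAAA"),
                                 an=DNSRR(rrname=hostname, type="AAAA", ttl=60, rdata="2001:db8::1"))
    return [Ether(bytes(p)) for p in (query, answer, answer6)]

def demo(sciper="195507"):
    """Run the rewrite on the constructed capture and report what a validator would see."""
    host = "grades.example.invalid"
    spoof = sciper_to_ipv4(sciper)
    packets = build_demo_capture(host, "198.51.100.20")
    changed = rewrite_a_records(packets, host, spoof)
    out = [Ether(bytes(p)) for p in packets]                 # re-parse, as read from the new file
    stale = build_demo_capture(host, "198.51.100.20")[1]
    _patch_answers(stale[DNS], host + ".", spoof)            # edited without clearing chksum
    return {"changed": changed, "count": len(out),
            "a_rdata": _answers(out[1][DNS])[0].rdata,
            "aaaa_rdata": _answers(out[2][DNS])[0].rdata,
            "checksums_ok": all(checksums_valid(p) for p in out),
            "stale_without_delete": checksums_valid(stale)}

if __name__ == "__main__":
    print(demo() if HAVE_SCAPY else "Scapy is not installed: pip3 install scapy")
```

For the homework itself the call is rewrite_capture("pcap2.pcap", "pcap2new.pcap", <hostname found in Part 1.2>, sciper_to_ipv4(<your SCIPER>)); the AAAA record in the demo is there to check that the script leaves every non-A record alone, as the assignment requires, and the stale_without_delete result is what you get when the len/chksum fields are not deleted before writing.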

Files provided with this homework:

  • PDF
  • hw04 (x86_64 Linux)
  • hw04 (ARM64 Linux)
  • hw04 (Windows)
  • hw04 (x86_64 MacOS X)
  • hw04 (ARM64 MacOS X)
  • website_whitelist
  • modify_pcap.py
  • Validation Website
