Rules of Engagement
Teams are selected by the instructor.
The host will read the entire question. Only after that may a team “buzz” in by
raising a hand.
A team must answer the question within 5 seconds of buzzing in
(it must have the answer at hand).
If the answer is incorrect, the team loses its turn and another
team may buzz in. No score will be deducted; there are no negative scores.
The maximum score is 100. Once a team reaches it, that team stands down so that
others can participate. Teams keep all points scored at the end of the
game.
When selecting a question, a team may only select a question of a
different value from those it has already chosen, unless no others remain; it
may pick from any category.
All team members will participate and will answer questions.
Only one round: no Daily Doubles, Double Jeopardy or Final
Jeopardy … and no partial credit!
Jeopardy!

Category                     | Point values
-----------------------------|-----------------------
TCP/IP Model                 | 10 | 20 | 40 | 60
Ethernet                     | 10 | 20 | 40 | 60
Internet Protocol            | 10 | 20 | 40 | 60
ARP                          | 10 | 20 | 40 | 60
Routing / MITM               | 10 | 20 | 40 | 60
Privileges / Buffer Overflow | 10 | 20 | 40 | 60
BGP / BGP Routing            | 10 | 20 | 40 | 60
Which TCP/IP layer is responsible for processes
that provide services to HTTP or FTP?
TCP/IP 10 pts
Application Layer
How many bytes are in a physical (MAC) address?
Ethernet 10 pts
6 bytes (48 bits)
Example: F2:45:17:FF:71:A2
Which of the following is not a valid IP address?
(a) 192.148.2.0
(b) 0.0.0.0
(c) 200.256.32.104
(d) 172.31.22.48
Internet Protocol 10 pts
(c): the maximum octet value is 255, so 256 is out of range
Which two layers does the Address Resolution
Protocol (ARP) involve?
ARP 10 pts
Layer 2 (Data Link)
&
Layer 3 (Network)
Routing tables are maintained on which of the following:
(a) routers
(b) host computers
(c) both a & b
(d) neither
Routing Tables 10 pts
(c) both: hosts keep a routing table too (at minimum a route for the local
subnet and a default route)
TRUE/FALSE: It is best to order the routing
table by decreasing mask value.
Routing/MITM 10 pts
True! This is the “longest mask match” (longest prefix match) principle: the
most specific route is consulted first, so the default route (mask /0) is tried last.
What does the Linux command sudo do?
Privileges/Buffer Overflow 10 pts
Executes a single command as another user, by default the root user
(subject to the policy in /etc/sudoers)!
What is the network address for the IP address 200.32.33.234 / 23 ?
Internet Protocol 20 pts
IP address:   200.32.00100001.11101010   (first 23 bits are network bits, last 9 are host bits)
Mask (/23):   255.255.11111110.00000000
Zero out the host bits to get the Network ID:
              200.32.00100000.00000000
            = 200.32.32.0
An evil attacker launching an ARP-spoof
attempts to associate his ___________
address with the victim’s ___________
address.
Answer choices: hardware or IP
ARP 20 pts
hardware; IP (the attacker’s hardware address is bound to the victim’s IP address)
Routing/MITM 20 pts
If a router receives a packet with a destination
IP address that does not match any of the
networks on the routing table, what does the
router do with it?
The router forwards it to the default router (default gateway).
This is often indicated in the routing table by a default route:
Mask     Network
Any      Any
or
/0       0.0.0.0
(written 0.0.0.0/0; it matches every destination because it has no network
bits to compare). If no default route is configured either, the packet is dropped.
Privileges/Buffer Overflow 20 pts
What does setting the setuid permission on
an executable program do?
Whenever the program is executed it runs with the
effective user ID of the file’s owner, so it behaves as
though it were being executed by the owner!
TCP/IP 40 pts
What is the name of the collection of 1’s and 0’s
at layers 5 through 2?
Layer 5 – “Message”
Layer 4 – “Segment”
Layer 3 – “Packet or Datagram”
Layer 2 – “Frame”
Calculate the bandwidth seen by user 3 if each
network is connected via 10 Mbps Ethernet.
Ethernet 40 pts
[Figure: users 1–6 on shared Ethernet segments joined by bridges B1 and B2; not reproduced]
10 Mbps ÷ 3 = 3.33 Mbps (the 10 Mbps of the shared segment is split among the three users on it)
How many addresses can be assigned to hosts
on the network 138.43.29.128 / 26 ?
Internet Protocol 40 pts
32 total bits – 26 network bits = 6 host bits
2^6 – 2 = 62 addresses assignable to hosts.
Subtract 2 to account for the network address
(138.43.29.128) and the broadcast address (138.43.29.191).
What two types of ARP messages exist?
What is the fundamental problem with ARP that
allows an ARP-spoof to be possible?
ARP 40 pts
ARP Request
&
ARP Reply
An ARP reply can be sent (and be accepted!) without
an ARP request
Privileges/Buffer Overflow 40 pts
What is the correct order for arranging the payload in a
buffer overflow attack, and what are their purposes?
Choices are given below:
The exploit (shellcode)
Repeated return addresses
NOP sled

Order: NOP sled, then the exploit (shellcode), then the repeated return addresses.
NOP sled – A series of “no operation” instructions that lets the hacker
be a bit off with the return address: the return address just has to
point anywhere within the NOP sled and execution slides down into the exploit.
Otherwise, the return address would need to be the precise first address of the exploit.
The exploit – This is the executable code (shellcode) the attacker wants run.
Repeated return addresses – The return address points towards the exploit
as the next instruction (or, with a NOP sled, anywhere inside the sled). It
is repeated so that the hacker has a number of chances for one copy to land
exactly on the saved return address slot in the stack frame.
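The layout described above as an added example (not code from the original slides): a payload builder that lays out sled, shellcode and repeated return address, and a tiny simulated fetch loop that counts how many return-address guesses still reach the shellcode. The buffer size, the stack address and the stand-in "shellcode" bytes are invented for the illustration.

```python
# Added example (not from the original slides): a model of the classic stack
# payload (NOP sled, then shellcode, then the return address repeated) plus a
# tiny simulated fetch loop that shows why the sled lets the attacker be
# imprecise about the return address. The buffer size, addresses and the
# stand-in "shellcode" bytes are invented for the illustration.

NOP = 0x90                    # x86 'nop': one byte, does nothing, falls through
SHELLCODE = b"\xCC" * 8       # constructed stand-in (0xCC = int3), not real shellcode


def build_payload(buffer_to_ret: int, ret_addr: int, shellcode: bytes,
                  ret_copies: int = 4) -> bytes:
    """
    buffer_to_ret: distance in bytes from the start of the vulnerable buffer to
    the saved return address. The sled fills everything before the shellcode so
    that sled + shellcode ends exactly where the saved return address begins;
    the return address (little-endian, as on x86) is then repeated so several
    consecutive 4-byte slots all hold it.
    """
    sled_len = buffer_to_ret - len(shellcode)
    if sled_len < 0:
        raise ValueError("shellcode does not fit before the saved return address")
    return bytes([NOP]) * sled_len + shellcode + ret_addr.to_bytes(4, "little") * ret_copies


def simulate_return(payload: bytes, buffer_base: int, guessed_ret: int,
                    shellcode: bytes) -> bool:
    """
    Pretend the CPU returns to guessed_ret and starts executing the bytes of the
    buffer (which sits at buffer_base) as instructions. A NOP advances one byte;
    reaching the first shellcode byte counts as success; landing anywhere else
    (outside the buffer, mid-shellcode, or on the address copies) is a crash.
    """
    shellcode_start = buffer_base + payload.index(shellcode)
    pc = guessed_ret
    while True:
        if pc == shellcode_start:
            return True
        if not buffer_base <= pc < buffer_base + len(payload):
            return False                       # jumped outside our data
        if payload[pc - buffer_base] != NOP:
            return False                       # not a sled byte: garbage executed
        pc += 1


def working_return_addresses(payload: bytes, buffer_base: int, shellcode: bytes) -> int:
    """Count the distinct return-address guesses that still reach the shellcode."""
    candidates = range(buffer_base - 32, buffer_base + len(payload) + 32)
    return sum(simulate_return(payload, buffer_base, a, shellcode) for a in candidates)


if __name__ == "__main__":
    base = 0xBFFFF3C0                                  # invented stack address of the buffer
    with_sled = build_payload(64, base + 16, SHELLCODE)        # 56-byte sled; the guess lands in it
    no_sled = build_payload(len(SHELLCODE), base, SHELLCODE)   # no room for a sled
    print(working_return_addresses(with_sled, base, SHELLCODE))  # 57: any of the 56 NOPs or the shellcode itself
    print(working_return_addresses(no_sled, base, SHELLCODE))    # 1: only the exact address works
```

With the sled, every address from the start of the buffer up to the first shellcode byte works; without it, only the exact address does, which is the point the slide makes.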
Suppose an application entity wants to send a
100 byte message to a peer entity. If each layer
from 4-2 appends a 15 byte header, what
percentage of the total frame size is actual
application entity data?
TCP/IP 60 pts
[100 / (100+15+15+15) ] x100 = 69%
Ethernet 60 pts
Assume the Network layer passes the Data Link
layer 6030 bytes of information to transmit. How
many Ethernet frames will be required?
6030 ÷ 1500 (maximum payload per Ethernet frame) = 4.02, thus 5 frames
(four full frames plus a fifth carrying the remaining 30 bytes)
What is the block of addresses assigned to the
network 56.45.100.0 / 23 ?
Internet Protocol 60 pts
Network:       56.45.01100100.00000000   (first 23 bits are network bits, last 9 are host bits)
Mask (/23):    255.255.11111110.00000000
First address: 56.45.01100100.00000000 = 56.45.100.0
Last address:  56.45.01100101.11111111 = 56.45.101.255
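The subnet arithmetic behind the three Internet Protocol questions above (network address, assignable hosts, address block), as an added example that is not part of the original slides. It works on 32-bit integers rather than a library so the masking the slides show in binary is visible; the helper names are the example's own.

```python
# Added example (not from the original slides): the subnet arithmetic behind the
# Internet Protocol questions, done on 32-bit integers so the bit operations
# the slides show in binary are visible.

def ip_to_int(ip: str) -> int:
    """Pack a dotted quad into a 32-bit integer, rejecting any octet outside 0..255."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"{ip!r} is not a dotted quad")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:                 # the "200.256.32.104" case
            raise ValueError(f"octet {octet} out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/23 -> 0xFFFFFE00, i.e. 255.255.254.0: the top prefix_len bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def is_valid_ipv4(ip: str) -> bool:
    try:
        ip_to_int(ip)
        return True
    except ValueError:
        return False


def network_address(ip: str, prefix_len: int) -> str:
    """Zero out the host bits (AND with the mask)."""
    return int_to_ip(ip_to_int(ip) & prefix_to_mask(prefix_len))


def broadcast_address(ip: str, prefix_len: int) -> str:
    """Set every host bit to one (OR with the inverted mask)."""
    host_ones = 0xFFFFFFFF >> prefix_len
    return int_to_ip((ip_to_int(ip) & prefix_to_mask(prefix_len)) | host_ones)


def address_block(network: str, prefix_len: int):
    """First and last address of the block, as on the 60-pt slide."""
    return network_address(network, prefix_len), broadcast_address(network, prefix_len)


def assignable_hosts(prefix_len: int) -> int:
    """2^(host bits) minus the network and broadcast addresses.
    /31 and /32 have fewer than two addresses to reserve, so the classroom
    formula does not apply there (RFC 3021 uses both /31 addresses for
    point-to-point links); this returns 0 for them."""
    host_bits = 32 - prefix_len
    return 2 ** host_bits - 2 if host_bits >= 2 else 0


def binary_octets(ip: str) -> str:
    """Dotted binary, the form the slides use for the working."""
    n = ip_to_int(ip)
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    print(binary_octets("200.32.33.234"), "/23")
    print(binary_octets(int_to_ip(prefix_to_mask(23))), "mask")
    print(network_address("200.32.33.234", 23))      # 200.32.32.0
    print(assignable_hosts(26))                      # 62
    print(address_block("56.45.100.0", 23))          # ('56.45.100.0', '56.45.101.255')
    print(is_valid_ipv4("200.256.32.104"))           # False
```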
[Figure: LAN whose hosts’ ARP caches map network address Nx to link address Lx:
N1 : L1, N2 : L2, N3 : L3, N4 : L4, N5 : L5; not reproduced]
You are user C in the network below. Design an
ARP Spoofing attack on User D. What changes
would you make to the ARP cache?
ARP 60 pts
Replace the link address in D’s cache entry for the host you want to impersonate
with L3 (user C’s own link address), by sending D an unsolicited ARP reply that
pairs that host’s network address with L3.
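The attack in the ARP 40-pt and 60-pt answers above, as an added example that is not from the original slides: an ARP reply frame is built by hand (no request precedes it), parsed, and fed to a simulated victim cache that accepts it, which is the weakness those answers rely on. The MAC and IP addresses, the topology and the `strict` policy are constructed for the illustration.

```python
# Added example (not from the original slides): a hand-built, unsolicited ARP
# reply and a simulated victim ARP cache that accepts it. Addresses and the
# topology are constructed for the illustration.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (RFC 826 layout for Ethernet/IPv4)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Victim's ARP cache. strict=False mirrors the classic behaviour: any reply
    updates the table, solicited or not. strict=True models a hardened policy:
    only accept a reply for an IP this host currently has a request outstanding for."""

    def __init__(self, strict: bool = False):
        self.table: dict[str, str] = {}     # IP -> MAC
        self.pending: set[str] = set()      # IPs we have sent a request for
        self.strict = strict

    def send_request(self, ip: str) -> None:
        self.pending.add(ip)

    def receive(self, frame: bytes) -> bool:
        """Return True if the frame changed the cache."""
        arp = parse_arp_frame(frame)
        if arp["op"] != ARP_REPLY:
            return False
        if self.strict and arp["sender_ip"] not in self.pending:
            return False                    # unsolicited reply: ignored
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        self.pending.discard(arp["sender_ip"])
        return True


# Constructed topology: victim D, the server S that D talks to, attacker C.
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:dd", "10.0.0.4"
SERVER_MAC, SERVER_IP = "00:11:22:33:44:55", "10.0.0.1"
ATTACKER_MAC = "f2:45:17:ff:71:a2"          # "L3" in the slide's notation


def spoof_attack(strict: bool) -> dict:
    """C tries to make D's entry for SERVER_IP point at C's MAC; returns D's cache."""
    cache = ArpCache(strict=strict)
    cache.table[SERVER_IP] = SERVER_MAC     # legitimately learned earlier
    lie = build_arp_frame(ARP_REPLY, ATTACKER_MAC, SERVER_IP, VICTIM_MAC, VICTIM_IP)
    cache.receive(lie)                      # no request from D preceded this reply
    return dict(cache.table)
```

`spoof_attack(strict=False)` leaves D's table mapping the server's IP to C's MAC, so D's traffic for the server now goes to C; with `strict=True` the unsolicited reply is dropped and the entry is unchanged.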
Routing/MITM 60 pts
Design an MITM attack to divert traffic from the server
Target’s network:     40.230.45.128 /25   00101000 11100110 00101101 1|0000000
Target’s IP address:  40.230.45.161       00101000 11100110 00101101 10100001
Attacker’s lie:       40.230.45.160 /27   00101000 11100110 00101101 101|00000
Ans: announce 40.230.45.160 / 27. It covers 40.230.45.161 and is more specific
than the target’s /25, so longest-prefix matching sends the traffic to the attacker.
Other possible answers (each still covers .161 and is more specific than /25):
40.230.45.160 / 28
40.230.45.160 / 29
40.230.45.160 / 30
40.230.45.160 / 31
Caveat: many operators filter announcements longer than /24 at their borders,
so such a lie may be rejected in practice; it diverts traffic on any router
that does install it.
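The three Routing/MITM questions above (decreasing-mask ordering, the 0.0.0.0/0 default route, and the more-specific hijack) as one added example that is not from the original slides: a routing table searched in longest-prefix order, a lookup that falls through to the default route, and the same lookup after the attacker's /27 is installed. The next-hop names are invented.

```python
# Added example (not from the original slides): longest-prefix-match lookup with
# a default route, and the effect of installing the attacker's more-specific /27
# from the Routing/MITM 60-pt slide. Next-hop names are invented.

def ip_to_int(ip: str) -> int:
    value = 0
    for octet in ip.split("."):
        value = (value << 8) | int(octet)
    return value


def prefix_mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def parse_cidr(cidr: str):
    """'40.230.45.128/25' -> (network as int, prefix length)."""
    net, plen = cidr.split("/")
    plen = int(plen)
    return ip_to_int(net) & prefix_mask(plen), plen


def first_match(ip: str, routes):
    """Return the next hop of the first route whose network matches ip."""
    n = ip_to_int(ip)
    for plen, net, next_hop in routes:
        if n & prefix_mask(plen) == net:
            return next_hop
    return None          # no route at all: drop and send ICMP destination unreachable


class RoutingTable:
    def __init__(self):
        self.routes = []          # (prefix_len, network_int, next_hop), insertion order

    def add(self, cidr: str, next_hop: str) -> None:
        net, plen = parse_cidr(cidr)
        self.routes.append((plen, net, next_hop))

    def lookup(self, ip: str):
        """Decreasing mask value: the most specific route is examined first and the
        /0 default route, which matches everything, is examined last."""
        ordered = sorted(self.routes, key=lambda r: r[0], reverse=True)
        return first_match(ip, ordered)

    def naive_lookup(self, ip: str):
        """First match in insertion order, the ordering the 10-pt slide warns against."""
        return first_match(ip, self.routes)


def mitm_demo():
    """Where does traffic for 40.230.45.161 go before and after the attacker's lie?"""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "default-gw")
    rt.add("40.230.45.128/25", "to-target-net")
    before = rt.lookup("40.230.45.161")
    rt.add("40.230.45.160/27", "to-attacker")    # the attacker's more-specific announcement
    after = rt.lookup("40.230.45.161")
    return before, after


if __name__ == "__main__":
    print(mitm_demo())      # ('to-target-net', 'to-attacker')
```

The naive lookup shows why ordering matters: with the default route listed first, every destination matches it and the more specific routes are never consulted.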
Name and describe two technical solutions to
prevent a buffer overflow attack.
Privileges/Buffer Overflow 60 pts
The non-executable stack (NX / DEP): the memory pages holding the stack are
marked non-executable, so the CPU refuses to execute any machine
instructions located there, including injected shellcode.
The stack canary: the compiler places a known value in memory just
below the saved return address and inserts code in the function epilogue
that checks it was not changed before the return address is loaded into
EIP (RIP on x86-64); an overflow that reaches the return address must
overwrite the canary first.
Address space layout randomization (ASLR): the stack, the heap and the
loaded libraries are placed at random base addresses on each run,
preventing the hacker from easily predicting the return address to aim at.
Briefly describe each of the following
Autonomous Systems Categories:
(a) Stub AS
(b) Multihomed AS
(c) Transit AS
BGP/BGP Routing 10 pts
(a) Stub AS: has only one connection to another AS
(b) Multihomed AS: has more than one connection to other ASes, but
doesn’t allow data to pass through it
(c) Transit AS: connects to more than one AS and allows traffic to
pass through it
Describe the steps followed in BGP routing
when selecting a route.
BGP/BGP Routing 20 pts
1) a BGP router first attempts to find all paths from the
router to a given destination
2) it then judges these paths against the policies of the AS
administrator
3) it then selects a “good enough” path to the destination
that satisfies the policy constraints
BGP/BGP Routing 40 pts
Consider the network diagram and BGP route
announcement from Router 3 below, assuming no local
preferences are set. [Diagram and announcement not reproduced]
What AS path would an IP packet
from 12.12.12.1 take to reach
17.17.200.2?
What AS path would an IP packet
from 13.13.13.3 take to reach
17.17.200.2?
What AS path would an IP packet
from 20.20.20.1 take to reach
17.17.200.2?
40 – 2003 – 2005
40 – 2003 – 2005
60 – 40 – 2003 – 2005
Name and describe (include negative and positive consequences)
one technical solution that an AS network operator can use to
combat prefix hijacking and MITM attacks on BGP networks.
BGP/BGP Routing 60 pts
Filtering – Best current practices for AS network operators dictate the use of filters at AS borders
to reject suspicious route announcements or alter malicious route attributes. Filters are manually
established based on the routing policies of an organization. Filtering has both a business cost
and a computational cost associated with it.

Internet Routing Registries (IRRs) – These are repositories of the IP prefixes, ASNs, routing policy,
network topology, and human points of contact for those ASes which choose to register their
information. While this method may be effective, the downside is that these registries are only
effective if the registry data is secure, complete, and accurate, which is currently not guaranteed.

Resource Public Key Infrastructure (RPKI) – Similar to the IRRs, RPKI is a repository of Internet
routing information. The key difference is that it uses X.509 resource certificates to provide
cryptographic assurance of (1) the association between a resource holder and the IP prefixes and
ASNs it has been allocated, and (2) the association between an ASN and the IP prefixes it is
authorized to originate (Route Origin Authorizations, ROAs).
Its limits:
There is nothing in RPKI which validates the route attributes, including the AS path, associated with a BGP
route announcement from an AS; an attacker who forges an AS path that ends in the legitimate origin ASN
still passes origin validation.
Nor does it provide certainty that the AS which has registered its information used the correct ASN or set of
prefixes.
Nor does it provide network topology information or human points of contact as the IRRs do.
Lastly, it does not mandate that network operators use this information when constructing their filters.
How RPKI is applied is entirely dependent on what AS network operators choose to do with the information
available.
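RPKI route origin validation as an added example that is not from the original slides, applied to the prefixes of the Routing/MITM 60-pt slide: the RFC 6811 states (valid, invalid, not found) are computed from a ROA, and the forged-path case demonstrates the limit stated above, that only the origin is checked. The ASNs, the ROA and the announcements are constructed.

```python
# Added example (not from the original slides): RPKI route origin validation per
# RFC 6811, with one constructed ROA covering the prefixes from the MITM slide.
# ASNs, the ROA and the announcements are constructed for the illustration.

def ip_to_int(ip: str) -> int:
    value = 0
    for octet in ip.split("."):
        value = (value << 8) | int(octet)
    return value


def prefix_mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def parse_cidr(cidr: str):
    net, plen = cidr.split("/")
    plen = int(plen)
    return ip_to_int(net) & prefix_mask(plen), plen


# Constructed ROA: AS64500 may originate 40.230.45.0/24 and sub-prefixes up to /25.
# A ROA is (prefix, maxLength, ASN).
ROAS = [("40.230.45.0/24", 25, 64500)]


def roa_covers(roa_prefix: str, announced: str) -> bool:
    """A ROA covers an announcement if the announced prefix lies inside the ROA prefix."""
    roa_net, roa_plen = parse_cidr(roa_prefix)
    net, plen = parse_cidr(announced)
    return plen >= roa_plen and (net & prefix_mask(roa_plen)) == roa_net


def validate_origin(announced: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 Route Origin Validation:
    not-found: no ROA covers the prefix (RPKI has nothing to say)
    valid:     a covering ROA names this origin ASN and the prefix is no longer than maxLength
    invalid:   covering ROAs exist but none matches"""
    covering = [r for r in roas if roa_covers(r[0], announced)]
    if not covering:
        return "not-found"
    _, plen = parse_cidr(announced)
    for _, max_len, asn in covering:
        if asn == origin_asn and plen <= max_len:
            return "valid"
    return "invalid"


def validate_update(announced: str, as_path, roas=ROAS) -> str:
    """A BGP UPDATE carries the prefix and its AS_PATH; the origin is the last ASN
    in the path, and that is the only path element RPKI checks."""
    return validate_origin(announced, as_path[-1], roas)


if __name__ == "__main__":
    print(validate_update("40.230.45.128/25", [2003, 64500]))   # valid: legitimate origin
    print(validate_update("40.230.45.160/27", [64666]))         # invalid: wrong origin, too specific
    print(validate_update("40.230.45.128/25", [64666, 64500]))  # valid: forged path, RPKI cannot tell
```

The last case is the stated limit in code: the attacker prepends its own ASN but keeps the legitimate origin, and origin validation alone still reports valid; only a path-validation mechanism, or filtering on other attributes, can catch it.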