Swansea University College of Science Prifysgol Abertawe Coleg Gwyddoniaeth May/June 2018/19 CSCM28 Security Vulnerabilities and Penetration Testing Time Available: 2 hours Coordinator: Dr P D James Queries: The Exams Office hold contact details for this paper Only University-supplied dictionaries are permitted Calculators? Not Permitted Attempt all questions Question 1: Methodologies and Legalities (a) Outline each of the six main phases of penetration testing. For each phase, describe the main activities of the phase and state one tool that can be used to support the phase. [12 marks] (b) Recently, the UK government has discussed various issues around the use of encrypted communication systems. Assume that a law stating the following, rather extreme reaction, was passed: “All encrypted communication is illegal.” For each of the phases of penetration testing explain what would be affected by this law. Use suitable examples to explain what information would now be read- ily available for penetration testers to obtain within each of the effected phases. [10 marks] (c) The investigatory powers act 2016, details new powers for UK intelligence agencies and law enforcement. Describe three of these new powers and explain why and how they affect penetration testers and security professionals working within UK intelligence agencies. [6 marks] CSCM28: Page 1 of 5 Question 2: Protocols and Techniques (a) Using Google is a good way to find out information about a target. Describe how searching for information about a target can be undertaken in a passive man- ner using Google. [4 marks] (b) Consider the following URL: http://win-or-lose.com/index.html For each of the following Google search operators, state whether or not the op- erator is applicable to the URL and if it is, highlight which part of the URL is searched. • SITE • INTITLE • INURL • FILETYPE • LINK • INTEXT [6 marks] (c) When using network scanning tools, there are four core protocols typically involved. List each of the protocols and state what their main purpose is with respect to the network stack. [8 marks] CSCM28: Page 2 of 5 (d) Consider an IP router containing entries for the following CIDR (Classless Inter-Domain Routing) networks: Name Network A 192.168.100.0/24 B 192.168.101.128/25 C 192.169.101.192/26 D 193.168.101.224/27 The router receives a packet with destination address 192.168.101.130. The router determines that it should forward the packet to network B. Part of this process will check that this packet is not addressed for networks A, C and D. Demonstrate the steps and perform the calculations that are made to check the packet is not designated for network C. [6 marks] (e) NMap provides a number of TCP scans that can be useful for fingerprinting of services, discuss two different TCP scans provided by NMap and describe how they work including details on the flags set within the communicated TCP packets. [6 marks] (f) Explain how the traceroute command works including details on the packets that are sent. What information can a penetration tester gain from running tracer- oute? [4 marks] CSCM28: Page 3 of 5 Question 3: Vulnerabilities (a) The following is a snippet of an entry from a Linux shadow file. john:$1$fnfffc$pGteyHdicpGFx:… Explain each value of the snippet, describe how the salt is used and explain why storing salt values in plaintext is acceptable. [6 marks] (b) Using gdb on a 32-bit executable that crashes with large inputs, you have detected that the stack pointer register ($esp) contains the value: 0xffffd578 and the base pointer register ($esb) contains the value: 0xffffd5f8. Describe how you could use this information to perform a buffer overflow attack. You can assume you have available shell code consisting of 24 bytes of hex. You should include in your discussion accurate lengths of strings needed to perform the attack. [10 marks] (c) Explain what ASLR means and how it would prevent your buffer overflow from Part (d) from working. [4 marks] (d) Web applications often need to perform session management in order to keep track of users interacting with the application. Explain what session management is and describe two attacks that penetration testers may use against it. [8 marks] (e) Consider the following snippet of code that has been taken from a web appli- cation: print(“Please enter the name of file to remove”); $file = $_GET[“filename”]; system(“rm $file”); ?> Explain the vulnerability exhibited by this code and why it occurs. What kind of Metasploit exploit might an attacker craft in order to exploit this vulnerability? Explain how such an exploit works. [10 marks] CSCM28: Page 4 of 5 End of Paper CSCM28: Page 5 of 5
