Cyber Range Lab Assignment Report 2

docx

School

Southern New Hampshire University *

*We aren’t endorsed by this school

Course

MBA530

Subject

Industrial Engineering

Date

Jan 9, 2024

Type

docx

Pages

11

Uploaded by ericbraxton8

Report
IST 894 Capstone Experience Cyber Range Lab Assignment Report 2 Page 1 of 11
Table of Contents 1.0 Introduction ........................................................................................................................................ 3 2.0 General Context .................................................................................................................................. 3 3.0 Technical Context ............................................................................................................................... 4 4.0 Solution .............................................................................................................................................. 5 5.0 Activity Log ....................................................................................................................................... 10 6.0 References ........................................................................................................................................ 11 Page 2 of 11
1.0 Introduction In this lab, we will utilize the “Ubuntu with Snort and Other Tools” environment on the U.S. Cyber Range. This lab will provide hands-on experience with password cracking and buffer overflows. In Task 1, I will utilize John the Ripper to attempt to crack several hashed passwords on a text file. In the second task, I will execute a buffer overflow, in an attempt to return value/pointer that is pushed in a function, causing the program to be diverted and do things that were not intended by the program developer. 2.0 General Context In this lab exercise, I utilized the U.S. Cyber Range, which provides an environment for educators, industry, and others to allow for hands-on cybersecurity training and education in order to increase the number of skilled cybersecurity experts across all sectors ( U.S. Cyber Range , 2020). Inside the lab environment, I used a virtual environment that simulated a Linux workstation and completed several tasks that provided hands-on experience with password cracking using a program called John the Ripper, which essentially analyzes password hashes and attempts to crack the password. The next task I completed was a buffer overflow with a goal of overwriting existing data and executing the program to be diverted and do things that were not expected by the original program designer. A malicious attacker would use a tool like John the Ripper to obtain unauthorized access to a system or network using a password that was cracked from a hash or cipher. A malicious attacker would exploit a buffer overflow by intentionally adding input that the buffer cannot handle, eventually overwriting areas that contain executable code, replacing it with their own, malicious code. The attacker can overwrite a pointer, which was performed in the lab, and point it to an exploit payload, to gain unauthorized access. Page 3 of 11
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
3.0 Technical Context For this lab, I utilized the U.S. Cyber Range to get hands-on training with password cracking and buffer overflows. I utilized XRDP to remotely access a Xubuntu VM to access the lab environment. From a terminal window, I navigated to the appropriate directory, and I executed John the Ripper to analyze four different password hashes that were stored in a text file. The hashes utilized different hashing methods, such as DES, MD5, etc. The purpose of performing this password cracking tasks with John the Ripper was to show how various hash methods are more secure than others, along with the command line syntax and flags needed to successfully crack the password. The different hash methods also had an impact on the time it took to crack the password. In the second half of the lab, I utilized the same Xubuntu VM to attempt to execute a buffer overflow using two different executable files, buffer_oflow1 and buffer_oflow2. One interesting component of the lab was disassembling the buffer overflow program using the Linux utility ‘objdump’ which shows the various functions of the program. By analyzing the relevant functions, I was able to obtain the memory address of the accessGranted function, which allows us to access the program without knowing the password. Once the memory address was known, I needed to determine the overflow length of the input buffer, so I utilized a Python print command that will eventually let you know the buffer length and overwrite the return pointer. The process involves a bit of trial-and-error to get the actual buffer length. I then converted the memory address to a hex encoded memory address and combined all of the information gathered into a single command, which uses Python to print to the exact return pointer the memory address while executing the buffer overflow program. Overall, this lab provided valuable Linux skills and experience with a password cracking tool, in this case, John the Ripper as well as executing a buffer overflow to obtain access to a program when the credentials were not known. Page 4 of 11
4.0 Solution 4.1 – Initial Setup I started this lab by simply logging into my Xubuntu VM with the following credentials. Username: student Password: student Figure 4-1: XRDP Login 4.2 – Task 1 : Passwords and Hashes In this task, we opened a terminal window and switched to the /home/student.lab1 directory using the command cd /home/student/lab1 . To confirm that the file user_hashes.txt was present, I typed in the command ls -l , which shows the contents of the directory. Figure 4-2 (below) shows those two commands. Figure 4-2: Lab 1 Contents I then utilized John the Ripper, AKA JTR, or simply john, to analyze the password hashes stored in the user_hashes.txt file. Page 5 of 11
Figure 4-3: Contents of user_hashes.txt I initially used the command sudo john user_hashes.txt –show to attempt to crack one of the passwords without using one of the parameters ( --format=md5crypt or --format=crypt ). I was able to crack one of the passwords for user1, which was “Password” See the screenshot below (Figure 4-4). Figure 4-4: Crack I then utilized John the Ripper to successfully crack another of the passwords for user2, which was also “Password” The command that I used was sudo john user_hashes.txt –format=md5crypt –show , which provided the output below in Figure 4-5. Figure 4-5: MD5 Hash Page 6 of 11
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
This is a good exercise to show that while a hash may appear to be different, see figure 4-6 below, they are all the same once they’ve been cracked. The reason for this is that they are all utilizing a different type of hash. In Figure 4-5 (above), for instance, user 2 was using a MD5 hash, which stands for Message Digest 5, and is an algorithm that produces hashes that are 128 bits in length and are 32 hexadecimal characters ( Bobby, 2014) , as indicated in the screenshot below for user 2. Figure 4-6: 32-hex character MD5 has 4.3 – Task 2 : Basic Buffer Overflow A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. Buffer Overflow is one of the best known forms of software security vulnerabilities ( OWASP , 2020). To start this task, I used the Linux tar command to extract the contents of buffer_oflow.tar located at /home/student/lab1. The command I used to navigate to the directory was cd /home/student/lab1/buffer_oflow/ and then ran the command ls -l to validate the two items, buffer_oflow1 and buffer_oflow2 were present. Figure 4-7 (below) outlines those steps. Figure 4-8 provides a graphical representation of the same two items. Figure 4-7: CLI view of buffer_oflow Page 7 of 11
Figure 4-8: GUI view of buffer_oflow The next section of the lab is to attempt to run buffer_oflow1, which was accomplished by running the command, ./buffer_oflow1 . I used the password ‘test’ and ‘password’ both of which received “Access Denied” messages. Figure 4-9: Access Denied In this next step, I ran the command objdump -d ./buffer_oflow1 to disassemble the buffer_oflow1 program. The output showed the disassembly of the sections: .init, .plt, and .text. The .text section contained the information that I was interested in for this lab, which was the following functions: main, check_pw, accessGranted, and accessDenied. See below for a snippet. Page 8 of 11
Figure 4-10: buffer_oflow1 disassembly In the screenshot below, I ran the buffer_oflow1 program and entered a long string of characters in an attempt to overflow the input buffer and return a segmentation fault. Figure 4-11: Segmentation Fault In the next step, I attempted to determine the length required to overflow the buffer. I started with a single ‘A’ and then went to (10) ‘A’ and then attempted to run the program buffer_oflow1 with the password of (10) A’s, which was denied, but the length was accepted. Figure 4-12: Python In this step, I pushed the limits of the input buffer until I received a segmentation fault error message. It turns out that 81 characters is the highest number of characters that can be used before the input buffer error’s out once it hits 82. In this case, it is simply a matter of trial and error, until the correct character is determined. Page 9 of 11
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Figure 4-13: Input Buffer Limits In this step, I used the memory address of the accessGranted function, which is 080484ac, but converted it from text to a hex encoded memory address, which the computer can recognize, which is \x08\x04\ x84\xac. The command I ran was python -c ‘print “A”*82 + “\xac\x84\x04\x08”’ | ./buffer_oflow1 which granted access. Figure 4-14: Access Granted In the next section, I am looking at buffer_oflow2 to determine the address of the accessGranted function, which is ‘080484c5’. From the /lab1/buffer_oflow directory, I ran the command objdump -d ./buffer_oflow2 to get the information. Figure 4-15: Access Granted Function After a trial and error of running the command python -c ‘print “A”*X’ | ./buffer_oflow2 where X = input buffer, it was determined the max input buffer size is 72. Figure 4-16: Buffer Overflow Limits You can see in the screenshot below that I was successful in obtaining access. The last name of the author is Vonnegut. The command I used was python -c ‘print “A”*72 + “/xc5/x84/x04/x08”’ | ./buffer_oflow2 Figure 4-17: Kurt Vonnegut 5.0 Activity Log 5.1 - Member Log Member Name Task Date Task Details Eric Braxton 9/16/2021 Completed all lab steps and lab report. Page 10 of 11
6.0 References Bobby (2014). What is Cryptographic Hashing. Retrieved on 13 September 2021 from https://tiptopsecurity.com/what-is-cryptographic-hashing-md5-sha-and-more/ Openwall (2019). John the Ripper Password Cracker. Retrieved on 13 September 2021 from https://www.openwall.com/john/doc/ OWASP (2020). Buffer Overflow . Retrieved on 14 September 2021 from https://owasp.org/www- community/vulnerabilities/Buffer_Overflow U.S. Cyber Range (2020). About the U.S. Cyber Range. Retrieved on 14 September 2021 from https://www.uscyberrange.org/about Page 11 of 11

Related Documents

IEGR 367 - Report for service design.docx
Cyber Range Lab Assignment Report 10.docx
Cyber Range Lab Assignment Report 11.docx
Cyber Range Lab Assignment Report 12.docx
Cyber Range Lab Assignment Report 3.docx
nrf top 100 retail list 2022 assignment - miller.docx
IST554-Lab1-team1 v2.docx
Woolworths Benchmark Award 2022.docx
Screenshot 2023-09-11 at 12.17.42 AM.png
Screenshot 2023-09-11 at 12.17.33 AM.png
Screenshot 2023-09-20 at 6.08.49 PM.png
Screenshot 2023-09-18 at 12.10.53 PM.png