EC310 Twelve Week Exam Fall 2015
November 5, 2015

United States Naval Academy
Electrical and Computer Engineering Department
EC310 - 12 Week Midterm – Fall 2015

1. Do a page check: you should have 10 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use two single-sided hand-written pages of notes.
5. Turn in your two single-sided hand-written pages of notes with your exam.
6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name: ____________________
Instructor: ____________________

Problem   Topic                          Possible
1         Buffer Overflow                10
2         Privileges and Permissions     10
3         Ethernet and ARP               31
4         IP and False Route Injection   35
5         Routing                        14
TOTAL                                    100 Points

Question 1 (10 pts). Suppose that Evil Instructor is running a program and attempting to perform a buffer overflow attack. When a function prompts him to enter his name, he enters machine language instructions (an exploit) that, if executed, will delete the contents of the hard drive. Suppose the function reserves 40 bytes for the user's name. Evil Instructor's malicious code is also 40 bytes long. He guesses that his 40-byte exploit is on the stack at address bffff7cc (i.e., he guesses that the variable name, where he is entering his exploit, is located at address bffff7cc). The picture below indicates how Evil Instructor believes the stack is arranged. The picture below also shows Evil Instructor's guess about the location where the saved value of the return address is located on the stack. Evil Instructor bravely declines to use NOPs, but he does decide to follow his exploit with several repetitions of the desired return address.
[Figure: What Evil Instructor believes the stack looks like]

(a) (3 pts) What is the minimum number of times Evil Instructor will have to repeat the desired return address if his exploit is to succeed?

Answer:

(b) (4 pts) What is the address that Evil Instructor should place in the boxes directly below the 40-byte exploit?

Answer:

(c) (3 pts) Briefly (a sentence or two), explain why Evil Instructor improves the chances of his attack being successful by repeating the value of the desired return address.

Answer:

Question 2 (10 pts). Consider the long listing for three files, shown below. The file note1.c is a C program that writes to the file /tmp/notes. The file note1.exe is the compiled version of note1.c. The system has six users: midshipman, trevor, connor, buffy, heather and, of course, root. You are, of course, midshipman.

(a) (4 pts) The user trevor executes the file note1.exe and notices that his attempts to write to the file /tmp/notes are not successful. Explain why.

Answer:

(b) (2 pts) Suppose it is necessary to grant users the ability to write to the file /tmp/notes, but only when executing the program note1.exe. What would you (midshipman) need to do to accomplish this? Select one of the five choices below.

(i) You would need to transfer ownership of note1.c to root
(ii) You would need to change the mode (chmod) to allow sudo access
(iii) You would need to assign sudo access to the file note1.exe
(iv) You would need to set the setuid flag on the file note1.exe
(v) You would need to give users the ability to switch user (su)

(c) (4 pts) The user buffy proposes solving this problem (i.e., the need to grant users the ability to write to the file /tmp/notes, but only when executing the program note1.exe) by having you (midshipman) enter the following command:

chmod o+rw /tmp/notes

How would the effect of this command be different from the effect of the answer you selected in part (b) above?
Answer:

Question 3 (31 pts). You are examining an Ethernet frame using Wireshark. This Ethernet frame is shown below. The hexadecimal contents of the Ethernet frame starts as shown:

The frame format for an Ethernet frame is shown below:

(a) (2 pts) What is the source address for this Ethernet frame?

Answer:

(b) (3 pts) If the Ethernet protocol is used to transmit a 6010-byte IP packet, how many frames will be needed? Show work.

Answer:

(c) (3 pts) Which of the following choices is (are) true (circle all that apply):

(i) An Ethernet frame is encapsulated in an IP packet
(ii) An Ethernet frame is decapsulated from an IP packet
(iii) An IP packet is encapsulated in an Ethernet frame
(iv) An IP packet is decapsulated from an Ethernet frame
(v) Some of the hexadecimal digits shown in the Wireshark capture above could represent an IP address
(vi) Ethernet is a network layer protocol

The user who sent the frame above is named MIDN Glad. He is on the 10 Mbps Ethernet used by seven users shown below. All users are very active. For each user, we show symbols denoting the IP address and Ethernet address. For example, MIDN Glad has IP address E and Ethernet address Y.

(d) (4 pts) What is the average data rate seen by MIDN Glad? Show work.

Answer:

(e) (4 pts) What is the average data rate seen by Evil Instructor? Show work.

Answer:

(f) (4 pts) If the bridge were to be replaced by a hub, what would be the average data rate seen by MIDN Jubilant? Show work.

Answer:

(g) (2 pts) True or False: MIDN Joyous's IP address will never change.

Circle one: TRUE / FALSE

(h) (2 pts) True or False: MIDN Joyous's Ethernet address will never change.
Circle one: TRUE / FALSE

Suppose that a number of ARP exchanges have taken place and all seven users have a complete and correct ARP cache, showing the correct IP address – Ethernet address pairings for all users. MIDN Jubilant then launches an ARP spoofing attack against MIDN Happy with the intent of stealing all of MIDN Happy's packets.

(i) (5 pts) To launch his attack, MIDN Jubilant sends an unsolicited ARP Reply with an IP address-Ethernet address pairing. What IP address-Ethernet address pairing does MIDN Jubilant place in this ARP Reply?

Answer:

(j) (2 pts) Suppose that the bridge above is replaced by a switch. What layer of the TCP/IP model does the switch reside in?

Answer:

Question 4 (35 pts). Examine the network shown below. MIDN Happy (whose IP address is 2.2.2.70) regularly accesses the EC310 website (IP address 7.7.7.181).

(a) (4 pts) Express the mask for the network 4.0.4.0/22 in dotted decimal notation.

Answer:

(b) (4 pts) How many IP addresses are available for assignment to hosts on the network 4.0.4.0/22 ?

Answer:

(c) (4 pts) What is the broadcast address for the network 4.0.4.0/22 ? Show your work!

Answer:

(d) (9 pts) Considering the network shown above, construct the routing table for Router B. Place your answer in the table below, leaving any unused rows blank.

(e) (4 pts) Suppose Router B must route an IP packet with destination address 185.74.66.66. If the mask in the top line of your routing table (shown above) is applied to this IP address, what is the resulting network address? Show work.

Answer:

(f) (2 pts) In light of your routing table for Router B, shown above, what outgoing interface would Router B send the IP packet whose destination address is 185.74.66.66 ?

Answer:
Evil Instructor is located on the 5.5.5.48/28 network and wants to prevent MIDN Happy from reaching the EC310 website at 7.7.7.181. He turns his computer into a router using Loki and advertises a false network. The advertisement for this false network propagates to Router B. In the table below, under the target's network (7.7.7.160), and the target's IP address (7.7.7.181) the bit values corresponding to the IP address have been filled in.

(g) (8 pts) Design a false network using the shortest possible mask (in other words, your mask /n should use the smallest possible value of n). State the network ID for the false network you would use. Use the table above to show your work. Your answer should be of the form W.X.Y.Z/n.

Answer:

Question 5 (14 pts). Consider the network shown below which uses distance vector routing. You are router C. You have just received the following distance vectors from your neighbors:

From B:
A    B    C    D    E    F
4    0    7    13   7    2

From D:
A    B    C    D    E    F
17   11   4    0    8    10

From E:
A    B    C    D    E    F
8    6    6    10   0    4

Your distance to B is 7, your distance to D is 4 and your distance to E is 6.

[Figure: network of routers A, B, C, D, E and F]

(a) (7 pts) What is your new routing table (include the distance and next hop for each destination) presuming that distance-vector routing is used? Place your answer in the table on the right, using as many rows as needed.

Destination    Total distance    Next hop

(b) (2 pts) You received a distance vector from Router B. Which other routers in the network will ultimately receive this distance vector from Router B?

Answer:

(c) (3 pts) Suppose the routing algorithm for the network above is shifted to link-state routing. Sketch the link-state packet that will be sent by Router C.

Answer:

(d) (2 pts) You send your link state packet to Router B. Which other routers in the network will ultimately receive this link state packet?
Answer:

Turn in your equation sheet with your exam!