Security Exercise 14

Part I: The Geography of the Internet
At this point you should appreciate that the Internet is, to a great extent, a large collection of routers along with the
interconnecting media (copper wires, fiber optic cables, and, as we will see later in the course, wireless links). We have talked
about the Internet (its routers, its interconnecting media) within the confines of the lecture notes and within the confines of
mathematical algorithms. Which may leave you wondering: Where is the Internet physically? And what does it look like
geographically?
The original vision for the Internet was that it would be a small enterprise, and would appear somewhat flat: each router
would be just as important as any other router. The original intent was that the network would be fully distributed and
decentralized so that it could survive a nuclear war. Stated another way, the original intent was that the Internet would have
no routers serving as choke points that could serve as single points of failure. If—the theory went—every router is connected
to the same number of other routers, then every router is equally unimportant to the survival of the Internet. So, with this vision
in mind, we might expect the number of "routers per square mile" to be roughly the same everywhere.
This is not how things turned out, to say the least. The Internet has, in fact, physical focal points—single buildings where a
large number of routers are collocated—single buildings where a large amount of the Internet's traffic funnels through.
To see how this came about, let's go way back to 1980. A USNA grad was President, disco was dying out, and the Internet
(then called the ARPANET) looked like this:
In 1980 the listing of everyone on the Internet totaled 5000 names. These were names, not computers. The number of
computers with Internet access was far fewer.
In the mid-1980's the Internet (i.e., ARPANET) shifted to TCP/IP. In 1990 the ARPANET was retired and the Internet, as
such, was then run by the National Science Foundation, and renamed NSFNET. The National Science Foundation decided that
the NSFNET should only be accessed by lofty high-minded academics, and not by grungy businesses that are out to make a
seedy profit by providing services to the unwashed masses. As a result of the National Science Foundation's Acceptable Use
Policy, businesses found they were not permitted to connect to each other by using the NSFNET.
What to do? What to do? Businesses decided to bypass the NSFNET and directly connect to each other! If Business A wanted
to connect to Business B, the solution was to run a physical cable between a router in Business A's network to an intermediate
router, and run a cable from a router in Business B's network to this same intermediate router. The only problem, then, was to
find a location where one of Business A's routers and one of Business B's routers could be placed adjacent to this intermediate
router. Once all three routers are collocated, running the two cables to connect Business A and Business B would be easy.
Along came a company named MFS. MFS purchased a building, installed a very expensive (very capable) router and advertised
itself as Metropolitan Area Exchange-East (MAE-East). MFS basically advertised: "Bring your router to MAE-East, and we
will connect your router to our central router (thus connecting everyone's routers together)." The response to this advertisement
was overwhelming: Companies showed up at MAE-East, Internet Service Providers showed up at MAE-East—basically,
anyone who wanted to interconnect to others showed up at MAE-East. By 1997, half of the Internet's traffic went through
MAE-East.
The surprising thing is that MAE-East is not a logical location that exists in theory. MAE-East is the fifth floor of 8100 Boone
Boulevard in Tysons Corner Virginia (with equipment overflowing into an adjacent parking garage). The original notion of
the Internet being geographically distributed and spread-out was over; there were now just a few chokepoints through which
all the Internet's traffic passed.
[Photo labeled "McDonald's" and "MAE-East", captioned: "1997: 50% of Internet traffic goes through the fifth floor of this building."]
NSFNET eventually dissolved and sold off its components, and the Internet in turn evolved into a collection of independent
networks—termed autonomous systems—all interconnected to each other through locations such as MAE-East. Today, in
fact, the Internet is a collection of about 42,000 independent networks (again—autonomous systems is the proper term),
interconnected to each other.
But we are getting a little ahead of ourselves—let's go back to the 1990's! In the late 1990's, organizations decided that it was
technologically better to directly connect their autonomous systems to each other without a middleman router (such as that
provided in MAE-East). Digital Equipment Corporation purchased a building at 529 Bryant Street in Palo Alto California,
christened it the Palo Alto Internet Exchange (PAIX) and advertised: "Bring a router connected to your autonomous system to
529 Bryant Street, and we will directly connect it to other autonomous systems in our building." By 2000, PAIX was the
Internet's main connectivity hub. 529 Bryant Street? What's that you ask? That would be this nondescript building:
[Photo of 529 Bryant Street, captioned: "Gee. What a nice building. I wonder what goes on inside?"]
Surprisingly, even today this unremarkable building remains one of the Internet's most critical locations, one of the few major
key connectivity nodes. Another key focal point, where various autonomous systems are connected together, is MAE-West at
55 Market Street in San Jose. By some estimates, a third of the nation's Internet traffic goes through this single building:
The surprising point bears emphasizing: there exists a discrete set of geographic locations through which a large percentage
of the Internet's traffic is funneled. More examples: almost all Internet traffic between North and South America travels
through a building at 50 N.E. Ninth Street, Miami, FL. You might be happy to know that in recent years the Internet
has moved back to the East coast! One of the main Internet focal points today is the Equinix campus in Ashburn, Virginia, near
Dulles Airport:
While it is true that the Internet of today is decentralized in terms of control (no one independent autonomous system is able to
control another independent autonomous system), it is decidedly not decentralized in terms of geography. There are, in fact,
many geographic choke points of great connectivity.
In summary, today there are approximately 42,000 autonomous systems (networks) connected together to form the Internet.
The locations where these autonomous systems are connected together (those beautiful buildings we have shown pictures of)
are termed Internet Exchanges. These Internet Exchanges allow networks to connect directly to each other. The street
addresses for these Internet Exchanges are readily accessible. See, for example, the Internet Exchange map published by
TeleGeography located here:
http://www.internetexchangemap.com/
Question 1: How many Internet exchanges are within 100 miles of Washington, D.C.?
Question 2: What is the address for the Internet Exchange located in Milwaukee?
Journalist Andrew Blum describes a visit he made to this building (the address you gave in your answer to Question 2) with a
colleague named Jon Auer in 2011:
A sleepy-eyed guard sat listlessly behind a worn-out desk in the empty lobby. Auer nodded in her direction and led
us down a narrow tiled passageway to the basement... Auer pointed to a steel box tucked into a dark corner, its LED
lights blinking away. This was the main access point for Milwaukee's municipal data network, connecting libraries,
schools and government offices. "All this talk about Homeland Security, but look what someone could do in here with
a chainsaw."
Question 3: There are 68 Internet exchanges in the United States. If you had a small terrorist army and wanted to
cripple the United States by obliterating its Internet connectivity, how many well-placed car bombs would you need
(to the nearest 100)?
There must be some other reason why we showed you pictures of those pretty buildings, right?
Well, besides being critical security weak spots, these buildings became very popular locations for small NSA field offices
following the attacks on September 11, 2001. In his bestseller The Shadow Factory, James Bamford details how the NSA
went to these various Internet Exchanges in the United States and installed taps at the main interconnections. In this way, the
NSA was able to monitor what amounted to, roughly, ALL Internet traffic.
Question 4: If you worked for the NSA and wanted to install taps on the Internet to monitor all Internet traffic, how
many locations would you need to visit (to the nearest hundred)?
The issues involving the invasion of privacy suffered by everyday Americans through the NSA's tapping of traffic at the Internet
Exchanges remain controversial to this day.
Part II: Your NSA Internship!
CONGRATULATIONS! You have been selected for a summer NSA internship! How exciting! You are now meeting your
new boss!
[Cartoon: Eric greets you. "Well hello there! Welcome aboard! I'm Eric. What is your name?" ... "I'm sorry… what did you say your first name was?" ... "Ok… welcome aboard, Midshipman!"]
Your boss Eric tells you that the NSA suspects a midshipman living in Bancroft Hall (where else?) is allied with a terrorist
group. The midshipman's last name is Roy and the NSA has been tapping into his Internet traffic for some time through a tap
at MAE-East. You will be asked to analyze several captures of MIDN Roy's traffic using the Wireshark program. In fact, you
are given three tasks. Again, it is difficult to contain the excitement, and we again congratulate you.
Task 1: Capturing a password
Eric tells you that the first capture of MIDN Roy’s Internet traffic is located in the file telnetdata.pcap. The NSA
suspects that this packet capture contains MIDN Roy’s use of a Telnet session. Telnet is a networking protocol that provides
communication to a remote server. Many Telnet servers require the user to enter a username and password to access the service,
and the NSA is hoping you can extract MIDN Roy’s username and password from the file. The NSA suspects that MIDN Roy
is using the IP address 192.168.1.7.
Start up VMware Workstation and power on your Cyber2 VM. Then launch Wireshark by selecting:
Applications > Internet > Wireshark (as root)
Under File, click Open and highlight the file named telnetdata.pcap as shown below,
and then hit Open.
Recall that MIDN Roy has the IP address 192.168.1.7. The very first packet (Packet 1) is a DNS request. Recall that DNS is
used to determine the IP address for a given hostname (the website name in a URL). In other words, if we give DNS a website
address such as www.foxnews.com, DNS will tell us that the IP address is 23.15.7.144.
So, in the very first line of the capture (we will call this "packet 1" although, technically, this is not a packet…it's a packet
inside an Ethernet frame) we see that MIDN Roy is trying to find the IP address for a website. What website might this be?
Look in the Info field of Line 1 in the Packet List pane, and look at the Domain Name System Query information in the middle
pane (the Packet Details pane).
Question 5. What website is MIDN Roy attempting to find the IP address for?
Packet 2 is the DNS reply to the DNS request in packet 1.
Question 6. What is the IP address that corresponds to the website that MIDN Roy is accessing?
MIDN Roy is attempting to establish a telnet session with the server located at the IP address you provided in Question 6 above.
Let's focus on just the telnet packets by entering telnet in the filter field as shown below and then hitting Enter:
Now, we are attempting to determine the username and password that MIDN Roy entered in order to logon to the remote server.
So, we wish to concentrate only on the packets that have MIDN Roy’s IP address (192.168.1.7) as a source. Click the Source
field to order the packets by IP address:
You should now see this:
Notice that the packets are no longer in sequence: the first packet listed is packet 7… this is the first Telnet packet sent by MIDN
Roy.
To examine the Telnet data, concentrate on the middle pane (the Packet Details Pane) and click the arrow next to Telnet for the
first listed packet (which is packet number 7). You should see:
So, you notice that for the very first Telnet packet sent from MIDN Roy, he is telling the remote server to please echo back
(Do Echo) what he types, so that he sees it on his screen as he is typing. For information (although it does not apply to this
particular packet), \r is the escape sequence for carriage return back to the beginning of the same line and \r\n moves us
to the beginning of the next line. (Some Unix variants interpret \n as a line feed without a carriage return; hence we often will
use "Carriage Return Line Feed" as \r\n).
Examine the Telnet data for each of these packets.
Question 7: What username is MIDN Roy using?
Question 8: What password is MIDN Roy using?
So, you know the password that MIDN Roy uses for this one specific site. But…check out this recent short news item:
http://www.reuters.com/article/2014/08/05/us-cybercrime-breach-russia-idUSKBN0G52HS20140805
Question 9: What use might it be to know MIDN Roy’s password for this one specific site?
Task 2: Capturing a search term
Eric has just returned from his break and he is very proud of your work in Task 1. He has now given you a second packet
capture obtained by snooping on MIDN Roy. This second packet capture is located in the file secondcapture.pcap.
In Wireshark, close the file you were working on, and open the file secondcapture.pcap. Clear the Filter if you see that
it is still set to telnet.
Question 10. How many packets are in this capture?
You are told: "Analyze this packet capture." What do you do? So many packets. So little time. You know from the prior
packet analysis that the user has IP address 192.168.1.7, so you hit the Source IP address field to order the packets by IP
address:
Question 11. Is MIDN Roy’s old IP address (192.168.1.7) listed?
You ask a fellow intern what to do, and he says that he heard that it is sometimes a good idea to see all the conversations that
have gone on in the packet capture.
Let's select Statistics => Conversation List => IPv4 as shown below:
Question 12. How many separate conversations are taking place in this packet capture?
So… which of these IP addresses correspond to MIDN Roy? To answer this, look at the third column that says Packets.
This lists how many packets have been sent between the two endpoints for that line. For example, in the picture below, we see
that 2 packets were sent between IP addresses 10.52.49.232 and 224.0.0.1.
So… if this is indeed a packet capture from MIDN Roy, then it stands to reason that MIDN Roy should have been doing the
most talking…i.e., sending or receiving the most packets.
So… focusing on the conversations that involved the most packets (the bottom of the list), we should be able to determine
MIDN Roy’s IP address. Note that if MIDN Roy is checking out a website, you should assume that he will receive more traffic
from the website than he will send to the website.
Question 13. What would be your guess about MIDN Roy’s IP address?
Question 14. Given your answer above (MIDN Roy’s IP address), which IP address does MIDN Roy seem to be
communicating with the most?
Verify your answers to Questions 13 and 14 with your instructor or lab tech before proceeding!
So… who owns this IP address that MIDN Roy is communicating with? Glad you asked! IP addresses in North America and
Canada are assigned by the American Registry for Internet Numbers. Let's go to their website:
https://www.arin.net/
and, in the Search Whois box at the upper-right (see picture below for the location), enter the IP address that MIDN Roy is
communicating with (which was your answer to Question 14):
Question 15. Who owns this IP address?
Does this corporation sound familiar? Go to the Wikipedia page for Wikipedia (i.e., go to Wikipedia, and then enter the search
term "Wikipedia"). Review the summary shown on the right sidebar of the webpage.
Question 16. Who owns Wikipedia?
Question 17. To summarize, in this packet capture that you are examining, where is MIDN Roy spending most of his
time?
So, let's focus on the packets that are sent from MIDN Roy to this particular website. Let's click on the Destination header:
and then scroll down to the first packet that is from MIDN Roy to this IP address we are interested in.
You recall from SI110 that webpages are retrieved using the GET command. Let's focus just on the packets that are from
MIDN Roy, to the website of interest, that use the GET command (which, if used, will appear as the word GET in the Info
field).
Question 18. How many packets do you need to focus on—How many packets have MIDN Roy’s IP address as the
Source, have the target's IP address as the Destination, and have the word GET appearing as the first item in the Info
field?
Question 19. Okay, time to put all your cyber skills to use! What are the two terms that MIDN Roy searched for on
Wikipedia? Hint: Look for "search=" somewhere in the string following the word GET in the Info field.
Task 3: Capturing browsing history
Eric has just returned from lunch and he is thrilled with the work you have done. He has given you a third packet capture from
MIDN Roy and has asked you to analyze the capture to determine the websites where MIDN Roy has been spending his time.
You are given a packet capture named webtraffic.pcap. Your goal is to determine three distinct websites that MIDN
Roy has visited.
In Wireshark, close the file you were working on, and open the file webtraffic.pcap. Click on the No field (i.e., the
leftmost field) if necessary so that the first packet listed is Packet 1.
Question 20. What is the time duration of this packet capture?
Question 21. How many total packets were captured?
Select Statistics => Summary.
Question 22. How many total bytes are in this packet capture?
Question 23. On average, how many bytes per second were captured?
This is just a packet capture from one midshipman!
Question 24. Let's say there are 1 billion people on line. If they generate traffic at approximately the same rate as
MIDN Roy, what is the total Internet traffic generated (in bytes) per second?
Question 25. Using this value, how many bytes of Internet traffic are generated per day?
Note that the printed collection of the U.S. Library of Congress is estimated to be 10^13 bytes.
Question 26. If the NSA is vacuuming up all of the Internet's data, can the data actually be used… or is there simply
too much data for anyone, even the NSA, to make sense of?
Question 27. Looking at the IPv4 conversations (Statistics => Conversation List => IPv4), guess
MIDN Roy's IP address.
Verify your answer to Question 27 with your instructor or lab tech before proceeding!
Since we want to determine the websites that MIDN Roy has visited, let's filter our display so that it shows only http packets
by entering http in the filter.
Now, click the Source header to group IP addresses together, and scroll down to where MIDN Roy’s packets start.
Now, here is what you need to do: You need to search through the GET packets to find the websites that MIDN Roy browses.
You might be saying: "AGHHH… that's a lot of GET commands"!
But… it's not so bad. Click on the eighth GET packet from MIDN Roy. If you examine the GET info for this command you
will see:
We see that this host he is contacting is www.bbc.com! This provides a very good clue that one of the websites that MIDN
Roy is visiting is www.bbc.com. There, you have found one of the three websites MIDN Roy visited.
Question 28. What are the other two sites that MIDN Roy visited in this packet capture? Note that the HTTP GET
/ HTTP/1.1 provides a good indication of an initial request to a website. Much of the traffic that follows is assorted
advertisements, tracking and monitoring sites, and related sites (e.g.: "Follow us on Facebook").
HINT: Advertisements from sites such as googlesyndication.com are NOT what you are looking for.
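As an added illustration (not part of the exercise or its capture files) of what the Wireshark steps in Tasks 2 and 3 compute, the following Python reads a pcap using only the standard library, tallies packets per IPv4 pair (the Conversation List), picks the host that did the most talking, lists the sites it loaded from its "GET / HTTP/1.1" requests via the Host header (ignoring asset and ad fetches such as googlesyndication.com), and reports capture duration and bytes per second (the Summary). The capture it reads is constructed inline; the addresses, hostnames and timestamps are sample values.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # pcap magic in the writer's byte order; the parser accepts either

def build_pcap(packets):  # sample-data builder: (ts, src, dst, tcp_payload) -> minimal Ethernet/IPv4/TCP pcap
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # link type 1 = Ethernet
    for ts, src, dst, payload in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,  # checksums left zero
                         *(bytes(map(int, a.split("."))) for a in (src, dst)))
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
        frame = bytes(12) + b"\x08\x00" + ip + tcp + payload  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return bytes(out)

def parse_pcap(data):  # yields (ts, src, dst, frame_len, tcp_payload) for every IPv4 record in a pcap
    endian = "<" if struct.unpack_from("<I", data)[0] == PCAP_MAGIC else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4: nothing to tally
        ip = frame[14:]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[(ip[0] & 0x0F) * 4:]  # IHL is in 32-bit words
        payload = tcp[(tcp[12] >> 4) * 4:] if ip[9] == 6 else b""  # TCP data offset, also in words
        yield sec + usec / 1e6, src, dst, len(frame), payload

def conversations(records):  # packets per unordered IPv4 pair, as in Statistics > Conversations > IPv4
    return Counter(tuple(sorted((r[1], r[2]))) for r in records)

def busiest_host(records):  # the monitored host does the most talking: the address seen in the most packets
    return Counter(a for r in records for a in r[1:3]).most_common(1)[0][0]

def sites_visited(records, client_ip):  # Host headers of 'GET / HTTP/1.1' requests: initial page loads only
    sites = []
    for r in records:
        if r[1] == client_ip and r[4].startswith(b"GET / HTTP/1.1\r\n"):
            for line in r[4].split(b"\r\n"):
                if line.lower().startswith(b"host:"):
                    sites.append(line.split(b":", 1)[1].strip().decode())
    return sites

def capture_summary(records):  # duration, total bytes, bytes per second, as in Statistics > Summary
    duration = records[-1][0] - records[0][0]
    total = sum(r[3] for r in records)
    return duration, total, total / duration if duration else float("inf")

def http_get(path, host):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

SAMPLE = build_pcap([  # constructed sample traffic, not one of the lab's capture files
    (1000.0, "192.168.1.7", "203.0.113.10", http_get("/", "www.bbc.com")),
    (1000.1, "203.0.113.10", "192.168.1.7", b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 1200),
    (1000.3, "192.168.1.7", "203.0.113.55", http_get("/ads?id=1", "ads.googlesyndication.com")),
    (1001.0, "192.168.1.7", "198.51.100.7", http_get("/", "www.example.org")),
    (1001.1, "198.51.100.7", "192.168.1.7", b"HTTP/1.1 200 OK\r\n\r\n" + b"y" * 800),
    (1002.0, "10.52.49.232", "224.0.0.1", b""),
    (1002.5, "10.52.49.232", "224.0.0.1", b""),
])
RECORDS = list(parse_pcap(SAMPLE))
if __name__ == "__main__":
    print(conversations(RECORDS).most_common(), busiest_host(RECORDS), capture_summary(RECORDS))
```

To apply it to a real capture, replace SAMPLE with the bytes of the file; only Ethernet-encapsulated IPv4 records are counted.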
Security Exercise 14 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Question 18:
Question 19:
Question 20:
Question 21:
Question 22:
Question 23:
Question 24:
Question 25:
Question 26:
Question 27:
Question 28: