Sniff the packets from a web browser to your server using 1) HTTP and (optional) 2) HTTPS while a legitimate user logs in to your website. Write a program that takes the packet capture file (txt format is fine) and the URL of your website, and launches a replay attack on your website to access the restricted content as the legitimate user. Make sure that your web server responds with the restricted content only when the cookie is valid. In other words, this replayed cookie is an authentication cookie. Does the capture file from 1) work? (Optional) How about from 2)? Explain your answer in the README. You will need to do some socket programming to make your program act like a web browser.
Submit your source code of the website, README, the user-side program, and a sample packet capture file by 2/10 in Canvas. Grading will be done by demo.
You will implement a server (website) and a client in this step. Let's call your server ZBoxlive.com. When a user sets up an account, ZBoxlive.com provides a unique public and private key pair. You may assume that the account setup is already done, so your client knows the private key and the server knows the username, the hash value of the password, and the corresponding public key.
When the user wants to log into ZBoxlive.com, he or she types the username and password into the client program. The client program sends (username, password hashed and encrypted with the user's private key) to the server, i.e. (username, Ru<H(password)>), where Ru is the private key of the user, H is a secure hash function and H(password) is the hash value of the password. Based on the username, the server pulls the public key for that user from its database and decrypts the second part using this public key. The decrypted hash value is compared with the hash value stored in the database. If the two values match, access is granted. Assume that ZBoxlive.com does not share the public key of a user with other users.
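Both sides of the Step 4 login exchange, written here as an added Go example (not the course's or any student's code); it assumes SHA-256 for H, an RSA PKCS#1 v1.5 signature as the concrete form of "hash encrypted with the private key", an in-memory map as the server's database, and constructed sample credentials.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Account is what ZBoxlive.com stores per user after account setup:
// H(password) and the user's public key. The private key Ru stays on the client.
type Account struct {
	PasswordHash []byte
	PublicKey    *rsa.PublicKey
}

// LoginRequest is the (username, Ru<H(password)>) message from the assignment.
type LoginRequest struct {
	Username   string
	SignedHash []byte
}

// NewAccount models the already-completed setup step; H is SHA-256 here (assumption).
func NewAccount(password string, pub *rsa.PublicKey) Account {
	h := sha256.Sum256([]byte(password))
	return Account{PasswordHash: h[:], PublicKey: pub}
}

// clientLogin hashes the typed password and signs the hash with Ru. A PKCS#1 v1.5
// signature is the padded, standardised form of "encrypt H(password) with the private key".
func clientLogin(username, password string, priv *rsa.PrivateKey) (LoginRequest, error) {
	h := sha256.Sum256([]byte(password))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return LoginRequest{}, err
	}
	return LoginRequest{Username: username, SignedHash: sig}, nil
}

// serverVerify pulls the account by username, recovers the hash from the signed blob
// with the stored public key and compares it (in constant time, inside VerifyPKCS1v15)
// with the stored H(password). Unknown users and mismatches are rejected alike.
func serverVerify(db map[string]Account, req LoginRequest) bool {
	acct, ok := db[req.Username]
	if !ok {
		return false
	}
	return rsa.VerifyPKCS1v15(acct.PublicKey, crypto.SHA256, acct.PasswordHash, req.SignedHash) == nil
}
```

As specified, the signed blob is the same on every login because nothing in it varies, so an eavesdropper could resend it exactly as the cookie is resent in Step 3; folding a server-supplied nonce into the signed data is the usual fix.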
Submit your source code of the website and the client program by 3/1 in Canvas. Grading will be done by demo, along with the Step 5 demo. Demo of both steps will take about 30 minutes, and should be done by 3/27. A demo sign-up will be circulated in Canvas on 3/21. Failure to schedule a demo is not an excuse for an extension.
Design and implement a server (website) for multiple users in this step. You may design the login protocol and the cookie content in any way you wish, as long as your website satisfies the following requirements. You may not use https.
Submit the source code of this website, including any database if you are using one, and a README to Canvas by 3/22. Grading will be done by demo, along with the Step 4 demo. Demo of both steps will take about 30 minutes, and should be done by 3/27. A sign-up link will be available in Canvas on 3/21.
Implement the man-in-the-middle attack on slide 3 of the SSL lecture. You will need to implement Alice, Bob, and Charlie separately, demonstrate how Alice and Bob work in a normal situation, and also demonstrate how Charlie can sit between Alice and Bob to authenticate himself as Alice to Bob. Note that Bob needs to be a website, but you may implement Alice and Charlie as stand-alone programs. You may use a 3rd-party RSA library, e.g. PHPseclib.
Submit the source code of Alice, Bob, Charlie, and a README to Canvas by 3/27. Grading will be done by demo, along with the Step 7 demo. Demo of both steps will take about 30 minutes, and should be done by 11/5. A sign-up link will be available in Canvas on 10/22.
Add a database (e.g. MySQL) as the backend to your website that stores usernames and passwords. Build a login website so that you can demonstrate an SQL injection attack that will show all the usernames and passwords. (Hint: your website can log in to the database as the admin to read the username and password for the user.) This login website should act normally, e.g. it should not display the username and password in the clear during a normal login process, even for an admin account. Implement another version of the login website that prevents the attack you showed. (Hint: input sanitization)
Submit the source code of the two websites and a README to Canvas by 4/17. Grading will be done by demo, along with optional revised Steps 4 and 5. Demo of both steps will take about 30 minutes, and should be done by 5/1. A sign-up link will be available in Canvas on 4/18.
Install Suricata on your computer and analyze the three pcap files in step8.zip in Canvas.
For each pcap file, explain what intrusions are detected, and how they are detected. For example, when there is traffic from a well-known spam host, Suricata detects that it is a spam host by comparing the IP address to a blacklist, e.g. the Spamhaus blacklist. Submit your report to Canvas by 4/24. No demo is necessary.