Roll Number:
Thapar Institute of Engineering & Technology, Patiala
Department of Computer Science and Engineering
BE CoE III Year, MST UCS634: Secure Coding
19 March 2018
Time: 02 Hours; MM: 50 Course Instructors: Dr. Maninder Singh
Q1. Mr. X recently joined Thapar Institute of Engineering and Technology and has very little know-how of the security offered by the firewall at the network periphery. Many websites do not open when he tries to connect to the Internet using the Sophos Client, but when he establishes a hotspot via his cell service provider, he is able to access all these websites. He is more than happy using the hotspot and blames slow/intermittent connectivity while using the corporate client. You took on the task of educating him, but you also know people don't understand security unless they themselves are attacked. Look at the sequence of events he captured and shared with you; your job is to make him understand some fundamentals behind the scenes, as highlighted below:

IPConfig of Mr. X's machine: 192.168.217.135/24
Gateway address: 192.168.217.2
Default DNS address is: 8.8.8.8
Hardware address is: 00:0c:29:00:00:01

Part A

C:\Mr. X> ping www.securecoding.com
Pinging www.securecoding.com [192.168.217.131] with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.217.131: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.217.131:
Packets: Sent = 3, Received = 1, Lost = 2 (66% loss),TTL=64

i) What do you mean by www.securecoding.com [192.168.217.131]?
ii) Explain the hierarchy of Domain Name Systems from Root to local DNS.
iii) Who maintains the www.securecoding.com-IP mapping?
iv) What is the 66% loss attributed to?

Part B

C:\Mr. X>nslookup
Default Server: 8.8.8.8
Address: fe80::1
> www.securecoding.com
Server: [8.8.8.8]
Address: 8.8.8.8
Non-authoritative answer:
Name: securecoding.com
Address: 184.168.221.21
Aliases: www.securecoding.com

i) Why does Mr. X's machine have IP address 192.168.217.135? What does this signify?
ii) www.whatismyip.com shows the IP as 112.196.1.13; what is the significance of this IP?
iii) What is the role of 8.8.8.8? Why does it always give a non-authoritative reply?
iv) Explain BIND (bind your shell to public IP) and Reverse BIND (offer your shell to Public IP) in this context.

Part C

C:\Mr. X> arp -a
Interface: 192.168.217.1 --- 0xf
Internet Address    Physical Address     Type
192.168.217.131     00-0c-29-00-00-02    dynamic
192.168.217.2       00-0c-29-00-00-02    dynamic
192.168.217.255     ff-ff-ff-ff-ff-ff    static

i) Why are two IPs shown mapped to the same physical address?
ii) Explain the role of dynamic vs static entries in the ARP cache.
iii) Look at the following hexdump, captured using Wireshark, and find out: type of packet, src IP address, destination IP address, src MAC address, destination MAC address.

ff ff ff ff ff ff 00 07 0d af f4 54 08 06 00 01
08 00 06 04 00 01 00 07 0d af f4 54 18 a6 ac 01
00 00 00 00 00 00 18 a6 ad 9f 06 01 04 00 00 0
00 02 01 00 03 02 00 00 05 01 03 01

iv) Study the following captured frames and highlight the process being followed:

No.  Source           Destination      Protocol  Length  Info
1    145.254.168.237  65.208.228.223   TCP       62      3372 → 80 [SYN]
2    65.208.228.223   145.254.168.237  TCP       62      80 → 3372 [SYN, ACK]
3    145.254.168.237  65.208.228.223   TCP       54      3372 → 80 [ACK]
4    145.254.168.237  65.208.228.223   HTTP      533     GET /download.html HTTP/1.1

iv) What shall Parts A, B and C be able to achieve? What is your final recommendation to Mr. X?

[2, 3, 2, 3, 3, 3, 3, 4, 4, 2, 4, 4, 4]

Q2. PE Code Injection is a very serious attack vector and it may allow complete access to the victim's machine. Answer the following in this context.

While manipulating a PE file, a malware creator created a "Code Cave" as .MSingh.

a) Explain the process followed and the use of this section from a malware creation perspective, and also comment on the Section fields (VOffset, VSize, ROffset and RSize) as shown in the following snippet.

Name      VOffset   VSize     ROffset   RSize     Flags
.text     00001000  0005A711  00001000  00058000  60000020
.tdata    0005C000  0001C65A  0005C000  0001D000  40000040
.data     00079000  00005944  00079000  00002000  C0000040
.MC       0007F000  000038F8  00078000  00004000  40000040
.MSingh   00083000  00001000  0007F000  00001000  E00000E0

b) How can a MessageBox shellcode be made part of such an exploit? Give complete code with proper explanation of the parameters passed to MessageBox().
c) While exploring the PE header you found that each PE file starts with the MZ signature string. What does this string mean, and which files would have this kind of association?

[3, 4, 2]