GMI German-Malaysian Institute
DIPLOMA PROGRAMME
ASSIGNMENT
Academic Period : January 2021
Subject : SECURING NETWORK
Code : CBS 2413
Submission Date : 9/5/2021
Total Marks : 100 MARKS
Student’s Name : Mohamad Luqman Hakim Bin Mohd Zainudin
Student’s I/D No. : NWS19010059
Semester/Trade/Group : Semester 6
Date : 4/5/2021
CBS2413 SECURING NETWORK
Title: Researching network attacks and security audit tools/attack tools.
Objective
Researching network attacks:
To research network attacks that have occurred.
To select a network attack and develop a report.
Researching network security audit tools and attack tools:
To research network security audit tools.
To select a tool and develop a report.
Scenario
Attackers have developed many tools over the years to attack and compromise networks.
These attacks take many forms, but in most cases, they seek to obtain sensitive information,
destroy resources, or deny legitimate users access to resources. When network resources are
inaccessible, worker productivity can suffer, and business income may be lost.
To understand how to defend a network against attacks, an administrator must identify
network vulnerabilities. Specialized security audit software, developed by equipment and
software manufacturers, can be used to help identify potential weaknesses. These same tools
used by individuals to attack networks can also be used by network professionals to test the
ability of a network to mitigate an attack. After the vulnerabilities are discovered, steps can
be taken to help protect the network.
Directions/Guideline
Step 1:
Research various network attacks. List some of the attacks you identified in your search.
Examples:
Code Red, Flame, Nimda, Back Orifice, Blaster, MyDoom, SQL Slammer, SMURF, Tribe Flood
Network (TFN), Stacheldraht, Sobig, Netsky, Witty, Stuxnet and Storm.
Copyright of German-Malaysian Institute. All rights reserved.
Step 2: Report (Select only ONE name of attack)
Fill in the following form for the network attack selected.
Name of attack: Code Red
Type of attack: Server Jamming Worm
Dates of attacks: July 15, 2001
Computers / Organizations affected: Microsoft's IIS web server
How it works and what it did:
The worm spread itself using a common type of vulnerability known as a buffer overflow. It
did this by using a long string of the repeated letter 'N' to overflow a buffer, allowing the
worm to execute arbitrary code and infect the machine with the worm. Kenneth D. Eichmann
was the first to discover how to block it, and was invited to the White House for his
discovery.
The payload of the worm included:
Defacing the affected web site to display: “HELLO! Welcome to http://www.worm.com!
Hacked By Chinese!”
Other activities based on day of the month:
Days 1-19: Trying to spread itself by looking for more IIS servers on the Internet.
Days 20–27: Launch denial of service attacks on several fixed IP addresses. The IP address
of the White House web server was among those.
Days 28-end of month: Sleeps, no active attacks.
Mitigation options:
Code Red can be blocked at network ingress points using Network-Based Application
Recognition (NBAR) and Access Control Lists (ACLs) within Cisco IOS Software on Cisco
routers.
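The mitigation above relies on a router recognising the worm's request at the network edge. As an added example (not part of the report, and not Cisco's NBAR or ACL code), the following Python filter applies the signature the report describes, a long run of the letter 'N' in the requested URL, to a handful of constructed HTTP request lines and reports which of them an ingress filter would drop. The sample request lines, the threshold MIN_N_RUN and the function names are assumptions made for this example.

```python
import re

# Constructed sample HTTP request lines (not real captures). The third line
# mimics the pattern the report describes: a long run of the letter 'N'
# sent in the URL to overflow a buffer in IIS. The others are ordinary
# traffic, including one URL with a short run of 'N' that must not be flagged.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /products?id=42&sort=name HTTP/1.1",
    "GET /default.ida?" + "N" * 224 + " HTTP/1.0",
    "POST /login HTTP/1.1",
    "GET /NNNews/today.html HTTP/1.1",
]

# A run of at least this many consecutive 'N' characters in the URL is
# treated as the Code Red pattern. The value is an assumption for this
# example; no legitimate URL repeats one letter this many times.
MIN_N_RUN = 64

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/\d\.\d$")


def longest_n_run(url):
    """Length of the longest run of consecutive 'N' characters in the URL."""
    runs = re.findall(r"N+", url)
    return max((len(r) for r in runs), default=0)


def classify_request(line):
    """Parse one request line and decide whether it matches the Code Red pattern.

    Returns a dict with the parsed method and URL, the longest 'N' run found,
    a 'block' flag and a reason. Lines that do not parse as a request line are
    blocked too: an edge filter should fail closed on traffic it cannot parse.
    """
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return {"method": None, "url": None, "n_run": 0,
                "block": True, "reason": "malformed request line"}
    url = m.group("url")
    run = longest_n_run(url)
    if run >= MIN_N_RUN:
        return {"method": m.group("method"), "url": url, "n_run": run,
                "block": True, "reason": f"{run} consecutive 'N' in URL"}
    return {"method": m.group("method"), "url": url, "n_run": run,
            "block": False, "reason": "ok"}


def filter_requests(lines):
    """Split request lines into (allowed, blocked) lists of classification dicts."""
    allowed, blocked = [], []
    for line in lines:
        verdict = classify_request(line)
        (blocked if verdict["block"] else allowed).append(verdict)
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for v in bad:
        print("BLOCK", v["reason"], "-", (v["url"] or "")[:40])
    print(f"{len(ok)} allowed, {len(bad)} blocked")
```

A signature this narrow only catches the one worm the report discusses; in practice the ACL or NBAR policy would be one of several layers, with the IIS patch closing the buffer overflow itself.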
References and info links:
https://en.wikipedia.org/wiki/Code_Red_(computer_worm)
Name of attack: Smurf attack
Type of attack: distributed denial-of-service attack
Dates of attacks: In the late 1990s
Computers / Organizations affected: computer network
How it works and what it did:
Large numbers of Internet Control Message Protocol (ICMP) packets with the intended
victim's spoofed source IP are broadcast to a computer network using an IP broadcast
address. Most devices on a network will, by default, respond to this by sending a reply to
the source IP address. If the number of machines on the network that receive and respond
to these packets is very large, the victim's computer will be flooded with traffic. This can
slow down the victim's computer to the point where it becomes impossible to work on.
Mitigation options:
1. Configure individual hosts and routers to not respond to ICMP requests or
broadcasts.
2. Configure routers to not forward packets directed to broadcast addresses. Until
1999, standards required routers to forward such packets by default. Since then,
the default standard was changed to not forward such packets.
Another proposed solution is network ingress filtering, which rejects the attacking packets
on the basis of the forged source address.
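The three mitigations listed above (hosts ignoring broadcast echo requests, routers refusing to forward directed broadcasts, and ingress filtering on the forged source address) can be modelled together. The following Python script is an added example, not part of the report and not a router vendor's code: it runs constructed packets through a router decision function that applies the directed-broadcast and ingress-filtering rules, and through a host decision function that models the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts. The topology, addresses (RFC 5737 documentation ranges), packet samples and function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: one internal subnet behind a router with a LAN-side
# and a WAN-side interface. Addresses are from the RFC 5737 documentation
# ranges, so nothing here refers to a real network.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_IFACE = "lan0"
EXTERNAL_IFACE = "wan0"

ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    src: str            # source IP as written in the header (may be forged)
    dst: str
    proto: str          # "icmp", "udp" or "tcp"
    icmp_type: int = 0  # meaningful only when proto == "icmp"


def router_ingress_check(pkt):
    """Decide whether the router forwards pkt. Returns (forward, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Mitigation 2: never forward packets addressed to the subnet broadcast
    # address (on Cisco IOS this is "no ip directed-broadcast").
    if dst == INTERNAL_NET.broadcast_address:
        return False, "directed broadcast to internal subnet"

    # Ingress filtering: a packet arriving from the Internet must not claim
    # one of our own addresses as its source. That forgery is what aims the
    # amplified replies at the victim.
    if pkt.iface == EXTERNAL_IFACE and src in INTERNAL_NET:
        return False, "forged internal source address on external interface"

    # Mirror rule on the LAN side: our own hosts may only send with our
    # addresses, so this network cannot originate forged-source floods either.
    if pkt.iface == INTERNAL_IFACE and src not in INTERNAL_NET:
        return False, "source address not in internal prefix on LAN interface"

    return True, "forward"


def host_should_reply(pkt, ignore_broadcasts=True):
    """Mitigation 1: does a host answer this ICMP echo request?

    ignore_broadcasts models net.ipv4.icmp_echo_ignore_broadcasts=1 on Linux:
    echo requests sent to the broadcast address get no reply.
    """
    if pkt.proto != "icmp" or pkt.icmp_type != ICMP_ECHO_REQUEST:
        return False
    to_broadcast = ipaddress.ip_address(pkt.dst) == INTERNAL_NET.broadcast_address
    return not (to_broadcast and ignore_broadcasts)


def filter_packets(packets):
    """Run every packet through the router check; returns [(pkt, forward, reason)]."""
    return [(p,) + router_ingress_check(p) for p in packets]


# Constructed sample traffic (not captured from a real network).
SAMPLE_PACKETS = [
    # Smurf pattern: echo request to the subnet broadcast, victim's forged source.
    Packet("wan0", "192.0.2.10", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
    # Echo request to the broadcast address from an outside source.
    Packet("wan0", "198.51.100.7", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
    # Unicast packet from outside claiming an internal source.
    Packet("wan0", "192.0.2.10", "192.0.2.20", "icmp", ICMP_ECHO_REQUEST),
    # Ordinary inbound connection.
    Packet("wan0", "203.0.113.5", "192.0.2.20", "tcp"),
    # Ordinary outbound traffic from an internal host.
    Packet("lan0", "192.0.2.20", "203.0.113.5", "udp"),
    # Internal host sending with a foreign source address.
    Packet("lan0", "203.0.113.9", "198.51.100.7", "udp"),
]

if __name__ == "__main__":
    for pkt, forward, reason in filter_packets(SAMPLE_PACKETS):
        action = "FORWARD" if forward else "DROP"
        print(f"{pkt.iface} {pkt.src:>14} -> {pkt.dst:<14} {action:7} {reason}")
```

The order of the rules matters only for the reason reported: the first sample packet violates both the directed-broadcast rule and the ingress rule, and either alone would drop it, which is the point of layering the mitigations.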
References and info links:
https://en.wikipedia.org/wiki/Smurf_attack
Name of attack: Mydoom
Type of attack: distributed denial-of-service attack
Dates of attacks: 26 January 2004
Computers / Organizations affected: Microsoft Windows
How it works and what it did:
MyDoom appears to have been commissioned by e-mail spammers so as to send junk e-mail
through infected computers. The worm contains the text message "andy; I'm just doing my
job, nothing personal, sorry," leading many to believe that the worm's creator was paid.
Mitigation options:
1) Organizations filter at the gateway for MyDoom's various subject headings. They
include: test, hi, hello, Mail Delivery System, Mail Transaction Failed, Server Report,
Status, and Error.
References and info links:
https://en.wikipedia.org/wiki/Mydoom
Name of attack: Stacheldraht
Type of attack: distributed denial-of-service
Dates of attacks: July 1999
Computers / Organizations affected: Linux and Solaris
How it works and what it did:
It detects and automatically enables source address forgery. It was written by "random",
of the Austrian hacker group TESO.
Stacheldraht uses a number of different denial-of-service (DoS) attacks, including ICMP
flood, UDP flood, TCP SYN flood, and Smurf attack.
It combines features of Trinoo and of Tribe Flood Network, and adds encryption.
Mitigation options:
1) Developing an incident response plan is the critical first step toward a comprehensive
defense strategy. Depending on the infrastructure
References and info links:
https://en.wikipedia.org/wiki/Stacheldraht
Researching Network Security Audit Tools/Attack Tools
Research network security audit tools and attack tools. Investigate one that can be used to
identify host or network device vulnerabilities. Fill in the report below based on your
findings.
Step 1: Research various network security audit tools/attack tools.
Examples:
Microsoft Baseline Security Analyzer (MBSA), NMAP, Cisco IOS AutoSecure, Sourceforge
Network Security Analysis Tool (NSAT), Solarwinds Engineering Toolset.
Attacker tools:
L0phtcrack, Cain and Abel, John the Ripper, Netcat, THC Hydra, Chkrootkit, DSniff, Nessus,
AirSnort, AirCrack, WEPCrack.
Step 2: Report (Select only ONE name of tool)
Fill in the following form for the network security audit tool/attack tool
selected.
Name of tool: Cain and Abel
Developer: Massimiliano Montoro
Type of tool (character-based or GUI): Password cracking/Packet analysis
Used on (network device or computer host): Microsoft Windows
Cost: Free
Description of key features and capabilities of product or tool:
a) WEP cracking
To crack WEP, a large number of packets must first be captured, which yields a large
number of IVs. Once that is done, an attack tool uses statistical attacks to determine the
key stream and the WEP key for the target network.
b) Speeding up packet capture speed by wireless packet injection
Wireless packet injection is spoofing packets on a network so that they appear to be part of
the regular network communication stream. Packet injection allows an attacker to intercept,
disrupt and manipulate network communication.
c) Ability to record VoIP conversations
VoIP call recording is a secure way to record audio files of a phone conversation in the
cloud. Both incoming and outgoing calls can be recorded. After the call has been recorded,
you can go back and play it as many times as you'd like.
References and info links:
https://en.wikipedia.org/wiki/Cain_and_Abel_(software)
Name of tool: Aircrack-ng
Developer: Thomas d'Otreppe de Bouvette
Type of tool (character-based or GUI): Packet sniffer and injector, WEP encryption, key recovery
Used on (network device or computer host): Cross-platform
Cost: Free
Description of key features and capabilities of product or tool:
a) aircrack-ng: cracks WEP keys using the Fluhrer, Mantin and Shamir (FMS) attack, the
PTW attack and dictionary attacks, and WPA/WPA2-PSK using dictionary attacks.
b) airdecap-ng: decrypts WEP- or WPA-encrypted capture files with a known key.
c) airmon-ng: places different cards in monitor mode.
References and info links:
https://en.wikipedia.org/wiki/Aircrack-ng
Name of tool: chkrootkit
Developer: Pangeia Informatica
Type of tool (character-based or GUI): Rootkit Detector
Used on (network device or computer host): Linux, FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX,
Tru64, BSD/OS, Mac OS X
Cost: Free
Description of key features and capabilities of product or tool:
A few great features of chkrootkit are that it detects more than 60 old and new kits, is
capable of detecting network interfaces in promiscuous mode, and can efficiently detect
altered lastlog and wtmp files.
a) chkrootkit: main script to check for tampered system files
b) strings.c: detects and performs string replacement
c) ifpromisc.c: checks network interfaces for promiscuous mode
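A card left in promiscuous mode is the sign ifpromisc.c looks for, since a sniffer needs it to see traffic addressed to other hosts. The following Python script is an added example, not part of the report and not chkrootkit's own code: it reports the same condition, the PROMISC bit in an interface's flag word, by reading /sys/class/net/<interface>/flags on a Linux host and falling back to a constructed sample (in which eth1 is promiscuous) anywhere else. The sample values and function names are assumptions made for this example.

```python
import os

# Interface flag bits from the Linux uapi header <linux/if.h>; the names
# are the ones "ip link" prints. Only the bits needed here are listed.
IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x10: "POINTOPOINT",
    0x40: "RUNNING",
    0x80: "NOARP",
    0x100: "PROMISC",
    0x200: "ALLMULTI",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100

# Constructed sample of what /sys/class/net/<iface>/flags contains on a
# Linux host. eth1 has the PROMISC bit set, as it would if a sniffer had
# put the card into promiscuous mode.
SAMPLE_FLAGS = {
    "lo": "0x9",
    "eth0": "0x1003",
    "eth1": "0x1103",
}


def decode_flags(raw):
    """Turn the hex string from sysfs into (value, [flag names])."""
    value = int(raw.strip(), 16)
    names = [name for bit, name in sorted(IFF_FLAGS.items()) if value & bit]
    return value, names


def is_promiscuous(raw):
    """True when the PROMISC bit is set in the interface's flag word."""
    return bool(int(raw.strip(), 16) & IFF_PROMISC)


def find_promiscuous(flags_by_iface):
    """Names of the interfaces whose PROMISC bit is set."""
    return [iface for iface, raw in flags_by_iface.items() if is_promiscuous(raw)]


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Read the flag word of every interface on a Linux host.

    Returns an empty dict on systems without sysfs so the caller can fall
    back to sample data.
    """
    flags = {}
    if not os.path.isdir(sysfs_root):
        return flags
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                flags[iface] = fh.read()
        except OSError:
            continue
    return flags


if __name__ == "__main__":
    flags = read_sysfs_flags() or SAMPLE_FLAGS
    for iface, raw in flags.items():
        value, names = decode_flags(raw)
        print(f"{iface:8} {value:#06x} {' '.join(names)}")
    promisc = find_promiscuous(flags)
    print("promiscuous interfaces:", promisc if promisc else "none")
```

A hit is a lead, not a verdict: monitoring tools and some virtualisation setups legitimately leave interfaces promiscuous, so the finding should be matched against the host's known configuration before treating it as a rootkit indicator.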
References and info links:
https://en.wikipedia.org/wiki/Chkrootkit
Name of tool: Hydra (software)
Developer: THC
Type of tool (character-based or GUI): Password cracking
Used on (network device or computer host): Unix
Cost: Free
Description of key features and capabilities of product or tool:
Hydra is a parallelized login cracker which supports numerous protocols to attack. It also
supports:
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST,
HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy
References and info links:
https://en.wikipedia.org/wiki/Hydra_(software)
Reflection
The main impact of a cyber-attack is lost productivity, potentially all across the organization.
Some key steps organizations can take to help protect their networks and resources include
fortifying network defenses, such as setting up firewalls suited to the particular network
architecture. Whether stateless or stateful, ensure that your first line of defense is one of
your strongest.
The impact shows as a sudden and unusual surge of bandwidth usage or network traffic,
unfamiliar applications requesting data transmissions, or frequent pop-ups or sudden
ransomware messages. I should notify my supervisor and IT team immediately, or activate
our back-up network. Steps I can take to protect my PC or laptop are keeping up with system
and software security updates, enabling a firewall, and adjusting browser settings that let me
set the level of privacy.
Assignment Rubrics [10%]

Columns: Criteria; Marks allocated; 0 - None; 1 - Poor; 2 - Fair; 3 - Good; 4 - Excellent;
Weighted marks (M); Marks obtained (1st Assessor).

Step 1: Ability to research attacks that have occurred. (Marks allocated: 20)
  0 - None: None
  1 - Poor: Able to give 1 type of network attack.
  2 - Fair: Able to give 2 types of network attacks.
  3 - Good: Good. Able to give 3 types of network attacks.
  4 - Excellent: Excellent. Able to give more than 4 types of network attacks that had occurred.
  Weighted marks: M/5 x 20 =
  Marks obtained (1st Assessor):

Step 2: Report. Ability to select a network attack and develop a report. (Marks allocated: 20)
  0 - None: None
  1 - Poor: Able to give little information about network attack.
  2 - Fair: Limited discussion of findings.
  3 - Good: Generally clear discussion of results of network attacks.
  4 - Excellent: Clearly discusses the results of network attacks.
  Weighted marks: M/5 x 20 =
  Marks obtained (1st Assessor):

Step 1: Ability to research network security audit tools. (Marks allocated: 20)
  0 - None: None
  1 - Poor: Able to give 1 network security audit tool.
  2 - Fair: Able to give 2 network security audit tools.
  3 - Good: Able to give 3 network security audit tools.
  4 - Excellent: Able to give 4 network security audit tools.
  Weighted marks: M/5 x 20 =
  Marks obtained (1st Assessor):

Step 2: Report. Ability to select a tool and develop a report. (Marks allocated: 20)
  0 - None: None
  1 - Poor: Able to give little information about tool.
  2 - Fair: Limited discussion of findings of tools.
  3 - Good: Generally clear discussion of tool result.
  4 - Excellent: Clearly discusses the results of network security audit tools.
  Weighted marks: M/5 x 20 =
  Marks obtained (1st Assessor):

TOTAL: 80