FIT3031: TCP Session Hijacking Attacks - Network Security Assessment

Q1: Connect from client (container) to server (container) using SSH, the username and password are same: client. Perform TCP RST attack, from attacker (container), on SSH service using Scapy (python-based) packet generator. The client terminal should show the connection is terminated. Please submit your python code and the steps, along with screenshots, you have taken to perform the attack.

Q2: Briefly explain the TCP RST attack and propose at least two theoretical countermeasures.
You do not have to do any configuration/implementation for this task.

Q3: Connect TELNET from client to server the username and password are same: client. Write a python code, using scapy, which can inject packets in the client-server telnet communication, the goal is to make a directory called “attacker” at the server (as seen in the screenshot below). You can use attacker container to run the python code. Submit python code and steps, along with screenshots, you have taken to perform the attack.

Q4: Connect TELNET from client to server, the username and password are same: client. The objective is to get a reverse shell from server. Reverse shell is a shell process running on a remote machine, connecting back to the attacker’s machine. python code, using Scapy, which can inject packets in client-server telnet communication and create a reverse shell from server, which connects back to attacker (as seen in the screenshot below). Submit python code and steps, along with screenshots, you have taken to perform the attack.

Q5: You need to complete Step 1 in the remote_dns.py to create 10000 dummy hostnames.

Q6: You need to complete Step 2 in the remote_dns.py to generate a random DNS query for each dummy hostnames.
Q7: You need to complete Step 3 in the remote_dns.py to flood about 100 random forged response packets. Each packet has:
• A randomly generated transaction ID for DNSpkt.
• The malicious DNS server “ns.FIT3031.attacker.com” is included in the nameserver authority for the domain test.com when you construct DNSpkt.  
• Additional section showing “ns.FIT3031.attacker.com” has the IP of the attacker 10.0.0.2. 
Q11: Provide your video demonstration evidence to support and verify that you have performed the attack and it worked successfully. You need to upload your demo video to your Monash Google Drive and embed its shared link to your report so that the teaching team can view and verify your works. In the video, you need to demonstrate following key points:
• Wireshark traffic captured on the Gateway on eth1 shows the transactionID in DNS packet sent by the victim DNS server to Google, and the correctly matched transaction ID in the forged packet sent by the attacker to the victim DNS server.