Difference between revisions of "SEC520/assignments/assignment 2"

From CDOT Wiki
Jump to: navigation, search
(Created page with "<h2> <span class="mw-headline">General Details</span></h2> <br /> <h4>Objectives:</h4> <ol> <li>To understand hacker techniques to circumvent access controls.</li> <li>...")
(No difference)

Revision as of 10:58, 1 February 2018

General Details


Objectives:

  1. To understand hacker techniques to circumvent access controls.
  2. To demonstrate typical web site mistakes that can be exploited by hackers.
  3. To demonstrate how javascript injection can change variables and intent of web applications.


Due Date / Weighting:

Weight: 10% of the overall grade
Assignment Due Date: Week 13 on Friday at 11:59 p.m.


<a name="Report_Requirements" id="Alternate_Software_Installation"></a>

Assignment Requirements



Determine Work Groups:

You have two choices to complete this assignment:
  • Work Individually (reduced workload)
  • Work in Groups (maximum group size: 3 members) with increased workload.
      
Refer to Perform Required Hacking Missions to determine number of hacking missions to complete.



Overview / Warning:

The web site Hackthissite.org is the creation of hacker Jeremy Hammond to teach hacking techniques.

This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. As students of ethical hacking, this site provides an excellent opportunity (safe from prosecution).


<a href="http://zenit.senecac.on.ca/wiki/index.php/File:Caution.png" class="image" title="Important.png"><img alt="" src="../labs/SEC520_Lab_1_files/Caution.png" height="35" border="0" width="35"></a>
DO NOT REVEAL YOUR REAL IDENTITY!

you ARE NOT SAFE in leaving personal information on the site. The owner of this site has served jail-time for FRAUD. There is also the possibility that a member of the hacker community may be able to access your personal information and use it for their personal advantage (at your expense).

You have been warned!


Create a FAKE Account on hackthissite.org:


  1. Open a web-browser (Firefox is recommended based on security issues).
  2. Navigate to: <a href="http://www.hackthissite.org" target="_blank">www.hackthissite.org</a>
  3. Create an account. Perform the following steps to safely register for an account:
    1. Use a real e-mail address, but it is strongly recommended to create a new "fake" e-mail account (eg. on Yahoo or Google). It is recommended to keep the correct email format and create a fictitious account (so hackers don't try to penetrate your e-mail ACTUAL account). You will be required to respond to a confirmation e-mail message they send to your "fictitious account".
    2. Create a strong password.
    3. Set the time zone and complete the form (say no to all of the radio button questions)
    4. Complete the image validation.
    5. Click Submit.
  4. When you have properly registered, login with your fake username, password, and image validation.



Perform Required "Hacking Missions":

The Challenges are organized as hacking missions. Each mission gives a brief description to what you are supposed to do.
You should see a page labeled Basic Test: Levels 1-10.

The number of mission depends if you are performing the assignment individually, or in groups. Follow the rules below to determine the number of missions you are to perform:
  • Group members of one (individual): Perform hacking missions 1 to 4.
  • Group members (2-3): Perform hacking missions 1 to 6.

    NOTE: A bonus of 5% of value of assignment will be awarded if group reached an additonal 3 levels beyond the maximum intended level.


Once you have determined the number of hacking missions to perform, follow these steps to perform and document the hacking missions:

  1. Click on Level 1. This should take you to the "Idiot Test". There is a form asking for a password. Your job is to figure out the password.
  


<a href="http://zenit.senecac.on.ca/wiki/index.php/File:Idea.png" class="image" title="Important.png"><img alt="" src="../labs/SEC520_Lab_1_files/Idea.png" height="35" border="0" width="35"></a>
Think Like a Hacker

Note: Each mission is progressively more difficult and requires you to understand how the source code works in a client/server environment. There is a link at the bottom which provides help and gives basic clues in the Mission description. Also, if you still can't figure it out, there is lots of additional information on the Forum link on the Main Page. Try to solve the mission on your own without doing a Google search. Think and act like a hacker...


  1. When you have completed each level take a screen shot by pressing ALT + PntSc.
    Paste the screen shots into PAINT and name the file HTS_MISSION1.jpg, HTS_MISSION2.jpg, etc...

    NOTE: The screen shots must show your custom host desktop name to receive credit.

  2. You are required to create a Google Document demonstrating (proving) your hacking missions and answering additional questions (listed below).

    Required Contents

    • Report Title (with full names of group members, and your host desktop name).

    • Answers to the following questions (each answer should have an appropriate heading title, and answer should be in paragraph form using appropriate spelling and grammar):
      1. At the main hackthissite.org page, in the upper left, click Realistic Missions. Take time to read those realistic missions.
        What do those missions say about the motivation and ethics (Ethics – a set of moral principles that guide human conduct) of the hacking community?

      2. Open a browser and go to: <a href="http://en.wikipedia.org/wiki/Jeremy_Hammond" target="_blank">en.wikipedia.org/wiki/Jeremy Hammond</a> . Read about the life of Jeremy Hammond – what he did, how he did it, and what happened to him.
        Write a paragraph and address these points:
        1. Was Jeremy Hammond an Ethical Hacker? Why or why not?
        2. Was Jeremy's sentencing fair? Should it have been more or less severe? Why?

      3. Most mail servers run antivirus software which automatically blocks attached files that are deemed to be dangerous, such as exe, vbs, bat, or MIME types application/octet-stream, text/vbscript. From a security point of view, what flaw does such an approach present?

      4. You are the network administrator of a small 6 workstation network connected to the Internet across a firewall. Several users have called you to complain that a virulent worm that exploits a weakness in the TCP connections has caused their computers to continually reboot. What immediate steps would you take to stop the worm from propagating? What measures would you undertake to restore the workstation's operation?

      5. What is the difference between an IP spoofing attack and a TCP hijacking attack in terms of the OSI transport layer?

    • Conclusion outlining any observations and conclusions from conducting this assignment with emphasis on using this hacking web-site.

    • An Appendix with screen captures (inserted or hypertext links) of completed hacking missions.


<a name="Assignment_Submission" id="Alternate_Software_Installation"></a>

Assignment Submission


Upon completion of the assignment, one group member is required to send an e-mail to their completed assignment (include Google Document link).

Assignment Due Date

  • Assignment Requirements: End of week 13 (Friday @ 11:59 p.m.)



<a name="Marking_Guidelines" id="Install_a_second_Linux_distribution_as_a_Virtual_Machine"></a>

Marking Guidelines

  • Report Requirements:
    • Title Page (Listing of Group Member Names)
    • Appropriate answers to assignment questions
    • Appendix: Proof of Hacking Missions

  • Additional Criteria:
    • Report Format / Appearance
    • Correct Page Breaks (to send Google Doc to printer)
    • Spelling & Grammar
    • Content
    • Analysis
    • References (Bibliography)