Difference between revisions of "SEC520/assignments/assignment 2"

m (Protected "SEC520/assignments/assignment 2": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
 
(One intermediate revision by one other user not shown)
Latest revision as of 15:01, 21 July 2023

General Details


Objectives:

  1. To understand hacker techniques to circumvent access controls.
  2. To demonstrate typical web site mistakes that can be exploited by hackers.
  3. To demonstrate how javascript injection can change variables and intent of web applications.


Due Date / Weighting:

Weight: 10% of the overall grade
Assignment Due Date: Week 13 on Friday at 11:59 p.m.


Assignment Requirements


Determine Work Groups:

You have two choices to complete this assignment:
  • Work Individually (reduced workload)
  • Work in Groups (maximum group size: 3 members) with increased workload

Refer to Perform Required Hacking Missions to determine the number of hacking missions to complete.

Overview / Warning:

The web site Hackthissite.org is the creation of hacker Jeremy Hammond to teach hacking techniques.

This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. As students of ethical hacking, this site provides an excellent opportunity (safe from prosecution).


DO NOT REVEAL YOUR REAL IDENTITY!

You ARE NOT SAFE leaving personal information on the site. The owner of this site has served jail-time for FRAUD. There is also the possibility that a member of the hacker community may be able to access your personal information and use it for their personal advantage (at your expense).

You have been warned!


Create a FAKE Account on hackthissite.org:


  1. Open a web-browser (Firefox is recommended based on security issues).
  2. Navigate to: www.hackthissite.org
  3. Create an account. Perform the following steps to safely register for an account:
    1. Use a real e-mail address, but it is strongly recommended to create a new "fake" e-mail account (e.g. on Yahoo or Google). It is recommended to keep the correct e-mail format and create a fictitious account (so hackers don't try to penetrate your ACTUAL e-mail account). You will be required to respond to a confirmation e-mail message they send to your "fictitious account".
    2. Create a strong password.
    3. Set the time zone and complete the form (say no to all of the radio button questions).
    4. Complete the image validation.
    5. Click Submit.
  4. When you have properly registered, log in with your fake username, password, and image validation.



Perform Required "Hacking Missions":

The challenges are organized as hacking missions. Each mission gives a brief description of what you are supposed to do.
You should see a page labeled Basic Test: Levels 1-10.

The number of missions depends on whether you are performing the assignment individually or in a group. Follow the rules below to determine the number of missions you are to perform:
  • Group members of one (individual): Perform hacking missions 1 to 4.
  • Group members (2-3): Perform hacking missions 1 to 6.

    NOTE: A bonus of 5% of the value of the assignment will be awarded if the group completes an additional 3 levels beyond the maximum intended level.


Once you have determined the number of hacking missions to perform, follow these steps to perform and document the hacking missions:
  1. Click on Level 1. This should take you to the "Idiot Test". There is a form asking for a password. Your job is to figure out the password.
Think Like a Hacker

Note: Each mission is progressively more difficult and requires you to understand how the source code works in a client/server environment. There is a link at the bottom of the mission description which provides help and gives basic clues. Also, if you still can't figure it out, there is lots of additional information on the Forum link on the Main Page. Try to solve the mission on your own without doing a Google search. Think and act like a hacker...


  2. When you have completed each level take a screen shot by pressing ALT + PntSc.
    Paste the screen shots into PAINT and name the files HTS_MISSION1.jpg, HTS_MISSION2.jpg, etc.

    NOTE: The screen shots must show your custom host desktop name to receive credit.

  3. You are required to create a Google Document demonstrating (proving) your hacking missions and answering additional questions (listed below).

    Required Contents

    • Report Title (with full names of group members, and your host desktop name).

    • Answers to the following questions (each answer should have an appropriate heading title, and each answer should be in paragraph form using appropriate spelling and grammar):
      1. At the main hackthissite.org page, in the upper left, click Realistic Missions. Take time to read those realistic missions.
        What do those missions say about the motivation and ethics (Ethics – a set of moral principles that guide human conduct) of the hacking community?

      2. Open a browser and go to: en.wikipedia.org/wiki/Jeremy_Hammond. Read about the life of Jeremy Hammond – what he did, how he did it, and what happened to him.
        Write a paragraph and address these points:
        1. Was Jeremy Hammond an Ethical Hacker? Why or why not?
        2. Was Jeremy's sentencing fair? Should it have been more or less severe? Why?

      3. Most mail servers run antivirus software which automatically blocks attached files that are deemed to be dangerous, such as exe, vbs, bat, or MIME types application/octet-stream, text/vbscript. From a security point of view, what flaw does such an approach present?

      4. You are the network administrator of a small 6-workstation network connected to the Internet through a firewall. Several users have called you to complain that a virulent worm that exploits a weakness in TCP connections has caused their computers to continually reboot. What immediate steps would you take to stop the worm from propagating? What measures would you undertake to restore the workstations' operation?

      5. What is the difference between an IP spoofing attack and a TCP hijacking attack in terms of the OSI transport layer?

    • Conclusion outlining any observations and conclusions from conducting this assignment with emphasis on using this hacking web-site.

    • An Appendix with screen captures (inserted or hypertext links) of completed hacking missions.


Assignment Submission


Upon completion of the assignment, one group member is required to send an e-mail containing the completed assignment (include the Google Document link).

Assignment Due Date

  • Assignment Requirements: End of week 13 (Friday @ 11:59 p.m.)



Marking Guidelines

  • Report Requirements:
    • Title Page (Listing of Group Member Names)
    • Appropriate answers to assignment questions
    • Appendix: Proof of Hacking Missions

  • Additional Criteria:
    • Report Format / Appearance
    • Correct Page Breaks (to send Google Doc to printer)
    • Spelling & Grammar
    • Content
    • Analysis
    • References (Bibliography)