HW#1

62_009411688_HW#.doc




























[Question 5] (20 points) 2. MITM ARP Poisoning in DeterLab. Answer these questions about the
above MITM ARP poisoning exercise:

1)If node1 is a "man in the middle" then node4 is an "odd man out." In particular, node 4 was
unaccounted for in section 2 "Recording actual address mappings." Later you arp poisoned node2 and
node0 from node1; how about arp poisoning node 4 from node1?You accomplish poisoning by sending
a crafted arp message to a node. Comment on the ways and means of poisoning node4 from node1.

Ans:.As it is seen from the topology that node 4 is in the different subnet from node1,thus node4 cannot
be directly poisoned by node1,but as it is seen that node4 is connected to node0 such that all the traffic
of node4 flows through node0.Hence node4 can be poisoned indirectly by poisoning node0.

2)Answer the question at the end of section 5. Under the circumstances of that section,"How does
traffic between node2 and node0 get from node2 to node0?"

Ans:As the ettercap utility is used for arp poisoning,the traffic of between node2 and node0 first goes
to node1,which is the attacker and then it reaches its destinantion.The attacker node1 has spoofed its ip
address and as a result all the commmunication between node2 and node0 takes place via node1.

3)Answer the question at the end of section 6, "How?" That is, recall that node2 logged into ftp on
node4 and somehow node1 figured out the user password given by node2.How?

Ans:ettercap -T -M arp:remote /10.1.1.2/ /10.1.1.6/. By executing the following command,node1 has
gained access to both node2 and node0.Thus node1 can now dynamically read the data and sniff out
the passwords.As,node2 tries remotely to connect to node4,the data will pass from node1 to node4 and
as a result,the passwords are recorded in node1.

4)Imagine you run a web hosting company. The manager at one of your clients, a medium sized
business, calls you in alarm and reports the apparent defacement of his website running on your host
machine. Images on the site have all been replaced with various hacker images like the laughing skull.
He heard about it from several of his employees, then saw it with his own eyes on their terminals. His
website has fallen victim to the same mischief as the one on our node4. What is your course of action?

Ans: As it is clear in this case that there is no problem in node4,similarly there is no security issue with
the webserver. It the clients of the office, which are having the problem. A MITM attack has been
executed on the machines of the clients and as a result the attacker is controlling their machines. I
would recommend the manager to clear the arp cache table of all the clients. Thus new arp mappings
will take place between clients and servers and as a result the problem can be resolved.









[Question 6] (20 points) 3. Man-in-the-middle attacks in DeterLab

(1) Eavesdropping Tasks: Answer these questions as completely as you can:
What kind of data is being transmitted in cleartext?












































[Question 8] (40 points) 11. DNS Hijacking in DeterLab.

(1)Park 1: Understanding DNS
Login to the client machine and use the dig command to lookup the IPv4 address
www.google.com using the command "dig www.google.com A".



The dig command sent a DNS query to some DNS server and received a response from that
server. What is the IP address that server?

Ans:10.1.1.3

The DNS response includes a status. What was the status of the response?

Ans:The response of the status is no error.

The response identified the IP address of www.google.com. What is the reported IP
address of www.google.com?
Ans:10.1.2.155

How long will the www.google.com IPv4 address be cached?

Ans:23mseconds

The response listed the nameserver that is authoritative for www.google.com.What is the
authoritative name server for google.com?

Ans:ns.google.com

Finally, the response listed the IPv4 address for the google.com nameserver For each such
server what is its IPv4 address?

Ans:10.1.2.3



Part 2: The Big Picture
Before doing any ARP spoofing, we want to understand the network topology. Use the
DETER Visualization tab to show the network and use arp and ifconfig commands to detect MAC
and IP addresses for each machine.







State the source MAC and IP addresses as well as destination MAC and IP addresses for a
packet going from the client to the cache.

Ans:Source ip address is 10.2.1.4 whereas source mac address is 00:04:23:A6:5B:75 and
Destination ip address is 10.1.2.155 whereas destination mac address is 00:04:23:a6:ce:dd.

Does the packet travel through the attacker box?

Ans:Yes

State the source MAC and IP addresses as well as destination MAC and IP addresses for a
packet going from the cache to the authoritative server.

Ans:Source ip address is 10.1.2.4 and destination mac adress is
Destination ip address of packet is 10.1.1.3 and Destination mac address is 00:04:23:a6:ce:dd.

Does the packet travel through the attacker box?
Ans:yes

3)Using Ettercap

The command you used
Ans:ettercap -Tq -i eth4 -M arp -P dns -spoof /10.1.2.2/ /10.1.2.3/

What each option in the command means
Ans:ettercap is the utility used for DNS hijacking.-T denotes that data should be retrived in text form.-i
denotes interface 4 of ethernet.-M denotes the type of attack,which is Man in the middle.arp -P denotes
that it is in promiscous mode.dns -spoof represents the spoofing attack by DNS./10.1.2.2/ /10.1.2.3/
denotes the network address range on which attack is to be performed.
State the source MAC and IP addresses as well as destination MAC and IP addresses for a
packet going from the cache to the authoritative server
Ans:Source ip address is 10.1.2.2 whereas Macaddress is 00:04:23:A6:BA:67.Destination address
is 10.1.2.4 and mac address is 00:04:23:A6:5B:75.

Does the packet travel through the attacker box?
Ans:Yes