Transcript Repeated return addresses

EC310
12-week
Review
Rules of Engagement








Teams selected by instructor
Host will read the entire questions. Only after, a team may “buzz” by
raise of hand
A team must answer the question within 5 seconds after buzzing in
(must have answer at hand)
If the answer is incorrect, the team will lose its turn and another
team may buzz in. No score will be deducted. No negative scores.
Maximum score is 100. Once reached, that team will stand down for
others to participate. Teams will earn all points scored at the end of
game.
When selecting a question, Teams must only select questions of
different value, unless there are no others, but may be from different
categories.
All team members will participate and will answer questions
Only one round - No Daily Doubles, Double Jeopardy or Final
Jeopardy … and no partial credits!
Jeopardy!
TCP/IP
Model
Ethernet
Internet
Protocol
ARP
Routing /
MITM
Privileges /
Buffer
Overflow
10
pts
10 pts
10
pts
10 pts
10
10 pts
pts
10
10 pts
10
10 pts
pts
10
10 pts
pts
20
pts
20 pts
20
20 pts
pts
20
20 pts
pts
20
20 pts
pts
20
20 pts
pts
20
20 pts
pts
40 pts
40
pts
40 pts
pts
40
40 pts
pts
40
40 pts
pts
40
40 pts
pts
40
40 pts
pts
40
60 pts
60
pts
60 pts
60
pts
60 pts
pts
60
60 pts
pts
60
60 pts
pts
60
60 pts
pts
60
TCP/IP 10 pts

Which TCP/IP layer is responsible for processes
that provide services to HTTP or FTP?
Application Layer
Ethernet 10 pts

How many bytes are in a physical address?
6 Bytes
Example F2 : 45 : 17 : FF : 71 : A2
Internet Protocol 10 pts

Which of the following is not a valid IP address?
(a)
(b)
(c)
(d)
192.148.2.0
0.0.0.0
200.256.32.104
172.31.22.48
Maximum octet value = 255
ARP 10 pts

Which two layers does the Address Resolution
Protocol (ARP) involve?
Layer 2 (Data Link)
&
Layer 3 (Network)
Routing Tables 10 pts
Routing tables are maintained on which of the following:
(a) routers
(b) host computers
(c) both a & b
(d) neither

Routing/MITM 10 pts

TRUE/FALSE: It is best to order the routing
table by decreasing mask value.
True! This is “longest mask matching” principle
Privileges/Buffer Overflow 10 pts

What does the Linux command sudo do?
Executes a single command as the root user!
TCP/IP 20 pts

The Transport layer is encapsulated by which
layer?
Network Layer (Layer 3)
Ethernet 20 pts

What is the purpose of the CRC field in an
Ethernet frame?
Used for Error Detection
Internet Protocol 20 pts
What is the network address for the IP address
200.32.33.234 / 23 ?

(mask)
(Network bits)
(Host bits)
(Mask)
200. 32.00100001.11101010
255.255.11111110.00000000
(Network ID)
200. 32.00100000.00000000
(IP address)
200.32.32.0
Zero out the host bits to get…
ARP 20 pts

An evil attacker launching an ARP-spoof
hardware
attempts to associate his ___________
IP
address with the victim’s ___________
address.
Answer choices: hardware or IP
Routing/MITM 20 pts

If a router receives a packet with a destination
IP address that does not match any of the
networks on the routing table, what does the
router do with it?
The router sends it to the default router.
This is often indicated in the routing table by:
Mask
Network
Any
Any
or
/0
0.0.0.0
Privileges/Buffer Overflow 20 pts

What does setting the setuid permission on
an executable program do?
Whenever the program is executed it
will behave as though it were being
executed by the owner!
TCP/IP 40 pts

What is the name of the collection of 1’s and 0’s
at layers 5 through 2?
Layer 5 – “Message”
Layer 4 – “Segment”
Layer 3 – “Packet or Datagram”
Layer 2 – “Frame”
Ethernet 40 pts

Calculate the bandwidth seen by user 3 if each
network is connected via 10 Mbps Ethernet.
4
1
B1
B2
5
2
3
6
10Mbps ÷ 3 = 3.33Mbps
Internet Protocol 40 pts

How many addresses can be assigned to hosts
on the network 138.43.29.128 / 26 ?
32 total bits – 26 network bits = 6 host bits
26-2=62 addresses assignable to hosts.
Account for the broadcast
and network addresses.
ARP 40 pts

What two types of ARP messages exist?
ARP Request
&
ARP Reply

What is the fundamental problem with ARP that
allows an ARP-spoof to be possible?
An ARP reply can be sent (and be accepted!) without
an ARP request
Routing/MITM 40 pts

Fill in the missing information in the routing table for
R1.
Privileges/Buffer Overflow 40 pts
What is the correct order for arranging the payload in a
buffer overflow attack, and what are their purposes?
Choices are given below:
The exploit (shellcode)
Repeated return addresses
NOP sled

NOP Sled – It is a series of “no operation” commands that lets the hacker
be a bit off with the return address, so that the return address just has to
point anywhere within the NOP sled. Otherwise, the return address would
need to be the precise first address of the exploit.
The exploit – This is the executable program.
Repeated return addresses – The return address points towards the exploit
as the next instruction (however, see the note regarding the NOP sled). It
is repeated so that the hacker would have a number of chances to get the
address correctly positioned in the Return Address field in the stack.
TCP/IP 60 pts

Suppose an application entity wants to send a
100 byte message to a peer entity. If each layer
from 4-2 appends a 15 byte header, what
percentage of the total frame size is actual
application entity data?
[100 / (100+15+15+15) ] x100 = 69%
Ethernet 60 pts

Assume the Network layer passes the Data Link
layer 6030 bytes of information to transmit. How
many Ethernet frames will be required?
6030÷1500 = 4.02 thus 5 Frames
Internet Protocol 60 pts
What is the block of addresses assigned to the
network 56.45.100.0 / 23 ?
(mask)
(Network bits)
(Host bits)
56.45.01100100.00000000
56.45.01100100.00000000 = 56.45.100.0
(First Address)
...

56.45.01100101.11111111 = 56.45.101.255 (Last Address)
ARP 60 pts

You are user C in the network below. Design an
ARP Spoofing attack on User D. What changes
would you make to the ARP cache?
N1 : L1
N2 : L2
N3 : L3
N4 : L3
L4
N5 : L5
Routing/MITM 60 pts

Design an MITM attack to divert traffic from the server
Target’s
Network
40.230.45.161
Target’s
IP Address
Attacker’s
Lie
40
.230
.45
00101000
11100110
00101101
40
.230
.45
00101000
11100110
00101101
40
.230
.45
00101000
11100110
00101101
Ans: 40.230.45.160 / 27
Other possible Answers:
40.230.45.160 / 28
40.230.45.160 / 29
40.230.45.160 / 30
40.230.45.160 / 31
.128
1
0
0
0
0
0
0
0
0
0
1
0
0
0
.161
1
0
1
0
0
.160
1
0
1
0
0
Privileges/Buffer Overflow 60 pts

Name and describe two technical solutions to
prevent a buffer overflow attack.
The non-executable stack: The CPU will not execute any
machine instructions located in the portion of main memory
reserved for the stack.
The stack canary: The CPU checks a known value in
memory just prior to the location of the return address (to
make sure it was not changed) before resetting the EIP.
Address space layout randomization: The stack and
the heap are placed in random memory locations,
preventing the hacker from easily predicting return
addresses’ location.