Summary

Lab on Offensive Computer Security (2IC80) Summary Q4 2021

Rating: -
Sold: 6
Pages: 22
Uploaded on: 20-06-2021
Written in: 2020/2021

Lab on Offensive Computer Security (2IC80) is a course taught at Eindhoven University of Technology. It is an elective course part of the package Security for CSE, which is meant for Bachelor Computer Science and Engineering students. The course is given in the fourth quartile of the second or third year. Lab on Offensive Computer Security discusses the OSI model and its layers, (exploitation of) vulnerabilities, social engineering, malware and more.


Preview of the content

Lab on Offensive Computer Security (2IC80)
Summary Q4 2021
Lectures 1 to 5 are about Network Security. Lectures 6 to 12 are about System Security.

Contents
L1 – Intro + foundations
L2 – Data Link and Network Layers
L3 – Transport layer
L4 – Application Layer
L5 – Network reconnaissance
L6 – Vulnerabilities
L7 – Vulnerability and exploit ecosystem
L9 – Hacking a human
L10 – Web vulnerabilities
L11 – Malware
L12 – Malware Distribution Networks
Labs 0 – 5
Challenges – OSINT and Forensics
    OSINT challenge
    Forensics challenge




Lab on Offensive Computer Security (2IC80) Summary Q4 2021 by Isabel Rutten

L1 – Intro + foundations
Computer security is about preserving security, i.e. maintaining already established security properties. A computer system is all about information. Security properties: confidentiality (only read by those allowed), integrity (correct), availability (reachable). There are both human and automated users. Computer systems do not know what they are doing and can only be instructed to preserve the security properties of that information by means of some mechanism. The core idea of computer security is to instruct and trust a computer system not to compromise the security properties of the information it itself manages. The user trusts the authentication mechanism, but is this trust founded?
The source code is high-level code written by a human programmer. It is not executable by a computer and must first be compiled, i.e. translated into assembly code. Assembly code is the lowest level at which humans operate. It can then be directly translated into machine code by the assembler. For example, a compiler is written in C and is compiled by a previous version of itself: it takes one generation to add a "backdoor" that will automatically be included in the code with the next compiler (i.e. 11 (ASCII for |) => \v).
Chicken-or-egg problem: trust in software can be increased by looking at the source code, but who generated that? The human who wrote the code? The compiler? The human who wrote the compiler? Etc. Thompson's view: the compiler can be modified in any way to include code that never appears in the source code. Don't trust!
From a Client (web browser) to a Server (website), the data needs to cross many routers/servers. The problem is whether all these nodes can be trusted. Possible attack scenarios:




Attack models:
- outright malicious attacker: typically reads or modifies some information (in part or fully)
- honest-but-curious attacker: uses the client's information after correctly handling the service; resides at the service level, e.g. a server provides the agreed service but uses the given data to perform user profiling





L2 – Data Link and Network Layers
The Internet is made of several Autonomous Systems (AS), which are logically separated networks. Each AS autonomously manages communications within itself using Interior Gateway Protocols (IGP). Each AS can communicate with other ASs using Exterior Gateway Protocols and the Border Gateway Protocol.
The OSI model means that a "network" packet is really composed of several layers which are transmitted "stacked" on top of each other. L1: bits. L2: frame. L3: packet/datagram. L4: segment. L5-L7: mapping.




Data link layer (L2): lowest logical level, interconnects physical interfaces. Two sub-layers:
- Logical Link Control (LLC): error control physical layer
- Media Access Control (MAC): physical addressing, scheduling
Each physical interface is uniquely identified by a MAC address ("Ethernet address"), a 48-bit network interface identifier written in HEX notation. The first 24 bits are set by IEEE standard, so you can identify the network interface producer/vendor from the MAC. The MAC is used to route packets in local networks.
Network layer (L3): provides information on how to reach other systems (addressing) and uses IP: a high-level representation of a host's addresses, dynamically assigned by an authority. The IP is used to route datagrams. IP provides a structured way to abstract host addresses away from their physical attributes, which makes it possible to efficiently talk between systems in different networks/not in proximity. Two versions: IPv4 (most common, 32 bits), IPv6 (new, 128 bits). Routing with IP addresses is done by querying the nearest router about the destination of an IP packet and then forwarding the question to the next router until an answer is found and returned.
The ARP protocol (Address Resolution Protocol) allows systems to associate an IP address with a MAC address by using ARP tables, which contain the necessary info. All addresses in an ARP table are added by one of two mechanisms: ARP request-reply ("who is <requested IP> tell <sender IP>", answered with "<requested IP> is at <MAC address>") or Gratuitous ARP ("<requested IP> is at <MAC>"). The discovery process happens through queries to neighbor devices. The system with the requested IP replies back with its correct MAC address. The ARP frame header contains the OPERATION field, where 1 = request, 2 = reply. ARP answers or Gratuitous ARP frames do not require an (additional) answer/confirmation (declarative protocol). Nodes are not authenticated. Thus ARP poisoning can occur: C can tell A "B is at <C MAC address>" and can tell B "A is at <C MAC address>". This works only on local networks and because systems are not authenticated.
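The ARP behaviour described above, as an added detection example that is not part of the original summary: because ARP replies are accepted without authentication, a monitor can flag any sender IP whose MAC address changes during a capture. The MAC and IP values, the sample frames and the helper names (`parse_arp`, `watch`, `build`) are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload: 28 bytes, OPERATION is the 5th field

def parse_arp(payload: bytes) -> dict:
    """Decode one Ethernet/IPv4 ARP payload; raise ValueError on anything else."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request (1) or reply (2)")
    return {"oper": oper, "mac": sha.hex(":"), "ip": str(IPv4Address(spa)),
            "gratuitous": spa == tpa}  # gratuitous ARP announces the sender's own IP

def watch(payloads):
    """Alert when a sender IP shows up with a MAC other than the first one seen."""
    table, alerts = {}, []
    for n, raw in enumerate(payloads, 1):
        try:
            arp = parse_arp(raw)
        except ValueError:
            continue  # skip payloads that cannot be decoded
        known = table.setdefault(arp["ip"], arp["mac"])  # first-seen binding is kept
        if known != arp["mac"]:
            kind = "gratuitous" if arp["gratuitous"] else ("request", "reply")[arp["oper"] - 1]
            alerts.append((n, arp["ip"], known, arp["mac"], kind))
    return alerts

def build(oper, sha, spa, tha, tpa):
    """Build an in-memory ARP payload for the constructed sample below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
ZERO = "00:00:00:00:00:00"
SAMPLE = [  # constructed frames, not a real capture
    build(1, A, "192.0.2.10", ZERO, "192.0.2.20"),  # A asks for B's MAC
    build(2, B, "192.0.2.20", A, "192.0.2.10"),     # B answers with its own MAC
    build(2, C, "192.0.2.20", A, "192.0.2.10"),     # C's MAC claims B's IP
    build(2, C, "192.0.2.10", B, "192.0.2.20"),     # C's MAC claims A's IP
]

if __name__ == "__main__":
    for alert in watch(SAMPLE):
        print(alert)
```

A legitimate address change (a replaced network card, a DHCP lease moving to another host) raises the same alert, so each hit needs to be checked against known inventory.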
Subnets are logical divisions of IP addresses, so we can split a network into multiple sub-networks. IP bits are divided into x network bits, y subnet bits and z host bits. The subnet mask indicates the sections of an IP address meant for network + subnet. CIDR (Classless Inter-Domain Routing) is a synthetic way to represent subnet masks and indicate the number of bits covered by the mask.
Example: See table below. IP address: 132.134.15.96. Network mask: 255.255.0.0 (prefix length of 6, so to get the nr of bits covered by the mask, calculate 6*8/3=16. To get the prefix length, calculate 16*3/8=6).
CIDR representation: 132.134.15.96/16. Nr of hosts: 2^16 = 65536-1.




