CS671 Spring 2021 Homework 5

TTPs, Vulnerabilities, and Recon

Dr. Greg M. Bernstein

Due Wednesday, April 14th, 2021 by 11:59PM, 50 points.

General Instructions

The goals of this assignment are getting hands on with digital signatures and certificates, to understand malware, get hands on with some malware detection technology and more.

Create and Use a new Branch hw5

We will create a new git branch called hw5 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 4. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw5. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.


Question 1. (10 pts)

(a) Ransomware and APT

Would you consider ransomware an APT? Explain your reasoning.

(b) RAT and APT

Would you consider a RAT an APT? Explain your reasoning.

(c) Cyber Kill Chain

Explain and give an example of the weaponization step in the cyber kill chain model.

(d) Courses of Action

In your own words explain with an example the following courses of action (humor is encouraged!):

  1. Discover
  2. Degrade
  3. Deceive

Question 2. (10 pts)

Understanding TTPs via the Mitre ATT&CK model. Below are three different attack analyses written up by Talos Intelligence. You will read one of these based on the last digit of your NetId.

  1. Masslogger – digits 1-3
  2. Xanthe Miner – digits 4-6
  3. Wasted Locker – digits 7-9

(a) Mitre ATT&CK Items

List the identifiers of the Mitre ATT&CK techniques mentioned in the article, i.e., identifiers like “T1059.003” or “T1059”. You do not need to explain them here.

(b) Mitre ATT&CK Techniques Explanation

For four of the techniques you listed above, provide an explanation of that technique in a way understandable to someone who is taking this class and is not a security, Windows, Mac, or Linux expert. If the reader cannot understand your explanation you will lose points.

Question 3. (10 pts)

For parts (a)-() you will need to look at the CWE Top 25 list.

(d) CVE

Go to the CVE list search page and search for dnsmasq, which is a library commonly used in home routers. Show a screenshot of a portion (the first couple) of the results. Review the first four or so returns. List “the highest threat from this vulnerability” for each of the first four CVEs you found here. In these first four CVEs did you see any mention of an attack that we studied in class? If so, what was that attack?

(e) NVD

For one of the CVEs you found in part (d) look up that item in the NIST NVD. Show a screenshot of what you see. Show the severity score here. Show the common weakness enumeration here.

Question 4. (10 pts)

For this question you will need to download NMap and install it on your machine.

(a) Show NMap Running

Take a screenshot of NMap running on your machine, either a GUI version or in a terminal. I show both below:

NMap running on my machine

(b) Find the IPv4 Address and Type of your Machine

Different operating systems have different commands to determine the IP address of your machine. In addition, a machine can have multiple IP addresses for different purposes. Find the IPv4 address of your machine that is used for communicating with the local network. Write that address here. For example, my laptop has the address

Is your IPv4 address a private IPv4 address? For example, my address is in the range – so it is a private IPv4 address. Write your answer here.

(c) Quick Scan your own machine

Use either the NMap GUI or the command nmap -T4 -F your_ip_address to scan your own machine from your machine. Take a screenshot. I get:

Self Scan

How many open ports did NMap find on your machine? (answer here)

(d) Scan your cell phone

Find the IPv4 address of your cell phone and write it here. You need your cell phone and computer to be on the same WiFi network for this to work. For example, my cell phone has IP address: on my local network.

Scan your cell phone with an “intense scan” (GUI) or the command nmap -T4 -A -v your_ip_address. Take a screenshot of the results. How many open ports did NMap find? Did NMap correctly identify the device/operating system? Can you get device manufacturer information from the MAC address?

I get:

Cell Scan

(e) Scan another device or subnetwork

Scan another device on your network or scan for devices on a subnetwork. Please respect others’ privacy and do not scan devices or networks without permission. Describe what you scanned and how well NMap identified the devices here.

See an example of my home network scan and analysis in the course slides Recon: NMap Home Network.

Question 5. (10 pts)

The project/report will be graded based on the Grading Rubric for Written Assignments. See, in particular, the Level of Content section, where achieving a “B” level requires:

Content indicates original thinking and develops ideas with sufficient and firm evidence.

This is not easy. In addition, the final version of your report will need to point out how your report is different from that of your references and other material easily found on the internet. As a reviewer for technical journals, this is one fault I see that leads me to quickly reject a paper, i.e., it is up to the author to explain at the beginning of the paper (typically in the introduction section) how this work is original and how it differs from that of its references.

The due date of the report will be Friday May 7th at 11:59PM. The goal for the next few weeks of your project will be to refine your topic via literature/web site searches and review and, if you want, discussions with your instructor.

To facilitate interactions with your instructor create a markdown document called ProjectNotes.md in your repository. Structure it in a manner similar to that shown below:

# Topic Area

Let me know the general topic area you are investigating.

## Next Steps

Write what you are going to do next week on the project here.

## Ideas for Originality

Put ideas down here as you review references (sites/papers) on what you could do beyond what is covered by a reference, or questions the references made you think about. This is "brainstorming". You are not committing to any of these ideas at this point.

## Good Looking References

Put your assessments of, and links to, references you like here. Include the date of the reference and a brief summary of the topic covered, technical depth, comprehensiveness, authoritativeness (reliability of source), and other relevant details.

## Rejected or Not so good References

For sites/papers that you looked at and don't think were so good, keep a list here with link, title, date, and issue.

I will look at this document if you request me to or if you come to office hours to discuss the project. For grading this question please include a short summary of the work you did this week on your project here.