BN200 Cyber Attacks And Network Protocol Analysers Assignment 2 Answer

Assessment Details and Submission Guidelines
Trimester: T2 2020
Unit Code: BN200
Unit Title: Network Security Fundamentals
Assessment Type: Assignment - Individual Assessment
Assessment Title: Cyber Attacks and Network Protocol Analysers
Purpose of the assessment (with ULO Mapping): In this assignment students will demonstrate theoretical as well as practical knowledge and skills acquired from lecture and laboratory classes. Students will be able to complete the following ULOs:
  1. Discuss the main security issues and emerging trends of information security
  2. Identify common emerging threats, attacks, mitigation and countermeasures in networked information systems
  3. Explain the major methodologies for secure networks and the threats they address
  4. Identify and report network threats, select and implement appropriate countermeasures for network security
Weight: 30%
Total Marks: 50
Word limit: 1500 Words
Submission Guideline:
  • All work must be submitted on Moodle by the due date along with a completed Assignment Cover Page.
  • The assignment must be in MS Word format, 1.5 spacing, 11-pt Calibri (Body) font and 2.54 cm margins on all four sides of the page, with appropriate section headings.
  • Reference sources must be cited in the text of the report and listed appropriately at the end in a reference list using IEEE referencing style.

Assignment Description

In this assignment students will demonstrate theoretical as well as practical knowledge and skills acquired from lecture and laboratory classes. The assignment consists of two parts, described in the following sections:

Cyber Attacks

A cyber-attack is an attack launched from one or more computers against another computer, multiple computers or networks. Cyber-attacks can be categorised into two broad types: attacks where the goal is to disable the target computer or make it offline, and attacks where the goal is to get access to the target computer's data and perhaps gain admin privileges on it [1].

For this part of the assignment, write a report and address the following points:

  1. Identify and discuss an attack where the attackers' goal is to disable the target computer or make it offline.
  2. Report one such recent attack (from 2019-2020) and the motives behind it.
  3. Which techniques/tools were used to accomplish the attack?
  4. Propose and discuss a technique/technology that will control and prevent this type of attack.

Network Protocol Analysers

Protocol analysers are devices and/or software placed on a network to monitor traffic, both to improve security and to track bottlenecks. Some packet analysers only perform captures, some only analyse, and some do both. Wireshark (previously called Ethereal) is one such analyser: it can capture in real time, open saved trace files from earlier captures and rebuild the sessions they contain.

Download Wireshark and start it on a system connected to a live network. Capture for approximately 5 minutes, visiting several web sites and pinging hosts to generate traffic, then save the trace file. Start Wireshark again and examine the trace file.

  1. Based on your analysis, what traffic patterns do you see?
  2. Find out whether you are on a network using NAT or routable IP addresses.
  3. Does any address appear more often than the other addresses? Identify the ports that show up.
  4. Write a report on your findings.

Answer

A. Cyber Attacks

A cyber attack is a malicious attempt by an individual or a group against a target system, made to gain some benefit from that system or network. Such attacks are carried out mainly for two reasons: to disable the victim's system and take it offline, or to obtain root or administrator level access to it. There are many attack methods for achieving these goals, categorised by the level of harm and the technique used, such as malware, DoS or DDoS, man-in-the-middle (MITM), SQL injection, etc. [1]

a. Identification of a cyber-attack – Ransomware is an attack delivered as a malicious application that encrypts the victim's files and locks the target system. The attacker then demands a ransom, usually in cryptocurrency, to restore the data and unlock the system. It fits the first category in the assignment brief: the immediate goal is to deny the owner the use of the system and its data. Paying the ransom does not guarantee that the system will be fully restored; in many cases it is not. Depending on the type of business and the value of the data, the attack is made more elaborate, so that the system itself cannot be used without the decryption key. Many types of ransomware are in use today, including crypto malware, lockers, scareware, doxware, Mac ransomware, ransomware-as-a-service (RaaS) and ransomware targeting mobile devices. [2]

b. Recent attack identified – A recent ransomware campaign analysed by the Cybereason Nocturnus team is Sodinokibi (also known as REvil). The motive is financial: victims are extorted for a cryptocurrency ransom. The ransomware is highly evasive and uses several measures to avoid detection by antivirus and other security software. It was delivered through a phishing email with a zip attachment containing a JavaScript file; when the archive was first seen, few virus definitions detected it. When the user executed the malicious JavaScript, it launched a PowerShell script that carried out the rest of the infection, ending with the data on the system made inaccessible and further damage done. That PowerShell stage is the more complex part of the chain and sets up the later steps. If the infected host is not blocked or isolated from the network, files on reachable network shares are at risk as well.

c. Techniques and tools used – The attacker relied on a simple phishing email to deliver the malicious file: the message carried a zip attachment containing a JavaScript file, and opening that file started the infection. The loader is built to stay undetected by antivirus software and so pass the first line of defence. The JavaScript drops a file named jurhtcbvj.tmp into the temporary directory; this is a PowerShell script padded with a large number of exclamation marks, and it is launched by a PowerShell command that strips the exclamation marks and runs the real script. That script decodes and executes a further script containing Base64-encoded .NET code. Together with the earlier PowerShell process it calls a function named Install1, which contains several modules, among them test.dll and another Base64-encoded script, and loads them into memory for the next stages. If the malware does not already hold full privileges, it attempts a User Account Control (UAC) bypass.
Once it has enough access, the remaining work runs in phases. In the first phase the primary module is loaded into memory and in turn loads the related modules. It calls CheckTokenMembership to confirm its privilege level; if that is insufficient, it goes through the UAC bypass again, writing itself to the registry and launching a new explorer.exe instance to execute the script, so that whatever is stored at that registry path runs with the highest privilege on the system. In the second phase it maps portable executables into memory as the final payload. The malware looks for the AhnLab antivirus process and, if the required service is found, launches its autoup.exe process and injects the Sodinokibi payload into it. The sample's embedded data is RC4-encrypted and it appended the .grr extension to the files it encrypted; its configuration describes which processes to run and which to kill, and whether to escalate privileges through CVE-2018-8453, a Windows Win32k elevation-of-privilege vulnerability. Finally, a ransom note is displayed to the user. [3]
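As an added example that is not part of the original report or of Cybereason's analysis, the script below shows how the delivery chain described in parts b and c can be recognised in process-creation telemetry: a script host spawning PowerShell, a padded .tmp script in the temp directory being stripped of its exclamation marks, and a Base64-encoded stage that is decoded to expose the next layer. The log lines are constructed for the example in a Sysmon-like key=value shape; the field names, paths and command lines are assumptions rather than indicators from the report, except for the file name jurhtcbvj.tmp and the function name Install1.

```python
import base64
import re

# Constructed process-creation records in a Sysmon Event ID 1 style (key=value fields
# joined with '|'). Field names, paths and command lines are assumptions for this example;
# only the chain shape (JS from a zip -> PowerShell -> '!'-padded .tmp -> Base64 .NET stage)
# and the names jurhtcbvj.tmp and Install1 come from the report.
_INNER_STAGE = base64.b64encode(
    b"function Install1 { [System.Reflection.Assembly]::Load($bytes) }"
).decode()

SAMPLE_EVENTS = [
    "ProcessId=1204|Image=C:\\Windows\\System32\\wscript.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.zip\\invoice.js",
    "ProcessId=1308|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=powershell.exe -nop -w hidden -c \"$s=(Get-Content $env:TEMP\\jurhtcbvj.tmp) -replace '!','';iex $s\"",
    "ProcessId=1412|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -c \"iex ([Text.Encoding]::UTF8.GetString("
    f"[Convert]::FromBase64String('{_INNER_STAGE}')))\"",
    "ProcessId=2000|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -NoProfile -Command Get-Service",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_base64_stages(cmdline):
    """Peel the Base64 layer the loader uses so the next stage can be inspected."""
    stages = []
    for m in re.finditer(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", cmdline):
        try:
            stages.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return stages


# Each indicator is one link of the chain; any two together are worth an alert.
INDICATORS = {
    "script_host_spawns_powershell": lambda e, _s: _basename(e["ParentImage"]) in ("wscript.exe", "cscript.exe")
    and _basename(e["Image"]) == "powershell.exe",
    "script_from_temp": lambda e, _s: re.search(r"(\$env:temp|\\temp\\)[^\s'\"]*\.tmp", e["CommandLine"], re.I) is not None,
    "padding_strip": lambda e, _s: re.search(r"-replace\s*'!'|\.Replace\('!'", e["CommandLine"]) is not None,
    "base64_stage": lambda e, _s: re.search(r"FromBase64String|-enc(odedcommand)?\b", e["CommandLine"], re.I) is not None,
    "hidden_window": lambda e, _s: re.search(r"-w(indowstyle)?\s+hidden", e["CommandLine"], re.I) is not None,
    # Only visible after decoding: the in-memory .NET load that follows the Base64 layer.
    "reflective_load": lambda _e, stages: any("Reflection.Assembly" in s for s in stages),
}


def analyze(events, threshold=2):
    """Score every event; 'flagged' is True when at least `threshold` indicators fire."""
    findings = []
    for line in events:
        e = parse_event(line)
        stages = decode_base64_stages(e["CommandLine"])
        hits = [name for name, test in INDICATORS.items() if test(e, stages)]
        findings.append({"pid": e["ProcessId"], "score": len(hits), "hits": hits,
                         "decoded": stages, "flagged": len(hits) >= threshold})
    return findings


def flagged_pids(events, threshold=2):
    return [f["pid"] for f in analyze(events, threshold) if f["flagged"]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["score"], f["hits"], f["decoded"])
```

Note that the third event scores nothing on its command line beyond the Base64 call; it is only after decoding that the Install1 reflective loader becomes visible, which is why the decoded text is fed back into the indicators rather than just logged.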

d. Preventive measures against the attack – The following best practices reduce the risk of a ransomware infection of this kind. [4]

  1. Keep the operating system and antivirus up to date with the current virus definitions and patches, and patch all applications as updates become available; the CVE-2018-8453 escalation used above only works on an unpatched system.
  2. Do not click links in, or respond to, unexpected or unknown emails, and treat archive attachments that contain script files (.js, .vbs) as hostile; mail filtering can block them outright.
  3. Keep backups of important data on storage that is disconnected once the backup completes; a drive that stays attached will be encrypted along with the system.
  4. Do not act on pop-up notifications or prompts encountered while browsing, including UAC prompts you did not initiate.
  5. Do not download files or executables from unknown sources.

Because the loader runs under Windows Script Host and PowerShell, the chain can also be broken on the endpoint: associate .js files with a text editor instead of wscript.exe, and enable PowerShell script block logging and application control so that obfuscated scripts are visible and are prevented from running.

B. Network Protocol Analyser

A network protocol analyser is a tool used to capture network packets, or traffic, on a communication channel, which can be anything from a local Ethernet segment to a satellite link. It is used to sniff the traffic, analyse the packets and find suspicious activity on the network. Wireshark is one of the most widely used analysers; it sniffs every packet on a chosen interface in real time. It is free to use and is mainly applied to network troubleshooting.

  1. Details of the analysed traffic – Most of the traffic is HTTPS carried over TCP. Frame length varies with the payload size and the port and protocol in use. Both IPv4 and IPv6 addresses appear as source and destination. Many payloads are shown as 'Protected Payload (KP0)'; the rest are application data, TLS Client Hello, Certificate and Key Exchange messages, DNS standard queries, data segments, and TCP SYN and ACK segments. Details can be seen in the figure below.
    Figure – Wireshark captures
  2. Details of NAT or routable IP addresses – The host's IPv4 address in the capture, 192.168.43.169, lies in the 192.168.0.0/16 private range (RFC 1918), which is not routable on the Internet, so its IPv4 traffic must pass through NAT at the gateway before it reaches the web servers. The host's IPv6 address (2404:205:128b:caf3:558a:1041:2ffe:45e9) is a global address, so IPv6 traffic is routed without translation. Filtering for 'nat-pmp' in Wireshark only matches NAT-PMP control messages, a separate protocol a host may use to request port mappings from its gateway; seeing no such packets does not show that NAT is absent.
  3. Address and port details – The traffic captured in this time frame uses both IPv4 and IPv6 addresses. Several addresses appear far more often than the others: the IPv6 addresses 2404:205:128b:caf3:558a:1041:2ffe:45e9, 2404:6800:4002:80b::200e, 2404:6800:4003:802::2004 and 2404:6800:4003:c01::bd (the 2404:6800::/32 block is allocated to Google), and the IPv4 addresses 192.168.43.169 and 192.168.434.1 (as recorded; note that an IPv4 octet cannot exceed 255). The ports seen with these addresses are 443 (HTTPS and QUIC), 80 (HTTP) and 53 (DNS) on the server side, while 52742 and 57574 are ephemeral ports the host chose for its own side of the connections.
  4. Details of findings – All packets were captured on the Ethernet interface. Among the hundreds of captured packets there are many different source and destination addresses, both IPv4 and IPv6. The traffic uses TCP, UDP, QUIC and DNS, and frame length depends on the protocol carried (HTTP, HTTPS, DNS, etc.). The 'Protected Payload (KP0)' entries are QUIC packets on UDP port 443, whose contents Wireshark cannot decrypt; QUIC carries web traffic encrypted end-to-end in the same way HTTPS does over TCP. Application data is exchanged mostly over port 443, and each exchange is a pair of flows in which the same two addresses swap roles as source and destination. Most of the TLS traffic uses TLS 1.2 to protect application data. The capture also contains the TCP handshake and teardown segments (SYN, PSH/ACK, ACK and RST). Wireshark captures practically every packet passing between this system and the Internet, and for each frame it shows the frame size, interface, source and destination address and port, protocol and length. [5]
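As an added example that is not part of the original report, the following script works questions 2 and 3 above programmatically. The Wireshark trace itself is not on the page, so it operates on a hand-constructed packet summary in the shape of a tshark field export (tshark -r trace.pcapng -T fields -E separator=/t -e ip.src ...). The 192.168.43.169 and 2404:... addresses come from the report; the gateway 192.168.43.1 and the public host 93.184.216.34 are assumed.

```python
import ipaddress
from collections import Counter

# Constructed packet summary (src, dst, protocol, source port, destination port, length),
# not a real capture. 192.168.43.169 and the 2404:... addresses are from the report above;
# the gateway 192.168.43.1 and the public host 93.184.216.34 are assumed for the example.
SAMPLE_TSV = """\
192.168.43.169\t192.168.43.1\tUDP\t57574\t53\t74
192.168.43.1\t192.168.43.169\tUDP\t53\t57574\t134
2404:205:128b:caf3:558a:1041:2ffe:45e9\t2404:6800:4002:80b::200e\tTCP\t52742\t443\t94
2404:6800:4002:80b::200e\t2404:205:128b:caf3:558a:1041:2ffe:45e9\tTCP\t443\t52742\t94
2404:205:128b:caf3:558a:1041:2ffe:45e9\t2404:6800:4002:80b::200e\tTCP\t52742\t443\t583
2404:6800:4002:80b::200e\t2404:205:128b:caf3:558a:1041:2ffe:45e9\tTCP\t443\t52742\t1514
192.168.43.169\t93.184.216.34\tTCP\t52743\t80\t74
93.184.216.34\t192.168.43.169\tTCP\t80\t52743\t74
2404:205:128b:caf3:558a:1041:2ffe:45e9\t2404:6800:4003:802::2004\tUDP\t52744\t443\t1350
2404:6800:4003:802::2004\t2404:205:128b:caf3:558a:1041:2ffe:45e9\tUDP\t443\t52744\t1250
"""


def parse_records(tsv):
    """Parse the tab-separated export into one dict per packet."""
    records = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, length = line.split("\t")
        records.append({"src": src, "dst": dst, "proto": proto,
                        "sport": int(sport), "dport": int(dport), "len": int(length)})
    return records


def top_talkers(records, n=5):
    """Addresses seen most often, counting both source and destination (question 3)."""
    return Counter([r["src"] for r in records] + [r["dst"] for r in records]).most_common(n)


def service_ports(records, n=5):
    """Heuristic: the lower-numbered port of a packet is the service side (443, 80, 53);
    the higher one is an ephemeral client port such as 52742 or 57574."""
    return Counter(min(r["sport"], r["dport"]) for r in records).most_common(n)


def protocol_mix(records):
    return Counter(r["proto"] for r in records)


def capture_host(records):
    """The capturing host is in every packet, so per address family it is the most frequent address."""
    per_family = {4: Counter(), 6: Counter()}
    for r in records:
        for addr in (r["src"], r["dst"]):
            per_family[ipaddress.ip_address(addr).version][addr] += 1
    return {v: c.most_common(1)[0][0] for v, c in per_family.items() if c}


def nat_assessment(records):
    """Question 2: a private-range host address (RFC 1918 for IPv4, fc00::/7 for IPv6) is not
    routable on the Internet, so its traffic must be translated at the gateway; a global
    address is routable as-is. A Wireshark filter for NAT-PMP packets cannot answer this."""
    result = {}
    for version, host in capture_host(records).items():
        addr = ipaddress.ip_address(host)
        result[version] = {"host": host, "routable": addr.is_global, "behind_nat": addr.is_private}
    return result


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TSV)
    print("protocols:", dict(protocol_mix(recs)))
    print("top talkers:", top_talkers(recs))
    print("service ports:", service_ports(recs))
    for version, info in sorted(nat_assessment(recs).items()):
        print(f"IPv{version} host {info['host']}: behind NAT = {info['behind_nat']}")
```

The service-port heuristic is deliberately simple; on a real capture a port above 1023 on both ends (peer-to-peer traffic, or services on non-standard ports) would need the conversation direction from the TCP handshake instead.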