Question 1
It is highly important to get clear and unambiguous permission to perform a penetration test, which should be a written form of authorisation. List at least four items this written authorisation should include.

Answer:
Gaining permission via a contract. It is vitally important to get clear and unambiguous permission to perform a pen test: a written form of authorisation rather than a verbal authorisation is important. It should include:
1. Systems to be evaluated
2. Perceived risks
3. Timeframe
4. Actions to be performed when a serious problem is found
5. Deliverables
Question 2
What IP range does 10.1.2.16/21 (CIDR notation) represent?

Answer:
There are a total of 2048 addresses available, and it represents the IP range from 10.1.0.0 to 10.1.7.255.
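The arithmetic behind that answer, as an added example that is not part of the original answer sheet: the prefix length is turned into a mask, the host bits are cleared to get the network address and set to get the last address, and the result is cross-checked against Python's ipaddress module. The second CIDR block in the usage line is a constructed extra case.

```python
import ipaddress


def cidr_range(cidr: str) -> dict:
    """Work out the block a CIDR string covers with plain mask arithmetic,
    then cross-check the result against the standard library."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")

    def to_int(dotted: str) -> int:
        octets = [int(o) for o in dotted.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad IPv4 address: %s" % dotted)
        return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

    def to_str(n: int) -> str:
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # /21 -> 255.255.248.0
    network = to_int(ip_str) & mask                     # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    count = 1 << (32 - prefix)                          # 2^(32 - prefix) addresses

    # Cross-check: strict=False lets ipaddress accept 10.1.2.16/21 even though
    # host bits are set in the given address.
    net = ipaddress.ip_network(cidr, strict=False)
    assert str(net.network_address) == to_str(network)
    assert str(net.broadcast_address) == to_str(broadcast)
    assert net.num_addresses == count

    return {
        "mask": to_str(mask),
        "network": to_str(network),
        "first": to_str(network),
        "last": to_str(broadcast),
        "count": count,
    }


if __name__ == "__main__":
    for block in ("10.1.2.16/21", "192.168.1.130/25"):  # second block is a constructed extra case
        r = cidr_range(block)
        print("%s covers %s - %s (%d addresses, mask %s)"
              % (block, r["first"], r["last"], r["count"], r["mask"]))
```

The "first" and "last" entries are the network and broadcast addresses; when listing hosts that are actually in scope for a test, remember those two are usually not assignable to machines.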
Question 3
Assume that only two nmap scanning methods, "FIN" and "ACK" scans, are available. Suppose that after an ACK scan, an attacker discovered that the port is unfiltered. What can the attacker infer about the status of the port when a FIN scan is performed? Justify your answer.

Answer:
The attacker will receive a response from the server. This is because when the attacker did an ACK scan, the attacker discovered the port is unfiltered (closed). So when the port is closed, and when the attacker performs a FIN scan, the server will respond to the attacker by returning RST.
Only the ACK scan, which is used to map firewall rulesets, will classify the port as being in the unfiltered state; performing a FIN scan can help resolve/determine if the port is open.
When performing a FIN scan, if the server is not responding, the port is considered open or filtered.
In an ACK scan, an attacker will send a packet with the ACK flag. It is used to determine whether a port is filtered or unfiltered, but doesn't show whether a port is open or closed. Since the ACK scan returns unfiltered, we can presume that RST was returned.
Since the scan returned that the port is unfiltered, the attacker can infer that the status of the port is closed, because in a FIN scan an attacker will send a packet with the FIN flag. If the scan returns RST as well, we know that the port is closed.
Question 4
Assume that the attacker wants to redirect all connections to "abc.uow.edu.au" to "def.uow.edu.au" by manipulating a DNS record. Explain which level of the DNS server needs to be compromised and which record must be modified in the compromised DNS server.

Answer:
Authoritative DNS servers; subdomains.
The level of DNS server to be compromised is the authoritative DNS server, as it is the hostname that is to be redirected. The record to be modified is the subdomain record.
Question 5
Explain the purpose of the SSL strip attack.

Answer:
SSL/TLS Strip is to downgrade those https sites to http ones so we can catch usernames and passwords.
The attacker can capture all data from the user. By answering the user with http (not https), the attacker prevents SSL certificate errors while it communicates with the user.
Question 6
Assume that the attacker wants to set up a fake website to deceive users and collect their credentials. State what tool can be used to perform this attack and briefly describe how it can be performed. The tool must be from what was covered in CSCI369.

Answer (zx):
Social Engineering Toolkit (SET) can be used to perform this attack, whereby it is installed on Kali and it will receive the target's username and password that has been entered by the target in the fake website.

Answer:
Social engineering toolkit with website attack vectors. Use it by creating a fake website with a legitimate design; any credentials keyed in by the victim can be harvested.
Question 7
You have three virtual machines, VM-A, VM-B and VM-C, on VirtualBox. VM-A is a server to which VM-B requires to have access. VM-C is a client PC, which must not be accessed from VM-A, VM-B and even the Host Machine (HM). However, all VMs can connect to the Internet and HM. Explain which network options in VirtualBox should be used for each VM to realise this network setting.

Answer:
VM-A, VM-B: NAT network
VM-C: NAT
Question 8
Explain how the "static file inclusion" method can prevent a file inclusion vulnerability, using the PHP function $_GET[] as an example.

Answer:
The PHP function $_GET[] should not be used to take any page as input for the parameter page. The PHP function will return an error message …
function $_GET['page']; will display the targeted PHP page. With this it is possible to backtrack the directory of the target.
By adding
if ($file != "include.php"){ echo "ERROR: File NOT FOUND!"; exit; }
it prevents the input for the parameter and returns an error message.
Question 9
Assume that the initial vector IV is reused in WEP. Show how the attacker can exploit the reused IV to decrypt all the ciphertexts in the current WiFi session.

Answer:
A hacker has C1 = RC4(IV||KEY) XOR M1 and C2 = RC4(IV||KEY) XOR M2, where the Mi's are plaintexts and the Ci's are ciphertexts (note here that the same IV is used).
C1 XOR C2 = M1 XOR M2. It violates the principle of (any) secure encryption that there must not be any relationship between plaintexts and ciphertexts.
Assume that a hacker injects M to get C = RC4(IV||KEY) XOR M. The attacker can definitely get RC4(IV||KEY) = C XOR M. RC4(IV||KEY) can be used to decrypt other ciphertexts.
RC4(IV||KEY) = C XOR M -> RC4(IV||KEY)
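The keystream-reuse argument above, carried through in code as an added example (not part of the original answer sheet). It uses a textbook RC4 implementation and a WEP-style C = RC4(IV||KEY) XOR M with the CRC-32 integrity value left out; the IV, key and packets are constructed. The observer side of the demo only ever sees ciphertexts and one known plaintext; the key is used solely to generate the traffic it observes.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns `length` keystream bytes for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: C = RC4(IV||KEY) XOR M (CRC-32 ICV omitted)."""
    return xor_bytes(rc4_keystream(iv + key, len(plaintext)), plaintext)


def iv_reuse_demo(iv: bytes, key: bytes, known_m: bytes, others: list) -> dict:
    """Model the reasoning in the answer above from the observer's side.

    The observer sees the ciphertexts plus one known plaintext `known_m`
    (the packet the answer says is injected). It never uses `key`."""
    known_c = wep_encrypt(iv, key, known_m)
    other_cs = [wep_encrypt(iv, key, m) for m in others]
    # Same IV, same keystream, so C1 XOR C2 == M1 XOR M2 for every pair
    relation_holds = all(
        xor_bytes(known_c, c) == xor_bytes(known_m, m) for c, m in zip(other_cs, others)
    )
    # Known plaintext gives the keystream: RC4(IV||KEY) = C XOR M
    keystream = xor_bytes(known_c, known_m)
    # That keystream decrypts every other ciphertext sent under the same IV
    recovered = [xor_bytes(keystream, c) for c in other_cs]
    return {"relation_holds": relation_holds, "keystream": keystream, "recovered": recovered}


if __name__ == "__main__":
    r = iv_reuse_demo(b"\x01\x02\x03", b"wep-key-1", b"A" * 40,
                      [b"constructed packet one", b"constructed packet two"])
    print("C1^C2 == M1^M2:", r["relation_holds"])
    print("recovered:", r["recovered"])
```

The recovered keystream is only as long as the known plaintext, so in the demo the injected packet is the longest one; anything beyond that length in another ciphertext stays unknown until a longer known plaintext under the same IV is available. WEP's 24-bit IV makes such repeats inevitable in a busy session, which is the point the question is making.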
Question 10
Firstly the attacker enables IP forwarding, so that packets sent from the client go through the attacker:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Then, using head, we check that IP forwarding is turned on; the value should have been set successfully, returning a value of 1:
$ head /proc/sys/net/ipv4/ip_forward
The attacker then sends an ARP response to the client claiming that it is the Default Gateway, with the (real) Default Gateway IP address and its own MAC, using arpspoof:
$ arpspoof -i eth0 -t 10.1.1.1 10.20.23.124
The attacker now sends an ARP response to the Default Gateway claiming that it is the Client, with the (real) client IP address and its own MAC, using arpspoof:
$ arpspoof -i eth0 -t 10.20.23.124 10.1.1.1
Then the client sends its packets to the external network via the attacker (IP: 10.0.2.3), and the Default Gateway believes that it is communicating with the client. So, the attacker's device is in the middle of the connection, where every packet that is going to/from the client will go through the attacker's device first.
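Seen from the defender's side, the two arpspoof steps above leave a visible trace: the gateway's IP suddenly maps to a new MAC, and one MAC starts answering for two different IPs. The following detector, an added example that is not part of the original answer sheet, runs that check over ARP replies. The log sample is constructed in the shape tcpdump prints ARP replies, with made-up addresses (10.0.2.1 is taken as the gateway, 10.0.2.15 as the client, and de:ad:be:ef:00:03 as a third host that begins answering for both).

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's ARP reply shape; all addresses are made up.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 10.0.2.1 is-at 52:54:00:12:35:00, length 28
10:00:02.100 ARP, Reply 10.0.2.15 is-at 08:00:27:4e:66:a1, length 28
10:00:05.300 ARP, Reply 10.0.2.1 is-at de:ad:be:ef:00:03, length 28
10:00:05.301 ARP, Reply 10.0.2.15 is-at de:ad:be:ef:00:03, length 28
10:00:07.000 ARP, Reply 10.0.2.20 is-at 08:00:27:11:22:33, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def detect_arp_anomalies(log_text: str, trusted: dict = None) -> list:
    """Flag the two symptoms of the poisoning described above: an IP whose MAC
    changes, and a single MAC answering for several IPs.

    `trusted` seeds the table with known-good ip -> mac pairs (e.g. the gateway),
    so the very first forged reply for a seeded IP is already reported."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # requests and non-ARP lines carry no binding
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()

        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "mac-change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
            mac_to_ips[previous].discard(ip)
        ip_to_mac[ip] = mac

        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_anomalies(SAMPLE_ARP_LOG, trusted={"10.0.2.1": "52:54:00:12:35:00"}):
        print(a)
```

A MAC change on its own also happens legitimately (DHCP handing an address to a new machine, a replaced NIC, VRRP failover), so the second rule, one MAC claiming the gateway and a client at the same time, is the stronger signal; a static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, is the usual mitigation.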
Question 11
Suppose that there are two client machines, C1 and C2, in the NAT network whose CIDR identification is given as 10.0.2.0/24. Assume that C1 and C2 are not servers, so they do not have their public IP addresses. Describe in detail how a hacker outside of the NAT network (10.0.2.0/24) can use C1 as a pivot to reach C2 through "ping".

Answer:
By using ping, it does an ICMP scan and, based on RFC 1122, every host that receives an ICMP echo request will respond back, as there are only a minority of networks and hosts that block the request. Then, using the C1 IP address that responded back, the hacker is able to reach C2 since both C1 and C2 are in the same NAT network.

<my answer; wzx>
When the hacker first compromised C1, the hacker makes use of C1 to reach C2. This can be done when a reverse shell is created, whereby the hacker will create a reverse shell between C1 and C2. The attacker can access C2, which resides in the C1 private network. This is possible due to C1 and C2 being in the NAT network. The reverse shell is done with the help of a backdoor Trojan, so the C2 machine must have the backdoor Trojan to allow the reverse shell attack to take place from the C1 machine. Once the trojan is injected successfully, the attacker can "ping" C2 from C1. In order to do so, C1 and C2 will be connected to the same port.
Question 12
Write a Python code that invokes the Unix command ifconfig and extracts the IPv6 address of the current system.

Answer:
import subprocess
interface = input("Enter interface name> ")  # raw_input() on Python 2
# Passing the arguments as a list hands the interface name to ifconfig as one
# argument; it is never parsed by a shell.
ifconfig_output = subprocess.check_output(["ifconfig", interface])
==========================================
import subprocess
interface = input("Enter interface name> ")  # raw_input() on Python 2
# List form instead of shell=True with string concatenation, so a crafted
# interface name cannot inject extra shell commands.
subprocess.call(["ifconfig", interface])
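Both snippets above run ifconfig but stop short of the second half of the question, extracting the IPv6 address. The following added example (not from the original answer sheet) does the extraction with a regular expression that accepts both the current net-tools layout (inet6 ADDR prefixlen N) and the older one (inet6 addr: ADDR/N), validates each match with the ipaddress module, and skips loopback and, by default, link-local addresses. The ifconfig output it is tested against is constructed; on a real system ipv6_of_system() feeds the live output into the same parser.

```python
import ipaddress
import re
import subprocess

# Constructed ifconfig output (net-tools style) used as an offline sample.
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe4e:66a1  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1234::15  prefixlen 64  scopeid 0x0<global>
        ether 08:00:27:4e:66:a1  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
"""

# "inet6 ADDR ..." (new net-tools) or "inet6 addr: ADDR/NN ..." (old net-tools)
INET6_RE = re.compile(r"inet6(?:\s+addr:)?\s*([0-9A-Fa-f:]+)")


def extract_ipv6(ifconfig_text: str, include_link_local: bool = False) -> list:
    """Return the IPv6 addresses found in ifconfig output, in order of appearance."""
    found = []
    for match in INET6_RE.finditer(ifconfig_text):
        try:
            addr = ipaddress.IPv6Address(match.group(1))
        except ValueError:
            continue  # not a well-formed address (e.g. a stray token)
        if addr.is_loopback:
            continue
        if addr.is_link_local and not include_link_local:
            continue
        found.append(str(addr))  # canonical compressed form
    return found


def ipv6_of_system(interface: str = None) -> list:
    """Run ifconfig (optionally for one interface) and extract its IPv6 addresses."""
    cmd = ["ifconfig"] + ([interface] if interface else [])
    # List form: the interface name is a single argument, never shell-parsed.
    output = subprocess.check_output(cmd, text=True)
    return extract_ipv6(output)


if __name__ == "__main__":
    print("sample:", extract_ipv6(SAMPLE_IFCONFIG))
    try:
        print("this system:", ipv6_of_system())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("ifconfig not available here:", exc)
```

On systems where net-tools is absent the same parser works on the output of `ip -6 addr`, since that also prints "inet6 ADDR/NN"; only the command in ipv6_of_system() would change.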
Question 13
Suppose that the target (victim) is a server on which netcat is installed. Describe how a hacker can create a bind shell of the target machine using netcat.

Answer:
A bind shell is a shell that the victim provides to the attacker when the attacker connects to the target. The target (victim) will first have to be baited using social engineering to run the command:
$ nc -v -l -p <port number> -e /bin/bash
The attacker on his end will run the command:
$ nc <target IP> <port number>
to connect to the victim.
Ron
Question 14
According to some company's password policy, the length of a password should be 14 characters. Assume that a hacker uses a CPU whose speed is 3*10^9 clock cycles per second to brute-force this type of password. Also, assume that one character is one byte. If searching one password of a given (bit-)entropy takes one clock cycle, how long does it take in hours for the hacker to find a random password (i.e. a password generated by selecting each character randomly)?

Answer:
Convert 14 bytes to bits = 14 * 8 = 112
2^(112) / (3*10^9) = 1.7307656e+24
= 1 year
8760 hours
4.8076822222222223e+20 hours
480,768,227,642,113,669,308,379.2897426
4.80768228 × 10^12 hours
Ron
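The calculation above, written out as an added example that is not part of the original answer sheet. With the question's assumptions (one byte per character, so 8 bits of entropy per character, one guess per clock cycle, 3*10^9 cycles per second) it reproduces 2^112 / (3*10^9) seconds converted to hours. It goes slightly beyond the question by taking the alphabet size as a parameter, so the same function can show how much smaller the search space is when characters are drawn from, say, the 95 printable ASCII characters instead of all 256 byte values; the 95-character case is an assumption added here, not something the question states.

```python
import math


def brute_force_hours(entropy_bits: float, guesses_per_second: float,
                      worst_case: bool = True) -> float:
    """Hours to search a 2^entropy_bits space at the given guess rate.

    worst_case=True counts the whole space (the question's reading);
    worst_case=False gives the expected cost, half the space, for a
    uniformly random target."""
    guesses = 2.0 ** entropy_bits
    if not worst_case:
        guesses /= 2
    return guesses / guesses_per_second / 3600


def password_hours(length: int, charset_size: int = 256,
                   cpu_hz: float = 3e9, worst_case: bool = True) -> float:
    """Entropy of a password whose characters are chosen uniformly from
    charset_size symbols is length * log2(charset_size) bits.
    charset_size=256 is the question's 'one character is one byte' (8 bits)."""
    entropy_bits = length * math.log2(charset_size)
    return brute_force_hours(entropy_bits, cpu_hz, worst_case)


def hours_to_years(hours: float) -> float:
    """Convert using 8760 hours per (365-day) year, as the answer above does."""
    return hours / 8760


if __name__ == "__main__":
    h = password_hours(14)
    print("14 bytes, 3 GHz, worst case: %.6e hours (%.3e years)" % (h, hours_to_years(h)))
    # Assumed extra case: 95 printable ASCII characters per position
    h95 = password_hours(14, charset_size=95)
    print("14 printable chars:         %.6e hours (%.3e years)" % (h95, hours_to_years(h95)))
```

The "one guess per clock cycle" assumption is what makes the arithmetic simple; a real attack needs many cycles per guess (or hashes the candidate), so this number is a lower bound on the attacker's effort, not an estimate of it.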
Question 15
Perform a full open scan to check whether a port for the http service on the target machine with IP address 192.168.21.5 is open.

Answer:
nmap -sT -p 80 192.168.21.5
Ron
Question 16
Display the IP and MAC addresses of all cached network neighbours (which share the same internal network).

Answer:
arp -a
Ron
Question 17
Find the email addresses of 20 people related to the domain uow.edu.au using the source from yahoo.

Answer:
theHarvester -d uow.edu.au -b yahoo -l 20
Ron
Question 18
Create a list of all possible passwords of length 6, each of which consists of one lowercase alphabetical character, one uppercase alphabetical character and a special character followed by the number 982. (One such instance is "aB&982".)

Answer:
crunch 6 6 -t @,^982
Ron
Question 19
Check whether a firewall is deployed in the target with IP 10.0.2.4.

Answer:
sudo ufw status (Must use command in i cannot use others)
nmap -sA 10.0.2.4
Ron
Question 20
Find the IP address of the website www.ox.ac.uk.

Answer:
nslookup www.ox.ac.uk
151.101.66.216
151.101.2.216
151.101.130.216
151.101.194.216