[SOLVED] CS6035 Assignment 1-Man in the Middle

95.00 $

Category:
Click Category Button to View Your Next Assignment | Homework

You will receive the following solution file(s) instantly after successful payment:

zip file icon project_mitm-82cdfn.zip (1.7 KB)
zip file icon pcapanalysis-oargkp.zip (1 KB)
Assignment Instructions Updated Recently? Submit Below and we will provide new Solution!
Submit New Instructions
πŸ”’ Securely Powered by:
Secure Checkout
5/5 - (4 votes)

2026 SUMMER SOLUTION CLICK HERE

2025 SOLUTION LINKΒ 

FALL 2024 SOLUTION LINK: Click here

CS6035 Man in the Middle Summer 2024 Solved Click here

Background and Setup


The Necrocryptors (TNC) is a hacking group known for multiple data leaks and has been active at underground forums selling personally-identifiable information (PII) and credit card data stolen from vulnerable websites.

Recently, TNC led a DDoS campaign against multiple targets in the United States, leading to a Federal Investigation by​​ the National Cyber Investigative Joint Task Force (NCIJTF). This investigation was coordinated by the FBI Cyber Crime division and after months of undercover investigation, NCIJTF was able to capture unencrypted communication between members of TNC. While NCIJTF did not disclose how this communication was captured, we can infer that either it came from an insider member of the organization or a sophisticated attack led by NCIJTF allowed this communication to be captured.

In this project, you are playing the role of Mark, an FBI agent from the Cyber Crime division.

You walk into the office, just back from a nice vacation in the Bahamas, and pour some coffee from the shared pot near your cubicle when you hear, β€œMark! Great to see you are back! Come over to my desk right now, we need to talk.” It’s your boss, Bill. You think to yourself, Geez! I just came back. This guy doesn’t give me a break.

You take your coffee to Bill’s office, close the door and listen as Bill starts.

β€œMark, I have a task for you. We finally got our hands on some incriminating evidence against TNC. With this pile of evidence, the Attorney General is on my neck to bring those guys to justice. But we need some strong evidence of criminal activity that can’t be disputed in court.”

β€œOkay…” My wife told me to take some extra days off, but no. I had to come back today…

β€œI’m sending the packet your way,” Bill says, β€œYou have one week to analyze the data and find clear evidence of criminal activity. The Attorney General sent us a list of things they are looking for. It’s all on your desk.”

β€œSounds good, boss. It’s great to be back.”

You leave his desk, take a sip of coffee and go back to your computer. No time to slowly get up to speed, you think, but that’s OK. I’m excited to help take TNC down.

Flag 1


Your first task is to figure out where the hackers are spending their time and gather some evidence for the Attorney General. This will also give you a good overview of Wireshark filters.

The Attorney General needs some evidence of The Necrocryptors’ associates and where the group meets.
For this, you need to gather the following information:

Task 1.1

  • What is the server address used by the hackers to communicate?
    • Example: irc.someplace.net
    • Points: 1

Task 1.2

  • What is the nickname of the malicious actors involved in this conversation? Add the names in the order they appear in the conversation.
    • Example: firstactor,secondactor,thirdactor
    • Points: 1

Task 1.3

  • What channel do they use to communicate? Hint: Channel names always start with #, so include # in your answer.
    • Example: #WOW
    • Points: 1

Task 1.4

  • What is the hash used by the malicious actor to validate its identity?
    • Example: a12342342bcde393202013434
    • Points: 1

      Flag 2


      Your second task will require you to recover a payload from the conversation. There are multiple ways to do this. You can use Wireshark, pyShark or any other library available.

      As part of the evidence gathering, the Attorney General needs concrete evidence of malicious intent. For Task 2, you will need to review the conversation between members of TNC and gather incriminating data from this conversation.

      Task 2.1

      • One of the hackers transfers a file to another hacker, after confirming their identity. What is the name of the file? (Including extension
        • Example:somefile.extension
        • Points: 6

      Task 2.2

      • It seems that the file transferred is encrypted. What encryption method or algorithm was used to encrypt the file? (Just the 3-letter name)
        • Example:something
        • Points: 4

      Task 2.3

      • If you decrypt and run the file, you’ll get a unique hash based on your GTID. What is the hash generated?
        • Example:a123242342342342342934234
        • Points: 18
        • Flag 3


          The Attorney General lets you know that they think there is a web server in here that is phishy and is spitting out long numbers and letters. The Necrocryptors hacking group is known to play tricks with these values. The Attorney General needs the following information to track the folks operating the website:

          Task 3.1

          • The site domain name (Record just the site’s domain name and the top-level-domain (TLD) name, with the period. E.G: host-name.tld)
            • Example: something.something
            • Points: 2

          Task 3.2

          • What is the public IP address?
            • Example: 192.168.1.10
            • Points: 2

          Task 3.3

          • The primary nameserver for this TLD (You may need to look outside the pcap for this information. Think about tools that will give you the nameserver data for a specific domain)
            • Example: ns-something-something.something.something
            • Points: 6

          Task 3.4

          • The hash provided by entering your Georgia Tech ID in the field (i.e. 9021042) (NOTE: The website is real and safe to access)
            • Example: abcdef1234567890953453434
            • Points: 11
            • Flag 4


              The Attorney General is impressed by you but says they believe the group is also using another server to host a malicious file. It appears that one of the hackers recently accessed this server and downloaded a file from it. As a last minute request, the Attorney General is asking you to investigate what this file is, and where it is hosted.

              Task 4.1

              • What is the IP address for the server in question?
                • Example: 192.168.8.7
                • Points:2

              Task 4.2

              • What is the username used to log in the server?
                • Example: something
                • Points:4

              Task 4.3

              • What is the password used to log in the server?
                • Example: something
                • Points:4

              Task 4.4

              • One file is downloaded from the server, what is the file name?
                • Example: something
                • Points:3

              Task 4.5

              • What is the programming language used to create this file? (The hackers are using a common encoding format to hide the real contents)
                • Example: something
                • Points:5

              Task 4.6

              • If you run this file you’ll get a Combined hash. What is the unique hash for your GTID (i.e 902042)?
                • Example: 12123123129413249121249aa
                • Points:9
                • Flag 5


                  Exhausted from the prior exercises, the attorney general has two more exercises for you to prove you belong here and that he shouldn’t fire you despite doing a good job. He mentions to you the hackers are getting smart and they have a website called didazfwbreak.com that has absolutely nothing to do with Azure Firewalls but everything to do with web application firewalls. Apparently there are some weaknesses integrated into the website which allow you to get to different parts of the website something called a path traversal attack.

                  Task 5.1

                  • There is a flag labeled 5.1 that outputs a hash when you input in your GTID. Try to find the page and recover the flag
                    • Example: tr95843fkdspugr8euyre0gfd
                    • Points: 2

                  Task 5.2

                  • What is the directory name that contains the hint for 5.3?
                    • Example: something
                    • Points: 1

                  Task 5.3

                  • There is a flag labeled 5.3 that outputs a hash when you input in your GTID. Try to find the page and recover the flag
                    • Example: 58437594ejgfdiohr8e054309
                    • Points: 2

                  Suddenly, your phone rings. You see that the call is coming from Bill’ extension.You were ready to head back home and watch Netflix. Here we go again…

                  β€œMark, great job so far! I was thinking here. This will not be the last time you will be doing this analysis on pcaps, so why don’t we start building a python class with several methods to automate some of the work for next time?” β€œWhen you say we, you are saying, why dont I build this class right?” you say.

                  β€œOf course not! I already created some skeleton code to help you out. You just need to build 3 functions now” Bill says.

                  β€œOh, ok. Thank you Boss..”

                  As you hang up the call, Bill sends you via IM a zip file containing the python class and a attack pcap from a past incident so you can create the functions and test.

                • Flag 6


                  For this task, you need to use the provided pcapanalysis.py and TCP.reflection.pcap files to create three functions. The snippet below shows where you need to code the functions and the expected output on each variable n. You can create as many functions and variables you need, however the provided functions need to return the expected output.

                  Function Skeleton

                  # TODO: 
                  #   Task 1: Return n being:
                  #       n = Number of packets with only SYN+ACK flags
                  def syn_ack(self):
                      n = 0
                  
                      # TODO: Implement me 
                  
                      return n
                  
                  # TODO: 
                  #   Task 2: Return n being:
                  #       n = Number of packets with only RST flag
                  def rst(self):
                      n = 0
                  
                      # TODO: Implement me 
                  
                      return n
                  
                  # TODO: 
                  #   Task 3: Return d,p, being:
                  #       d = IP Address of the victim
                  #       p = Port being attacked
                  def victim_ip_port(self):
                      d,p = 0,0
                  
                      # TODO: Implement me 
                  
                      return d,p
                  
                  if __name__ == '__main__':
                      pcap_analysis = MITMProject()
                      ip,port = pcap_analysis.victim_ip_port()
                      synack = pcap_analysis.syn_ack()
                      rst = pcap_analysis.rst()
                      print("IP and Port: ",ip,port)
                      print("Number of SYN+ACK Packets : ", synack)
                      print("Number of RST Packets : ", rst)
                  

                  Β 

                  To start, make sure that the package pyshark is installed on your system. Please review pyshark Github page to install the package and its dependency (tshark) : https://github.com/KimiNewt/pyshark/ and https://tshark.dev/setup/install/ When you open pcapanalysis.py, make sure student_id is updated with your 9-digit Georgia Tech id

                  # TODO: Change this to YOUR Georgia Tech ID!!!
                  # This is your 9-digit Georgia Tech ID
                  self.student_id = '900000000'
                  

                  Β 

                  Do not modify the import statements. All you need to complete this assignment is there. New imports may be ignored by the autograder and your code will fail.

                  Deliverables:

                  Task 6.1

                  • ModifyΒ def syn_ack(self):Β function to returnΒ n, beingΒ nΒ (int) the number of packets on TCP.reflection.pcap file that contains ONLY the SYN+ACK flags
                  • Points: 3

                  Task 6.2

                  • ModifyΒ def rst(self):Β function to returnΒ n, beingΒ nΒ (int) the number of packets on TCP.reflection.pcap file that contains ONLY the RST flag
                  • Points: 2

                  Task 6.3

                  • ModifyΒ def victim_ip_port(self):Β function to returnΒ d,Β p, beingΒ dΒ the IP address of the host involved with the attack (string) in the TCP.reflection.pcap file andΒ pΒ (int), being the TCP port of the service being attacked.
                  • Points: 10
  • project_mitm-82cdfn.zip
  • pcapanalysis-oargkp.zip