I have these two assignments, for assignment 6 you can do it in C# or java and I have attached 2 example files
12/5/22, 7:01 PM Assignment 5 (Packet Sniffing) https://uwwtw.instructure.com/courses/498247/assignments/5520454 1/3 Assignment 5 (Packet Sniffing) Due Thursday by 11:59pm Points 10 Submitting a file upload Available Dec 1 at 3:30pm - Dec 8 at 11:59pm Start Assignment Assignment 5 Packet Sniffing Due Thursday, Dec 8 at 11:59 PM Late submissions will not be accepted for this assignment Overview Throughout the semester, we have discussed a wide variety of topics related to networks, network security, cryptography, and protocol. Under the surface, our everyday browsers (such as Chrome, Firefox, Edge, Safari, Opera, et.) are utilizing the very same topics. The information sent from your computer- the client- to the server (and vice versa) can be easily tracked using a packet sniffer. For this assignment, we will use a packet sniffer called WireShark to 'spy' on our own network traffic so that we can see topics discussed in class applied in practice. Programming is not required for this assignment. Answer all questions in full and in detail to receive full credit. PDF documents are preferred. Preparation Any web browser is acceptable. Make sure you download and install Wireshark (https://www.wireshark.org/#download) before you start. It is recommended that you use a private network if one is available to you. In addition, you might find it easier to close all non-essential programs before starting (more programs create more traffic, which will be harder to sift through). Consider closing background apps that perform frequent updates with the server, such as email clients (Outlook), messaging systems (Discord), game services (Steam), etc. https://www.wireshark.org/#download 12/5/22, 7:01 PM Assignment 5 (Packet Sniffing) https://uwwtw.instructure.com/courses/498247/assignments/5520454 2/3 Part 1 (2.5 pts) Choose a website you frequently visit or are familiar with. Start capturing packets with WireShark and go to this website using your browser. If there is a sign-in option, perform the sign-in. Once satisfied, you can stop capturing packets. Inspect your captured trace. Most communications should start with a ClientHello record. Find the one that matches the website you visited. Include a screenshot of the entire 'conversation' between your computer and the server (if there are more than 8 records in the conversation, you don't need to include more). Include as much of the conversation as possible! Don't just use consecutive 'Application Data' packets! Part 2 (2.5 pts) Draw a timing diagram between the client and the server. Each directional arrow should represent an SSL/TLS record along with the time and info. Include all of the records listed from Part 1. See the following figure for an example 12/5/22, 7:01 PM Assignment 5 (Packet Sniffing) https://uwwtw.instructure.com/courses/498247/assignments/5520454 3/3 Note: your captured trace will be different than this example- that's okay! The info, records, and times in this example are fictional Part 3 (2.5 pts) Search your captured records to find the cipher suite agreed upon by the client and the server. Did it use any algorithms we discussed in class (such as SHA-01 or MD5)? Did the client and the server exchange a nonce? What is the purpose of the client and server exchanging a nonce in secure communication? Part 4 (2.5 pts) Network traffic can be easily analyzed (as we have seen by running WireShark). While valuable information is (hopefully!) encrypted, some information in records is not- and cannot- be encrypted. Notable examples are the client and server IP addresses. Using an IP-lookup service (such as https://www.iplocation.net/ (https://www.iplocation.net/) ), search for the server IP address obtained from your records. Where in the world is the server? Who owns and operates it? How does this compare to the website you were visiting? https://www.iplocation.net/ 12/5/22, 6:58 PM Assignment 6 (Password Cracking) [OPTIONAL] https://uwwtw.instructure.com/courses/498247/assignments/5520520 1/4 Assignment 6 (Password Cracking) [OPTIONAL] Due Thursday by 11:59pm Points 10 Submitting a file upload Available Dec 1 at 3:30pm - Dec 8 at 11:59pm Start Assignment Assignment 6 [OPTIONAL] Packet Sniffing Due Thursday, Dec 8 at 11:59 PM Late submissions will not be accepted for this assignment Optional This assignment is optional. If you do not submit anything, it will not impact your grade. If your submission would lower your Assignments grade, it will not be counted. The purpose of this assignment is to help raise your Assignments grade if necessary. In short: this assignment can only help (not hurt) your final grade! However, since the assignment is optional and due to its close proximity to the date at which grades are due to the registrar, no late submissions will be accepted- no exceptions! Note that this assignment is not extra credit. The closer you are to 100% in the Assignments category, the less of an impact this assignment will make on your final grade. Mathematically, it raises both the numerator and denominator of your grade. Overview In this assignment, you will play the role of an attacker who has stolen a password hash file from a database with the intention of stealing a single account. This file was poorly secured, using only an MD5 hash algorithm using ASCII encoding with no salt. In addition, the passwords are lowercase, between 5-8 characters long, and only contain alphanumeric characters (no symbols). Ordinarily, this would not be enough information to crack a hashed password. Absent a pre-existing rainbow table, you will have to rely on social engineering to assist your attack. 12/5/22, 6:58 PM Assignment 6 (Password Cracking) [OPTIONAL] https://uwwtw.instructure.com/courses/498247/assignments/5520520 2/4 Attack Information You are trying to steal the password of the following individual: Public Information: Name: Bob Smith Date of Birth: Dec. 23, 1985 Born: Chicago, IL Residence: Whitewater, WI Occupation: Software Engineer Spouse: Jane Doe Spouse Date of Birth: Apr. 1, 1989 Stolen Information: Bob's MD5 password hash is the following hex sequence: 74B104101A970A5408262B50F2082D65 Requirements Programming Part: Write a program which constructs a rainbow table with all the possible passwords you think are viable. Each plaintext password should include its associated MD5 hash value (in hex) You can hard-code possible plaintext passwords or have the program generate them. In practice, you will likely do a little of both Crack the password by providing it in plaintext somewhere in your submission (code comment, text file, print statement, Canvas comment, etc). The MD5 hash of this password must match the stolen hash exactly. Note that it is entirely possible (though unlikely) that for any given hash algorithm H and unique values x and y, H(x)=H(y). There are potentially multiple plaintext password values which would hash to the same sequence and be considered equally 'correct'! Written Part (2-3 double-spaced pages expected, no maximum, PDF Preferred): Provide your analysis on the password you recovered using social engineering and your rainbow table. How did you generate possible passwords? What led you to believe these might be possibilities? Describe your process in detail from start to finish. 12/5/22, 6:58 PM Assignment 6 (Password Cracking) [OPTIONAL] https://uwwtw.instructure.com/courses/498247/assignments/5520520 3/4 How could the server have provided more security in their password hash file? What steps could they have taken to make your job more difficult? Note: Code must compile and run to receive a grade. Programs which do not compile or fail to run properly will receive a zero. Examples The MD5 hash algorithm is widely used and consistent throughout implementations. That is to say that an MD5 digest/hash from one language should be equal to that of another language (if given the same values). To help with your assignment, here are some examples. You can modify the code files in any way you see fit: Assignment6Helper.cs (https://uwwtw.instructure.com/courses/498247/files/55013859?wrap=1) (https://uwwtw.instructure.com/courses/498247/files/55013859/download?download_frd=1) Assignment6Helper.java (https://uwwtw.instructure.com/courses/498247/files/55013858?wrap=1) (https://uwwtw.instructure.com/courses/498247/files/55013858/download?download_frd=1) https://www.md5hashgenerator.com/ (https://www.md5hashgenerator.com/) Hints To generate a large number of potential passwords, consider defining a list of potential password 'fragments' and writing a program which combines these into every possible combination. Remember, passwords are all lowercase, 5-8 characters long, and only contain alphanumeric characters. Don't bother generating passwords which don't follow these rules! Also consider defining some hard-coded passwords as well. Use your pre-existing knowledge of how people create passwords and include some of these guesses in your dictionary! Don't manually compare your computed hashes to the stolen one! Write a program to do this instead! Once you've constructed a rainbow table of plaintext passwords and MD5 hashes, simply iterate through all of the hashes to find one that matches the target. When this happens, you're done! Otherwise, you'll have to add more potential password/hash pairs to your list and try again. This assignment would be borderline impossible without a provided rainbow table or information about the target. Since no rainbow table was provided, you can assume all of the information you need to crack the password was provided... Group Work https://uwwtw.instructure.com/courses/498247/files/55013859?wrap=1 https://uwwtw.instructure.com/courses/498247/files/55013859/download?download_frd=1 https://uwwtw.instructure.com/courses/498247/files/55013858?wrap=1 https://uwwtw.instructure.com/courses/498247/files/55013858/download?download_frd=1 https://www.md5hashgenerator.com/ 12/5/22, 6:58 PM Assignment 6 (Password Cracking) [OPTIONAL] https://uwwtw.instructure.com/courses/498247/assignments/5520520 4/4 This assignment can be completed as part of a group, just make sure that everyone uploads a submission to Canvas. Ensure that all group members' names can be found somewhere in the submission!