## Quiz & Report
- Quiz
    - same format as quiz 1
    - 30 min
    - multiple choice
    - covers course materials up to this point
- Report
    - available on the website
    - at least 3 pages long
    - primarily a technical paper on how a tool works
        - i.e. what happens under the hood
    - must include a demonstration of the tool
    - **use a tool that is not covered in the course**
        - i.e. not nmap, zenmap, nessus, metasploit, etc.
    - include diagrams, screenshots, etc.
    - include citations
    - suggested LaTeX template
        - https://www.acm.org/publications/proceedings-template
``` Report Grading Schema
Maximum number of points: 25 pts

Report:
1. (out of 4 pts) Organized and structured:
   a.(out of 2 pts) Appropriate length and structured using sections (and subsections): Introduction, Motivation, …, Conclusions, References
   b.(out of 2 pts) Pictures/diagrams and tables are numbered and have a title (may also have a brief description)

2. (out of 17 pts) Content:
   a.(out of 2 pts) Was the report focused on the given main topics/questions? 
   b.(out of 3 pts) Did the report have a logical order? Was it informative and clear? Were all the technical terms defined (e.g., spell-out acronyms and define them)?
   c.(out of 7 pts) What was the "demo component" and how was it covered? 
   d.(out of 5 pts) Was the report well-researched and without major errors?

3. (out of 4 pts) Language and Readability:
   a.(out of 2 pt) Academic/formal language
   b.(out of 2 pt) Easy to read and follow
```

## Password Cracking
- passwords can be cracked or guessed
    - weak passwords are easy to remember but also easy to guess
- guessing
    - automated trial of default and well known passwords
    - advantage: no special access or effort required
    - disadvantage: likely to be detected or logged
    - Tools
        - THC-Hydra & Medusa
            - *The Hacker's Choice*
            - fast network logon crackers
            - guess passwords on many network services
            - Hydra and Medusa work in different ways but complement each other
        - Forking vs. Threading
            - forking: creates a new process as a copy of the current process
                - crashing a forked process does not affect the parent process
                - each process has its own memory space
            - threading: creates a new thread within the current process
                - a crash in one thread crashes the whole (parent) process
                - threads share memory space
            - both achieve parallelism
            - hydra uses forking
                - more stable
            - medusa uses threading
                - more efficient
        - Hydra
            - `hydra -s 21 -L userlist.txt -P passwordlist.txt -vV 172.16.30.101 -f ftp`
                - `-s`: port number
                - `-L`: user list
                - `-P`: password list
                - `-vV`: verbose
                - `-f`: stop after first valid password found
        - Medusa
            - `medusa -h 172.16.30.101 -U userlist.txt -P passwordlist.txt -M ftp`
                - `-h`: host
                - `-U`: user list
                - `-P`: password list
                - `-M`: module
- cracking
    - more sophisticated than guessing
    - start with a copy of the authentication database
        - either a hashed copy or an encrypted copy
    - run a tool that attempts to crack the hash or encryption
    - advantage: can be done offline and without detection
    - disadvantage: requires access to the database which may involve detection
    - hashes
        - a hash is a one-way function
        - also called a digest
        - reveals whether two inputs are the same without revealing the inputs
        - hash size is fixed
        - collision: two different inputs produce the same hash
            - if the hash is large enough, collisions are extremely unlikely
    - encryption
        - reversible
        - reveals the inputs if the key is known
        - usually, ciphertext size = plaintext size + padding
    - hashes are good for integrity checks
        - if the hash of a file is the same as the hash of the original file, the file has not been altered
            - web hosted downloads should have the hash hosted on a different site
                - if the download site is compromised, the hash site is likely not
                - if hosted on the same site, a fake hash can be hosted if the download is compromised
        - if the hash of an entered password is the same as the hash in the database, the password is correct
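
The notes list "likely to be detected or logged" as the disadvantage of online guessing. The following is an added example, not part of the original notes, of how a defender could spot that pattern; the log layout, source addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "time source user result" layout is an assumed format.
SAMPLE_LOG = """\
2024-10-01T10:00:00 172.16.30.55 admin FAIL
2024-10-01T10:00:01 172.16.30.55 admin FAIL
2024-10-01T10:00:01 172.16.30.55 root FAIL
2024-10-01T10:00:02 172.16.30.55 root FAIL
2024-10-01T10:00:03 172.16.30.55 ftpuser FAIL
2024-10-01T10:00:04 172.16.30.55 ftpuser OK
2024-10-01T10:05:00 172.16.30.20 alice FAIL
2024-10-01T10:05:30 172.16.30.20 alice OK
"""

def detect_guessing(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Flag sources with at least max_failures failed logins inside window.

    Returns {source: {"users": set of usernames tried,
                      "success": first account that logged in after the burst}}.
    """
    recent = defaultdict(deque)  # source -> (time, user) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, source, user, result = line.split()
        when = datetime.fromisoformat(stamp)
        fails = recent[source]
        while fails and when - fails[0][0] > window:  # expire old failures
            fails.popleft()
        if result == "FAIL":
            fails.append((when, user))
            if len(fails) >= max_failures:
                alert = alerts.setdefault(source, {"users": set(), "success": None})
                alert["users"].update(u for _, u in fails)
        elif source in alerts and fails and alerts[source]["success"] is None:
            # A success right after a burst: this account needs a password reset.
            alerts[source]["success"] = user
    return alerts

if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG).items():
        print(src, sorted(info["users"]), "success:", info["success"])
```

A single mistyped password followed by a success (the `alice` lines) stays below the threshold and raises no alert.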

# 08Oct24

## Report 1
- what a tool does vs how it works
    - may want a diagram for what it does
    - almost certainly need a diagram for how it works
        - inner workings
        - outputs
        - performance metrics
    - what it does
        - diagram describes behavior
    - how it works
        - diagram describes structure
        - describe components
- short paper can still be good

### Cryptography Basics
- mathematical method of protecting information
    - part of but not solely responsible for security
- used to remediate deficiencies in other security measures
- primitives
    - hash
    - symmetrical encryption/decryption
    - asymmetrical encryption/decryption
    - digital signatures
- using crypto primitives
    - build security protocols
        - SSL/TLS
            - SSL: Secure Socket Layer
            - TLS: Transport Layer Security
                - successor to SSL
            - used to secure web traffic
    - build more complex security systems
        - PKI (Public Key Infrastructure)
            - certificate authorities
            - used to verify the identity of a website

### Hash
- one-way function
    - $H(x) = y$
    - can't get $x$ from $y$
    - should be collision resistant
- **integrity** check
    - hash the original data
    - hash the received data
    - compare the hashes
- hash function is not assumed to be secret
    - only the data is secret
- salting
    - extra text added to the data before hashing
    - used to increase input space of the hash
    - makes brute force attacks more difficult
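
The password check from the earlier notes (hash the entered password, compare with the stored hash) and the effect of salting, as an added example that is not part of the original notes. The choice of PBKDF2-HMAC-SHA256, the iteration count, and the user names and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for your hardware

def unsalted(password: str) -> bytes:
    """Plain H(x): identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).digest()

def enroll(password: str) -> tuple[bytes, bytes]:
    """Store (salt, digest); the salt is random per user but not secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Re-hash the entered password with the stored salt and compare."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def shared_digests(digests: list[bytes]) -> int:
    """Count digests that repeat, i.e. users visibly sharing a password."""
    return len(digests) - len(set(digests))

# Constructed sample: alice and bob happen to choose the same password.
PASSWORDS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "x9$Lq-77"}
UNSALTED_DB = {user: unsalted(pw) for user, pw in PASSWORDS.items()}
SALTED_DB = {user: enroll(pw) for user, pw in PASSWORDS.items()}

if __name__ == "__main__":
    print("repeated digests, unsalted:", shared_digests(list(UNSALTED_DB.values())))
    print("repeated digests, salted:  ",
          shared_digests([digest for _, digest in SALTED_DB.values()]))
    print("bob logs in:", verify("Winter2024!", SALTED_DB["bob"]))
```

Without a salt, one precomputed digest matches every user who chose that password; with per-user salts each record has to be attacked separately.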

### Symmetric Encryption
- same key for encryption and decryption
    - $c = E(m, K)$
        - $c$: ciphertext
        - $m$: message
        - $K$: key
    - $m = D(c, K)$
- Kerckhoffs's Principle
    - *A cryptosystem should be secure even if everything about the system, **except the key**, is public knowledge.*
- the problem
    - every party in a conversation needs a copy of the key
    - key distribution & management become difficult
    - leads to O(n^2) keys for n parties to communicate
        - i.e. every party needs a key for every other party
- OpenSSL for encrypting a file with AES, using a key derived from a password
    - `openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc`
        - `-aes-256-cbc`: encryption algorithm
        - `-pbkdf2`: key derivation function
            - used to derive a key from a password
        - `-in`: input file 
        - `-out`: output file
    - `openssl enc -d -aes-256-cbc -pbkdf2 -in file.enc -out file.txt`
        - `-d`: decrypt

### Asymmetric Encryption
- every party has a pair of keys
- public and private keys
    - $c = E(m, K_{pub})$
    - $m = D(c, K_{priv})$
- public key is shared
- private key is kept secret
    - hard to infer the private key from the public key
    - easy to infer the public key from the private key
- public key is used to encrypt
- private key is used to decrypt
- still follows Kerckhoffs's Principle because the private key is secret
- key generation
    - creates a public/private key pair
    - usually involves a pseudo-random number generator
- advantage
    - does not require O(n^2) keys
    - public key can be shared with anyone in plain text
- disadvantage
    - much slower than symmetric encryption
- OpenSSL for creating an RSA key pair

# 22Oct

- Sniffing Network Traffic
    - intercepting and reading network traffic
        - generally of other users
    - sniffers operate at the Data Link layer of the OSI model
        - OSI model: Open Systems Interconnection model
            - used to understand how networks operate
        - between the Physical and Network layers
            - Physical: the binary data in wires and signals
            - Network: routing and addressing
                - IP addresses
            - Data Link: MAC addresses
                - Media Access Control addresses
                    - unique to each network card
- Network topologies
    - star
        - most common
        - all devices connect to a central hub
        - hub can be a switch or a router
        - a single point of failure
            - easier debugging
        - single point of control
            - easier to manage
        - can be nested
    - ring
        - each device connects to two other devices
        - forms a ring
        - if a link fails in one direction, the other direction is still available
        - often used for the main entry point to a network
    - mesh
        - every device connects to every other device
        - high reliability
        - high complexity
        - lots of infrastructure/cabling
    - bus
        - all devices connect to a single cable
        - least amount of cabling
        - e.g. CAN bus in cars
            - this is why there have been hacks of the brakes through the entertainment system
    - hybrid
        - a combination of the above
        - e.g. a ring network for entry from outside the organization $\rightarrow$ star network behind the ring
            - this is how KU's network is set up
    - the lab
        - KU network $\rightarrow$ gateway router $\rightarrow$ switches $\rightarrow$ wireless AP, physical hosts, NFS server
            - switches are just for adding ports to the router

- wired star networks
    - hub environment
        - hub duplicates the data in one port to all other ports
        - also called a repeater
            - good for extending the range of a network
            - also good for mirroring traffic
                - e.g. the lab TVs are all connected to the same hub and show the same image 
    - switch environment
        - switch sends data only to the port that the destination device is connected to
        - switches also have a public port that sends data to all ports
            - i.e. you could still emulate a hub environment
    - sniffing in a wired environment
        - network card must be in promiscuous mode
            - this allows the card to read all traffic on the network
        - in a hub, this is easy
            - all traffic is sent to all ports anyway
        - with a switch
            - network sniffing via TAP and SPAN ports
                - TAP port
                    - a physical device that copies traffic from one port to another
                - SPAN port
                    - a port on a switch that copies traffic from one port to another
                - the legitimate use of these ports is for network monitoring by network administrators
            - place a hub between the router and switch
            - network sniffing via the "wire"
                - DoS attack
                    - some switches used to revert to hub mode when overloaded
                    - not common anymore
                - ARP poisoning
                    - a device sends out false ARP messages to the network
                    - the network then sends all traffic to the device
                    - the device can then forward the traffic to the intended recipient
                    - the device can also read the traffic

- Wireshark
    - a network protocol analyzer
        - allows you to see the data in network packets
            - packets are usually encrypted
- Address Resolution Protocol (ARP)
    - used to map IP addresses to MAC addresses
    - ARP cache maintains a list of IP addresses and their corresponding MAC addresses
        - stored on a first-come-first-serve basis
        - when sending data, you need the MAC address to make it past the last node (the router)
        - router asks which host has the IP address
            - the host responds with its MAC address
            - the router then sends the data to the host
    - ARP poisoning/spoofing
        - attacker sends fake ARP messages to the network to claim that they have the IP address of the router
        - the network then sends all traffic to the attacker
        - the attacker can then forward the traffic to the router
        - since it is first-come-first-serve, to be first, the attacker must send out the ARP messages faster than the router
            - continuously send ARP responses to the network in order to be "first" when the router asks
            - this was the risk of public Wi-Fi
                - theoretically safe now because of HTTPS, see below
        - a form of EitM attack
        - goals
            - ensure attacker can forward traffic to the router
            - target thinks attacker is the gateway
            - gateway thinks attacker is the target
        - why ARP isn't dangerous anymore (mostly)
            - read-only static ARP entries for the router and other critical devices
            - look for repeated ARP requests through a network monitoring tool
                - packet filtering via OS or standalone tool
            - block devices that send out too many ARP requests
            - **cryptographic network protocols** 
                - the primary reason that ARP attacks aren't as dangerous as they once were
                - e.g. HTTPS, SSH, TLS-based protocols, etc.
                - encrypts the data in the packet
                - ARP poisoning is still possible but the attacker cannot read the data
                    - attacker must get the target to accept a fake certificate
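
Two of the defences listed above, static entries for critical devices and watching for hosts that send too many ARP messages, can be checked over a capture summary. This is an added example, not part of the original notes; the gateway address, MAC addresses, thresholds and the `(time, IP, MAC)` record layout are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Read-only bindings for critical devices. The gateway address and all MACs
# below are constructed for this example.
STATIC_ENTRIES = {"172.16.30.1": "00:11:22:33:44:01"}

# Constructed ARP observations: (seconds, sender IP, sender MAC).
LEGITIMATE = [
    (0.0, "172.16.30.1", "00:11:22:33:44:01"),
    (0.5, "172.16.30.101", "00:11:22:33:44:65"),
    (8.0, "172.16.30.1", "00:11:22:33:44:01"),
]
# One host repeatedly claiming the gateway's IP address.
SPOOFED = [(1.0 + i, "172.16.30.1", "de:ad:be:ef:00:99") for i in range(6)]
SAMPLE_ARP = sorted(LEGITIMATE + SPOOFED)

def audit_arp(messages, static_entries, max_per_window=5, window=10.0):
    """Check time-ordered ARP messages against the two defences in the notes.

    Returns (conflicts, noisy):
      conflicts: messages whose IP-to-MAC claim contradicts a static entry
      noisy:     MACs that sent more than max_per_window messages in window s
    """
    conflicts = []
    noisy = set()
    sent = defaultdict(deque)  # MAC -> timestamps of its recent ARP messages
    for when, ip, mac in messages:
        mac = mac.lower()
        pinned = static_entries.get(ip)
        if pinned is not None and pinned.lower() != mac:
            conflicts.append((when, ip, mac))
        times = sent[mac]
        times.append(when)
        while when - times[0] > window:  # keep only the sliding window
            times.popleft()
        if len(times) > max_per_window:
            noisy.add(mac)
    return conflicts, noisy

if __name__ == "__main__":
    conflicts, noisy = audit_arp(SAMPLE_ARP, STATIC_ENTRIES)
    print(len(conflicts), "conflicting claims; rate-limit candidates:", sorted(noisy))
```

A conflict with a static entry is the stronger signal; the rate check alone also fires on chatty but legitimate hosts, so its threshold needs tuning per network.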