
Lab 2 Many Faces of Spoofing: 1. MAC Address Spoofing in Windows

This document provides instructions for a computer security lab on spoofing techniques. The lab involves: 1) MAC address spoofing on a Windows VM to change the reported MAC address. 2) Email spoofing using an anonymous email service to send a phishing email. 3) Web site spoofing by copying another site and modifying it to be hosted on the student's account. 4) Anonymous web browsing using Tor to access the student's modified site and observe anonymized web traffic in server logs.

Uploaded by

Manav Batra

CSE 3482
Introduction to Computer Security

Lab 2
Many Faces of Spoofing

Tools: ipconfig, Wireshark, Anonymailer, Tor


For the purposes of this lab, you will need to take screenshots of results obtained in the Windows
VM. It is strongly recommended that you store these images in your Linux account, as that will
prevent you from losing your work in case of unexpected VM crashes.

1. MAC Address Spoofing in Windows


1.A) Identify the Current MAC Address(es) on Your Computer
1. Open a command prompt by clicking Start -> (type) cmd. Type ipconfig /all. Record the
MAC (physical) and IP address of your computer. (In case of multiple MAC addresses, record
both the MAC address and the name of the respective NIC/adapter.)

2. Open the Wireshark application. Click on Capture -> Interfaces …, and then click Start on
one of the listed interfaces – ideally the one corresponding to the host’s wired NIC (i.e., the NIC
that is currently used to connect your host to the Internet).

3. In a Web browser type eecs.lassonde.yorku.ca, and wait until the page is fully loaded.

4. Back in the Wireshark, click on Capture -> Stop. Inspect the captured packets. Confirm that
some of the Web traffic captured in Step 3 has been sent over the NIC selected in Step 2 and
using a MAC address identified in Step 1. (Hint: type ‘http’ in Wireshark filter.)

5. Take screenshots of your ipconfig /all capture from Step 1 and a packet inspected in Step
3, as shown in the figures below. Include these screenshots in your lab report.

[Figure annotation: MAC address that corresponds to the MAC address identified in Step 1.]

1.B) Falsify the MAC Address on Wired NIC


1. Click on Start -> Control Panel -> Network and Internet Connections -> Network
Connections -> Local Area Connection (see figure below). A Local Area Connection
Status window will open.

2. Click on Properties -> Configure (see figure below) -> Advanced -> Locally Administered
Address (see figure below).

3. Check the Value field, and enter 000393B96<R1>F<R2>, where R1 and R2 are randomly
chosen numbers between 0 - 9.
The number/address that you have entered is: ________________________________ .

4. In the command window, type ipconfig /all again. Take a screenshot of the newly
obtained result (i.e., the newly listed MAC address). Include the given screenshot in your
lab report. Verify that the number in this screenshot corresponds to the number you have
entered/chosen in the above step/question.

5. Repeat the experiment with Wireshark – try to load a web page. Confirm that the new
MAC address has been successfully deployed in all packets generated by (i.e., sent out of)
your computer. Include the Wireshark screenshot of one of your packets in your lab report.

7. Reset the MAC address back to normal!

(At the end of this exercise, close all Wireshark and Control Panel windows in your VM.)

2. Email Phishing / Email Spoofing

In email phishing, the attacker sends a fake email which looks like an email from a legitimate source. The email usually contains a link which, when clicked on, directs the victim to a fake website, whose look and feel are almost identical to the real website. This fake website is used to obtain sensitive information such as user names, passwords, or credit card numbers from the victim.

In this exercise, we will examine how email phishing can be carried out by sending a fake email and embedding a fake hyperlink in the email.

1. In a web browser, go to www.anonymailer.net OR https://anonymousemail.me/ .

2. A form that includes “From Name:”, “From E-mail:”, “To Email:” and “Subject of the email:”
fields appears so you can enter information to send a fake email.

3. In the “From E-mail:” field type in a fake email address (e.g. customer.service@tdbank.com),
and in the “From Name:” field type “TD Bank Customer Service”.

4. In the “To Email:” field type in your own @cse.yorku.ca or @yorku.ca email address.

5. In the “Subject:” field, enter “Request for information update”.

6. In the “Message:” field, type: “Please update your customer information through our web site:
www.tdbank.com.”

7. Highlight the URL and click on the hyperlink icon (see figure below). A dialog box will appear
to allow you to enter in the actual URL. Enter in http://eecs.lassonde.yorku.ca. This will make
the receiver think that he is going to www.tdbank.com, when he is actually going to
eecs.lassonde.yorku.ca, when he clicks on the link.

(Before proceeding with Step 8, verify that all the fields of the spoofed email are properly set, as
anonymailer.net allows you to send only 1 email every 30 min.)

8. Click “Submit” to send out the email.

9. Log into your @cse.yorku.ca or @yorku.ca email account, and take a screenshot of the
email sent through www.anonymailer.net . (Make sure that your email editor runs in html-
enabled mode.) Include this screenshot in your lab report.

Note that in the ‘free’ version of the anonymailer service, the sent emails carry a message that reveals
their true origin. However, for a minimal fee of $10, this message would not be generated, hence
allowing for perfectly valid-looking email spoofing.

3. Web Site Spoofing

One of the default functionalities of your CSE account is web hosting. In this exercise, you will
first open the ‘read’ permissions over your CSE www folder. Then, you will create your home page
in the given folder by creating a ‘spoof’ copy of another web-page already existing in the WWW.

1. In the Windows VM, launch SeaMonkey and enter the following URL in the browser’s
address bar: http://www.pearsonhighered.com/boyle

2. Once the page is loaded, click File -> Save Page As; browse to Desktop\MyHome
directory, which will bring (i.e., switch) you to your Linux Z:<user> drive. In Z:\www directory save
the page as ‘index’ with ‘Save as type’ set to All Files. (See the figure below.) By doing so, you
have set up the retrieved page as your own home page.


3. Switch to the Linux system and open the “Terminal”. Set appropriate permissions on the “www”
directory in your home directory of your Linux account using the following commands:

Terminal$> cd ~
Terminal$> chmod -R 755 www/

4. In the VM, open another web-browser (e.g., Internet Explorer) and enter the following URL in
the browser’s address bar: http://www.cse.yorku.ca/~<user>. (Here, <user> is the user name
of your CSE account.) Note that the saved version of Boyle’s web page comes up.

(Now, we will proceed with modifying the spoofed index page.)

5. Back in VM’s SeaMonkey, click on File -> Open File, and browse to Z:\www. Select the
previously created ‘index’ file, and click Open.

6. Once the index file is loaded, click on File -> Edit Page.
7. In the newly opened Composer window, delete Boyle in the main (blue) header, and type in
your own family name. Replace all other occurrences of ‘Randell J. Boyle’ with your own first and
last name, as well. (The figure below shows the version of Boyle’s web-page as modified by Trudy
Fraudster.)

8. Click on File -> Save.

9. In Internet Explorer re-load your home page (http://www.cse.yorku.ca/~<user>). You
should be able to see the new/spoofed version of the originally saved page.

Fake Site over the Network


Ask another student in the lab to give you the URL of his/her home page. Retrieve their version
of the spoofed Boyle’s page by typing the obtained URL in the browser’s address bar. Take a
screenshot of this page, and include it in your lab report.

(At the end of this exercise, close all SeaMonkey windows in your VM.)

4. Anonymous Surfing using Tor

Tor (The Onion Router) is a free software network for enabling online anonymity. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than four thousand relays, to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.

In this exercise, you will use Tor to access your web site created in Exercise 3. Also, you will get
to observe the web traffic that is ‘anonymized’ through the use of Tor by inspecting the logs of the
CSE server hosting your and your lab partner’s home pages.

1. Take note of your Internet IP address by visiting https://whatismyipaddress.com/ (both IPv4
and IPv6 if available).

2. Launch Tor browser. (Tor icon can be found on the desktop of your VM.)

3. Once the Tor browser successfully launches, enter your lab-partner’s URL address in the Tor-
browser’s address bar.

4. Take a screen shot of your web page in your Tor browser, and include it in your lab
report.

6. Back in your host-Linux environment, open a Terminal window, and type

% grep <user> /cs/local/share/www/log/www_access_log.

This command will allow you to capture the portion of server logs pertaining (only) to your own
home page. The logs are formatted as:

The first IP address is the address of the client that has made a request to the server, and the
GET precedes the object that has been requested.

7. Take a screenshot of your grep server-log capture and include it in your lab report.

8. Identify the IP addresses from which the requests have come – the one from Question 3 that
was generated through a ‘regular’ browser, and the one generated in this question through Tor.
Examine the actual geographic origin of the client (i.e., source) IP addresses associated with each
request using the http://iplocation.net web site.

9. Take a screenshot of the IP location-finder results from Step 8 and include them in your
lab report.

Where did your lab partner’s request generated through Tor actually come from? Which
results did your lab partner obtain (i.e., from which IP address did he receive your request
for his web page)?
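
The log inspection in Steps 6 to 8 can also be done programmatically. The following is an added example, not part of the original lab handout: it assumes the server writes Apache Common Log Format (the handout's own format sample is not reproduced on this page), and the log lines, user name and IP addresses are constructed. Unlike a plain grep for the user name, it matches only requests under /~<user>, so another account whose name merely contains the same string is excluded.

```python
import re
from collections import defaultdict

# Assumed Common Log Format: client ident user [time] "METHOD object PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<obj>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def requests_for_user(lines, user):
    """Group requests for /~user pages by client IP, skipping malformed lines."""
    prefix = f"/~{user}"
    by_ip = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a well-formed access-log record
        obj = m["obj"]
        # Accept /~user and /~user/... but not /~user2/...
        if obj == prefix or obj.startswith(prefix + "/"):
            by_ip[m["ip"]].append((m["ts"], m["method"], obj, int(m["status"])))
    return dict(by_ip)

def label_clients(by_ip, own_ip):
    """Mark each client as the address recorded in Step 1 or as a different address."""
    return {ip: ("recorded address" if ip == own_ip else "different address")
            for ip in by_ip}

# Constructed sample log (documentation-range IP addresses, hypothetical user jdoe).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2024:10:01:07 -0500] "GET /~jdoe/ HTTP/1.1" 200 5120',
    '203.0.113.77 - - [12/Feb/2024:10:05:42 -0500] "GET /~jdoe/ HTTP/1.1" 200 5120',
    '203.0.113.77 - - [12/Feb/2024:10:05:43 -0500] "GET /~jdoe/index_files/style.css HTTP/1.1" 200 811',
    '198.51.100.5 - - [12/Feb/2024:10:06:00 -0500] "GET /~jdoe2/ HTTP/1.1" 200 300',
    'truncated or corrupted line',
]

if __name__ == "__main__":
    grouped = requests_for_user(SAMPLE_LOG, "jdoe")
    for ip, label in label_clients(grouped, "192.0.2.10").items():
        print(ip, label, len(grouped[ip]), "request(s)")
```

A request relayed through Tor appears under the exit relay's address, which is why it is labelled as a different address from the one recorded in Step 1.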

5. Traffic Redirection / DNS Spoofing

DNS spoofing, aka DNS Cache Poisoning, is a computer hacking attack whereby false DNS data
is introduced into a DNS cache, causing a DNS server or a victim-host machine to return an incorrect
IP address and divert traffic to another (often the attacker’s) computer. In this exercise, you will
perform ‘DNS poisoning’ on your host machine by ‘injecting’ forged DNS entries into the Windows
‘hosts’ file.

1. In Windows, click Start -> Control Panel -> Appearances and Personalization -> Folder
Options. Under View, check ‘Show hidden files and folders’ and un-check ‘Hide protected
operating system files’ (see figure below). Click Apply, and then OK.

2. In Windows Explorer, browse to C:\WINDOWS\system32\drivers\etc. Double-click on
‘hosts’ file, and choose to open it with Notepad. Observe that the file contains one single default
DNS resolution: 127.0.0.1 localhost.

3. In a web-browser enter www.yorku.ca. Verify that the page downloads correctly. Take a
screenshot of YorkU’s web-page, with www.yorku.ca appearing correctly in the address
bar.

4. Open a command prompt by clicking Start -> Run -> cmd. Type ping www.concordia.ca.
Write down the IP address corresponding to this site <concordia_IP>. (Most likely this address
will be: 132.205.244.70.)

5. Back in hosts file, add the following entry:

<concordia_IP> www.yorku.ca

where the first field in the entry is the actual IP address obtained in Step 4.
(With this entry, we are trying to ‘force’ the browser to display/retrieve the web site of Concordia
University every time when the user requests YorkU web site.)

6. Click File -> Save.

7. Close and re-open your Web browser. Enter www.yorku.ca.

8. Take a screenshot showing Concordia’s web-page with www.yorku.ca in the address
bar. Include this screenshot in your lab report.

9. Delete your entry in hosts file to return hosts file back to normal.

10. After deleting the new entry in hosts file, click File -> Save. Close Notepad.

The War of Two Pizzerias


Assume now we would like to ‘force’ the browser to display/retrieve the web page of
Frank’s Pizza House (hosted at www.frankspizzahouse.com) every time the user requests
Pizza Pizza web site (hosted at www.pizzapizza.ca). Follow the above procedure to have
this accomplished. In your lab report include the following:
a) the line that you have added to hosts file to make such traffic redirection possible;
b) a screenshot showing Frank’s Pizza House web site with www.pizzapizza.ca in the
address bar.
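
Because the default hosts file holds only the localhost mapping (Step 2), any other entry is worth reviewing. The following is an added example, not part of the original lab handout: an audit routine that lists every non-default mapping and distinguishes redirects to a remote address from loopback or 0.0.0.0 sinkhole entries. The function name and the sample file contents are constructed; the 132.205.244.70 line mirrors the entry from Steps 4 and 5.

```python
import ipaddress

# Names that the default hosts file maps to loopback.
DEFAULT_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, ip, name, kind) for every entry beyond the default mapping."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, fields[0], None, "malformed"))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:  # one line may carry several host names
            name = name.lower().rstrip(".")
            if name in DEFAULT_NAMES and addr.is_loopback:
                continue  # the expected default entry
            kind = "sinkhole" if local else "redirect"
            findings.append((lineno, str(addr), name, kind))
    return findings

# Constructed sample hosts file contents.
SAMPLE_HOSTS = """# sample hosts file
127.0.0.1       localhost
::1             localhost
132.205.244.70  www.yorku.ca    # entry added in Step 5
0.0.0.0         ads.example.test
"""

if __name__ == "__main__":
    for lineno, ip, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

On a Windows host the input would be the contents of the hosts file opened in Step 2, read with ordinary file I/O.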
