
1. What IP address CIDRs are not allowed to be communicated with by our malware?


Question

1. What IP address CIDRs are not allowed to be communicated with by our malware?
a. Hint: Cuckoo uses the IP addresses 192.168.56.1 and 192.168.56.101 to
connect the malware to the Internet.
2. What IP address is all email traffic forwarded to?
3. Do the rules accept SSH connections? (yes or no)
4. Do the rules allow the analysis machine to be pinged on the eth0 interface? (yes or no)
5. Why do the rules drop outbound connections to ports 135, 139, and 445? (Pick your
letter answer from the choices below)
a. They are primarily used by malware to send spam.
b. They are primarily used by malware to propagate.
c. They are primarily used by malware to launch DoS attacks.
d. They are primarily used by malware to detect themselves being analyzed.


*filter
:INPUT ACCEPT [355:30722]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6802:11203599]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.56.0/24 -d 143.215.130.30/32 -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 54.202.185.61/32 -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 130.207.0.0/16 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 143.215.0.0/16 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 128.61.0.0/16 -j DROP
-A FORWARD -p udp -m udp --dport 135:139 -j DROP
-A FORWARD -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -p udp -m udp --dport 445 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Tue Oct 17 05:09:22 2017
# Generated by iptables-save v1.4.21 on Tue Oct 17 05:09:22 2017
*mangle
:PREROUTING ACCEPT [5842:8384010]
:INPUT ACCEPT [5837:8383447]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6802:11203599]
:POSTROUTING ACCEPT [6868:11212697]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Oct 17 05:09:22 2017
# Generated by iptables-save v1.4.21 on Tue Oct 17 05:09:22 2017
*nat
:PREROUTING ACCEPT [28:2457]
:INPUT ACCEPT [23:1894]
:OUTPUT ACCEPT [427:28533]
:POSTROUTING ACCEPT [7:650]
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 143.215.130.30:25
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT

Explanation / Answer

(1) As per the set of access rules provided:

-A FORWARD -s 192.168.56.0/24 -d 130.207.0.0/16 -j DROP

-A FORWARD -s 192.168.56.0/24 -d 143.215.0.0/16 -j DROP

-A FORWARD -s 192.168.56.0/24 -d 128.61.0.0/16 -j DROP

so, finally, packets from the following source and destination ranges are not allowed to connect the malware to the Internet:

Source IP Range                    Destination IP Range
192.168.56.0 to 192.168.56.255     130.207.0.0 to 130.207.255.255
192.168.56.0 to 192.168.56.255     143.215.0.0 to 143.215.255.255
192.168.56.0 to 192.168.56.255     128.61.0.0 to 128.61.255.255

---------------------------------------------------------------------

(2) As per the set of access rules provided:

-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 143.215.130.30:25

---------------------------------------------------------------------

(3) No.

-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

---------------------------------------------------------------------

(4) Yes

-A INPUT -i eth0 -p icmp -j ACCEPT
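Reading a ruleset like this by eye is error-prone because iptables is first-match: a rule near the top (the /32 ACCEPT for 143.215.130.30) wins over a broader DROP (143.215.0.0/16) further down, and a chain policy only applies when nothing matched. The script below is an added example, not part of the question or the answer above. It copies the INPUT and FORWARD rules from the question's iptables-save dump and walks constructed packets through them in order, so each of questions 1 to 4 can be checked mechanically. The sandbox guest address 192.168.56.101 comes from the question's hint; the destination and external addresses used as samples (130.207.1.1, 8.8.8.8, 203.0.113.9, 198.51.100.1) are constructed test inputs. Only the match options that occur in the filter table are understood; anything else raises.

```python
"""Added example (not from the question): first-match simulator for its filter-table rules."""
import ipaddress
import shlex
from dataclasses import dataclass

# INPUT/FORWARD rules copied from the question's iptables-save dump. libvirt's virbr0
# DNS/DHCP INPUT rules and the OUTPUT chain are left out: sandbox traffic never hits them.
FILTER_TABLE = """
:INPUT ACCEPT [355:30722]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.56.0/24 -d 143.215.130.30/32 -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 54.202.185.61/32 -j ACCEPT
-A FORWARD -s 192.168.56.0/24 -d 130.207.0.0/16 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 143.215.0.0/16 -j DROP
-A FORWARD -s 192.168.56.0/24 -d 128.61.0.0/16 -j DROP
-A FORWARD -p udp -m udp --dport 135:139 -j DROP
-A FORWARD -p tcp -m tcp --dport 135:139 -j DROP
-A FORWARD -p udp -m udp --dport 445 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_if: str = "vboxnet0"  # guest side of Cuckoo's host-only network (assumed)
    out_if: str = "eth0"     # host uplink
    ctstate: str = "NEW"

_SIMPLE = {"-A": "chain", "-j": "target", "-i": "in_if", "-o": "out_if", "-p": "proto"}
_SKIP = {"-m", "--reject-with"}  # module loader / REJECT's argument: irrelevant to matching

def parse_rule(line):
    """Turn one '-A ...' line into a dict of match criteria; unknown options raise."""
    rule = dict.fromkeys(("chain", "target", "src", "dst", "in_if", "out_if", "proto", "dport", "states"))
    toks, i = shlex.split(line), 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt in _SIMPLE:
            rule[_SIMPLE[opt]] = arg
        elif opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(arg)
        elif opt == "--dport":  # single port or lo:hi range
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt in ("--ctstate", "--state"):
            rule["states"] = set(arg.split(","))
        elif opt not in _SKIP:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return rule

def load_table(text):
    """Return ({chain: policy}, [rules in order]) from an iptables-save table block."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line))
    return policies, rules

def matches(rule, pkt):
    """Every criterion the rule specifies must hold; unspecified ones match anything."""
    checks = {
        "src": lambda v: ipaddress.ip_address(pkt.src) in v,
        "dst": lambda v: ipaddress.ip_address(pkt.dst) in v,
        "in_if": lambda v: pkt.in_if == v,
        "out_if": lambda v: pkt.out_if == v,
        "proto": lambda v: pkt.proto == v,
        "dport": lambda v: v[0] <= pkt.dport <= v[1],
        "states": lambda v: pkt.ctstate in v,
    }
    return all(ok(rule[k]) for k, ok in checks.items() if rule[k] is not None)

def verdict(chain, pkt, policies, rules):
    """Walk the chain top-down: the first matching terminating rule wins, else the policy."""
    for rule in rules:
        if rule["chain"] == chain and rule["target"] in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["target"]
    return policies[chain]

def sandbox_blocked_cidrs(rules, sandbox="192.168.56.0/24"):
    """Question 1: destination CIDRs that FORWARD drops for traffic from the sandbox network."""
    net = ipaddress.ip_network(sandbox)
    return [str(r["dst"]) for r in rules if r["chain"] == "FORWARD"
            and r["target"] == "DROP" and r["src"] == net and r["dst"] is not None]

if __name__ == "__main__":
    policies, rules = load_table(FILTER_TABLE)
    print("blocked from sandbox:", sandbox_blocked_cidrs(rules))
    print("guest -> 143.215.130.30:25 ->", verdict("FORWARD", Packet("192.168.56.101", "143.215.130.30", dport=25), policies, rules))
```

Running it shows the three /16 drops for question 1, and that a guest packet to 143.215.130.30 is accepted even though 143.215.0.0/16 is dropped two rules later, because the /32 ACCEPT is evaluated first. It also makes the port-135 to 139 and 445 drops visible as a protocol-independent cut (both the udp and tcp rules are walked), and shows what the INPUT chain does with SSH, ICMP and other traffic arriving on eth0, which is what questions 3 and 4 ask about. When you need an exact answer about a live host rather than a pasted dump, `iptables -L -v -n --line-numbers` gives the same ordered view with hit counters.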