CNT 6519, Fall 2018 Assigned: 9/23/2018 S. Lang Assignment #3

CNT 6519, Fall 2018 Assigned: 9/23/2018
S. Lang Assignment #3 (30 pts.) Due: 9 pm EDT, 10/8/2018 on UCF’s WebCourses
Objectives: To learn about IEEE 802.11 MAC frames, the CRC checksum function, hash
collision problem, and 802.11 WEP algorithm’s vulnerabilities.
Note: Be sure to include your work (i.e., brief explanations) in your answers using your own
words in the first tense (and do not copy/paste the assignment’s instructions as part of your
answer!) to each of the questions; otherwise, points will be deducted if there is
insufficient/inadequate/inappropriate explanation in your submitted work.
Submission Instructions: Submit your answer in a single file in Word or PDF format to
WebCourses, using the name of: ,_Assignment., for example, Smith,Jonathan_Assignment3.pdf.
1. (8 pts.) (802.11 MAC frames) Suppose you are a network forensics specialist assisting in
the investigation of an old (cold) case of wireless network intrusion incident. A wireless
network with an AP (access point) of MAC address 28:C6:8E:30:40:50 and SSID
“UCFKNIGHTS#1” (without the quotation marks) was allegedly being compromised, and
a suspect’s Apple laptop was seized by law enforcement after serving a search warrant.
Examination of the Apple laptop revealed its wireless adapter’s MAC address
AC:CF:5C:00:10:20; the examiner also extracted a 320-byte data block from unallocated
(free) disk space after a keyword search hit using the AP’s SSID “UCFKNIGHTS#1” as
the keyword, see below dump of the extracted data block in hexadecimal format:
Answer each of the below questions:
(a) Determine how many MAC frames are embedded in the extracted data block, and, for
each of embedded MAC frames identify the following: the frame control (FC) field
including detailed breakdown of each of its components; the duration field; the MAC
addresses including their purposes (DA, SA, RA, TA, BSSID); sequence control field
and its breakdown details. (Hint: use the charts of MAC frames in Course Notes #3
and its appendix as a guide, by first identifying the FC field of each MAC frame, for
example, the first two bytes, starting at offset 0, appear to be a MAC frame’s FC field
given its location relative to what appear to be MAC addresses starting at offset 4.)
(b) Articulate any evidence that may indicate the Apple laptop made an attempt to
associate itself to the compromised AP, and whether the attempted association (if any)
was successful.
(c) (Extra Credit, up to 2 pts.) Identify additional fields, other than those needed for
Parts (a) and (b), of the extracted MAC frames that will aid in the investigation of the
alleged hacking incident (and explain why/how the evidence would be useful).
2. (6 pts.) (CRC checksums)
(a) Use the reference “CRC16-CCITT.pdf” as a guide (and reference, if needed, and show your work to manually calculate the
CRC16-CCITT checksum for the text string of three lowercase letters “ucf” (or,
equivalently, calculate the CRC16 checksum of the file “CRC-test” of size three bytes)
(b) Verify your CRC16 checksum result of Part (a) using the checksum value calculated
by the hex editor HxD (available at
(c) Use HxD to calculate the CRC16 checksum of the string “ucg” (whose ASCII code is
different from the ASCII code of “ucf” by one single bit). How many bits are different
between the two CRC16 checksums of (b) and (c)?
(d) Estimate how many 3-byte strings (i.e., considering all 16,777,216 strings in the range
of 0x000000 to 0xFFFFFF) will have the same CRC16 checksum as that of the string
“ucf”. Explain how you determine your answer.
(e) (Extra Credit, up to 2 pts.) Identify a three-character text string consisting of letters
only (lower and/or upper-case) which has the same CRC16 checksum as that of “ucf”.
Explain how you determine your answer.
3. (4 pts.) (Birthday Attack, see references,,
The purpose of this question is to demonstrate the probability of hash collisions by using
random numbers to simulate hash values. Specifically, you are to use the link to generate sets of (pseudo) random integers in the range of
1 through 100 then check for the presence of duplicated values (i.e., collisions). The
theory presented at the link (under the
section “Mathematics”) predicts at least one pair of duplicate values appearing with 50%
probability when the size of the set of random integers is about 12 (1.1774 
100  12),
that is, the expected number of random numbers to cause a (i.e., at least one) collision
with 50% probability is 1.1774 
where H refers to the number of possible hash
values. In this question, H = 100 since you are generating random numbers in the range
from 1 to 100.
To verify this theoretical prediction you are to use the link to
generate 50 sets of random integers in which each set consists of 12 integers (be sure to
select/check proper options at the Research Randomizer link, e.g., check “No” on “Do you
wish each number in a set to remain unique?”) in the range of 1 through 100, then analyze
the results and report how many sets of the output contain at least one pair of duplicated
values. To write up your answer you need to:
(a) describe the procedures you used, including the options selected,
(b) report the results of 50 sets of 12 random numbers,
(c) present a graph/chart that plots the “empirical” probabilities of collisions within the
first 10 sets of your results (e.g., 3 sets out of 10 sets contain collisions, resulting in a
30% probability), within the first 20 sets, first 30 sets, etc., until the entire 50 sets, and
(d) compare your graph/chart of Part (c) against the theoretical predictions of 50%.
4. (12 pts.) (WEP Cracking) Suppose the network packet capture file “unknown.cap”, seized
from a suspect’s computer, is an evidence of a 2007 wireless hacking incident in which
the suspect allegedly had cracked the WEP encryption key of the victim’s wireless router
(access point). First, you are to use a Windows system download and install the network
protocol analyzer tool Wireshark ( and download the WiFi
network security tool suite Aircrack-ng ( for
this question. Answer each of the below questions and describe how you derive the
answers (including, tools used, brief descriptions of the procedure, screenshots as
appropriate, etc.):
(a) Determine the total number of packets captured in the file and the capture’s time of
duration. (Hint: Start Wireshark after installation, open the packet capture file
“unknown.cap”, choose from the main menu Statistics>Capture File Properties.)
(b) Determine the devices and sites involved in sending and/or receiving packets that
were captured in the file. In particular, identify a wireless access point (AP), the AP’s
SSID (service set identifier), wireless channel used, and whether the access point had
any protection in place. (Hint: Using Wireshark, choose Statistics>Conversions by
selecting “IEEE 802.11” and checking/unchecking the “Name resolution” box on the
bottom; also, correlate the results to those by choosing on the main menu
Wireless>WLAN Traffic.)
(c) Determine the average packet rate (number of packets per second) of the capture, and
identify/report the peak packet rates during the entire capture window. In particular,
identify the intervals when the peak packet rates were reached and describe the
activities causing the peak rates. (Hint: Using Wireshark, choose Statistics>I/O Graph
to identify traffic peaks.)
(d) Determine if and how the capture file had been (or could have been) used to crack the
access point’s encryption key by the suspect, and recommend “investigative leads” to
seeking additional forensic evidence on the suspect’s computer. (Hint: Download
Aircrack-ng-1.3 for Windows system, i.e., the zip file “aircrack-ng-1.3-” for
your Windows computer. After unzipping, open a command window cmd.exe, and
navigate (using the change directory command cd) to the subdirectory where the
executable files are located, e.g., at C:UsersownerDesktopaircrack-ng-1.3-
winbin64bit. Run the command from the command line:
to see the command options. In particular, run the command against the
“unknown.cap” file as follows assuming a copy of the file unknown.cap is located in
the same directory as the executable file:
aircrack-ng.exe unknown.cap
If successful, you will see the cracked WEP key displayed on the Windows command
window (cmd.exe).
Next, run the command
to show the command options, then run the command (with proper syntax) including
the cracked key and the original pcap file will result in a “decrypted” pcap file, saved
in the same directory. Finally, use Wireshark to open the decrypted pcap file, analyze
it, to answer this question.)

Project Management Assignment Help| PMP Homework Help Online