Due: Wednesday, October 25, 2017, 2:10 pm (start of the class)

Problems:

  1. (10 points) Send yourself a brief email that includes an attachment. Find a way to make your mail client show the raw message source. Describe the lines in the message header and outline how the attachment was included in the message.
  2. (10 points) Using nc:
    1. Connect to a web server and capture its response to a well-formed GET request that you send to it. Briefly describe each line in the HTTP response. No need to analyze the document itself.
    2. Pretend to be a server and capture an HTTP request made by a browser. Briefly describe each line in the request.

    You are expected to look up the meaning of the header lines that were not discussed in the class.

  3. (20 points) UNH provides a service that allows you to look up the email address, office location, and phone number of any of the faculty or staff members (http://www.unh.edu/directories/facstaff.html). Explore the service and come up with a simple method that could be used to retrieve names/emails/addresses/phone numbers of all persons listed in the directory. The method must not rely on any blind guessing or exploration of all options (e.g., searching for all Smiths, Joneses or A, Aa, Aaa, ...).
  4. This question deals with understanding of the structure of a URL and the processing of HTTP GET requests. This is NOT an exercise in trying to exploit anything beyond what the web server provides. This is not a hacking assignment; any attempt to probe the system any further will minimally result in a zero grade for the entire assignment. If in doubt, ask! You are not expected to implement the idea, and any attempt to actually retrieve the entire list or a significant portion of it would be in violation of the acceptable use policy.

    The deliverable for this assignment is a text or pseudocode description that a competent programmer could take and implement your program without having to do any further significant research.

  5. (5 points) Calculate the MD5 and SHA-1 digests of a.html, the HTML description of the previous assignment (download it from http://www.cs.unh.edu/~cs725/assignments/a2.html).
  6. (5 points) What are the first few bytes of the public key in the certificate used by https://www.iol.unh.edu/? Who issued the certificate?
  7. (20 points) Analyze a trace stored on CloudShark (https://www.cloudshark.org/captures/4edd9e0bf00f) that captures an SMTP session and answer the following questions:
    1. What software (name and version) was used on client and server side of the conversation?
    2. What was the Subject of the message?
    3. Describe the content of the message. How many components does it have?
    4. The message has an attachment; what is its type and filename?
    5. What is the attachment? Describe its content.

Programming Assignment:

  1. (30 points) Study SMTP (the textbook has a good description; you can also look at RFC 5321 or the Wikipedia article, which has a good example of a typical SMTP exchange). The goal of this part of the assignment is to try to communicate directly with an MTA while pretending to be another MTA sending a message.

    1. From a computer with a UNH IP address (this is important), connect to the mail server running at berlioz.cs.unh.edu on port 25 using nc (or a telnet client; note that telnet is not installed on agate to discourage people from using it for remote access) and pretend to be an MTA delivering a message addressed to your email address. Use subject "SMTP test" and make sure that you are identified in the body of the message. Capture the session and turn it in as a part of the assignment paper. Technically, you can use any mail server for the assignment; however, I would like to ask you to use the one specified above. While there is nothing technically wrong with connecting to any mail server, typo-filled hand-typed sessions tend to trigger various security alarms. I have learned this the hard way when the course was offered in the past and would like to avoid such problems this time around. Analyze the full header of the delivered message. Point out all the information that may indicate that the message did not originate from a legitimate source.
    2. Write an as-short-as-possible script that delivers an email message by (partially) implementing the SMTP conversation. You are not allowed to use any command or utility for direct sending of email (e.g., the mail command in Unix/Linux) or any library for sending email (e.g., javax.mail). Basic shell, nc and expect are probably good starting points in your search for the right tools. You are not expected to do extensive error checking.
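
For the header analysis asked for in step 1, the following added example (not part of the original assignment or its solution) shows the kind of checks a recipient can run on a delivered header. The sample message, host names, the function name suspicious_signs and the "from HELO (reverse-DNS [IP])" trace layout are assumptions; the findings are hints, not proof of forgery.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture): the header a receiving server might
# store after a hand-typed session. Hosts and addresses are placeholders.
SAMPLE = (
    "Received: from mta.example.org (client7.example.edu [192.0.2.7])\n"
    "\tby mx.example.edu with SMTP id 0123456789\n"
    "\tfor <student@example.edu>; Wed, 25 Oct 2017 10:00:00 -0400\n"
    "From: someone@example.org\n"
    "Subject: SMTP test\n"
    "\n"
    "Sent by hand by Jane Student.\n"
)

# Assumed trace layout: "from <HELO name> (<reverse-DNS name> [<IP>])".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def suspicious_signs(raw):
    """Return header observations that hint at a hand-delivered message."""
    msg = message_from_string(raw)
    findings = []
    # Mail clients normally set these; a bare DATA section often lacks them.
    for name in ("Message-ID", "Date", "To"):
        if msg[name] is None:
            findings.append(f"missing {name} header")
    hops = msg.get_all("Received") or []
    # Ordinary mail passes a submission server first, so it shows several hops.
    if len(hops) < 2:
        findings.append("fewer than two Received hops")
    if hops:
        # The topmost Received line was written by the final server itself,
        # so it is the only one the sender could not have forged.
        match = RECEIVED_RE.search(" ".join(hops[0].split()))
        if match:
            helo, rdns, ip = match.groups()
            if helo.lower() != rdns.lower():
                findings.append(f"HELO {helo} does not match {rdns} [{ip}]")
    return findings

if __name__ == "__main__":
    for finding in suspicious_signs(SAMPLE):
        print("-", finding)
```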

Submission instructions:

Upload your submission as a single PDF file using Canvas (mycourses.unh.edu). More details can be found in the standard assignment submission instructions.

© 2017 Radim Bartos.