What is the network address-broadcast and range

Reference no: EM131220209

PCAP Challenge

1 Objective

The objective of this lab is simple (although some of the questions will prove quite challenging): all you need to do is use the pcap file provided and investigate what transpired between two or more systems using Wireshark and NetworkMiner. This is an extra credit lab that can be completed and used to earn additional points toward your overall lab score. I also assigned this as additional homework, as it seems that historically many of you are not yet proficient in reading, investigating, and examining network traffic captures and could use the practice.

All answers should clearly show your logic, reasoning, and solution, including screenshots. Partial answers or answers with no backing or proof will not receive ANY credit on this assignment. CLEARLY document your work! Print Screen and MS Paint are your friends to capture screenshots and to crop and mark them up to show your work.

Materials

For the purposes of this lab, you will need the following:
- Time and patience and Google and some luck...
- The pcap file in this zip file as well as a version of Wireshark on your system to open and filter
- A Windows desktop on which you can run NetworkMiner (also included in the zip)

The Setup
You are a security analyst at a company that has been asked to review a network capture between some internal systems. It is suspected that someone in the organization was attempting to access resources to which they don't, or shouldn't, have access. The activity was discovered by a sysadmin who was cleaning up an FTP directory when she noticed an unusual file in the directory. Upon looking at the file she noted it may be a tool that could be considered a hacking tool and notified security (she didn't run it, so she is uncertain, just guessing that it is a bad sign). The pcap provided was trimmed so that only activity around the event was captured, so consider the pcap to contain ALL of the traffic related to this event.

What follows is a series of questions that may go through an investigator's mind as they try to unravel what has transpired. I'd suggest loading the pcap into the two tools (Wireshark and NetworkMiner), examining the output, and then answering the following questions. I do expect, where possible, that you will find the relevant information in BOTH of the tools. While NetworkMiner is good for the high-level questions, I would also expect that you utilize Wireshark to get the details where needed:

Q1. How many systems are involved in the communications in this capture? What are their operating systems (including version information if you can tell), MAC addresses, IPs, services presented to the network (that you know of based on the pcap), system names? It may be helpful to create a table with this information, with the systems in rows and the columns used to store elements such as IP, name, etc., that you can update throughout this lab.

Q2. Based on the MAC addresses, what do we know about these systems? What is the network address, broadcast, and range (or can you not tell from what you have been provided)?

Q3. Which systems received the greatest amount of network traffic by bytes? Which received the least by bytes? Which system sent the greatest amount of network traffic by bytes, and which the least by bytes?

Q4. Back to their operating systems, focus on the Windows systems involved. If you examine the NetworkMiner output you may notice that it attempts to run the capture through Ettercap and p0f among other passive OS fingerprinting tools. What did these tools think the OS was? How could you validate this information (based on the pcap and information you have, not theoretically...you can't answer "I'd run an nmap -O scan")?

Q5. Were there any DNS queries and responses in this capture? If not then how are these machines communicating with each other?

Q6. Based on what you know to this point, and looking through the pcap in Wireshark, which system(s) is/are the victim(s)? Which system(s) do you think is/are the attacker(s)? Which system(s) is/are passive observer(s)?

Q7. With the basics out of the way, let's start to build a timeline of the potential attacker's activities. Focusing on the system you think is the attacker, what did they do first? Was this automated or manual (Hint: look at the patterns, timing, etc.)? What did the attacker gain from running this first test and what systems were involved as the potential victims?

Q8. Is there anything in this first test that "may" tip you off as to the operating systems used for both of these systems (i.e. is there something that is different between the two systems that may be used to help validate your answers above)? Look at the TCP settings/options in the captured traffic for clues.
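A worked example, added here and not part of the assignment or its capture, that does by hand what NetworkMiner's Hosts tab and Wireshark's Statistics > Conversations and Endpoints views do for Q1, Q3, Q8 and Q12: it parses a libpcap file with nothing but the standard library, tallies bytes sent and received per IP together with its MAC, records which ports answered with a SYN/ACK, and pulls the TTL, window size and TCP option order out of every SYN, which is the raw material p0f-style passive fingerprinting works from. The capture, hosts, MACs, addresses and ports are constructed for illustration, and guess_os is a coarse rule of thumb stated as an assumption, not a signature database. The "seq" value it records is the absolute initial sequence number; Wireshark shows 0 on a SYN unless the "Relative sequence numbers" TCP preference is turned off, which is what Q12 is getting at.

```python
"""Tally hosts, bytes and TCP SYN fingerprints straight from a libpcap file. Added example,
not the assignment's capture or course code: the capture is constructed in memory (hosts, MACs,
addresses, ports are made up) so it runs offline with the standard library only. Checksums
stay zero; nothing here validates them (Wireshark does not by default either)."""
import struct

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def tcp_frame(smac, dmac, sip, dip, sport, dport, seq, ack, flags, ttl, win, opts=b"", data=b""):
    """Ethernet/IPv4/TCP frame builder, used only to construct the sample capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, ((20 + len(opts)) // 4) << 4,
                      flags, win, 0, 0) + opts + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     _ip(sip), _ip(dip)) + tcp
    return struct.pack("!6s6sH", _mac(dmac), _mac(smac), 0x0800) + ip
def pcap_file(frames):
    """Little-endian libpcap container, link type 1 (Ethernet), frames one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out
def iter_records(data):
    """Yield (timestamp, frame) from a libpcap file written in either byte order."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected a libpcap (not pcapng) file with Ethernet frames")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        yield sec + usec / 1e6, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
def tcp_options(raw):
    """Option names in wire order plus MSS, window scale and timestamp presence."""
    names, vals, i = [], {}, 0
    while i < len(raw) and raw[i] != 0:                       # kind 0 ends the list
        kind = raw[i]
        if kind == 1: names.append("NOP"); i += 1; continue    # NOP carries no length byte
        ln = raw[i + 1] if i + 1 < len(raw) else 0
        if ln < 2: break                                      # malformed option, stop
        body = raw[i + 2:i + ln]
        if kind == 2: names.append("MSS"); vals["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3: names.append("WS"); vals["wscale"] = body[0]
        elif kind == 4: names.append("SACK_PERM")
        elif kind == 8: names.append("TS"); vals["timestamps"] = True
        else: names.append("OPT%d" % kind)
        i += ln
    return names, vals
def parse_frame(frame):
    """Decode Ethernet/IPv4 and, for TCP, the header fields the questions ask about."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00": return None   # IPv4 only
    dmac, smac, ip = frame[:6], frame[6:12], frame[14:]
    ihl, tlen, ttl, proto = (ip[0] & 0xF) * 4, struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    p = {"smac": smac.hex(":"), "dmac": dmac.hex(":"), "sip": ".".join(map(str, ip[12:16])),
         "dip": ".".join(map(str, ip[16:20])), "ttl": ttl, "bytes": len(frame), "tcp": None}
    if proto == 6:
        t = ip[ihl:tlen]
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", t[:16])
        names, vals = tcp_options(t[20:(off >> 4) * 4])
        p["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
                    "window": win, "options": names, **vals}
    return p
def summarize(pcap):
    """hosts: MAC, bytes each way, ports that answered SYN/ACK (Q1, Q3, Q9); syns: one
    profile per SYN or SYN/ACK with the absolute ISN, not Wireshark's relative 0 (Q8, Q12)."""
    hosts, syns = {}, []
    for ts, frame in iter_records(pcap):
        p = parse_frame(frame)
        if not p: continue
        s = hosts.setdefault(p["sip"], {"mac": p["smac"], "sent": 0, "recv": 0, "ports": set()})
        d = hosts.setdefault(p["dip"], {"mac": p["dmac"], "sent": 0, "recv": 0, "ports": set()})
        s["sent"] += p["bytes"]; d["recv"] += p["bytes"]
        t = p["tcp"]
        if t and t["flags"] & 0x02:
            if t["flags"] & 0x10: s["ports"].add(t["sport"])     # SYN/ACK: service is listening
            syns.append({"ts": ts, "src": p["sip"], "dst": p["dip"], "ttl": p["ttl"], "seq": t["seq"],
                         "window": t["window"], "options": t["options"], "mss": t.get("mss"),
                         "timestamps": t.get("timestamps", False)})
    return hosts, syns
def traffic_extremes(hosts):
    """Q3: top and bottom talker by bytes in each direction."""
    return {k + "_" + d: f(hosts, key=lambda h, d=d: hosts[h][d])
            for d in ("sent", "recv") for k, f in (("most", max), ("least", min))}
def guess_os(profile):
    """Coarse p0f-style rule of thumb (an assumption, not a signature database): Windows stacks
    start TTL at 128 and omit the timestamp option on SYNs, Linux stacks start at 64 and send it."""
    if 64 < profile["ttl"] <= 128 and not profile["timestamps"]: return "Windows-like"
    if profile["ttl"] <= 64 and profile["timestamps"]: return "Linux-like"
    return "unknown"

# Constructed sample: A (Linux-like) opens FTP on V (Windows-like); O sends V a single SYN.
A, V, O = ("192.168.1.10", "00:0c:29:aa:bb:01"), ("192.168.1.20", "00:0c:29:aa:bb:02"), ("192.168.1.30", "00:0c:29:aa:bb:03")
WIN_OPTS = bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")               # MSS,NOP,WS,NOP,NOP,SACK_PERM
LNX_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")  # MSS,SACK_PERM,TS,NOP,WS
SAMPLE_PCAP = pcap_file([
    tcp_frame(A[1], V[1], A[0], V[0], 40001, 21, 0x1C2D3E4F, 0, 0x02, 64, 29200, LNX_OPTS),           # SYN
    tcp_frame(V[1], A[1], V[0], A[0], 21, 40001, 0x7A7B7C7D, 0x1C2D3E50, 0x12, 128, 8192, WIN_OPTS),  # SYN/ACK
    tcp_frame(A[1], V[1], A[0], V[0], 40001, 21, 0x1C2D3E50, 0x7A7B7C7E, 0x10, 64, 229),              # ACK
    tcp_frame(V[1], A[1], V[0], A[0], 21, 40001, 0x7A7B7C7E, 0x1C2D3E50, 0x18, 128, 256, b"", b"220 FTP server ready\r\n"),
    tcp_frame(O[1], V[1], O[0], V[0], 50000, 445, 0x01020304, 0, 0x02, 128, 65535, WIN_OPTS),
])
```

Run summarize(SAMPLE_PCAP) and traffic_extremes on the result to get the Q1/Q3 table rows; each entry in syns is one line of the Q8 comparison, and the two sides of the FTP handshake in the sample differ exactly where real stacks do: starting TTL, the presence of the timestamp option, and the order in which MSS, NOP, window scale and SACK-permitted appear. Treat the guess only as a hypothesis to confirm against service banners and the SMB or RDP payloads later in the capture.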

Q9. What did the attacker do next? Can you tell what kind of scan was performed? Do you know which TCP ports are open on the systems included in this scan? It may be helpful to add this to your table that you created above. Is there anything about the scan that may expose what tool is being used?

Q10. Was this a manual or automated scan? How do you know? Again, examine the structure, timing, type of packets sent/received, etc.

Q11. The attacker takes a break for approximately 23 seconds and then connects to a service. What is this service, including the detailed version? What system is he attacking? Does anything here help validate your answers to the operating system questions above, and if so what is it?

Q12. To test your Wireshark-fu, what is the real sequence number used by the attacker that results in a TCP connection between attacker and victim using the service from Q11?

Q13. What user names and passwords does the attacker try until he successfully guesses a correct username and password for the service? What is the valid username/password combination that allows him access? Are there any security flaws you can see in this service/protocol? What response code from this service indicates an unsuccessful log in, what response indicates a successful log in?

Q14. What are all of the commands run by the attacker in order? What does each command do and/or provide the attacker? How many systems did the attacker use and what were they? May be helpful to update your table with an additional column that shows if it is a victim or attacker...

Q15. What ports are used in this communication and what is each used for? How can you be sure?

Q16. Were any files transferred during this session? What was/were the name(s) of the file(s)? What is the contents of the file exactly and did it provide any additional information for the attacker?

Q17. What file (filename) does the attacker try to transfer in his first attempt? Was it successful yes or no, and how can you tell? What was the response code?

Q18. What does the attacker do next? How do you know? I'd expect you'd see a SYN, SYN/ACK, ACK to a new service, which is also a good hint for finding new sessions to new services as they are created. What source and destination ports were used in this new connection? What is the T.125 protocol? Can we view this data/traffic in clear text? Why or why not? (Hint: use the Follow TCP Stream option from the initial SYN and then look up information about the protocol online.)

Q19. How long was the attacker using this service to access the system in seconds?

Q20. The attacker now goes back to the original attempt to transfer and attempts another transfer via a service. Is this transfer successful? What is the file name? How many times is the file transferred if successful? How many seconds have elapsed between the three transfer attempts, assuming the first attempt is time zero (t=0)?

Q21. Did the attacker disconnect from his session or leave it open? Better yet, which sessions were active when? Can you draw a timeline of activity in terms of systems connected to the victim(s) and the use of the two services?

Q22. The filename of the file he is attempting to transfer may be misleading, however the attacker had changed to a mode that allowed us to view inside the file he transferred, what is this mode called? View the file transfer, is there anything in the file that would confirm (or not) your suspicions about what the file is? Prove it is, or is not, the file you think it is based on its name.
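An added example, not the assignment's capture or code, for Q13, Q17 and Q22 together: it walks an FTP control-channel transcript of the kind Follow TCP Stream produces on port 21, pairs each PASS with the reply that judged it (RFC 959: 230 logged in, 530 rejected), tracks the TYPE in force (A for ASCII, I for binary image), records each STOR or RETR with its replies (550 refused; 150 opens the data connection and 226 completes it), and then inspects constructed data-channel bytes for an MZ/PE header, because the file name says nothing about what was actually uploaded. The transcript, credentials, host, file name and payload are constructed for illustration; the reply codes in it are the protocol's, not the answers to the questions.

```python
"""FTP control channel: credential guessing, transfer attempts, transfer mode, and a check of
what really went over the data channel. Added example, not part of the assignment or its
capture: the transcript and the data bytes below are constructed (users, passwords, file name
and host are made up) to stand in for what Wireshark's Follow TCP Stream shows on port 21."""
import re
import struct

CONTROL_STREAM = """\
S: 220 FTP Server ready.
C: USER admin
S: 331 Password required for admin.
C: PASS admin
S: 530 Login incorrect.
C: USER admin
S: 331 Password required for admin.
C: PASS password
S: 530 Login incorrect.
C: USER ftpuser
S: 331 Password required for ftpuser.
C: PASS Summer2016
S: 230 User ftpuser logged in.
C: TYPE I
S: 200 Type set to I.
C: STOR tool.txt
S: 550 Permission denied.
C: TYPE A
S: 200 Type set to A.
C: PORT 192,168,1,10,156,65
S: 200 PORT command successful.
C: STOR tool.txt
S: 150 Opening ASCII mode data connection for tool.txt.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""
REPLY = re.compile(r"^(\d{3})[ -]")      # RFC 959 reply: three digits, then space (or '-' if multi-line)

def parse_control(stream):
    """Record each PASS with the reply that judged it (230 logged in, 530 rejected), the TYPE in
    force (A = ASCII, I = binary; the RFC 959 default is A) and each STOR/RETR with its replies
    (550 refused, 150 data connection opened, 226 completed)."""
    logins, transfers, mode, user, pending = [], [], "A", None, None
    for raw in stream.splitlines():
        who, _, text = raw.partition(": ")
        if who == "C":
            verb, _, arg = text.partition(" ")
            verb, pending = verb.upper(), None               # a new command retires the old one
            if verb == "USER": user = arg
            elif verb == "TYPE": mode = arg.upper()
            elif verb == "PASS":
                pending = {"user": user, "password": arg, "code": None, "ok": False}
                logins.append(pending)
            elif verb in ("STOR", "RETR"):
                pending = {"cmd": verb, "file": arg, "mode": mode, "codes": [], "ok": False}
                transfers.append(pending)
        elif who == "S" and pending is not None and REPLY.match(text):
            code = int(text[:3])
            if "password" in pending:                        # login attempt: one reply decides it
                pending["code"], pending["ok"] = code, code == 230
                pending = None
            else:                                            # transfer: 1xx keeps it open, 2xx/4xx/5xx ends it
                pending["codes"].append(code)
                pending["ok"] = code == 226
                if code >= 200: pending = None
    return logins, transfers, mode

def first_success(logins):
    """Q13: the credential pair that worked and how many guesses preceded it."""
    for n, l in enumerate(logins):
        if l["ok"]: return l["user"], l["password"], n
    return None

def classify_payload(data):
    """Q22: judge the data-channel bytes, not the file name. A PE file starts with 'MZ' and has
    'PE\\0\\0' at the offset stored little-endian at 0x3c (the e_lfanew field)."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        return "PE executable" if data[pe:pe + 4] == b"PE\0\0" else "MZ header without PE signature"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data): return "plain text"
    return "binary, not PE"

def fake_pe():
    """Constructed data-channel payload: a bare MZ/PE header with the usual DOS stub string, no code."""
    buf = bytearray(0x44)
    buf[0:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    stub = b"This program cannot be run in DOS mode."
    buf[0x0E:0x0E + len(stub)] = stub
    struct.pack_into("<I", buf, 0x3C, 0x40)
    return bytes(buf)
```

Two things this makes visible that the questions turn on: the protocol flaw is that USER, PASS and every reply travel in clear text, so the whole guessing sequence and the winning pair are readable to anyone on the path; and whether the upload went in ASCII or image mode only changes how Wireshark renders the data stream, not what the bytes are, so the MZ signature, e_lfanew pointer and "This program cannot be run in DOS mode" stub are what settle the file-type question regardless of the name.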

Q23. The attacker then makes another attempt to access the victim(s). What is this new service he is using and what could he possibly use it for?

Q24. He seems to connect and then disconnect from the service (i.e. look at the four-way disconnect sequence FIN/ACK, FIN/ACK, ACK). He then appears to connect to this service again. What is he attempting to access? You can see a bunch of filenames in this second connection; do you know what the attacker has done that has generated this traffic? Hint: If you think you know the answer, you could test this out on your own systems and evaluate the traffic to see if you were correct.

Q25. What authentication protocol was used to authenticate the attacker to this service during the second attempt (i.e. the answer is in the packets, not the Protocol column in Wireshark)? What user account does the attacker use to connect (i.e. not the anonymous one; it is an actual username)?

What is the NTLM Client Challenge for this authentication?
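An added example, not part of the assignment or its capture, for Q25: it locates the NTLMSSP AUTHENTICATE (type 3) message inside the SPNEGO blob of an SMB Session Setup by its "NTLMSSP\0" signature and decodes the fields MS-NLMP defines there: domain, user name, workstation and, for an NTLMv2 response, the 16-byte NTProofStr, the timestamp and the 8-byte client challenge that Wireshark labels "NTLMv2 Client Challenge". The message, user, domain, workstation, proof and challenge bytes are constructed, the wrapper bytes only imitate a GSS-API/SPNEGO header, and nothing is derived from a real password.

```python
"""Extract the NTLMv2 client challenge and user from an NTLMSSP AUTHENTICATE (type 3) message.
Added example, not part of the assignment or its capture: the message below is constructed
(user, domain, workstation, proof and challenge bytes are made up) following the MS-NLMP
layout, and the wrapper bytes only imitate the GSS-API/SPNEGO header seen in SMB."""
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001           # strings are UTF-16LE when this flag is set

def _field(msg, off):
    """Decode a Len/MaxLen/Offset triple and return the payload bytes it points at."""
    ln, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + ln]

def find_ntlmssp(blob):
    """SMB wraps NTLM in ASN.1 (SPNEGO); the signature is the reliable anchor to search for."""
    i = blob.find(SIGNATURE)
    return blob[i:] if i >= 0 else None

def parse_authenticate(msg):
    """Fixed header offsets: Lm@12, Nt@20, Domain@28, User@36, Workstation@44, Flags@60."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    enc = "utf-16-le" if struct.unpack_from("<I", msg, 60)[0] & NEGOTIATE_UNICODE else "latin-1"
    nt = _field(msg, 20)
    out = {"domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
           "workstation": _field(msg, 44).decode(enc), "ntlm_version": None,
           "nt_proof": None, "timestamp": None, "client_challenge": None}
    if len(nt) == 24:                                    # NTLMv1: bare 24-byte response
        out["ntlm_version"] = 1
    elif len(nt) > 24 and nt[16:18] == b"\x01\x01":       # NTLMv2_RESPONSE: NTProofStr + CLIENT_CHALLENGE
        out["ntlm_version"] = 2
        out["nt_proof"] = nt[:16].hex()
        out["timestamp"] = struct.unpack_from("<Q", nt, 24)[0]   # FILETIME, 100 ns ticks since 1601
        out["client_challenge"] = nt[32:40].hex()                # ChallengeFromClient
    return out

def build_authenticate(user, domain, workstation, nt_proof, client_challenge, timestamp):
    """Assemble a type 3 message carrying an NTLMv2 response; sample construction only."""
    u16 = lambda s: s.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(u16(domain))) + u16(domain) + struct.pack("<HH", 0, 0)
    nt_resp = (nt_proof + b"\x01\x01" + b"\0" * 6 + struct.pack("<Q", timestamp)
               + client_challenge + b"\0" * 4 + av_pairs)
    payload, fields, off = b"", [], 88                  # payload follows the 16-byte MIC at 72
    for item in (b"\0" * 24, nt_resp, u16(domain), u16(user), u16(workstation), b""):
        fields.append(struct.pack("<HHI", len(item), len(item), off))
        payload, off = payload + item, off + len(item)
    flags = NEGOTIATE_UNICODE | 0x00080000 | 0x02000000    # UNICODE, EXTENDED_SESSIONSECURITY, VERSION
    return (SIGNATURE + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags)
            + b"\0" * 8 + b"\0" * 16 + payload)           # Version (8) and MIC (16) left zero

# Constructed SMB session-setup blob: GSS-API/SPNEGO-looking prefix followed by the type 3 message.
SAMPLE_BLOB = b"\x60\x2e\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x24" + build_authenticate(
    "jdoe", "CORP", "WS01", bytes.fromhex("00112233445566778899aabbccddeeff"),
    bytes.fromhex("0123456789abcdef"), 131_000_000_000_000_000)
```

Why the client challenge matters beyond being the answer to a question: NTProofStr is HMAC-MD5, keyed with the NTLMv2 hash of the password, over the server challenge from the preceding type 2 CHALLENGE message concatenated with this client blob. An offline attack on the captured exchange therefore needs the server challenge from that earlier packet as well as the user, domain, proof and blob extracted here, which is also why the user name is recoverable from the packets even though the password never crosses the wire.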

Q26. Go back to Q16 for a moment and review your answer. Did the attacker use any of the information provided in the file(s), maybe in an authentication using a username and password from the file? Did the attacker know any of this information prior to viewing the file, and if so what did he know and how do you know this?

Q27. Did the attacker ever run the file he attempted to transfer? How do you know you are correct in your assumption? This one is going to take some serious thought, so put your attacker hat on, think about when it was transferred and what the attacker was, or was not, connected to and if that would allow execution across the network or on the victim(s) it was transferred to.

Attachment: pcap_challenge01.rar
