Traffic Analysis– Wireshark Simple Example

Slides:

Advertisements

Similar presentations

Workshop 5: IPSec Security Ricky Mok 4 Apr Preparation Group yourself into groups of 2 people. – You will take turn to be “client” and “server”.

Advertisements

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.

CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.

Computer Security and Penetration Testing

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Penetration Testing.

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Ana Chanaba Robert Huylo

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

COEN 252 Computer Forensics Collecting Network-based Evidence.

Forensic and Investigative Accounting Chapter 14 Digital Forensics Analysis © 2011 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL

CIS 450 – Network Security Chapter 3 – Information Gathering.

--Harish Reddy Vemula Distributed Denial of Service.

Firewalls. Intro to Firewalls Basically a firewall is a __________to keep destructive forces away from your ________ ____________.

DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson.

Linux Networking and Security

Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.

1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.

Integrating and Troubleshooting Citrix Access Gateway.

Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.

Networks Part 3: Packet Paths + Wireshark NYU-Poly: HSWP Instructor: Mandy Galante.

Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF

NetTech Solutions Protecting the Computer Lesson 10.

CTC228 Nov Today... Catching up with group projects URLs and DNS Nmap Review for Test.

Hands-On Ethical Hacking and Network Defense

Firewalls. Intro to Firewalls Basically a firewall is a barrier to keep destructive forces away from your computer network.

COMP2322 Lab 1 Introduction to Wireshark Weichao Li Jan. 22, 2016.

Firewalls Fighting Spyware, Viruses, and Malware Ch 5.

Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.

Midterm Exam Review Release questions via webcourse “assignment” around 12:00pm, Mon. Oct. 28 th, due via webcourse at 12:00pm next day Submit format:

General Information: This document was created for use in the "Bridges to Computing" project of Brooklyn College. You are invited and encouraged to use.

SESSION HIJACKING It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Traffic Analysis– Traffic Forensic Example

Penetration Testing Exploiting I: Password Cracking

Penetration Testing Reconnaissance 2

Traffic Analysis– Wireshark Simple Example

Penetration Testing Scanning

Penetration Testing Social Engineering Attack and Web-based Exploitation CIS 6395, Incident Response Technologies Fall.

Networks Problem Set 3 Due Nov 10 Bonus Date Nov 9

Penetration Testing Armitage: Metasploit GUI and Machine-Gun Style Attack CIS 6395, Incident Response Technologies Fall 2016, Dr. Cliff Zou

A Comprehensive Security Assessment of the Westminster College Unix Lab Jacob Shodd.

Penetration Testing Offline Password Cracking

CITA 352 Chapter 5 Port Scanning.

The Linux Operating System

FORTINET Network Security NSE8 Dumps - 100% Success

COMP2322 Lab 1 Wireshark Steven Lee Jan. 25, 2017.

Networks Problem Set 3 Due Oct 29 Bonus Date Oct 26

Due: a start of class Oct 26

Metasploit a one-stop hack shop

Introduction to Networking

Metasploit assignment

Exploiting Metasploitable

Packet Sniffing.

6. Operating Systems Finger printing & Scanning

A Distributed DoS in Action

TCP/IP Networking An Example

Using Splunk – A Case Study

Traffic Analysis– Traffic Forensic Example

Cyber Operation and Penetration Testing Online Password Cracking Cliff Zou University of Central Florida.

Lecture 3: Secure Network Architecture

Cyber Operation and Penetration Testing Social Engineering Attack and Web-based Exploitation Cliff Zou University of Central Florida.

Acknowledgement Content from the book:

Intro Cyber Security Labs on GENI

Midterm Exam Review Release questions via webcourse “assignment” around 10:30am, Thur. Oct. 25th, due via webcourse at 10:30am next day Submit format:

Presentation transcript:

Traffic Analysis– Wireshark Simple Example Incident Response Technologies Dr. Cliff Zou

Acknowledgement The second wireshark example comes from programming project 2 in Dr. Dawn Song’s course “CS161: computer security” in Fall 2008: http://inst.eecs.berkeley.edu/~cs161/fa08/

Example #1: What traffic does Nmap generate? “Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network” Definition comes from Wikipedia.com Question: What traffic does it generate? How can we detect if someone is using Nmap?

Nmap Basic Usage Examples Scan a single IP: nmap 192.168.1.1 Scan a range of IPs nmap 192.168.1.1-20 nmap 192.168.1.0/24 Scan a range of ports nmap -p 1-100 192.168.1.1 Scan 100 most common ports (Fast) nmap -F 192.168.1.1 Scan all 65535 ports nmap -p- 192.168.1.1 Nmap --script banner 192.168.0.101 Setup TCP connection, get the first response text from the target

Testing on Kali Linux Your Kali Linux VM contains both nmap and Wireshark Use the wireshark to see what traffic does an nmap command sends out On Kali VM, run wireshark first, start the traffic capturing Run nmap to scan another VM on the same VLAN (such as Win7 VM) Stop capturing, and then check the captured traffic

Example #2: Wireshark trial Q1: Youtube becomes Notube In your company network YouTube page could not be loaded when people tried to access YouTube. Analyze the web traffic in q1.pcap trace (in webCourse) to find out how the attacker disrupted your YouTube access. Find out the type of attack being launched? What were the victims’ IP addresses? Hint: search for failed connections, there are 4 victims.

Question 1 Answer The 4 victims IP: 192.168.121.147, 192.168.121.148, 192.168.121.149, 192.168.121.150 The attack is TCP/RST attack by sending RST packets to youtube server whenever a victim sends TCP connection requests to youtube

Question 2 Q2: you sent a private message to your best friend on Facebook. But your message got also posted publicly on your friend’s wall, which means someone posted it impersonated as your friend. Examine the web traffic in q2.pcap (in webCourse) to find evidence of the attack used for the wall post. Find the secret wall post, the timestamp when it occurred and the cookie value (c_user) of the attacker. Hints: Check POST requests, cookie values

Question 2 Answer: There is one attacking IP: 10.0.0.4 using the same user cookie value. The secret wall post was : “Be sure not to tell anyone this! But M.C. is actually lactose- intolerant”. with a time Sun, 17 Apr 2011 06:30:02 GMT (based on server’s response message)

Question 3 There was a leakage of an exam file, so you pull out the data collected to analyze. Analyze the web accesses in the q3.pcap (in webCourse). Determine the type of attack used to access the file. What was the file name? How do you know it was successfully accessed?

Question 3 Answer: Directory traverse attack happened on getting password file, the other file is cheddar.pdf requested in several attempts. a single packet, # 41321, successfully obtained the pdf file.