
PROJECT 2 LAB: NETWORK TRAFFIC CAPTURE AND ANALYSIS
Introduction and Overview
The chief information officer (CIO) of your employer is concerned about a potential cyberattack that is likely to
impact some user computers, a domain controller with a huge pile of user accounts, and external-facing web servers.
As a proactive measure, a packet capture was immediately initiated after the internal monitoring system sent an
initial alert. You have been called in to assess the situation based on your expertise. In this lab you act as a
security operations analyst: the CIO wants you to analyze the captured network packets and investigate the
potential target hosts, the inbound and outbound traffic, and the specific type of attack, such as DDoS or SQL injection.
Additionally, your findings must state whether this is an active or passive sniffing attack. Working through
this lab as a security operations analyst will reinforce the concepts learned in the classroom.
Goals
The purpose of this lab is to help you gain hands-on experience and get a deeper understanding of network security
concepts by capturing and analyzing network packets traversing through specified endpoints or networks. In other
words, students will gain hands-on experience running vulnerability analysis tools that can help detect potential
weaknesses in a system. In a previous project, you utilized OpenVAS to conduct vulnerability assessment; however,
you will use Nmap and Wireshark in this lab to achieve a similar but distinct goal. You may have already learned the
functionality of these tools as you studied the content within the steps in your classroom.
You will use Wireshark and Nmap as network packet analyzers, which are pre-installed in the Windows VM within
the UMGC MARS Virtual lab environment (VLE) to help you analyze network packets.
Learning Objectives
After completing this lab, you are expected to achieve the following learning objectives:
• Use network sniffing and scanning tools to scan and analyze network traffic within Windows and Linux
networked environments and get acquainted with the structure of network packets.
• Gain experience using Wireshark and Nmap as packet sniffing tools.
• Analyze network packets at the four main TCP/IP layers (application, transport, network, and data link)
to develop your assessment report.
• Analyze captured network traffic using a given Wireshark file and identify suspicious traffic (such as DDoS,
SQL injection attacks), malicious data, open ports, and others.
• Develop a security assessment and risk assessment report as part of your project report.
Learning Outcomes
By the end of this lab, you are expected to satisfy the following competencies aligned with the course learning
outcomes of the Cybersecurity Technology Program.
• Organize documents or presentations clearly in a manner that promotes understanding and meets the
requirements of the assignment. Tailor communications to the audience.
• Explore and address cybersecurity concerns, promote awareness, best practices, and emerging
technology.
• Knowledge of methods and tools used for risk management and mitigation of risk.
• Demonstrate the ability to detect, identify, and resolve host and network intrusion incidents.
• Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle
relevant digital evidence appropriately.
General Competencies:
• Network traffic analysis; network mapping; security, vulnerability, and risk assessment; threat detection;
and endpoints protection.
GENERAL LAB REQUIREMENTS
IMPORTANT:
Please pay attention to the following general requirements:
• While your professor and classmates can be a resource if you need help, you are required to
complete the lab independently.
• The lab procedures and results need to be documented as part of your submission, and where
necessary, provide screenshots to support your submitted work.
• Before proceeding, you are encouraged to revisit the section or project steps in the classroom that
specify the requirements and the items you will need to include in your lab project.
Deliverables
Upon completing this lab, you are required to provide the following deliverables based on the Wireshark and
Nmap results and analysis.
• The lab procedures and results need to be documented as part of your submission and where necessary,
provide screenshots to support your submitted work.
• Develop a security and risk assessment report as part of your project report.
• Use the lab experience report template to describe your experience, demonstrate the skills gained, and
confirm that experience. Then incorporate your findings into the project deliverables for submission.
IMPORTANT:
• The Project 2 Lab Experience Report Template is a Word document located in the Lab Files (Project
2) folder under the Folders & Files tab in your MARS student portal. Download and use it for your
lab.
• Please refer to the MARS Reference Guide for guidance.
Lab Topology
The MARS environment has two main virtual machines (VMs) for this course; however, there are a host of other VMs,
servers, and endpoint devices in the virtual environment.
Types of VMs in this Lab
VM #   VM Name           OS Type   VM Type
VM1    Windows Desktop   Windows   Target/Attacker Machine
VM2    Linux Desktop     Linux     Target/Attacker Machine
NOTE:
• There is one internal IPv4 subnet (10.138.0.0/16) for both VMs in this course.
• One of the machines runs Linux OS, while the other runs Windows.
UMGC/MARS Virtual Lab Topology
The hypothetical lab topology shown below gives you an idea of an overall layout of the VMs in the dedicated virtual
environment with configured IP subnets and dynamically assigned IPv4 addresses. The VMs are connected as depicted in
the simplified lab topology below.
NOTE:
• All the information and software including the cybersecurity tools made available in the MARS virtual
environment are for educational purposes only.
• For safety, legal, and ethical concerns about the potential for misuse of some software tools when performing
the lab, students should exercise care when accessing the internet from the MARS environment.
• Note that many of the cybersecurity tools used in the labs in this course can potentially be misused by hackers. It
is important that you use these tools in an ethical and responsible manner. It is the end user’s responsibility to
comply with all University guidelines and policies including applicable acceptable use policy (AUP) and safety
rules.
WARNING:
• The MARS VLE is set up to use dynamic IP addresses instead of static IP addresses.
• Therefore, the assigned IP addresses to your specific lab VMs are likely to be different from what you see in
the given screenshots.
• As a result, make sure you are using the IP addresses that reflect your allocated machines.
Lab Resources and Software Requirements
You will use the Windows Desktop VM to access both Wireshark and Nmap to complete this lab.
Lab Credentials Required to Access MARS
• Upon accessing the MARS website, you will be prompted to enter your username and password (UMGC
SSO credentials) to access your student portal.
• Then use your 6-digit 2-Factor Authentication (MARS Security) code sent to your email address to
complete the login process and get your VMs started. Next, use your retrieved passwords to log into the
Windows Desktop and/or Kali Linux VM depending on which VM(s) to use.
TIP: Should you forget your password, you can copy it by clicking on the Click to show link under the password
field in the VM section of your student portal. If necessary, refer to the MARS Guide for additional information.
Reference Resources
Review the following open-source resources to reinforce your understanding of the key concepts and tools in this
lab.
• Refer to Wireshark, Wireshark Documentation , Wireshark Training, and NMap websites for official
documentation, white papers, user manuals, FAQs, webcast slides, online videos, and online
presentations.
• You may also refer to the optional lab reference resources provided elsewhere in this lab document.
• Alternatively, you have the liberty to use some learning tools such as the UMGC library, Google search
engine, YouTube, and others for external resources such as videos, peer review articles, white papers,
trade magazines, and online documentation. However, be mindful of digital rights infringement and cite
sources to credit authors where appropriate to support your work.
NOTE: There are active hyperlinks (URLs) to external sources in these lab instructions. For the best experience,
if a weblink does not automatically open in another tab, right-click it and open it in a new tab. Be aware that this
behavior can change depending on the type and settings of the browser and platform you are using.
PART 1: CONNECTING TO THE WINDOWS DESKTOP VM
To access any Virtual Machine (VM), follow the instructions contained in the Lab Reference Guide, Common Lab
Setup Guide, or simply the Common Lab Guide, to help you get yourself acquainted with the general MARS virtual
environment, along with the lab-specific setup exercise. The Common Guide will help you navigate and connect to
the MARS virtual environment, perform any lab setup activities, as well as connect to your allocated VMs.
Specifically, it will help you with frequently performed tasks, such as logging in to the MARS, opening a VM, taking
screenshots, accessing and downloading files, and transferring files to and from your local machine.
IMPORTANT:
• You are strongly encouraged to read the Reference Guide and any other UMGC-specific materials in
full before starting the lab. This document is linked from all the project callout boxes, which are
located in the respective project steps. The Guide is a great asset to help you conduct your lab
exercises smoothly.
TIP:
Listed below are the main sections of the MARS Reference Guide [Common Lab Guide]:
• INTRODUCTION
• SECTION 1: Understanding the UMGC MARS Virtual Environment
• SECTION 2: Connecting and Navigating the MARS Virtual Environment
• SECTION 3: Installing OpenVPN and Remote Desktop Protocol (RDP)
• SECTION 4: Connecting and Starting the Windows Virtual Desktop
• SECTION 5: Accessing Your Courses
• SECTION 6: Downloading the Project/Lab Files
• SECTION 7: Understanding the CST Lab Alerts
• SECTION 8: Getting Help Using the Lab Support Form
Task 1: MARS Virtual Environment
As you did in the project 1 lab, you will launch your Windows Desktop via RDP connection. You are required to
complete this first task in order to accomplish the tasks associated with the lab. Make sure your virtual machines
are running by logging into MARS and starting the Windows Desktop (VM) if it is not already running.
1. Launch your Windows Desktop from the Virtual Desktops tab of the MARS portal by clicking the Start
button, which starts the VM (and any other VM you have access to for the course). If a VM does not start,
manually start the Linux Desktop when necessary. Notice that Virtual Desktops is the selected tab.
2. You can then connect to the Windows Desktop using the RDP application after it starts running. When
prompted, enter the password that was initially retrieved from your student portal for Windows. After
successful authentication, and accepting and acknowledging any messages, the Windows Desktop will
appear as shown below.
NOTE:
• You are encouraged to examine the user interfaces of both VMs to become familiar with the operating
systems.
• Use the scroll bars to scroll as needed. Your virtual desktop should now work just like any other
Windows machine.
• Please refer to the MARS Reference Guide to help you connect to the MARS virtual environment,
perform any lab setup activities, and connect to your allocated VMs.
PART 2: STARTING THE LAB | HANDS-ON WALK-THROUGH INSTRUCTIONS
You are required to complete each of the following tasks based on the stated objectives to produce the required
deliverables in this lab. You will use Windows Desktop, which has the required preloaded Nmap and Wireshark to
complete the lab. Carefully read and follow the step-by-step instructions provided below to complete the lab
exercises.
Task 1: A Brief Overview of the Wireshark User Interface
Wireshark—a network protocol analyzer—is an open-source tool for capturing and analyzing network traffic or
network packets. The tool can also be used for network troubleshooting, protocol development, and other similar
tasks. Additionally, Wireshark is a network packet analyzer presenting captured packet data in as much detail as
possible [1].
The Wireshark user interface (UI) contains three main sections: the packet list pane, the packet details pane, and
the packet bytes pane.
Packet List Pane: This pane is located at the top of the user interface and displays all active packets captured with
Wireshark. Notice that each line or row is assigned a specific number. This number is the packet number in the
capture file and does not change. When a packet is selected in the top pane, corresponding details appear in the
other panes: packet details and packet bytes/status.
Packet Details Pane: This pane, located in the middle, displays the protocols and associated fields of the selected
packet in a collapsed format. Each frame, protocol, or detail row can be expanded by clicking the plus
sign (“+”) or right-arrow symbol (“>”) to display additional details. You can set filters, based on protocol type, by
right-clicking on the desired item within this pane.
Packet Bytes/Status Pane: This pane, located at the bottom, displays the raw data of the selected packet from the
packet list pane in a hexadecimal dump format. This is useful in identifying suspicious packet contents, as some
content will be easily viewed in ordinary ASCII characters.
You may refer to the Wireshark, Wireshark Documentation, Wireshark Training, and NMap websites for official
documentation, white papers, APIs, user manuals, FAQs, webcast slides, online videos, and online presentations.
Ensure that you thoroughly review the Wireshark resources to learn more about the tool before proceeding.
Task 2: Launching Wireshark
In the next few steps, you will conduct packet capture analysis using the Wireshark program installed in Windows
VM to complete the exercises. You will analyze HTTP web traffic and then the given Wireshark file,
CST610Project2Lab1.pcap, already pre-captured.
TIP: Keep in mind that packet capture may be examined using other sniffer tools such as PRTG network
monitor, ManageEngine, NetFlow analyzer, WinDump, and TCPdump.
1. First, launch the Wireshark application either from the Windows Desktop (if there is a shortcut) or from your
Windows Start menu, as shown in A and B below.
TIP: You may also open Wireshark using the Windows search box in the Taskbar and typing “Wireshark”. If
you prefer, create a Wireshark shortcut on the desktop of the Windows VM.
2. You should see the main Wireshark user interface as shown. Select the Ethernet 4 network interface in
Wireshark for capturing. Take note of the various menus of the user interface.
NOTE: You may refer to the Reference Resources section for official documentation, white papers, APIs, user
manuals, FAQs, webcast slides, online videos, and others to get familiar with the tool.
Task 3: Loading the Given PCAP file into Wireshark for Analysis
In the next few steps, you will conduct packet capture analysis using the Wireshark program installed in Windows
VM to complete the exercises. First, you will load the PCAP file into Wireshark for analysis. Follow the steps below
to accomplish this task.
IMPORTANT/ CAUTION:
• Please be reminded that the lab instructions, related screenshots and files, and any requirements in the
CST610 course also apply to the DFC610 course.
• CST610 and DFC610 are two courses with the same content; for this reason, CST610Project2Lab1.pcap
file also applies to DFC610. You do not need a separate file, but you can choose to use
DFC610Project2Lab1.pcap in the DFC610 folder if you want.
1. Now, locate the CST610Project2Lab1.pcap file in the CST610 folder in the File Explorer window as shown
below. You may also use the DFC610Project2Lab1.pcap file from the DFC610 folder if you want; the two
files have different names but the same content.
2. Next, follow the steps below to load the PCAP file:
a. Click File and then the Open option under the File drop-down menu on the left side of the
window (a).
b. Navigate to the CST610 folder (b) and select the CST610Project2Lab1.pcap file. Then click Open
to load it. Wireshark will load this file and get it ready to be analyzed.
3. Notice that Wireshark loads and displays the packets listed in rows in three panes (packet list, packet
details, and packet byte/status panes). You may refer to the Wireshark user interface as outlined above in
the introduction to understand the details of each pane. In the next task, you will analyze the loaded PCAP
file in Wireshark to identify potential network attacks and intrusions.
NOTE:
• You may scroll through the capture file by using the scroll bar in the top pane that has the colored
rows of network traffic captured.
• When a packet is selected in the packet list (top) pane, the corresponding details appear in the
packet details and packet byte panes in the middle and bottom panes respectively.
• The top pane contains an overview of captured network traffic. The middle pane shows details for
the selected row. Notice the triangles at the left of Frame 1, Ethernet II, Internet Protocol Version 4,
User Datagram Protocol (UDP), Domain Name System (DNS), etc. Each of these can be expanded to
examine the detailed contents.
• The pane at the bottom of the screen (packet bytes) displays the raw data in a column of
hexadecimal side-by-side with a column of the data in ASCII format. This is useful in identifying
suspicious packet contents, as some content will be easily viewed in ordinary ASCII characters, but
some suspicious content may not be represented in ASCII characters at all but can be identified in
the corresponding hexadecimal representation.
Task 4: Filtering, Inspecting, and Analyzing the PCAP File
It is now time to analyze the pre-captured network traffic in the loaded PCAP file (CST610Project2Lab1.pcap) in
Wireshark to identify potential network attacks and intrusions. You will accomplish this by filtering and inspecting
individual packets now that Wireshark has loaded packet capture and displayed them in a human-readable format.
The tool allows you to dig into the network traffic and inspect individual packets as needed for potential
compromises.
The following step-by-step instructions will guide you on how to use the Wireshark Statistics menu to analyze the
PCAP file and explore both HTTP web traffic and TCP Protocol information.
Task 4a: Using the Statistics tool to analyze the PCAP file
1. Using the Statistics menu, analyze the PCAP file by using filtering techniques. To filter, click
Statistics > IPv4 Statistics > Destination and Ports from the Wireshark toolbar.
2. When the Destination and Ports window opens, look for the IP address with the highest count under the
Count column. Record the IP address and take a screenshot for evidence. You will later answer questions
regarding packet counts and potential security incidents.
Note: The results for the Destination and Ports stats can take about a minute or two to complete. Exercise
patience and allow it to populate so you can analyze the entire statistics.
QUESTIONS:
• Think of the fact that a DoS attack tries to make a web resource unavailable to legitimate users by
flooding the target URL/host with more requests to overwhelm the server. What can you infer from the
statistical information in the Destination and Ports window as far as a DoS attack is concerned?
• Cybercriminals can illegitimately use DoS attacks to extort money from companies. They may also deliver
ransomware via social engineering. Determine whether this is a Distributed Denial of Service (DDoS) or a DoS
attack [hint: a DDoS attack originates from multiple sources almost simultaneously].
• What is your point of view on the Rate and Percent columns of the Statistics output with respect to the
Count column? Does this information indicate any possibility of a compromise? If so, why?
Task 4b: Using the Conversations tool to analyze the PCAP file
Another approach for analyzing this information is to use the Conversations tool.
1. Click Statistics > Conversations in Wireshark to uncover additional details about the IP packets. The
Conversations tool shows a summary of the IP addresses found within the capture and the number of
packets and bytes sent to and from the different source and destination endpoints/IPs in each
conversation stream.
2. From the Conversations window, you should be able to see the communication between IP addresses.
Click the IPv4-10 tab to see the communications between source and destination IP addresses (hosts).
Find the one with the highest packet count.
3. Address A under IPv4-10 is the source IP address and address B is the destination or target IP address.
The bad actor is the source address with the highest packet count.
NOTE:
• Note the different tabs in the above screenshot (Ethernet.13, IPV4.10, IPV6, TCP.516, and
UDP.25564). The number denotes the number of rows (e.g., Ethernet.13 has 13 rows). Examine each
tab to review the different details to help your analysis.
• The results for the Conversation stats can also take a while to complete. Therefore, exercise patience
and allow it to populate so you can analyze the relevant details.
QUESTIONS:
• Besides the DDoS attack, do you see any indication of another attack, such as a brute-force or SQL injection
attack, upon analyzing the web traffic? Why or why not?
• How is this indication different from the Statistics information retrieved earlier and from the
perspective of this attack?
• What legitimate or illegitimate role does the host/user with the 192.168.10.111 IP address play in the
suspected attack?
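The Destination and Ports and Conversations summaries used in Task 4a and Task 4b can also be reproduced outside the GUI, which helps when a capture is too large to browse or when the counts are needed in a report. The following Python script is an added example for this lab and is not part of the lab materials or of Wireshark. Using only the standard library, it parses a classic pcap file, tallies packets per destination address and port, per IPv4 conversation, counts the distinct sources sending SYNs to the busiest target (the lab's DoS-versus-DDoS hint), and counts ICMP port-unreachable replies. The capture it analyzes is constructed inline with hypothetical addresses (it is not CST610Project2Lab1.pcap); pass the bytes of your own pcap file to analyze() to run it on real data.

```python
import struct
from collections import Counter

# ---- Building a small capture. Hypothetical traffic for this example; not CST610Project2Lab1.pcap ----

def _ipv4(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options, checksum left zero; parsers do not need it)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))

def build_frame(src, dst, proto, sport=0, dport=0, syn=False, icmp=(3, 3)):
    """Ethernet II + IPv4 + a bare TCP (6), UDP (17) or ICMP (1) header."""
    if proto == 6:      # data offset 5 words, flags SYN (0x02) or ACK (0x10)
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02 if syn else 0x10, 8192, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:               # ICMP type, code, checksum, unused
        l4 = struct.pack("!BBHI", icmp[0], icmp[1], 0, 0)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + _ipv4(src, dst, proto, len(l4)) + l4

def build_pcap(frames):
    """Classic pcap: 24-byte global header (magic, 2.4, snaplen, linktype 1) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

# ---- Parsing: the fields the Destination and Ports / Conversations windows summarise ----

def parse_pcap(data):
    """Yield one dict per IPv4 frame: src, dst, proto, sport, dport, syn flag, icmp (type, code)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # EtherType 0x0800 = IPv4 only
            continue
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]
        rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
               "proto": ip[9], "sport": None, "dport": None, "syn": False, "icmp": None}
        if rec["proto"] in (6, 17):
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
            rec["syn"] = rec["proto"] == 6 and bool(l4[13] & 0x02)
        elif rec["proto"] == 1:
            rec["icmp"] = (l4[0], l4[1])
        yield rec

def destination_port_counts(records):
    """Statistics > IPv4 Statistics > Destination and Ports: packets per (dst, proto, dport)."""
    return Counter((r["dst"], r["proto"], r["dport"]) for r in records)

def conversations(records):
    """Statistics > Conversations > IPv4: packets per unordered address pair."""
    return Counter(tuple(sorted((r["src"], r["dst"]))) for r in records)

def classify_flood(records, target):
    """The lab's hint: a DDoS comes from many sources. Count distinct SYN senders to the target."""
    sources = sorted({r["src"] for r in records if r["dst"] == target and r["syn"]})
    return ("DDoS" if len(sources) > 1 else "DoS"), sources

def icmp_port_unreachable(records):
    """ICMP type 3 code 3 per sender: a host answering probes to closed UDP ports."""
    return Counter(r["src"] for r in records if r["icmp"] == (3, 3))

# Constructed sample: three hosts each send 5 SYNs to port 80 on .50; .111 also probes three UDP
# ports and gets ICMP port-unreachable replies; one benign HTTPS packet comes from .20.
SAMPLE = build_pcap(
    [build_frame(f"192.168.10.{n}", "192.168.10.50", 6, 40000 + n, 80, syn=True)
     for n in (111, 112, 113) for _ in range(5)]
    + [build_frame("192.168.10.111", "192.168.10.50", 17, 5555, p) for p in (53, 69, 161)]
    + [build_frame("192.168.10.50", "192.168.10.111", 1) for _ in range(3)]
    + [build_frame("192.168.10.20", "192.168.10.50", 6, 50000, 443)])

def analyze(pcap_bytes=SAMPLE):
    """Summarise a capture the way Task 4a/4b does by hand."""
    records = list(parse_pcap(pcap_bytes))
    (top_dst, _, top_port), top_count = destination_port_counts(records).most_common(1)[0]
    verdict, sources = classify_flood(records, top_dst)
    return {"packets": len(records), "top_destination": top_dst, "top_port": top_port,
            "top_count": top_count, "verdict": verdict, "sources": sources,
            "top_conversation": conversations(records).most_common(1)[0],
            "icmp_unreachable": dict(icmp_port_unreachable(records))}

if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The parser reads only the classic pcap format (the one the lab file uses); Wireshark saves new captures as pcapng by default, so choose the pcap format in File > Save As if you want to feed a live capture to this script. The DoS/DDoS verdict is deliberately the same rule the lab states: one SYN sender to the busiest target suggests DoS, several suggest DDoS.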
Task 4c: Capturing and Exploring HTTP Traffic in Wireshark
You can apply a Wireshark display filter to limit your view to HTTP traffic, or to any other specified traffic. Note
that even a correctly configured user agent can be spoofed or compromised, making it possible for an attacker to
retrieve web content intended for legitimate users or hosts. Cookies, a key part of the HTTP protocol,
enable a web server to send data to the client, which stores it and resubmits it to the server on later requests when
needed. They can also be used to transmit sensitive data in web applications.
1. Prior to analyzing the captured PCAP files, let’s first capture live HTTPS traffic. Open the Chrome browser
from the taskbar and either go to twitter.com or google.com or both sites. You may also use any website
of your choice.
NOTE: Before capturing the web traffic, it may be a good idea to clear your browser’s cache. However, for the
purpose of this exercise, you don’t have to do this.
2. You will now launch Wireshark and begin to capture real-time web traffic. Be sure you select the Wireshark
Ethernet 4 network interface before starting the capture with the blue Start button.
3. Notice that Wireshark displays the packets listed in rows in three panes (packet list, packet details, and
packet byte/status panes). You can go back to the Twitter page and refresh the site or click to access
another site. Next, to stop capturing traffic, go back to the Wireshark interface, and click on the red Stop
button to stop the capture.
4. You will analyze the web traffic (involving TCP, UDP, TLS, DNS, etc.) by filtering and inspecting individual
packets. To filter, follow these steps in sequence:
a. Type dns in the Apply Display Filter bar and press enter.
b. Click on twitter.com at row 322 in the Packet List Pane. The row number in this case may be
different for you. Note the twitter.com or google.com row detail. You will analyze the packet
details in the Packet Details and Packet Bytes/Status Panes.
c. Alternatively, you can use the blue arrow button at the top right side of the Wireshark interface.
d. Next, type frame contains google in the filter box to show only the rows containing the word “google”.
Alternatively, you can try this for twitter too.
NOTE:
• Wireshark’s display filter bar located at the top allows you to type specific expressions to filter the
frames, IP packets, or TCP segments that can be displayed from a PCAP file.
• Examples of Wireshark display filter search strings or filter expressions:
o tcp contains twitter
o tcp.analysis
o udp contains google
o icmp contains google
o dns, udp, frame, etc. (a bare protocol name shows only the packets containing that protocol)
o ip.addr eq 10.138.15.15 and ip.addr == 192.168.41.2
o http.request && ip.addr == 192.168.10.195
o http.request
o http.response
o dns.qry.name contains microsoft or dns.qry.name contains windows
o http.request or tls.handshake.type == 1
5. Now select the www.google.com query. Expand and pay close attention to the Packet Details in the middle
of the window: Frame, Ethernet, and, more importantly, Internet Protocol version 4 (IPv4),
User Datagram Protocol (UDP), and Domain Name System (DNS). These sections encapsulate additional
details of the network packet. You will later be asked to analyze and answer questions based on this
information.
Task 4d: Exploring Web traffic and HTTP Protocol from the PCAP file
We now explore the web traffic and HTTP protocol in our pre-captured PCAP file for malicious intent. As in the
previous task for the TCP segment, you can apply a Wireshark display filter to limit your view to the HTTP traffic only. In
this task, you will do an in-depth analysis of the web traffic to determine whether any sensitive data in web
applications has been compromised.
1. Search HTTP in the filter box. You may also manually scroll down in the packet list pane until you
encounter an HTTP GET/Request. As before, click on the HTTP information in the packet details/middle
pane and view the contents of the HTTP header in detail.
2. Notice the additional WordPress GET requests, which look abnormal for standard browsing activity
and request resources that may or may not exist. While analyzing additional HTTP packet
captures, note the requests' destination server IP addresses, ports used, HTTP response codes,
and other details. Follow the sequence below.
a. Search HTTP in the filter box. You may also manually scroll down in the packet list pane until you
encounter an HTTP GET/Request. As before, click on the HTTP information in the packet
details/middle pane and view the contents of the HTTP header in detail.
b. Also, notice the packet details pane (middle). Click the arrow next to each of the Frame, Ethernet
II, Internet Protocol version 4 (IPv4), or Transmission Control Protocols (TCP) to expand it and
review the details individually.
c. Now click on one of the WordPress GET traffic shown in the packet list pane (top). Then go to the
packet details pane and click the arrow next to the HTTP protocol to expand it and review the
details of the HTTP packet.
3. An alternative way of finding the HTTP packet counts being used is the Packet Counter. Click Statistics >
HTTP > Packet Counter.
4. In the Packet Counter window, check the item with the highest count. Compare the counts for both the
HTTP Request Packets and HTTP Response Packets.
5. Next, you will analyze network traffic by filtering and inspecting individual packets. To filter, click on the
Statistics tab and then Protocol Hierarchy to open the Wireshark Protocol Hierarchy window. Notice the
packet counts corresponding to the HTTP protocol.
NOTE: Please pay close attention to the protocol hierarchy from Protocol, Frame, Ethernet, and, more
importantly, Transmission Control Protocol (TCP), and Hypertext Transfer Protocol (HTTP), which are all
encapsulated within the Internet Protocol Version 4 (IPv4) packet. There will be questions for you to answer later.
6. You will now filter and inspect network traffic based on the HTTP protocols. To filter the protocol, for
example, right-click on Hypertext Transfer Protocol, select Apply as Filter, and then click Selected. Finally,
click Close to return to the Wireshark main interface.
7. As before, you can see the filtered results in the packet list (top) pane. In the Protocol column, notice that
HTTP, as well as other protocols, are encapsulated within the TCP segments. Also, note the triangle to the
left of HTTP in the packet details (middle) pane. Clicking it will expand to show the content of the HTTP
packet header.
NOTE:
• Alternatively, you can simply type http in the filter/search bar on the top left and then press Enter/Return
to filter. You can also click Apply display filter (the arrow to the right of the bar) to filter.
• Click Clear display filter (the white X button next to the arrow in the screenshot above) to clear the
filter.
• Notice that the corresponding raw data (in hexadecimal alongside an ASCII representation) is highlighted in
the packet bytes/status (bottom) pane. A signature- or anomaly-based detection system looking for potentially
suspicious activity or a known active attack may compare the header or payload contents of a TCP segment
against a specific hexadecimal or ASCII byte sequence. A typical example is when security analysts use Wireshark to
analyze a hexdump for data recovery, reverse engineering, secure code development, and other purposes.
• Take note of the details of the HTTP GET packet and review the encapsulated packets within the TCP
payload (refer to the Statistics and the Conversations for the TCP window above).
• Pay close attention as there will be questions for you to answer below and elsewhere.
8. In a similar manner, filter for Internet Control Message Protocol (ICMP) packets in the filter box. As
before, click on the ICMP information in the packet details/middle pane and view the contents of the
header in detail.
a. Now click on one of the WordPress GET traffic shown in the packet list pane (top). Then go to the
packet details pane and click the arrow next to the ICMP protocol to expand it and review the
details of the ICMP packet.
b. Also, notice the packet details pane (middle). Click the arrow next to each of the Frame, Ethernet
II, Internet Protocol version 4 (IPv4), or Transmission Control Protocols (TCP) to expand it and
review the details individually.
QUESTIONS:
Use your analysis and understanding to help you answer the following questions. Also, don’t forget to use this
information to complete the report.
a. If malicious actors got into your network to access your network security logs, how could they use the
packet details to their advantage? Specifically, what utilities within Wireshark can you count on?
b. Provide examples of IP addresses, hostnames, and mac addresses based on your analysis of the PCAP
files in Wireshark. What do you think is happening so far in your view?
c. From the packet details pane above, why do you think there are several ICMP destination port unreachable
messages? Does this suggest an indication of an attack? Please comment on your observations.
Task 4e: Additional use of the Apply Display Filter tool for web-based infection traffic
Generally, security professionals find creative ways of applying display filters in Wireshark when there is a
security incident or a suspicion of malicious web traffic. They hunt for indicators of compromise (IOCs), which
consist of information derived from network traffic that relates to infected traffic. Security analysts often
document network-traffic IOCs such as IP addresses, protocols, ports, sockets, URLs, domain names, and a host
of others. Effective use of the Wireshark display filter feature can help security professionals detect attacks or
indicators swiftly.
In the next few steps, you will emulate these techniques to analyze potential incidents. Recall that you
previously used tcp contains twitter, dns, tcp, and http contains google when you analyzed live web
traffic in the early stages of this lab (i.e., using twitter.com and google.com).
1. Go ahead and type http.request or tls.handshake.type == 1 in the Apply Display Filter bar and press Enter
or the filter button to filter traffic based on the prescribed search string.
2. Next, type http.request && ip.addr == 192.168.10.111 in the filter bar and press Enter.
3. Finally, type tcp.flags.syn==1 in the filter bar and press Enter. Analyze the TCP stream output for any
indicators of an attack (e.g., DDoS or SQL injection).
a. Click on Follow > TCP Stream to bring up the TCP stream output.
Notice that in all three (3) cases there are some indicators of infected traffic/hosts, which might have tried to
connect to a web server that is offline, had a TCP connection refused, or been hijacked by potential DoS/DDoS attacks.
You may scroll down the packet list pane and expand Frame, Ethernet II, Internet Protocol Version 4 (IPv4),
and Transmission Control Protocol (TCP) to review some interesting details individually.
TIP:
• The http.request part of the filter matches HTTP requests (showing their URLs), while tls.handshake.type ==
1 (written ssl.handshake.type == 1 in older Wireshark versions) matches TLS Client Hello messages, which
reveal the domain names requested in HTTPS/TLS traffic.
• Similarly, the http.request part of the second filter matches HTTP requests, while ip.addr == 192.168.10.111
restricts the results to that host. The && is the logical AND operator, requiring both terms to match.
• Below are examples of Wireshark display filter expressions:
o tcp contains twitter
o tcp.analysis
o udp contains google
o icmp contains google
o dns, udp, frame, and other plain protocol names
o ip.addr eq 192.168.10.111 and ip.addr == 192.168.41.2
o http.request && ip.addr == 192.168.10.0
o http.request
o http.response
o dns.qry.name contains microsoft or dns.qry.name contains windows
o http.request or tls.handshake.type == 1
• If possible, continue to practice the Wireshark filters by applying these display filter strings. You may do
your own research for additional display filter expressions.
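To make the filter logic above concrete, here is an added Python example (not code from the lab, from UMGC, or from Wireshark) that models the lab's filter strings as predicates over a small constructed packet list. The packet records, addresses (RFC 5737 documentation ranges plus the lab's private ranges) and payloads are all constructed for the example; http.request, tls.handshake.type == 1, ip.addr ==, && / ||, tcp contains and tcp.flags.syn==1 are evaluated the way Wireshark would evaluate them, and the source that sends only bare SYNs (the pattern step 3 asks you to look for) is flagged automatically.

```python
"""Toy evaluator for Wireshark-style display filters over a constructed packet
list (added example; not the lab's or Wireshark's code). Each lab filter string
is mapped to a Python predicate so the logic behind http.request,
tls.handshake.type == 1, ip.addr ==, && / || and tcp.flags.syn==1 can be traced
line by line, and the SYN-heavy source that tcp.flags.syn==1 surfaces is
flagged automatically."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False                         # tcp.flags.syn
    ack: bool = False                         # tcp.flags.ack
    http_request: Optional[str] = None        # request line, if HTTP
    tls_handshake_type: Optional[int] = None  # 1 = Client Hello (carries SNI)
    dns_qry_name: Optional[str] = None        # queried name, if DNS
    payload: bytes = b""                      # raw segment payload


# Constructed sample "capture": one ordinary client (192.168.10.111) and one
# host (192.168.41.2) sending nothing but SYNs to many ports. Addresses are
# documentation or lab private ranges, not real hosts.
SAMPLE: List[Packet] = [
    Packet("192.168.10.111", "203.0.113.10", "tcp", 49152, 80, syn=True),
    Packet("192.168.10.111", "203.0.113.10", "tcp", 49152, 80, ack=True,
           http_request="GET /favicon.ico HTTP/1.1",
           payload=b"GET /favicon.ico HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("192.168.10.111", "203.0.113.20", "tcp", 49153, 443, ack=True,
           tls_handshake_type=1, payload=b"\x16\x03\x01\x00\x8c\x01twitter.com"),
    Packet("192.168.10.111", "192.168.10.1", "udp", 53000, 53,
           dns_qry_name="www.microsoft.com"),
    Packet("192.168.10.25", "192.168.10.40", "tcp", 40000, 80, ack=True,
           http_request="GET / HTTP/1.1", payload=b"GET / HTTP/1.1\r\n\r\n"),
] + [
    Packet("192.168.41.2", "192.168.10.111", "tcp", 50000 + i, port, syn=True)
    for i, port in enumerate((21, 22, 23, 25, 80))
]

Predicate = Callable[[Packet], bool]


def ip_addr(addr: str) -> Predicate:
    """ip.addr == X matches the address in either the source or destination."""
    return lambda p: addr in (p.src, p.dst)


def contains(proto: str, needle: bytes) -> Predicate:
    """'<proto> contains <text>' is a byte search in that layer's data."""
    return lambda p: p.proto == proto and needle in p.payload


# Lab filter strings mapped to predicates.
FILTERS: Dict[str, Predicate] = {
    "http.request": lambda p: p.http_request is not None,
    "tls.handshake.type == 1": lambda p: p.tls_handshake_type == 1,
    "tcp.flags.syn == 1": lambda p: p.proto == "tcp" and p.syn,
    "tcp contains twitter": contains("tcp", b"twitter"),
    "dns.qry.name contains microsoft":
        lambda p: p.dns_qry_name is not None and "microsoft" in p.dns_qry_name,
}
# Compound filters: || matches either side, && requires both sides.
FILTERS["http.request || tls.handshake.type == 1"] = (
    lambda p: FILTERS["http.request"](p) or FILTERS["tls.handshake.type == 1"](p))
FILTERS["http.request && ip.addr == 192.168.10.111"] = (
    lambda p: FILTERS["http.request"](p) and ip_addr("192.168.10.111")(p))


def apply_filter(expr: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets the named display filter would show."""
    return [p for p in packets if FILTERS[expr](p)]


def syn_heavy_sources(packets: List[Packet], threshold: int = 3) -> Dict[str, int]:
    """Count bare SYNs (SYN set, ACK clear) per source. A source at or above the
    threshold is opening many connections without completing them, which is
    the pattern to investigate as a SYN scan or SYN flood."""
    counts = Counter(p.src for p in packets
                     if p.proto == "tcp" and p.syn and not p.ack)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:48s} -> {len(apply_filter(expr, SAMPLE))} packet(s)")
    print("SYN-heavy sources:", syn_heavy_sources(SAMPLE))
```

The threshold of three bare SYNs is an arbitrary value for the constructed sample; on a real capture you would tune it to the normal connection rate of the host being watched, and confirm a hit by following one of the flagged streams as in step 3a.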
Task 4f: Analyzing Firewall Rules from the PCAP file
As a cybersecurity professional in the field, such as a cybersecurity analyst or network security administrator,
you may be required to oversee or create command-line access control list (ACL) rules for a variety of firewall
products, including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf, and Windows Firewall. Wireshark can
generate firewall rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and sockets. It is assumed that
the rules will be applied to both inbound and outbound traffic.
1. Use the following steps to complete this task in sequence:
a. Type http in the filter bar and select/highlight the GET /favicon.ico HTTP/1.1 packet.
b. Choose Tools from the menu and then select Firewall ACL Rules (Tools > Firewall ACL Rules).
c. You will see the Firewall ACL Rules window pop up. Review the details such as source and
destination IP addresses, network interfaces, input rules, etc.
d. If possible, copy/paste the firewall/ACL rules and include them in your analysis for submission.
NOTE: If the cybersecurity analyst or network admin finds packets that need to be blocked by the firewall,
these firewall/ACL rules can be edited and copied/pasted into the internal firewall configuration. You should
see the type of ACL used for denying traffic. You may experiment to see how this works in the real
world.
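The following added Python example (not the lab's, UMGC's, or Wireshark's code) shows what the Firewall ACL Rules tool is doing under the hood: taking the remote address, protocol and local port of a selected packet and rendering deny rules in the syntax of the four products the task names, inbound and outbound. The socket used at the bottom (the lab's 192.168.41.2 hitting TCP port 80) is a constructed value; the rule text follows each product's documented syntax but is not claimed to match Wireshark's output character for character, and the input is validated with the standard library first so that a malformed address copied out of a capture never lands in a firewall configuration.

```python
"""Build deny rules for several firewall syntaxes from the addresses and port
of a captured packet, in the spirit of Wireshark's Tools > Firewall ACL Rules
(added example; the exact text Wireshark emits may differ). Input is validated
before anything is formatted."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Socket:
    """Remote source address plus the local destination port it targeted."""
    remote_ip: str
    proto: str        # "tcp" or "udp"
    local_port: int

    def __post_init__(self) -> None:
        ipaddress.IPv4Address(self.remote_ip)   # raises ValueError on bad input
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 0 < self.local_port < 65536:
            raise ValueError(f"bad port {self.local_port}")


def is_blockable(remote_ip: str, proto: str, local_port: int) -> bool:
    """True when the values form a valid socket that rules can be built for."""
    try:
        Socket(remote_ip, proto, local_port)
        return True
    except ValueError:
        return False


def iptables_rules(s: Socket) -> List[str]:
    # Linux Netfilter: drop inbound traffic from the remote host to the local
    # port, and outbound replies from that port back to the remote host.
    return [
        f"iptables -A INPUT -s {s.remote_ip} -p {s.proto} --dport {s.local_port} -j DROP",
        f"iptables -A OUTPUT -d {s.remote_ip} -p {s.proto} --sport {s.local_port} -j DROP",
    ]


def pf_rules(s: Socket) -> List[str]:
    # OpenBSD pf: "quick" stops rule evaluation at the first match.
    return [
        f"block in quick proto {s.proto} from {s.remote_ip} to any port {s.local_port}",
        f"block out quick proto {s.proto} from any port {s.local_port} to {s.remote_ip}",
    ]


def cisco_ios_rules(s: Socket, acl: int = 101) -> List[str]:
    # Cisco IOS extended ACL: deny <proto> <source> <destination> eq <port>.
    return [
        f"access-list {acl} deny {s.proto} host {s.remote_ip} any eq {s.local_port}",
        f"access-list {acl} deny {s.proto} any eq {s.local_port} host {s.remote_ip}",
    ]


def windows_rules(s: Socket) -> List[str]:
    # Windows Firewall via netsh advfirewall; one rule per direction.
    name = f"block-{s.remote_ip}-{s.proto}-{s.local_port}"
    tail = (f"action=block protocol={s.proto.upper()} "
            f"remoteip={s.remote_ip} localport={s.local_port}")
    return [
        f'netsh advfirewall firewall add rule name="{name}-in" dir=in {tail}',
        f'netsh advfirewall firewall add rule name="{name}-out" dir=out {tail}',
    ]


def all_rules(s: Socket) -> Dict[str, List[str]]:
    return {"iptables": iptables_rules(s), "pf": pf_rules(s),
            "cisco_ios": cisco_ios_rules(s), "windows": windows_rules(s)}


if __name__ == "__main__":
    # Constructed socket: the lab's 192.168.41.2 reaching the web server's port 80.
    for product, rules in all_rules(Socket("192.168.41.2", "tcp", 80)).items():
        print(f"# {product}")
        print("\n".join(rules))
```

Before pasting any generated rule into a production firewall, check that the remote address is not a NAT gateway or proxy shared by legitimate users, and that blocking the local port does not take down the service the web server is meant to provide.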
Task 5: Running Network Scans Using Zenmap (Nmap GUI)
Most recent cyberattacks could have been avoided if cybersecurity analysts had been monitoring connected
devices and networks in an efficient and consistent manner. Nmap is a security scanner used to discover hosts and
services on a computer network. It sends packets with specific content to the target host/device/endpoint and
then evaluates the responses, adapting to network conditions. To break into a computer system, an attacker must
target a machine and identify which ports it is listening on. An attacker can sweep networks and locate
vulnerable targets using the Nmap scanner. Nmap also uses TCP/IP stack fingerprinting to accurately determine the
type of system being scanned.
Unlike the Wireshark network protocol analyzer, which is used for capturing and analyzing network traffic or
network packets, Nmap can be used to scan a host for listening ports, discover services on a network, and others.
With Wireshark, one can log network traffic for detailed analysis. Nmap is used by network administrators to map
their networks by being able to find live hosts on a network, perform port scanning, ping sweeps, OS detection,
and more.
In this task, you will learn how to use this tool for simple network scans and understand what the tool can do, as
well as the most basic commands used for scanning. During this exercise, you will use the Windows VM to scan
two other systems such as Kali Linux and WSL Kali VMs. In addition to the command-line interface, Nmap scans
can be performed using Zenmap, which provides a graphical user interface for Nmap.
1. First, launch the Nmap - Zenmap GUI application from your Windows Start menu as shown in (a) and (b)
below.
NOTE: You may open Zenmap using the Windows search box in the Taskbar.
2. You should see the main Zenmap user interface shown below without any targets. Make sure to
understand the various menus/fields. If needed, refer to the lab resources section for additional details.
3. Let’s assume our local subnet/network is 10.138.0.0/24. You will run a scan on this network later. For now,
you will run a scan on the Windows Desktop with an IP address of 10.138.15.15, as shown in the Target field
of the interface. Use the ipconfig command in Windows PowerShell (callout 1 in the screenshot) to find the IP
address of the Windows VM. Remember that this IP address may be different for you. Enter 10.138.15.15 in
the Target field (callout 2) and press the Scan button (callout 3) to start scanning.
NOTE: Be sure to launch both the Kali Linux and WSL Kali VMs on the Windows Desktop before running the scans.
4. The scan results for host 10.138.15.15 are displayed. Ensure that you review all the details to understand the
results: the IP and the command in the Target and Command fields (the green box), the Nmap
Output, Ports/Hosts, Topology, Host Details, and Scans tabs (the blue box), as well as the results in
the red box.
5. Next, run the Nmap port scan targeting the Windows VM by typing nmap -Pn 10.138.15.15 in the
Command field and pressing Enter. After correctly typing this command in the Command field, notice that
the Target field is automatically populated with the correct target hostname or IP address.
6. Select the Host Details tab. What can you say about the security implications of the output of this tab?
Comment on the data of interest in your findings such as host status and ports used.
QUESTIONS:
Based on the output from the screen captures above, answer the following questions:
• What can you say about the results and the security implications of the output of this tab? Comment
on the data of interest in your findings such as host status and ports used.
• How many ports are reported by the scans, and how many are open ports?
• What is one most impactful security vulnerability in your opinion? Recommend a good mitigation
strategy to address any vulnerabilities identified.
Task 6: Scanning Multiple Hosts and a Network Using Zenmap
In this task, you will scan multiple IP addresses and network subnets instead of just one host (i.e., the Windows or
Kali VM). This lab environment is set up to use dynamic IP addresses instead of static IP addresses. For this
reason, the IP addresses assigned to your specific lab VMs are likely to differ from those in the given
screenshots. Make sure you use the IP addresses that reflect your allocated VMs.
1. Type nmap -sP 10.138.15.15 10.138.17.14 169.254.6.31 and press Enter to execute a ping scan of these
selected host IP addresses. 10.138.17.14 and 169.254.6.31 are the IP addresses of the Kali Linux and
WSL Kali VMs respectively. Notice the list of host IP addresses in the screenshot below.
a. Notice that there is one space between each IP address.
2. You can now scan the subnet. Type nmap -O -v 10.138.17.0/24 and press Enter to scan the entire
10.138.17.0/24 network and detect the operating system (-O) of each host with verbose output (-v).
Notice that only host 10.138.17.14 is up, with the remaining 255 hosts down. Why do you think this is the
case?
NOTE:
• The middle part of the screen capture above is truncated due to the number of hosts (i.e., 255) within
the 10.138.17.0/24 subnet.
• If necessary, refer to the resources section to learn more about IP addressing.
QUESTIONS:
Based on the output from the two screen captures above, answer the following questions:
• What can you say about the results when scanning multiple hosts and/or a subnet compared with the
individual host scans?
• How many ports are reported by the scans, and how many are open?
• Recommend a good mitigation strategy to address any vulnerabilities identified.
• In your opinion, why are some hosts reported as down? Do you recognize any security concerns? [Hint:
use the ping utility to see whether any IP within the range is reachable from the Windows machine.]
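Tasks 5 and 6 ask you to count reported and open ports and to explain the 255 hosts reported down. Zenmap shows Nmap's normal output, but the same scan saved with -oX is machine-readable, and a defender who scans regularly will want to summarize it rather than read it by eye. The Python example below (added here; not the lab's, UMGC's, or Nmap's code) parses a constructed document in Nmap's XML layout, one host up from the subnet scan plus one of the non-responding hosts, and also computes how many addresses a CIDR target covers, which is why a /24 is reported as 256 hosts. Two option notes that apply to the commands above and that the example comments rely on: -sP is the legacy spelling of -sn (ping scan, no port scan), and -Pn skips host discovery so a host that drops ping probes is still port-scanned.

```python
"""Summarize Nmap XML output: hosts up/down, port states and open ports per
host (added example; not the lab's or Nmap's code). The embedded document is a
constructed sample in Nmap's XML layout (nmap -oX), not a real scan of the lab
network."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample: the shape of "nmap -O -v 10.138.17.0/24" saved with -oX,
# trimmed to the one host that answered and one of the 255 that did not.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -v -oX scan.xml 10.138.17.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.138.17.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.138.17.15" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="255" total="256"/></runstats>
</nmaprun>
"""

PortRecord = Tuple[int, str, str, str]   # (port, protocol, state, service)


def parse_nmap_xml(text: str) -> Dict[str, object]:
    """Return {"hosts": {addr: {"state", "ports"}}, "up", "down", "total"}."""
    root = ET.fromstring(text)
    hosts: Dict[str, Dict[str, object]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        status_el = host.find("status")
        if addr_el is None or status_el is None:
            continue                                   # malformed host entry
        ports: List[PortRecord] = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            ports.append((int(port.get("portid")), port.get("protocol"),
                          port.find("state").get("state"),
                          svc.get("name") if svc is not None else ""))
        hosts[addr_el.get("addr")] = {"state": status_el.get("state"),
                                      "ports": ports}
    stats = root.find("runstats/hosts")
    return {"hosts": hosts,
            "up": int(stats.get("up")), "down": int(stats.get("down")),
            "total": int(stats.get("total"))}


def port_states(result: Dict[str, object], addr: str) -> Dict[str, int]:
    """How many reported ports are open, closed or filtered on one host."""
    counts: Dict[str, int] = {}
    for _, _, state, _ in result["hosts"][addr]["ports"]:
        counts[state] = counts.get(state, 0) + 1
    return counts


def open_ports(result: Dict[str, object], addr: str) -> List[int]:
    """Only the open ports: the exposure a mitigation plan has to address."""
    return sorted(p for p, _, st, _ in result["hosts"][addr]["ports"] if st == "open")


def addresses_in(cidr: str) -> int:
    """Number of addresses a CIDR target covers, network and broadcast
    addresses included, which is why a /24 scan reports 256 hosts in total."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    r = parse_nmap_xml(SAMPLE_XML)
    print(f"{r['up']} up, {r['down']} down, {r['total']} total "
          f"({addresses_in('10.138.17.0/24')} addresses in the /24)")
    for addr, info in r["hosts"].items():
        print(addr, info["state"], port_states(r, addr), "open:", open_ports(r, addr))
```

A host shown as down by a ping scan is not necessarily off: a host-based firewall that drops ICMP and the probe ports makes it invisible to -sn/-sP while it still answers on its open services, which is exactly the case -Pn was introduced for and one of the security concerns the last question above is asking about.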
TIP:
• If this is the first time running this command, the setup process may take a while to complete, with
lengthy output due to the large number of NVTs. You need to be patient and allow the GVM setup to run to
completion. From experience, the complete setup process takes between 8 and 15 minutes
on average.
• If you get a permission error, run the above commands with sudo (superuser do), which runs the
command with elevated privileges without requiring you to change your identity.
• The OpenVAS web interface is configured to run locally on localhost on a specific port (i.e., 9392),
and can be accessed through the https://localhost:9392 URL.
This brings you to the end of the lab. Please close all open applications, exit the virtual lab, and document your
findings, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure
to include your findings in your final project report for submission to your instructor.
IMPORTANT:
• The Project 2 Lab Experience Report Template is a Word document located in the Lab Files (Project 2)
folder under the Folders & Files tab in your MARS student portal. Download and use it for your lab.
• Please refer to the MARS Reference Guide for guidance if necessary.