Lab - Using Network Sniffers
Scenario
In this lab, you will learn about and use network sniffers to analyze network traffic for security issues, such as weak protocols or the occurrence of malicious activity.
You are a network and security analyst. You need to understand how to capture network traffic and perform network analysis on the captured communications.
- First, you will capture network traffic with tcpdump. This includes displaying captured data, controlling name lookups during capture, using capture filters, and saving a capture into a file.
- Finally, you will use Wireshark to analyze a tcpdump pcap file. This includes using display filters, following TCP streams, following FTP streams, and searching for string content in the capture.
Your cybersecurity analyst (CySA) workstation, running Kali Linux, is located in Structureality’s server subnet.
Understand your environment
You will be working from a virtual machine named KALI hosting Kali Linux connected to the internal server subnet. You will also use a virtual machine named PC10 hosting Windows Server 2019 (being used as a client) to initiate traffic to be captured.
Steps
1. Capture network traffic with tcpdump
As the cybersecurity analyst, you have been tasked with capturing network traffic for later analysis. You elect to use tcpdump to perform the traffic capture. You will initially perform a few trials to verify that the capture process is working as expected; next you will capture traffic related to port 80, and then you will capture FTP traffic.
- Connect to the KALI virtual machine and sign in as root using Pa$$w0rd as the password.
- Open a Terminal window and then maximize the Terminal window.
- Enter service vsftpd start to initiate the VSFTPD service.
  - The VSFTPD service is not a standard element of Kali. However, it has been installed in this Kali instance as an example of a malware delivery mechanism (i.e., an attack vector). It is being started now for use later in this exercise.
- Confirm that tcpdump is already installed.
    which tcpdump
  - This command should display /usr/bin/tcpdump, which confirms that tcpdump is already installed.
- Display a list of available interfaces that tcpdump can capture from.
  - Run the following command to display interface options:
    tcpdump -D
  - This command produces a list of available interfaces. The interface eth0 is the interface you will be using to capture traffic.
- Use tcpdump to capture 100 packets, display summary information to the screen, then terminate the capture automatically.
  - Run the following command to capture 100 packets:
    tcpdump -i eth0 -c 100
  - This command will capture only 100 packets before terminating the capture. It will display summary information for each packet captured to the screen. When finished, it will indicate that 100 packets were captured.
  - This operation may take only a few seconds, or if there is little network traffic, it may take a minute or so. You could generate traffic by opening Firefox, or if the capture takes more than 2 minutes, terminate the operation using CTRL+C.
- Notice that, by default, tcpdump resolves IP addresses into hostnames or FQDNs and resolves common port numbers into protocol names/acronyms.
- Perform a traffic capture of 100 packets but disable name and port resolution.
  - Run the following command to disable name and number resolution:
    tcpdump -i eth0 -c 100 -nn
  - This command will capture only 100 packets before terminating the capture. It will display summary information for each packet captured to the screen. When finished, it will indicate that 100 packets were captured.
  - This operation may take only a few seconds, or if there is little network traffic, it may take a minute or so. You could generate traffic by opening Firefox, or if the capture takes more than 2 minutes, terminate the operation using CTRL+C.
- Notice that without name and number resolution, the output information is more compact and may be easier to read.
- Use tcpdump to capture up to 100 packets of only ICMP traffic and perform 25 pings against 10.1.16.1 from another Terminal window.
  - 10.1.16.1 is the IP address of the DC10 system, which is the domain controller for the local network.
  - Run the following command to capture only ICMP traffic:
    tcpdump -i eth0 -c 100 icmp
  - This command will capture only 100 ICMP packets before terminating the capture. It will display summary information for each packet captured to the screen. When finished, it will indicate that 100 packets were captured.
  - On the Kali Linux toolbar (located at the top of the screen by default), select the Terminal Emulator. This icon looks like a black computer screen with a cursor.
  - In this additional Terminal window, run the following command to ping 10.1.16.1:
    ping 10.1.16.1 -c 50
  - Minimize the Terminal window where ping is operating by selecting Minimize on the Terminal window’s header. The Minimize icon is a line, but it appears as just a black circle until your mouse cursor is over it. It is the second icon to the left of the X close icon.
  - The Terminal window running tcpdump should now be displayed.
  - Look over the displayed ICMP packets as they are captured by tcpdump.
  - If the capture of ICMP has not already ended, terminate it by pressing CTRL+C on your keyboard.
- Capture traffic related to port 80 into a file named juiceshop-web.pcap, with no packet limit. Use Firefox to generate traffic by visiting juiceshop.local, and then select Account, then select Login on that website. Attempt to log in using the credentials of jaime@structureality.com and Pa$$w0rd. Then terminate the capture.
  - Run the following command to capture port 80 traffic:
    tcpdump -i eth0 port 80 -w juiceshop-web.pcap
  - This command will capture packets related to port 80 and store them in the juiceshop-web.pcap file.
  - Launch the Firefox browser by selecting the Firefox ESR icon in the Kali top icon menu. It looks like an orange fox curled around a globe.
  - In the Firefox address bar, enter juiceshop.local.
  - From this web site, select the Account menu item, and then select Login from the drop-down menu.
  - Enter jaime@structureality.com and Pa$$w0rd into the Email and Password fields, respectively.
  - Ignore the Firefox warning of “This connection is not secure. Logins entered here could be compromised.”
  - Select Log in.
  - The website will indicate that you provided “Invalid email and password”.
  - Close Firefox.
  - The Terminal window running tcpdump should now be displayed.
  - Notice that no information was displayed on the screen related to this capture. This is because all output was redirected to be saved into a file.
  - Terminate the capture by pressing CTRL+C on your keyboard.
  - You should see a summary of the number of packets captured.
- Initiate a network traffic capture of all traffic into a file named pc10-ftp.pcap, with no packet limit.
  - Run the following command to capture FTP traffic:
    tcpdump -i eth0 -w pc10-ftp.pcap
  - During development, we could not get a capture filter for FTP and FTP-DATA to work reliably. So, instead of the command tcpdump -i eth0 port FTP or port FTP-DATA -w pc10-ftp.pcap, you will capture all traffic and use a display filter to view FTP and FTP-DATA.
  - This command will capture all packets, including the FTP traffic, and store them in the pc10-ftp.pcap file.
- Connect to the PC10 virtual machine, send Ctrl+Alt+Delete and sign in as jamie using Pa$$w0rd as the password.
- Use WinSCP to connect to FTP on 10.1.16.66 (i.e., the Kali VM) using the credentials of kali and Pa$$w0rd. Then transfer the file /Downloads/515web.ca.issuing.cert.pem to PC10.
  - Double-click to open WinSCP from the desktop.
  - Select the File protocol: pull-down list, then select FTP.
  - Enter 10.1.16.66 in the Host name: field.
  - Enter kali in the User name: field.
  - Enter Pa$$w0rd in the Password: field.
  - Select Login.
  - You should now see the directories from the Kali user’s home directory displayed in the right pane.
  - In the right pane, double-click to open Downloads.
  - Right-click 515web.ca.issuing.cert.pem, then select Download from the pop-up menu.
  - On the Download window that appears, select OK.
  - The 515web.ca.issuing.cert.pem file should now appear in the left pane (i.e., downloaded to the Documents folder on PC10).
- Switch back to the KALI virtual machine and, if needed, sign in as root using Pa$$w0rd as the password.
- Terminate the tcpdump capture.
- Close all windows.
2. Use Wireshark to analyze pcap files
As the cybersecurity analyst, you have been tasked with analyzing the previously captured network traffic. You will use Wireshark to evaluate the network traffic captured into the .pcap files. You must look for insecure protocols and risky/suspicious/malicious activity. You will first assess a capture of web traffic and then a capture of FTP traffic.
Info
In this lab, you performed suspicious activities that generated network traffic captured by tcpdump. You will now analyze those captures to find the vulnerable protocols and suspicious activities. In a real-world situation, you would not necessarily already know the specific protocols, activities, or keywords to look for to find a specific instance of concern. Instead, you would have a range of protocols and search values to use to attempt to find something of interest in a capture.
- Connect to the KALI virtual machine and, if needed, sign in as root using Pa$$w0rd as the password.
- Launch Wireshark and maximize the window.
- Set the Wireshark layout to the three stacked panes.
- Import the juiceshop-web.pcap file into Wireshark.
  - From the Wireshark menu, select File, then select Open.
  - On the Wireshark - Open Capture File window, scroll down the listing of directories and files contained in the /root directory to locate juiceshop-web.pcap.
  - Select juiceshop-web.pcap, then select Open.
  - The contents of the capture should be displayed in Wireshark.
- With the pcap file loaded, create a display filter that shows captured frames which have a TCP header length above 35 bytes.
  - Remove any existing display filter by selecting the Clear display filter button on the far right of the display filter field. This button looks like a capital X and will turn red when your mouse cursor hovers over it.
  - Select the Apply a display filter field and type in:
    tcp.hdr_len>35
  - While still in the display filter field, press Enter on your keyboard or select the Apply display filter button on the far-right end of the field, which looks like an arrow pointing to the right.
- Now, the displayed captured frames are those with a TCP header length above 35 bytes. If your display does not show any frames, alter the number from 35 to 30, and then if needed to 25 or even 20.
- Use the Display Filter Expression syntax window to create a display filter to display only TCP packets with the PUSH flag set.
  - Select the Clear display filter button.
  - The Display Filter Expression interface is accessed by selecting Analyze from the Wireshark menu, and then selecting Display Filter Expression.
  - It can take up to 10 seconds for the Wireshark - Display Filter Expression window to appear.
  - Notice the massive list of protocols with expandable content listed in the Field Name area.
  - In the Search: field (located at the bottom of the window), enter tcp.
  - This search term will reduce the number of protocols in the Field Name area significantly, but you will still need to scroll to visually locate and then select TCP - Transmission Control Protocol.
  - Select the arrow to the left of the TCP entry to expand its contents.
  - Scroll down to locate and select tcp.flags.push.
  - Verify that the Relation field has highlighted the double-equals relation (==), the Value (Boolean) is set to 1, and the Predefined Values is set to Set.
  - At the bottom of the Display Filter Expression window is the constructed filter field. It should be displaying tcp.flags.push == 1.
  - Select OK to insert the constructed filter into the display filter field.
  - Press Enter on your keyboard or select the Apply display filter button on the far-right end of the field, which looks like an arrow pointing to the right.
- The displayed frames should all have the TCP header PUSH flag set.
- Manually edit the display filter to display frames with ACK set but not SYN set.
  - Select the display filter field and select the blank area to the right of the current filter to place the cursor at the end of the current filter.
  - Use backspace to remove push == 1.
  - Then enter ack == 1 and tcp.flags.syn == 0.
  - The resultant display filter should be tcp.flags.ack == 1 and tcp.flags.syn == 0.
  - Press Enter on your keyboard or select the Apply display filter button on the far-right end of the field, which looks like an arrow pointing to the right.
- The displayed frames will be those with the ACK flag set but without the SYN flag set.
  - These tasks of creating and modifying display filters demonstrate that you can type in display filters manually, craft them using the Display Filter Expression tool, combine multiple conditions with logical expressions (i.e., AND (or &&) and OR), and edit existing filters directly in the display filter field.
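The three filters used in the steps above all test values taken straight from the TCP header, which is worth seeing at the byte level: tcp.flags.push, tcp.flags.ack and tcp.flags.syn are single bits in the flags byte, and tcp.hdr_len is the data-offset nibble multiplied by four, so it exceeds 35 only when the segment carries TCP options (typically the handshake segments). The following Python script is an added example, not part of the lab and not Wireshark code. It decodes those fields from constructed TCP headers and evaluates a small subset of Wireshark's display-filter syntax (comparisons joined with and/or, or &&/||) over them. The option layouts and port numbers in the sample headers are constructed values, not taken from the lab capture.

```python
import operator
import re
import struct

# Bit masks for the TCP flags byte (RFC 793, RFC 3168); Wireshark exposes each as tcp.flags.<name>
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urg": 0x20}

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, ">=": operator.ge,
       "<": operator.lt, "<=": operator.le}
COMPARISON = re.compile(r"^\s*([\w.]+)\s*(==|!=|>=|<=|>|<)\s*(\S+)\s*$")


def make_tcp_header(flags, options=b""):
    """Construct a raw TCP header (constructed sample data, not from the lab capture).
    Options are padded to a 4-byte boundary and encoded in the data-offset field."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def tcp_fields(tcp_header):
    """Decode the Wireshark-style fields used by the lab's filters from a raw TCP header."""
    data_offset_byte, flags_byte = tcp_header[12], tcp_header[13]
    fields = {"tcp.hdr_len": (data_offset_byte >> 4) * 4}   # words to bytes, 20..60
    for name, bit in FLAG_BITS.items():
        fields["tcp.flags." + name] = 1 if flags_byte & bit else 0
    return fields


def _compare(fields, clause):
    """Evaluate one comparison such as 'tcp.flags.syn == 0' or 'tcp.hdr_len>35'."""
    match = COMPARISON.match(clause)
    if not match:
        raise ValueError("unsupported clause: %r" % clause)
    name, op, literal = match.groups()
    if name not in fields:
        return False                                     # an absent field never matches
    expected = int(literal) if literal.isdigit() else literal
    if type(expected) is not type(fields[name]):
        return False
    return OPS[op](fields[name], expected)


def matches(fields, expr):
    """Evaluate a subset of Wireshark display-filter syntax: comparisons combined with
    and/&& and or/||. As in Wireshark, 'and' binds tighter than 'or'."""
    expr = expr.replace("&&", " and ").replace("||", " or ")
    return any(all(_compare(fields, clause) for clause in re.split(r"\s+and\s+", term))
               for term in re.split(r"\s+or\s+", expr))


def apply_filter(headers, expr):
    """Return the 1-based frame numbers (as in Wireshark's packet list) that match expr."""
    return [i for i, hdr in enumerate(headers, start=1) if matches(tcp_fields(hdr), expr)]


# Constructed sample: a TCP handshake, one data segment and a FIN. The handshake segments
# carry the options a typical Linux stack sends (MSS, SACK-permitted, timestamps, window
# scale), giving 40-byte headers; later segments carry only timestamps (32-byte headers).
HANDSHAKE_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                  + b"\x01" + b"\x03\x03\x07")
TS_OPTS = b"\x01\x01" + b"\x08\x0a" + b"\x00" * 8
SAMPLE_HEADERS = [
    make_tcp_header(0x02, HANDSHAKE_OPTS),   # 1: SYN
    make_tcp_header(0x12, HANDSHAKE_OPTS),   # 2: SYN, ACK
    make_tcp_header(0x10, TS_OPTS),          # 3: ACK
    make_tcp_header(0x18, TS_OPTS),          # 4: PSH, ACK (carries application data)
    make_tcp_header(0x11, TS_OPTS),          # 5: FIN, ACK
]

if __name__ == "__main__":
    for expr in ("tcp.hdr_len>35", "tcp.flags.push == 1",
                 "tcp.flags.ack == 1 and tcp.flags.syn == 0"):
        print(expr, "->", apply_filter(SAMPLE_HEADERS, expr))
```

Running it shows that tcp.hdr_len>35 matches only the two handshake segments, which is also why the lab suggests lowering the threshold when nothing is displayed: a header without options is exactly 20 bytes, and the value depends entirely on which options the stacks in the capture negotiated.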
- Use a Wireshark display filter to display only captured frames that include the IPv4 address of 10.1.16.66 as a source.
  - Select the Apply a display filter field and enter ip.src==10.1.16.66.
  - While still in the display filter field, press Enter on your keyboard or select the Apply display filter button on the far-right end of the field, which looks like an arrow pointing to the right.
- You should now see a display of the captured frames that include the IPv4 address of 10.1.16.66 as the source in the IPv4 header.
Info
You notice that there are several communications from the client’s IP address that are related to web communications - namely, the HTTP packets. You want to discover the URL of the website that the client is visiting, so you elect to implement a display filter for only HTTP GET requests.
- Add to the current display filter to show captured frames that have an HTTP GET payload from this client.
  - Type in a space followed by and http contains 474554
  - The payload value of “GET” is represented in HEX as 474554. 0x47 is the HEX value of the ASCII character “G”, 0x45 is “E”, and 0x54 is “T”. You can consult an ASCII to HEX table or use an online conversion calculator to determine the HEX values for other key terms.
- The results displayed in the Wireshark interface should be only HTTP protocol packets with a payload that includes the “GET” statement from the client.
- Look over the HTTP GET statements in the Info column. Notice a packet containing “GET / HTTP/1.1”. Select that packet.
  - It should be the first packet or appear very early in the list.
- Determine the plaintext URL visited by the client system.
  - Select the arrow to the left of Hypertext Transfer Protocol to expand its details.
  - Scroll down to view the line [Full request URI: http://juiceshop.local/].
- Search for a login event to see if plaintext credentials were captured.
  - Alter the display filter to search for an HTTP packet containing a POST statement. The resultant display filter should be:
    ip.src==10.1.16.66 and http contains 504f5354
  - The payload value of “POST” is represented in HEX as 504f5354.
  - While still in the display filter field, press Enter on your keyboard or select the Apply display filter button on the far-right end of the field, which looks like an arrow pointing to the right.
  - There should be one or more packets shown as a result. Inspect the Packet Bytes pane of each to find the POST statement with credentials.
  - You should see the following content in one of the POST packets:
    {"email":"jaime@structureality.com","password":"Pa$$w0rd"}
- Perform a Follow HTTP Stream analysis on the packet containing plaintext credentials to determine if the credentials were accurate.
  - In the Packet List pane, select the frame/packet that contains the plaintext credentials.
  - Select Analyze from the menu, select Follow, and then select HTTP Stream.
  - The Follow HTTP Stream window opens.
  - Notice that the HTTP segments are color-coded, red for client and blue for server, and presented in communication (chronological) order.
  - Scroll down the display to determine the final result of the login event.
  - Close the HTTP Stream window.
- Import the pc10-ftp.pcap file into Wireshark.
- Remove any existing display filter.
- Create a display filter to view only FTP traffic.
  - Enter ftp or ftp-data
- Determine the source and destination IP addresses of the FTP communication. Then type them into the FTPClient and FTPServer fields below:
  - FTPClient:
  - FTPServer:
  - Locate a frame/packet with an Info value of Request, then select that packet.
  - The Source column shows the IP address of the FTP client and the Destination column shows the IP address of the FTP server.
- Locate the frames containing the credentials of the FTP user.
  - Locate the frame with an Info value of USER to determine the username.
  - Locate the frame with an Info value of PASS to determine the password.
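The POST search in the web capture steps earlier and the USER/PASS steps here are two instances of the same check: finding credentials that crossed the wire in the clear. The following Python script is an added example, not part of the lab and not tcpdump or Wireshark code. It writes and reads the classic pcap format that tcpdump -w produces, then scans TCP payloads for a JSON HTTP POST body carrying a password field (port 80) and for FTP USER and PASS commands on the control channel (port 21), reporting the account name and masking the secret. It also shows the hex form of the contains filter used in the lab. The web server address 10.1.16.80, the PC10 address 10.1.16.10 and the /login path are constructed placeholders; IP and TCP checksums are left at zero, which a file parser does not check.

```python
import io
import json
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, written little-endian as tcpdump does on x86
LINKTYPE_ETHERNET = 1


def contains_filter(term, protocol="http"):
    """Build the byte-string form of a Wireshark 'contains' filter, e.g. 'GET' -> 474554."""
    return "%s contains %s" % (protocol, term.encode("ascii").hex())


def build_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; fine for offline parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames in the classic pcap format (24-byte file header, 16-byte record headers)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in pcap bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00":            # EtherType: not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                             # protocol: not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        payload = ip[ihl + data_offset:total_len]
        yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, payload)


def find_plaintext_credentials(pcap_bytes):
    """Flag credentials sent in the clear: a JSON HTTP POST body with a password field
    (port 80) and FTP USER/PASS commands (port 21). Secrets are masked in the report."""
    findings = []
    for src, dst, sport, dport, payload in read_pcap(pcap_bytes):
        text = payload.decode("latin-1")
        if dport == 80 and text.startswith("POST "):
            body = text.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in text else ""
            try:
                fields = json.loads(body)
            except ValueError:
                continue
            if isinstance(fields, dict) and "password" in fields:
                findings.append({"protocol": "http", "client": src, "server": dst,
                                 "user": fields.get("email"),
                                 "password": "*" * len(str(fields["password"]))})
        elif dport == 21:
            parts = text.strip().split(" ", 1)
            if len(parts) == 2 and parts[0].upper() in ("USER", "PASS"):
                command, value = parts[0].upper(), parts[1]
                findings.append({"protocol": "ftp", "client": src, "server": dst,
                                 "command": command,
                                 "value": value if command == "USER" else "*" * len(value)})
    return findings


# Constructed sample traffic (addresses other than 10.1.16.66 are placeholders):
# the Kali client logs in to the Juice Shop over HTTP, then PC10 logs in to FTP on Kali.
SAMPLE_FRAMES = [
    build_frame("10.1.16.66", "10.1.16.80", 40000, 80, 0x18,
                b"GET / HTTP/1.1\r\nHost: juiceshop.local\r\n\r\n"),
    build_frame("10.1.16.66", "10.1.16.80", 40000, 80, 0x18,
                b"POST /login HTTP/1.1\r\nHost: juiceshop.local\r\n"
                b"Content-Type: application/json\r\n\r\n"
                b'{"email":"jaime@structureality.com","password":"Pa$$w0rd"}'),
    build_frame("10.1.16.10", "10.1.16.66", 50000, 21, 0x18, b"USER kali\r\n"),
    build_frame("10.1.16.66", "10.1.16.10", 21, 50000, 0x18, b"331 Please specify the password.\r\n"),
    build_frame("10.1.16.10", "10.1.16.66", 50000, 21, 0x18, b"PASS Pa$$w0rd\r\n"),
]

if __name__ == "__main__":
    for finding in find_plaintext_credentials(write_pcap(SAMPLE_FRAMES)):
        print(finding)
```

The FTP check inspects only the control channel, so it does not follow the data connection; in passive mode the data channel is opened to a server-chosen ephemeral port rather than port 20, so a fixed port filter will not reliably catch FTP-DATA. The parser handles classic pcap only (not pcapng) and assumes one command per segment, which holds for the short control messages shown in the lab.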
- Locate the FTP-DATA packet containing a transferred file, save a copy of the file to the original filename, then view the contents of the saved file.
  - Alter the display filter to be ftp-data, then press Enter to apply the display filter.
  - There should be multiple packets displayed with a Protocol value of FTP-DATA.
  - Select any of the packets, then in the Packet Details pane, expand the Line-based text data to view the related file object names.
  - Locate a packet with a file name value of 515web.ca.issuing.cert.pem. This is the original filename.
  - Locate the next FTP-DATA packet. This packet is the start of the transfer of the file’s contents.
  - Right-click this packet in the Packet List pane, then select Follow, then select TCP Stream.
  - On the Follow TCP Stream window, locate the Show data as value near the bottom, then select the pull-down list currently showing ASCII, then select Raw.
  - Select Save as… from the bottom of the Follow TCP Stream window.
  - On the Save Stream Content As… window, type 515web.ca.issuing.cert.pem into the Name: field.
  - Notice that the save destination directory is the home folder for root (i.e., /root).
  - Select Save at the bottom right of the Save Stream Content As… window.
  - Close the Follow TCP Stream window.
  - Switch to the Terminal window, or open one if needed.
  - Enter less 515web.ca.issuing.cert.pem to view the contents of the exported file.
You exported the certificate file. Done.