Wireless Network Security - VignaAssignment - Lab1

School: Durham College
Course: 1101
Subject: Computer Science
Date: May 28, 2024
Type: docx
Pages: 21
Uploaded by ColonelChinchillaPerson1125
LAB: 01 Introduction to Packet Sniffing and Wireshark

Part A: Introduction

Packet sniffing allows for the capturing of traffic in real time from a live network connection. Captured data can either be studied immediately or saved for future analysis. The captured data can be used not only as a valuable aid to assist in the understanding of how networked devices communicate, but also for the management and troubleshooting of production networks. Packet sniffing is invaluable in troubleshooting network problems such as broadcast storms, faulty NICs, framing problems, undue retransmissions, long response times, etc. From a security perspective, packet sniffing can be used to detect malicious network traffic and help detect vulnerabilities in the network or its use. Wireshark is an open-source packet sniffing application program capable of capturing and analyzing data from all 7 layers of the OSI model.

Lab Overview

The purpose of this lab is to introduce the concept of packet sniffing in general and the open-source Wireshark program in particular. This lab provides foundational material for the use of Wireshark in future studies as well as in the context of network monitoring and troubleshooting.

In this lab the learner will:
- Download and install the Wireshark and Winpcap programs.
- Use the Wireshark application program to open a supplied capture file.
- Examine the provided capture file to gain a better understanding of the TCP/IP processes discussed in lecture.
- Initiate a simple packet sniffing session on a live network.
- Locate and examine an ARP exchange from a live network.
- Use the filter feature of Wireshark.
Lab1: Procedure

Part A: Examining a Sample Capture File

Task 1: Install Wireshark
(Complete this step only if Wireshark is not already installed on your machine.)
If Wireshark is not already installed on your machine, download it from www.wireshark.org and install it. Please ask your instructor for assistance if required. The Windows install program should automatically install Winpcap. If this program is not installed automatically you can download and install it from http://www.winpcap.org/install/default.htm

Task 2: Open the Wireshark application program
Open the Wireshark program and observe the main start-up page. From this page you can perform such tasks as starting a new capture, opening a previously saved capture file, opening one of the many provided sample capture files and getting help on using the program. Please note, the appearance of the start-up page differs slightly between versions.

Question: What information is available by following each of the start-up screen links?
Task 3: Use Wireshark to open the sample capture file named telnet-cooked.pcap
The file telnet-cooked.pcap is a sample capture file available from the Wireshark site. You can locate this file from the Wireshark Main Page: locate the Files section, select Sample Captures, scroll down to locate the telnet captures and download this file to your local machine. A more direct route to locate the file is to browse to: https://wiki.wireshark.org/SampleCaptures
Once the file is downloaded you can open it from the Wireshark menu by selecting File | Open and then browsing to the telnet-cooked.pcap file.

1. Question: What information is displayed in the packet list pane, the packet details pane, the packet bytes pane and the status bar?
The packet list pane displays all the packets in the current capture file, the packet details pane shows the current packet in a more detailed form, the packet bytes pane shows the data of the current packet in a hex dump style, and the status bar displays informational messages.
2. Question: Examine the packet details pane. In relation to the OSI model, in what order is the information presented?
From the above provided screenshot, the "74 bytes on wire" indicates the Physical layer, then the Ethernet and src details represent the Data Link layer, the info with source and destination IP addresses indicates the Network layer, and Transmission Control Protocol is the Transport layer.
Task 4: Examine frame 55
In the packet list pane select frame 55. Expand the fields in the packet details pane to answer the following questions.
1. What is the source MAC address of the frame? 00:00:c0:9f:a0:97
2. What is the destination MAC address of the frame? 00:a0:cc:3b:bf:fa
3. What is the source IP address of the packet? 192.168.0.1
4. What is the destination IP address of the packet? 192.168.0.2
5. What is the source port of the segment? 23
6. What is the destination port of the segment? 1550
7. What is the data payload? PING www.yahoo.com (204.71.200.67): 56 data bytes
8. What company manufactured the source NIC? How does Wireshark know this?
Western Digital. Wireshark knows this by the MAC address, specifically the Globally Unique Address and Individual Address.

Task 5: Examine frame 57
In the packet list pane select frame 57. This is the next set of Telnet data in the sequence. Expand the fields in the packet details pane to answer the following questions.
1. What is the source MAC address of the frame? 00:00:c0:9f:a0:97
2. What is the destination MAC address of the frame? 00:a0:cc:3b:bf:fa
3. What is the source IP address of the packet? 192.168.0.1
4. What is the destination IP address of the packet? 192.168.0.2
5. What is the source port of the segment? 23
6. What is the destination port of the segment? 1550
7. What is the data payload? 64 bytes from 204.71.200.67: icmp_seq=0 ttl=241 time=69.885 ms
8. Based on the contents of frame 55 and frame 57, what event has taken place? Be as detailed as possible.
In frame 55, the source device has pinged www.yahoo.com; in frame 57, the source received a reply from www.yahoo.com.

Task 6: Examine frames 1, 2 and 3
Based on the content of these frames, what event(s) has/have taken place during the exchange of these frames? Hint: there is no payload; observe the SYN and ACK bit values.
In frame 1, SYN is used to start a TCP session between source and destination by sending a SYN request to the destination; in frame 2, the destination acknowledges the SYN; and in frame 3 the source acknowledges back to the destination.
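Tasks 4 and 5 read the Ethernet, IP and TCP fields of a frame by hand, and question 8 asks how Wireshark derives the NIC vendor from the MAC address. The Python below is an added illustration, not part of the lab and not Wireshark's code: it walks the same three headers over a constructed frame that reuses the addresses, ports and payload text of frame 55 (the frame builder is an assumption for the example and leaves checksums at zero), and decodes what Wireshark shows under a MAC address: the vendor from the first three octets (the OUI table here is a constructed one-entry excerpt of the registry) and the Individual/Group and Universal/Local bits of the first octet.

```python
import struct

# Constructed one-entry excerpt of the IEEE OUI registry (assumption: a real tool
# loads the full registry, e.g. Wireshark's manuf file or the OUI lookup page)
OUI_TABLE = {"00:00:c0": "Western Digital"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_info(mac: str) -> dict:
    """What Wireshark shows under a MAC: the vendor from the first three octets and
    the two flag bits of the first octet (I/G: individual or group address,
    U/L: universally or locally administered)."""
    first = int(mac.split(":")[0], 16)
    return {
        "vendor": OUI_TABLE.get(mac[:8].lower(), "unknown"),
        "group": bool(first & 0x01),   # bit 0 set: multicast/broadcast (group)
        "local": bool(first & 0x02),   # bit 1 set: locally administered
    }


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP in the order the packet details pane lists them."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ip[0] & 0x0F) * 4                  # IP header length in bytes (IHL * 4)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"not TCP: protocol {ip[9]}")
    tcp = ip[ihl:total_len]                   # total length trims any Ethernet padding
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4          # TCP header length, options included
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,           # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
        "payload": tcp[data_off:],
    }


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload,
                seq=1, ack=1, flags=0x018):
    """Constructed frame builder for this example; checksums are left at zero."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


# Constructed stand-in for frame 55: the lab's addresses, ports and payload text,
# not the real bytes of telnet-cooked.pcap
FRAME_55 = build_frame("00:00:c0:9f:a0:97", "00:a0:cc:3b:bf:fa",
                       "192.168.0.1", "192.168.0.2", 23, 1550,
                       b"PING www.yahoo.com (204.71.200.67): 56 data bytes\r\n")

if __name__ == "__main__":
    fields = parse_frame(FRAME_55)
    for name, value in fields.items():
        print(f"{name:9} {value!r}")
    print("source NIC:", mac_info(fields["src_mac"]))
```

The order of the three unpack steps is the order the details pane presents them, and the two header-length fields (IHL and the TCP data offset) are what let a dissector find the payload even when options are present.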
Task 7: Examine frames 89, 90, 91 and 92
Based on the content of these frames what event has taken place? Hint: Pay attention to the FIN and ACK flags.
When closing a TCP session, FIN is used. In frame 89, the source sends FIN to the destination and asks it to acknowledge. In frame 90, the destination sends this acknowledgement. Now, in frame 91, the destination sends FIN to the source and asks it to acknowledge, and in frame 92, the source sends this acknowledgement and the TCP session ends.

Task 8: Follow a TCP stream
The capture file that you are working with is a single Telnet session. To follow the session select one of the packets, right-click and then select Follow TCP Stream.

    ........... ..!.."..' ..... # ..% ..% ........... ..!..".." .... .... P. .... " ..... b ........ b .... B. ........................ " .... ..' ..... #..&..&..$ ..&..&.. $ .. ..... # ..... ' ......... .. .9600,9600 .... #.bam.zing.org:0.0 .... '..DISPLAY.bam.zing.org:0.0 ...... xterm-color.. ... ... ..... ! ...... ...... .." ............
    OpenBSD/i386 (oof) (ttyp2)
    login: fake ... ...
    Password: user ... ...
    Last login: Sat Nov 27 20:11:43 on ttyp2 from bam.zing.org
    Warning: no Kerberos tickets issued.
    OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
    Welcome to OpenBSD: The proactively secure Unix-like operating system.
    Please use the sendbug(1) utility to report bugs in the system.
    Before reporting a bug, please try to reproduce it with the latest
    version of the code. With bug reports, please try to ensure that
    enough information to reproduce the problem is enclosed, and if a
    known fix for it exists, include that as well.
    $ /sbin/ping www.yahoo.com
    PING www.yahoo.com (204.71.200.67): 56 data bytes
    64 bytes from 204.71.200.67: icmp_seq=0 ttl=241 time=69.885 ms
    64 bytes from 204.71.200.67: icmp_seq=1 ttl=241 time=73.591 ms
    64 bytes from 204.71.200.67: icmp_seq=2 ttl=241 time=72.302 ms
    64 bytes from 204.71.200.67: icmp_seq=3 ttl=241 time=73.493 ms
    64 bytes from 204.71.200.67: icmp_seq=4 ttl=241 time=75.068 ms
    64 bytes from 204.71.200.67: icmp_seq=5 ttl=241 time=70.239 ms
    ..... .....
    .--- www.yahoo.com ping statistics ---
    6 packets transmitted, 6 packets received, 0% packet loss
    round-trip min/avg/max = 69.885/72.429/75.068 ms
    $ ls
    $ ls -a
    . .. .cshrc .login .mailrc .profile .rhosts
    $ exit

Copy the output of the stream and include it in your report for this lab.

Task 9: Questions
Use Wireshark and any available Internet resources to answer the following questions.
1. Frame 53 is labeled as a retransmission. Why did this occur?
It is labelled retransmission because the sender retransmitted a packet after the acknowledgement had expired.
2. Frame 72 is labeled as a Malformed Packet. What does this mean?
Malformed packet means that the protocol dissector can't dissect the contents of the packet any further.
3. Frame 78 has a PSH flag. What does this mean?
The PSH flag indicates that the receiving application should process the data as soon as possible, rather than waiting for more data to arrive.
4. Understanding that the capture file you are using is of a single Telnet session, outline the process that TCP/IP uses to establish, maintain and terminate a Telnet session.
TCP/IP uses SYN to start the session, then ACK is used to maintain the session, and finally the session is terminated by using FIN. SYN stands for synchronize, ACK is acknowledgment, and FIN is finish.
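Tasks 6 and 7 and questions 1, 3 and 4 of Task 9 all come down to reading the SYN, ACK, PSH and FIN bits across a sequence of segments, which is what Wireshark's Info column and its expert analysis do for you. The Python below is an added illustration, not part of the lab and not Wireshark's own analysis code: it labels each segment of one connection as a handshake step, pushed data, a retransmission (the same sender repeating a sequence number and length it already sent) or a step of the FIN close. The trace is constructed to follow the shape of the lab's Telnet session; its frame numbers and sequence numbers are illustrative, not the real values from telnet-cooked.pcap.

```python
# TCP flag bits as they sit in the low byte of the offset/flags word
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def annotate_stream(packets):
    """Label each segment of one TCP connection: handshake steps, PSH data,
    retransmissions and the FIN close. packets: dicts with frame, src, dst,
    flags, seq, ack, len (payload length), in capture order."""
    labels = {}
    state = "closed"     # closed -> syn_sent -> syn_received -> established -> closing
    fins_sent = set()    # endpoints that have sent FIN
    fins_acked = set()   # endpoints whose FIN has been acknowledged
    fin_seq = {}         # endpoint -> sequence number its FIN occupies
    seen = set()         # (sender, seq, len) of every data segment so far
    for p in packets:
        f, src, dst, note = p["flags"], p["src"], p["dst"], []
        if f & SYN and not f & ACK:
            note.append("SYN (handshake 1/3)")
            state = "syn_sent"
        elif f & SYN and f & ACK:
            note.append("SYN-ACK (handshake 2/3)")
            state = "syn_received"
        elif state == "syn_received" and f & ACK and p["len"] == 0:
            note.append("ACK (handshake 3/3, connection established)")
            state = "established"
        if p["len"] > 0:
            key = (src, p["seq"], p["len"])
            if key in seen:   # same bytes again: the earlier copy was never acknowledged
                note.append("retransmission (same seq/len seen before from this sender)")
            seen.add(key)
            note.append("PSH data (receiver should deliver to the application now)"
                        if f & PSH else "data")
        if f & FIN:
            fins_sent.add(src)
            fin_seq[src] = p["seq"] + p["len"]   # the FIN itself consumes one sequence number
            note.append("FIN (close request)")
            state = "closing"
        if (f & ACK and dst in fins_sent and dst not in fins_acked
                and p["ack"] == fin_seq[dst] + 1):
            fins_acked.add(dst)
            note.append("ACK of FIN")
            if len(fins_acked) == 2:
                note.append("connection closed")
                state = "closed"
        labels[p["frame"]] = "; ".join(note) if note else "ACK"
    return labels


# Constructed trace modelled on the lab's Telnet session (client port 1550, server port 23);
# frame numbers and sequence numbers are illustrative
C, S = "192.168.0.2:1550", "192.168.0.1:23"
TRACE = [
    dict(frame=1, src=C, dst=S, flags=SYN,       seq=100, ack=0,   len=0),
    dict(frame=2, src=S, dst=C, flags=SYN | ACK, seq=500, ack=101, len=0),
    dict(frame=3, src=C, dst=S, flags=ACK,       seq=101, ack=501, len=0),
    dict(frame=4, src=S, dst=C, flags=PSH | ACK, seq=501, ack=101, len=12),
    dict(frame=5, src=S, dst=C, flags=PSH | ACK, seq=501, ack=101, len=12),  # resent: no ACK arrived
    dict(frame=6, src=C, dst=S, flags=ACK,       seq=101, ack=513, len=0),
    dict(frame=7, src=C, dst=S, flags=FIN | ACK, seq=101, ack=513, len=0),
    dict(frame=8, src=S, dst=C, flags=ACK,       seq=513, ack=102, len=0),
    dict(frame=9, src=S, dst=C, flags=FIN | ACK, seq=513, ack=102, len=0),
    dict(frame=10, src=C, dst=S, flags=ACK,      seq=102, ack=514, len=0),
]

if __name__ == "__main__":
    for frame, label in annotate_stream(TRACE).items():
        print(f"frame {frame:2}: {label}")
```

Frames 1 to 3 reproduce the three-way handshake of Task 6, frames 7 to 10 the four-segment close of Task 7, and frame 5 shows why Wireshark flags a retransmission: the sender repeats the exact bytes it already sent because the acknowledgement in frame 6 had not yet arrived.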
Part B: Performing a Simple Data Capture
Note: Before attempting to capture network traffic be sure that both Wireshark and Winpcap are properly installed.

Task 1: Start the Wireshark program

Task 2: Set the capture interface
From the Wireshark menu select Capture | Interfaces. This should display a list of all interfaces on the machine that can be used to capture traffic. Please note that the interfaces observed will depend on the machine in use. If no interfaces are visible make sure that you have installed Winpcap. The resultant screen will display the activity on the available interfaces, show detailed information on the interfaces, allow you to set the capture options and also allow you to start the capture. Newer versions of Wireshark may present this information in a slightly different format as shown below. Explore the Options and Details buttons and record the types of information that each supplies or allows you to set. Select an active interface and click Start.
Task 3: Collect Packets
Allow Wireshark to capture packets. Watch the status bar and once about 100 packets have been captured select Capture | Stop.

Prepare a summary of the types of traffic that Wireshark detects on the interface.
After using Wireshark on my WiFi interface, multiple packets were captured. The packets had different protocols such as TCP, UDP, TLSv1.2, TLSv1.3, etc. There were various source and destination IPs in the packets.

Task 4: Locate an ARP request/reply pair in your capture file.
Answer the following questions based on your capture.
1. What are the source and destination MAC addresses for the ARP request?
94:04:e3:fa:9d:3d – source
ec:2e:98:e2:b5:05 – destination
2. What are the source and destination IP addresses for the ARP request?
10.0.0.1 – source
10.0.0.35 – destination
3. What data is contained in the ARP request? "Who has 10.0.0.35? Tell 10.0.0.1"
4. What are the source and destination MAC addresses for the ARP reply?
ec:2e:98:e2:b5:05 – source
94:04:e3:fa:9d:3d – destination
5. What are the source and destination IP addresses for the ARP reply?
10.0.0.35 – source
10.0.0.1 – destination
6. What data is contained in the ARP reply? 10.0.0.35 is at ec:23:98:e2:b5:05

Task 5: Save the capture file.
Select File | Save As and save your capture file using your student number as the file name.
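Task 4 reads the sender and target fields of an ARP request and reply and copies Wireshark's "Who has ...? Tell ..." and "... is at ..." Info text. The Python below is an added illustration, not part of the lab and not Wireshark's code: it decodes an Ethernet/IPv4 ARP packet from raw bytes and renders that Info text, over a constructed request/reply pair that reuses the lab's addresses (the packet builder is an assumption for the example). It adds the check a defender runs over the replies in a capture: the same IP answered by two different MACs, which is worth a look whether it comes from a replaced NIC, a misconfiguration, or a spoofed reply.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP packet and render the Info text Wireshark shows."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])          # the 28-byte ARP body
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_mac, sender_ip = mac_str(sha), ip_str(spa)
    target_mac, target_ip = mac_str(tha), ip_str(tpa)
    if oper == 1:
        info = f"Who has {target_ip}? Tell {sender_ip}"
    elif oper == 2:
        info = f"{sender_ip} is at {sender_mac}"
    else:
        info = f"ARP opcode {oper}"
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "oper": oper,
        "sender_mac": sender_mac, "sender_ip": sender_ip,
        "target_mac": target_mac, "target_ip": target_ip, "info": info,
    }


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Constructed packet builder for this example."""
    if eth_dst is None:            # a first lookup is broadcast; a reply is unicast
        eth_dst = BROADCAST if oper == 1 else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def check_replies(packets):
    """Defender's consistency check over parsed ARP packets: one IP announced by
    two different MACs. Returns (ip, first_mac, other_mac) tuples."""
    table, conflicts = {}, []
    for p in packets:
        if p["oper"] != 2:
            continue
        first = table.setdefault(p["sender_ip"], p["sender_mac"])
        if first != p["sender_mac"]:
            conflicts.append((p["sender_ip"], first, p["sender_mac"]))
    return conflicts


# Constructed pair reusing the lab's addresses. The lab's request went to a unicast
# destination, as happens when a host refreshes an entry it already holds; leave
# eth_dst unset to build the broadcast form of a first lookup.
REQUEST = build_arp(1, "94:04:e3:fa:9d:3d", "10.0.0.1",
                    "00:00:00:00:00:00", "10.0.0.35", eth_dst="ec:2e:98:e2:b5:05")
REPLY = build_arp(2, "ec:2e:98:e2:b5:05", "10.0.0.35",
                  "94:04:e3:fa:9d:3d", "10.0.0.1")
# Constructed second reply for the same IP from a different, locally administered MAC
CONFLICTING_REPLY = build_arp(2, "02:00:00:00:00:01", "10.0.0.35",
                              "94:04:e3:fa:9d:3d", "10.0.0.1")

if __name__ == "__main__":
    parsed = [parse_arp(f) for f in (REQUEST, REPLY, CONFLICTING_REPLY)]
    for p in parsed:
        print(f"{p['eth_src']} -> {p['eth_dst']}  {p['info']}")
    print("conflicts:", check_replies(parsed))
```

The sender/target fields of the ARP body are what the Info text is built from; the Ethernet destination is separate, which is why a request can be broadcast or unicast while carrying the same ARP body.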
Part C: Introduction to Filtering Traffic
On a network with large volumes of traffic it becomes difficult to isolate the packets of specific interest. Wireshark provides the capability to filter traffic either during or after data capture. The data filtering capabilities provided by Wireshark are extensive, and this portion of the lab only introduces this capability. Filters will be revisited in a future lab.
1. Connect your PC to a network and capture about 100 packets.
2. Select an ARP request packet and expand all fields until you can see the frame type. Highlight the frame type field.
3. Select Analyze | Apply as Filter | Selected from the menu bar. This should change the display to show only frame types corresponding to the one selected. Notice at the top of the capture window there is now a filter expression displayed. This same filter can be created using the menu that will appear if you right-click on the desired filter field.
4. Now that you have a filter created you can use this filter to filter traffic during capture so that only the desired packets are displayed. Wireshark will keep track of any filters you have recently created and these may be selected from the drop-down list in the filter menu. Make sure that a valid filter is selected (the filter expression field will be green) and then start a new capture. If prompted, select 'Continue without Saving'. Only packets that match the applied filter should be captured.
Experiment with Wireshark filtering capabilities until you are comfortable with applying simple filters to analyze previously captured files and to filter during capture. In future labs we will build more complex filters to analyze for specific traffic. To demonstrate your ability to apply filters, create a series of screen captures that show unfiltered and filtered traffic that matches a filter other than the ARP filter used in this exercise.

[Screen capture: Unfiltered]
[Screen capture: Filtered for DNS]

Appendix
https://www.wireshark.org/tools/oui-lookup.html
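Step 3 of this part has Wireshark turn the highlighted frame-type field into the display filter `eth.type == 0x0806` (0x0806 is the EtherType of ARP), and the closing exercise asks for a different filter such as `dns`. The Python below is an added illustration, not Wireshark's own filter engine: it parses and evaluates a small subset of the display-filter syntax (a bare protocol name, `==` and `!=` on a field, `!`, `&&`, `||` and parentheses) over constructed packets whose field names follow Wireshark's. Two simplifications are assumptions of this example: `udp.port` and `tcp.port` hold a single port here, whereas Wireshark matches either end of the conversation, and a field the packet does not carry never matches a comparison, which is Wireshark's behaviour for `==`.

```python
import re

# Tokens of the supported subset: parentheses, boolean and comparison operators,
# MAC and IPv4 literals, hex/decimal numbers, and field or protocol names
TOKEN = re.compile(
    r"\s*(\(|\)|&&|\|\||!=|==|!"
    r"|(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"   # MAC literal such as ff:ff:ff:ff:ff:ff
    r"|\d+(?:\.\d+){3}"                         # IPv4 literal such as 10.0.0.35
    r"|0x[0-9A-Fa-f]+|\d+"                      # 0x0806 or 53
    r"|[A-Za-z_][\w.]*)")                       # eth.type, arp.opcode, dns, and, or, not


def tokenize(text):
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


class Filter:
    """Recursive-descent parser for the subset; precedence: ! above && above ||."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.ast = self._or()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def _binary(self, ops, operand, name):
        node = operand()
        while self._peek() in ops:
            self._take()
            node = (name, node, operand())
        return node

    def _or(self): return self._binary(("||", "or"), self._and, "or")
    def _and(self): return self._binary(("&&", "and"), self._not, "and")

    def _not(self):
        if self._peek() in ("!", "not"):
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        if self._peek() in ("==", "!="):
            op = self._take()
            return ("cmp", tok, op, self._take())
        return ("proto", tok)      # bare name: is this protocol present in the packet?

    def matches(self, pkt):
        return self._eval(self.ast, pkt)

    def _eval(self, node, pkt):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if kind == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if kind == "not":
            return not self._eval(node[1], pkt)
        if kind == "proto":
            return node[1] in pkt["_protocols"]
        _, field, op, literal = node
        if field not in pkt:       # a field the packet lacks never matches a comparison
            return False
        return _same(pkt[field], literal) == (op == "==")


def _same(value, literal):
    if isinstance(value, int):
        try:
            return value == int(literal, 0)   # accepts 0x0806 and 2054 alike
        except ValueError:
            return False
    return str(value).lower() == literal.lower()


def apply_filter(text, packets):
    """Frame numbers a display filter keeps, as the packet list would show them."""
    flt = Filter(text)
    return [p["frame"] for p in packets if flt.matches(p)]


# Constructed packets with Wireshark-style field names: an ARP pair, a DNS query, a TLS segment
PACKETS = [
    {"frame": 1, "_protocols": ["eth", "arp"], "eth.type": 0x0806, "arp.opcode": 1},
    {"frame": 2, "_protocols": ["eth", "arp"], "eth.type": 0x0806, "arp.opcode": 2},
    {"frame": 3, "_protocols": ["eth", "ip", "udp", "dns"], "eth.type": 0x0800,
     "ip.src": "10.0.0.35", "ip.dst": "10.0.0.1", "udp.port": 53},
    {"frame": 4, "_protocols": ["eth", "ip", "tcp", "tls"], "eth.type": 0x0800,
     "ip.src": "10.0.0.35", "ip.dst": "10.0.0.1", "tcp.port": 443},
]

if __name__ == "__main__":
    for expr in ("eth.type == 0x0806", "arp", "dns", "ip.src == 10.0.0.35 && !dns"):
        print(f"{expr:32} -> frames {apply_filter(expr, PACKETS)}")
```

`eth.type == 0x0806` and the bare `arp` keep the same two frames here, which is the point of step 3: "Apply as Filter | Selected" writes the field comparison for you, and the shorter protocol-name form is what you type once you know it.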