Snoopy
Due Date: Nov 1
Points: 25 Points

Objective

To gain experience intercepting/capturing HTTP/TCP traffic on a network.

Equipment Needed

Use the Ubuntu OS that you originally downloaded from the course's Experience web page. The OS has the Wireshark network protocol analyzer software properly configured and installed. You will also need an Ethernet connection, i.e. a Cat 5 cable.

Background

A packet sniffer, commonly called a network analyzer, is often used by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured by the network analyzer, an administrator can pinpoint bottlenecks and maintain efficient network data transmission. The network analyzer works by simply capturing all data packets that pass through a given network interface (e.g. Ethernet or wireless adapters). Typically, the network analyzer would only capture packets that were intended for the machine in question. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing ALL packets traversing the network regardless of destination. By placing a network analyzer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the data that passes through a network. Within a given network, username and password information is generally transmitted in clear text, which means that the information would be viewable by analyzing the packets being transmitted.

Procedure

1. Configuring VirtualBox Network Settings

In the VirtualBox window, with your Ubuntu machine Powered Off, highlight the Ubuntu machine and then click on the Network selection in the right pane. In the "Attached to:" pull-down menu select Bridged Adapter. This selection will allow your Ubuntu OS to obtain an IP address for its exclusive use instead of using the IP address of the host OS. You will no longer be able to use the wireless connection for any outgoing connections from Ubuntu. Hence, you might want to change the network setting back to NAT when you finish this experience.

2. Configuring Wireshark

2.1 To start Wireshark, open a Terminal and type sudo wireshark (you will be prompted to enter the root password).
2.2 Before you can begin, click OK on the pop-up dialog indicating you are running this program as root; it may be hiding behind Wireshark.
2.3 Once Wireshark opens, click the first icon below "File" to choose a network interface to listen for packets (the interface dialog from the original handout should appear; screenshot not reproduced).
2.4 Choose eth*, where * represents a number (your device could be 0-9). Make a note of the IP address (130.127.49.105 in the handout's example; yours will be different). We will be using this IP address in Step 4 for interactions with your web server.
2.5 Select Start; Wireshark will immediately begin intercepting packets.
2.6 From the top menu, select Capture -> Stop.

3. Intercepting, Filtering, & Analyzing Raw Packets

3.1 It is suggested that you close all open internet browsers; if you prefer to keep them open, it may be necessary to comb through more data to complete this experience.
3.2 Select Capture -> Start
3.3 In Ubuntu, open Firefox and go to http://www.clemson.edu
3.4 After the page completes loading, select Capture -> Stop.

Once capturing starts, Wireshark will continuously report to your machine all packets of all network activity that is not filtered. To avoid being inundated with HTTP/TCP data, we stop capturing at this point to analyze the data. By default Wireshark intercepts the raw data from hundreds of protocols. To prevent information overload, we must configure Wireshark to only allow protocols that are of interest and filter out all others.

3.5 Select Capture -> Capture Filters (the Capture Filters dialog box should appear; screenshot not reproduced).
3.6 Select "HTTP TCP port (80)". If this is not shown, choose "TCP or UDP port 80 (HTTP)".
3.7 Click OK. This sets a filter to only allow the reporting of data flowing through the TCP protocol that is an HTTP data session.

Wireshark User Interface

3.8 Wireshark is partitioned into three sections:
3.8.1 Section 1 (top): sequence of packets captured
3.8.2 Section 2 (middle): data extracted from the hex dump of a selected packet, in human-readable format
3.8.3 Section 3 (bottom): raw hex dump of a selected packet
3.9 Notice the green highlighted rows; this is HTTP/TCP network traffic.
3.10 In Section 1:
3.10.1 Right-click the first HTTP protocol packet; the Info column should read GET / HTTP/1.1
3.10.2 Select Follow TCP Stream. Scroll through the data; what do you see? Is the data encrypted or in plaintext? Carefully review its contents. (Perform a Print-Screen for reporting.)
3.11 Still in Section 1, now click the first HTTP protocol packet; the Info column should read GET / HTTP/1.1 (your Wireshark screen should look similar to the screenshot in the original handout; not reproduced).
3.12 In Section 2, inspect all of the data the packet is carrying. What is the destination host? What type of user-agent is being used?
3.13 Review the complete HTTP connection, start to finish. What do you notice? You may notice that there are an awful lot of GET requests, and we only requested the http://www.clemson.edu webpage. Inspect the other GET requests. Find anything of interest? Yes: after the initial request for www.clemson.edu, there is a GET request for each image, CSS sheet, and other resource required to fully load the page. What is most interesting is that all of the data that you have been sifting through is unencrypted!

4. Snoopy the Password Sniffer

4.1 Leave Wireshark open (and not capturing).
4.2 Using the IP address found in Step 2.3, point the HOST OS browser to http://<ip-found-in-step-2.3>/login.php. The remaining efforts of Step 4 will be snooping usernames/passwords being sent to your Apache web server.
4.3 In Wireshark select Capture -> Start
4.4 Switch to your web browser and fill in any username and any password.
4.5 Click Submit
4.6 In Wireshark select Capture -> Stop
4.7 In addition to filtering packets based on protocol, we can also filter based on their packet source, destination, address, etc. For a complete list of IP filters click Expression... (the filter expression dialog box should appear; screenshot not reproduced).
4.8 Find & expand Internet Protocol
4.8.1 Select ip.dst from the right-most column
4.8.2 Select == from the middle column
4.8.3 Type <IP-FOUND-IN-STEP-2.3> in the left-most text box (the IP address of http://mmlab.cs.clemson.edu/). This tells Wireshark to only show those packets that have a destination address of <IP-FOUND-IN-STEP-2.3>. (Sample screen not reproduced.)
4.9 Click OK
4.10 Select Apply to the far right of Expression...
4.11 In Section 1 of Wireshark, select the packet with protocol HTTP and Info POST
4.12 Carefully search through Section 2 & Section 3 of Wireshark, OR right-click the packet and select Follow TCP Stream. What do you notice? (Perform a Print-Screen for reporting.)

5. Sniffing Secure Connections

5.1 Leave Wireshark open (and not capturing).
5.2 In Ubuntu point your browser to http://webmail.clemson.edu
5.3 In Wireshark select Capture -> Start
5.4 Switch to your web browser and fill in your username and password.
5.5 Click Submit
5.6 When the page completes loading, select Capture -> Stop. What do you see? First, you should recognize that there aren't any rows/packets highlighted green! Remember, rows highlighted in green are for HTTP. Webmail uses secure HTTP (HTTPS); however, you should see TCP data packets.
5.7 Right-click on a TCP data packet and choose Follow TCP Stream. What do you see? Is the data traveling in plaintext or is it encrypted? (Perform a Print-Screen for reporting.)
5.8 To verify that the information is being sent as we think: click a TCP data packet whose Info column reads Application Data.
5.9 Now, looking in Section 2, look through the data under the Secure Socket Layer heading. What did you find? Are the packets encrypted?

Reporting

E-mail in one message the following to grossman@cs.clemson.edu with a subject line of "Snoopy". Failure to use the correct subject line will result in a 10 point deduction for this experience.
1. Attach the screenshots, uncompressed, taken in steps 3.10.2, 4.12, & 5.7
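The inspections in steps 3.12, 4.12 and 5.9 can be reproduced on the raw TCP payload bytes that Follow TCP Stream displays. The Python script below is an added example, not part of the original handout: it parses a cleartext HTTP request for host, user-agent and form fields and flags credential-looking fields sent without TLS (the signal a network monitor would alert on), while for a TLS record it decodes only the 5-byte record header and leaves the body opaque. The sample payloads are constructed; the IP address is the handout's example address.

```python
from urllib.parse import parse_qs

# TLS record content types (RFC 5246, section 6.2.1); 23 is what Wireshark labels "Application Data".
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")
CREDENTIAL_FIELDS = {"user", "username", "pass", "password", "passwd"}

def parse_http_request(payload: bytes) -> dict:
    """Parse one cleartext HTTP/1.x request exactly as Follow TCP Stream shows it."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"kind": "http", "method": method, "host": headers.get("host"), "path": target,
            "user_agent": headers.get("user-agent"), "form_fields": sorted(fields),
            # Defender's signal: credential-looking form fields carried without TLS.
            "cleartext_credentials": bool(CREDENTIAL_FIELDS & set(fields))}

def parse_tls_record(payload: bytes) -> dict:
    """Parse only the 5-byte TLS record header; the record body is ciphertext."""
    length = int.from_bytes(payload[3:5], "big")
    return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[payload[0]],
            "record_version": f"{payload[1]}.{payload[2]}", "length": length,
            "readable_body": False}

def classify_payload(payload: bytes) -> dict:
    """Decide whether a TCP payload is a cleartext HTTP request or a TLS record."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload.split(b"\r\n", 1)[0]:
        return parse_http_request(payload)
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        return parse_tls_record(payload)
    return {"kind": "unknown"}

# Constructed sample payloads (not captured from the lab network).
SAMPLE_POST = (b"POST /login.php HTTP/1.1\r\n"
               b"Host: 130.127.49.105\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/3.6\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 35\r\n\r\n"
               b"username=testuser&password=lab-demo")
# A TLS 1.0 application_data record: content type 23, record version 3.1, 32-byte opaque body.
SAMPLE_TLS = bytes([23, 3, 1, 0, 32]) + bytes(range(32))
```

Calling classify_payload on each sample shows why the lab's HTTP POST is fully readable while the HTTPS capture in step 5 yields only record-level metadata.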