Network Forensics Network Traffic Analysis




BLOSSOM, Manchester Metropolitan University (funded by the Higher Education Academy), l.han@mmu.ac.uk

Copyright: The development of this document is funded by the Higher Education Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/.

1. Learning Objectives

The aim of this lab is to understand and learn how to use Wireshark to perform network forensic analysis.

2. Preparation

1) A Linux environment.
2) Files that you will need from /home/user/blossomfiles/networkforensics: 'labforensics.pcap'.
3) Documents that you may need to refer to: 'Virtual-MachineGuide.pdf', 'Linux-Guide.pdf', 'BLOSSOM-UserGuide.pdf'.

3. Tasks

Setup & Installation: Start a single virtual machine as you have done in previous exercises (see the Virtual Machine Guide):

# kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one

Task 1: Wireshark Basics

1.1 Wireshark is an open source packet analyser that lets us perform tasks such as network troubleshooting and analysis, but it can also provide very useful forensic information when logging packets from a network. Wireshark is also able to capture network packets; however, this lab focuses on the analysis of packets. Start Wireshark using the following command:

# wireshark

After Wireshark has started, select File -> Open -> labforensics.pcap to open the packet capture file used in this lab. Browse through the packets to see the different protocols and source / destination addresses listed in the main capture window. Beneath this is a more in-depth breakdown of whichever packet is selected, and underneath that is a hexadecimal view of the packet. Each pane can contain extremely valuable forensic information. Select packets in the main capture window and then view the individual packet details to discover information such as the source and destination MAC addresses.

1.2 As we can see, a significant number of packets is displayed, so in order to process this information we must know how to filter it. As an example, if analysis of this capture file gives us a further interest in a specific source IP address, we can right-click on that source IP address in the main packet capture window and select Apply as Filter -> Selected. We are then presented with every packet that has the same source address as the one we selected.

1.3 Moving further into analysis, we can use TCP conversations to discover important information about the suspects involved in the packet capture. Select Edit -> Find Packet, input tcp.flags.syn == 1 as the search parameter, then click Find. This finds the first SYN packet sent to the web server, signifying the start of a TCP three-way handshake. After this packet has been found, right-click on the selected packet and choose Follow TCP Stream from the menu. This shows the entire TCP conversation in a more readable format (client packets are displayed in red and server packets in blue; use the Entire conversation drop-down menu to switch between client and server packets). Another useful function is that the TCP stream can be viewed in several formats, such as ASCII, to make it more readable. We can also follow the TCP stream of protocols such as HTTP, SMTP and FTP, allowing us to reconstruct web pages or to view unencrypted emails.

Question: From the TCP stream of the first SYN packet, can you discover both the incorrect and correct login details used to access the Microsoft Telnet Service?

Task 2: Wireshark Statistics

2.1 Wireshark also provides statistical information, allowing us to narrow the focus of a network forensic investigation by giving overall packet statistics, conversation information and information on the systems involved in those conversations. Select Statistics -> Protocol Hierarchy to display a breakdown of all of the protocols present in the packet capture.

Question: What percentage of the packets in the capture is TCP? And which higher-level protocols present in the hierarchy use TCP?

2.2 The Flow Graph gives a graphical representation of the flow of packets throughout the capture, allowing us to build a more in-depth understanding of what the user was actually doing. Select Statistics -> Flow Graph and choose General Flow as the flow type and Network source/destination addresses as the node address type. A large graph displaying the flow of packets is shown. Take a moment to analyse it and develop an understanding of the packet flow.

2.3 IP Addresses is another important statistic, which allows us to find the key IP addresses involved in the packet capture. Select Statistics -> IP Addresses, then click Create Stat.

Question: What are the two key IP addresses in the labforensics.pcap file?
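As an added example that is not part of the BLOSSOM lab, the following Python script reproduces what Tasks 1.3, 2.1 and 2.3 do through the Wireshark GUI, on a constructed five-frame capture: it parses the pcap and the Ethernet/IPv4/TCP headers, reports the share of TCP frames and the application ports in use, counts packets per IP address and returns the frame number of the first SYN (the same predicate as tcp.flags.syn == 1). All function names, addresses, ports and MACs are assumptions constructed for the example.

```python
import struct
from collections import Counter

PORT_NAMES = {21: "ftp", 23: "telnet", 80: "http"}   # the services Task 3 asks about

def make_pkt(src, dst, proto, sport, dport, flags=0):
    """Constructed Ethernet/IPv4 frame carrying a bare TCP (6) or UDP (17) header, no payload."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4   # placeholder MACs, EtherType IPv4

def make_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (magic 0xA1B2C3D4, linktype 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def analyse(pcap):
    """TCP share of all frames, TCP application mix, per-IP packet counts and the first SYN's frame number."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "only little-endian pcap handled here"
    tcp_frames, apps, ips, first_syn, n, off = 0, Counter(), Counter(), None, 0, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        f, off, n = pcap[off + 16:off + 16 + caplen], off + 16 + caplen, n + 1
        if len(f) < 34 or f[12:14] != b"\x08\x00":       # only IPv4 over Ethernet is parsed
            continue
        ips[".".join(map(str, f[26:30]))] += 1            # source address
        ips[".".join(map(str, f[30:34]))] += 1            # destination address
        if f[23] != 6:                                    # IP protocol field: not TCP (UDP, ICMP, ...)
            continue
        tcp = f[14 + (f[14] & 0x0F) * 4:]                 # skip the IP header (IHL in 32-bit words)
        sport, dport = struct.unpack("!HH", tcp[:4])
        tcp_frames += 1
        apps[PORT_NAMES.get(dport) or PORT_NAMES.get(sport, "other-tcp")] += 1
        if first_syn is None and tcp[13] & 0x02:          # same predicate as tcp.flags.syn == 1
            first_syn = n                                 # Wireshark numbers frames from 1
    return {"tcp_pct": 100.0 * tcp_frames / n, "apps": apps, "ips": ips, "first_syn": first_syn}

# Constructed sample capture: one DNS query, a Telnet three-way handshake and an HTTP SYN.
SAMPLE = make_pcap([
    make_pkt("10.0.0.5", "10.0.0.1", 17, 5353, 53),
    make_pkt("10.0.0.5", "10.0.0.2", 6, 40001, 23, flags=0x02),
    make_pkt("10.0.0.2", "10.0.0.5", 6, 23, 40001, flags=0x12),
    make_pkt("10.0.0.5", "10.0.0.2", 6, 40001, 23, flags=0x10),
    make_pkt("10.0.0.5", "10.0.0.3", 6, 40002, 80, flags=0x02),
])
```

Against the real lab file, call analyse(open("labforensics.pcap", "rb").read()) and compare the result with the Protocol Hierarchy and IP Addresses statistics; pcapng files or captures with a big-endian magic need a different reader.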

Task 3: Packet Analysis Questions

3.1 The following questions relate to what you should have learnt over the past few tasks.

Question 1: For the TELNET traffic, what are the MAC & IP addresses involved? After the user has logged in to Telnet successfully, what commands are used?

Question 2: For the HTTP traffic, what are the MAC & IP addresses involved? What webpages are requested?

Question 3: For the FTP traffic, what are the MAC & IP addresses involved? What are both the correct and incorrect login details supplied? What files were downloaded?