Copyright: The development of this document is funded by the Higher Education Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/.

Network Forensics: Network Traffic Analysis
BLOSSOM, Manchester Metropolitan University (Funded by Higher Education Academy)
l.han@mmu.ac.uk
1. Learning Objectives

This lab is to understand and learn how to use Wireshark to perform network forensic analysis.

2. Preparation

1) Under a Linux environment.
2) Some files that you will need from /home/user/blossomfiles/networkforensics: labforensics.pcap
3) Some documents that you may need to refer to: Virtual-MachineGuide.pdf, Linux-Guide.pdf, BLOSSOM-UserGuide.pdf

3. Tasks

Setup & Installation: Start a single virtual machine as you have done with previous exercises (see Virtual Machine Guide):

# kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one
Task 1: Wireshark Basics

1.1 Wireshark is an open source packet analyser that allows us to perform tasks such as network troubleshooting and analysis, but it can also provide very useful forensic information when logging packets from a network. Wireshark also has the capability to log network packets; however, we will focus on the analysis of packets in this lab. Start Wireshark using the following command:

# wireshark

After Wireshark has started, select File -> Open -> labforensics.pcap to open the packet capture file that will be used for this lab. Browse through the packets to see all of the different protocols and source / destination addresses listed in the main capture window. Beneath this is a more in-depth analysis of each individual packet, which appears when a packet is selected, and underneath that is a hexadecimal view of the packet. Each window can contain extremely valuable forensic information. Select packets in the main capture window and then view the individual packet information to discover information such as the source and destination MAC addresses.

1.2 As we can see, there is a significant number of packets being displayed, so in order to process this information we must know how to filter it accordingly. As an example, if through the analysis of this packet capture file we develop a further interest in a specific source IP address, we can right click on the source IP address in the main packet capture window and select Apply as Filter -> Selected. We will now be presented with every packet that has the same source address as the one we selected.

1.3 Moving further into the area of analysis, we can use TCP conversations to discover important information about the suspects involved in the packet capture. Select Edit -> Find Packet, input tcp.flags.syn == 1 into the search parameters, then click Find.
This will automatically find the first SYN packet sent to the web server, signifying the start of a TCP 3-way handshake. After this packet has been found, right click on the selected packet and select Follow TCP Stream from the menu. This will show the entire TCP conversation in a more readable format (client packets are displayed in red, server packets are displayed in blue; select the drop-down menu Entire conversation in order to switch between client and server packets). Another useful function is that the TCP Stream can be viewed in multiple different formats, such as ASCII, to make the stream more readable. We could also view the TCP Stream of protocols such as HTTP, SMTP and FTP, allowing us to reconstruct web pages or to view unencrypted emails.

Question: From the TCP Stream of the first SYN packet, can you discover both the incorrect and correct login details used to access the Microsoft Telnet Service?

Task 2: Wireshark Statistics

2.1 Wireshark also supports statistical information, allowing us to narrow the focus of a network forensic investigation by providing overall packet statistics, conversation information and information on the systems involved in the aforementioned conversations. Select Statistics -> Protocol Hierarchy to display a breakdown of all of the protocols involved in the packet capture.

Question: What percentage of the packets in the capture are TCP? Also, what higher-level protocols are present in the hierarchy that use TCP?

2.2 Flow Graph allows us to view a graphical representation of the flow of packets throughout the capture, allowing us to build a more in-depth understanding of what the user was actually doing. Select Statistics -> Flow Graph and choose General Flow as the flow type and Network source/destination addresses as the node address type. We should now be shown a large graph displaying the flow of packets. Take a moment to analyse this and develop an understanding of the packet flow.

2.3 IP Addresses is another important statistic, which allows us to find out the key IP addresses involved in the packet capture. Select Statistics -> IP Addresses, and then click Create Stat.

Question: What are the two key IP addresses in the labforensics.pcap file?
Task 3: Packet Analysis Questions

3.1 The following are questions relating to what you should have learnt over the past few tasks.

Question 1: For the TELNET traffic, what are the MAC & IP addresses involved? After the user has logged in to Telnet successfully, what commands are used?

Question 2: For the HTTP traffic, what are the MAC & IP addresses involved? What webpages are requested?

Question 3: For the FTP traffic, what are the MAC & IP addresses involved? What are both the correct and incorrect login details supplied? What files were downloaded?
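The Task 1.3 procedure (Find Packet with tcp.flags.syn == 1, then Follow TCP Stream) and the MAC/IP questions of Task 3, as an added Python example that is not part of the original lab: it decodes Ethernet/IPv4/TCP frames, locates the first SYN-bearing frame and reassembles that connection's payloads by direction, the SYN sender being the client (red in Wireshark). The hosts, MAC addresses, ports and Telnet exchange are constructed for the example and are not taken from labforensics.pcap; note that tcp.flags.syn == 1 also matches a SYN/ACK, so the first match is the client's opening SYN only when the capture includes the handshake.

```python
import socket, struct

# Constructed sample hosts (not taken from labforensics.pcap): a Telnet client and server.
MACS = {"192.168.1.10": "00:0c:29:aa:bb:cc", "192.168.1.20": "00:50:56:11:22:33"}

def build_frame(src, sport, dst, dport, flags=0, payload=b""):
    """Ethernet II + IPv4 + TCP frame with zeroed checksums: enough for parsing, not for sending."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    # Ethernet header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    return bytes.fromhex(MACS[dst].replace(":", "") + MACS[src].replace(":", "")) + b"\x08\x00" + ip

def decode(frame):
    """Decode Ethernet II + IPv4; port, flag and payload fields are added only for TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]  # trim by IP total length
    p = {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"), "proto": ip[9],
         "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
    if p["proto"] == 6:
        tcp = ip[(ip[0] & 0x0F) * 4:]  # skip IHL*4 bytes of IP header (and options)
        p.update(sport=int.from_bytes(tcp[:2], "big"), dport=int.from_bytes(tcp[2:4], "big"),
                 flags=tcp[13], payload=tcp[(tcp[12] >> 4) * 4:])
    return p

def first_syn(frames):
    """Find Packet with tcp.flags.syn == 1: (index, fields) of the first frame carrying SYN."""
    return next(((i, p) for i, p in enumerate(map(decode, frames))
                 if p and p["proto"] == 6 and p["flags"] & 0x02), None)

def follow_tcp_stream(frames, syn):
    """Follow TCP Stream for the connection opened by `syn` (SYN sender = client); assumes an in-order capture without retransmissions."""
    client, server = (syn["src"], syn["sport"]), (syn["dst"], syn["dport"])
    stream = []
    for p in filter(None, map(decode, frames)):
        ends = (p.get("src"), p.get("sport")), (p.get("dst"), p.get("dport"))
        if p.get("payload") and ends in ((client, server), (server, client)):
            stream.append(("client" if ends[0] == client else "server", p["payload"]))
    return stream

# Constructed capture: an HTTP request already in flight, then a Telnet login (port 23).
C, S = "192.168.1.10", "192.168.1.20"
CAPTURE = [
    build_frame(C, 41001, S, 80, 0x18, b"GET / HTTP/1.1\r\n"),              # no handshake captured
    build_frame(C, 41000, S, 23, 0x02), build_frame(S, 23, C, 41000, 0x12),  # SYN, SYN/ACK
    build_frame(C, 41000, S, 23, 0x10),                                      # ACK: handshake done
    build_frame(S, 23, C, 41000, 0x18, b"login: "), build_frame(C, 41000, S, 23, 0x18, b"admin\r\n"),
    build_frame(S, 23, C, 41000, 0x18, b"password: "), build_frame(C, 41000, S, 23, 0x18, b"s3cret\r\n"),
]
```

To run this over a real file, a pcap reader (the 24-byte global header followed by 16-byte per-record headers, or a library such as scapy) must supply the raw frame bytes that CAPTURE holds here.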