How To Analyze Network Protocol With Wireshark




CIS 534 - Advanced Network Security Design 1 CIS 534 Advanced Network Security Design

Table of Contents

Toolwire Lab 1: Analyzing IP Protocols with Wireshark ... 6
  Introduction ... 6
  Learning Objectives ... 6
  Tools and Software ... 7
  Deliverables ... 7
  Evaluation Criteria and Rubrics ... 7
  Hands-On Steps ... 8
    Part 1: Exploring Wireshark ... 8
    Part 2: Analyzing Wireshark Capture Information ... 12
  Lab #1 - Assessment Worksheet ... 19
    Analyzing IP Protocols with Wireshark ... 19
    Overview ... 20
    Lab Assessment Questions & Answers ... 20

Toolwire Lab 2: Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic ... 22
  Introduction ... 22
  Learning Objectives ... 23
  Tools and Software ... 23
  Deliverables ... 23
  Evaluation Criteria and Rubrics ... 23
  Hands-On Steps ... 24
    Part 1: Analyzing Wireless Traffic with Wireshark ... 24
    Part 2: NetWitness Investigator ... 31
  Lab #2 - Assessment Worksheet ... 34
    Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic ... 34
    Overview ... 34
    Lab Assessment Questions & Answers ... 35

Toolwire Lab 3: Configuring a pfSense Firewall on the Client ... 36
  Introduction ... 36
  Learning Objectives ... 37
  Tools and Software ... 37
  Deliverables ... 37
  Evaluation Criteria and Rubrics ... 37
  Hands-On Steps ... 38
    Part 1: Planning the Configuration ... 38
    Part 2: Configuring the Firewall ... 46
  Lab #3 - Assessment Worksheet ... 48
    Configuring a pfSense Firewall on the Client ... 48
    Overview ... 48
    Lab Assessment Questions ... 49

Toolwire Lab 4: Configuring a pfSense Firewall on the Server ... 50
  Introduction ... 50
  Learning Objectives ... 51
  Tools and Software ... 51
  Deliverables ... 51
  Evaluation Criteria and Rubrics ... 51
  Hands-On Steps ... 52
    Part 1: Planning the Configuration ... 52
    Part 2: Configuring the Firewall ... 59
  Lab #4 - Assessment Worksheet ... 63
    Configuring a pfSense Firewall on the Server ... 63
    Overview ... 63
    Lab Assessment Questions & Answers ... 63

Toolwire Lab 5: Penetration Testing a pfSense Firewall ... 65
  Introduction ... 65
  Learning Objectives ... 66
  Tools and Software ... 66
  Deliverables ... 66
  Evaluation Criteria and Rubrics ... 66
  Hands-On Steps ... 67
    Part 1: Configuring a pfSense Server Firewall ... 67
    Part 2: Penetration Testing ... 68
  Lab #5 - Assessment Worksheet ... 72
    Penetration Testing a pfSense Firewall ... 72
    Overview ... 72
    Lab Assessment Questions & Answers ... 72

Toolwire Lab 6: Using Social Engineering Techniques to Plan an Attack ... 74
  Introduction ... 74
  Learning Objectives ... 75
  Tools and Software ... 75
  Deliverables ... 75
  Evaluation Criteria and Rubrics ... 76
  Hands-On Steps ... 76
    Part 1: Targeted Social Engineering Attack ... 76
    Part 2: Targeted Reverse Social Engineering Attack ... 82
  Lab #6 - Assessment Worksheet ... 84
    Using Social Engineering Techniques to Plan an Attack ... 84
    Overview ... 84
    Lab Assessment Questions ... 84

Toolwire Lab 7: Configuring a Virtual Private Network Server ... 87
  Introduction ... 87
  Learning Objectives ... 88
  Tools and Software ... 88
  Deliverables ... 88
  Evaluation Criteria and Rubrics ... 89
  Hands-On Steps ... 89
    Part 1: Configuring the VPN: Server Side ... 89
  Lab #7 - Assessment Worksheet ... 98
    Configuring a Virtual Private Network Server ... 98
    Overview ... 98
    Lab Assessment Questions & Answers ... 98
    Host-to-Host Configuration Worksheet ... 99
    IPsec.conf file ... 99

Toolwire Lab 8: Configuring a VPN Client for Secure File Transfers ... 100
  Introduction ... 100
  Learning Objectives ... 101
  Tools and Software ... 101
  Deliverables ... 101
  Evaluation Criteria and Rubrics ... 102
  Hands-On Steps ... 102
    Part 1: Configuring a Windows VPN Client to Work with a Linux VPN Server ... 102
    Part 2: Comparing Secure and Non-secure File Transfers in Wireshark ... 107
  Lab #8 - Assessment Worksheet ... 116
    Configuring a VPN Client for Secure File Transfers ... 116
    Overview ... 117
    Lab Assessment Questions & Answers ... 117

Toolwire Lab 9: Attacking a Virtual Private Network ... 118
  Introduction ... 118
  Learning Objectives ... 119
  Tools and Software ... 119
  Deliverables ... 119
  Evaluation Criteria and Rubrics ... 120
  Hands-On Steps ... 120
    Part 1: Social Engineering / Reverse Social Engineering Attack ... 120
    Part 2: Creating Spam Emails ... 126
  Lab #9 - Assessment Worksheet ... 129
    Attacking a Virtual Private Network ... 129
    Overview ... 129
    Lab Assessment Questions & Answers ... 129

Toolwire Lab 10: Investigating and Responding to Security Incidents ... 131
  Introduction ... 131
  Learning Objectives ... 132
  Tools and Software ... 132
  Deliverables ... 132
  Evaluation Criteria and Rubrics ... 133
  Hands-On Steps ... 133
    Part 1: Gather System Performance Information ... 133
    Part 2: Scan a Windows 2008 Server for Vulnerabilities ... 136
  Lab #10 - Assessment Worksheet ... 138
    Investigating and Responding to Security Incidents ... 138
    Overview ... 138
    Lab Assessment Questions & Answers ... 138

Toolwire Lab 1: Analyzing IP Protocols with Wireshark

Introduction

Click the link below to view the network topology for this lab: Topology

Wireshark is probably the most widely used packet capture and analysis software in the world. It is available free of charge and, while it lacks some of the more sophisticated diagnostic tools of similar commercial products, the use of Wireshark saves many organizations thousands of dollars and thousands of hours. Wireshark also captures network packet traffic and can save frame detail in multiple formats that make the captures usable by the more sophisticated, more expensive software tools.

This lab has three parts, which you should complete in order.

1. In the first part of the lab, you will either learn the basics of Wireshark, if you have not already used it, or you will improve and fine-tune your Wireshark skills. In either case, you will learn about probe placement, clocking/timing issues, Wireshark traffic capture and the use of filters.
2. In the second part of the lab, you will use a capture file to answer basic questions about key IP protocols and the basic configuration of the IP hosts from which traffic is captured.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:
- Use basic features of the Wireshark packet capture and analysis software
- Apply appropriate filters to view only the traffic subset of interest
- Reliably and consistently place probes to capture packet traffic
- Determine if timing and clocking are synchronized for better reliability and repeatability

- Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible
- Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured

Tools and Software

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
- Wireshark

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Assessments file;
2. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics

The following are the evaluation criteria for this lab that students must perform:
1. Use basic features of the Wireshark packet capture and analysis software. - [10%]
2. Apply appropriate filters to view only the traffic subset of interest. - [20%]
3. Be able to reliably and consistently place probes to capture packet traffic. - [20%]
4. Determine if timing and clocking is synchronized for better reliability and repeatability. - [20%]
5. Guarantee that all traffic is being captured and that the interface rate and capture rate are compatible. - [20%]
6. Capture and analyze basic Internet Protocol transactions and determine basic configuration information about the IP hosts from which traffic is captured. - [10%]

Hands-On Steps

Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader. If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 Student Landing workstation

2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Exploring Wireshark

Note: Wireshark is already loaded on the vWorkstation, as indicated by the Wireshark shortcut on the desktop. Wireshark can be downloaded, free of charge, from http://www.wireshark.org if you would like to have your own personal copy, though doing so is not a requirement for this lab.

1. Double-click the Wireshark icon on the desktop to start the Wireshark application.

Figure 2 Wireshark splash screen

The main screen of Wireshark includes several shortcuts to make your job easier. There are four categories of shortcuts.

Wireshark Screen Sections (section title: description)
- Capture: This section displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed.
- Files: This section displays the most recent list of files that you were analyzing in Wireshark. The default status for this section is blank because no files have been opened yet.
- Online: This section displays shortcuts to the Wireshark website.
- Capture Help: This section displays shortcuts to the Wireshark website for help in using the tool.

2. Click Interface List to bring up a list of active interfaces.

Figure 3 Wireshark Capture Interfaces

Notice that only one interface, the student workstation, is available for capturing packets in the virtual lab. This Capture Interface is a virtual interface described as Citrix with an IP address of 172.30.0.2.

Note: If you were running Wireshark on your local computer, it is possible that you would see many interfaces. It is also possible that some interfaces you were expecting to see may not appear on the list at all. If you know that a logical or physical interface exists but it does not show up on the list, check the installation of WinPcap and troubleshoot accordingly. Very often it is necessary to reinstall or update the Network Interface Card (NIC) drivers.

3. Click the checkbox to the left of the Student device to select it, and click Details to display additional information about the interface. The Interface Details dialog box displays a great deal of information about the interface that may be useful in troubleshooting and resolving packet capture problems; for instance, if you are not capturing all of the packets you may be exceeding the transmit and/or receive buffers. Take a moment to review the information in this dialog box before proceeding with the lab.

Figure 4 Wireshark Capture Interface Details

4. Click Close to close the Interface Details dialog box.
5. With the Student checkbox still checked, click Start to open Wireshark and begin capturing data packets affecting the Student's virtual workstation.

Note: Because Wireshark is capturing traffic live, your default content will be different from the screen captures in this part of the lab. However, in Part 2, you will load a static file and your results should match the examples almost

exactly. Not all of these steps are needed for every packet analysis, but they are a good way of familiarizing yourself with the various capabilities of Wireshark.

6. Maximize the Wireshark window. The Wireshark window opens with the detailed information about the first packet captured, Frame 1, displayed in the middle pane. Use your mouse to drag the borders of any pane up or down to change its size.
   o The top pane of the Wireshark window contains all of the packets that Wireshark has captured, in time order, and provides a summary of the contents of each packet in a format close to English. Keep in mind that the content will be different depending upon where you capture packets in the network. Also remember that the source and destination are relative to where a packet is captured. This area of the Wireshark window will be referred to as the frame summary.
   o The middle pane of the Wireshark window is used to display the packet structure and the contents of fields within the packet. This area of the Wireshark window will be referred to as the frame detail.
   o The bottom pane of the Wireshark window displays the byte data. All of the information in the packet is displayed in hexadecimal on the left and, as printable characters where possible, on the right. This can be a very useful feature, especially if passwords for which you are looking are unencrypted. This area of the Wireshark window will be referred to as the byte data.

Figure 5 Wireshark application window

How Does Wireshark Work?

Wireshark can be used in a variety of ways. The following figures illustrate the Wireshark Capture Environment. In the simplest terms, Wireshark is used to capture all packets to and from the IP Host on the left (a computer workstation) and the IP Host on the right (a server).

Figure 6 Wireshark capture environment

The most common configuration for Wireshark, and the configuration that we are running in this lab, has the software running on a local host.

Figure 7 Wireshark running on local host

In the next figure, Wireshark is running on the Local Area Network of the IP Host. Wireshark can also run within the network.

Figure 8 Wireshark capturing packets from a probe or hub

In the final figure, Wireshark is running in a peer-to-peer configuration, as opposed to a client-server configuration, with Wireshark running on the right IP Host.

Figure 9 Wireshark capturing packets in a peer-to-peer configuration

Where packets are captured and how they are captured has a big impact on how the packets are analyzed. By running the Wireshark software on the same computer that is generating the packets, the capture is specific to that machine, but Wireshark may affect the operation of the machine itself and its applications. On the other hand, using a network probe or hub device, or the capture port (frequently called a SPAN (Switched Port Analyzer) port) of a LAN switch, can provide more accurate timing information but requires the use of filters to identify traffic between the proper endpoints.

7. Click Capture on the Wireshark menu and then Stop to stop the packet capture. Packet capture must be stopped before packets can be analyzed. You may wish to look through the packets that have been captured live during this session before continuing, to see the variety of data captured by Wireshark.
8. Drag the frame borders of the frame detail pane to expand it. Notice that Wireshark displays the content in the frame detail pane in reverse order of the Open Systems Interconnection (OSI) Reference Model: in Wireshark, the physical layer appears at the top of the list and the application layer appears at the bottom of the list.

Note: Remember, because Wireshark is capturing traffic live, your default content will be different from the screen captures in this part of the lab. Explore your Wireshark traffic to see how it compares.

Figure 10 Frame detail pane

9. Click the plus sign at the beginning of the frame number line to expand the fields. Notice the number of fields related to time.

Figure 11 Expanded frame detail

Note: There are two very important considerations relative to how Wireshark handles time. Very often certain events are reported relative to clock time. It is important to

consider the fact that clock time may or may not be the same as the system time of the device or devices used to run Wireshark and capture packets. The timestamp used by Wireshark is the current system time on the machine upon which Wireshark is running. Attempting to synchronize Wireshark captures made on two different machines requires consideration of time differences, including time zone. The potential problems can be alleviated somewhat by using Network Time Protocol (NTP) on both machines, but there are still a myriad of issues, such as which clocks were used for synchronization; even if the same clock is used, there is propagation delay for the timing packets, which could introduce discrepancies that, though small, matter a lot, especially when capturing packets from high-speed interfaces. In order to overcome time zone mismatches, a common best practice is to use the UTC (Coordinated Universal Time) time zone.

Part 2: Analyzing Wireshark Capture Information

Note: In this part of the lab, you will load a file of traffic that has been previously captured by Wireshark, so that all of the packets reviewed within the lab are the same for every student and match the instructions. Throughout this part of the lab, you should spend a few moments looking at the data captured by Wireshark and familiarize yourself with the Wireshark format and the English-language descriptions Wireshark uses to explain frame details. You may need this information to answer the questions at the end of the lab.

1. Select File > Open from the Wireshark menu to open the lab's capture file. A pop-up alert will remind you to consider saving your data. Opening any new capture file will overwrite the packets already in the Wireshark window unless those packets are explicitly saved.

Figure 12 Wireshark save warning

2. At the prompt, click Continue without Saving for this part of the lab.
3. In the Open Capture File dialog box, navigate to the Desktop, select the PacketCapture file, and click Open.

The PacketCapture.pcapng capture file will open in the Wireshark application window. The first column in Wireshark is the packet frame number. These numbers appear sequentially, and there are 765 frames in the PacketCapture.pcapng file.

Figure 13 PacketCapture.pcapng displayed in Wireshark

4. Click frame 546. Use the scrollbar in the frame summary pane to find the appropriate frame number.
5. In the frame detail pane, click the plus sign at the beginning of the Frame 546 line to expand the fields. If necessary, drag the frame borders of the frame detail pane to expand it.
6. Look at the frame header for frame 546. The number of bytes captured (175) is the same as the number of bytes on the wire (175). A difference between bytes on the wire and bytes captured can indicate that not everything is being captured, or that partial or malformed packets are being captured, which could lead to incorrect analysis. If there are regularly more bytes on the wire than captured, it is possible that the computer on which Wireshark is running is not able to keep up with the interface.

Figure 14 Wireshark frame header information

7. Click the minus sign at the beginning of the frame 546 line to close the Physical Layer detail.
8. Click the plus sign at the beginning of the Ethernet II line to expand the Ethernet II detail. Wireshark takes a lot of the work out of analyzing packets and presents a wide range of information. In this detail layer, Wireshark has determined the following:
   - The frame type is Ethernet II
   - The source is Intel Core hardware
   - The destination is IPv4 multicast
   - The type of traffic carried in the next layer is Internet Protocol (IP)

Note: The MAC address for the source device is 00:22:fa:1c:eb:e6. To the left of the full MAC address Wireshark shows IntelCor_1c:eb:e6. This means that Wireshark has interpreted 00:22:fa as the IEEE-assigned manufacturer's unique ID. This information is almost always correct but can be manipulated. The first 6 hexadecimal characters of the MAC address are called the OUI (Organizationally Unique Identifier) and denote

the company that manufactured the device's network card. The company associated with each unique OUI can be found online at http://standards.ieee.org/develop/regauth/oui/public.html.

Figure 15 Ethernet II frame detail

1. Record the complete hexadecimal representation of the source and destination Media Access Control (MAC) addresses. You may choose to make a screen capture of the data and paste it into a new word processing document for later reference.
2. Record the code assigned by the IEEE to Intel for use in identifying Intel Core network interfaces. You may choose to make a screen capture of the data and paste it into your document for later reference.
3. Record the MAC address used for IPv4 multicast. You may choose to make a screen capture of the data and paste it into your document for later reference.
4. Click the minus sign at the beginning of the Ethernet II line to close the Data Link Layer detail.
5. Click the plus sign at the beginning of the Internet Protocol line to expand the Internet Protocol detail.

Figure 16 Internet Protocol frame detail

6. Record the version of the Internet Protocol being used. You may choose to make a screen capture of the data and paste it into your document for later reference. A variety of packets can exist on any given network. The IP version determines how the rest of the packet is interpreted. Almost all modern networks, except for academic and research networks, use IP version 4 or IP version 6. A different number can be faked by malicious software or might mean that a packet has been corrupted. As IPv6 gains in popularity, it is increasingly likely that IPv4 and IPv6 will be encountered on the same network. Both IPv4 and IPv6 use the same lower-layer protocols, such as Ethernet, but may have their own specialized versions of higher-layer protocols.
7. Record the source IP address. The source IP address is the IP address of the local IP host (workstation) from which Wireshark is capturing packets. You may choose to make a screen capture of the data and paste it into your document for later reference.
8. Click the minus sign at the beginning of the Internet Protocol line to close the Internet Protocol detail.
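The frame-header check in step 6 (bytes captured versus bytes on the wire) and the timestamp note at the end of Part 1 can both be done outside the Wireshark GUI by reading the capture file directly. The following Python script is an added example, not part of the lab or of Wireshark: it builds a small constructed pcapng file in memory (one Ethernet interface with a 96-byte snaplen and two frames), walks the Enhanced Packet Blocks, renders each timestamp in UTC and reports frames whose captured length is shorter than the original length. It assumes a little-endian section and the default microsecond timestamp resolution; the snaplen, timestamps and frame contents are constructed values.

```python
import struct
from datetime import datetime, timezone

# pcapng block type codes (from the pcapng specification)
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006


def _block(btype, body):
    """Frame a block body the pcapng way: type, total length, body padded to 4 bytes, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_pcapng():
    """Constructed sample capture: one Ethernet interface with a 96-byte snaplen and two frames."""
    # Section Header: byte-order magic, version 1.0, unknown section length (-1)
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    # Interface Description: link type 1 (Ethernet), reserved, snaplen 96
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 96))
    ts1 = 1_360_000_000_000_000          # microseconds since the Unix epoch (constructed)
    ts2 = ts1 + 2_500
    frame1 = b"\xaa" * 175               # 175 bytes on the wire, all 175 captured (filler content)
    frame2 = b"\xbb" * 96                # 1514 bytes on the wire, but the snaplen cut it to 96
    epb1 = _block(EPB, struct.pack("<IIIII", 0, ts1 >> 32, ts1 & 0xFFFFFFFF, len(frame1), 175) + frame1)
    epb2 = _block(EPB, struct.pack("<IIIII", 0, ts2 >> 32, ts2 & 0xFFFFFFFF, len(frame2), 1514) + frame2)
    return shb + idb + epb1 + epb2


def read_frames(data):
    """Walk the blocks and return one (frame_no, utc_time, captured_len, wire_len) tuple per packet.

    Assumes a little-endian section and the default microsecond timestamp resolution;
    an if_tsresol option in the IDB would change the scale and is not handled here.
    """
    frames, pos, frame_no = [], 0, 0
    while pos + 8 <= len(data):
        btype, total = struct.unpack_from("<II", data, pos)
        if total < 12:
            raise ValueError(f"corrupt block length {total} at offset {pos}")
        if btype == EPB:
            _iface, ts_hi, ts_lo, caplen, wirelen = struct.unpack_from("<IIIII", data, pos + 8)
            micros = (ts_hi << 32) | ts_lo
            # Wireshark stamps packets with the capturing machine's clock; rendering in UTC
            # lets captures from machines in different time zones be lined up.
            when = datetime.fromtimestamp(micros // 1_000_000, tz=timezone.utc)
            when = when.replace(microsecond=micros % 1_000_000)
            frame_no += 1
            frames.append((frame_no, when, caplen, wirelen))
        pos += total
    return frames


def truncated_frames(frames):
    """Frames where bytes captured < bytes on the wire: the mismatch step 6 tells you to look for."""
    return [f for f in frames if f[2] < f[3]]


if __name__ == "__main__":
    for no, when, caplen, wirelen in read_frames(build_sample_pcapng()):
        flag = "" if caplen == wirelen else "  <-- truncated"
        print(f"frame {no}: {when.isoformat()}  captured={caplen} on_wire={wirelen}{flag}")
```

Run as a script, it lists both frames and flags the second one as truncated. A real capture with many truncated frames points at either a snaplen that is too small or a capture host that cannot keep up with the interface, which is the same conclusion the lab draws from the frame header in the GUI.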

9. Click the plus sign at the beginning of the User Datagram Protocol line to expand the Transport Layer detail. The information in the User Datagram Protocol detail confirms that the source port in this capture file is an ephemeral, or temporary, port on the source computer. We know this because of its numeric range. The port on the destination computer, however, is in the range of assigned port numbers. Port number 1900 is assigned to SSDP, the Simple Service Discovery Protocol, and indicates that SSDP is being queried for the existence of services on the network.

Note: The Internet Assigned Numbers Authority (IANA) maintains the official list of service names and port numbers for all services, such as TCP, UDP, and SSDP, that run over the Transport Layer. See the complete list at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.

Figure 17 User Datagram Protocol frame detail

10. Click the minus sign at the beginning of the User Datagram Protocol line to close the Transport Layer detail.
11. Click the plus sign at the beginning of the Hypertext Transfer Protocol line to expand the Application Layer detail.

Figure 18 Hypertext Transfer Protocol frame detail

12. Click the minus sign at the beginning of the Hypertext Transfer Protocol line to close the Application Layer detail.

Note: In the next steps, you will explore the content of the related frame, number 545. This too is a UDP SSDP request. While frame 546 used IPv4, frame 545 uses IPv6, but both carry a similarly formatted SSDP request.

13. Click frame 545. Use the scrollbar in the frame summary pane to find the appropriate frame number.
14. In the frame detail pane, click the plus sign at the beginning of the Frame 545 line to expand the fields. If necessary, drag the frame borders of the frame detail pane to expand it.

Figure 19 Frame detail for frame 545
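The facts the frame detail pane presents for frames 546 and 545 (the source OUI, the multicast destination MAC, the IP version nibble, the ephemeral source port and the assigned destination port 1900) can be reproduced with a short hand-written dissector. The following Python script is an added example, not part of the lab or of Wireshark: it constructs two SSDP query frames modelled on the lab's frames 546 (IPv4 to 239.255.255.250) and 545 (IPv6 to ff02::c), dissects Ethernet II, IPv4/IPv6 and UDP, and lists the fields that differ between the two, which is what step 15 asks you to note. The source MAC and OUI are the ones the lab quotes; the IP addresses, ports, IP identification field and payload are constructed, the checksums are left at zero, and `OUI_NAMES` and `IANA_PORTS` are tiny stand-ins for Wireshark's manufacturer table and the IANA registry.

```python
import struct
import ipaddress

# Stand-in for Wireshark's manufacturer table: just the OUI the lab discusses.
OUI_NAMES = {"00:22:fa": "IntelCor"}
# Constructed subset of the IANA service-name registry.
IANA_PORTS = {53: "domain", 80: "http", 1900: "ssdp"}

SRC_MAC = bytes.fromhex("0022fa1cebe6")      # 00:22:fa:1c:eb:e6, as in the lab's frame 546
SSDP_PAYLOAD = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n')


def build_ssdp_frame(ipv6=False):
    """Constructed SSDP query frames modelled on frames 546 (IPv4) and 545 (IPv6)."""
    udp = struct.pack("!HHHH", 54321, 1900, 8 + len(SSDP_PAYLOAD), 0) + SSDP_PAYLOAD  # checksum 0
    if ipv6:
        src = ipaddress.IPv6Address("fe80::222:faff:fe1c:ebe6").packed  # EUI-64 form of SRC_MAC
        dst = ipaddress.IPv6Address("ff02::c").packed                   # link-local SSDP group
        dst_mac = bytes.fromhex("33330000000c")   # 33:33 + low 32 bits of the group address
        ip = struct.pack("!IHBB16s16s", 0x60000000, len(udp), 17, 1, src, dst)
        return dst_mac + SRC_MAC + struct.pack("!H", 0x86DD) + ip + udp
    src = ipaddress.IPv4Address("192.168.1.64").packed
    dst = ipaddress.IPv4Address("239.255.255.250").packed
    dst_mac = bytes.fromhex("01005e7ffffa")       # 01:00:5e + low 23 bits of the group address
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 1, 17, 0, src, dst)
    return dst_mac + SRC_MAC + struct.pack("!H", 0x0800) + ip + udp


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame):
    """Ethernet II -> IPv4/IPv6 -> UDP, returning the same facts the frame detail pane shows."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "src_mac": mac_str(src),
        "src_vendor": OUI_NAMES.get(mac_str(src)[:8], "unknown"),   # first 3 octets = OUI
        "dst_mac": mac_str(dst),
        "dst_is_multicast": bool(dst[0] & 0x01),                    # I/G bit of the first octet
        "ethertype": ethertype,
    }
    l3 = frame[14:]
    version = l3[0] >> 4                    # the version nibble step 6 asks you to record
    info["ip_version"] = version
    if version == 4 and ethertype == 0x0800:
        header_len = (l3[0] & 0x0F) * 4
        proto = l3[9]
        info["src_ip"] = str(ipaddress.IPv4Address(l3[12:16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(l3[16:20]))
        l4 = l3[header_len:]
    elif version == 6 and ethertype == 0x86DD:
        proto = l3[6]
        info["src_ip"] = str(ipaddress.IPv6Address(l3[8:24]))
        info["dst_ip"] = str(ipaddress.IPv6Address(l3[24:40]))
        l4 = l3[40:]
    else:
        # A version nibble that disagrees with the EtherType means corruption or spoofing.
        info["note"] = "IP version does not match EtherType"
        return info
    if proto == 17:
        sport, dport, udp_len, _csum = struct.unpack("!HHHH", l4[:8])
        info.update(
            src_port=sport,
            src_port_is_ephemeral=sport >= 49152,   # IANA dynamic range; many OSes also use 1024+
            dst_port=dport,
            dst_service=IANA_PORTS.get(dport, "unassigned"),
            payload=l4[8:udp_len],
        )
    return info


def differences(a, b):
    """Fields that differ between two dissections (step 15 asks you to note them)."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    v4, v6 = dissect(build_ssdp_frame()), dissect(build_ssdp_frame(ipv6=True))
    for k in sorted(v4):
        print(f"{k:22} {v4[k]!r:45} {v6.get(k)!r}")
    print("differs in:", differences(v4, v6))
```

The comparison shows the lab's point directly: the two frames share the source MAC, the vendor lookup, the ports, the service name and the payload, and differ only in EtherType, IP version, addresses and the multicast MAC prefix (01:00:5e for IPv4, 33:33 for IPv6).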

15. Repeat steps 9-20 to explore the content of this packet and note any differences between the two frames, as this information may be needed to complete the lab deliverables.

Note: In the next steps, you will see how applying filters can make analyzing your data much easier. Filters are one of the most powerful tools in Wireshark. They allow a very complex set of criteria to be applied to the captured packets, and only the result is displayed. The rest of the packets are still there; they are just not included in a filtered analysis and can be restored very easily. It is also possible to save a filtered view of the packets without the additional packets. Filter expressions may either be built with the Filter Expression dialog window or typed directly into the Filter field. For the lab we will start by focusing just on any packets in the file relating to a visit to Google.com. The IP address for Google is 74.125.227.112, an IP version 4 address.

16. Click the Expression button next to the Filter text box below the Wireshark menu to open the Filter Expression dialog box.

Figure 20 The Expression button

17. In the Filter Expression dialog box, use the scrollbars in the Field name box to locate IPv4 - Internet Protocol Version 4.
18. Click the plus sign at the beginning of the IPv4 - Internet Protocol Version 4 option to reveal the many different fields within IPv4 that can be used in a filter expression.
19. Click ip.addr to select it.

Figure 21 Starting a filter expression

20. In the Relation box, click == (the double equal sign) to select the equivalent of equals.
21. In the Value box, type 74.125.227.112 (the IP address for Google.com).

Figure 22 Building a filter expression

22. Click OK to complete the filter and close the Filter Expression dialog box. Notice that the filter expression that you built now appears in the Filter field below the Wireshark menu, but there is no change to your data view.

Figure 23 Wireshark filter expression

23. Click the Apply button. Notice the change in the frame number column. All of the packets visible in the frame summary pane now apply only to Google. All of the other packets still exist; they are just not displayed.

24. Click Statistics from the Wireshark menu, and select Flow Graph to open the Flow Graph dialog box.

Figure 24 Flow Graph dialog box

25. Click the TCP flow radio button and click OK. Wireshark opens the Graph Analysis window. By selecting a TCP flow in the Flow Graph, you are telling Wireshark that you want to see all of the elements in a TCP three-way handshake (SYN, SYN-ACK, ACK). In the filter expression that you applied earlier in the lab, you filtered the packets to show only the traffic with Google.com (IP address 74.125.227.112).

Figure 25 Wireshark Flow Graph

26. Expand the center pane of the Flow Graph dialog box until you can see both the local IP host (192.168.1.64) and the Google.com IP address (74.125.227.112). Pay attention to the arrows in this pane. The arrow's direction indicates the direction of the TCP traffic, and the length of the arrow indicates between which two addresses the interaction is taking place.

27. Use the scrollbar on the right side of the Flow Graph to locate the first three-way TCP handshake between the local IP host and Google.

28. In your document, record the time (found in the Time box on the left) that each step (SYN, SYN-ACK and ACK) occurred. You may choose to make a screen capture of the data and paste it into your document.

Note: This situation is a bit tricky. You will notice, if you look closely at the flow graph (also known very commonly as a ladder diagram), that the interaction between 192.168.1.64 (the local IP host) and 74.125.227.112 (google.com) is already occurring when the new connection is requested. What is seen in the diagram is the SYN for the new connection at -14408.59765, but it is not followed immediately by the SYN-ACK and ACK.
It is followed immediately by the PSH-ACK, ACK, PSH-ACK which is required to close the existing connection. Only then can the SYN-ACK and ACK be exchanged to open the new connection.
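As an added example that is not part of the lab, the following Python script does by program what steps 27-28 ask you to do by eye: it matches each SYN to its SYN-ACK and ACK on the full client/server endpoint pair (IP and port), so interleaved segments of an already open connection between the same two hosts are skipped rather than mistaken for the handshake. The flow text, the ports and every time except the quoted SYN time are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the lab's flow graph (ladder diagram). The two
# hosts are the ones named in the lab and the SYN time is the one the lab quotes;
# the ports, the other timestamps and the ordering are made up to reproduce the
# tricky case: the new SYN is followed by segments of an already open connection
# (on another client port) before its own SYN-ACK and ACK arrive.
SAMPLE_FLOW = """\
-14408.597650 192.168.1.64:49152 -> 74.125.227.112:80 [SYN]
-14408.590110 192.168.1.64:49150 -> 74.125.227.112:80 [PSH,ACK]
-14408.571200 74.125.227.112:80 -> 192.168.1.64:49150 [ACK]
-14408.560330 74.125.227.112:80 -> 192.168.1.64:49150 [PSH,ACK]
-14408.555000 74.125.227.112:80 -> 192.168.1.64:49152 [SYN,ACK]
-14408.554100 192.168.1.64:49152 -> 74.125.227.112:80 [ACK]
-14408.500000 192.168.1.64:49152 -> 74.125.227.112:80 [PSH,ACK]
"""

LINE_RE = re.compile(
    r"^(?P<t>-?\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\[(?P<flags>[A-Z,]+)\]$"
)


@dataclass(frozen=True)
class Segment:
    time: float
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    flags: frozenset    # TCP flag names that are set, e.g. {"SYN", "ACK"}


def parse_flow(text: str) -> List[Segment]:
    """Parse the one-line-per-segment text format used by SAMPLE_FLOW."""
    segments = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable flow line: {line!r}")
        segments.append(Segment(float(m["t"]), m["src"], m["dst"],
                                frozenset(m["flags"].split(","))))
    return segments


def find_handshakes(segments: List[Segment]) -> List[Dict[str, object]]:
    """Return one record per completed three-way handshake with the time of each step.

    A handshake is matched on the full client/server endpoint pair (IP and port), so
    segments of a different connection between the same two hosts are skipped rather
    than taken for the reply to the SYN. 'interleaved' counts the skipped segments.
    """
    found = []
    for i, syn in enumerate(segments):
        if syn.flags != {"SYN"}:
            continue
        synack = None
        for j in range(i + 1, len(segments)):
            s = segments[j]
            if synack is None:
                if s.flags == {"SYN", "ACK"} and s.src == syn.dst and s.dst == syn.src:
                    synack = s
            elif s.flags == {"ACK"} and s.src == syn.src and s.dst == syn.dst:
                found.append({
                    "client": syn.src, "server": syn.dst,
                    "SYN": syn.time, "SYN-ACK": synack.time, "ACK": s.time,
                    "interleaved": j - i - 2,   # segments between SYN and ACK other than the SYN-ACK
                })
                break
    return found


if __name__ == "__main__":
    for hs in find_handshakes(parse_flow(SAMPLE_FLOW)):
        print(f"{hs['client']} -> {hs['server']}: SYN {hs['SYN']:.5f}, "
              f"SYN-ACK {hs['SYN-ACK']:.5f}, ACK {hs['ACK']:.5f} "
              f"({hs['interleaved']} unrelated segments in between)")
```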

29. Click Close to close the Graph Analysis window.

30. Click Cancel to close Flow Graph Options.

Note: In the next steps, you will manually apply a new filter to examine all DNS-related packets. You will have the opportunity to trace a recursive query to resolve a DNS request.

31. In the Filter box below the Wireshark menu, highlight ip.addr == 74.125.227.112 (the existing filter expression) and type dns to overwrite the existing filter.

32. Click Apply to display only the DNS and DNS-related packets.

Figure 26 DNS filter applied

33. In the frame summary pane, click Frame 115 to select it. Frame 115 is the request from the local IP host (192.168.1.64) to its local Domain Name Server (192.168.1.254) to resolve the name issaseries.org into an IP address.

34. Drag the frame borders of the frame detail pane to expand it.

Note: In some browsers, we have noticed that the pane of the Graph Analysis window may display the captured Wireshark text as small boxes. The lab is still functional. Please ignore this and continue to the next step.

35. Click the plus sign at the beginning of the Domain Name System (query) line to expand the detail. In this section of the detail pane, we learn that the query was a standard query with 1 question (what is issaseries.org), and that the response to this query can be found in Frame 116. You'll examine that frame later in this lab.

36. Click the plus sign at the beginning of the Queries line.

37. Click the plus sign at the beginning of the issaseries.org line.

Figure 27 DNS query of the issaseries.org domain

38. Click the plus sign at the beginning of the Flags line. Within the Flags detail is a flag titled recursion desired. This flag indicates whether or not the local Domain Name Server should continue to query other

DNSs if it is unable to resolve the current query (in this case issaseries.org). As this DNS is local, it may or may not have enough information to allow issaseries.org to be resolved. If the recursion flag is set (as it is in this query), the local DNS will continue to query higher-level DNSs until it is able to resolve the address. The resolution of this recursive query should appear later in the frame summary.

Figure 28 Display DNS Detail

39. In the frame summary pane, click Frame 116 (the response to the issaseries.org query). In the Queries section of this packet we can confirm that this is the response to the query for issaseries.org. Further, in the Flags section of this packet, we learn that the response was No such name, indicating that the local DNS could not find the issaseries.org domain. This does not necessarily mean that issaseries.org does not exist but, rather, that issaseries.org is not known to any of the Domain Name Servers that were searched. But, because the recursive flag is on, it is likely that issaseries.org does not exist or no longer exists.

Figure 29 Display DNS Detail

40. Close the virtual lab, or proceed with Part 3 to answer the challenge questions for this lab.

Lab #1 - Assessment Worksheet
Analyzing IP Protocols with Wireshark
Course Name and Number:
Student Name:
Instructor Name:

Lab Due Date:

Overview
In this lab, you exercised a wide variety of capabilities of the Wireshark packet capture and analysis software. In the first part of the lab, you learned about probe placement, clocking/timing issues, Wireshark traffic capture, and the use of filters. In the second part of the lab, you utilized a capture file to answer basic questions about key IP protocols and the basic configuration of the IP hosts from which traffic is captured. Finally, in the third part of the lab, you explored Wireshark on your own to answer a set of challenge questions.

Lab Assessment Questions & Answers
1. What are some causes of the number of bytes on the wire exceeding the number of bytes being captured?
2. What are the source and destination MAC addresses in Frame 546?
3. What is the manufacturer-specific ID for Intel Core?
4. What is the MAC address used for IPv4 multicast?
5. What version of IP is present in Frame 546? What is the source IP address?
6. At what times did the various steps of the Google three-step TCP handshake occur?
7. A DNS query failure is referred to a higher-level Domain Name Server under what condition?

8. The descriptive text that accompanies the packet analysis is provided by Wireshark. True or False?

Toolwire Lab 2: Using Wireshark and Netwitness Investigator to Analyze Wireless Traffic

Introduction
Click the link below to view the network topology for this lab: Topology

The Wireshark protocol analyzer is multi-faceted. In fact, a person can use Wireshark for many years and not use all of the various capabilities of Wireshark. For instance, Wireshark can be used by a security analyst to find anomalies in network traffic indicative of viruses or exfiltration of information while at the same time, even on the same traffic from the same organization, it can be used to troubleshoot application performance issues or benchmark VoIP latencies. In this lab, we begin by using Wireshark to analyze some of the specifics of wireless transmissions and then move on to analyze the network packets using a more security-specific tool, NetWitness Investigator. It is also noteworthy that Wireshark is available at no charge while NetWitness is a commercial product that is widely utilized and may be encountered in any well-equipped cyber forensics lab and in many field investigations.

This lab has three parts that should be completed in the order specified.
1. In the first part of the lab, you will use an existing capture file to view some of the wireless aspects of networks as well as some of the aspects of network traffic that remain the same regardless of the physical transport, be it wired or wireless.
2. In the second part of the lab, you will utilize the same capture file but with a more security-focused tool, NetWitness Investigator.
3. Finally, if assigned by your instructor, you will explore the virtual environment on your own in the third part of the lab to answer a set of challenge questions. The questions allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Learning Objectives
Upon completing this lab, you will be able to:
Analyze the wireless-specific portion of network traffic using Wireshark
Identify the portions of network traffic that remain the same regardless of whether the packets traverse wires or fly through the air wirelessly
Use features of the NetWitness Investigator tool to analyze traffic with wireless content
Determine which tool, Wireshark or NetWitness Investigator, is the preferred tool for a given task
Utilize both Wireshark and NetWitness Investigator together to provide a complete picture of the interactions being investigated
Be able to generalize your new knowledge of Wi-Fi traffic to other types of wireless traffic analyzed by using the Wireshark analyzer
Differentiate between the more generalized capabilities of Wireshark and the more specialized cybersecurity analysis-focused uses of NetWitness Investigator

Tools and Software
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
Wireshark
NetWitness Investigator

Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file including screen captures of the following steps: Part 1 Step 15, Part 1 Step 29, Part 2 Step 8, and Part 2 Step 10;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.

Evaluation Criteria and Rubrics
The following are the evaluation criteria for this lab that students must perform:

1. Analyze the wireless-specific portion of network traffic using Wireshark. [20%]
2. Identify the portions of network traffic that remain the same regardless of whether the packets traverse wires or fly through the air wirelessly. [10%]
3. Use features of the NetWitness Investigator tool to analyze traffic with wireless content. [20%]
4. Determine which tool, Wireshark or NetWitness Investigator, is the preferred tool for a given task. [10%]
5. Utilize both Wireshark and NetWitness Investigator together to provide a complete picture of the interactions being investigated. [20%]
6. Be able to generalize your new knowledge of Wi-Fi traffic to other types of wireless traffic analyzed by using the Wireshark analyzer. [10%]
7. Differentiate between the more generalized capabilities of Wireshark and the more specialized cybersecurity analysis-focused uses of NetWitness Investigator. [10%]

Hands-On Steps
Note: This lab contains detailed lab procedures which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.

1. From the vWorkstation desktop, double-click the Common Lab Tasks file to open the file in Adobe Reader. If desired, use the File Transfer button to transfer the file to your local computer and print a copy for your reference. Instructions for transferring the file can be found in the file itself.

Figure 1 Student Landing workstation

2. On your local computer, create the lab deliverable files.

3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.

Part 1: Analyzing Wireless Traffic with Wireshark

1. Double-click the Wireshark icon on the desktop to start the Wireshark application.

Figure 2 Main Wireshark Screen

The main screen of Wireshark includes several shortcuts to make your job easier. There are four categories of shortcuts.

Wireshark Screen Sections
SECTION TITLE: DESCRIPTION
Capture: This section displays a list of the network interfaces, or machines, that Wireshark has identified, and from which packets can be captured and analyzed.
Files: This section displays the most recent list of files that you were analyzing in Wireshark. The default status for this section is blank because no files have been opened yet.
Online: This section displays shortcuts to the Wireshark website.
Capture Help: This section displays shortcuts to the Wireshark website for help in using the tool.

2. Click Open to display a list of files that are on the desktop.

Figure 3 Wireshark Open Capture File

3. Double-click the DemoCapturepcap.pcapng file to load the packet capture data into the Wireshark window.

Note: Wireshark capture files, like the DemoCapture file found in this lab, have a .pcapng extension, which stands for packet capture, next generation.

Figure 4 Wireshark Frame Summary

Note: Many people believe that it is necessary to enable the Wireless Toolbar (View > Wireless Toolbar) any time they are looking at wireless traffic. However, even if you were to enable the Wireless Toolbar at this point, the option would remain greyed out because the toolbar is only used when capturing live traffic, and then only if the AirPcap interface is enabled. In this virtual lab, we are using a pre-captured file and are not capturing live traffic, so it is not necessary to turn on the Wireless Toolbar.

4. Drag the top border of the Frame Detail pane up to expand it until only the summaries of frames 1, 2, and 3 are shown.

Figure 5 Wireshark window with enlarged Frame Detail pane

5. Click the plus sign at the beginning of the Frame 1 line in the Frame Detail pane to expand the fields. Notice the number of fields related to time.
This part of the display will be the same for wired or wireless traffic. However, the Encapsulation type: Per-Packet Information indicator, a field unique to wireless traffic, confirms that this is a wireless packet.

Figure 6 Expanded frame physical detail

6. Click the minus sign at the beginning of the Frame 1 line in the Frame Detail pane to collapse the fields.

Note: Double-clicking headings in the Frame Detail pane will also expand or collapse the detail below.

7. Click the plus sign at the beginning of the PPI version 0 line in the Frame Detail pane to expand the fields and display the Per-Packet Information encapsulation.

8. Click the plus sign at the beginning of the Flags line in the Frame Detail pane to expand the fields.

Figure 7 Expanded PPI encapsulation frame detail

9. Notice the following information contained within these headers:
Alignment is set to 0, or not aligned, which means that the next byte after the field contains the next field.
Header length: 84 octets refers to the length of the PPI header only and does not include any other headers that may be present in the frame.
A Data Link Type (DLT) of 105 indicates that data is transferred over an 802.11n wireless network.

Note: All of this information can be verified, if one wishes, by consulting the hexadecimal representation of the field at the bottom of the window in the Byte Data pane.

10. Click the plus sign at the beginning of the 802.11-Common line in the Frame Detail pane to expand the fields common to all 802.11 wireless protocols. Along with some very specific information about radio frequencies and channels, the fields indicate that the maximum rate of transmission is 300 Mbps (Rate: 300.0 Mbps).

Figure 8 Expanded 802.11-Common frame detail

11. Click the plus sign at the beginning of the 802.11n MAC+PHY line to expand those fields.

12. Use the scrollbar as necessary to view all of the newly expanded fields. Notice that the data reveals a large amount of information about the 802.11n connection, including signal strengths, noise ratios and other information about the antennae.

Figure 9 Expanded 802.11n MAC+PHY frame detail
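The PPI header and the two fields inspected in steps 7-12 can be decoded straight from the frame bytes, which is a useful cross-check against what the Frame Detail pane shows. The following Python parser is an added example, not part of the lab or of Wireshark; its sample frame is constructed so that the header carries the values the lab points out (alignment flag 0, header length 84, DLT 105, rate 300 Mbps), the field layouts follow the published PPI specification, and the antenna readings, channel, MCS and the 802.11 payload stub are made up.

```python
import struct
from typing import Any, Dict, List

# PPI header: version u8, flags u8, header length u16, DLT u32, all little-endian (8 bytes).
# It is followed by fields, each introduced by a u16 type and a u16 data length.
PPI_HEADER = struct.Struct("<BBHI")
PPI_FIELD_HEADER = struct.Struct("<HH")
PPI_FLAG_ALIGNED = 0x01          # bit 0 of the flags byte: fields are 32-bit aligned
DLT_IEEE802_11 = 105             # link type of the frame that follows the PPI header
FIELD_80211_COMMON = 2           # 802.11-Common, 20 bytes of data
FIELD_80211N_MACPHY = 3          # 802.11n MAC+PHY extension, 48 bytes of data


def decode_field(ftype: int, data: bytes) -> Dict[str, Any]:
    """Decode the two PPI fields the lab examines; other types are returned raw."""
    if ftype == FIELD_80211_COMMON and len(data) == 20:
        tsf, flags, rate, freq, chflags, hopset, pattern, sig, noise = struct.unpack("<QHHHHBBbb", data)
        return {"type": "802.11-Common", "tsf": tsf, "flags": flags,
                "rate_mbps": rate * 0.5,          # the rate field is in 500 kbps units
                "channel_mhz": freq, "channel_flags": chflags,
                "dbm_antsignal": sig, "dbm_antnoise": noise}
    if ftype == FIELD_80211N_MACPHY and len(data) == 48:
        flags, ampdu_id, delims, mcs, streams, rssi_combined = struct.unpack_from("<IIBBBB", data, 0)
        dbm = struct.unpack_from("<8b", data, 24)   # signal/noise pairs for antennas 0..3
        return {"type": "802.11n MAC+PHY", "flags": flags, "ampdu_id": ampdu_id,
                "mcs": mcs, "streams": streams, "rssi_combined": rssi_combined,
                "dbm_antsignal": list(dbm[0::2]), "dbm_antnoise": list(dbm[1::2])}
    return {"type": ftype, "raw": data}


def parse_ppi(buf: bytes) -> Dict[str, Any]:
    """Parse a PPI-encapsulated frame; the 802.11 frame is returned untouched as 'payload'."""
    version, flags, length, dlt = PPI_HEADER.unpack_from(buf, 0)
    if version != 0:
        raise ValueError(f"unsupported PPI version {version}")
    if length < PPI_HEADER.size or length > len(buf):
        raise ValueError(f"PPI header length {length} does not fit in a {len(buf)}-byte buffer")
    aligned = bool(flags & PPI_FLAG_ALIGNED)
    fields: List[Dict[str, Any]] = []
    off = PPI_HEADER.size
    while off + PPI_FIELD_HEADER.size <= length:
        ftype, flen = PPI_FIELD_HEADER.unpack_from(buf, off)
        off += PPI_FIELD_HEADER.size
        if off + flen > length:
            raise ValueError(f"PPI field type {ftype} overruns the header")
        fields.append(decode_field(ftype, buf[off:off + flen]))
        off += flen
        if aligned:                      # alignment flag 1: pad each field to a 32-bit boundary
            off = (off + 3) & ~3
    return {"version": version, "aligned": aligned, "header_length": length,
            "dlt": dlt, "fields": fields, "payload": buf[length:]}


# Constructed sample frame (not taken from the lab capture): 8 + (4+20) + (4+48) = 84 bytes
# of PPI header, exactly the length the lab reports, followed by a stub 802.11 frame.
SAMPLE_PPI_FRAME = (
    PPI_HEADER.pack(0, 0, 84, DLT_IEEE802_11)                      # version 0, flags 0 (not aligned)
    + PPI_FIELD_HEADER.pack(FIELD_80211_COMMON, 20)
    + struct.pack("<QHHHHBBbb", 0x1234567890, 0, 600, 2437, 0x0080, 0, 0, -45, -92)  # 600 * 0.5 = 300 Mbps
    + PPI_FIELD_HEADER.pack(FIELD_80211N_MACPHY, 48)
    + struct.pack("<IIBBBB", 0, 0, 0, 15, 2, 0)                    # flags, A-MPDU id, delimiters, MCS 15, 2 streams, RSSI
    + bytes(8) + struct.pack("<HH", 0, 0)                          # per-antenna RSSI (ctl/ext), ext channel freq/flags
    + struct.pack("<8b", -45, -92, -47, -91, 0, 0, 0, 0)            # dBm signal/noise for antennas 0..3
    + bytes(16)                                                    # EVM0..EVM3
    + bytes.fromhex("8802") + bytes(24)                            # stub QoS Data frame header (frame control 0x88 0x02)
)

if __name__ == "__main__":
    parsed = parse_ppi(SAMPLE_PPI_FRAME)
    print(f"PPI v{parsed['version']} aligned={parsed['aligned']} "
          f"length={parsed['header_length']} DLT={parsed['dlt']}")
    for field in parsed["fields"]:
        print(field)
```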

Note: The detailed information that Wireshark provides about the antennae, signal strengths, and other aspects of the wireless communications environment can be very useful for installation, antenna placement, and troubleshooting. It can also be very valuable in terms of computer forensics because it can be used to map who was able to communicate with whom, the measured strength of signals, what frequencies are used, and other data. In addition to forensics on standard Wi-Fi and other forms of traditional wireless communications, this information can also be very useful for jamming certain frequencies, determining which devices likely were used to set off remote bombs and Improvised Explosive Devices (IEDs), and a spectrum of other things.

13. If desired, click the minus sign in front of the PPI version 0 line to collapse the information relative to the Per-Packet Information encapsulation. You may have to use the scrollbar to return to this header line.

14. Click the plus sign at the beginning of the IEEE 802.11 QoS Data, Flags line to expand the 802.11 Quality of Service information and Flags fields. In this group of fields, Wireshark displays information about the transmitters and receivers of the data, which allows the network administrator to determine which Media Access Control (MAC) addresses match each transmitter and receiver.

Figure 10 Frame Address Information

15. Make a screen capture showing the receiver address, the transmitter address, the source address, and the destination address found in the IEEE 802.11 QoS Data fields.

Note: Remember, Wireshark displays transmitter/receiver addresses in both full hexadecimal (00:14:a5:cd:74:7b) and a kind of shorthand, in this case GemtekTe_cd:74:7b. That shorthand code is Wireshark's translation of the first part of the receiver address (00:14:a5) into the manufacturer's name or alphanumeric designation (GemtekTe_).
The IEEE has compiled a list of company names that correspond to the first six characters of the MAC ID, which can be accessed on their Web site at http://standards.ieee.org/develop/regauth/oui/public.html. While Wireshark's translation is most likely correct, it is also possible that some manufacturers, especially those that have acquired other companies, will have more than one numeric designation that resolves to their name or alphanumeric designation. It is therefore better to refer to the entire hexadecimal representation of the address rather than the shorthand. It is also possible, though not likely, for sophisticated criminals to spoof, or send false information to, Wireshark. It is unlikely that common criminals, even savvy cybercriminals, take into account the receiver and transmitter addresses or, even if they do, have the knowledge and skills to modify the hardware to spoof this information. It is much more common that the MAC addresses (source and/or destination addresses) are

spoofed, but matching them to their appropriate transmitter and receiver addresses can provide the needed forensic evidence of which devices were involved in a particular communication and their role in the suspect activity.

16. Click the plus sign in front of the Frame check sequence line to expand those additional fields.

17. Click the plus sign in front of the QoS Control line to expand those additional fields. Study the fields and their values. It is within the scope of this lab to understand that the fields exist but beyond the scope of this lab to explain what each field means and the interaction of the fields.

Figure 11 Quality of Service detail

18. Click the minus sign in front of the IEEE 802.11 QoS Data, Flags line to collapse these fields.

Note: There are literally hundreds of fields of data available, depending upon the wireless communications protocols that are present and those that are captured, and a thousand different ways to interpret them. The fields that have been examined thus far are unique to wireless networking. There are some important aspects to know about capturing wireless data with Wireshark. Wireshark is regularly installed with a packet capture library called WinPcap. Based on the wireless interfaces and how the capture is set up, Wireshark, using this library, will display all of the fields it can capture. However, it is possible that in some cases there is wireless information that Wireshark cannot capture, or can capture only the essence of the command and control information, but not the information itself. For this reason, packet capture add-ons, like AirPcap, are frequently installed with Wireshark. These add-ons allow you to capture more wireless information than you could without them.
Most network analysts feel that AirPcap is absolutely required for capturing wireless traffic between devices, or between devices and, say, a wireless access point, depending on your goals and the objectives of the capture. From this point of the lab forward, all of the data captured will be common to both wired and wireless networking and would have been captured by Wireshark using either AirPcap or WinPcap.

19. Click the plus sign in front of the Logical-Link Control line to expand the LLC fields and familiarize yourself with the data available.

20. Click the minus sign in front of the Logical-Link Control line to collapse the LLC fields.

21. Click the plus sign in front of the Internet Protocol version 4 line to expand the header and familiarize yourself with the data available.

22. Click the plus sign in front of each subfield and familiarize yourself with the data available.

Figure 12 Internet Protocol data

23. Click the minus sign in front of the Internet Protocol version 4 line to collapse the fields.

24. Click the plus sign in front of the User Datagram Protocol line and familiarize yourself with the data available.

25. Click the minus sign in front of the User Datagram Protocol line to collapse the UDP fields.

26. Click the plus sign in front of the Domain Name System (query) line to expand its fields. These fields record data related to an Internet query.

27. Click the plus sign in front of the Flags line to expand those fields and familiarize yourself with the data available.

28. Click the plus sign in front of the Queries line and familiarize yourself with the data available. Notice that the data indicates that someone tried to access the www.polito.it Web site.

Note: The ultimate payload, regardless of whether the packet is sent through the air or on a wire, is a Domain Name System query. In this case, the DNS information is being requested for www.polito.it. Any DNS request, regardless of whether the packet is sent wirelessly or via wire, includes the same fields in a Wireshark packet capture, but the wireless portion of the frame information requires special consideration in a forensic investigation. Suppose that a forensic investigator needed to monitor all Web traffic within a coffee shop to determine which Web sites were accessed by the subject of an investigation; then the fact that the Web query was conducted wirelessly is really unimportant to the investigation, except perhaps that the investigation was aided by getting easy access to unencrypted airborne packets. An investigator may choose to set a filter on the resulting capture file that shows only DNS requests. In this way, the investigator can determine which Web sites the subject wished to visit, and then is able to visit those Web sites himself later to determine the nature of the Web sites.
It is also possible to set a filter that displays both the DNS requests and their resulting DNS responses to determine which Web sites existed at the time the capture file was made, as opposed to which Web sites still existed when subsequent research was done. Consider, for example, a drug or human trafficking case. The owner of an illegal Web site may shut down the Web site after a subject is taken into custody, but before the research is completed. This type of filter will allow investigators to determine that while they were unable to access the Web site, the subject was able to complete the transaction. Packet capture files can also display the results of the Web page requests, such as any audio and video content, and support further analysis using NetWitness Investigator. On the other hand, a key part of another investigation may be to determine what information was gathered by the subject of an investigation, or to determine by whom certain information was gathered. The investigator may use information in a packet