Networks and Security Lab. Network Forensics




Network Forensics - continued
We start off from the previous week's exercises and analyze each trace file in detail.
Tools needed: Wireshark and your favorite search engine.
Optional exercises: VirusTotal (web service), Linux command-line tools (uniq, file, hexdump, md5sum, xxd), tshark (Wireshark command line).
Check Lab 2 slides for Wireshark basics.

PCAP Files (reminder)
Network traffic data captured during the attacks. Relatively small and filtered; contains information relevant to the attacker and victim only. A PCAP from an actual personal computer will have much more variety in traffic.
In some of the PCAPs, the attacker uses exploits and malware to break into the victim's system. If you choose to use your own PC instead of the virtual machine, the malware binaries in the files could trigger your anti-virus, but you are safe as long as you don't convert them into .exe files and run them on a Windows XP machine.

Installing tshark (Wireshark command-line extensions)
sudo apt-get install tshark (you will be prompted for your password)
Useful for some of the optional exercises.

Exercise 1: TCP port scan (f1.pcap)
1. Identify the IP addresses of the attacker and the target.
2. How many connection attempts have been made by the attacker?
3. How many of the ports are open?
4. Identify / guess the services running on the open ports.
5. (optional) Extract a complete list of ports tried by the attacker, and the ports that are open on the target host.

Exercise 2: Attack against the Windows Service (f2.pcap)
Overview: The victim is compromised by an automated attacker (possibly a botnet) using the vulnerabilities of the operating system.
1. Which IP addresses are involved?
2. What is the duration of the packet capture?
3. Which application-layer protocols are detected by Wireshark?
4. How many TCP sessions are in the file?

Exercise 2 (continued)
5. Identify the attacker's IP address and location (use a free online tool such as ip2location.com).
6. Check the conversation content in TCP stream #3. Which application-level protocol is used?

Exercise 2 (optional)
7. Identify the attacker's and the victim's native operating system and version (Hint: check packets #16 and #17).
8. Identify the script used by the attacker after compromising the system (Hint: TCP stream #2).
9. A malware binary is downloaded by the host in TCP stream #4. Obtain a copy of the file (might trigger your anti-virus if not using the VM). Get the md5 sum of the binary and identify it at virustotal.com.

Exercise 3: Malicious PHP query (f3.pcap)
1. List the hosts (IP addresses) in the traffic.
2. Identify the packet that sends the initial malicious query.
3. Identify the attacker (malicious client) and the victim (web server).
4. (optional) Analyze the contents of the packet containing the malicious query. What do you think is the effect of the query on the web server? How does the attacker follow up on the initial malicious query?

Exercise 4: Spear Phishing (f4.pcap)
Overview: The victim is targeted by a spear-phishing attack containing a 0-day vulnerability for the victim's web browser.
1. What are the IP addresses of victim and attacker?
2. What is the address of the victim's original HTTP request (i.e. the malicious web server)?
3. The victim made a second request for another HTTP object. What is the file's name and type?
4. What is the name and version of the victim's browser?
5. What is the operating system of the victim? Hint: Look out for a broadcast address.
5. How long was the TCP session at port 4444?
6. The infected victim made repeated attempts to connect to the server via port 4445. What was the relative time of the first attempt, and how long did the attempts continue until the victim made a successful connection?

Exercise 4 (optional)
7. The server replied with a page containing obfuscated JavaScript. An array with the length 1300 is created with the label COMMENT. What string does the array's "data" section contain?
8. Two files were sent to the client. Identify the types of the files (check packet #17, and the connection on port 4445).
9. Extract the content and md5 sums of both files and use VirusTotal to analyze them (might trigger your anti-virus if not using the VM). Hint: The first two bytes in the TCP conversation denote the file length in little-endian notation.
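The carving step in item 9, as an added example that is not part of the lab slides: read the 2-byte little-endian length prefix, cut exactly that many bytes out of the reassembled conversation (what Wireshark's "Follow TCP Stream" raw export gives you), guess the type from the magic bytes as the `file` tool would, and hash the result. The stream bytes are constructed; no file from f4.pcap is used.

```python
"""Added example (not from the lab slides): carve a file out of a reassembled TCP
conversation whose first two bytes give the file length in little-endian order
(the hint in item 9), identify its type from magic bytes and compute its MD5.
The stream below is constructed; the payload only mimics an executable header."""
import hashlib
import struct

# A few signatures an analyst checks first (the same idea as the `file` tool).
MAGIC = {
    b"MZ": "DOS/Windows executable (PE)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container",
}

def carve_length_prefixed(stream):
    """Return (file_bytes, trailing_bytes). A 16-bit prefix caps the file at 65535
    bytes; raise if the stream is shorter than announced (truncated capture)."""
    if len(stream) < 2:
        raise ValueError("stream too short for a length prefix")
    (length,) = struct.unpack("<H", stream[:2])    # "<H" = little-endian uint16
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError(f"announced {length} bytes, only {len(body)} captured")
    return body, stream[2 + length:]

def identify(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def analyze(stream):
    """What items 8 and 9 ask for: length, type guess and MD5 of the carved file."""
    body, rest = carve_length_prefixed(stream)
    return {"length": len(body), "type": identify(body),
            "md5": hashlib.md5(body).hexdigest(), "trailing": len(rest)}

# Constructed conversation: 2-byte length, a fake PE-looking body, then leftover
# bytes the server kept sending after the file.
FAKE_FILE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
STREAM = struct.pack("<H", len(FAKE_FILE)) + FAKE_FILE + b"extra bytes"

if __name__ == "__main__":
    print(analyze(STREAM))
```

The md5 hex digest is what you paste into VirusTotal's search box, so the file itself never has to leave the VM.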