
  • Introduction to Wireshark

    The goal of this lab is to familiarize myself with the basic functionalities of Wireshark.

    Exercise 1 – Wireshark Profile Setup

    To kick off the lab, I started by setting up a custom Wireshark configuration profile. These profiles are really helpful because they let you tailor things like display columns, settings, and layout to match your workflow. You can switch between different profiles depending on what you’re analyzing, and it’s easy to import/export them to share with others.

    For this exercise, I used a pre-made profile provided for the class. I opened Wireshark on my system and imported the SEC503.Wireshark.profile.zip file. Once that was in place, I loaded the wireshark.pcap capture file, which set me up to move on to the next part of the lab (Exercise 2).

    Exercise 2 – Identifying TCP Protocols in the PCAP

    In this part of the lab, I analyzed the provided wireshark.pcap file to identify the different TCP-based protocols present in the capture.

    By going to the Statistics menu in Wireshark and selecting Protocol Hierarchy, I was able to quickly identify the three TCP protocols used in the capture file. This feature provides a clear breakdown of all protocols seen in the traffic, making it easy to spot which ones are running over TCP:

    • SSH
    • MySQL
    • Internet Relay Chat

    How many different IP addresses were involved in conversations in this pcap?

    To answer this, I opened the Conversations window under the Statistics menu in Wireshark. This tool displays all IP-level conversations and allowed me to easily identify how many unique IP addresses were communicating in the capture. It’s a quick way to get an overview of the network activity and see which hosts were involved.

    We can see that 4 different IP addresses were involved in 3 conversations in this file.

    What is the largest number of Bytes exchanged in any IPv4 conversation?

    To determine the largest number of bytes exchanged in any IPv4 conversation, I used the IPv4 Conversations tab under Statistics > Conversations in Wireshark. This view lists the total byte count for each conversation.

    From the output, I found that the highest byte exchange between any two hosts was 31k. This gave me a quick insight into which conversation involved the most data transfer within the capture.

    Exercise 3 – Counting TCP Conversations

    How many different TCP conversations are in this pcap?

    For this exercise, I used the Statistics > Conversations feature in Wireshark and navigated to the TCP tab. This tab lists all the unique TCP sessions found in the capture file. Each entry represents a separate conversation between two IP addresses over TCP.

    We can see 4 different TCP conversations in this file.

    What is the duration of the conversation that lasted the longest?

    To answer this, I stayed in the TCP tab under Statistics > Conversations in Wireshark. This view includes a Duration column, which shows how long each TCP conversation lasted. By scanning this column, I identified the conversation with the longest duration (776.1629 seconds).

    Exercise 4 – Inspecting Ethernet Type

    Before starting this task, I made sure that all three Wireshark panes were visible: the packet list, packet details, and packet bytes. If they weren’t showing, I adjusted the window size by dragging from the bottom-right corner until they appeared.

    Navigate to the first packet in the pcap. What is the hexadecimal value of the Ethernet type?

    I selected the first packet in the capture and expanded the Ethernet II section in the middle pane. From there, I located the Type field, which shows the Ethernet type in hexadecimal format (0x0800). This value indicates the protocol being used at the next layer (IPv4 here).

    What is the IP Time To Live Value?

    We can find it by expanding the IPv4 section in the middle pane; the Time to Live value is 64.

    What transport layer follows the IP layer?

    The answer is right under the TTL line, in the Protocol field. Here we can see that the transport layer is TCP (which corresponds to the hexadecimal value 0x06).

    What is the last hexadecimal byte value of the TCP header?

    By clicking on the TCP header in the middle pane, the entire TCP header gets highlighted in the lower pane, and we can see that the last hexadecimal byte value is 0xef.

    Exercise 5 – Inspecting MySQL Traffic

    As identified earlier using Protocol Hierarchy Statistics, the pcap file contains MySQL traffic. According to the instructions, there is a single MySQL session that begins at packet 372.

    Locate the MySQL session that begins in packet 372. Follow the MySQL TCP conversation. What is the version of the MySQL server package for Ubuntu?

    To complete this task, I navigated to packet 372 by going to the Go menu and selecting the Go To Packet option:

    I then right-clicked on it to select Follow > TCP Stream. This allowed me to view the entire MySQL session in context. By examining the initial handshake and server response, I was able to extract the MySQL version number used in the Ubuntu server package (5.0.51a-3ubuntu5.8). This kind of inspection is useful for identifying software versions and potential vulnerabilities in network traffic.

    What is the name of the SQL Table that the user performs an Insert Into command on?

    At the bottom of the TCP stream, we can see that the command is performed on a table called “auth_users”.

    Exercise 6 – Finding a Specific String in Packet Data

    What is the last packet that contains the string “beer”?

    To complete this exercise, I used Wireshark’s Find Packet feature by pressing Ctrl + F and switching the search type to String within Packet Bytes. I then searched for the keyword “beer”.

    Wireshark highlighted each packet containing this string. I scrolled through the results to locate the last packet in the capture that contained “beer” and recorded its packet number (470). This was a fun way to practice content-based searches within packet data.

  • Concepts of TCP/IP

    Objective:
    In this lab, I explored various aspects of the TCP/IP protocol by using tcpdump to analyze network traffic. The goal was to familiarize myself with the functionality of tcpdump and practice using its command-line options to read and interpret packet capture files.

    Exercise 1: Reading a PCAP File
    The first exercise involved using tcpdump to read a packet capture file named concepts.pcap. The objective was to analyze the contents and identify the number of recorded packets. I utilized the following command to read the file:

    Six records are displayed:

    Exercise 2: Reading Specific Records from a PCAP File

    Objective:
    In this exercise, I practiced using tcpdump to read a specified number of records from a packet capture file. The goal was to efficiently extract and display the first two records from the file concepts.pcap, as well as identify the source IP address of the second record.

    Command Explanation:
    To achieve this, I used the following tcpdump command:

    • The -c 2 option instructs tcpdump to limit the output to the first two records.
    • The -t option suppresses the display of timestamps, making the output more concise.
    • The -n option ensures that IP addresses are displayed as numerical values rather than being resolved to hostnames.
    • The -r option specifies that tcpdump should read from the file rather than capturing live traffic.

    These options can be combined in a single command for efficiency.

    The source IP address of the second record is 192.168.11.13, which is found here:

    Exercise 3: Displaying Network Records in Hexadecimal

    Objective:
    In this exercise, I learned how to use tcpdump to read a single record from a packet capture file and display it in hexadecimal format. This technique is useful when analyzing raw packet data for low-level protocol analysis. I was also asked to identify the first two bytes seen in the hex dump of the first record, the IP protocol field value, and the TTL located in the IP header.


    Command Explanation:
    To view the first record from the file concepts.pcap in hexadecimal format, I used the following command:

    The -x option displays the packet data in hexadecimal format.

    Regarding the first two bytes question: a hexadecimal character represents 4 bits (a nibble), so one byte corresponds to two hexadecimal characters. The first two bytes are 0x45 and 0x00, respectively.

    The IP protocol field value is 0x01. It is a one-byte field located at byte offset 9 from the beginning of the IP header (counting from 0). This tells us that the embedded transport protocol is ICMP.

    The TTL is located at byte offset 8 from the beginning of the IP header and, like the IP protocol field, is a one-byte field. It is equal to 0x40, or 16*4 + 1*0 = 64 in decimal.

    Exercise 4: Displaying MAC/Ethernet Addresses from a PCAP File

    Objective:
    In this exercise, I practiced using tcpdump to display the MAC (Media Access Control) addresses from a packet capture file. The goal was to read the first record from the file concepts.pcap and identify both the source and destination MAC addresses.


    Command Explanation:
    To display the MAC addresses from the first record, I used the following command:

    The -e option displays the link-layer (MAC/Ethernet) headers, showing both source (00:04:00:0a:04) and destination (00:0c:29:03:23:19) MAC addresses.

    The -v option increases the verbosity of the output, providing more detailed information about each packet. With it I can easily identify the EtherType, which indicates which protocol follows the Ethernet header (in this case IPv4), and I can also quickly see that the protocol following the IP header is ICMP (shown in the “proto” field).
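    To tie the tcpdump exercises together (the -r/-c/-n options of Exercise 2, the -x hex dump and the TTL/protocol byte offsets of Exercise 3, the -e link-layer addresses of Exercise 4) with the Ethernet type, TTL and protocol fields read in Wireshark, here is an added example that is not part of the lab or of tcpdump itself. It hand-builds three Ethernet/IPv4 frames with made-up MAC and IP addresses, writes them as a classic pcap file, reads the first two records back the way `tcpdump -r FILE -c 2 -n` would, decodes the fields at the offsets discussed above, and sums bytes per IPv4 host pair the way Wireshark's Statistics > Conversations does. All function names, addresses and packet contents are constructed for this example.

```python
"""Constructed example: write a tiny pcap, read it back, decode the header
fields the lab inspects. Nothing here is the lab's own capture."""
import os
import socket
import struct
import tempfile
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol numbers seen in the lab


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """20-byte IPv4 header (version 4, IHL 5, so the first byte is 0x45) + payload.
    Header checksum left zero: constructed data that is never put on a wire."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ethernet_frame(src_mac_hex, dst_mac_hex, ip_packet):
    """Ethernet II: destination MAC, source MAC, 2-byte type, then the IP packet."""
    return (bytes.fromhex(dst_mac_hex) + bytes.fromhex(src_mac_hex)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)


def write_pcap(path, frames):
    """Classic little-endian pcap (magic a1b2c3d4), link type 1 = Ethernet."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            # per-record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path, count=None):
    """Return the first `count` frames (all when None): the -r and -c behaviour."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    frames, pos = [], 24
    while pos + 16 <= len(data) and (count is None or len(frames) < count):
        _sec, _usec, incl_len, _orig = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return frames


def parse_frame(frame):
    """Decode the fields the lab reads by hand. TTL is IP byte 8 and the protocol
    number IP byte 9, counting from 0 at the start of the IP header. Addresses are
    returned numerically, as with -n."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info  # not IPv4: only the link-layer fields are decoded
    ip = frame[14:]
    info.update(
        first_two_bytes=ip[:2].hex(),  # "4500": version 4, IHL 5, DSCP/ECN 0
        version=ip[0] >> 4, ihl=(ip[0] & 0x0F) * 4,
        total_length=struct.unpack("!H", ip[2:4])[0],
        ttl=ip[8], proto=ip[9], proto_name=PROTO.get(ip[9], str(ip[9])),
        src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]),
    )
    return info


def hexdump(frame):
    """-x style: the IP packet (link header stripped) as 2-byte words, 16 per line."""
    ip, lines = frame[14:], []
    for off in range(0, len(ip), 16):
        chunk = ip[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        lines.append(f"0x{off:04x}:  {words}")
    return lines


def conversations(frames):
    """Bytes per unordered IPv4 host pair, as Statistics > Conversations shows."""
    totals = defaultdict(int)
    for frame in frames:
        info = parse_frame(frame)
        if "src_ip" in info:
            totals[frozenset((info["src_ip"], info["dst_ip"]))] += len(frame)
    return {tuple(sorted(pair)): size for pair, size in totals.items()}


# Constructed sample traffic: an ICMP echo request/reply pair and one TCP segment.
ICMP_REQ = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"A" * 40
ICMP_REP = b"\x00\x00\x00\x00\x00\x01\x00\x01" + b"A" * 40
FRAMES = [
    ethernet_frame("0004000a0405", "000c29032319",
                   ipv4_packet("192.168.11.65", "192.168.11.13", 1, ICMP_REQ)),
    ethernet_frame("000c29032319", "0004000a0405",
                   ipv4_packet("192.168.11.13", "192.168.11.65", 1, ICMP_REP)),
    ethernet_frame("0004000a0405", "000c29032319",
                   ipv4_packet("192.168.11.65", "10.0.0.9", 6, bytes(20), ttl=128)),
]


def demo(count=2):
    """Write the sample pcap to a temp file and decode its first `count` records."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, FRAMES)
        return [parse_frame(f) for f in read_pcap(path, count=count)]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    print("\n".join(hexdump(FRAMES[0])))
    print(conversations(FRAMES))
```

    Running it prints the two decoded records (the second one's source IP is the constructed 192.168.11.13), a tcpdump-like hex dump whose first word is 4500, and one byte total per host pair; counting the distinct addresses in those pairs answers the "how many IP addresses" question the same way the Conversations window does.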

    Exercise 5: Analyzing DNS Traffic in UDP Packets

    Objective:
    In this exercise, I analyzed DNS traffic captured in a PCAP file using tcpdump. The goal was to identify the type of activity and data within specific UDP packets, focusing on DNS queries and responses.

    Using the same command as in the last exercise, we can see the following two packets:

    The output displayed two consecutive UDP packets related to DNS activity:

    1. Source and Destination:
      • Source IP: 192.168.11.65, Source Port: 52894
      • Destination IP: 192.168.11.53, Destination Port: 53 (DNS port)
    2. Packet Details:
      • The first packet contains a DNS query (A? giac.org.), indicating that the client is requesting the IP address for the domain giac.org.
      • The second packet contains the DNS response, indicating that the server resolved giac.org to the IP address 66.35.45.203.
      • Both packets use the UDP protocol (proto UDP (17)).
      • The length of the first packet is 54 bytes, while the response packet is 70 bytes.

    Analysis:
    The presence of port 53 in the packet indicates DNS traffic. The query type (A?) specifies that the client is requesting an IPv4 address for the domain giac.org. The response from the DNS server includes the resolved IP address, confirming that the communication was successful.
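    As an added example that is not part of the lab or of tcpdump, the following Python builds the query/response pair described above as raw UDP datagrams and decodes them the way tcpdump's DNS summary does: port 53 identifies DNS, the question section yields "A? giac.org.", and the answer section yields the A record 66.35.45.203. The transaction ID, record TTL, and the 20 + 8 byte IP/UDP overhead used to reproduce the 54- and 70-byte IP lengths are constructed values; the response uses a name-compression pointer, which a decoder has to follow rather than read as a label.

```python
"""Constructed example: the lab's DNS query and response as bytes, then decoded.
Addresses and ports mirror the write-up; transaction ID and TTL are made up."""
import socket
import struct

RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name):
    """'giac.org.' -> b'\\x04giac\\x03org\\x00' (length-prefixed labels, zero end)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """12-byte header (RD set, one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, ip, ttl=300):
    """Echo the question, then one A record whose owner name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, RCODE 0
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def udp_datagram(sport, dport, payload):
    """8-byte UDP header (checksum zeroed: constructed data) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ip_total_length(udp):
    """What `tcpdump -v` prints as 'length': 20-byte IPv4 header + UDP datagram."""
    return 20 + len(udp)


def read_name(msg, off, hops=0):
    """Decode labels at `off`, following compression pointers; return
    (name, offset just past the name as it appears at `off`)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer: jump, and the name ends here
            if hops > 16:
                raise ValueError("compression pointer loop")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            rest, _ = read_name(msg, target, hops + 1)
            return ".".join(labels + [rest.rstrip(".")]) + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(msg):
    """Header plus question and answer sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers, "counts": (an, ns, ar)}


def summarize(udp):
    """tcpdump-style one-liner for a UDP datagram, if port 53 is on either side."""
    sport, dport, _length, _csum = struct.unpack("!HHHH", udp[:8])
    if 53 not in (sport, dport):
        return "not DNS"
    dns = parse_dns(udp[8:])
    if not dns["is_response"]:
        name, qtype = dns["questions"][0]
        return f"{RR_TYPES.get(qtype, qtype)}? {name}"
    an, ns, ar = dns["counts"]
    records = " ".join(f"{RR_TYPES.get(t, t)} {v}" for _n, t, _ttl, v in dns["answers"])
    return f"{an}/{ns}/{ar} {records}"


# Constructed traffic modelled on the lab's two packets (client port 52894 -> 53).
QUERY = udp_datagram(52894, 53, build_query(0x1A2B, "giac.org."))
RESPONSE = udp_datagram(53, 52894, build_response(QUERY[8:], "66.35.45.203"))

if __name__ == "__main__":
    for pkt in (QUERY, RESPONSE):
        print(f"length {ip_total_length(pkt)}: {summarize(pkt)}")
```

    The two lengths come out at 54 and 70 bytes, matching the write-up, because a 26-byte query plus 28 bytes of IP/UDP headers is 54 and the 16-byte compressed answer record brings the response to 70; an answer written without the pointer would be 6 bytes longer.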