School: Green River College
Course: 360
Subject: Information Systems
Date: Jun 13, 2024
Type: docx
Pages: 7
Uploaded by ChiefSeaLion3752
Lab - Using Wireshark to Examine HTTP and HTTPS Traffic
Objectives
Part 1: Capture and view HTTP traffic
Part 2: Capture and view HTTPS traffic
Background / Scenario
HyperText Transfer Protocol (HTTP) is an application layer protocol that presents data via a web browser. With HTTP, there is no safeguard for the exchanged data between two communicating devices. With HTTPS, encryption is used via a mathematical algorithm. This algorithm hides the true meaning of the data that is being exchanged. This is done through the use of certificates that can be viewed later in this lab.
Whether a site uses HTTP or HTTPS, you should exchange data only with websites that you trust. Just because a site uses HTTPS does not mean it is a trustworthy site. Threat actors commonly use HTTPS to hide their activities.
In this lab, you will explore and capture HTTP and HTTPS traffic using Wireshark.
Required Resources
CyberOps Workstation VM
Internet connection
Instructions
Part 1: Capture and View HTTP Traffic
In this part, you will use tcpdump to capture the content of HTTP traffic. You will use command options to save the traffic to a packet capture (pcap) file. These records can then be analyzed using different applications that read pcap files, including Wireshark.
Step 1: Start the virtual machine and log in.
Start the CyberOps Workstation VM. Use the following user credentials:
Username: analyst
Password: cyberops
Step 2: Open a terminal and start tcpdump.
a. Open a terminal application and enter the command ip address.
[analyst@secOps ~]$ ip address
b. List the interfaces and their IP addresses displayed in the ip address output.
2017 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public
Page 1
of 7
www.netacad.com
c. While in the terminal application, enter the command sudo tcpdump -i enp0s3 -s 0 -w httpdump.pcap. Enter the password cyberops for the user analyst when prompted.
[analyst@secOps ~]$ sudo tcpdump -i enp0s3 -s 0 -w httpdump.pcap
[sudo] password for analyst:
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
This command starts tcpdump and records network traffic on the enp0s3 interface.
The -i command option allows you to specify the interface. If not specified, tcpdump will capture all traffic on all interfaces. The -s command option specifies the snapshot length (snaplen) for each packet. You should limit snaplen to the smallest number that will capture the protocol information in which you are interested. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with older versions of tcpdump.
The -w command option is used to write the result of the tcpdump command to a file. Adding the extension .pcap ensures that operating systems and applications will be able to read the file. All recorded traffic will be written to the file httpdump.pcap in the home directory of the user analyst.
Use the man pages for tcpdump to determine the usage of the -s and -w command options.
d. Open a web browser from the launch bar within the CyberOps Workstation VM. Navigate to http://www.altoromutual.com/login.jsp
Because this website uses HTTP, the traffic is not encrypted. Click the Password field to see the warning pop up.
e. Enter a username of Admin with a password of Admin and click Login.
f. Close the web browser.
g. Return to the terminal window where tcpdump is running. Enter CTRL+C to stop the packet capture.
Step 3: View the HTTP capture.
The tcpdump command executed in the previous step wrote its output to a file named httpdump.pcap. This file is located in the home directory for the user analyst.
a. Click the File Manager icon on the desktop and browse to the home folder for the user analyst. Double-click the httpdump.pcap file. In the Open With dialog box, scroll down to Wireshark and then click Open.
b. In the Wireshark application, filter for http and click Apply.
c. Browse through the different HTTP messages and select the POST message.
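As an added illustration (not part of the Cisco lab), the Python script below builds a constructed pcap of the kind tcpdump -w produces, containing one HTTP POST like the login submitted in Step 2e, then parses it the way the Wireshark http filter and POST selection in Step 3 would, recovering the request line and the cleartext form fields and flagging records that a small snaplen (-s) truncated. The form field names, MAC and IP addresses, ports and timestamps are assumed values, not captured ones.

```python
import struct

# Constructed sample, not a capture from the lab: the body of one HTTP POST such as the
# login form submission in Step 2e. The form field names are assumed, not the site's own.
HTTP_POST = (
    b"POST /login.jsp HTTP/1.1\r\nHost: www.altoromutual.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"username=Admin&password=Admin"
)

def build_frame(payload):
    """Wrap a TCP payload in minimal Ethernet + IPv4 + TCP headers (made-up MACs/IPs, checksums 0)."""
    eth = bytes.fromhex("00112233445566778899aabb0800")          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen=262144):
    """Emit a little-endian pcap as `tcpdump -w` does: global header, then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]     # -s limits what is stored; orig_len still records the full size
        out += struct.pack("<IIII", 1700000000 + i, 0, len(stored), len(frame)) + stored
    return out

def http_posts(pcap):
    """Walk a pcap, strip Ethernet/IPv4/TCP, and return (request line, form fields, truncated?)."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (EN10MB) capture")
    off, found = 24, []
    while off + 16 <= len(pcap):
        _sec, _usec, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # skip anything that is not IPv4 over TCP
        tcp = 14 + (frame[14] & 0x0F) * 4              # IPv4 IHL gives the TCP header offset
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        if payload.startswith(b"POST "):               # what the Wireshark "http" filter shows as POST
            head, _, body = payload.partition(b"\r\n\r\n")
            fields = dict(p.split("=", 1) for p in body.decode(errors="replace").split("&") if "=" in p)
            found.append((head.split(b"\r\n", 1)[0].decode(), fields, incl < orig))
    return found

if __name__ == "__main__":
    for snap in (262144, 60):   # default snaplen shows the credentials in full; -s 60 keeps only "POST /"
        for line, fields, cut in http_posts(build_pcap([build_frame(HTTP_POST)], snaplen=snap)):
            print(snap, line, fields, "truncated" if cut else "complete")
```

Running it prints the username and password exactly as they crossed the wire, which is what makes the warning in Step 2d worth heeding, and shows that a snaplen too small to reach the body leaves only a truncated request line.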