WriteUp (pdf)

School: Portland Community College
Course: 373
Subject: Information Systems
Date: Nov 24, 2024
Pages: 9
Uploaded by ProfessorIceCat10

Defense against the Dark Arts Lab Write Up

Introduction

This lab provided two sets of packet data, 'R' and 'O', containing network parameters such as IP addresses, TCP/UDP ports and protocol flags, which were used to analyze the networks they were captured from. The R dataset had about 100k packets and was used for prototyping; the O dataset had about 1M packets and was used for the production run. The goal was to use a scripting language (Perl or Python) to rearrange and analyze the data, identify spikes in frequency, and find common characteristics among the frequently occurring items. Python was chosen for this lab, and further functions were added to the provided scancsv.py script. The objectives of this lab were:

1. Analyze network traffic to examine how various networks function (e.g., work, home, data center, ISP).
2. Use a portion of the network data, such as protocol headers and security/application logs, for the analysis.
3. Use frequency spikes in the rearranged data to identify common characteristics such as protocols and IP addresses.
4. Develop a script in Perl or Python to analyze packet data provided in textual CSV format.
5. Learn as much as possible about the networks from the limited data available in the 'R' and 'O' data sets.

Header Analysis

The headers in both the R and O datasets were: len, proto, ipsrc, ipdst, tcpflags, tcpsport, tcpdport, udpsport, udpdport, icmpcode, icmptype. Each dataset was first analyzed for its total number of packets and bytes and for the number of packets per protocol.
As the figures show, the R dataset was smaller, with 99142 packets, against 999914 packets in O. The R dataset had 4 common protocols: ICMP, IGMP, TCP and UDP. The O dataset had 6 common protocols: ICMP, TCP, UDP, GRE, IPSEC-ESP and OSPF.

Find Statistics on TCP and UDP Services

This step counted the packets per well-known (1-1024) TCP and UDP destination port in each dataset. Only destination ports were counted, since the source port of a client packet is an ephemeral port and identifies no service.
Here are the findings. The top 5 ports in the R dataset were 139/tcp netbios-ssn, 80/tcp http, 110/tcp pop3, 22/tcp ssh and 53/udp dns. This mix points to a work network: file sharing (NetBIOS), HTTP traffic, email retrieval (POP3), secure remote access (SSH) and DNS resolution. The top 5 ports in the O dataset were 25/tcp smtp, 80/tcp http, 22/tcp ssh, 53/udp dns and 445/tcp microsoft-ds (SMB file sharing). This points to a network running a mail server for outgoing email, HTTP traffic, secure remote access, DNS resolution and SMB file sharing, likely in a Windows-based environment, so it too is very likely a work network.
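The two counts used above (packets and bytes per protocol, then packets per well-known TCP/UDP destination port), written out as an added Python example; this is not the course's scancsv.py nor the author's additions to it. It assumes the column names the write-up lists, that proto holds a protocol name, and that columns which do not apply to a packet are empty. The sample rows, the small service-name table and the function names (parse_packets, protocol_stats, service_stats, top_services) are the example's own.

```python
"""Per-protocol and per-service packet statistics over the lab's CSV layout.

Added example, not the course's scancsv.py. Assumptions: the header is the one the
write-up lists, 'proto' holds a protocol name (any case), and columns that do not
apply to a packet are empty. The sample rows and service-name table are constructed.
"""
import csv
import io
from collections import Counter

HEADER = "len,proto,ipsrc,ipdst,tcpflags,tcpsport,tcpdport,udpsport,udpdport,icmpcode,icmptype"

# Constructed sample capture in the lab's format (not real R/O data).
SAMPLE_CSV = HEADER + "\n" + "\n".join([
    "60,TCP,10.5.63.40,10.5.63.22,S,51234,139,,,,",
    "1500,TCP,10.5.63.22,10.5.63.40,A,139,51234,,,,",   # reply: dport is ephemeral, not a service
    "60,TCP,10.5.63.41,10.5.63.22,S,51240,139,,,,",
    "60,TCP,10.5.63.41,32.97.255.112,S,51235,80,,,,",
    "78,UDP,10.5.63.40,10.5.63.1,,,,51236,53,,",
    "78,UDP,10.5.63.1,10.5.63.40,,,,53,51236,,",         # DNS reply, dport ephemeral
    "60,TCP,10.5.63.42,10.5.63.6,S,51237,110,,,,",
    "60,TCP,10.5.63.43,10.5.63.22,S,51238,22,,,,",
    "84,ICMP,10.5.63.40,10.5.63.1,,,,,,0,8",
    "1500,TCP,10.5.63.44,10.5.63.22,S,51239,8080,,,,",  # above 1024: outside the well-known range
])

# Small service-name table (assumption; a full one would come from /etc/services).
SERVICE_NAMES = {
    (22, "tcp"): "ssh", (25, "tcp"): "smtp", (53, "udp"): "dns", (80, "tcp"): "http",
    (110, "tcp"): "pop3", (139, "tcp"): "netbios-ssn", (445, "tcp"): "microsoft-ds",
}


def parse_packets(text):
    """Read the CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def protocol_stats(packets):
    """Return {PROTO: (packet_count, byte_count)} using the 'len' column for bytes."""
    pkts, byts = Counter(), Counter()
    for p in packets:
        proto = p["proto"].strip().upper()
        pkts[proto] += 1
        byts[proto] += int(p["len"] or 0)
    return {proto: (pkts[proto], byts[proto]) for proto in pkts}


def service_stats(packets, low=1, high=1024):
    """Count packets per (dst_port, 'tcp'|'udp') for destination ports in [low, high].

    Only destination ports are counted: the source port of a client packet is an
    ephemeral port and says nothing about the service.
    """
    counts = Counter()
    for p in packets:
        for column, layer in (("tcpdport", "tcp"), ("udpdport", "udp")):
            value = (p.get(column) or "").strip()
            if not value:
                continue
            port = int(value)
            if low <= port <= high:
                counts[(port, layer)] += 1
    return counts


def top_services(packets, n=5):
    """The top-N list the write-up reports: [('139/tcp', 'netbios-ssn', count), ...]."""
    return [(f"{port}/{layer}", SERVICE_NAMES.get((port, layer), "unknown"), count)
            for (port, layer), count in service_stats(packets).most_common(n)]


if __name__ == "__main__":
    packets = parse_packets(SAMPLE_CSV)
    print("packets:", len(packets))
    for proto, (pkt_count, byte_count) in sorted(protocol_stats(packets).items()):
        print(f"{proto:10s} packets={pkt_count:6d} bytes={byte_count:8d}")
    for service, name, count in top_services(packets):
        print(f"{service:10s} {name:14s} {count}")
```

Run it directly to print both tables for the constructed sample; for the real R or O file, pass its contents to parse_packets. The reply rows (139 -> 51234 and 53 -> 51236) fall outside the 1-1024 window and so are not counted as services, which is the reason for counting destination ports only.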
Investigate IP Address Usage and Specific Protocols (GRE, IPSEC and OSPF)

IP Address Usage

This step listed the distinct IP addresses together with their usage counts, using a flag named -countip that returns the addresses sorted by usage in descending order. On the R dataset:
On the O dataset (the output below is truncated to addresses with counts above 2500):
Based on the above outputs from the two networks: for the first network (R dataset), 9 of the 10 most used IP addresses are 10.5.63.x. These addresses lie inside the RFC 1918 private range 10.0.0.0/8, so they are internal LAN addresses, consistent with a workplace network. The 10.5.63.x network number dominates this network.
For the second network (O dataset), 8 of the 10 most used IP addresses are 192.245.12.x. This is a /24 (Class C sized) block, but unlike 192.168.0.0/16 it is not RFC 1918 private space: 192.245.12.x is publicly routable address space, which is consistent with an organization using its own public address block for its hosts rather than a NATed LAN. The 192.245.12.x network number dominates this network. This finding therefore supports the assumption made in the previous step that both networks are work networks.

IP protocols between network devices

This step investigated the IP protocols GRE, IPSEC and OSPF, which run directly over IP rather than over TCP/UDP and are used for communication between routers and other network devices. The first network (R dataset) had no packets of these protocols. The output for these protocols on the second network (O dataset) was as follows. Findings from this analysis are: 207.182.x.x heavily dominates the IPSEC and OSPF traffic; in fact, all of the OSPF addresses are 207.182.35.x. Five distinct addresses speaking OSPF means at least five OSPF-speaking router interfaces, which points to a medium sized workplace or a data center.

Find the servers

This step looked for the servers on the two networks, using an option named -connto, which for each destination address counted the connections made to each service (ports 1-1024). The top 20 destination IP addresses were listed for each dataset, R first and then O.
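The -countip step from the IP address usage section, the router-protocol check and the -connto server search, together as one added Python example (not the course's scancsv.py or the author's code). It assumes the same CSV layout as the write-up, that IPsec packets carry the proto value IPSEC-ESP as reported above, and uses its own assumed port-to-role table; all sample rows and addresses are constructed, and the function names (count_ip, dominant_prefix, is_rfc1918, router_protocol_speakers, connections_to, classify_servers) are the example's own. The is_rfc1918 check makes the private-versus-public distinction for 192.245.12.x explicit.

```python
"""IP-usage counts, router-protocol speakers and server discovery over the lab CSV.

Added example, not the course's scancsv.py. Same layout assumptions as the write-up
(header names, 'proto' is a protocol name, unused columns empty); IPsec rows are
assumed to carry proto 'IPSEC-ESP'. The port-to-role table and all sample rows are
constructed for the example; the addresses are illustrative, not taken from the O data.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

HEADER = "len,proto,ipsrc,ipdst,tcpflags,tcpsport,tcpdport,udpsport,udpdport,icmpcode,icmptype"

SAMPLE_CSV = HEADER + "\n" + "\n".join([
    "60,TCP,66.35.250.10,192.245.12.221,S,40001,25,,,,",
    "60,TCP,64.233.160.5,192.245.12.221,S,40002,25,,,,",
    "60,TCP,207.46.130.1,192.245.12.221,S,40003,25,,,,",
    "60,TCP,192.245.12.50,192.245.12.8,S,40004,110,,,,",
    "78,UDP,192.245.12.50,192.245.12.8,,,,40005,53,,",
    "78,UDP,192.245.12.51,192.245.12.8,,,,40006,53,,",
    "60,TCP,192.245.12.52,192.245.12.30,S,40007,80,,,,",
    "84,OSPF,207.182.35.1,224.0.0.5,,,,,,,",            # OSPF hello to the AllSPFRouters group
    "84,OSPF,207.182.35.2,224.0.0.5,,,,,,,",
    "120,IPSEC-ESP,207.182.35.1,207.182.38.90,,,,,,,",
    "60,TCP,192.245.12.53,192.245.12.77,S,40008,515,,,,",  # lpd: a printer queue
])

ROUTER_PROTOS = {"GRE", "IPSEC-ESP", "OSPF"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed mapping from well-known service port to the role the write-up assigns.
ROLE_BY_PORT = {
    (25, "tcp"): "mail server", (110, "tcp"): "pop/imap server", (143, "tcp"): "pop/imap server",
    (53, "udp"): "DNS server", (80, "tcp"): "web server",
    (515, "tcp"): "printer", (631, "tcp"): "printer",
}


def parse_packets(text):
    return list(csv.DictReader(io.StringIO(text)))


def count_ip(packets):
    """-countip: how often each address appears as source or destination, most used first."""
    counts = Counter()
    for p in packets:
        counts[p["ipsrc"]] += 1
        counts[p["ipdst"]] += 1
    return counts.most_common()


def dominant_prefix(ranked, top=10):
    """The /24 most of the top-N addresses fall in (the '10.5.63.x dominates' observation)."""
    prefixes = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip, _ in ranked[:top])
    return prefixes.most_common(1)[0]


def is_rfc1918(ip):
    """True only for RFC 1918 space; 192.245.12.x is outside it and therefore public."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def router_protocol_speakers(packets):
    """Source addresses per router-to-router protocol.

    OSPF hellos are sent to 224.0.0.5, so the source side identifies the router
    interfaces; the number of distinct sources is the minimum number of OSPF speakers.
    """
    speakers = defaultdict(set)
    for p in packets:
        proto = p["proto"].strip().upper()
        if proto in ROUTER_PROTOS:
            speakers[proto].add(p["ipsrc"])
    return {proto: sorted(addrs) for proto, addrs in speakers.items()}


def connections_to(packets, low=1, high=1024):
    """-connto: distinct source addresses per (ipdst, port, layer) service, busiest first."""
    sources = defaultdict(set)
    for p in packets:
        for column, layer in (("tcpdport", "tcp"), ("udpdport", "udp")):
            value = (p.get(column) or "").strip()
            if value and low <= int(value) <= high:
                sources[(p["ipdst"], int(value), layer)].add(p["ipsrc"])
    rows = [(dst, port, layer, len(srcs)) for (dst, port, layer), srcs in sources.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))


def classify_servers(packets):
    """Group destination addresses by the role implied by the service port they were reached on."""
    roles = defaultdict(set)
    for dst, port, layer, _ in connections_to(packets):
        role = ROLE_BY_PORT.get((port, layer))
        if role:
            roles[role].add(dst)
    return {role: sorted(addrs) for role, addrs in roles.items()}


if __name__ == "__main__":
    packets = parse_packets(SAMPLE_CSV)
    ranked = count_ip(packets)
    print("top addresses:", ranked[:5])
    print("dominant /24:", dominant_prefix(ranked))
    print("router protocols:", router_protocol_speakers(packets))
    print("busiest services:", connections_to(packets)[:3])
    print("servers by role:", classify_servers(packets))
```

Two design points worth noting. For OSPF, counting distinct sources rather than every address matters: the hellos go to the multicast group 224.0.0.5, which a plain address count would report as an "OSPF address" even though no router owns it. The -connto ranking here counts distinct sources per destination service, so a single client retrying a connection does not inflate a server's position in the list.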
The findings were as follows. First network (R dataset): ipdst 10.5.63.22 had the most connections, 4895 distinct connections from source IP addresses. The servers and printers identified were:

Web servers: 32.97.255.112, 209.67.181.11, 209.67.181.20, 208.10.192.175, 208.10.192.202, 204.71.200.167
Mail server: 10.5.63.6
DNS servers: 10.5.63.6, 10.5.63.1
Printer: 10.5.63.8

All of the web-server addresses lie outside 10.5.63.x, so the port 80 traffic in R is internal clients reaching external sites rather than a web server hosted on this network; the mail, DNS and printer hosts are all internal.
Second network (O dataset): ipdst 192.245.12.221 had the most connections, 111726 distinct connections from source IP addresses. The mail servers, POP/IMAP servers and DNS servers identified were:

Mail servers: 192.245.12.221, 192.245.12.242, 192.245.12.230, 192.245.12.234, 192.245.12.233, 65.126.22.68, 192.245.12.8, 192.245.12.231, 192.245.12.246, 192.245.12.31, 192.245.12.245, 192.245.12.9, 192.245.12.7, 192.245.12.241, 207.182.38.90
POP/IMAP servers: 192.245.12.8, 192.245.12.241
DNS servers: 192.245.12.8, 192.245.12.56, 192.245.12.245, 192.245.12.9, 192.245.12.7

Conclusion

Using Python scripting, the analysis focused on identifying frequency spikes and common characteristics in the data. The TCP and UDP services were investigated to determine the likely network type. The 'R' dataset pointed to a work network with file sharing, HTTP traffic, email retrieval, secure remote access and DNS services. The 'O' dataset also indicated a work network with email, HTTP, secure remote access, DNS and (Windows-based) file sharing services. The IP protocols GRE, IPSEC and OSPF were found only in the 'O' dataset, suggesting a medium-sized workplace or data center. The analysis also identified servers and printers on both networks. Together the findings support the conclusion that both networks are work networks, each dominated by one address range: 10.5.63.x for the R dataset and 192.245.12.x for the O dataset.