Lab 4 - Packet Analysis and Sniffing

School: University of Cincinnati, Main Campus
Course: 4076
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 4
IT 4076C – Penetration Testing
Name: Johnny Makris
Lab 4 – Packet Analysis and Sniffing

Warning: Any use of penetration testing techniques on a live network could result in expulsion and/or criminal prosecution. Techniques are to be used in lab environments, for educational use only, or on networks for which you have explicit permission to test its defenses.

In this lab we will take a look at how to analyze and sniff packets on the network with techniques such as ARP poisoning.

Virtual Environment Needed:
Kali Linux (u: root, p: toor)
Metasploitable2 (u: msfadmin, p: msfadmin)
Windows 7 (u: administrator, p: Pa$$w0rd) + Wireshark
All on the same network. (If using your own equipment, do not use a bridge connection. This will place the system directly on the network your workstation is attached to.) If you are using the Sandbox, shut down all other systems.

Part One: Packet Analysis
Open each of the packet captures from Blackboard using Wireshark and answer the following questions. NOTE: You can use Wireshark on your own system or your Kali Linux system. (2 Points Each)

File: Challenge101-0.pcapng
1. How many packets are in this trace file?
There are 20 packets in the trace file.
2. What IP hosts are making a TCP connection in frames 1, 2, and 3?
192.168.1.108 and 50.19.229.205
3. What HTTP command is sent in frame 4?
GET
4. What is the length of the largest frame in this trace file?
1428 is the length of the largest frame in the trace file.
5. What protocols are seen in the protocol column?
HTTPS and TCP are seen in the protocol column.
6. What responses are sent by the HTTP server?
The responses sent from the HTTP server are HTTP/1.1 302 Found.

File: Challenge101-1.pcapng
7. In what frame number does the client request the default root web page ("/")?
13
8. What response does the server send in frame 17?
HTTP/1.1 200 OK
9. What is the largest TCP delta (delay) value seen in this trace file?
The largest delay is 6.006083000 seconds.
10. How many SYN packets arrived after at least a 1 second delay?
4
File: Challenge101-2.pcapng
11. How many frames travel to or from 80.78.246.209?
17 src + 15 dst = 32 total
12. How many DNS packets are in the trace file?
There are 8 DNS packets.
13. How many frames have the TCP SYN bit set to 1?
12
14. How many frames contain the string "set-cookie" in upper case or lower case?
There are 4 frames total.
15. How many frames contain a TCP delta time greater than 1 second?
There are 8 frames.

Part 2: Capturing Packets using ARP Poisoning
On your Windows 7 system, install WinSCP, FileZilla, or your favorite FTP client.
On your Kali Linux system, start a packet capture with Wireshark on the eth0 interface.
Turn on packet forwarding with the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Start ARP poisoning your Windows 7 and Metasploitable2 systems:
arpspoof -i eth0 -t <IP of Windows 7> <IP of Metasploitable2>
In a new terminal run the same command, but rearrange the IP addresses so you are capturing both sides of the conversation.
On your Windows 7 system, connect to FTP on your Metasploitable2 system using port 21. Log in with user: msfadmin, password: msfadmin.
Create a text file on your Windows 7 system with the words "Hello World" in the text. Transfer this file to the Metasploitable2 system using FTP.
Stop the packet capture and hit Ctrl-C in both terminal windows to stop the ARP poisoning.
Analyze the packet capture and answer the following questions/paste screenshots.
Find the packets that contain the username and password for the FTP server.
16. Paste a screenshot showing each of these packets. (5 Points)
Find the packet that contains the text file you transferred.
17. Paste a screenshot showing the FTP Data for this file. (5 Points)
18. Are there any packets that might send up a red flag that an ARP poisoning attack is occurring?
Yes
19. In this example, our attack is focused on two systems on the same network. If you were trying to capture traffic coming and going from two systems on different networks, what IPs would you want to poison?
You would ARP poison the default gateway and the client. By ARP poisoning the default gateway and the client, an attacker can intercept and manipulate network traffic between them. This technique is commonly used in man-in-the-middle attacks to eavesdrop on communication or to perform various malicious activities such as session hijacking or sniffing sensitive information.
20. What could likely occur alerting security to an attack in the last question?
You would ARP poison the gateway to the whole network.
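An added example, not part of the lab handout or the student's report, of the check behind questions 18 to 20: the red flag ARP poisoning leaves in a capture is one IP address being advertised by two different MAC addresses (and one MAC claiming the IPs of both victims). The frames, MAC addresses and IPs below are constructed sample data, not taken from the lab capture.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806  # EtherType for ARP

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw Ethernet/ARP reply frame (sample data, not a real capture)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, opcode 2 = reply
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def find_arp_red_flags(frames):
    """Report IPs advertised by more than one MAC and MACs advertising more than one IP."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for frame in frames:
        rec = parse_arp(frame)
        if rec is None or rec[0] != 2:  # only ARP replies carry the poisoned mapping
            continue
        _, smac, sip = rec
        ip_to_macs[sip].add(smac)
        mac_to_ips[smac].add(sip)
    flags = [f"IP {ip} claimed by MACs {sorted(m)}" for ip, m in ip_to_macs.items() if len(m) > 1]
    flags += [f"MAC {mac} claims IPs {sorted(i)}" for mac, i in mac_to_ips.items() if len(i) > 1]
    return flags

# Constructed sample (placeholder addresses): Windows 7, Metasploitable2 and a Kali host.
WIN7, MSF2, KALI = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
WIN7_IP, MSF2_IP = "192.168.56.101", "192.168.56.102"
LEGIT = [build_arp_reply(WIN7, WIN7_IP, MSF2, MSF2_IP), build_arp_reply(MSF2, MSF2_IP, WIN7, WIN7_IP)]
POISONED = LEGIT + [build_arp_reply(KALI, MSF2_IP, WIN7, WIN7_IP),   # Kali tells Win7 "I am MSF2"
                    build_arp_reply(KALI, WIN7_IP, MSF2, MSF2_IP)]   # Kali tells MSF2 "I am Win7"

if __name__ == "__main__":
    for line in find_arp_red_flags(POISONED):
        print(line)
```

Wireshark reports the same condition on the ARP frames as an expert-info warning ("Duplicate IP address detected"), which is the red flag question 18 asks about.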