Packet Analysis




Information Assurance CNSS 4011 Lab Series
Lab 2: Packet Analysis
Document Version: 2011-09-09
4011 Identifier Reference: (C.1.a, D.1.b, D.1.j)
Lab Author: Belle Woodward
Organization: Associate Professor, Information Systems and Applied Technologies, Southern Illinois University

Copyright © 2003-2011 Center for Systems Security and Information Assurance (CSSIA)

The development of this document is funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746; Center for Systems Security and Information Assurance (CSSIA) is an entity of Moraine Valley Community College. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of this license can be found at http://www.gnu.org/licenses/fdl.html.

Contents
1 Introduction .......... 3
2 Objective: Learn the Basics of Network Sniffing .......... 3
3 Pod Topology .......... 6
4 Lab Settings .......... 7
Task 1 Using Wireshark to Capture a TCP Handshake .......... 8
Task 1.1 Capture a TCP Handshake .......... 8
Task 1.2 Conclusion .......... 12
Task 1.3 Discussion Questions .......... 13
Task 2 Regenerate a Webpage via Captured Data .......... 14
Task 2.1 Using Wireshark to Reassemble a Webpage .......... 14
Task 2.2 Conclusion .......... 18
Task 2.3 Discussion Questions .......... 18
Task 3 Observe Common TCP Vulnerabilities .......... 19
Task 3.1 Connect to a Telnet/FTP Server .......... 19
Task 3.2 Connect to a SSH Server .......... 22
Task 3.3 Conclusion .......... 24
Task 3.4 Discussion Questions .......... 24
5 References .......... 25

9/9/2011 Copyright © 2003-2011 Center for Systems Security and Information Assurance (CSSIA) Page 2 of 25

1 Introduction

This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG), funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746. This series of lab exercises is intended to support courseware designated as meeting NSTISSI No. 4011 certification.

By the end of this lab, students will have the ability to grab a web page off the network and capture it to a file for later viewing. Students will learn to use the Wireshark protocol analyzer to capture packets on a computer with an Internet connection. Initial TCP packets that are produced when a browser is used to view an Internet site will be observed. Observation will also be made of TCP packets when an attempt to connect fails. At the end of this lab, one will learn how to perform a packet capture, analyze the results, and identify some of the intrinsic vulnerabilities within the TCP protocol.

This lab includes the following tasks:
- Task 1 - Using Wireshark to capture a TCP handshake
- Task 2 - Using Wireshark to regenerate a webpage
- Task 3 - Observe common TCP vulnerabilities

2 Objective: Learn the Basics of Network Sniffing

Network sniffing involves all seven layers of the OSI model, since protocol analyzers first require a system that is physically plugged into the network to be monitored and then return information related to layers 2 through 7. Of particular interest to this lab will be layers 3, 4, and 7, since it is within these layers where one finds the transmission protocol, the network protocol and the transmitted data to and from the application (web browser, command prompt, etc.).

For this lab, the following terms and concepts will be of use:

TCP [1] – One half of the TCP/IP suite. TCP (Transmission Control Protocol) was developed as a connection-oriented datagram service in 1974. Its role in networking is to ensure correct delivery of IP packets by way of the TCP handshake, a series of synchronization and acknowledgement packets sent by the transmitting and receiving nodes. Because of its connection-oriented nature, it requires acknowledgement from the recipient. In addition, in the event data is lost during transmission, TCP will request that data be retransmitted. TCP is sometimes slow and not considered ideal for real-time traffic like VoIP.
IP [2] – Simply put, IP (Internet Protocol) is what makes the Internet work. The other half of the TCP/IP suite, IP defines the addressing and datagram encapsulation across a network. In tandem with TCP, IP routes traffic from node to node across separate IP networks. Because IP is considered an unreliable protocol, meaning it has no method of error-checking, it relies on TCP for reliable transmission of data.

TCP Handshake [3] – All network protocols send and receive control packets to enable communication between the source and the destination nodes. The two transport protocols within the TCP/IP suite are TCP and UDP. TCP (Transport Control Protocol) is connection-oriented. The use of UDP is connectionless, and thus does not require acknowledgements from recipients. Both TCP and UDP keep track of different communications through the use of 16-bit ports, many of which are well-known. Many common applications use TCP. Some of the more common applications include Internet browsing (using HTTP, port 80), FTP (port 21), Telnet (port 23), and SNMP (port 25). Every time these applications are used, they are initiated by a TCP three-way handshake.

A TCP connection initiates by the three-way TCP handshake. Suppose node (A) attempts to connect to node (B) via TCP. TCP's three-way handshake between these two nodes will proceed as follows:
1. A SYN packet is sent from node (A) to node (B).
2. A SYN/ACK packet is sent from node (B) to node (A), acknowledging the receipt of the SYN packet.
3. An ACK packet is sent from node (A) to node (B), completing the connection.

Each step places the relevant ports in certain states. That is, under normal circumstances, a SYN packet is sent from a specific port on (A) to a specific port on (B) that is in the LISTEN state. System B responds by going into the SYN_RECV state (pending completion of the connection). System B then sends back a SYN/ACK packet to System A, acknowledging that it received System A's SYN packet successfully. If all goes well, (A) will return an ACK packet to (B) and the connection will move to the ESTABLISHED state on both (A) and (B).

Network Monitoring [3] – Network monitors, protocol analyzers, and "sniffers" are all a class of tools used by network administrators to gather information about their network for a wide variety of protocols. A network monitor may either be a software program running on a computer, or it can be a separate stand-alone device. Like many network devices, cost and capabilities vary widely: they range from free software to platforms costing thousands of dollars. It cannot be overstated how important such tools are for proper network management as well as for detecting possible security breaches.

Wireshark [4] – Wireshark is an open source network monitor/protocol analyzer. It supports over 500 types of protocols. Being open source, the tool is free and runs on multiple platforms, including UNIX, Linux, and Windows. It has a robust feature set that continues to be developed by a large number of contributors. Wireshark is also compatible with numerous capture file formats that are compatible with other network monitors. The use of Wireshark involves the initiation of a "capture", which is simply the retention of protocol utilization information that the tool has detected. This information may be retained in a capture file, which can be saved for later reference and, among other things, analyzed in very fine detail.

Clear Text [5] – Clear text data is data that is either stored or transmitted in an unencrypted state. By its very nature, this is a dangerous practice, and can be remedied by encrypting files or using services like SSH (Secure Shell) versus Telnet.
3 Pod Topology

4 Lab Settings

The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information.

Required Virtual Machines and Applications
This lab requires the use of the XP1 and Windows 7 virtual machines.

Virtual Machine      IP Address        Login
Windows XP Client    192.168.111.41    admin password P@ssw0rd
Windows 7 Client     192.168.111.57    admin password P@ssw0rd

Task 1 Using Wireshark to Capture a TCP Handshake

Wireshark is an open source network monitor/protocol analyzer. It supports over 500 types of protocols. Being open source, the tool is free and runs on multiple platforms, including UNIX, Linux, and Windows. It has a robust feature set that continues to be developed by a large number of contributors. Wireshark is also compatible with numerous capture file formats that are compatible with other network monitors. The use of Wireshark involves the initiation of a "capture", which is simply the retention of protocol utilization information that the tool has detected. This information may be retained in a capture file, which can be saved for later reference and analyzed in very fine detail.

Task 1.1 Capture a TCP Handshake

Start a Capture
1. Access the XP1 Virtual Machine by clicking on the XP1 image in the topology. Login as the Administrator using P@ssw0rd as the password.
2. Double-click the Wireshark icon on the desktop.
3. In the Capture window, click Interface List, which will bring up a list of the available interfaces.
Figure 2: Interface List options
4. Select the interface with the 192.168.111.41 address.

You should now see something similar to the following:
Figure 3: Wireshark Capturing Data

Capture a Webpage
1. Minimize the Wireshark window.
2. Open Internet Explorer and browse to http://192.168.111.57. The site is hosted by the WIN7 VM.
3. Once the site is observed in the browser, minimize the browser, click on Wireshark on the taskbar, and stop the Wireshark capture by pressing Ctrl-E.
4. After the capture has been stopped, Wireshark should be populated with data based on network information acquired during the capture period. Click on the protocol field box shown below to sort the display by protocol type.
Figure 4: Click to sort by Protocol

You should now see something similar to the following graphic:
Figure 5: Captured Data Sorted by Protocol

Analyze the TCP Handshake
1. Scroll down to TCP in the protocol column. Look for the [SYN], [SYN, ACK], and [ACK] entries in the Wireshark top window. With proper sorting, the first three lines of the top display should correspond to the TCP three-way handshake.
2. Observe the top, middle, and bottom displays within Wireshark, each showing greater detail in succession.
   a. The top portion of the display shows a summary of a particular packet.
   b. The middle display lists more detailed information sorted by layers of the OSI model, beginning with the physical layer. Be sure to expand the middle display information by clicking on the + for Transmission Control Protocol, and note the port numbers.
   c. The lowest display area is the most detailed, showing the actual bit stream in hex.
3. Click the Windows Start button and select Run…
4. Type cmd in the text box and click OK.
5. Type cd c:\ and hit Enter.
6. Type netstat –na and hit Enter. Once again, note the ports following the colons. If a session with your website is not evident, try refreshing your browser and repeat the command. You should see something similar to the following graphic:
Figure 6: Output of Netstat
7. Verify connectivity with another host on the network segment via the ping command.

C:\>ping 192.168.111.100

Once connectivity is verified, attempt to telnet into another computer host on your local network segment.

C:\>telnet 192.168.111.100

Though nearly all computer workstations support telnet for remote connection to other devices, they do not usually accept telnet requests from other nodes. The sequence of TCP packets can be observed within Wireshark. To observe a failure to complete a three-way handshake, start another Wireshark capture as in Step 1. When prompted, choose Continue without Saving, and attempt to telnet into another host. After the failure to connect is indicated within the command window, stop the Wireshark capture. You should observe something similar to the next graphic. Note that the [SYN] packet is not followed by a [SYN, ACK] response, but rather by another [SYN] attempt. Telnet makes one more attempt to connect by sending another [SYN] packet, and after the same response, the failure message displays in the command window.
Figure 7: Overlay image of Telnet attempt and Corresponding Wireshark Output

Task 1.2 Conclusion

Protocol analyzers such as Wireshark are an essential tool in monitoring and identifying both desirable and undesirable network traffic within an organization. Due to their ability to view traffic both in a general aspect (a collection of individual packets) and down to a very granular detail (the raw packet data), one is able to achieve a detailed view of the types of communication within the network as it occurs, or save a session for review.
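The three-way handshake defined in section 2 and the two outcomes observed in this task (a completed handshake to the web server, and a telnet [SYN] answered only by another [SYN]) can be checked programmatically rather than by eye. The following is an added worked example, not code from the lab manual or from Wireshark: the packets are constructed in memory with the addresses from the lab table, parsed the way the middle pane decodes the TCP header, and walked through the LISTEN, SYN_RECV and ESTABLISHED states named above. The client-side state SYN_SENT is taken from RFC 793 [1]; the lab text itself does not name it.

```python
"""Parse raw IPv4/TCP packets and follow the three-way handshake states.

Added example for this lab, not code from the CSSIA manual: the packets are
constructed in memory (no capture file needed), parsed as Wireshark's middle
pane decodes the TCP header, and walked through the LISTEN -> SYN_RECV ->
ESTABLISHED transitions. A second constructed trace reproduces what Task 1
shows for the failed telnet connection: a [SYN] followed by another [SYN]
and never a [SYN, ACK].
"""
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits (RFC 793)


def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Constructed IPv4 header + TCP header with no payload; checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int

    def label(self):
        """The bracketed flag summary Wireshark prints in its Info column."""
        names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK")) if self.flags & bit]
        return "[" + ", ".join(names) + "]"


def parse_packet(raw):
    """Decode IPv4 addresses and the TCP header fields from raw packet bytes."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 6:                    # protocol 6 = TCP
        raise ValueError("not a TCP segment")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return Segment(src, dst, sport, dport, seq, ack, off_flags & 0x01FF)


def track_handshake(raw_packets):
    """Walk the handshake from the client's (A) point of view.

    Returns the final state of A and B using the lab's state names (plus
    SYN_SENT for the client, from RFC 793), the number of retransmitted SYNs
    (the retry seen when no SYN/ACK ever arrives), and the per-packet labels.
    """
    segments = [parse_packet(p) for p in raw_packets]
    state = {"A": "CLOSED", "B": "LISTEN"}
    seen_syns, retransmits, info = set(), 0, []
    for s in segments:
        info.append(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {s.label()}")
        if s.flags == SYN:                                        # step 1 (or a retry)
            key = (s.src, s.sport, s.dst, s.dport, s.seq)
            retransmits += key in seen_syns
            seen_syns.add(key)
            state["A"] = "SYN_SENT"
        elif s.flags == SYN | ACK and state["A"] == "SYN_SENT":   # step 2
            state["B"] = "SYN_RECV"
        elif s.flags == ACK and state["B"] == "SYN_RECV":         # step 3
            state["A"] = state["B"] = "ESTABLISHED"
    return {"state": state, "syn_retransmits": retransmits, "info": info}


# Addresses from the lab table; .100 is the host telnet fails to reach in Task 1.
A, B, DEAD = "192.168.111.41", "192.168.111.57", "192.168.111.100"


def web_handshake_trace():
    """Constructed trace of the browser connecting to the WIN7 web server (port 80)."""
    return [
        build_packet(A, B, 1034, 80, 1000, 0, SYN),
        build_packet(B, A, 80, 1034, 5000, 1001, SYN | ACK),
        build_packet(A, B, 1034, 80, 1001, 5001, ACK),
    ]


def failed_telnet_trace():
    """Constructed trace of telnet to a host that never answers (port 23)."""
    return [
        build_packet(A, DEAD, 1035, 23, 2000, 0, SYN),
        build_packet(A, DEAD, 1035, 23, 2000, 0, SYN),  # retry, same sequence number
    ]


if __name__ == "__main__":
    for trace in (web_handshake_trace(), failed_telnet_trace()):
        result = track_handshake(trace)
        print("\n".join(result["info"]), result["state"], result["syn_retransmits"])
```

The same parser can be fed the bytes of a real segment copied from the bottom pane; the point of the retransmission counter is that a connection attempt which never leaves SYN_SENT is exactly the pattern Figure 7 shows.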
Task 1.3 Discussion Questions

1. What features of Wireshark are particularly useful for network administration and cyber security?
2. What happens if your computer attempts to telnet to an inactive IP address on your network segment? Does your computer send out a TCP [SYN] packet?
3. Explore what happens when you ping your localhost address 127.0.0.1.
4. Explore what happens when you ping your local IP address. What is the difference between this and pinging the localhost address?

Task 2 Regenerate a Webpage via Captured Data

Having the ability to look at and analyze packets on a network can be very informative. There are many reasons an administrator may want to see what is traversing the network. On a wireless or non-switched network, packets can be seen both by those that have legitimate needs and by those that are up to nefarious activities. Capturing web pages requires an understanding of how they are processed by the server and rendered by the browser. The more highly formatted the page, the harder it will be to reproduce. Products like Wget (http://www.gnu.org/software/wget/) can grab web sites for off-line viewing. Alternatively, Wireshark will grab the stream and leave it up to the user to assemble. We will follow an HTTP stream and see what can be displayed easily and what requires more effort.

Task 2.1 Using Wireshark to Reassemble a Webpage

Capture a Webpage
1. Minimize Wireshark and close the Command Line window.
2. Open Internet Explorer (if it is not already) and click Tools on the Menu bar.
3. Select Internet Options at the bottom of the drop down list.
4. Under browsing history, click on Delete.
5. Click Delete again, and click OK.
6. Minimize Internet Explorer and click on Wireshark on the taskbar.
7. Start a new capture on the 192.168.111.41 interface. Click Continue without Saving when prompted.
8. Minimize Wireshark and click on Internet Explorer on the taskbar.
9. Navigate to http://192.168.111.57.
10. When the page loads, minimize Internet Explorer, click on Wireshark on the taskbar and stop the capture by pressing Ctrl+E.
11. Find a TCP packet that's part of the TCP handshake, click it, then select Analyze from the menu bar. Select "Follow TCP Stream." (See the following screen shot for an example.)
Figure 8: Following a TCP Stream in Wireshark

The program will process the stream and display the contents. Your screen will look similar to the one shown below:
Figure 9: The "Follow TCP Stream" window in Wireshark

12. Click Save As, enter TCP Stream as the Name, and click Save.
13. Close Wireshark and click Quit without Saving.
14. Close the Internet Explorer window.

Edit the Saved TCP Stream File
1. Click on the Start button and click on My Documents.
2. Double-click the TCP Stream file. Select WordPad as the program to open the file and click OK.
3. Cut out everything that is not part of the HTML page. Pages can start with "<html>" or "<?xml>" and end with "</html>". Keep only the highlighted portion from the following graphic.
Figure 10: Only keep the highlighted portion
4. Save the edited file as testfile.html. (The saved file should look like an HTML file.)
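What "Follow TCP Stream" does in step 11, and what the WordPad editing in step 3 removes, can be reproduced on raw segments to make the reassembly visible. The following is an added worked example, not code from the lab manual or from Wireshark: the segments are constructed in memory (addresses from the lab table, a made-up one-page site standing in for the WIN7 server), delivered out of order with one retransmitted duplicate, put back in sequence-number order, and then carved down to the HTML document. It also lists the resources the page references, which is why an image-bearing page does not display completely from a single stream: each image is fetched in its own request.

```python
"""Reassemble the server side of an HTTP conversation and carve out the HTML.

Added example for this lab, not code from the CSSIA manual or from Wireshark:
it does by hand what "Follow TCP Stream" and the WordPad editing step do, on
segments constructed in memory. The response segments are given out of order
with one retransmitted duplicate; they are put back in sequence-number order,
then everything that is not the HTML page (the request, the HTTP response
headers) is cut away.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPayload:
    """One TCP segment's payload as Wireshark's bottom pane would show it."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # sequence number of data[0]
    data: bytes


def follow_stream(segments, src, sport):
    """Return the bytes sent by (src, sport) in sequence order.

    Retransmitted or overlapping bytes are dropped; a hole in the sequence
    space (a segment the capture missed) is reported instead of silently
    producing a corrupted file.
    """
    one_way = sorted((s for s in segments if (s.src, s.sport) == (src, sport)),
                     key=lambda s: s.seq)
    out, next_seq = bytearray(), None
    for s in one_way:
        if next_seq is None:
            next_seq = s.seq
        if s.seq > next_seq:
            raise ValueError(f"missing {s.seq - next_seq} bytes before seq {s.seq}")
        fresh = s.data[next_seq - s.seq:]     # skip bytes already reassembled
        out += fresh
        next_seq += len(fresh)
    return bytes(out)


def split_http_response(stream):
    """Split status line, headers and body; check the body is complete."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers in stream")
    status, *lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip(): v.strip() for k, v in (line.split(":", 1) for line in lines)}
    declared = int(headers.get("Content-Length", len(body)))
    if declared != len(body):
        raise ValueError(f"body has {len(body)} bytes, Content-Length says {declared}")
    return status, headers, body


def extract_html(body):
    """Keep only the document from '<html' or '<?xml' through '</html>'."""
    text = body.decode("utf-8", errors="replace")
    lower = text.lower()
    starts = [i for i in (lower.find("<?xml"), lower.find("<html")) if i != -1]
    end = lower.rfind("</html>")
    if not starts or end == -1:
        raise ValueError("no complete HTML document in body")
    return text[min(starts):end + len("</html>")]


def referenced_resources(html):
    """URLs the browser fetches separately (each one travels in its own TCP stream)."""
    return re.findall(r'''src=["']([^"']+)["']''', html)


# --- constructed sample conversation (addresses from the lab table) ----------
CLIENT, SERVER = ("192.168.111.41", 1034), ("192.168.111.57", 80)
HTML = (b'<html>\r\n<head><title>Lab 2</title></head>\r\n'
        b'<body><h1>Packet Analysis</h1><img src="logo.gif"></body>\r\n</html>')
RESPONSE_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 + b"Content-Length: %d\r\n\r\n" % len(HTML))
REQUEST = b"GET / HTTP/1.1\r\nHost: 192.168.111.57\r\n\r\n"


def sample_segments():
    """Capture order: request, then the response out of order with one retransmission."""
    base, h = 5001, len(RESPONSE_HEAD)

    def from_server(seq, data):
        return TcpPayload(*SERVER, *CLIENT, seq, data)

    return [
        TcpPayload(*CLIENT, *SERVER, 1001, REQUEST),
        from_server(base + h + 40, HTML[40:]),       # last chunk arrives first
        from_server(base, RESPONSE_HEAD),
        from_server(base + h, HTML[:40]),
        from_server(base + h, HTML[:40]),            # retransmission of the middle chunk
    ]


def rebuild_page(segments=None):
    """Follow the server's side of the stream and return the carved HTML text."""
    stream = follow_stream(segments or sample_segments(), *SERVER)
    _status, _headers, body = split_http_response(stream)
    return extract_html(body)


if __name__ == "__main__":
    page = rebuild_page()
    print(page)
    print("fetched in other streams:", referenced_resources(page))
```

Wireshark colours the two directions differently in Figure 9 for the same reason this code filters on `(src, sport)`: the request and the response are two independent byte streams that happen to share one connection.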
View the Edited TCP Stream File
1. Open the My Documents folder if it isn't open already.
2. Double click the testfile.html file.
3. Get a screen shot of your edited HTML page as it is displayed by a browser. Save to a Word document, put your name in the document and print it off for your instructor. Here is a sample screen shot:
Figure 11: The Reconstructed Webpage
4. Close WordPad.
5. Close the My Documents window.

Task 2.2 Conclusion

By using the "Follow TCP Stream" functionality in Wireshark, one is able to reconstitute the data flow between two hosts in order to see the exact nature of the communication that occurred between them. This is a useful tool when it is necessary to view the packet payload with the packet sequence numbering in order.

Task 2.3 Discussion Questions

1. Can you capture the images and have the page display correctly?
2. What can be gleaned by capturing HTTP traffic?
3. In Figure 9, why is some of the file in red and some in blue?

Task 3 Observe Common TCP Vulnerabilities

This section will require a functional Telnet and/or FTP server to demonstrate how passwords and IDs are seen in clear text. Next, an SSH server will be required to demonstrate how the raw payload is not viewable within a packet analyzer.

Task 3.1 Connect to a Telnet/FTP Server
1. Open Wireshark and start a new capture.
2. Open the PuTTY client and enter 192.168.111.57 as the IP address. Make sure the Telnet radio button is selected:
Figure 12: Configuration for a Telnet Session
3. Make sure you have Wireshark capturing packets, then click Open. A window similar to the one below should open:
Figure 13: Telnet Login
4. Enter your username (administrator) and password (P@ssw0rd) at the prompt.
5. Minimize the window and return to your Wireshark capture.
6. Press Ctrl+E to end the packet capture.
7. Find a packet with "Telnet Data ..." in its info field. You should have packets that look like this:
Figure 14: Telnet Connection in Wireshark
8. Right click it, and select Follow TCP Stream.
9. Save the output as Telnet Data and close the window.
10. Close the PuTTY window.

Task 3.2 Connect to a SSH Server
1. Start a new Wireshark capture.
2. Open a new PuTTY session, although this time select SSH and enter 192.168.111.210 as the IP address.
Figure 15: Configuration for an SSH Session
3. Make sure Wireshark is running, then click "Open." The SSH login screen should look like this:
Figure 16: SSH Login
4. Login with the same credentials (administrator, P@ssw0rd), then check Wireshark. The packets should look similar to the following graphic:
Figure 17: SSH Connection in Wireshark
5. Find a packet with "Encrypted response packet" in the field, right-click it and select "Follow TCP stream." Observe and note the output.

Task 3.3 Conclusion

Some technologies have an extremely limited use. This is due to the intrinsic vulnerabilities that exist within the TCP protocol by design. They might be used on a non-switched or wireless network. When determining the nature of the data that will be shared over a network, the type of technology employed to deliver or receive that data must be considered.

Task 3.4 Discussion Questions

1. What kind of sensitive data is captured in a Telnet or FTP session?
2. What kind of sensitive data is captured in a SSH session?
3. If there are any differences between #1 and #2, what are they and what is the cause?
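The contrast Task 3 sets up between the Telnet/FTP streams and the SSH stream is also what a network sensor looks for when it reports clear-text authentication on a monitored segment. The following is an added worked example, not code from the lab manual or from Wireshark: three streams are constructed in memory in the form "Follow TCP Stream" presents them (client and server bytes interleaved, with Telnet option negotiation and the one-character-per-segment typing Telnet produces), the detector names the account whose password crossed the wire unencrypted without ever keeping the password itself, and for SSH it shows that only the version banners are readable. The hosts are those used in Tasks 3.1 and 3.2; the SSH banner strings and the binary payload bytes are made up.

```python
"""Flag clear-text logins in Telnet and FTP streams and show why SSH does not leak.

Added example for Task 3, not code from the CSSIA manual: the three streams
are constructed in memory in the form "Follow TCP Stream" presents them
(client and server bytes interleaved). A detector of this kind runs on a
network sensor; it reports that a password crossed the wire unencrypted and
which account it belonged to, and deliberately never stores the password.
"""
from dataclasses import dataclass
from typing import Optional

IAC, SB, SE = 0xFF, 0xFA, 0xF0                       # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


@dataclass
class Stream:
    client: str
    server: str
    server_port: int
    chunks: list            # (direction, bytes); "C" = client -> server, "S" = server -> client


@dataclass
class Finding:
    protocol: str
    client: str
    server: str
    username: Optional[str]
    password_exposed: bool
    detail: str


def strip_telnet_options(data):
    """Remove IAC option negotiation so only the characters a user would see remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                   # IAC <cmd> <option>
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i)     # IAC SB ... IAC SE
            i = len(data) if end == -1 else end + 2
        else:
            i += 2                                   # two-byte command
    return bytes(out)


def _ftp(st):
    client_text = b"".join(d for who, d in st.chunks if who == "C").decode("ascii", "replace")
    user, password_seen = None, False
    for line in client_text.splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password_seen = True                     # value intentionally not kept
    detail = "USER/PASS commands readable in the stream" if password_seen else "no login seen"
    return Finding("FTP", st.client, st.server, user, password_seen, detail)


def _telnet(st):
    user, pw_len, expecting, buf = None, 0, None, bytearray()
    for who, data in st.chunks:
        data = strip_telnet_options(data)
        if who == "S":                               # watch for the server's prompts
            prompt = data.decode("ascii", "replace").lower().rstrip()
            if prompt.endswith("login:"):
                expecting, buf = "user", bytearray()
            elif prompt.endswith("password:"):
                expecting, buf = "pass", bytearray()
        elif expecting:                              # client keystrokes, often one per segment
            buf += data
            if b"\r" in buf or b"\n" in buf:
                value = buf.replace(b"\x00", b"").split(b"\r")[0].split(b"\n")[0]
                if expecting == "user":
                    user = value.decode("ascii", "replace")
                else:
                    pw_len = len(value)              # only the length is recorded
                expecting = None
    detail = (f"{pw_len}-character password typed at the Password: prompt in clear text"
              if pw_len else "no password prompt answered")
    return Finding("Telnet", st.client, st.server, user, pw_len > 0, detail)


def _ssh(st):
    def readable(d):
        return all(32 <= b < 127 or b in b"\r\n\t" for b in d)
    banners = [d for _, d in st.chunks if d.startswith(b"SSH-")]
    after = [d for _, d in st.chunks if not d.startswith(b"SSH-")]
    leaked = sum(readable(d) for d in after)
    detail = (f"{len(banners)} version banners readable; {len(after)} further chunks are "
              f"binary ({leaked} readable), so the login cannot be followed")
    return Finding("SSH", st.client, st.server, None, leaked > 0, detail)


def scan(streams):
    """Inspect each stream by its server port and return the findings."""
    handlers = {21: _ftp, 23: _telnet, 22: _ssh}
    return [handlers[s.server_port](s) for s in streams if s.server_port in handlers]


def typed_with_echo(text):
    """Telnet sends each keystroke in its own segment and the server echoes it back."""
    return [(who, bytes([ch])) for ch in text for who in ("C", "S")]


# --- constructed sample streams (hosts from Tasks 3.1 and 3.2; payloads made up) ---
C, WIN7, SSH_HOST = "192.168.111.41", "192.168.111.57", "192.168.111.210"
SAMPLE_STREAMS = [
    Stream(C, WIN7, 23, [("S", bytes([IAC, DO, 0x18, IAC, WILL, 0x01]) + b"login: "),
                         ("C", bytes([IAC, WILL, 0x18, IAC, DO, 0x01]))]
           + typed_with_echo(b"admin")
           + [("C", b"\r\n"), ("S", b"\r\nPassword: "), ("C", b"P@ssw0rd\r\n"),
              ("S", b"\r\nWelcome\r\n")]),
    Stream(C, WIN7, 21, [("S", b"220 FTP server ready\r\n"), ("C", b"USER administrator\r\n"),
                         ("S", b"331 Password required\r\n"), ("C", b"PASS P@ssw0rd\r\n"),
                         ("S", b"230 User logged in\r\n")]),
    Stream(C, SSH_HOST, 22, [("S", b"SSH-2.0-ExampleServer\r\n"), ("C", b"SSH-2.0-ExampleClient\r\n"),
                             ("C", b"\x00\x00\x01\x0c\x0a\x14\x8f\x2a\xd3\x7c"),
                             ("S", b"\x00\x00\x02\x1c\x06\x14\x41\xe2\x90\x1b")]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_STREAMS):
        print(f"{f.protocol}: {f.client} -> {f.server} user={f.username} "
              f"password_exposed={f.password_exposed}; {f.detail}")
```

Recording the account name but only the length of the password is deliberate: the finding is evidence that a credential needs rotating and that the service should be replaced by SSH, not a second copy of the secret.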
5 References

1. DARPA Protocol Specification RFC 793: http://tools.ietf.org/html/rfc793
2. DARPA Protocol Specification RFC 791: http://tools.ietf.org/html/rfc791#section-2.1
3. Defense Acquisition Guidebook: https://acc.dau.mil/CommunityBrowser.aspx?id=334069
4. Wireshark: http://wireshark.org
5. Webster's Online Dictionary: http://www.websters-onlinedictionary.org/definitions/CLEARTEXT?cx=partner-pub0939450753529744%3Av0qd01-tdlq&cof=FORID%3A9&ie=UTF8&q=CLEARTEXT&sa=Search#922