Network Traffic Analysis with Wireshark: Examples and Techniques

Traffic Analysis – Wireshark
Simple Example
 
CIS 6395, Incident Response Technologies
Fall 2021, Dr. Cliff Zou
czou@cs.ucf.edu
 
Acknowledgement
 
The second wireshark example comes
from 
programming project 2 in Dr. Dawn
Song’s course “CS161: computer security”
in Fall 2008:
http://inst.eecs.berkeley.edu/~cs161/fa08/
 
 
Example #1: What traffic does Nmap generate?

"Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network"
(Definition comes from Wikipedia.com.)
Question: What traffic does it generate? How can we detect if someone is using Nmap?
 
Nmap Basic Usage Examples

Scan a single IP:
nmap 192.168.1.1
Scan a range of IPs:
nmap 192.168.1.1-20
nmap 192.168.1.0/24
Scan a range of ports:
nmap -p 1-100 192.168.1.1
Scan the 100 most common ports (fast):
nmap -F 192.168.1.1
Scan all 65535 ports:
nmap -p- 192.168.1.1
Banner grabbing (set up a TCP connection and get the first response text from the target):
nmap --script banner 192.168.0.101
 
 
 
Testing on Kali Linux

Your Kali Linux VM contains both nmap and Wireshark.
Use Wireshark to see what traffic an nmap command sends out:
On the Kali VM, run Wireshark first and start capturing traffic.
Run nmap to scan another VM on the same VLAN (such as the Win7 VM).
Don't try to scan an Internet target!
Stop capturing, and then check the captured traffic.
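As an added example that is not part of the slides, the following Python script shows the detection side of this exercise on packet summaries: a SYN scan stands out as one source sending SYN-only packets to many ports of one host in a short burst, while a normal client touches a port or two and completes the handshake. The packet records and addresses are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): (time_s, src_ip, dst_ip, dst_port, flags).
# "nmap -p 1-100 192.168.1.1" run from 192.168.1.10 shows up as one SYN per port in a burst;
# the normal client 192.168.1.20 only opens two connections and completes each handshake.
SCAN_SRC, TARGET, CLIENT = "192.168.1.10", "192.168.1.1", "192.168.1.20"
PACKETS = [(0.005 * p, SCAN_SRC, TARGET, p, "S") for p in range(1, 101)]
PACKETS += [(1.00, CLIENT, TARGET, 80, "S"), (1.01, CLIENT, TARGET, 80, "A"),
            (3.00, CLIENT, TARGET, 443, "S"), (3.01, CLIENT, TARGET, 443, "A")]


def scan_candidates(packets, window_s=2.0, min_ports=20):
    """Return {(src, dst): distinct_ports_probed} for every source that sends
    SYN-only packets to at least min_ports distinct ports of one host within
    window_s seconds. In Wireshark the same packets are selected with the
    display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    syns = defaultdict(list)                       # (src, dst) -> [(time, port), ...]
    for t, src, dst, port, flags in packets:
        if flags == "S":                            # SYN without ACK: new connection attempt
            syns[(src, dst)].append((t, port))
    found = {}
    for key, events in syns.items():
        events.sort()
        start = 0                                   # left edge of the sliding time window
        for i, (t, _) in enumerate(events):
            while events[start][0] < t - window_s:
                start += 1
            if len({p for _, p in events[start:i + 1]}) >= min_ports:
                found[key] = len({p for _, p in events})
                break
    return found


if __name__ == "__main__":
    for (src, dst), n in scan_candidates(PACKETS).items():
        print(f"possible port scan: {src} probed {n} ports on {dst}")
```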
 
Example #2: Wireshark trial

Q1: You sent a private message to your best friend on Facebook, but your message also got posted publicly on your friend's wall, which means someone posted it while impersonating your friend.
Examine the HTTP web traffic in q1.pcap (in webCourse) to find evidence of the attack used for the wall post.
Find the secret wall post, the timestamp when it occurred and the cookie value (c_user) of the attacker.

Hints: Check POST requests, cookie values
 
Question 1

Answer:
Based on the hint, use the display filter: http contains "POST" and http contains "c_user"
There is one attacking IP, 10.0.0.4, using the same user cookie value that has appeared in many other normal posts by 192.168.121.185.
The secret wall post was: "Be sure not to tell anyone this! But M.C. is actually lactose-intolerant", with a time of Sun, 17 Apr 2011 06:30:02 GMT (based on the server's response message).
 
Question 2

There was a leakage of an exam file, so you pull out the data collected to analyze it.
Analyze the HTTP web accesses in q2.pcap (in webCourse). Determine the type of attack used to access the file.
What was the file name? How do you know it was successfully accessed?
 
Question 2

Answer:
Check 'http' traffic, and find "/../../../../.."-type abnormal requests, which are a typical directory traversal attack.
Use the display filter http contains "../" and find out that the directory traversal attack targeted the password file; the other file is cheddar.pdf, requested in several attempts.
Is the cheddar.pdf access successful?
 
Question 2

Answer:
A single packet, #41321, successfully obtained the PDF file.
How can we obtain this PDF file from the trace?
Since it belongs to HTTP traffic, use the menu File -> Export Objects... -> HTTP... to check all objects in the HTTP traffic.
There are many cheddar.pdf objects, but all except one are not successfully transferred files.
Check the packet number, find packet #41321, save the object and we have the PDF now!
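As an added example (not part of the slides or of the CS161 project), the Python below automates the reasoning of both Question 1 and Question 2 over HTTP request summaries: a c_user cookie value that POSTs from more than one source IP points at a stolen session, and a "../" request only counts as a successful traversal when the server answered 200. The request records, addresses, cookie values and file names are constructed and are not taken from q1.pcap or q2.pcap.

```python
import re
from collections import Counter, defaultdict

# Constructed HTTP request/response summaries (not from q1.pcap or q2.pcap):
# (packet_no, src_ip, method, request_uri, cookie_header, response_status).
REQUESTS = [
    (101, "192.168.0.5", "POST", "/ajax/updatestatus.php", "c_user=100001; xs=abc", 200),
    (187, "192.168.0.5", "POST", "/ajax/updatestatus.php", "c_user=100001; xs=abc", 200),
    (240, "10.0.0.99",   "POST", "/ajax/updatestatus.php", "c_user=100001; xs=abc", 200),
    (301, "192.168.0.7", "GET",  "/files/../../../../etc/passwd", "", 403),
    (355, "192.168.0.7", "GET",  "/files/../../../exams/final.pdf", "", 404),
    (402, "192.168.0.7", "GET",  "/files/../../exams/final.pdf", "", 200),
    (410, "192.168.0.8", "GET",  "/files/syllabus.pdf", "", 200),
]


def c_user(cookie_header):
    """Pull the c_user value out of a Cookie header, or None if absent."""
    m = re.search(r"(?:^|;\s*)c_user=([^;]+)", cookie_header)
    return m.group(1) if m else None


def shared_sessions(requests):
    """Question 1 logic: c_user values that POST from more than one source IP,
    each with its IPs ordered from most to least frequent, so the rarely seen
    address is the likely session thief. Wireshark equivalent of the selection:
    http.request.method == "POST" && http.cookie contains "c_user"."""
    by_cookie = defaultdict(Counter)
    for _, src, method, _, cookie, _ in requests:
        uid = c_user(cookie)
        if method == "POST" and uid:
            by_cookie[uid][src] += 1
    return {uid: [ip for ip, _ in ips.most_common()]
            for uid, ips in by_cookie.items() if len(ips) > 1}


def traversal_attempts(requests):
    """Question 2 logic: every request whose path climbs with '../'
    (Wireshark: http.request.uri contains "../"), as (packet_no, src, uri, status)."""
    return [(no, src, uri, st) for no, src, _, uri, _, st in requests if "../" in uri]


def served_files(requests):
    """Only a 200 response proves the traversal actually delivered the file;
    the packet number is what you look up under File -> Export Objects -> HTTP."""
    return [(no, uri.rsplit("/", 1)[-1])
            for no, _, uri, st in traversal_attempts(requests) if st == 200]
```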
Uploaded on Jul 16, 2024 | 1 Views