Lab 3 - Packet Analysis With Wireshark PDF

Title Lab 3 - Packet Analysis With Wireshark
Author Norfauzan Naim
Course Data Communication Networking
Institution Universiti Teknologi MARA
Pages 4
File Size 289.3 KB
File Type PDF



Description

Prepared by: [email protected] | 9 August 2019 | FSKM, UiTM Shah Alam
Disclaimer: Author is not held responsible if the lab exercise is targeted to unauthorized parties or host. This is purely for educational purposes. I don't even know you :)

Lab 3: Packet Analysis with Wireshark (5 Marks)
Student Name (aka script kiddies): MUHAMMAD HAIKAL BIN SHAMSUDDIN
Matric No: 2019423266
Group: M3CS2453A

3.1 Learn Display Filter on Wireshark
Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

i. Run and Perform Packet Capture
Most Kali Linux distributions come with Wireshark preinstalled. You can run Wireshark in Kali by clicking Application Menu > 09 Sniffing & Spoofing > Wireshark. Once Wireshark is open, begin a packet capture on your network interface by clicking Capture Menu > Start. You can choose the network interface and review the capture options by clicking Capture Menu > Options. Stop the packet capture by clicking Capture Menu > Stop, and save it by clicking File Menu > Save As. Please state the file name extension which Wireshark uses to store packet captures, and provide a screenshot of the packet capture process in Wireshark. (1 Mark)

-pcapng



ii. Learn and Explore Display Filter
Display filters let you concentrate on the packets you are interested in while hiding the ones that are currently uninteresting. Please learn to use Wireshark display filters; you will need them to complete the tasks in the exercises below. You can learn about Wireshark display filters here: https://unit42.paloaltonetworks.com/using-wireshark-displayfilter-expressions/

3.2 Capturing Password from Packet
You can use Wireshark as a packet sniffer to expose user credentials during their authentication process.

i. Capturing password in unsecure website
Open Wireshark and start a packet capture. While the capture is running, open your browser and go to https://demo.testfire.net. Open the login page, enter a username and password (e.g. username: test, password: test123456) and click Login. After you have completed the login process, stop the packet capture. To analyse the packets, apply the display filter "http" so that Wireshark only shows HTTP packets. Then find an HTTP packet whose Info column shows "POST". Right-click that packet and choose Follow TCP Stream; Wireshark then shows the content of the communication session. In that content, find the username and password used in the session. Please provide a screenshot of Wireshark showing the username and password captured during the packet capture process. (0.5 Marks)



Why can we read user credentials in plaintext when we log in to the website? (0.5 Marks)
-Because it is an unsecure website

ii. Capturing password in Secure website
For this exercise, repeat the steps of the previous exercise (3.2.i), but change the website and try to log in to https://i-learn.uitm.edu.my/v3/users/loginForm/1. Can you read the credentials in plaintext? Please state why this is the case. (0.5 Marks)
-No, because it is a secure website
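The difference between the two results in 3.2.i and 3.2.ii comes down to what the bytes of the followed TCP stream look like. The Python below is an added example, not part of the lab sheet: it treats a constructed HTTP POST stream the way a reader of Follow TCP Stream does, pulling the form fields straight out of the body, and shows that a constructed TLS stream gives a parser nothing to work with because what follows the record header is ciphertext. The hostname, field names and values in the sample streams are invented; the display filter names in the comments (http.request.method, tls.handshake.type) are the ones Wireshark 3.x uses.

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for the start of a followed TCP stream of an HTTP form
# login. In Wireshark the display filter  http.request.method == "POST"
# lists exactly these packets. Hostname and credentials are made up.
HTTP_STREAM = (
    b"POST /doLogin HTTP/1.1\r\n"
    b"Host: demo.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=test&password=test123456"
)

# Constructed stand-in for the start of a TLS session (record type 0x16 =
# handshake, version 3.x, then a ClientHello). Wireshark would match it with
# tls.handshake.type == 1 and show no http layer at all. The trailing bytes
# stand in for the 32-byte client random and are not real handshake data.
TLS_STREAM = bytes.fromhex("16030100a5010000a10303") + bytes(range(0x20, 0x40))

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def classify_stream(data: bytes) -> str:
    """Label the first bytes of a TCP stream the way Wireshark's dissectors do.

    Plaintext HTTP starts with an ASCII request line; TLS starts with a
    record header whose first byte is the content type and whose second
    byte is the major version (always 3 for TLS 1.0 to 1.3).
    """
    first_line = data.split(b"\r\n", 1)[0]
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"


def extract_form_credentials(data: bytes) -> Optional[dict]:
    """Return the form fields of a plaintext HTTP POST, or None.

    This is what a person reads off Follow TCP Stream: the body of an
    application/x-www-form-urlencoded request contains the credentials
    verbatim. For a TLS stream there is no HTTP to parse, so None.
    """
    if classify_stream(data) != "http":
        return None
    head, _, body = data.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if method != b"POST":
        return None
    content_type = headers.get(b"content-type", b"")
    if not content_type.startswith(b"application/x-www-form-urlencoded"):
        return None
    length = int(headers.get(b"content-length", b"0").decode("ascii"))
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    # parse_qs returns a list per field; a login form sends each field once.
    return {name: values[0] for name, values in fields.items()}


if __name__ == "__main__":
    for label, stream in (("HTTP", HTTP_STREAM), ("TLS", TLS_STREAM)):
        print(label, classify_stream(stream), extract_form_credentials(stream))
```

The classifier only looks at the first bytes because that is all a dissector has to go on before any application-layer parsing; the point of 3.2.ii is that, for the HTTPS site, the capture contains a handshake and encrypted records where the HTTP request used to be, so the "http" filter matches nothing and there are no fields to read.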

3.3 SQL Injection Attack Analysis
By performing a packet capture, we can also detect and investigate any attempted SQL injection attack against your host.

i. Packet Analysis
Repeat the lab exercise of 2.1.ii, performing a packet capture while you do it. After you have captured the packets, use a Wireshark display filter to show the packet content in which the SQL injection command is being sent to the website. Please provide a screenshot of Wireshark showing the SQL injection captured in the packet. (0.5 Marks)
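Finding the injection attempt with a display filter is the manual form of what a signature-based detector does over the same HTTP requests. The Python below is an added example (not from the lab): it runs a small set of SQL-injection indicator patterns over constructed request records of the kind you would export from a capture, and rates each hit so that a lone comment sequence such as "--" in an ordinary URL is not treated the same as a tautology or a UNION SELECT. The addresses, paths and field values are invented, and the pattern list is deliberately short. The nearest Wireshark equivalent is a filter such as http.request && http contains "' OR".

```python
import re
from urllib.parse import unquote_plus

# Indicators a detector looks for once the URL query string or form body has
# been percent-decoded. Order here is the order indicators are reported in.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+[^=]+=", re.I), "tautology"),       # ' OR 1=1
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "union-select"),
    (re.compile(r";\s*(drop|delete|insert|update)\b", re.I), "stacked-query"),
    (re.compile(r"--|/\*|#"), "comment-terminator"),                 # trailing comment
]

# Constructed request records (what you would note down from a capture):
# client 198.51.100.7 talking to web server 192.0.2.10, both documentation
# addresses. Bodies are form-urlencoded exactly as they appear on the wire.
REQUESTS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "method": "POST", "uri": "/login",
     "body": "username=alice&password=s3cret"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "method": "POST", "uri": "/login",
     "body": "username=%27+OR+1%3D1--&password=x"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "method": "GET",
     "uri": "/search?q=shoes+UNION+SELECT+username%2Cpassword+FROM+users", "body": ""},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "method": "GET",
     "uri": "/help?topic=rock--n--roll", "body": ""},
]


def find_sqli(text: str) -> list:
    """Return the names of every indicator matching the percent-decoded text."""
    decoded = unquote_plus(text)
    return [name for pattern, name in SQLI_PATTERNS if pattern.search(decoded)]


def scan_requests(requests) -> list:
    """Flag requests whose URI or body carries an indicator, with a severity.

    A comment terminator on its own is weak evidence (it occurs in ordinary
    text), so it rates "low"; anything else rates "high".
    """
    hits = []
    for req in requests:
        indicators = []
        for part in (req["uri"], req["body"]):
            for name in find_sqli(part):
                if name not in indicators:
                    indicators.append(name)
        if not indicators:
            continue
        severity = "high" if any(n != "comment-terminator" for n in indicators) else "low"
        hits.append({"src": req["src"], "dst": req["dst"], "method": req["method"],
                     "uri": req["uri"], "indicators": indicators, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan_requests(REQUESTS):
        print(hit["severity"], hit["src"], "->", hit["dst"], hit["method"], hit["uri"], hit["indicators"])
```

Decoding before matching matters: the attempt in the second record is sent as "%27+OR+1%3D1--", which a filter on the literal quote character would never match; Wireshark's urlencoded-form dissector does the same decoding for you in the packet details pane.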



3.4 Malware Analysis
Wireshark can also be used to effectively analyse and understand how malware infection occurs on the Internet.

i. Packet Analysis
Before we begin, please download a packet capture file of a malware infection over the internet from here: https://www.malwaretrafficanalysis.net/training/Using-Wireshark-diplay-filters-FTP-malware.pcap.zip
Open the file with Wireshark and start analysing it. Use what you have learnt about Wireshark display filters to do the analysis effectively. Please answer the following questions.
What is the username which requested the malware file from the FTP server? What is the filename of the malware? (0.5 Marks)
-Size fc32.exe
From your analysis, please state the IP address of the FTP server and of the FTP client. (0.5 Marks)
FTP Server Responded : 192:168:201:14
FTP Client Request : 10:1114:102
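The questions in 3.4 (which account logged in, which file was fetched, which end is the FTP server and which the client) can all be answered from the FTP control channel alone, because FTP commands and three-digit reply codes travel in plaintext. The Python below is an added example; it is not from the lab and is not derived from the malware-traffic-analysis.net capture. It reconstructs a constructed control session packet by packet, the same way you would by applying ftp.request.command == "RETR" and ftp.response.code == 226 in Wireshark. Addresses come from the documentation ranges and the account, password and file name are invented.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    """One captured TCP segment on the FTP control channel (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


SERVER = "192.0.2.21"      # constructed, TEST-NET-1 documentation range
CLIENT = "198.51.100.42"   # constructed, TEST-NET-2 documentation range


def _ctl(frm: str, to: str, line: bytes) -> Packet:
    """Build one control-channel segment; the server side always uses port 21."""
    sport, dport = (21, 51734) if frm == SERVER else (51734, 21)
    return Packet(frm, to, sport, dport, line + b"\r\n")


# Constructed session: login, binary mode, one file retrieved.
PACKETS = [
    _ctl(SERVER, CLIENT, b"220 FTP server ready"),
    _ctl(CLIENT, SERVER, b"USER dropsite"),
    _ctl(SERVER, CLIENT, b"331 Password required"),
    _ctl(CLIENT, SERVER, b"PASS hunter2"),
    _ctl(SERVER, CLIENT, b"230 Login successful"),
    _ctl(CLIENT, SERVER, b"TYPE I"),
    _ctl(SERVER, CLIENT, b"200 Type set to I"),
    _ctl(CLIENT, SERVER, b"RETR sample-dropper.exe"),
    _ctl(SERVER, CLIENT, b"150 Opening BINARY mode data connection"),
    _ctl(SERVER, CLIENT, b"226 Transfer complete"),
]


def analyse_ftp(packets) -> dict:
    """Walk the control channel and report who fetched what from where.

    The server is whichever side sends numeric reply codes; the client is the
    side sending commands. A RETR only counts as a completed download once the
    server answers it with 226 (a 4xx/5xx reply cancels it).
    """
    result = {"server": None, "client": None, "user": None, "login_ok": False,
              "password_in_clear": False, "retrieved": []}
    pending_retr = None
    for pkt in packets:
        for raw in pkt.payload.split(b"\r\n"):
            if not raw:
                continue
            head, _, arg = raw.decode("ascii", "replace").partition(" ")
            if len(head) == 3 and head.isdigit():          # server reply
                code = int(head)
                result["server"], result["client"] = pkt.src, pkt.dst
                if code == 230:
                    result["login_ok"] = True
                if pending_retr and code == 226:
                    result["retrieved"].append(pending_retr)
                    pending_retr = None
                elif pending_retr and code >= 400:
                    pending_retr = None
            else:                                           # client command
                cmd = head.upper()
                if cmd == "USER":
                    result["user"] = arg
                elif cmd == "PASS":
                    # Record that the secret was observable; no need to keep it.
                    result["password_in_clear"] = bool(arg)
                elif cmd == "RETR":
                    pending_retr = arg
    return result


if __name__ == "__main__":
    for key, value in analyse_ftp(PACKETS).items():
        print(f"{key}: {value}")
```

The file contents themselves travel on the separate ftp-data connection announced by the 150 reply; in Wireshark, once you have the RETR packet, File > Export Objects > FTP-DATA recovers the transferred file for hashing and further analysis.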

3.5 Reflection
In your opinion, why is Wireshark an important tool in investigating information security issues? (0.5 Marks)
In my opinion, Wireshark is an important tool in investigating information security issues because Wireshark can peer inside the network and examine the details of traffic at a variety of levels, ranging from connection-level information to the bits comprising a single packet. This flexibility and depth of inspection allows this valuable tool to analyze security events and troubleshoot network security device issues.
Please state the name of, and discuss, software / tools which are able to automatically detect security threats by analysing packets. (0.5 Marks)
Wireless sniffer, a packet analyzer created for capturing data that is on a wireless network.


