Assignment 2: Network Security and Packet Capture Analysis



Overview

In this assignment you will conduct a detailed analysis of a packet capture. You can download Wireshark for Windows, Mac, or Linux; you do not need to run Wireshark in your virtual machine.

Deliverables

Hints

Some activity is abnormal, some is normal, and some is a mixture of both. If it's normal network traffic without anything suspicious, don't overthink it; report on why it's normal and move on. If you can't ascertain whether or not it's abnormal, tell me why and move on. There are examples of both of those situations in the packet capture.

Good Description vs Poor Description

Poor:

IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx

While this is a fact, it's not useful information, as it is missing the description that makes it relevant to what's going on.

Good:

IP xxx.xxx.xxx.xxx is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx. Port 21 is FTP, which sends credentials in the clear. The series of packets shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful on the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the last of which allowed the intruder to gain access to the computer.

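The kind of evidence the good description above is built from can be pulled straight out of a followed FTP control stream. The script below is an added example, not part of the assignment or its capture: it parses a constructed transcript (documentation IP addresses, invented session) in a "src -> dst text" layout, pairs each cleartext USER/PASS with the server's reply code, and reports who connected to whom, which passwords were tried, and whether the failure count looks like guessing.

```python
import re
from collections import Counter

# Constructed control-channel transcript (port 21) modelled on the "good
# description" above; IPs are documentation addresses, not from the capture.
SAMPLE_STREAM = """\
198.51.100.7:21 -> 192.0.2.10:51234 220 Flextor FTP server ready
192.0.2.10:51234 -> 198.51.100.7:21 USER sumowrestler
192.0.2.10:51234 -> 198.51.100.7:21 PASS password
198.51.100.7:21 -> 192.0.2.10:51234 530 Login incorrect.
192.0.2.10:51234 -> 198.51.100.7:21 USER sumowrestler
192.0.2.10:51234 -> 198.51.100.7:21 PASS sumo
198.51.100.7:21 -> 192.0.2.10:51234 530 Login incorrect.
192.0.2.10:51234 -> 198.51.100.7:21 USER sumowrestler
192.0.2.10:51234 -> 198.51.100.7:21 PASS wrestler
198.51.100.7:21 -> 192.0.2.10:51234 530 Login incorrect.
192.0.2.10:51234 -> 198.51.100.7:21 USER sumowrestler
192.0.2.10:51234 -> 198.51.100.7:21 PASS beatles
198.51.100.7:21 -> 192.0.2.10:51234 530 Login incorrect.
192.0.2.10:51234 -> 198.51.100.7:21 USER sumowrestler
192.0.2.10:51234 -> 198.51.100.7:21 PASS sumo1
198.51.100.7:21 -> 192.0.2.10:51234 230 Login successful.
"""
LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+)(?: (.*))?$")

def parse_ftp_logins(stream):
    """Return one (client, server, user, password, reply) per PASS command."""
    attempts, user, password, client = [], None, None, None
    for line in stream.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, word, rest = m.groups()
        if dst.endswith(":21") and word.upper() == "USER":
            user, client = rest, src
        elif dst.endswith(":21") and word.upper() == "PASS":
            password = rest                     # FTP sends it in cleartext
        elif src.endswith(":21") and password is not None and word.isdigit():
            # numeric reply to the pending PASS: 230 = accepted, 530 = rejected
            attempts.append((client, src, user, password, int(word)))
            password = None
    return attempts

def describe(attempts, threshold=3):
    """Who connected to whom, what was guessed, and whether it looks like brute force."""
    fails = Counter(a[2] for a in attempts if a[4] == 530)
    wins = {a[2]: a[3] for a in attempts if a[4] == 230}
    return {"connections": sorted({(a[0], a[1]) for a in attempts}),
            "guessed": [a[3] for a in attempts], "failures": dict(fails),
            "successful": wins, "suspicious": any(n >= threshold for n in fails.values())}
```

Running `describe(parse_ftp_logins(SAMPLE_STREAM))` on the constructed transcript yields the four failures, the working credential and the client/server pair that a write-up in the "good" style needs.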
IMPORTANT

Read and re-read the Good vs. Poor description above. Done? Great! Make sure your answers contain details. Not every answer will require more than a paragraph, but some will (especially question 5); for every answer it should be clear who was connecting to whom (IPs), the relevant ports and their services, etc. I'm not expecting you to analyze individual packets, break down headers, or anything like that; rather, explain as a whole what's occurring in each group of packets listed.

Try to stay away from vague terms like "they", "the attacker", "the server", etc. Something like "The attacker connected to the server" doesn't give us any concrete information. Which IP are you saying is the attacker? Which IP is the server? They connected, but how? Over what port(s)? What service is that port running?

See how many questions just the one vague statement creates. We don't want that: the vaguer the answer, the fewer points I can award for it.

Scenario

Mr. Avenal was very pleased with your work conducting the password audit and has asked again for your help, this time with a situation at Flextor, Inc., a subsidiary of Reynholm Industries. Avenal was contacted regarding a possible security breach on their network after the IT administrator was alerted to an unusual spike in the volume of network traffic and, around the same time, suspicious activity on one of their servers. The Flextor admin has provided a packet capture of the network traffic from the time frame of the unusual traffic. Answer the questions posed below and report back to Avenal with a half-page summary of what you found.

Assignment Questions

Remember: detail and thoroughness matter. For each question, include where appropriate: which IPs are involved (both the IP that originated the communication and the original destination address), destination ports, the service being used on each port, commands run or actions taken if any, and so on. In other words, someone reading only your description should be able to understand what took place and "who" was involved.

1. Is the activity occurring in packets 2-3 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. If there's nothing suspicious, tell me so, and explain why it's normal traffic.

2. Is the activity occurring in packets 5-37 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained.

3. Is the activity occurring in packets 42-84 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences.

4. Is the activity occurring in packets 91-132 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences, such as how many ports are involved and their associated services. What information would be gained, and how could it be used by an attacker?

5. Is the activity occurring in packets 139-1157 abnormal? Hint: this is a TCP stream, so you can select the first packet > Right-Click > "Follow TCP Stream" (or Follow > TCP Stream, depending on your version) and Wireshark will extract those packets into a single readable stream. Provide a detailed description and interpretation of what is occurring, along with possible consequences. There is a lot going on there; tell me what happened.

6. Is the activity occurring in packets 1160-1182 abnormal? If so, provide a detailed interpretation of what is occurring. This may require a little Googling. Hint: this is also a TCP stream; see above.

7. Is the activity occurring in packets 1184-1475 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. Hint: you guessed it, also a TCP stream.

8. Is the activity occurring in packets 1476 through the end of the packet capture abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained.

9. Can you determine who the attacker was? In your opinion, were the attacker's skills low, moderate, or high, and why?

Assignment Files