| 
  • If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!

View
 

Assignment 2: Network Security and Packet Capture Analysis

This version was saved 6 years, 1 month ago View current version     Page history
Saved by Patrick
on February 12, 2018 at 7:50:55 pm
 

Assignment 2

Network Security: Packet Capture Analysis

 

Overview

In this assignment you will conduct a detailed analysis of a packet capture. You can download Wireshark for Windows, Mac, or Linux; you do not need to run Wireshark in your virtual machine.

 

 

Deliverables

 

  • A single document either DOC, DOCX, or PDF (preferred)
  • 1/2 page management summary, written in  non-technical language, that provides a high level interpretation of what occurred
  • Answers to the questions posed in the assignment
    • Keep the questions and write your answer to each below the question

 

Hints

Some activity is abnormal, some is normal, and some is mixture of both. If it's normal network traffic without anything suspicious, don't overthink it; report on why it's normal and move on. If you can't ascertain whether or not it's abnormal, tell me why and move on. There are examples of both of those situations in the packet capture.

 

Good description vs poor description

 

Poor:

IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx

 

While this is a fact, it's not useful information as it missing the description which makes it relevant to what's going on.

 

Good:

IP xxx.xxx.xxx.xxx is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx. Port 21 is ftp, which sends credentials in the clear.  The series of packet captures shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter of which allowed the intruder to gain access to the computer.

 

 

Scenario

 

Mr. Avenal was very pleased with your work conducting the password audit and has asked again for your help a situation at Flextor, Inc, a subsidiary of Reynholm Industries. Avenal was contacted regarding a possible security breach on their network after the IT administrator was alerted to an unusual spike in the volume of network traffic and suspicious activity on one of their servers around the same time. The Flextor admin has provided a packet capture of the network traffic around the time frame of the unusual traffic. Answer the questions posed below and report back to Avenal with a half page summary of what you found.

 

Assignment Questions

 

1. Is the activity occurring in packets 2-3 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. If there’s nothing suspicious, tell me so, and explain why it’s normal traffic.

 

2. Is the activity occurring in packets 5-37 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained.

 

3. Is the activity occurring in packets 42-84 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences.

 

4. Is the activity occurring in packets 91-132 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences such as how many ports are involved and their associated services. What information would be gained and how could it be used by an attacker?

 

5. Is the activity occurring in packets 139-1157 abnormal? Hint: this is a TCP stream so you can select the first packet > Right-Click > "Follow TCP Stream" (or Follow > TCP Stream depending on your version) and Wireshark will extract those packets in to a single readable stream. Provide a detailed description and interpretation of what is occurring along with possible consequences. There is a lot going on there; tell me what happened.

 

6. Is the activity occurring in packets 1160-1182 abnormal? If so, provide a detailed interpretation of what is occurring. This may require a light Googling. Hint: This is also a TCP Stream; see above.

 

7. Is the activity occurring in packets 1184-1475 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. Hint: You guessed it – also a TCP Stream.

 

8. Is the activity occurring in packets 1476 through the end of the packet capture abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained.

 

9. Can you determine who was the attacker and, in your opinion, were the skills of the attacker low, moderate, or high and why.

 

 

 

Assignment Files

 

Comments (0)

You don't have permission to comment on this page.