In Wireshark download this packet file and determine the following. Packet File
Question
In Wireshark download this packet file and determine the following.
Packet File: https://ufile.io/kj01y
Here is a description on how to answer the questions....
Some activity is abnormal, some is normal, and some is a mixture of both. If it's normal network traffic without anything suspicious, don't overthink it; report on why it's normal and move on. If you can't ascertain whether or not it's abnormal, tell me why and move on. There are examples of both of those situations in the packet capture.
(Good description vs poor description)
Poor:
IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx
While this is a fact, it's not useful information, as it is missing the description which makes it relevant to what's going on.
Good:
IP xxx.xxx.xxx.xxx is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx. Port 21 is ftp, which sends credentials in the clear. The series of packet captures shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter of which allowed the intruder to gain access to the computer.
1. Is the activity occurring in packets 2-3 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. If there’s nothing suspicious, tell me so, and explain why it’s normal traffic.
2. Is the activity occurring in packets 5-37 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained.
3. Is the activity occurring in packets 42-84 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences.
4. Is the activity occurring in packets 91-132 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences such as how many ports are involved and their associated services. What information would be gained and how could it be used by an attacker?
5. Is the activity occurring in packets 139-1157 abnormal? Hint: this is a TCP stream so you can select the first packet > Right-Click > "Follow TCP Stream" (or Follow > TCP Stream depending on your version) and Wireshark will extract those packets in to a single readable stream. Provide a detailed description and interpretation of what is occurring along with possible consequences. There is a lot going on there; tell me what happened.
6. Is the activity occurring in packets 1160-1182 abnormal? If so, provide a detailed interpretation of what is occurring. This may require a light Googling. Hint: This is also a TCP Stream; see above.
7. Is the activity occurring in packets 1184-1475 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. Hint: You guessed it – also a TCP Stream.
8. Is the activity occurring in packets 1476 through the end of the packet capture abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained.
Explanation / Answer
This technique is used to attack the host in such a way that the host won't be able to serve any further requests to the user. Finally, the server crashes, resulting in a server unavailable condition.
There are various attack techniques used in this topic. We will cover SYN flood and ICMP flood detection with the help of Wireshark.
As many are aware (as it’s now become national news), a vulnerability was recently discovered in OpenSSL dubbed Heartbleed. The attack centers around the implementation of the Heartbeat extension in OpenSSL which causes a server to return the contents of memory that should be protected. This blogpost by Troy Hunt describes the vulnerability in detail: Everything you need to know about the Heartbleed SSL bug.
Being packet geeks, naturally we wanted to get a capture of the Heartbleed attack in action. To do this, we ran a Heartbleed attack against a CloudShark server that we configured to be vulnerable to this attack and used a slightly modified version of the Heartbleed Test to attack it.
CUTTING EDGE PACKET CAPTURE CAPABILITIES
Whether you want to capture all data or just certain protocols, send them to analysis tools, search for specifics, perform full reconstruction or look for packets from bad IP addresses, we can help you:
Regardless of whether you want to capture packets for an hour, a day, a month or even a year, we can provide you with a Packet Capture solution that gives you the complete picture of network performance issues and cyber-attacks affecting your organisation.
One of the core foundations of cyber-security is the ability to identify and analyse the attacks and breaches affecting your organisation. Without knowing this, you can’t take evasive action, assess the extent of the damage, and prevent future such harm. Furthermore, with regulatory compliances such as GDPR, MiFID II and PCI DSS requiring companies to capture and store data to support compliance reporting, and in some instances store, or specifically not store payment card data, the need for sophisticated Packet Capture becomes all the more vital.
We continuously improve our capabilities to ensure that, whether your application is Network Monitoring, Cyber Security or compliance, you can quickly find the needle in the haystack of needles, you can forensically analyse attacks, see exactly what’s happening in your network, and deliver your regulatory obligations.
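The question asks the analyst to recognise three patterns in a capture: repeated FTP login attempts against one account, a sweep of many ports on one host, and (from the answer's mention of SYN floods) a source that opens connections it never completes. The following script is an added example, not part of the question, the answer or the assignment's pcap; it parses classic libpcap bytes and Ethernet/IPv4/TCP headers by hand and applies one detector for each pattern. The host addresses, thresholds (`min_ports`, `min_syns`, `max_ack_ratio`) and the frames in `sample_capture()` are constructed for illustration; the username and password list reuse the example given in the question. Run it against a real file with `analyse(open("capture.pcap", "rb").read())`.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10

def read_pcap(data):
    """Yield raw frames from classic little-endian libpcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    assert magic == 0xA1B2C3D4, "only classic little-endian pcap is handled here"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Ethernet/IPv4/TCP frame -> dict of addresses, ports, flags, payload; else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + IPv4 IHL
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "flags": frame[tcp + 13],
            "payload": frame[tcp + doff:]}

def ftp_logins(pkts):
    """Pair FTP USER/PASS commands with the server's 230 (ok) or 530 (fail) reply."""
    pending, attempts = {}, []                 # client ip -> [user, password]
    for p in pkts:
        text = p["payload"].decode("ascii", "replace").strip()
        if p["dport"] == 21 and text[:5].upper() == "USER ":
            pending[p["src"]] = [text[5:], None]
        elif p["dport"] == 21 and text[:5].upper() == "PASS " and p["src"] in pending:
            pending[p["src"]][1] = text[5:]
        elif p["sport"] == 21 and pending.get(p["dst"], [None, None])[1] is not None:
            user, password = pending.pop(p["dst"])
            attempts.append((user, password, text.startswith("230")))
    return attempts

def port_scanners(pkts, min_ports=10):
    """(src, dst) pairs where one source sent SYNs to more than min_ports distinct ports."""
    ports = defaultdict(set)
    for p in pkts:
        if p["flags"] & SYN and not p["flags"] & ACK:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) > min_ports}

def syn_flood_suspects(pkts, min_syns=20, max_ack_ratio=0.1):
    """Heuristic: sources sending many SYNs but almost no bare ACKs (handshakes never completed)."""
    syns, acks = defaultdict(int), defaultdict(int)
    for p in pkts:
        if p["flags"] & SYN and not p["flags"] & ACK:
            syns[p["src"]] += 1
        elif p["flags"] == ACK:
            acks[p["src"]] += 1
    return {s: n for s, n in syns.items() if n >= min_syns and acks[s] / n <= max_ack_ratio}

def analyse(pcap_bytes):
    pkts = [p for p in map(parse_frame, read_pcap(pcap_bytes)) if p]
    return {"ftp_logins": ftp_logins(pkts), "port_scans": port_scanners(pkts),
            "syn_floods": syn_flood_suspects(pkts)}

# --- constructed sample capture (not the assignment's pcap) -------------------
def build_tcp(src, dst, sport, dport, flags, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # checksums left zero

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

def sample_capture():
    A, V, F, N = "10.0.0.5", "10.0.0.20", "10.0.0.99", "10.0.0.7"   # constructed hosts
    frames = []
    for i, pw in enumerate(["password", "sumo", "wrestler", "beatles", "sumo1"]):
        reply = b"230 Login successful\r\n" if pw == "sumo1" else b"530 Login incorrect\r\n"
        frames += [build_tcp(A, V, 40000 + i, 21, ACK, b"USER sumowrestler\r\n"),
                   build_tcp(V, A, 21, 40000 + i, ACK, b"331 Password required\r\n"),
                   build_tcp(A, V, 40000 + i, 21, ACK, b"PASS " + pw.encode() + b"\r\n"),
                   build_tcp(V, A, 21, 40000 + i, ACK, reply)]
    frames += [build_tcp(A, V, 50000, port, SYN) for port in range(20, 35)]   # port sweep
    frames += [build_tcp(F, V, 51000 + i, 80, SYN) for i in range(30)]         # SYN flood
    for i in range(5):                                                          # normal client
        frames += [build_tcp(N, V, 52000 + i, 80, SYN), build_tcp(V, N, 80, 52000 + i, SYN | ACK),
                   build_tcp(N, V, 52000 + i, 80, ACK)]
    return build_pcap(frames)

if __name__ == "__main__":
    for name, result in analyse(sample_capture()).items():
        print(name, result)
```

The three detectors deliberately separate the patterns the assignment asks about: the scanner touches many ports on one host with few SYNs per port, the flooder sends many SYNs to one port and never completes a handshake, and the normal client completes every handshake and trips neither threshold. The FTP pairing keys on the client address rather than the TCP port, so guesses spread over several connections against the same account are still reported as one sequence.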