
  • Information Assurance CNSS 4011 Lab Series

    Lab 2: Packet Analysis

    Document Version: 2011-09-09

    4011 Identifier Reference: (C.1.a, D.1.b, D.1.j)

    Copyright 2003-2011 Center for Systems Security and Information Assurance (CSSIA). The development of this document is funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program, Department of Undergraduate Education (DUE), Award No. 0702872 and 1002746; the Center for Systems Security and Information Assurance (CSSIA) is an entity of Moraine Valley Community College. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of this license can be found at http://www.gnu.org/licenses/fdl.html.

    Lab Author: Belle Woodward
    Organization: Associate Professor, Information Systems and Applied Technologies, Southern Illinois University

  • Lab 2: Packet Analysis

    9/9/2011 Copyright 2003-2011 Center for Systems Security and Information Assurance (CSSIA) Page 2 of 25

    Contents

    1 Introduction (p. 3)
    2 Objective: Learn the Basics of Network Sniffing (p. 3)
    3 Pod Topology (p. 6)
    4 Lab Settings (p. 7)
    Task 1 Using Wireshark to Capture a TCP Handshake (p. 8)
      Task 1.1 Capture a TCP Handshake (p. 8)
      Task 1.2 Conclusion (p. 12)
      Task 1.3 Discussion Questions (p. 13)
    Task 2 Regenerate a Webpage via Captured Data (p. 14)
      Task 2.1 Using Wireshark to Reassemble a Webpage (p. 14)
      Task 2.2 Conclusion (p. 18)
      Task 2.3 Discussion Questions (p. 18)
    Task 3 Observe Common TCP Vulnerabilities (p. 19)
      Task 3.1 Connect to a Telnet/FTP Server (p. 19)
      Task 3.2 Connect to a SSH Server (p. 22)
      Task 3.3 Conclusion (p. 24)
      Task 3.4 Discussion Questions (p. 24)
    5 References (p. 25)


    1 Introduction

    This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG), funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program, Department of Undergraduate Education (DUE), Award No. 0702872 and 1002746. This series of lab exercises is intended to support courseware designated as meeting NSTISSI No. 4011 certification. At the end of this lab, students will have the ability to grab a web page off the network and capture it to a file for later viewing. In addition, students will learn to use the Wireshark protocol analyzer to capture packets on a computer with an Internet connection. The initial TCP packets that are produced when a browser is used to view an Internet site will be observed. Observations will also be made of the TCP packets sent when an attempt to connect fails. This lab includes the following tasks:

    Task 1 - Using Wireshark to capture a TCP handshake

    Task 2 - Using Wireshark to regenerate a webpage

    Task 3 - Observe common TCP vulnerabilities

    2 Objective: Learn the Basics of Network Sniffing

    Network sniffing involves all seven layers of the OSI model, since protocol analyzers first require a system that is physically plugged into the network to be monitored and then return information related to layers 2 through 7. Of particular interest to this lab are layers 3, 4, and 7, since it is within these layers that one finds the network protocol, the transport protocol and the data transmitted to and from the application (web browser, command prompt, etc.). By the end of this lab, one will know how to perform a packet capture, analyze the results, and identify some of the intrinsic vulnerabilities within the TCP protocol. For this lab, the following terms and concepts will be of use:

    TCP [1] - One half of the TCP/IP suite, TCP (Transmission Control Protocol) was developed as a connection-oriented datagram service in 1974. Its role in networking is to ensure correct delivery of IP packets by way of the TCP handshake, a series of synchronization and acknowledgement packets sent by the transmitting and receiving nodes. In the event data is lost during transmission, or another error occurs, TCP will request that the data be retransmitted. Because of its connection-oriented nature, TCP is sometimes slow and is not considered ideal for real-time traffic like VoIP.


    IP [2] - Simply put, IP (Internet Protocol) is what makes the Internet work. The other half of the TCP/IP suite, IP defines the addressing and datagram encapsulation across a network. In tandem with TCP, IP routes traffic from node to node across separate IP networks. Because IP is considered an unreliable protocol, meaning it has no method of error-checking, it relies on TCP for reliable transmission of data.

    TCP Handshake [3] - All network protocols send and receive control packets to enable communication between the source and the destination nodes. The two transport protocols within the TCP/IP suite are TCP and UDP. Both TCP and UDP keep track of different communications through the use of 16-bit ports, many of which are well-known. UDP is connectionless, and thus does not require acknowledgements from recipients. By its very nature, TCP (Transmission Control Protocol) is connection-oriented. That is, it requires acknowledgement from the recipient. A TCP connection is initiated by the three-way TCP handshake. Suppose node (A) attempts to connect to node (B) via TCP. TCP's three-way handshake between these two nodes will proceed as follows:

    1. A SYN packet is sent from node (A) to node (B).
    2. A SYN/ACK packet is sent from node (B) to node (A), acknowledging the receipt of the SYN packet.
    3. An ACK packet is sent from node (A) to node (B), completing the connection.

    Each step places the relevant ports in certain states. Under normal circumstances, a SYN packet is sent from a specific port on (A) to a specific port on (B) that is in the LISTEN state. System B responds by going into the SYN_RECV state (pending completion of the connection). System B then sends back a SYN/ACK packet to System A, acknowledging that it received System A's SYN packet successfully.

    If all goes well, (A) will return an ACK packet to (B) and the connection will move to the ESTABLISHED state on both (A) and (B).

    Many common applications use TCP. Some of the more common applications include Internet browsing (using HTTP, port 80), Telnet (port 23), FTP (port 21), and SMTP (port 25). Every time these applications are used, they are initiated by a TCP three-way handshake.


    Network Monitoring [3] - Network monitors, protocol analyzers, and sniffers are all a class of tools used by network administrators to gather information about their network for a wide variety of protocols. It cannot be overstated how important such tools are for proper network management as well as for detecting possible security breaches. Network monitors may either be a software program running on a computer, or it can be a separate stand-alone device. Like many network devices, cost and capabilities vary widely. They range from free software to platforms costing thousands of dollars.

    Wireshark [4] - Wireshark is an open source network monitor/ protocol analyzer. Being open source, the tool is free and runs on multiple platforms, including UNIX, Linux, and Windows. It has a robust feature set that continues to be developed by a large number of contributors. It supports over 500 types of protocols, which may be analyzed in very fine detail.

    The use of Wireshark involves the initiation of a capture, which is simply the retention of protocol utilization information that the tool has detected. This information may be retained in a capture file, which can be saved for later reference. Wireshark is also compatible with numerous capture file formats that are compatible with other network monitors.

    Clear Text [5] - Clear text data is data that is either stored or transmitted in an unencrypted state. This is a dangerous practice, and can be remedied by encrypting files or using services like SSH (Secure Shell) instead of Telnet, among other things.


    3 Pod Topology


    4 Lab Settings

    The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information.

    Required Virtual Machines and Applications

    This lab requires the use of the XP1 and Windows 7 virtual machines.

    Windows XP Client: 192.168.111.41
    Windows XP Client admin password: P@ssw0rd
    Windows 7 Client: 192.168.111.57
    Windows 7 Client admin password: P@ssw0rd


    Task 1 Using Wireshark to Capture a TCP Handshake

    Wireshark is an open source network monitor/protocol analyzer. Being open source, the tool is free and runs on multiple platforms, including UNIX, Linux, and Windows. It has a robust feature set that continues to be developed by a large number of contributors. It supports over 500 types of protocols, which may be analyzed in very fine detail. The use of Wireshark involves the initiation of a capture, which is simply the retention of protocol utilization information that the tool has detected. This information may be retained in a capture file, which can be saved for later reference. Wireshark is also compatible with numerous capture file formats that are compatible with other network monitors.

    Task 1.1 Capture a TCP Handshake

    Start a Capture

    1. Access the XP1 Virtual Machine by clicking on the XP1 image in the topology.
    2. Login as the Administrator using P@ssw0rd as the password.
    3. Double-click the Wireshark icon on the desktop.
    4. In the Capture window, click Interface List, which will bring up a list of the available interfaces. Select the interface with the 192.168.111.41 address.

    Figure 2: Interface List options


    You should now see something similar to the following:

    Figure 3: Wireshark Capturing Data

    Capture a Webpage

    1. Minimize the Wireshark window.
    2. Open Internet Explorer and browse to http://192.168.111.57. The site is hosted by the WIN7 VM.
    3. Once the site is observed in the browser, minimize the browser, click on Wireshark on the taskbar, and stop the Wireshark capture by pressing Ctrl-E.
       a. After the capture has been stopped, Wireshark should be populated with data based on network information acquired during the capture period.
    4. Click on the protocol field box shown below to sort the display by protocol type.

    Figure 4: Click to sort by Protocol


    You should now see something similar to the following graphic:

    Figure 5: Captured Data Sorted by Protocol

    Analyze the TCP Handshake

    1. Scroll down to TCP in the protocol column.
    2. Observe the top, middle, and bottom displays within Wireshark, each showing greater detail in succession. With proper sorting, the first three lines of the top display should correspond to the TCP three-way handshake. Look for the [SYN], [SYN, ACK], and [ACK] in the Wireshark top window.
       a. The top portion of the display shows a summary of a particular packet. The middle display lists more detailed information sorted by layers of the OSI model, beginning with the physical layer. Be sure to expand the middle display information by clicking on the + for Transmission Control Protocol, and note the port numbers.
       b. The lowest display area is the most detailed, showing the actual bit stream in hex.
    3. Click the Windows Start button and select Run.
    4. Type cmd in the text box and click OK.
    5. Type cd c:\ and hit Enter.


    6. Type netstat -na and hit Enter. You should see something similar to the following graphic:

    Figure 6: Output of Netstat

    Once again, note the ports following the colons. If a session with your website is not evident, try refreshing your browser, and repeat the command.

    7. To observe a failure to complete a three-way handshake, attempt to telnet into another computer host on your local network segment. Though nearly all computer workstations support telnet for remote connection to other devices, they do not usually accept telnet requests from other nodes. Verify connectivity with another host on the network segment via the ping command:

    C:\>ping 192.168.111.100

    Once connectivity is verified, start another Wireshark capture as in Step 1, and attempt to telnet into that host. When prompted, choose Continue without Saving.

    C:\>telnet 192.168.111.100

    After the failure to connect is indicated within the command window, stop the Wireshark capture. You should observe something similar to the next graphic. The sequence of TCP packets can be observed within Wireshark. Note that the [SYN] packet is not followed by a [SYN, ACK] response, but rather by another [SYN] attempt. Telnet makes one more attempt to connect by sending another [SYN] packet, and after the same response, the failure message displays in the command window.

    Figure 7: Overlay image of Telnet attempt and Corresponding Wireshark Output
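    The following is an added example, not part of the lab: a small Python tracker that replays constructed IPv4/TCP frames and walks each connection through the SYN_SENT, SYN_RECV and ESTABLISHED states described in the Objective section, checking the acknowledgement numbers at each step. It reproduces both captures from Task 1.1 in code: the completed handshake to the WIN7 web server and the telnet attempt whose SYN is retransmitted without ever getting a SYN/ACK. The frames, addresses and ports are constructed sample data, not bytes from a real capture.

```python
import struct

# TCP control bits from the flags byte of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4 + TCP frame (20 + 20 bytes, no payload).
    Checksums are left zero: this is constructed sample input, not a capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Pull the fields a handshake tracker needs out of an IPv4/TCP frame."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return src, dst, sport, dport, seq, ack, flags


def track_handshakes(packets):
    """Replay frames in capture order and return two dicts keyed by the
    client-side 4-tuple (client, cport, server, sport):
      states    -> SYN_SENT, SYN_RECV or ESTABLISHED
      syn_count -> how many SYNs the client sent for that connection
    A SYN that never receives a SYN/ACK stays in SYN_SENT and its SYN count
    grows with each retransmission, which is exactly the failed telnet case."""
    states, syn_count, isn = {}, {}, {}
    for raw in packets:
        src, dst, sport, dport, seq, ack, flags = parse_packet(raw)
        if flags & SYN and not flags & ACK:          # step 1: SYN from client
            key = (src, sport, dst, dport)
            states.setdefault(key, "SYN_SENT")
            isn[key] = seq
            syn_count[key] = syn_count.get(key, 0) + 1
        elif flags & SYN and flags & ACK:            # step 2: SYN/ACK from server
            key = (dst, dport, src, sport)            # a reply, so roles are swapped
            if states.get(key) == "SYN_SENT" and ack == isn[key] + 1:
                states[key] = "SYN_RECV"
                isn[key] = (isn[key], seq)            # remember the server ISN too
        elif flags & ACK:                            # step 3: final ACK from client
            key = (src, sport, dst, dport)
            if states.get(key) == "SYN_RECV" and ack == isn[key][1] + 1:
                states[key] = "ESTABLISHED"
    return states, syn_count


def demo():
    """Constructed capture: one successful HTTP handshake to the WIN7 VM and a
    telnet attempt to a host that never answers (two SYNs, no SYN/ACK)."""
    xp, win7, silent = "192.168.111.41", "192.168.111.57", "192.168.111.100"
    packets = [
        build_packet(xp, win7, 1034, 80, 1000, 0, SYN),
        build_packet(win7, xp, 80, 1034, 5000, 1001, SYN | ACK),
        build_packet(xp, win7, 1034, 80, 1001, 5001, ACK),
        build_packet(xp, silent, 1035, 23, 2000, 0, SYN),
        build_packet(xp, silent, 1035, 23, 2000, 0, SYN),   # retransmitted SYN
    ]
    return track_handshakes(packets)


if __name__ == "__main__":
    states, syns = demo()
    for key, state in states.items():
        print(key, state, "SYNs sent:", syns[key])
```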

    Task 1.2 Conclusion

    Protocol Analyzers such as Wireshark are an essential tool in monitoring and identifying both desirable and undesirable network traffic within an organization. Due to their ability to both view traffic in a general aspect (a collection of individual packets) down to a very granular detail (the raw packet data) one is able to achieve a detailed view of the types of communication within their network as it occurs or save a session for review.


    Task 1.3 Discussion Questions

    1. What features of Wireshark are particularly useful for network administration and cyber security?
    2. What happens if your computer attempts to telnet to an inactive IP address on your network segment? Does your computer send out a TCP [SYN] packet?
    3. Explore what happens when you ping your localhost address 127.0.0.1.
    4. Explore what happens when you ping your local IP address. What is the difference between this and pinging the localhost address?


    Task 2 Regenerate a Webpage via Captured Data

    Having the ability to look at and analyze packets on a network can be very informative. There are many reasons an administrator may want to see what is traversing the network. On a wireless or non-switched network, packets can be seen both by those that have legitimate needs and by those that are up to nefarious activities. Capturing web pages requires an understanding of how they are processed by the server and rendered by the browser. We will follow an HTTP stream and see what can be displayed easily and what requires more effort. The more highly formatted the page, the harder it will be to reproduce. Products like Wget (http://www.gnu.org/software/wget/) can grab web sites for off-line viewing. Alternatively, Wireshark will grab the stream and leave it up to the user to assemble.

    Task 2.1 Using Wireshark to Reassemble a Webpage

    Capture a Webpage

    1. Minimize Wireshark and close the Command Line window.
    2. Open Internet Explorer (if it is not already) and click Tools on the Menu bar.
    3. Select Internet Options on the bottom of the drop down list.
    4. Under browsing history, click on Delete, click Delete again, and click OK.
    5. Minimize Internet Explorer and click on Wireshark on the taskbar.
    6. Start a new capture on the 192.168.111.41 interface. Click Continue without Saving when prompted.
    7. Minimize Wireshark and click on Internet Explorer on the taskbar.
    8. Navigate to http://192.168.111.57.
    9. When the page loads, minimize Internet Explorer, click on Wireshark on the taskbar and stop the capture by pressing Ctrl+E.
    10. Find a TCP packet that's part of the TCP handshake, click it, then select Analyze from the menu bar.
    11. Select Follow TCP Stream. (See the following screen shot for an example.)


    Figure 8: Following a TCP Stream in Wireshark


    The program will process the stream and display the contents. Your screen will look similar to the one shown below:

    Figure 9: The Follow TCP Stream window in Wireshark

    12. Click Save As, enter TCP Stream as the Name, and click Save.
    13. Close Wireshark and click Quit without Saving.
    14. Close the Internet Explorer Window.


    Edit the Saved TCP Stream File

    1. Click on the Start button and click on My Documents.
    2. Double-click the TCP Stream file.
    3. Select Wordpad as the program to open the file and click OK.
    4. Cut out everything that is not part of the html page. Pages can start with or and end with . Keep only the highlighted portion from the following graphic.

    Figure 10: Only keep the highlighted portion

    5. Save the edited file as testfile.html. (The saved file should look like an HTML file.)


    View the Edited TCP Stream File

    1. Close Wordpad.
    2. Open the My Documents folder if it isn't open already.
    3. Double click the testfile.html file. Here is a sample screen shot:

    Figure 11: The Reconstructed Webpage

    4. Get a screen shot of your edited HTML page as it is displayed by a browser. Save it to a Word document, put your name in the document and print it off for your instructor.
    5. Close the My Documents window.

    Task 2.2 Conclusion

    By using the Follow TCP Stream functionality in Wireshark, one is able to reconstitute the data flow between two hosts in order to see the exact nature of the communication that occurred between them. This is a useful tool when it is necessary to view the packet payload with the packet sequence numbering in order.

    Task 2.3 Discussion Questions

    1. Can you capture the images and have the page display correctly?
    2. What can be gleaned by capturing http traffic?
    3. In Figure 9, why is some of the file in red and some in blue?
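    The following is an added example, not part of the lab and not Wireshark's own code: it does in Python what Follow TCP Stream and the Wordpad editing of Task 2 do by hand. The server-to-client segments are put back in sequence-number order (dropping a retransmission and stopping at any hole in the capture), then the HTTP headers are separated from the HTML body using Content-Length, which is the portion the lab has you keep. The response text, sequence numbers and segment sizes are a constructed sample, not data from the WIN7 VM.

```python
def reassemble(segments):
    """segments: list of (seq, payload) for ONE direction of a TCP stream, in any
    order, possibly with retransmissions. Returns the contiguous byte stream from
    the lowest sequence number up to the first hole (a hole means a segment was
    never captured, and nothing after it can safely be joined on)."""
    ordered = sorted(segments, key=lambda s: s[0])
    out = bytearray()
    expected = ordered[0][0]
    for seq, data in ordered:
        if seq + len(data) <= expected:
            continue                      # pure retransmission, already have it
        if seq > expected:
            break                         # gap in the capture
        out += data[expected - seq:]      # trim any overlap with bytes seen
        expected = seq + len(data)
    return bytes(out)


def extract_html(stream):
    """Split an HTTP/1.x response into (status_line, headers, body), cutting the
    body at Content-Length so trailing bytes from the same stream are dropped."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP headers are incomplete in this stream")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return lines[0], headers, rest[:length]


def segment(data, isn, sizes):
    """Cut a byte string into (seq, chunk) pairs of the given sizes, starting at
    sequence number isn; a constructed stand-in for what Wireshark captured."""
    out, pos = [], 0
    for n in sizes:
        out.append((isn + pos, data[pos:pos + n]))
        pos += n
    out.append((isn + pos, data[pos:]))
    return out


def demo():
    """Constructed server-to-client stream for a page like the one the WIN7 VM
    serves, delivered out of order with one segment sent twice."""
    body = b"<html><head><title>Lab 2</title></head><body><h1>Hello</h1></body></html>"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(body) + body)
    segs = segment(response, isn=5001, sizes=[40, 30, 25])
    segs = [segs[2], segs[0], segs[3], segs[1], segs[1]]   # shuffled + a retransmit
    return extract_html(reassemble(segs))


if __name__ == "__main__":
    status, headers, html = demo()
    print(status, headers)
    print(html.decode())
```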


    Task 3 Observe Common TCP Vulnerabilities

    This section will require a functional Telnet and/or FTP server to demonstrate how passwords and IDs are seen in clear text. Next, a SSH server will be required to demonstrate how the raw payload is not viewable within a packet analyzer.

    Task 3.1 Connect to a Telnet/FTP Server

    1. Open Wireshark and start a new capture.
    2. Open the PuTTY client and enter 192.168.111.57 as the IP address. Make sure the Telnet radio button is selected:

    Figure 12: Configuration for a Telnet Session


    3. Make sure you have Wireshark capturing packets, then click Open. A window similar to the one below should open:

    Figure 13: Telnet Login


    5. Enter your username (administrator) and password (P@ssw0rd) at the prompt.
    6. Minimize the window and return to your Wireshark capture.
    7. Press Ctrl+E to end the packet capture. You should have packets that look like this:

    Figure 14: Telnet Connection in Wireshark

    8. Find a packet with Telnet Data . . . in its info field. Right click it, and select Follow TCP Stream.

    9. Save the output as Telnet Data and close the window.
    10. Close the PuTTY window.


    Task 3.2 Connect to a SSH Server

    1. Start a new Wireshark capture.
    2. Open a new PuTTY session, although this time select SSH and enter 192.168.111.210 as the IP address.

    Figure 15: Configuration for an SSH Session


    3. Make sure Wireshark is running, then click Open. The SSH login screen should look like this:

    Figure 16: SSH Login


    4. Login with the same credentials (administrator, P@ssw0rd), then check Wireshark. The packets should look similar to the following graphic:

    Figure 17: SSH Connection in Wireshark

    5. Find a packet with Encrypted response packet in the info field, right-click it and select Follow TCP Stream. Observe and note the output.

    Task 3.3 Conclusion

    Some technologies have an extremely limited use. They might be used on a non-switched or wireless network. This is due to the intrinsic vulnerabilities that exist within the TCP protocol by design. When determining the nature of the data that will be shared over a network, the type of technology employed to deliver or receive that data must be considered.

    Task 3.4 Discussion Questions

    1. What kind of sensitive data is captured in a Telnet or FTP session?
    2. What kind of sensitive data is captured in a SSH session?
    3. If there are any differences between #1 and #2, what are they and what is the cause?
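    The following is an added example, not part of the lab: a Python check that a network administrator could run over reassembled flows (the output of Follow TCP Stream) to flag what Task 3 shows by eye. FTP USER/PASS commands and a Telnet login prompt are reported as readable authentication on the wire, while traffic to the SSH port is tested with a printable-byte ratio to confirm the payload after the version banner is opaque. The flows, the 0.6 threshold and the "example-secret" credentials are constructed assumptions, and the findings deliberately never copy credential values out of the capture.

```python
import re

# Services the lab exercises whose application data crosses the wire
# unencrypted, so a capture on a shared segment reveals the login exchange.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
FTP_AUTH = re.compile(rb"^(USER|PASS) ", re.M)
TELNET_PROMPT = re.compile(rb"(?i)login:|password:")


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or ordinary whitespace.
    Encrypted SSH records look like noise here; a readable login does not."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def classify_flow(dst_port, client_payload, server_payload):
    """Return (severity, message) findings for one reassembled flow. Credential
    values are deliberately not copied into the findings, only the fact that
    an authentication step was readable on the wire."""
    findings = []
    service = CLEARTEXT_PORTS.get(dst_port)
    if service == "ftp":
        for m in FTP_AUTH.finditer(client_payload):
            findings.append(("high", "FTP %s sent in clear text" % m.group(1).decode()))
    elif service == "telnet":
        if TELNET_PROMPT.search(server_payload):
            findings.append(("high", "Telnet login prompt seen; typed credentials are readable"))
    elif dst_port == 22:
        ratio = printable_ratio(server_payload)
        if ratio < 0.6:   # threshold is an assumption; tune against your own captures
            findings.append(("info", "SSH payload is opaque (%.0f%% printable)" % (ratio * 100)))
        else:
            findings.append(("medium", "traffic on port 22 is mostly readable; confirm it is SSH"))
    return findings


def demo():
    """Constructed flows mirroring Task 3: FTP and Telnet logins, then SSH."""
    flows = {
        "ftp": (21, b"USER student\r\nPASS example-secret\r\nLIST\r\n",
                b"220 FTP ready\r\n331 Password required\r\n230 Logged in\r\n"),
        # Telnet option negotiation (IAC bytes) precedes the readable prompt.
        "telnet": (23, b"\xff\xfb\x18student\r\nexample-secret\r\n",
                   b"\xff\xfd\x18\xff\xfd\x20login: Password: "),
        # SSH: a readable version banner, then records that are ciphertext.
        # bytes(range(256)) stands in for encrypted data (constructed sample).
        "ssh": (22, b"SSH-2.0-PuTTY_Release\r\n" + bytes(range(256)),
                b"SSH-2.0-Sample\r\n" + bytes(range(256))),
    }
    return {name: classify_flow(*flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for severity, message in findings:
            print("%-6s %-6s %s" % (name, severity, message))
```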


    5 References

    1. DARPA Protocol Specification RFC 793: http://tools.ietf.org/html/rfc793

    2. DARPA Protocol Specification RFC 791: http://tools.ietf.org/html/rfc791#section-2.1

    3. Defense Acquisition Guidebook: https://acc.dau.mil/CommunityBrowser.aspx?id=334069

    4. Wireshark: http://wireshark.org

    5. Webster's Online Dictionary: http://www.websters-online-dictionary.org/definitions/CLEARTEXT?cx=partner-pub-0939450753529744%3Av0qd01-tdlq&cof=FORID%3A9&ie=UTF-8&q=CLEARTEXT&sa=Search#922