Forensic Assignment. Two labs due sunday 11:59.

Forensic Assignment. Two labs due sunday 11:59.
ITN 262 Lab 2 This lab focuses on the practical application of techniques discusses in the ITN 262 lecture. The purpose of this lab is to gain experience with tools used for Network Reconnaissance, and information gathering, using popular scanner like Nmap. Nmap is so powerful that it can find out what ports the machine is listening on. Once these targets are identified, an intruder can easily be able to scan for listening ports. Download and Install Nmap form (nmap.org). Run the installer once it is finished downloading. You will be asked which components you would like to install. Please do not uncheck the Zenmap unless you are too comfortable using command line interface. ( ) Run the “Nmap – Zenmap” GUI program. Zenmap GUI makes scanning a fairly simple process. You should be able to see an icon for it on your desktop. If not, look in your Start menu. Opening Zenmap will start the program. If you are comfortable using the command line interface, you do not need Zenmap). The direction is based on CLI as such I would recommend you to use CLI If you have a Kali VM nmap is prebuilt. You do not need to install it. Just start it from terminal. Let’s do some Network discovery (the process of identifying live hosts on the network). This means that its purpose is not to find all possible information about the targets (like open ports or vulnerabilities), but just to understand their logical location inside the network. Start a basic scan. Scan a single host. What did you find? Please list their IP addresses. ( ) Then scan the more in network. (hint: http://nmap.org/book/man-target-specification.html) . you can also scan ranges of IPs or lists. See some examples below: ( 5) # nmap 192.168.30.0/24 (based on where you are please change the Ip range if required) #nmap 192.168.30.1 – 100 based on where you are please change the Ip range if required # nmap 192.168.30.13 (change to an IP of an active machine from the scan above) # nmap -iL (put a list of active hosts from above scan ) Use the flowing 5 switches ( Ex # nmap -sL 192.168.1.0/24 or # nmap -sn 192.168.1.0/24) and explain your output : (10) -sL: List Scan – simply list targets to scan -sn: Ping Scan – disable port scan – You now have a list of hosts that are up (powered on) and responding to echo requests (pings) on the network. –sS The -sS option performs a port scan of 1000 commonly used ports of each target host and reports a list of open ports. -O[upper case O] OS detection will not always possible for various reasons, but sometimes very helpful -sV nmap reports specifics about the programs providing the services on each host. Nmap is useful for reconnaissance too. During discovery one can learn about services, port numbers, firewall presence, protocol, operating system, etc. What information did you gather from your reconnaissance? ( ) Which host appears most secure? Why? Write the IP address. Which host appears least secure? Why? Write the IP address ( ) How can you do a SYN scan using Nmap. (http://nmap.org/book/man-port-scanning-techniques.html ) Provide appropriate screen captures () For local network discovery you can use a tool – Netdiscover. It is pretty fast and offers the possibility to perform both active and passive ARP reconnaissance. Download and scan with it. See if you see the same results. ( ) For scanning you can use amap too. Download amap or find it in your Kali. And repeat task 3. ( ) ITN 262 NVCC, Manassas
Forensic Assignment. Two labs due sunday 11:59.
ITN 262 LAB # 3 Traffic analysis using packet sniffers Part 1: Traffic analysis with Wireshark You have already downloaded and installed Wireshark in your LAB 1 and learnt how to read Wireshark output. In this lab we will capture raw traffic from the network interface card. Run the Wireshark, and under the ‘Capture’ Menu, go to Options. Under “Display Options”, make sure that “Update list of packets in real time” and “Automatic scrolling in live capture” are both checked. Under the “Capture” menu, choose “Interfaces”. (Remember to use the correct interface) Open up a browser and go to http://urbexforums.com ( if this site does not work please go to http://latestdot.com/ ) Register with the site, create your own login (yourName_itn262 For ex: mine is sdas_itn262) and password (password). Please do not use a preferred password Click on start in Wireshark to start capturing traffic. Sign in at the right side of the page with a username (yourName_itn262 ) and password – (password ) After the page loads up, stop the capture by clicking on “stop” under the ‘Capture’ menu. Provide a screen shot of your Wireshark capture so that see you have visited to http://urbexforums.com/ you can use filter to find http packets. Part 1 a. :(5) 1. Take a look at the Captured traffic in Wireshark. . Now you want to search for the username and password that were entered when you logged in. You will be looking at the bottom section where it displays the raw data. To make this easier, click on one of the green-colored captured packets. Then click on the ‘Analyze’ menu, and choose ‘Follow TCP Stream’. Perform a find for the username and password. What did you find? Provide a screen shot for the data where it shows the username and password. Part 1 b: (5) 2. Now you need to perform another packet capture. Go to mynova under nvcc.edu. Then start your capture. Click on start in Wireshark to start capturing traffic. Sign in to your vccs email at the right side of the page with your username. After the page loads up, stop the capture by clicking on “stop” under the ‘Capture’ menu. Provide a screen shot of your Wireshark capture so that see you have visited vccs email. Go back and perform another ‘Follow TCP stream’ from under the ‘Analyze’ menu. Can you find your username or password? Why or why not. Explain your answer briefly and provide appropriate screen shot. LAb 3 :Part 2: Traffic analysis with tcpdump You have already used Wireshark for traffic Analysis, let’s use another powerful network packet TCP/IP sniffer, tcpdump, and its basic usage Please follow the instructions below and complete each task. Use screen shots to demonstrate that you have done every task. In addition to the screen captures, if require please provide brief explanation to explain your result. We already discussed in class how packets are captured in promiscuous mode. The network card of a computer drops packets if the packets are not addressed to the system. However in the promiscuous mode, the network card forwards all packets reaching the card to the operating system so that tcpdump can capture them, regardless of their (MAC) addresses. Using tcpdump in the promiscuous mode can exam all traffic through the interface, extract sensitive information and thereby sniffer the network. Root privilege is required to use tcpdump for sniffing. I’ve also posted a reading , if you want to know how tcpdump works you can read here http://danielmiessler.com/study/tcpdump/ . Also I’d encourage to read the tutorial from https://packetlife.net/media/library/12/tcpdump.pdf You kali VM already has tcpdump installed. If it is not installed Tcpdump can be downloaded from http://www.tcpdump.org/#latest-release for the latest version, which now is tcpdump-4.99.1. However, unless you are using Campus machines I would recommend use a prebuild Kali. Before starting, use the show your IP address and the name of your network interface and record them. Kali VM IP : _____________ interface ______________________ Host IP : ________________ Interface : _____________________ 1. Open a terminal window and type the following command to start capturing TCP/IP packets from the active interface. Do not close this terminal window. Provide a screen capture . Type tcpdump ­ how many packet did you get ? you can Use Crtl+Ct to stop tcpdump any time Now type tcpdump ­ -nn What did you get ? what is the difference ? (Type “man tcpdump” in the command ­line to see all options is available for tcpdump. Use the Space Bar to move to the next page. You can also use the Page Up and Page Down keys to navigate the manual pages. When you are done, press Q to go back to the terminal. 2. Open a terminal window and type the following command to start capturing TCP/IP packets from the active interface. Do not close this terminal window and type tcpdump – ­nn Open another terminal window and ping the target computer 10 times by typing ping your host machine ping __ ___ ___ ____ Go to the terminal window where tcpdump is running. You should see ICMP echo packets between your computer and the host machine. Show the traffic . (5) 3. Open the same site that you have used before http://urbexforums.com/ to make some network traffic, meanwhile check out the output of tcpdump: your result looks like [arrivial time][source IP].[port]>[destination IP].[port]. What is the arrival time, source address? What is the destination address? Which port ? (5) Type tcpdump –e tcpdump -e -i eth0 ( my interface is eth 0 , please put yours) Compare between the results. It is also possible to capture packets based on the source or destination ports. For example, type tcpdump port 80 – ­nn (5) 4. tcpdump allows you to capture packets and show inter-arrival time instead of arrival time in result. use tcpdump to get inter-arrival time while capturing packets information. Type tcpdump –ttt What is the inter arrival time between packet form your computer and my3gb.com 5. Now use tcpdump and Log on to my http://urbexforums.com and analyze the captures traffic the same way you did with Wireshark before. Can you find your userID and password now?