Wireshark

25 Mar

Assignment

For each of these tasks, take screenshots of the pertinent information and briefly describe the significance of the content in each screenshot. Combine everything into one PDF document and upload it to Blackboard.

  • Task 1 – Analyze FTP pcap file
    • In Security Onion VM capture packets from your virtual machine (as reviewed in class)
    • Open up terminal
      • Type in ftp ftp.ed.ac.uk
      • At the username prompt type in anonymous and hit enter
      • At the password prompt type in anonymous and hit enter
      • Type ls
      • Type exit
    • Stop the Wireshark capture
    • Look through the Wireshark capture and see if you can spot the packets for the FTP user
    • Save the PCAP file to the desktop of the Security Onion VM
    • Open NetworkMiner and analyze the pcap file; take screenshots of the source/destination computers and of the commands that were executed after the successful connection to the FTP server.


  • Task 2 – Finding interesting strings in a pcap file

The purpose of this lab is to find files contained within a pcap file. There are different techniques to achieve this objective. The following steps will let you see what kind of strings a pcap file contains; you then use that information to extract the file.

Note: commands are in bold, italics and underlined.

  1. In Security Onion open Terminal and change directory to your desktop by typing cd ~/Desktop
  2. Run the strings command with a minimum string length of 10 on /opt/samples/markofu/outbound.pcap. Save the output to ~/Desktop/outbound-strings.txt
    1. In Terminal window type in strings -n 10 /opt/samples/markofu/outbound.pcap > ~/Desktop/outbound-strings.txt


  3. View the output with the less command
    1. less ~/Desktop/outbound-strings.txt

Space bar or down arrow moves down

Up arrow moves up

The / key will search for content, for example:

/GET <enter>

This will search for the string “GET” (case sensitive) below the cursor

Press “q” to quit when you are finished


Note the filename in the GET request at the top of the output

Some strings to look for: GET, FTP, PASS, !This program cannot be run in DOS mode


  • Task 3 – Extract files using Wireshark
    • In the Security Onion VM, locate the PCAP files by issuing the locate .pcap command in the terminal
    • Some sample files are located in /opt/samples/
    • Open /opt/samples/markofu/outbound.pcap in Wireshark
      • Right click on Packet #4 and click on Follow TCP Stream (take screenshot of the stream).
      • What is the name of the file from the GET command?
      • Close the TCP Stream window
      • Clear your filter (it should display all the packets)
      • Export the file
        • File -> Export Objects -> HTTP, then click “Save all”
        • Save it to your desktop and take a screenshot highlighting the file

NOTE: Do not execute this file unless you have a sandbox environment
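To show what Task 2 and Task 3 are doing under the hood, here is an added Python example (not part of the assignment or of Wireshark) that reassembles the TCP streams in a pcap, pairs each HTTP GET with its response the way Export Objects -> HTTP does, and checks the saved body for the MZ header and the "!This program cannot be run in DOS mode" string from the strings step. The capture it parses is constructed inline (SAMPLE_PCAP, with the hypothetical name sample.exe) as a stand-in for outbound.pcap; the parser assumes a little-endian pcap over Ethernet/IPv4 and does not handle retransmissions or Ethernet padding.

```python
import re
import struct
from collections import defaultdict

def _frame(src, dst, sport, dport, seq, payload):
    """Wrap a TCP payload in Ethernet/IPv4/TCP headers plus a pcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0, src, dst)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed stand-in for outbound.pcap (not a real sample): one GET and its reply,
# whose body carries the MZ header and the DOS-stub string that the strings step looks for.
REQ = b"GET /sample.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"!This program cannot be run in DOS mode.\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + BODY
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame(b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x07", 49152, 80, 1, REQ)
               + _frame(b"\xc0\x00\x02\x07", b"\x0a\x00\x00\x05", 80, 49152, 1, RESP))

def tcp_streams(pcap):
    """Group TCP payloads by (src, sport, dst, dport), ordered by sequence number
    (what Follow TCP Stream shows for one direction of a connection)."""
    streams = defaultdict(list)
    off = 24  # skip the global pcap header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 carrying TCP only
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        key = (frame[26:30], sport, frame[30:34], dport)
        streams[key].append((seq, tcp[(tcp[12] >> 4) * 4:]))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in streams.items()}

def export_http_objects(pcap):
    """Mimic Export Objects -> HTTP: map the filename in each GET to its response body."""
    streams = tcp_streams(pcap)
    objects = {}
    for (src, sport, dst, dport), data in streams.items():
        m = re.match(rb"GET /([^ ?]*) HTTP/1\.[01]\r\n", data)
        if not m:
            continue
        head, _, body = streams.get((dst, dport, src, sport), b"").partition(b"\r\n\r\n")
        if head.startswith(b"HTTP/1."):
            objects[m.group(1).decode() or "index.html"] = body
    return objects

def looks_like_pe(body):
    """MZ header plus the DOS-stub string from the strings step marks a Windows executable."""
    return body.startswith(b"MZ") and b"This program cannot be run in DOS mode" in body
```

Running export_http_objects(SAMPLE_PCAP) returns {"sample.exe": BODY}, and looks_like_pe on that body is True; with a real capture, write each body to disk with open(name, "wb") instead of executing it.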


Posted by on March 25, 2017 in academic writing, Academic Writing
