For each of these tasks, take screenshots of the pertinent information and briefly describe the significance of the content in each screenshot. Combine everything into one PDF document and upload it to Blackboard.
- Task 1 – Analyze FTP pcap file
- In the Security Onion VM, start a Wireshark capture of the packets from your virtual machine (as reviewed in class)
- Open up terminal
- Type in ftp ftp.ed.ac.uk
- At the username prompt type in anonymous and hit enter
- At the password prompt type in anonymous and hit enter
- Type ls
- Type exit
- Stop the Wireshark capture
- Look through the Wireshark capture and see if you can spot the packets carrying the FTP username and password
- Save the PCAP file to the desktop of the security onion vm
- Open NetworkMiner and analyze the pcap file; take screenshots of the source/destination computers and of the commands that were executed after the successful connection to the FTP server.
- Task 2 – Finding interesting strings in a pcap file
The purpose of this lab is to find files contained within a pcap file. There are different techniques to achieve this objective. The following steps will show you what type of strings are contained in a pcap file; you then use that information to extract the file.
Note: commands are in bold, italics and underlined.
- In Security Onion, open Terminal and change directory to your desktop by typing cd ~/Desktop
- Run the strings command with a minimum string length of 10 on /opt/samples/markofu/outbound.pcap. Save the output to ~/Desktop/outbound-strings.txt
- In Terminal window type in strings -n 10 /opt/samples/markofu/outbound.pcap > ~/Desktop/outbound-strings.txt
- View the output with the less command:
- less ~/Desktop/outbound-strings.txt
Space bar or down arrow moves down
Up arrow moves up
The / key searches forward for content; for example, typing /GET will search for the string “GET” (case sensitive) below the cursor
Press “q” to quit when you are finished
Note the filename in the GET at the top
Some strings to look for: GET, FTP, PASS, !This program cannot be run in DOS mode
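The strings and less steps above can be reproduced offline in a few lines of Python. The block below is an added example, not part of the lab handout: it implements the same "runs of at least 10 printable bytes" rule that strings -n 10 uses, searches the result for the indicator strings listed above (the same case-sensitive match you get with / in less), and pulls the filename out of any HTTP GET request line. The sample bytes are constructed for the example and are not taken from outbound.pcap; scan_file is the function to point at the real file.

```python
"""Pure-Python stand-in for `strings -n 10 file.pcap` followed by the
indicator search done with `/` in less (added example, not lab code)."""
import re

# Constructed sample: printable runs separated by binary junk. It contains
# a pcap magic number, an HTTP GET, the DOS stub header that begins every
# Windows PE executable, and an anonymous FTP login. Not real capture data.
SAMPLE_PCAP_BYTES = (
    b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"            # pcap magic + version
    b"\x00\x01\x02\x03"
    b"GET /files/update.exe HTTP/1.1\r\nHost: example.test\r\n"
    b"\xff\xfe\x00\x00\x90\x90"
    b"MZ\x90\x00\x03\x00\x00\x00"                  # PE "MZ" header, too short
    b"!This program cannot be run in DOS mode.\r\n"
    b"\x00\x00\x00"
    b"USER anonymous\r\n"
    b"\x00\x00"
    b"PASS anonymous\r\n"
    b"short\x00"                                   # below the 10-byte minimum
)

# Indicators from the lab; the last one marks an embedded Windows executable.
INDICATORS = ("GET", "FTP", "PASS", "!This program cannot be run in DOS mode")


def extract_strings(data: bytes, min_len: int = 10) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e),
    which is the rule `strings -n <min_len>` applies to a plain binary file.
    CR/LF are not printable, so an HTTP request splits into one string per line."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_indicators(strings: list[str], indicators=INDICATORS) -> dict[str, list[str]]:
    """Case-sensitive substring search, the same match `/GET` performs in less."""
    hits = {ind: [] for ind in indicators}
    for s in strings:
        for ind in indicators:
            if ind in s:
                hits[ind].append(s)
    return hits


def get_filenames(strings: list[str]) -> list[str]:
    """Pull the requested filename out of each HTTP GET request line."""
    names = []
    for s in strings:
        m = re.match(r"GET\s+(\S+)\s+HTTP/", s)
        if m:
            names.append(m.group(1).rsplit("/", 1)[-1])
    return names


def scan_file(path: str, min_len: int = 10) -> dict[str, list[str]]:
    """Run the whole pass over a real file, e.g. /opt/samples/markofu/outbound.pcap."""
    with open(path, "rb") as fh:
        return find_indicators(extract_strings(fh.read(), min_len))


if __name__ == "__main__":
    found = extract_strings(SAMPLE_PCAP_BYTES)
    for indicator, lines in find_indicators(found).items():
        print(f"{indicator!r}: {lines}")
    print("GET filenames:", get_filenames(found))
```

Note that the real strings tool also accepts tabs and can scan other encodings with -e; the example keeps the simpler rule so that its output is easy to reason about.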
- Task 3 – Extract files using Wireshark
- In the Security Onion VM, locate the PCAP files by running locate .pcap in the terminal
- Some sample files are located in /opt/samples/
- Open /opt/samples/markofu/outbound.pcap in Wireshark
- Right click on Packet #4 and click on Follow TCP Stream (take screenshot of the stream).
- What is the name of the file from the GET command?
- Close the TCP Stream window
- Clear your filter (it should display all the packets)
- Export the file
- File -> Export Objects -> HTTP, then click “Save all”
- Save it to your desktop and take screenshot highlighting the file
NOTE: Do not execute this file unless you have a sandbox environment
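Tasks 1 and 3 both come down to reading TCP payloads out of a pcap: the FTP USER/PASS/LIST commands (and the endpoints that exchanged them) that NetworkMiner shows for Task 1, and the GET filename plus the response body that Wireshark's Follow TCP Stream and Export Objects show for Task 3. The block below is an added example, not part of the handout or of either tool: it builds a small constructed pcap in memory (client 10.0.0.5, server 192.0.2.10, both placeholder addresses), then parses the classic pcap format, Ethernet, IPv4 and TCP headers by hand to recover the FTP commands and carve the HTTP object. It assumes one request or response per packet, which is true for the small constructed capture but not for a real transfer, where you would reassemble the TCP stream first.

```python
"""Minimal pcap walker that recovers FTP control commands and HTTP objects
(added example; constructed capture, not the lab's pcap files)."""
import socket
import struct


def _frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Ethernet + IPv4 + TCP + payload with zeroed checksums (enough to parse)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: anonymous FTP login, a LIST, then an HTTP download."""
    c, s = "10.0.0.5", "192.0.2.10"          # placeholder client / server
    frames = [
        _frame(c, s, 40001, 21, b"USER anonymous\r\n"),
        _frame(s, c, 21, 40001, b"331 Please specify the password.\r\n"),
        _frame(c, s, 40001, 21, b"PASS anonymous\r\n"),
        _frame(c, s, 40001, 21, b"LIST\r\n"),
        _frame(c, s, 40001, 21, b"QUIT\r\n"),
        _frame(c, s, 40002, 80, b"GET /files/update.exe HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
        _frame(s, c, 80, 40002, b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nMZ\x90\x00\x03\x00"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for every TCP segment carrying data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                   sport, dport, payload)


def ftp_commands(pcap):
    """Client commands on the FTP control channel (port 21), with endpoints.
    USER and PASS travel in clear text, which is why they stand out in a capture."""
    found = []
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap):
        if dport != 21:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            if line:
                cmd, _, arg = line.partition(" ")
                found.append({"src": src, "dst": dst, "command": cmd, "arg": arg})
    return found


def export_http_objects(pcap):
    """Pair each GET with the next response from port 80 and return
    (filename, body) tuples, the way Export Objects -> HTTP names its files."""
    pending, objects = [], []
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap):
        if dport == 80 and payload.startswith(b"GET "):
            uri = payload.split(b" ", 2)[1].decode("ascii", "replace")
            pending.append(uri.rsplit("/", 1)[-1] or "index.html")
        elif sport == 80 and payload.startswith(b"HTTP/") and pending:
            _head, sep, body = payload.partition(b"\r\n\r\n")
            if sep:
                objects.append((pending.pop(0), body))
    return objects


if __name__ == "__main__":
    pcap = build_sample_pcap()
    for c in ftp_commands(pcap):
        print(f"{c['src']} -> {c['dst']}: {c['command']} {c['arg']}")
    for name, body in export_http_objects(pcap):
        print(f"carved {name}: {len(body)} bytes, starts {body[:2]!r}")
```

The carved body starts with MZ, the same signature that the "!This program cannot be run in DOS mode" string in Task 2 points at; write it to disk only for inspection, never run it outside a sandbox, exactly as the note above says.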