Write a three-page summary and what you found. Please look at the screenshots to get answers.



Project 2: Nations Behaving Badly
Step 14: Conduct Wireshark Packet Capture Analysis

It is time to help the CISO with the network intrusion. Your role here is to assume responsibility for analyzing a network packet capture file that was created during the network attack. You will conduct packet sniffing with Wireshark to gather information about the attacker, determine the resources that may have been compromised during the attack, and how the attacker compromised the resources.

The CISO and response team believe there were attempts to scan the network for vulnerabilities and that an attacker may have discovered and exploited a vulnerability on one of the network servers. The attack may involve a brute-force password attack followed by a data breach where the attacker was able to download and read one or more files from a compromised server. Your objectives are to identify the attacker, identify the compromised server and service, identify the vulnerability that was exploited, and determine what data was breached or stolen.

Use your analysis and findings to help answer the following questions for the HTTP traffic directed at the internal web server:
1. Was the web server under some sort of an attack, and if so, what type(s)?
2. Was the attack(s) successful in any way (if any)?
3. What next steps can be recommended for further investigation?
4. What is the name of the resource that is being requested in the GET request?
5. What is the server's HTTP response code, and what is the IP of the requesting computer?
6. What is the user-agent string for this request?
7. What HTTP response code is returned for each abnormal request, and what URL is attempted to be used as part of one of the web attacks?

Wireshark Packet Capture Analysis

Starting the Lab

In order to get started, you must first access the Virtual Labs environment using the instructions provided in the UMGC Virtual Lab document (Navigating UMGC Virtual Labs and Lab Setup) in the classroom. The link to this document is found in the "Complete This Lab" box of the project step where the link to these instructions is located and labeled. Launch the Lab Broker application as instructed in the above document to connect to the lab VMs.

Note:
· After Lab Broker is launched, you will see a list of modules reflecting your course names. If you are accessing the lab for the first time, after expanding the list of nodes available for your course (CYB670), you will notice that the Connect and Start buttons are grayed out and only the Allocate Lab button is clickable.
· If necessary, refer to the lab setup document described above for additional details.

In the next few steps, you will conduct packet capture analysis in Wireshark. First, you need to download the .pcap files.

Downloading the cyb670PCAP File
1. Once you log in to the VM, you need to download the cyb670PCAP file from the Resources page/bookmark in the Lab Resources folder on the desktop of the VM. Double-click the Resources bookmark to open the CYB 670 Resources folder.
2. Next, you will proceed to download the cyb670PCAP.zip file in the PROJECT 2 folder. Click the cyb670PCAP.zip file to download it to the Downloads folder (the default way).
3. Click cyb670PCAP.zip to download the folder.
4. Once you download the cyb670PCAP.zip file to the Downloads folder, right-click on the downloaded folder and select Show in folder to open the Downloads folder.
5. This brings you to the Downloads folder containing the cyb670PCAP.zip file.
6. Right-click on the .zip file and select Extract All to extract it to the same folder.
7. Finally, in the following window, Select a Destination and Extract Files, click Extract to extract the .pcap file to the Downloads folder.
8. You can now access the cyb670PCAP.pcap file. You will load this file into Wireshark for analysis.

Starting Wireshark and Analyzing Network Packets

It is time to start Wireshark. Wireshark is configured to allow you to analyze individual .pcap files in this lab, and you will analyze the just-downloaded cyb670PCAP.pcap file. Note that Wireshark files have the .pcap extension.
1. Start Wireshark on the WINATK01 VM from the Applications folder under the Lab Resources folder located on the desktop of the VM as shown below (Desktop > Lab Resources > Applications).
2. Double-click on the Wireshark icon to launch the application and open the main Wireshark user interface.
3. Next, click the Open option under the File menu on the left side of the window.
4. Navigate to the cyb670PCAP folder to select the cyb670PCAP.pcap file. Click Open to load the file into Wireshark.
5. Notice that Wireshark displays the packets of a packet capture (.pcap) file listed in rows in three panes (packet list, packet details, and packet bytes/status panes). Refer to the Wireshark user overview above to understand the details of each pane.

Filtering, Inspecting, and Analyzing Network Packets

You will analyze network traffic by filtering and inspecting individual packets now that Wireshark has loaded the packet captures and displayed them in human-readable format. The tool includes filters, color coding, and other features that allow you to easily dig deeper into the network traffic and inspect individual packets.

Note: Scroll through the capture file by using the scroll bar in the packet list pane that has the colored rows of network traffic. That's a lot of information; however, you can filter the results if needed.

Exploring TCP Protocol
1. It is time to analyze network traffic by filtering and inspecting individual packets. To filter, click on the Statistics tab and then Protocol Hierarchy from the resulting drop-down menu to open the Wireshark Protocol Hierarchy window.
2. You will now filter and inspect network traffic based on any of the UDP, TCP, or HTTP protocols. To filter the TCP protocol, for example, right-click on Transmission Control Protocol, select Apply as Filter, and then click Selected. Finally, click Close to return to the Wireshark main interface.
3. You can now see the filtered results in the packet list (top) pane. In the Protocol column, notice that TCP as well as other protocols are encapsulated within the TCP segments.
4. Note the triangle to the left of Transmission Control Protocol (TCP) in the packet details (middle) pane. Clicking it will show the content of the TCP segment header. Notice that the corresponding raw data (in hexadecimal alongside an ASCII representation) is highlighted in the packet bytes/status (bottom) pane.
5. Using Wireshark's Statistics menu, select Conversations to show a summary of the IP addresses found within the capture and the number of packets and bytes being sent to and from different source and destination endpoints/IPs in the conversation.

Exploring UDP Protocol
There appears to be a large amount of UDP traffic, so you need to apply a Wireshark display filter to limit your results to only UDP traffic, as was done for the TCP segment. Scroll down to any row to review any captured UDP packet for additional details.
6. Select the row as shown below and examine both the packet details and packet bytes panes. You will use the information to answer the questions that follow. Refer to the section that details the Wireshark user interface if necessary.

Exploring HTTP Protocol
In further review of the packet capture, you note a significant amount of HTTP traffic directed at the internal web server. As you did previously for TCP/UDP, you can apply a Wireshark display filter to limit your view to the HTTP traffic only. For example, while a user-agent can be set up correctly, it can be spoofed or compromised, thereby making it possible for an attacker to retrieve web content intended for legitimate users or hosts. Similarly, cookies, a key part of the HTTP protocol, enable a web server to send data to the client, which then stores it and resubmits it to the server periodically when needed. Cookies can also be used to transmit sensitive data in web applications.
7. Now, search HTTP in the filter box or scroll down in the packet list pane until you encounter an HTTP GET request. As before, click on the HTTP information in the packet details (middle) pane and view the contents of the HTTP header in detail. Review the encapsulated HTTP packets within the TCP payload (you may refer to the Wireshark Protocol Hierarchy window).

Use your analysis and findings to help answer the following questions for the HTTP traffic directed at the internal web server:
· Was the web server under some sort of an attack, and if so, what type(s)?
· Was the attack(s) successful in any way (if any)?
· What next steps can be recommended for further investigation?
· What is the name of the resource that is being requested in the GET request?
· What is the server's HTTP response code, and what is the IP of the requesting computer?
· What is the user-agent string for this request?
· What HTTP response code is returned for each abnormal request, and what URL is attempted to be used as part of one of the web attacks?

What did you find particularly useful about this lab (be specific)? What value does this bring to your professional career?
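The HTTP questions above (requested resource, response code, requesting IP, user-agent, and whether the traffic looks like a brute-force or scanning attempt) can be answered mechanically once the matched requests are exported from Wireshark. The script below is an added example, not part of the assignment or of the cyb670PCAP capture: it works on per-transaction records of the kind Wireshark shows for each HTTP request/response pair, and the sample records, the client IPs, the paths and the thresholds are all constructed for the example.

```python
"""HTTP triage over request/response summaries (added example).

Each record holds what Wireshark shows for one HTTP transaction: time,
requesting IP, method, requested resource, server status code and the
User-Agent header. The records below are constructed for this example,
not taken from the lab capture.
"""
from collections import Counter, defaultdict

# Thresholds are assumptions chosen for the example, not values from the lab.
BRUTE_FORCE_MIN_FAILURES = 5    # 401/403 answers on one resource from one client
SCAN_MIN_DISTINCT_URIS = 4      # distinct paths tried by one client
SCAN_MIN_NOT_FOUND_RATIO = 0.5  # share of those paths answered 404


def _http(t, src, method, uri, status, ua):
    return {"t": t, "src": src, "method": method, "uri": uri, "status": status, "user_agent": ua}


SAMPLE_TRANSACTIONS = (
    # Ordinary browsing from 10.0.0.30 (constructed).
    [_http(1.0, "10.0.0.30", "GET", "/index.html", 200, "Mozilla/5.0 (Windows NT 10.0)"),
     _http(1.2, "10.0.0.30", "GET", "/images/logo.png", 200, "Mozilla/5.0 (Windows NT 10.0)"),
     _http(1.5, "10.0.0.30", "GET", "/about.html", 200, "Mozilla/5.0 (Windows NT 10.0)")]
    # 10.0.0.50: six rejected logins, then one accepted, then guesses at unknown paths.
    + [_http(10.0 + i, "10.0.0.50", "POST", "/login", 401, "python-requests/2.25") for i in range(6)]
    + [_http(16.0, "10.0.0.50", "POST", "/login", 200, "python-requests/2.25")]
    + [_http(17.0 + i, "10.0.0.50", "GET", f"/{name}/", 404, "python-requests/2.25")
       for i, name in enumerate(["old", "test", "private", "backup", "tmp"])]
)


def abnormal_requests(transactions):
    """Every request the server did not answer 2xx/3xx, with the fields the
    lab asks for: requester IP, method, resource, status code, user-agent."""
    return [(tx["src"], tx["method"], tx["uri"], tx["status"], tx["user_agent"])
            for tx in transactions if not 200 <= tx["status"] < 400]


def brute_force_candidates(transactions):
    """Clients that repeatedly received 401/403 for the same resource, and
    whether a later request to that resource succeeded (i.e. whether the
    password guessing worked)."""
    failures = defaultdict(list)   # (src, uri) -> times of 401/403 answers
    successes = defaultdict(list)  # (src, uri) -> times of 2xx answers
    for tx in transactions:
        key = (tx["src"], tx["uri"])
        if tx["status"] in (401, 403):
            failures[key].append(tx["t"])
        elif 200 <= tx["status"] < 300:
            successes[key].append(tx["t"])
    report = {}
    for (src, uri), times in failures.items():
        if len(times) >= BRUTE_FORCE_MIN_FAILURES:
            later_ok = any(s > max(times) for s in successes[(src, uri)])
            report[src] = {"resource": uri, "failures": len(times), "succeeded_after": later_ok}
    return report


def scan_candidates(transactions):
    """Clients that tried many distinct paths and mostly got 404 back."""
    by_src = defaultdict(list)
    for tx in transactions:
        by_src[tx["src"]].append(tx)
    report = {}
    for src, txs in by_src.items():
        uris = {tx["uri"] for tx in txs}
        missing = {tx["uri"] for tx in txs if tx["status"] == 404}
        if len(uris) >= SCAN_MIN_DISTINCT_URIS and len(missing) / len(uris) >= SCAN_MIN_NOT_FOUND_RATIO:
            report[src] = {"distinct_uris": len(uris), "not_found": len(missing)}
    return report


def user_agents(transactions):
    """Distinct User-Agent strings per requesting IP, with request counts."""
    ua = defaultdict(Counter)
    for tx in transactions:
        ua[tx["src"]][tx["user_agent"]] += 1
    return {src: dict(c) for src, c in ua.items()}


def triage(transactions):
    return {
        "abnormal": abnormal_requests(transactions),
        "brute_force": brute_force_candidates(transactions),
        "scanning": scan_candidates(transactions),
        "user_agents": user_agents(transactions),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_TRANSACTIONS).items():
        print(f"{section}: {value}")
```

The `succeeded_after` flag is what separates "the server was attacked" from "the attack was successful": a run of 401s followed by a 200 on the same resource from the same client is the pattern to look for. The user-agent table is for correlation only; as the assignment notes, the string is client-supplied and can be spoofed, so it identifies a tool at best, never a person.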
Answered 2 days after May 11, 2022

Answer To: Write a three-page summary and what you found. Please look at the screenshots to get answers.

Naveen Kumar answered on May 13 2022
93 Votes
Wireshark Packet Capture Analysis
Introduction
Cyberattacks are nothing but compromising the sensitive data of an individual or a group of organizations, searching for weak spots in the network and creating an entry to deploy malicious or crafted packets in a network.
Every organization's network and communication will play the main role in its business, as it connects all kinds of users, allowing employees and guest users to work more efficiently across the organization and be more productive.
Objective
Equipment Used:
Wireshark
Raw TCP traffic:
Checksum verification:
Checksum valid traffic:
Checksum unverified traffic:
1. Was the web server under some sort of an attack, and if so, what type(s)?
Answer:
No.
HOST DISCOVERY ATTACK:
Identifying adversaries trying to find alive systems on our network.
Useful for: detecting various network discovery scans and ping sweeps.
ARP scanning
Command:
arp.dst.hw_mac==00:00:00:00:00:00
Total ARP packets: 28. Requests have been generated from multiple internal and external sources; there is no unique (attacker) IP trying to find IP details with the help of an ARP sweep command.
Result: Negative
IP Protocol scan:
Command:
icmp.type==3 and icmp.code==2
IP protocol scanning is a technique allowing an attacker to discover which network protocols are supported by the target operating system.
Result: Negative
ICMP ping sweeps:
Command:
icmp.type==8 or icmp.type==0
This filter is useful for filtering ICMP echo requests (8) or ICMP echo replies (0).
In case of multiple requests or packets in a short period of time targeting multiple IP addresses and different subnets, we are probably witnessing an ICMP ping sweep attack: the attacker was trying to identify all alive IP addresses on our network.
Result: Negative
TCP ping sweeps
Command:
tcp.dstport==7
TCP ping sweeps use port 7 (echo). A higher volume of such traffic pointed at many different IP addresses means somebody is running a TCP ping sweep to find alive hosts on the network.
Result: Negative
UDP ping sweeps
Command:
udp.dstport==7
UDP ping sweeps utilize port 7. High volume...
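The five display filters in the answer above (ARP sweep, IP protocol scan, ICMP, TCP and UDP ping sweeps) are each paired with the same prose heuristic: many distinct targets touched by one source in a short time. The script below is an added example, not part of the answer or of the lab: it re-implements those filters as plain Python predicates over per-packet summaries of the kind Wireshark or tshark can export, and adds the sliding-window "distinct targets per source" check so the result is a Negative/Positive verdict per category rather than a list to eyeball. The packet records, the IP addresses and the thresholds are all constructed for the example.

```python
"""Host-discovery triage over packet summaries (added example).

Each record is one packet as Wireshark would summarise it: timestamp,
protocol, source and destination IP, and the protocol fields the filters
in the answer test. The sample packets are constructed for this example,
not taken from cyb670PCAP.
"""
from collections import defaultdict

# Sweep heuristic: a source touching at least MIN_TARGETS distinct
# destinations within WINDOW_SECONDS is reported. Both are assumptions
# chosen for the example, not thresholds from the lab.
MIN_TARGETS = 5
WINDOW_SECONDS = 2.0


# --- Wireshark-filter equivalents, one per filter in the answer ---

def is_arp_probe(p):
    # arp.dst.hw_mac==00:00:00:00:00:00  (ARP request, target MAC still unknown)
    return p["proto"] == "ARP" and p.get("arp_dst_hw") == "00:00:00:00:00:00"


def is_proto_unreachable(p):
    # icmp.type==3 and icmp.code==2  (host answering "protocol unreachable")
    return p["proto"] == "ICMP" and p.get("icmp_type") == 3 and p.get("icmp_code") == 2


def is_icmp_echo(p):
    # icmp.type==8 or icmp.type==0  (echo request or echo reply)
    return p["proto"] == "ICMP" and p.get("icmp_type") in (8, 0)


def is_tcp_echo_port(p):
    # tcp.dstport==7
    return p["proto"] == "TCP" and p.get("dstport") == 7


def is_udp_echo_port(p):
    # udp.dstport==7
    return p["proto"] == "UDP" and p.get("dstport") == 7


def sweep_sources(packets, predicate):
    """{src: distinct targets} for sources whose matching packets reach
    MIN_TARGETS distinct destinations inside one WINDOW_SECONDS window."""
    by_src = defaultdict(list)
    for p in packets:
        if predicate(p):
            by_src[p["src"]].append((p["t"], p["dst"]))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        lo, best = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > WINDOW_SECONDS:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= MIN_TARGETS:
            findings[src] = best
    return findings


def protocol_scan_pairs(packets, min_replies=MIN_TARGETS):
    """Protocol-unreachable messages are sent by the scanned host, so many of
    them from one host to one peer in a short window mean that peer is probing
    which IP protocols the host supports. Returns {(scanned, scanner): count}."""
    pairs = defaultdict(list)
    for p in packets:
        if is_proto_unreachable(p):
            pairs[(p["src"], p["dst"])].append(p["t"])
    findings = {}
    for pair, times in pairs.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > WINDOW_SECONDS:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_replies:
            findings[pair] = best
    return findings


def triage(packets):
    """Run every check; an empty dict for a category is the answer's 'Negative'."""
    return {
        "arp_sweep": sweep_sources(packets, is_arp_probe),
        # Only echo requests count towards a sweep; replies point back at one pinger.
        "icmp_ping_sweep": sweep_sources(packets, lambda p: is_icmp_echo(p) and p["icmp_type"] == 8),
        "tcp_ping_sweep": sweep_sources(packets, is_tcp_echo_port),
        "udp_ping_sweep": sweep_sources(packets, is_udp_echo_port),
        "ip_protocol_scan": protocol_scan_pairs(packets),
    }


def _icmp(t, src, dst, itype, code=0):
    return {"t": t, "proto": "ICMP", "src": src, "dst": dst, "icmp_type": itype, "icmp_code": code}


SAMPLE_PACKETS = (
    # Ordinary ARP resolution by three different hosts: not a sweep.
    [{"t": float(i), "proto": "ARP", "src": f"10.0.0.{10 + i}", "dst": "10.0.0.1",
      "arp_dst_hw": "00:00:00:00:00:00"} for i in range(3)]
    # 10.0.0.50 pings eight hosts within a second, two answer: ICMP ping sweep.
    + [_icmp(0.1 * (i + 1), "10.0.0.50", f"10.0.0.{i + 1}", 8) for i in range(8)]
    + [_icmp(0.95, "10.0.0.1", "10.0.0.50", 0), _icmp(0.96, "10.0.0.2", "10.0.0.50", 0)]
    # A single TCP packet to port 7: below the sweep threshold.
    + [{"t": 2.0, "proto": "TCP", "src": "10.0.0.50", "dst": "10.0.0.2", "dstport": 7}]
    # 10.0.0.20 answers six probes from 10.0.0.50 with "protocol unreachable".
    + [_icmp(3.0 + 0.1 * i, "10.0.0.20", "10.0.0.50", 3, 2) for i in range(6)]
)


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_PACKETS).items():
        print(f"{category}: {'Positive ' + str(hits) if hits else 'Negative'}")
```

Two points the filters alone do not make explicit: the protocol-scan filter matches traffic from the victim, not the scanner, so the pair is reported as (scanned, scanner); and a handful of matches is normal background (ARP resolution, monitoring pings), which is why every verdict is tied to a distinct-target count inside a time window rather than to the mere presence of matching packets.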