
CCIS2400: Security Essentials

Lab 2.5 - Network Sniffing: TCP Handshaking


Objective

Students will learn to use the Ethereal protocol analyzer to capture packets on a computer with an Internet connection. The initial TCP packets produced when a browser is used to view an Internet site will be observed. TCP packets produced when an attempt to connect fails will also be observed.

TCP Handshake

All network protocols send and receive control packets to enable communication between the source and the destination nodes. The two transport protocols within the TCP/IP suite are TCP and UDP. Both TCP and UDP keep track of different communications through the use of 16-bit ports, many of which are well-known. UDP is connectionless, and thus does not require acknowledgements from recipients. By its very nature, TCP (Transport Control Protocol) is connection-oriented; that is, it requires acknowledgement from the recipient. A TCP connection is initiated by the three-way TCP handshake. Suppose node (A) attempts to connect to node (B) via TCP. TCP's three-way handshake between these two nodes proceeds as follows:

1.) A SYN packet is sent from node (A) to node (B).
2.) A SYN/ACK packet is sent from node (B) to node (A), acknowledging the receipt of the SYN packet.
3.) An ACK packet is sent from node (A) to node (B), completing the connection.

Each step places the relevant ports in certain states. Under normal circumstances, a SYN packet is sent from a specific port on (A) to a specific port on (B) that is in the LISTEN state. System B responds by going into the SYN_RECV state (pending completion of the connection). System B then sends back a SYN/ACK packet to System A, acknowledging that it received System A's SYN packet successfully. If all goes well, (A) will return an ACK packet to (B) and the connection will move to the ESTABLISHED state on both (A) and (B).

Copyright Center for Systems Security and Information Assurance

Information Assurance & IA

Lab Manual (V2.0)

Released: 5/05

Page 2.5.1

Many common applications use TCP. Some of the more common applications include Internet browsing (using HTTP, port 80), Telnet (port 23), FTP (port 21), and SMTP (port 25). Every time these applications are used, they are initiated by a TCP three-way handshake.

Network Monitoring

Network monitors, protocol analyzers, and "sniffers" are all a class of tools used by network administrators to gather information about their network for a wide variety of protocols. It cannot be overstated how important such tools are for proper network management as well as for detecting possible security breaches. A network monitor may be either a software program running on a computer or a separate stand-alone device. Like many network devices, cost and capabilities vary widely. They range from free software to platforms costing thousands of dollars.

Using Ethereal to Capture a TCP Handshake

Ethereal is an open source network monitor/protocol analyzer. Being open source, the tool is free and runs on multiple platforms, including Unix, Linux, and Windows. It has a robust feature set that continues to be developed by a large number of contributors. It supports over 500 types of protocols, which may be analyzed in very fine detail. The use of Ethereal involves the initiation of a "capture", which is simply the retention of protocol utilization information that the tool has detected. This information may be retained in a capture file which can be saved for later reference. Ethereal is also compatible with numerous capture file formats used by other network monitors.


Installing Ethereal

If Ethereal is not already present on your computer, you will need to download and install it. This is an open-source product. You will find the installation file here: http://ca.htc.mnscu.edu/ccis2400

You may also have to download and install WinPCap (drivers/dll's for packet-capturing). The installation for both Ethereal and WinPCap is fairly straightforward.

Using Ethereal

1. Launch Ethereal and begin capturing packets: click on Capture on the menu bar, then click Start. Note that the keyboard shortcut CTRL-K will also start capturing packets.

2. You should see a capture options dialog box similar to the one below. If your PC has multiple NICs, you will need to be sure to capture with the correct one.

You may specify the name of a capture file for retention and later viewing. Be sure the interface is selected properly, but otherwise accept the defaults.

3. You should now see a capture dialog box like this one.

4. Visit a web site. If this is a site you've visited recently, click the Refresh button in your browser. Once the page is completely loaded/reloaded in the browser, leave the browser open and return to Ethereal.

5. Stop the Ethereal capture via the capture dialog box shown above. After the capture has been stopped, Ethereal should be populated with data based on network information acquired during the capture period. If no data is displayed, you probably picked the wrong NIC in #2.

6. Click on the protocol field shown below to sort the display by protocol type, and scroll down to TCP.

7. You should now see something similar to the following graphic.


8. Observe the top, middle, and bottom displays within Ethereal, each showing greater detail in succession. With proper sorting (you did this in #6), the first three lines of the top display should correspond to the TCP three-way handshake. Note the "SYN", "SYN, ACK", and "ACK" in the figure. The top portion of the display shows a summary of a particular packet. The middle display lists more detailed information sorted by layers of the OSI model, beginning with the physical layer. Be sure to expand the middle display information by clicking on the +, and note the port numbers. The lowest display area is the greatest detail, showing the actual bit stream in hex.

9. Open a command window and ping the website you visited in #4. The ping may fail, but the command output should show the actual IP address via DNS lookup. What is the address of the website you pinged?

_____ . _____ . _____ . _____

10. Does this address match what is in the Ethereal display? _______

11. Issue the command netstat /na. Under the Foreign Address column, locate the IP address of the website you visited and pinged. If a session with your website is not evident, try refreshing your browser, and repeat the command.

12. Referring only to the session(s) with your website, record the following (you may

    Local Address      ____ . ____ . ____ . ____ : ____
                       ____ . ____ . ____ . ____ : ____
                       ____ . ____ . ____ . ____ : ____

    Foreign Address    ____ . ____ . ____ . ____ : ____
                       ____ . ____ . ____ . ____ : ____
                       ____ . ____ . ____ . ____ : ____

Observing a Failed Handshake

To observe a failure to complete a three-way handshake, an attempt may be made to telnet into another computer host on the local network segment. Though nearly all computer workstations support telnet for remote connection to other devices, they do not usually accept telnet requests from other nodes.

1. Issue the netstat /a command. Under the Local Address column, is there a listing for Telnet (port 23)? If yes, you will need to "kill" the Telnet server/service before continuing.


2. Ping one of your classmates.

    ping ____ . ____ . ____ . ____

If the ping is successful, attempt to Telnet to your classmate's PC.

    telnet ____ . ____ . ____ . ____    (this should fail)

3. Start another Ethereal capture and attempt to telnet to your classmate's PC again.

4. After the second Telnet attempt fails, stop the Ethereal capture.

5. Sort the Ethereal display by protocol (like you did earlier) and scroll down to the start of the TCP packets.

6. Note that the "SYN" packet is not followed by a "SYN, ACK" response, but rather by a "RST, ACK". Telnet makes one more attempt to connect by sending another "SYN" packet, and after the same response, the failure message displays in the command window.

Analysis

1) What features of Ethereal are particularly useful for network administration and cyber security?

2) What happens if your computer attempts to telnet to an inactive IP address on your network segment? Does your computer send out a TCP "SYN" packet?
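The two captures this lab asks for (the completed SYN / SYN,ACK / ACK exchange from the TCP Handshake section, and the SYN answered by RST,ACK from the Observing a Failed Handshake section) can be checked mechanically rather than by eye. The following is an added example, not part of the CSSIA lab and not Ethereal code: it decodes the fixed 20-byte TCP header with the standard library, labels the flags the way Ethereal's summary line does, and walks the segments through the LISTEN -> SYN_RECV -> ESTABLISHED states described above, or to REFUSED when the reply is an RST. It also verifies the acknowledgement numbers (each side must acknowledge the other's initial sequence number plus one), which the lab's figure shows but does not discuss. The function names (build_tcp_header, parse_tcp_header, track_handshake, analyze) and the sample segments are constructed for this example; the port numbers, sequence numbers and the telnet retry follow the behaviour the lab describes.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int

    def flag_names(self) -> str:
        """Render the set flags in the order Ethereal's summary line uses, e.g. 'SYN, ACK'."""
        order = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"))
        return ", ".join(name for bit, name in order if self.flags & bit)


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with no options; checksum is left at zero."""
    offset_and_flags = (5 << 12) | flags          # data offset = 5 words, reserved bits 0
    window, checksum, urgent = 8192, 0, 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, checksum, urgent)


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Decode the fixed part of a TCP header; any options after byte 20 are ignored."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header: %d bytes" % len(raw))
    src, dst, seq, ack, offset_and_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpSegment(src, dst, seq, ack, offset_and_flags & 0x01FF)


def track_handshake(segments: Iterable[TcpSegment], server_port: int) -> List[Tuple[str, str]]:
    """Walk segments in capture order and record the server-side state after each one.

    States follow the lab text: LISTEN, SYN_RECV (SYN arrived), SYN_ACK_SENT,
    ESTABLISHED.  A RST from the server while the SYN is pending yields REFUSED,
    and a reply whose ack number does not match the peer's ISN + 1 yields BAD_ACK.
    """
    state = "LISTEN"
    client_isn = server_isn = None
    trace: List[Tuple[str, str]] = []
    for seg in segments:
        to_server = seg.dst_port == server_port
        if state in ("LISTEN", "REFUSED") and to_server and seg.flags == SYN:
            client_isn = seg.seq                   # a new SYN (or telnet's retry) starts over
            state = "SYN_RECV"
        elif state == "SYN_RECV" and not to_server and seg.flags == (SYN | ACK):
            if seg.ack != (client_isn + 1) & MASK32:
                state = "BAD_ACK"                  # SYN/ACK does not acknowledge our SYN
            else:
                server_isn = seg.seq
                state = "SYN_ACK_SENT"
        elif state == "SYN_RECV" and not to_server and seg.flags & RST:
            state = "REFUSED"                      # closed port: RST/ACK instead of SYN/ACK
        elif state == "SYN_ACK_SENT" and to_server and seg.flags == ACK:
            state = "ESTABLISHED" if seg.ack == (server_isn + 1) & MASK32 else "BAD_ACK"
        else:
            trace.append((seg.flag_names(), "unexpected in " + state))
            continue
        trace.append((seg.flag_names(), state))
    return trace


def analyze(raw_headers: Iterable[bytes], server_port: int) -> List[Tuple[str, str]]:
    """Parse raw headers and return the (flags, state) trace for one connection attempt."""
    return track_handshake([parse_tcp_header(h) for h in raw_headers], server_port)


# Constructed sample captures (not taken from a real trace): a browser connection to a
# web server on port 80 that completes, and a telnet attempt to port 23 that is refused
# and retried once, as described in the lab.
WEB_HANDSHAKE = [
    build_tcp_header(1034, 80, 1000, 0, SYN),
    build_tcp_header(80, 1034, 5000, 1001, SYN | ACK),
    build_tcp_header(1034, 80, 1001, 5001, ACK),
]
TELNET_REFUSED = [
    build_tcp_header(1035, 23, 2000, 0, SYN),
    build_tcp_header(23, 1035, 0, 2001, RST | ACK),
    build_tcp_header(1035, 23, 2000, 0, SYN),       # telnet retries once
    build_tcp_header(23, 1035, 0, 2001, RST | ACK),
]

if __name__ == "__main__":
    for label, capture, port in (("web", WEB_HANDSHAKE, 80), ("telnet", TELNET_REFUSED, 23)):
        print(label)
        for flags, state in analyze(capture, port):
            print("  [%s] -> %s" % (flags, state))
```

Run as a script it prints the two traces; the web capture ends in ESTABLISHED and the telnet capture alternates SYN_RECV / REFUSED, which is what steps 8 and 6 above tell you to look for in the Ethereal packet list. The BAD_ACK branch is the check worth keeping when reading real captures: a SYN/ACK that does not acknowledge the client's own initial sequence number plus one is not a reply to the SYN you are looking at, however the flags read.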

Appendix

This lab was developed using WinPCap and Ethereal 0.10.8, both of which can be obtained from: www.ethereal.com or http://www.download.com

Note that Ethereal, in particular WinPcap, may have difficulty starting a capture from a wireless network adaptor. The OS environment for this lab was Windows XP Professional, Version 2002, Service Pack 2 (8/04).
