
Information Assurance CNSS 4011 Lab Series

Lab 2: Packet Analysis


Document Version: 2011-09-09
4011 Identifier Reference: (C.1.a, D.1.b, D.1.j)

Lab Author: Belle Woodward


Organization: Associate Professor
Information Systems and Applied Technologies
Southern Illinois University

Copyright 2003-2011 Center for Systems Security and Information Assurance (CSSIA)
The development of this document is funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE)
program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746; Center for Systems Security and
Information Assurance (CSSIA) is an entity of Moraine Valley Community College. Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the
Free Software Foundation. A copy of this license can be found at http://www.gnu.org/licenses/fdl.html.


Contents
1 Introduction ................................................................................................................. 3
2 Objective: Learn the Basics of Network Sniffing ......................................................... 3
3 Pod Topology ............................................................................................................... 6
4 Lab Settings.................................................................................................................. 7
Task 1 Using Wireshark to Capture a TCP Handshake .................................................... 8
Task 1.1 Capture a TCP Handshake ............................................................................. 8
Task 1.2 Conclusion ................................................................................................... 12
Task 1.3 Discussion Questions .................................................................................. 13
Task 2 Regenerate a Webpage via Captured Data ........................................................ 14
Task 2.1 Using Wireshark to Reassemble a Webpage .............................................. 14
Task 2.2 Conclusion ................................................................................................... 18
Task 2.3 Discussion Questions .................................................................................. 18
Task 3 Observe Common TCP Vulnerabilities ............................................................... 19
Task 3.1 Connect to a Telnet/FTP Server .................................................................. 19
Task 3.2 Connect to a SSH Server ............................................................................. 22
Task 3.3 Conclusion ................................................................................................... 24
Task 3.4 Discussion Questions .................................................................................. 24
5 References ................................................................................................................. 25

9/9/2011 Copyright 2003-2011 Center for Systems Security and Information Assurance (CSSIA)

Page 2 of 25


Introduction

This lab is part of a series of lab exercises designed through a grant initiative by the
Center for Systems Security and Information Assurance (CSSIA) and the Network
Development Group (NDG), funded by the National Science Foundation's (NSF)
Advanced Technological Education (ATE) program Department of Undergraduate
Education (DUE) Award No. 0702872 and 1002746. This series of lab exercises is
intended to support courseware designated as meeting NSTISSI No. 4011 certification.
At the end of this lab, students will have the ability to grab a web page off the network
and capture it to a file for later viewing. In addition, students will learn to use the
Wireshark protocol analyzer to capture packets on a computer with an Internet
connection. The initial TCP packets produced when a browser is used to view an
Internet site will be observed, as will the TCP packets produced when a connection
attempt fails.
This lab includes the following tasks:
Task 1 - Using Wireshark to capture a TCP handshake
Task 2 - Using Wireshark to regenerate a webpage
Task 3 - Observe common TCP vulnerabilities

Objective: Learn the Basics of Network Sniffing

Network sniffing involves all seven layers of the OSI model, since protocol analyzers first
require a system that is physically plugged into the network to be monitored and then
return information related to layers 2 through 7. Of particular interest to this lab will be
layers 3, 4, and 7, since it is within these layers that one finds the transport
protocol, the network protocol and the data transmitted to and from the application
(web browser, command prompt, etc.). By the end of this lab, one will learn how to
perform a packet capture, analyze the results, and identify some of the intrinsic
vulnerabilities within the TCP protocol. For this lab, the following terms and concepts
will be of use:
TCP [1] - One half of the TCP/IP suite, TCP (Transmission Control Protocol) was
developed as a connection-oriented datagram service in 1974. Its role in networking is
to ensure correct delivery of IP packets by way of the TCP handshake, a series of
synchronization and acknowledgement packets sent by the transmitting and receiving
nodes. In the event data is lost during transmission, or another error occurs, TCP will request
that the data be retransmitted. Because of its connection-oriented nature, TCP is
sometimes slow and not considered ideal for real-time traffic like VoIP.


IP [2] - Simply put, IP (Internet Protocol) is what makes the Internet work. The other
half of the TCP/IP suite, IP defines the addressing and datagram encapsulation across a
network. In tandem with TCP, IP routes traffic from node to node across separate IP
networks. Because IP is considered an unreliable protocol, meaning it has no method of
error-checking, it relies on TCP for reliable transmission of data.
TCP Handshake [3] - All network protocols send and receive control packets to enable
communication between the source and the destination nodes. The two transport
protocols within the TCP/IP suite are TCP and UDP. Both TCP and UDP keep track of
different communications through the use of 16-bit ports, many of which are well-known.
UDP is connectionless, and thus does not require acknowledgements
from recipients. By its very nature, TCP (Transmission Control Protocol) is connection-oriented.
That is, it requires acknowledgement from the recipient. A TCP connection
is initiated by the three-way TCP handshake. Suppose node (A) attempts to connect to
node (B) via TCP. TCP's three-way handshake between these two nodes will proceed as
follows:
1. A SYN packet is sent from node (A) to node (B).
2. A SYN/ACK packet is sent from node (B) to node (A), acknowledging the
receipt of the SYN packet.
3. An ACK packet is sent from node (A) to node (B), completing the
connection.
Each step places the relevant ports in certain states. Under normal circumstances, a SYN
packet is sent from a specific port on (A) to a specific port on (B) that is in the LISTEN state.
System B responds by going into the SYN_RECV state (pending completion of the
connection). System B then sends back a SYN/ACK packet to System A, acknowledging
that it received System A's SYN packet successfully.
If all goes well, (A) will return an ACK packet to (B) and the connection will move to the
ESTABLISHED state on both (A) and (B).
Many common applications use TCP. Some of the more common applications include
Internet browsing (using HTTP, port 80), Telnet (port 23), FTP (port 21), and SNMP (port
25). Every time these applications are used, they are initiated by a TCP three-way
handshake.


Network Monitoring [3] - Network monitors, protocol analyzers, and sniffers are all a
class of tools used by network administrators to gather information about their network
for a wide variety of protocols. It cannot be overstated how important such tools are
for proper network management as well as for detecting possible security breaches.
A network monitor may either be a software program running on a computer, or it can
be a separate stand-alone device. Like many network devices, cost and capabilities vary
widely. They range from free software to platforms costing thousands of dollars.
Wireshark [4] - Wireshark is an open source network monitor/protocol analyzer. Being
open source, the tool is free and runs on multiple platforms, including UNIX, Linux, and
Windows. It has a robust feature set that continues to be developed by a large number
of contributors. It supports over 500 types of protocols, which may be analyzed in very
fine detail.
The use of Wireshark involves the initiation of a capture, which is simply the retention
of protocol utilization information that the tool has detected. This information may be
retained in a capture file, which can be saved for later reference. Wireshark is also
compatible with numerous capture file formats that are compatible with other network
monitors.
Clear Text [5] - Clear text data is data that is either stored or transmitted in an
unencrypted state. This is a dangerous practice, and can be remedied by encrypting
files or using services like SSH (Secure Shell) instead of Telnet, among other things.


Pod Topology


Lab Settings

The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.
Required Virtual Machines and Applications
This lab requires the use of the XP1 and Windows 7 virtual machines.
Windows XP Client                      192.168.111.41
Windows XP Client admin password       P@ssw0rd
Windows 7 Client                       192.168.111.57
Windows 7 Client admin password        P@ssw0rd


Task 1

Using Wireshark to Capture a TCP Handshake

Wireshark is an open source network monitor/protocol analyzer. Being open source,
the tool is free and runs on multiple platforms, including UNIX, Linux, and Windows. It
has a robust feature set that continues to be developed by a large number of
contributors. It supports over 500 types of protocols, which may be analyzed in very
fine detail.
The use of Wireshark involves the initiation of a capture, which is simply the retention
of protocol utilization information that the tool has detected. This information may be
retained in a capture file, which can be saved for later reference. Wireshark is also
compatible with numerous capture file formats that are compatible with other network
monitors.

Task 1.1

Capture a TCP Handshake

Start a Capture
1. Access the XP1 Virtual Machine by clicking on the XP1 image in the topology.
2. Login as the Administrator using P@ssw0rd as the password.
3. Double-click the Wireshark icon on the desktop.
4. In the Capture window, click Interface List, which will bring up a list of the
available interfaces. Select the interface with the 192.168.111.41 address.

Figure 2: Interface List options


You should now see something similar to the following:

Figure 3: Wireshark Capturing Data

Capture a Webpage
1. Minimize the Wireshark window.
2. Open Internet Explorer and browse to http://192.168.111.57. The site is hosted
by the WIN7 VM.
3. Once the site is observed in the browser, minimize the browser, click on
Wireshark on the taskbar, and stop the Wireshark capture by pressing Ctrl-E.
a. After the capture has been stopped, Wireshark should be populated with
data based on network information acquired during the capture period.
4. Click on the protocol field box shown below to sort the display by protocol type.

Figure 4: Click to sort by Protocol



You should now see something similar to the following graphic:

Figure 5: Captured Data Sorted by Protocol

Analyze the TCP Handshake


1. Scroll down to TCP in the protocol column.
2. Observe the top, middle, and bottom displays within Wireshark, each showing
greater detail in succession. With proper sorting, the first three lines of the top
display should correspond to the TCP three-way handshake. Look for the [SYN],
[SYN, ACK], and [ACK] in the Wireshark top window.
a. The top portion of the display shows a summary of a particular packet.
The middle display lists more detailed information sorted by layers of the
OSI model beginning with the physical layer. Be sure to expand the
middle display information by clicking on the + for Transmission Control
Protocol, and note the port numbers.
b. The lowest display area is the most detailed, showing the actual bit
stream in hex.
3. Click the Windows Start button and select Run
4. Type cmd in the text box and click OK.
5. Type cd c:\ and hit Enter.

6. Type netstat -na and hit Enter.


You should see something similar to the following graphic:

Figure 6: Output of Netstat

Once again, note the ports following the colons. If a session with your website is
not evident, try refreshing your browser, and repeat the command.
7. To observe a failure to complete a three-way handshake, attempt to telnet into
another computer host on your local network segment. Though nearly all
computer workstations support telnet for remote connection to other devices,
they do not usually support telnet requests from other nodes.
Verify connectivity with another host on the network segment via the ping
command.
C:\>ping 192.168.111.100
Once connectivity is verified, start another Wireshark capture as in Step 1, and
attempt to telnet into another host. When prompted, choose Continue without
Saving.
C:\>telnet 192.168.111.100
After the failure to connect is indicated within the command window, stop the
Wireshark capture. You should observe something similar to the next graphic.
The sequence of TCP packets can be observed within Wireshark. Note that the
[SYN] packet is not followed by a [SYN, ACK] response, but rather by another [SYN]
attempt. Telnet makes one more attempt to connect by sending another [SYN]
packet, and after the same lack of response, the failure message displays in the
command window.
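The handshake states described in the Objective section and the failed telnet attempt of Step 7 can be checked programmatically. The following is an added example, not part of the CSSIA lab: it walks hand-constructed packet summaries (modelled on the columns of Wireshark's top pane) and reports which connections reached ESTABLISHED and which SYNs were retransmitted without ever receiving a SYN/ACK. The packet records, client ports and the 192.168.111.100 target are constructed.

```python
"""Track TCP three-way handshakes and unanswered SYNs from packet summaries.

Added example (not part of the CSSIA lab). The packet records below are
constructed by hand to mirror what Wireshark's top pane shows in Task 1.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Constructed sample: one successful handshake to the web server on port 80
# (Capture a Webpage), then two unanswered SYNs to a telnet port (Step 7).
SAMPLE_PACKETS = [
    Packet("192.168.111.41", 1045, "192.168.111.57", 80, "SYN"),
    Packet("192.168.111.57", 80, "192.168.111.41", 1045, "SYN,ACK"),
    Packet("192.168.111.41", 1045, "192.168.111.57", 80, "ACK"),
    Packet("192.168.111.41", 1046, "192.168.111.100", 23, "SYN"),
    Packet("192.168.111.41", 1046, "192.168.111.100", 23, "SYN"),
]


def track_handshakes(packets):
    """Return (states, retransmits), both keyed by (client, cport, server, sport).

    States follow the lab's description: SYN_SENT after the client's SYN,
    SYN_RECV after the server's SYN/ACK, ESTABLISHED after the final ACK.
    A SYN seen while the connection is still SYN_SENT is a retransmission,
    meaning no SYN/ACK came back (the failure mode shown in Figure 7).
    """
    states = {}
    retransmits = {}
    for p in packets:
        flags = set(p.flags.split(","))
        if flags == {"SYN"}:
            key = (p.src, p.sport, p.dst, p.dport)
            if states.get(key) == "SYN_SENT":
                retransmits[key] = retransmits.get(key, 0) + 1
            else:
                states[key] = "SYN_SENT"
        elif flags == {"SYN", "ACK"}:
            # Server replies, so the connection key is the reverse direction.
            key = (p.dst, p.dport, p.src, p.sport)
            if states.get(key) == "SYN_SENT":
                states[key] = "SYN_RECV"
        elif flags == {"ACK"}:
            key = (p.src, p.sport, p.dst, p.dport)
            if states.get(key) == "SYN_RECV":
                states[key] = "ESTABLISHED"
    return states, retransmits


def summarize(packets):
    """Group connections into established, never-answered, and retransmit counts."""
    states, retransmits = track_handshakes(packets)
    return {
        "established": [k for k, s in states.items() if s == "ESTABLISHED"],
        "unanswered": [k for k, s in states.items() if s == "SYN_SENT"],
        "retransmits": retransmits,
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_PACKETS).items():
        print(name, value)
```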

Figure 7: Overlay image of Telnet attempt and Corresponding Wireshark Output

Task 1.2

Conclusion

Protocol Analyzers such as Wireshark are an essential tool in monitoring and identifying
both desirable and undesirable network traffic within an organization. Due to their
ability to both view traffic in a general aspect (a collection of individual packets) down to
a very granular detail (the raw packet data) one is able to achieve a detailed view of the
types of communication within their network as it occurs or save a session for review.


Task 1.3

Discussion Questions

1. What features of Wireshark are particularly useful for network administration
and cyber security?
2. What happens if your computer attempts to telnet to an inactive IP address on
your network segment? Does your computer send out a TCP [SYN] packet?
3. Explore what happens when you ping your localhost address 127.0.0.1.
4. Explore what happens when you ping your local IP address. What is the
difference between this and pinging the localhost address?


Task 2

Regenerate a Webpage via Captured Data

Having the ability to look at and analyze packets on a network can be very informative.
There are many reasons an administrator may want to see what is traversing the
network. On a wireless or non-switched network, packets can be seen by both those
that have legitimate needs and those that are up to nefarious activities.
Capturing web pages requires an understanding of how they are processed by the
server and rendered by the browser. We will follow an HTTP stream and see what can be
displayed easily and what requires more effort. The more highly formatted the
page, the harder it will be to reproduce. Products like Wget
(http://www.gnu.org/software/wget/) can grab web sites for off-line viewing.
Alternatively, Wireshark will grab the stream and leave it up to the user to assemble.

Task 2.1

Using Wireshark to Reassemble a Webpage

Capture a Webpage
1. Minimize Wireshark and close the Command Line window.
2. Open Internet Explorer (if it is not already) and click Tools on the Menu bar.
3. Select Internet Options on the bottom of the drop down list.
4. Under browsing history, click on Delete, click Delete again, and click OK.
5. Minimize Internet Explorer and click on Wireshark on the taskbar.
6. Start a new capture on the 192.168.111.41 interface. Click Continue without
Saving when prompted.
7. Minimize Wireshark and click on Internet Explorer on the taskbar.
8. Navigate to http://192.168.111.57.
9. When the page loads, minimize Internet Explorer, click on Wireshark on the
taskbar and stop the capture by pressing Ctrl+E.
10. Find a TCP packet that's part of the TCP handshake, click it, then select Analyze
from the menu bar.
11. Select Follow TCP Stream. (See the following screen shot for an example.)


Figure 8: Following a TCP Stream in Wireshark


The program will process the stream and display the contents. Your screen will
look similar to the one shown below:

Figure 9: The Follow TCP Stream window in Wireshark

12. Click Save As, enter TCP Stream as the Name, and click Save.
13. Close Wireshark and click Quit without Saving.
14. Close the Internet Explorer Window.


Edit the Saved TCP Stream File


1. Click on the Start button and click on My Documents.
2. Double-click the TCP Stream file.
3. Select Wordpad as the program to open the file and click OK.
4. Cut out everything that is not part of the html page. Pages can start with
<html> or <?xml> and end with </html>. Keep only the highlighted
portion from the following graphic.

Figure 10: Only keep the highlighted portion

5. Save the edited file as testfile.html. (The saved file should look like an HTML
file.)
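The manual cut in the steps above can be automated. The following added example (not part of the lab) extracts the HTML document from a saved Follow TCP Stream file using the same markers the lab names, <html> or <?xml> at the start and </html> at the end, and reads the response Content-Type so the file is only saved as .html when the server actually sent HTML; SAMPLE_STREAM is a constructed stand-in for the saved "TCP Stream" file, and its request, headers and page body are made up.

```python
"""Cut the HTML page out of a saved Wireshark "Follow TCP Stream" dump.

Added example (not from the CSSIA lab). SAMPLE_STREAM is a constructed
stand-in for the "TCP Stream" file saved in Task 2.1, step 12.
"""
import re

SAMPLE_STREAM = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.168.111.57\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Lab page</title></head>\r\n"
    "<body><h1>Hosted by the Windows 7 VM</h1></body></html>\r\n"
)

START_MARKER = re.compile(r"<\?xml|<html", re.IGNORECASE)
END_MARKER = re.compile(r"</html\s*>", re.IGNORECASE)


def extract_html(stream_text):
    """Return the first <html>/<?xml ... </html> document in the dump, or None.

    The request, the response headers and anything after </html> are
    discarded, which is the manual cut the lab asks for. A stream whose
    </html> never arrived (capture stopped early) yields None rather than
    a half page.
    """
    start = START_MARKER.search(stream_text)
    if start is None:
        return None
    end = END_MARKER.search(stream_text, start.start())
    if end is None:
        return None
    return stream_text[start.start():end.end()]


def response_content_type(stream_text):
    """Return the Content-Type of the first HTTP response in the dump, or None."""
    in_response = False
    for line in stream_text.splitlines():
        if line.startswith("HTTP/"):
            in_response = True
            continue
        if in_response:
            if line == "":          # blank line ends the header block
                return None
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-type":
                return value.strip()
    return None


def save_page(stream_text, path):
    """Write the extracted page to path (the lab's testfile.html) and return its size."""
    if not (response_content_type(stream_text) or "").startswith("text/html"):
        raise ValueError("response is not text/html")
    html = extract_html(stream_text)
    if html is None:
        raise ValueError("no complete HTML document in stream")
    with open(path, "w", encoding="utf-8") as f:
        f.write(html)
    return len(html)
```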


View the Edited TCP Stream File

1. Close Wordpad.
2. Open the My Documents folder if it isn't open already.
3. Double click the testfile.html file. Here is a sample screen shot:

Figure 11: The Reconstructed Webpage

4. Get a screen shot of your edited HTML page as it is displayed by a browser. Save
to a Word document, put your name in the document and print off for your
instructor.
5. Close the My Documents window.

Task 2.2

Conclusion

By using the Follow TCP Stream functionality in Wireshark, one is able to reconstitute
the data flow between two hosts in order to see the exact nature of the communication
that occurred between them. This is a useful tool when it is necessary to view the
packet payload with the packet sequence numbering in order.

Task 2.3

Discussion Questions

1. Can you capture the images and have the page display correctly?
2. What can be gleaned by capturing http traffic?
3. In Figure 9, why is some of the file in red and some in blue?


Task 3

Observe Common TCP Vulnerabilities

This section will require a functional Telnet and/or FTP server to demonstrate how
passwords and IDs are seen in clear text. Next, a SSH server will be required to
demonstrate how the raw payload is not viewable within a packet analyzer.

Task 3.1

Connect to a Telnet/FTP Server

1. Open Wireshark and start a new capture.
2. Open the Putty client and enter 192.168.111.57 as the IP address. Make sure the
Telnet radio button is selected:

Figure 12: Configuration for a Telnet Session


3. Make sure you have Wireshark capturing packets, then click Open. A window
similar to the one below should open:

Figure 13: Telnet Login


5. Enter your username (administrator) and password (P@ssw0rd) at the prompt.
6. Minimize the window and return to your Wireshark capture.
7. Press Ctrl+E to end the packet capture. You should have packets that look like
this:

Figure 14: Telnet Connection in Wireshark

8. Find a packet with Telnet Data . . . in its info field. Right click it, and select
Follow TCP Stream.
9. Save the output as Telnet Data and close the window.
10. Close the PuTTY window.


Task 3.2

Connect to a SSH Server

1. Start a new Wireshark capture.
2. Open a new PuTTY session, although this time select SSH and enter
192.168.111.210 as the IP address.

Figure 15: Configuration for an SSH Session


3. Make sure Wireshark is running, then click Open. The SSH login screen should
look like this:

Figure 16: SSH Login


4. Login with the same credentials (administrator, P@ssw0rd), then check
Wireshark. The packets should look similar to the following graphic:

Figure 17: SSH Connection in Wireshark

5. Find a packet with Encrypted response packet in the field, right-click it and
select Follow TCP stream. Observe and note the output.

Task 3.3

Conclusion

Some technologies, such as Telnet and FTP, should see only very limited use, particularly on a
non-switched or wireless network. This is due to the intrinsic vulnerabilities that exist within
the TCP protocol by design. When determining the nature of the data that will be
shared over a network, the type of technology employed to deliver or receive that data
must be considered.
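To make the difference between the Telnet session of Task 3.1 and the SSH session of Task 3.2 measurable, the following added example (not part of the lab) classifies a captured stream payload as clear text or SSH from the share of printable bytes and lists the login prompts a passive observer on the segment can read. Both payloads are constructed stand-ins for the Follow TCP Stream output, and the SSH version strings in them are made up.

```python
"""Tell clear-text sessions from SSH sessions in captured TCP payloads.

Added example (not part of the CSSIA lab). Both payloads are constructed
stand-ins for the Follow TCP Stream output seen in Task 3; the SSH
version strings are invented.
"""
import string

PRINTABLE = set(string.printable.encode("ascii"))

# Telnet: a few option-negotiation bytes (IAC sequences), then the prompts
# and credentials the lab types in step 5, readable by anyone on the path.
TELNET_SAMPLE = (b"\xff\xfd\x18\xff\xfd\x20"
                 b"login: administrator\r\nPassword: P@ssw0rd\r\nC:\\>")
# SSH: the clear-text version banner exchange, then bytes standing in for
# the key exchange and encrypted records that follow it.
SSH_SAMPLE = (b"SSH-2.0-ExampleClient_1.0\r\nSSH-2.0-ExampleServer_1.0\r\n"
              + bytes(range(256)))


def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII (0.0 for an empty payload)."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in PRINTABLE) / len(payload)


def classify_stream(payload, threshold=0.85):
    """Return (label, ratio) with label 'ssh', 'cleartext' or 'binary'.

    SSH announces itself with a version banner; after the banner exchange
    the records are encrypted, so the stream as a whole scores far below a
    text protocol such as Telnet, FTP or HTTP.
    """
    ratio = printable_ratio(payload)
    if payload.startswith(b"SSH-"):
        return "ssh", ratio
    return ("cleartext" if ratio >= threshold else "binary"), ratio


def exposed_prompts(payload):
    """Login/password prompt lines readable in the raw payload.

    Non-printable bytes (Telnet option negotiation) are dropped first so the
    lines match what Wireshark's Follow TCP Stream window displays.
    """
    text = "".join(chr(b) for b in payload if b in PRINTABLE)
    return [line.strip() for line in text.splitlines()
            if "login:" in line.lower() or "password:" in line.lower()]


if __name__ == "__main__":
    for name, payload in (("telnet", TELNET_SAMPLE), ("ssh", SSH_SAMPLE)):
        label, ratio = classify_stream(payload)
        print(name, label, round(ratio, 2), exposed_prompts(payload))
```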

Task 3.4

Discussion Questions

1. What kind of sensitive data is captured in a Telnet or FTP session?
2. What kind of sensitive data is captured in a SSH session?
3. If there are any differences between #1 and #2, what are they and what is the
cause?

References
1. DARPA Protocol Specification RFC 793:
http://tools.ietf.org/html/rfc793
2. DARPA Protocol Specification RFC 791:
http://tools.ietf.org/html/rfc791#section-2.1
3. Defense Acquisition Guidebook:
https://acc.dau.mil/CommunityBrowser.aspx?id=334069
4. Wireshark:
http://wireshark.org
5. Webster's Online Dictionary:
http://www.websters-onlinedictionary.org/definitions/CLEARTEXT?cx=partner-pub0939450753529744%3Av0qd01-tdlq&cof=FORID%3A9&ie=UTF8&q=CLEARTEXT&sa=Search#922

