Copyright 2003-2011 Center for Systems Security and Information Assurance (CSSIA)
The development of this document is funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE)
program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746; Center for Systems Security and
Information Assurance (CSSIA) is an entity of Moraine Valley Community College. Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the
Free Software Foundation. A copy of this license can be found at http://www.gnu.org/licenses/fdl.html.
Contents
1 Introduction  3
2 Objective: Learn the Basics of Network Sniffing  3
3 Pod Topology  6
4 Lab Settings  7
Task 1 Using Wireshark to Capture a TCP Handshake  8
Task 1.1 Capture a TCP Handshake  8
Task 1.2 Conclusion  12
Task 1.3 Discussion Questions  13
Task 2 Regenerate a Webpage via Captured Data  14
Task 2.1 Using Wireshark to Reassemble a Webpage  14
Task 2.2 Conclusion  18
Task 2.3 Discussion Questions  18
Task 3 Observe Common TCP Vulnerabilities  19
Task 3.1 Connect to a Telnet/FTP Server  19
Task 3.2 Connect to an SSH Server  22
Task 3.3 Conclusion  24
Task 3.4 Discussion Questions  24
5 References  25
9/9/2011 Copyright 2003-2011 Center for Systems Security and Information Assurance (CSSIA)
Page 2 of 25
Introduction
This lab is part of a series of lab exercises designed through a grant initiative by the
Center for Systems Security and Information Assurance (CSSIA) and the Network
Development Group (NDG), funded by the National Science Foundation's (NSF)
Advanced Technological Education (ATE) program Department of Undergraduate
Education (DUE) Award No. 0702872 and 1002746. This series of lab exercises is
intended to support courseware designated as meeting NSTISSI No. 4011 certification.
At the end of this lab, students will be able to capture a web page from the network
and save it to a file for later viewing. Students will also learn to use the Wireshark
protocol analyzer to capture packets on a computer with an Internet connection. They
will observe the initial TCP packets produced when a browser is used to view an
Internet site, and the TCP packets produced when an attempt to connect fails.
This lab includes the following tasks:
Task 1 - Using Wireshark to capture a TCP handshake
Task 2 - Using Wireshark to regenerate a webpage
Task 3 - Observe common TCP vulnerabilities
Network sniffing involves all seven layers of the OSI model since protocol analyzers first
require a system that is physically plugged into the network to be monitored and then
returns information related to layers 2 through 7. Of particular interest to this lab will be
layers 3, 4, and 7 since it is within these layers where one finds the transmission
protocol, the network protocol and the transmitted data to and from the application
(web browser, command prompt, etc.). By the end of this lab, one will learn how to
perform a packet capture, analyze the results, and identify some of the intrinsic
vulnerabilities within the TCP protocol. For this lab, the following terms and concepts
will be of use:
TCP [1] - One half of the TCP/IP suite, TCP (Transmission Control Protocol) was
developed as a connection-oriented datagram service in 1974. Its role in networking is
to ensure correct delivery of IP packets by way of the TCP handshake, a series of
synchronization and acknowledgement packets sent by the transmitting and receiving
nodes. If data is lost during transmission, or another error occurs, TCP will request
that the data be retransmitted. Because of its connection-oriented nature, TCP is
sometimes slow and not considered ideal for real-time traffic like VoIP.
IP [2] - Simply put, IP (Internet Protocol) is what makes the Internet work. The other
half of the TCP/IP suite, IP defines the addressing and datagram encapsulation across a
network. In tandem with TCP, IP routes traffic from node to node across separate IP
networks. Because IP is considered an unreliable protocol, meaning it has no mechanism
for recovering lost or corrupted data, it relies on TCP for reliable transmission of data.
TCP Handshake [3] - All network protocols send and receive control packets to enable
communication between the source and the destination nodes. The two transport
protocols within the TCP/IP suite are TCP and UDP. Both TCP and UDP keep track of
different communications through the use of 16-bit ports, many of which are well-known.
UDP is connectionless, and thus does not require acknowledgements from recipients. By
its very nature, TCP (Transmission Control Protocol) is connection-oriented. That is, it
requires acknowledgement from the recipient. A TCP connection is initiated by the
three-way TCP handshake. Suppose node (A) attempts to connect to node (B) via TCP.
TCP's three-way handshake between these two nodes will proceed as follows:
1. A SYN packet is sent from node (A) to node (B)
2. A SYN/ACK packet is sent from node (B) to node (A), acknowledging the
receipt of a SYN packet.
3. An ACK packet is sent from node (A) to node (B), completing the
connection.
Each step places the relevant ports in certain states. Under normal circumstances, a SYN
packet is sent from a specific port on (A) to a specific port on (B) that is in the LISTEN state.
System B responds by going into the SYN_RECV state (pending completion of the
connection). System B then sends back a SYN/ACK packet to System A, acknowledging
that it received System A's SYN packet successfully.
If all goes well, (A) will return an ACK packet to (B) and the connection will move to the
ESTABLISHED state on both (A) and (B).
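As an added illustration (example code written for this edition, not part of the original lab or of Wireshark), the following Python builds the three segments of the handshake as raw 20-byte TCP headers, decodes them the way a protocol analyzer does, and walks node A and node B through the states named above. The port numbers, initial sequence numbers and the acknowledgement check (each ACK must equal the peer's ISN + 1) are constructed for the demo:

```python
import struct

# TCP control-flag bits as laid out in the RFC 793 header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Construct a minimal 20-byte TCP header (no options, checksum left at 0) for the demo."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed TCP header fields, the same values Wireshark shows in its detail pane."""
    sport, dport, seq, ack, offset_byte, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "header_len": (offset_byte >> 4) * 4,
        "flags": {name for name, bit in FLAG_NAMES if flags & bit},
    }


class HandshakeTracker:
    """Follows the port states of node A (client) and node B (server) through the three-way handshake."""

    def __init__(self):
        self.state = {"A": "CLOSED", "B": "LISTEN"}
        self.isn = {}          # initial sequence number chosen by each side
        self.rejected = []     # segments that did not fit the expected exchange

    def feed(self, sender, raw):
        pkt = parse_tcp_header(raw)
        flags, a, b = pkt["flags"], self.state["A"], self.state["B"]
        if sender == "A" and flags == {"SYN"} and b == "LISTEN":
            # Step 1: A's SYN reaches a listening port; B now holds a half-open connection.
            self.isn["A"] = pkt["seq"]
            self.state.update(A="SYN_SENT", B="SYN_RECV")
        elif sender == "B" and flags == {"SYN", "ACK"} and a == "SYN_SENT" and pkt["ack"] == self.isn["A"] + 1:
            # Step 2: B's SYN/ACK acknowledges A's ISN + 1; A considers the connection established.
            self.isn["B"] = pkt["seq"]
            self.state["A"] = "ESTABLISHED"
        elif sender == "A" and flags == {"ACK"} and b == "SYN_RECV" and pkt["ack"] == self.isn["B"] + 1:
            # Step 3: A's ACK acknowledges B's ISN + 1; B leaves SYN_RECV.
            self.state["B"] = "ESTABLISHED"
        else:
            # Wrong flags, wrong order or wrong acknowledgement number: no state change.
            self.rejected.append((sender, sorted(flags), pkt["ack"]))
        return dict(self.state)


def run_handshake(client_isn=1000, server_isn=5000):
    """Replay the three segments between A's ephemeral port 1037 and B's web server port 80 (constructed)."""
    t = HandshakeTracker()
    t.feed("A", build_tcp_header(1037, 80, client_isn, 0, SYN))
    t.feed("B", build_tcp_header(80, 1037, server_isn, client_isn + 1, SYN | ACK))
    t.feed("A", build_tcp_header(1037, 80, client_isn + 1, server_isn + 1, ACK))
    return t


if __name__ == "__main__":
    tracker = run_handshake()
    print(tracker.state)  # {'A': 'ESTABLISHED', 'B': 'ESTABLISHED'}
```

A SYN/ACK whose acknowledgement number is not A's ISN + 1 is recorded in `rejected` and leaves both sides where they were, which is the same reason a real stack ignores such a segment.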
Many common applications use TCP. Some of the more common applications include
Internet browsing (using HTTP, port 80), Telnet (port 23), FTP (port 21), and SMTP (port
25). Every time these applications are used, they are initiated by a TCP three-way
handshake.
Network Monitoring [3] - Network monitors, protocol analyzers, and sniffers are all a
class of tools used by network administrators to gather information about their network
for a wide variety of protocols. It cannot be overstated how important such tools are
for proper network management as well as for detecting possible security breaches.
A network monitor may be either a software program running on a computer or a
separate stand-alone device. As with many network devices, cost and capabilities vary
widely, ranging from free software to platforms costing thousands of dollars.
Wireshark [4] - Wireshark is an open source network monitor/protocol analyzer. Being
open source, the tool is free and runs on multiple platforms, including UNIX, Linux, and
Windows. It has a robust feature set that continues to be developed by a large number
of contributors. It supports over 500 types of protocols, which may be analyzed in very
fine detail.
The use of Wireshark involves the initiation of a capture, which is simply the retention
of protocol utilization information that the tool has detected. This information may be
retained in a capture file, which can be saved for later reference. Wireshark is also
compatible with numerous capture file formats that are compatible with other network
monitors.
Clear Text [5] - Clear text data is data that is either stored or transmitted in an
unencrypted state. This is a dangerous practice, and can be remedied by encrypting
files or using services like SSH (Secure Shell) versus Telnet, among other things.
Pod Topology
Lab Settings
The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.
Required Virtual Machines and Applications
This lab requires the use of the XP1 and Windows 7 virtual machines.
Virtual Machine      IP Address        Password
Windows XP Client    192.168.111.41    P@ssw0rd
Windows 7 Client     192.168.111.57    P@ssw0rd
Task 1
Task 1.1
Start a Capture
1. Access the XP1 Virtual Machine by clicking on the XP1 image in the topology.
2. Login as the Administrator using P@ssw0rd as the password.
3. Double-click the Wireshark icon on the desktop.
4. In the Capture window, click Interface List, which will bring up a list of the
available interfaces. Select the interface with the 192.168.111.41 address.
Capture a Webpage
1. Minimize the Wireshark window.
2. Open Internet Explorer and browse to http://192.168.111.57. The site is hosted
by the WIN7 VM.
3. Once the site is observed in the browser, minimize the browser, click on
Wireshark on the taskbar, and stop the Wireshark capture by pressing Ctrl-E.
a. After the capture has been stopped, Wireshark should be populated with
data based on network information acquired during the capture period.
4. Click on the protocol field box shown below to sort the display by protocol type.
Once again, note the ports following the colons. If a session with your website is
not evident, try refreshing your browser, and repeat the command.
7. To observe a failure to complete a three-way handshake, attempt to telnet into
another computer host on your local network segment. Though nearly all
workstations include a telnet client for connecting to other devices, they do not
usually run a telnet server, so they will not accept telnet requests from other nodes.
Verify connectivity with another host on the network segment via the ping
command.
C:\>ping 192.168.111.100
Once connectivity is verified, start another Wireshark capture as in Step 1 , and
attempt to telnet into another host. When prompted, choose Continue without
Saving.
C:\>telnet 192.168.111.100
After the failure to connect is indicated within the command window, stop the
Wireshark capture. You should observe something similar to the next graphic.
The sequence of TCP packets can be observed within Wireshark. Note that the
[SYN] packet is not followed by a [SYN, ACK] response, but rather by another [SYN]
attempt. Telnet makes one more attempt to connect by sending another [SYN]
packet, and after that one also goes unanswered, the failure message displays in the
command window.
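Added example (not from the lab or from Wireshark): a Python summary over a constructed packet list in the shape of Wireshark's summary columns, covering the successful web handshake, the unanswered telnet SYNs described above and, going one step beyond the text, a port that answers with RST. The addresses, ports and timestamps are constructed; the Info column format is the one Wireshark prints for TCP segments.

```python
import re
from collections import OrderedDict

# Matches the start of Wireshark's TCP Info column, e.g. "1043 > 23 [SYN] Seq=0 Win=65535 Len=0".
INFO_RE = re.compile(r"^(\d+)\s*(?:>|->|\u2192)\s*(\d+)\s*\[([A-Z, ]+)\]")

# Constructed packet list in the shape of Wireshark's summary view: (no., time, src, dst, info).
SAMPLE_PACKETS = [
    (1, 0.000, "192.168.111.41", "192.168.111.57", "1037 > 80 [SYN] Seq=0 Win=65535 Len=0"),
    (2, 0.001, "192.168.111.57", "192.168.111.41", "80 > 1037 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0"),
    (3, 0.001, "192.168.111.41", "192.168.111.57", "1037 > 80 [ACK] Seq=1 Ack=1 Win=65535 Len=0"),
    (4, 2.500, "192.168.111.41", "192.168.111.100", "1043 > 23 [SYN] Seq=0 Win=65535 Len=0"),
    (5, 5.500, "192.168.111.41", "192.168.111.100", "1043 > 23 [SYN] Seq=0 Win=65535 Len=0"),
    (6, 11.500, "192.168.111.41", "192.168.111.100", "1043 > 23 [SYN] Seq=0 Win=65535 Len=0"),
    (7, 14.000, "192.168.111.41", "192.168.111.57", "1044 > 23 [SYN] Seq=0 Win=65535 Len=0"),
    (8, 14.001, "192.168.111.57", "192.168.111.41", "23 > 1044 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0"),
]


def parse_info(info):
    """Pull source port, destination port and the flag set out of an Info column string."""
    m = INFO_RE.match(info)
    if not m:
        return None
    sport, dport, flags = m.groups()
    return int(sport), int(dport), {f.strip() for f in flags.split(",")}


def summarize_handshakes(packets):
    """Track every SYN-initiated conversation and report how far its handshake got."""
    attempts = OrderedDict()
    for _no, ts, src, dst, info in packets:
        parsed = parse_info(info)
        if parsed is None:
            continue
        sport, dport, flags = parsed
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == {"SYN"}:
            rec = attempts.setdefault(fwd, {"client": src, "server": dst, "port": dport,
                                            "syn_count": 0, "first_syn": ts, "last_syn": ts,
                                            "result": "no_response"})
            rec["syn_count"] += 1          # a repeated SYN is the client retrying an unanswered one
            rec["last_syn"] = ts
        elif rev in attempts:               # a reply travelling server -> client
            rec = attempts[rev]
            if flags == {"SYN", "ACK"}:
                rec["result"] = "syn_ack_received"
            elif "RST" in flags:
                rec["result"] = "refused"   # closed port: the server actively rejects
        elif fwd in attempts and flags == {"ACK"} and attempts[fwd]["result"] == "syn_ack_received":
            attempts[fwd]["result"] = "established"
    for rec in attempts.values():
        rec["retry_span"] = round(rec["last_syn"] - rec["first_syn"], 3)
    return list(attempts.values())


def failed_attempts(packets):
    """Only the conversations that never reached ESTABLISHED, the ones worth a second look in a capture."""
    return [r for r in summarize_handshakes(packets) if r["result"] != "established"]


if __name__ == "__main__":
    for rec in summarize_handshakes(SAMPLE_PACKETS):
        print(rec)
```

The three SYNs to 192.168.111.100 with nothing coming back are the pattern the telnet attempt produces in the capture; a host that is up but not listening on the port instead answers with RST, which the summary reports as `refused`.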
Task 1.2
Conclusion
Protocol analyzers such as Wireshark are an essential tool for monitoring and identifying
both desirable and undesirable network traffic within an organization. Because they can
present traffic both in general terms (as a collection of individual packets) and in very
granular detail (the raw packet data), one can obtain a detailed view of the types of
communication on the network as they occur, or save a session for later review.
Task 1.3
Discussion Questions
Task 2
Having the ability to look at and analyze packets on a network can be very informative.
There are many reasons an administrator may want to see what is traversing the
network. On a wireless or non-switched network, packets can be seen by both those
that have legitimate needs and those that are up to nefarious activities.
Capturing web pages requires an understanding of how they are processed by the
server and rendered by the browser. We will follow an HTTP stream and see what can be
displayed easily and that which requires more effort. The more highly formatted the
page the harder it will be to reproduce. Products like Wget
(http://www.gnu.org/software/wget/) can grab web sites for off-line viewing.
Alternatively, Wireshark will grab the stream and leave it up to the user to assemble.
Task 2.1
Capture a Webpage
The program will process the stream and display the contents. Your screen will
look similar to the one shown below:
12. Click Save As, enter TCP Stream as the Name, and click Save.
13. Close Wireshark and click Quit without Saving.
14. Close the Internet Explorer Window.
3. Save the edited file as testfile.html . (The saved file should look like an HTML
file.)
4. Get a screen shot of your edited HTML page as it is displayed by a browser. Save
to a Word document, put your name in the document and print off for your
instructor.
5. Close the My Documents window.
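Added example, written for this edition rather than taken from the lab: a small Python parser that takes a stream saved as in step 12 (request, response headers and body, possibly a further request and a chunked response) and pulls out only the HTML that step 3 asks you to isolate by hand. The sample stream below is constructed; the 192.168.111.57 host is the lab's WIN7 web server, and the chunked second response is included to show the case where the body cannot simply be cut out between the headers and the next request.

```python
def read_chunked(stream, pos):
    """Decode a chunked body starting at pos; returns (body, position after the terminating blank line)."""
    body = b""
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated chunked body")
        size = int(stream[pos:eol].split(b";")[0], 16)  # chunk extensions after ';' are ignored
        pos = eol + 2
        if size == 0:
            # Skip any trailer header lines up to and including the terminating blank line.
            while stream[pos:pos + 2] != b"\r\n":
                nxt = stream.find(b"\r\n", pos)
                if nxt == -1:
                    raise ValueError("truncated chunked trailer")
                pos = nxt + 2
            return body, pos + 2
        body += stream[pos:pos + size]
        pos += size + 2   # chunk data is followed by CRLF


def parse_messages(stream):
    """Split a saved TCP stream into (start_line, headers, body) HTTP messages."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = read_chunked(stream, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + length], pos + length
        messages.append((lines[0], headers, body))
    return messages


def extract_html(stream):
    """Return the decoded bodies of every text/html response in the stream."""
    pages = []
    for start_line, headers, body in parse_messages(stream):
        ctype = headers.get("content-type", "")
        if not start_line.startswith("HTTP/") or "text/html" not in ctype.lower():
            continue
        charset = "iso-8859-1"
        for part in ctype.split(";")[1:]:
            key, _, val = part.strip().partition("=")
            if key.lower() == "charset" and val:
                charset = val.strip('"')
        pages.append(body.decode(charset, errors="replace"))
    return pages


def save_first_page(stream, path="testfile.html"):
    """Write the first HTML document in the stream to disk, the file step 3 produces by hand."""
    pages = extract_html(stream)
    if pages:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(pages[0])
    return len(pages)


# Constructed stand-in for a "Follow TCP Stream" save: two requests and two responses.
HTML_BODY = b'<html><body><h1>Lab page</h1><img src="logo.png"></body></html>'
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\nHost: 192.168.111.57\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    + b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: %d\r\n\r\n" % len(HTML_BODY)
    + HTML_BODY
    + b"GET /style.css HTTP/1.1\r\nHost: 192.168.111.57\r\n\r\n"
    + b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nTransfer-Encoding: chunked\r\n\r\n"
    + b"a\r\nbody{color\r\n6\r\n:red;}\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(save_first_page(SAMPLE_STREAM), "HTML page(s) found; first one written to testfile.html")
```

Images referenced by the page are separate responses in their own streams, which is why the reconstructed page shows broken image links unless those are extracted as well.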
Task 2.2
Conclusion
By using the Follow TCP Stream functionality in Wireshark, one is able to reconstitute
the data flow between two hosts in order to see the exact nature of the communication
that occurred between them. This is a useful tool when it is necessary to view the
packet payload with the packet sequence numbering in order.
Task 2.3
Discussion Questions
1. Can you capture the images and have the page display correctly?
2. What can be gleaned by capturing http traffic?
3. In Figure 9, why is some of the file in red and some in blue?
Task 3
This section will require a functional Telnet and/or FTP server to demonstrate how
passwords and IDs are seen in clear text. Next, an SSH server will be required to
demonstrate how the raw payload is not viewable within a packet analyzer.
Task 3.1
3. Make sure you have Wireshark capturing packets, then click Open. A window
similar to the one below should open:
8. Find a packet with Telnet Data ... in its info field. Right click it, and select
Follow TCP Stream.
9. Save the output as Telnet Data and close the window.
10. Close the PuTTY window.
Task 3.2
3. Make sure Wireshark is running, then click Open. The SSH login screen should
look like this:
5. Find a packet with Encrypted response packet in the field, right-click it and
select Follow TCP stream. Observe and note the output.
Task 3.3
Conclusion
Some technologies have an extremely limited use. They might be used on a non-switched
or wireless network. This is due to the intrinsic vulnerabilities that exist within the TCP
protocol by design. When determining the nature of the data that will be shared over a
network, the type of technology employed to deliver or receive that data must be
considered.
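Added example (not part of the lab): a Python classifier for followed TCP streams that reports whether a session exchanged credentials in the clear (Telnet login/password prompts, FTP USER/PASS commands) or carried opaque encrypted payload (SSH), using byte entropy as the tell. The three streams are constructed stand-ins for the Task 3 sessions, the entropy threshold is an assumption chosen for this demo, and the report masks every credential value, recording only its length.

```python
import hashlib
import math
import re
from collections import Counter

# Cleartext authentication exchanges to look for, keyed by the server port Task 3 connects to.
CREDENTIAL_RULES = {
    23: ("telnet", [("login", re.compile(r"(?i)\b(?:login|username): ?(\S+)")),
                    ("password", re.compile(r"(?i)\bpassword: ?(\S+)"))]),
    21: ("ftp", [("USER", re.compile(r"(?m)^USER (\S+)")),
                 ("PASS", re.compile(r"(?m)^PASS (\S+)"))]),
    22: ("ssh", []),
}
ENCRYPTED_ENTROPY_THRESHOLD = 6.0  # bits per byte (assumed); text streams sit near 4-5, ciphertext near 8


def shannon_entropy(data):
    """Bits of entropy per byte over the stream (0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def mask(value):
    """Never copy a captured secret into a report; keep only its length."""
    return "<%d chars>" % len(value)


def classify_stream(dst_port, data):
    """Report whether a followed TCP stream carries cleartext credentials or opaque (encrypted) payload."""
    protocol, rules = CREDENTIAL_RULES.get(dst_port, ("unknown", []))
    text = data.decode("iso-8859-1")
    found = [(field, mask(m.group(1))) for field, rx in rules for m in rx.finditer(text)]
    entropy = shannon_entropy(data)
    return {
        "port": dst_port, "protocol": protocol,
        "cleartext_credentials": found,
        "entropy": round(entropy, 2),
        "payload": "encrypted/compressed" if entropy >= ENCRYPTED_ENTROPY_THRESHOLD else "cleartext",
    }


def _pseudo_random(n, seed=b"lab"):
    """Deterministic high-entropy bytes standing in for SSH ciphertext (constructed, not a real capture)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed stand-ins for the "Follow TCP Stream" output of the three Task 3 sessions.
TELNET_STREAM = b"\xff\xfd\x01\xff\xfd\x1f\r\nlogin: labuser\r\nPassword: s3cret-example\r\n$ "
FTP_STREAM = (b"220 FTP server ready\r\nUSER labuser\r\n331 Password required\r\n"
              b"PASS s3cret-example\r\n230 Logged in\r\n")
SSH_STREAM = b"SSH-2.0-OpenSSH_5.3\r\nSSH-2.0-PuTTY_Release_0.60\r\n" + _pseudo_random(1024)


def audit_sessions():
    """Classify the three sample sessions; returns the reports keyed by protocol name."""
    sessions = [(23, TELNET_STREAM), (21, FTP_STREAM), (22, SSH_STREAM)]
    return {r["protocol"]: r for r in (classify_stream(p, d) for p, d in sessions)}


if __name__ == "__main__":
    for name, report in audit_sessions().items():
        print(name, report)
```

Run over real Follow TCP Stream saves, the same report tells an administrator which services on the segment are still exchanging credentials in the clear and therefore belong on the list of things to replace with their encrypted equivalents, such as SSH in place of Telnet.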
Task 3.4
Discussion Questions
References
1. DARPA Protocol Specification RFC 793:
http://tools.ietf.org/html/rfc793
2. DARPA Protocol Specification RFC 791:
http://tools.ietf.org/html/rfc791#section-2.1
3. Defense Acquisition Guidebook:
https://acc.dau.mil/CommunityBrowser.aspx?id=334069
4. Wireshark:
http://wireshark.org
5. Webster's Online Dictionary:
http://www.websters-onlinedictionary.org/definitions/CLEARTEXT?cx=partner-pub0939450753529744%3Av0qd01-tdlq&cof=FORID%3A9&ie=UTF8&q=CLEARTEXT&sa=Search#922