Hands-On Projects
The following Hands-On Projects assume that you are working in a
Windows 7 or Windows 10 Professional environment, that you have
installed the Wireshark for Windows software, and that you have acquired
the trace (data) files necessary to work through many of the Hands-On
Projects in this book.
Hands-On Project 12-1
Time Required: 10 minutes
Objective: Examine a local scan in Wireshark.
Description: This project lets you examine a trace file of an ARP-based reconnaissance
probe. As you scroll through the ARP broadcasts, you should notice that this scan has some
redundancy built in—for example, it repeats a broadcast for 10.0.0.55 and a few other IP
addresses.
To examine a local scan:
1. Start Wireshark. (In Windows 7, click the Start button, point to All Programs, and then
click Wireshark. In Windows 10, click the Start button, click All apps, and then
click Wireshark. Alternatively, use the Start menu search box [Windows 7] or the Search
box on the taskbar [Windows 10], type Wireshark, and then click Wireshark in the
resulting list.)
2. Click File on the menu bar, click Open, select the ch12_Arpscan.pcapng trace file, and then
click the Open button. The packet summary window appears. This file contains a
reconnaissance probe using ARP broadcasts to find active hosts.
3. Select Packet #1 in the trace file (if not already highlighted). The packet details pane
(middle pane) displays the content of this frame. You see the Ethernet header addressed to
broadcast (0xff-ff-ff-ff-ff-ff).
4. Expand the Ethernet II and Address Resolution Protocol subtrees in the middle pane.
Then click each packet in the upper pane and answer the following questions:
   a. What is the IP address of the device sending out the ARP broadcasts?
   b. What hosts were discovered?
   c. How could this type of scan be used on a small routed network?
5. Close Wireshark.
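The following Python script is an added example, not code from the book or a reading of its trace file: it applies the reasoning behind the Step 4 questions to a constructed set of ARP frames, picking out the sender that probes many targets, the hosts that answered it, and repeated probes like the 10.0.0.55 one mentioned in the description. The addresses, MACs and the threshold of three targets are assumptions.

```python
"""Spot an ARP-based host sweep in a list of ARP frames (added example).
Frames are constructed for illustration, not read from ch12_Arpscan.pcapng."""
from collections import Counter, defaultdict

REQUEST, REPLY = 1, 2  # ARP opcodes

# Constructed frames: (opcode, sender MAC, sender IP, target IP).
FRAMES = [
    (REQUEST, "00:11:22:33:44:55", "10.0.0.10", "10.0.0.1"),
    (REPLY,   "aa:bb:cc:dd:ee:01", "10.0.0.1",  "10.0.0.10"),
    (REQUEST, "00:11:22:33:44:55", "10.0.0.10", "10.0.0.2"),
    (REQUEST, "00:11:22:33:44:55", "10.0.0.10", "10.0.0.3"),
    (REQUEST, "00:11:22:33:44:55", "10.0.0.10", "10.0.0.55"),
    (REQUEST, "00:11:22:33:44:55", "10.0.0.10", "10.0.0.55"),  # redundant repeat
    (REPLY,   "aa:bb:cc:dd:ee:37", "10.0.0.55", "10.0.0.10"),
    (REQUEST, "aa:bb:cc:dd:ee:01", "10.0.0.1",  "10.0.0.10"),  # ordinary ARP traffic
]

def analyze_arp(frames, threshold=3):
    """Return (scanners, discovered, repeats).

    scanners   - sender IPs that requested more than `threshold` distinct targets
    discovered - per scanner, the probed hosts that answered (so they are alive)
    repeats    - per scanner, targets it asked about more than once
    ARP requests never cross a router, so a sweep like this only reveals hosts
    on the scanner's own broadcast domain.
    """
    targets = defaultdict(Counter)  # sender IP -> Counter of requested target IPs
    replies = defaultdict(set)      # IP that was answered -> IPs that answered it
    for op, _mac, sender_ip, target_ip in frames:
        if op == REQUEST:
            targets[sender_ip][target_ip] += 1
        elif op == REPLY:
            replies[target_ip].add(sender_ip)
    scanners = [ip for ip, seen in targets.items() if len(seen) > threshold]
    discovered = {ip: sorted(replies[ip] & set(targets[ip])) for ip in scanners}
    repeats = {ip: sorted(t for t, n in targets[ip].items() if n > 1) for ip in scanners}
    return scanners, discovered, repeats

if __name__ == "__main__":
    print(analyze_arp(FRAMES))
```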
Hands-On Project 12-2
Time Required: 15 minutes
Objective: Examine a port scan in Wireshark.
Description: This project lets you examine a TCP-based port scan. TCP and UDP port
scans are effective methods of reconnaissance, so you should learn to spot them as they
take place.
1. Start Wireshark. (In Windows 7, click the Start button, point to All Programs, and then
click Wireshark. In Windows 10, click the Start button, click All apps, and then
click Wireshark. Alternatively, use the Start menu search box [Windows 7] or the Search
box on the taskbar [Windows 10], type Wireshark, and then click Wireshark in the
resulting list.)
2. Click File on the menu bar, click Open, select the ch12_Portscan.pcapng trace file, and
then click the Open button. The packet summary window appears. This file contains a TCP
reconnaissance probe process.
3. Click Packet #1 and expand the Internet Protocol Version 4 and Transmission Control
Protocol subtrees to view the full details of the packet. The first packet was sent to
destination port number 1. What TCP flag is set in this packet?
4. Select the Packet #2 entry in the upper capture window. Examine the flags in the response
packet. What flags are set in this packet?
5. Click through the remaining packets in the trace file and answer these questions:
   a. How obvious is this port probe?
   b. If this probe continues through all the ports, will it detect the DHCP service process?
   c. Based on this set of probes, what ports are active on the destination device?
6. Close Wireshark.
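This added example (not the book's code; the records are constructed rather than taken from ch12_Portscan.pcapng) classifies a SYN sweep the way Steps 3 to 5 ask you to by hand: a bare SYN is the probe, a SYN/ACK reply means the port is open, an RST/ACK means it is closed, and silence means no reply. The IP addresses, port list and scan threshold are assumptions.

```python
"""Classify a TCP SYN port sweep from packet summaries (added example).
Records are constructed for illustration, not read from ch12_Portscan.pcapng."""
from collections import defaultdict

# Constructed records: (src IP, src port, dst IP, dst port, TCP flags).
# S = SYN, SA = SYN/ACK, RA = RST/ACK.
PACKETS = [
    ("10.0.0.99", 50000, "10.0.0.5", 1,   "S"),      # probe to port 1 (Step 3)
    ("10.0.0.5",  1,     "10.0.0.99", 50000, "RA"),  # closed port answers RST/ACK (Step 4)
    ("10.0.0.99", 50000, "10.0.0.5", 7,   "S"),
    ("10.0.0.5",  7,     "10.0.0.99", 50000, "RA"),
    ("10.0.0.99", 50000, "10.0.0.5", 22,  "S"),
    ("10.0.0.5",  22,    "10.0.0.99", 50000, "SA"),  # open port answers SYN/ACK
    ("10.0.0.99", 50000, "10.0.0.5", 80,  "S"),
    ("10.0.0.5",  80,    "10.0.0.99", 50000, "SA"),
    ("10.0.0.99", 50000, "10.0.0.5", 135, "S"),      # no answer at all
]

def analyze_syn_scan(packets, threshold=3):
    """Return {scanner: {target: {"open": [...], "closed": [...], "no_reply": [...]}}}
    for every source that sent bare SYNs to more than `threshold` distinct ports
    of one target. Only TCP is examined, so a UDP service such as DHCP can never
    show up here no matter how many TCP ports the sweep covers.
    """
    probes = defaultdict(set)  # (scanner, target) -> probed destination ports
    replies = {}               # (scanner, target, port) -> flags of the reply
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            probes[(src, dst)].add(dport)
        elif flags in ("SA", "RA"):
            replies[(dst, src, sport)] = flags
    report = {}
    for (scanner, target), ports in probes.items():
        if len(ports) <= threshold:
            continue
        verdict = {"open": [], "closed": [], "no_reply": []}
        for port in sorted(ports):
            flags = replies.get((scanner, target, port))
            kind = {"SA": "open", "RA": "closed"}.get(flags, "no_reply")
            verdict[kind].append(port)
        report.setdefault(scanner, {})[target] = verdict
    return report

if __name__ == "__main__":
    print(analyze_syn_scan(PACKETS))
```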
Hands-On Project 12-3
Time Required: 15 minutes
Objective: Create a filter in Wireshark to catch port scans to blocked ports.
Description: Your firewall is configured to block all TCP handshake packets sent to the
Echo port. This project helps you learn how to build a filter in Wireshark to check for any
packets sent to the Echo port and test this filter on the ch12_Portscan.pcapng trace file to
ensure it works properly.
1. Start Wireshark. (In Windows 7, click the Start button, point to All Programs, and then
click Wireshark. In Windows 10, click the Start button, click All apps, and then
click Wireshark. Alternatively, use the Start menu search box [Windows 7] or the Search
box on the taskbar [Windows 10], type Wireshark, and then click Wireshark in the
resulting list.)
2. Click Analyze, and then click Display Filters to open the Display Filters window.
3. Click the plus sign (+) at the bottom of the window, double-click in the Name field on the
left and enter the name Echo-port filter.
4. Double-click in the Filter string field on the right and enter tcp.port == 7 (the Echo port
number). This filter will locate packets from and to port 7.
5. Click OK to close the Display Filters window.
6. Close any currently open packet captures. Next, test the filter to see if it can catch the Echo
packets in the ch12_Portscan.pcapng file.
7. Click File on the menu bar, click Open, select the ch12_Portscan.pcapng trace file and
then click the Open button. The packet summary window appears.
8. Click the ribbon button on the far left side of the display filter bar.
9. Select Echo-port filter and then click the right-facing arrow button on the right side of the
display filter bar. The filter is applied to the packets.
Note that the upper capture window now shows the packets that match the selection
criteria. Did your filter work? Do you see packets to and from the Echo port? This filter can
be used to catch packets addressed to or from the Echo port. For example, if you set up a
firewall to block all traffic to and from the Echo port, you can test the firewall by setting up
this filter inside the firewall.
10. Close Wireshark.
Hands-On Project 12-4
Time Required: 10 minutes
Objective: Set up a Boolean filter in Wireshark to locate all traffic to and from suspect
port numbers.
Description: This project helps you learn how to create a complex filter to look for
traffic that uses the standard Back Orifice and Trinoo port numbers (31337, 31335, and
27444). This project illustrates how filters can be built to capture specific attack traffic
crossing the network.
The suspect port numbers you use in this project are:
• 31337 Back Orifice
• 31335 Trinoo agent to handler communications
• 27444 Trinoo handler to agent communications
To set up a filter to catch traffic associated with Back Orifice and Trinoo communications:
1. Start Wireshark. (In Windows 7, click the Start button, point to All Programs, and then
click Wireshark. In Windows 10, click the Start button, click All apps, and then
click Wireshark. Alternatively, use the Start menu search box [Windows 7] or the Search
box on the taskbar [Windows 10], type Wireshark, and then click Wireshark in the
resulting list.)
2. Click Capture, and then click Capture Filters to open the Capture Filters window.
3. Click the plus sign (+) at the bottom of the window, double-click in the Name field on the
left and enter the name BO-Trinoo.
4. Because you are interested in packets that match 31337, 31335, or 27444, use the OR
operator between the clauses of the capture filter string. Double-click in the Filter
string field on the right and enter the following: port 31337 or port
31335 or port 27444.
5. Click OK to close the Capture Filters window.
6. Close Wireshark.
By running this filter on a network, you can capture traffic that is on the way to or coming
from these suspect ports.
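The two filters in Projects 12-3 and 12-4 differ in more than syntax: the display filter tcp.port == 7 selects TCP segments only, while a capture filter such as port 31337 or port 31335 or port 27444 uses BPF syntax and matches either direction of TCP or UDP. The following Python evaluator is an added example (not part of the book or of Wireshark) that reproduces that behaviour over a constructed set of records; the grammar subset it accepts and the sample ports are assumptions.

```python
"""Evaluate the port filters of Projects 12-3 and 12-4 against packet records (added example).
Assumed grammar: expr := term ('or' term)*; term := atom ('and' atom)*;
atom := 'port' N | 'tcp' | 'udp' | 'tcp.port' '==' N | 'udp.port' '==' N."""
import re

# Constructed packet records (not from the trace files): protocol, source port, destination port.
PACKETS = [
    {"proto": "tcp", "sport": 40001, "dport": 7},      # TCP SYN to the Echo port
    {"proto": "udp", "sport": 7,     "dport": 40002},  # UDP Echo reply
    {"proto": "tcp", "sport": 40003, "dport": 80},     # ordinary HTTP request
    {"proto": "udp", "sport": 31335, "dport": 31335},  # Trinoo agent -> handler
    {"proto": "tcp", "sport": 31337, "dport": 40004},  # Back Orifice port
]
def compile_filter(expr):
    """Turn a filter string into a predicate over one packet record."""
    toks = re.findall(r"tcp\.port|udp\.port|==|\|\||&&|\w+", expr)
    pos = 0
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    peek = lambda: toks[pos] if pos < len(toks) else None
    def atom():
        t = take()
        if t == "port":                    # capture (BPF) filter: either direction, TCP or UDP
            n = int(take())
            return lambda p: n in (p["sport"], p["dport"])
        if t in ("tcp", "udp"):
            return lambda p: p["proto"] == t
        if t in ("tcp.port", "udp.port"):  # display filter: one protocol, either direction
            proto = t.split(".")[0]
            if take() != "==":
                raise ValueError("expected '==' after " + t)
            n = int(take())
            return lambda p: p["proto"] == proto and n in (p["sport"], p["dport"])
        raise ValueError(f"unexpected token {t!r}")
    def term():                            # 'and' binds tighter than 'or'
        parts = [atom()]
        while peek() in ("and", "&&"):
            take(); parts.append(atom())
        return lambda p: all(f(p) for f in parts)
    parts = [term()]
    while peek() in ("or", "||"):
        take(); parts.append(term())
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return lambda p: any(f(p) for f in parts)

def match(expr, packets=PACKETS):
    pred = compile_filter(expr)  # indexes of the records the filter selects
    return [i for i, p in enumerate(packets) if pred(p)]
```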
Hands-On Project 12-5
Time Required: 15 minutes
Objective: Examine a specific type of port scan based on IPv4 in Wireshark.
Description: This project lets you examine a TCP-based port scan in which the scanner is
trying to determine the type of operating system clients are using. While an operating
system type cannot be determined using TCP and/or UDP scans, some attacker
applications probe a wide array of mostly TCP ports and consult internal tables to decide
which operating system is likely to have those ports open and/or how it would typically
reply. This process is neither absolute nor always accurate, but such tools have improved
over time.
1. Start Wireshark. (In Windows 7, click the Start button, point to All Programs, and then
click Wireshark. In Windows 10, click the Start button, click All apps, and then
click Wireshark. Alternatively, use the Start menu search box [Windows 7] or the Search box
on the taskbar [Windows 10], type Wireshark, and then click Wireshark in the resulting
list.)
2. Click File on the menu bar, click Open, select the ch12_Osscan.pcapng trace file, and then
click the Open button. The packet summary window appears. This file contains a TCP
reconnaissance probe process specifically trying to determine the operating system of a
client.
3. Click Statistics, click IPv4 Statistics, and then click All Addresses. In the All Addresses
window, click the Count heading twice to sort highest to lowest. This view will indicate
who the “top talkers” are in this trace file, and most likely you can determine who the
attacker is and who is being attacked. Who are the top three talkers?
4. Close the All Addresses window.
5. The first test the attacker executes is trying to determine the host name via DNS reverse
lookup. Click the Protocol heading to re-sort the displayed packets by protocol type. Look
for a DNS reverse lookup query and query response (hint: IPv4 & PTR). Expand the
packet detail of those two packets and answer these questions:
   a. What is the host name that is resolved?
   b. What is the probable IPv4 address of the attacker?
   c. What is the probable IPv4 address of the attacked?
   d. How do the IPv4 addresses you identified in questions b and c correlate to the top talkers
list you made in Step 3?
6. Close Wireshark.
Hands-On Project 12-6
Time Required: 15 minutes
Objective: Examine a specific type of port scan based on IPv6 in Wireshark.
Description: This project lets you examine a TCP-based port scan in which the scanner is
trying to determine the type of operating system clients are using. While an operating
system type cannot be determined using TCP and/or UDP scans, some attacker
applications probe a wide array of mostly TCP ports and consult internal tables to decide
which operating system is likely to have those ports open and/or how it would typically
reply. This process is neither absolute nor always accurate, but such tools have improved
over time.
1. Start Wireshark. (In Windows 7, click the Start button, point to All Programs, and then
click Wireshark. In Windows 10, click the Start button, click All apps, and then
click Wireshark. Alternatively, use the Start menu search box [Windows 7] or the Search
box on the taskbar [Windows 10], type Wireshark, and then click Wireshark in the
resulting list.)
2. Click File on the menu bar, click Open, select the ch12_Osscan.pcapng trace file, and then
click the Open button. The packet summary window appears. This file contains a TCP
reconnaissance probe process specifically trying to determine the operating system of a
client.
3. Click Statistics, click IPv6 Statistics, and then click All Addresses. In the All Addresses
window, click the Count heading twice to sort highest to lowest. This view will indicate
who the “top talkers” are in this trace file, and most likely you can determine who the
attacker is and who is being attacked. Who are the top three talkers?
4. Close the All Addresses window.
5. The first test the attacker executes is trying to determine the host name via DNS reverse
lookup. Click the Protocol heading to re-sort the displayed packets by protocol type. Look
for a DNS reverse lookup query and query response (hint: IPv6 & PTR). Expand the
packet detail of those two packets and answer these questions:
   a. What is the host name that is resolved?
   b. What is the probable IPv6 address of the attacker?
   c. What is the probable IPv6 address of the attacked?
   d. How do the IPv6 addresses you identified in questions b and c correlate to the top talkers
list you made in Step 3?
6. Close Wireshark.
Case Project 12-1
Firewall Filters
You are the network security technician for a large shoe manufacturer based in Detroit, MI.
Your internetwork connects six buildings through fiber links. You have experienced
numerous attacks on your corporate Web server. The company CEO decides to pay for a
firewall. Describe the filters you will implement in your firewall, and note how you will test
your firewall.
Case Project 12-2
Firewall Research, Planning, and Implementation
Your network currently has an old basic technology firewall that needs a software upgrade
in order to support the newer security features and capabilities that are available.
However, your manager would rather invest in a newer technology firewall solution that is
more capable and can provide protection for the network. In addition, it has been decided
that perhaps a single firewall protecting the external side of the network may not be
sufficient for overall network and systems protection. Your manager has tasked you with
the “firewall replacement” project. Your goals are to design a new firewall protection
strategy that offers a multilayered approach using firewalls for network protection. You
must also produce a report that lists firewall vendors who will meet your needs and the
overall plan for selection and deployment of the new firewall solution.