
The Community College of Baltimore County

Description

Module 6 Assignment


Using the pcap data and log files provided with this assignment (107MB), apply what has been learned throughout the course, tools such as Wireshark with its display filters and Snort with its rules/signatures, on-line resources such as centralops.net, and Internet research to analyze the packet data and write a detailed report of what transpired. Your report should include who attacked, what was attacked, what actions (tools, tactics, and procedures) the attacker took to attempt their malicious actions, and whether they were successful. Include the proof for each of your findings and also a potential mitigation Acme, Inc's IT Security team can implement to prevent future attacks like those you detected, for example a rule that can be used with Snort. Note: there may be more than one incident of malicious activity. While you have been provided with some web server logs, your report should also state what other sources of data you would want from the Acme, Inc system/network administrators to further your investigation.

Scenario: Acme, Inc System Administrators detected an attack against a company web server that resulted in a web site defacement; there was also some unusual server and network activity. Acme, Inc's internal network uses 192.168.200.0/24. The web server is at 192.168.200.144 and listens on port 80. 192.168.200.2 is the IP of Acme's gateway to the Internet.

Unformatted Attachment Preview

DCOM 212, Module 3 - Analyzing Network Traffic (Packet Data)

NAME:
DATE:

Instructions: Using Wireshark, load in the Module 3 packet capture, and answer the following questions within the document, save, convert to a pdf file and upload the pdf to Blackboard before the due date.

1. Create a colorize rule (bright yellow background, black foreground) that allows you to quickly locate packets where the TCP-SYN and TCP-ACK flags are set. Apply the rule and paste below a screenshot to show the applied rule.
2. List 3 unique IP addresses from hosts on the 172.16.100.0/24 network; hint: 172.16.100.1 is the gateway and not a host.
3. Carve out and paste below at least two graphic files from the packet capture.
4. What was the name of the .iso file downloaded?
5. What IP downloaded the .iso file?
6. Using the error code for an unsuccessful attempt to obtain a web page from a web server, how many packets were there containing unsuccessful attempts to get web pages?
7. Write the Wireshark filter you used for question 6.
8. Analyzing the unsuccessful web page attempts in question 6, list at least the potential attack scheme.
9. Looking at packets 3079 – 3329, what do they represent?
10. What was the IP address of the attacking host computer and what browser was the attacker using?

Log files

1. Error log

[Sat Nov 09 09:36:15 2013] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.17 with Suhosin-Patch configured -- resuming normal operations
[Sat Nov 09 10:01:42 2013] [error] [client 127.0.0.1] Invalid method in request \xff\xf4\xff\xfd\x06
[Sat Nov 09 10:18:05 2013] [error] [client 192.168.200.149] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:18:05 2013] [error] [client 192.168.200.149] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:21:17 2013] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:21:17 2013] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:35:48 2013] [error] [client 192.168.200.149] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:35:48 2013] [error] [client 192.168.200.149] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:38:43 2013] [error] [client 192.168.200.136] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:38:43 2013] [error] [client 192.168.200.136] File does not exist: /var/www/favicon.ico
[Sat Nov 09 10:50:06 2013] [error] [client 192.168.200.136] File does not exist: /var/www/NISTIntusionReport.pdf
[Wed Nov 13 16:15:29 2013] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.17 with Suhosin-Patch configured -- resuming normal operations
[Wed Nov 13 16:17:22 2013] [notice] caught SIGTERM, shutting down
[Wed Nov 13 16:18:10 2013] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.17 with Suhosin-Patch configured -- resuming normal operations
[Wed Nov 13 16:18:38 2013] [notice] caught SIGTERM, shutting down
[Wed Nov 13 16:19:16 2013] [notice] Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.17 with Suhosin-Patch configured -- resuming normal operations
[Wed Nov 13 16:20:32 2013] [error] [client 127.0.0.1] File does not exist: /var/www/secret.pdf
[Wed Nov 13 16:20:38 2013] [error] [client 127.0.0.1] File does not exist: /var/www/topsecret.pdf
[Wed Nov 13 16:20:47 2013] [error] [client 127.0.0.1] File does not exist: /var/www/confidential.pdf
[Wed Nov 13 16:21:03 2013] [error] [client 127.0.0.1] File does not exist: /var/www/classifeed.pdf

2. Access log

192.168.200.149 - - [09/Nov/2013:10:35:48 -0500] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
192.168.200.149 - - [09/Nov/2013:10:35:48 -0500] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
192.168.200.136 - - [09/Nov/2013:10:38:43 -0500] "GET / HTTP/1.1" 200 565 "-" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"
192.168.200.136 - - [09/Nov/2013:10:38:43 -0500] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"
192.168.200.136 - - [09/Nov/2013:10:38:43 -0500] "GET /favicon.ico HTTP/1.1" 404 503 "-" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"
192.168.200.136 - - [09/Nov/2013:10:38:58 -0500] "GET /IEEE_IDS.pdf HTTP/1.1" 200 172471 "http://192.168.200.144/" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"
192.168.200.149 - - [09/Nov/2013:10:42:14 -0500] "GET / HTTP/1.1" 200 562 "-" "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
192.168.200.149 - - [09/Nov/2013:10:42:17 -0500] "GET /IEEE_IDS.pdf HTTP/1.1" 200 172471 "http://192.168.200.144/" "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
192.168.200.136 - - [09/Nov/2013:10:42:38 -0500] "GET /symantec.pdf HTTP/1.1" 200 55809 "http://192.168.200.144/" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"
192.168.200.149 - - [09/Nov/2013:10:45:09 -0500] "GET /symantec.pdf HTTP/1.1" 200 55809 "http://192.168.200.144/" "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
192.168.200.136 - - [09/Nov/2013:10:49:50 -0500] "GET /NavyReport-Secret.pdf HTTP/1.1" 200 1235914 "-" "Wget/1.13.4 (linux-gnu)"
192.168.200.136 - - [09/Nov/2013:10:50:06 -0500] "GET /NISTIntusionReport.pdf HTTP/1.1" 404 542 "-" "Wget/1.13.4 (linux-gnu)"
192.168.200.136 - - [09/Nov/2013:10:50:28 -0500] "GET /NISTIntrusionReport.pdf HTTP/1.1" 200 4341557 "-" "Wget/1.13.4 (linux-gnu)"
192.168.200.149 - - [09/Nov/2013:10:58:40 -0500] "GET / HTTP/1.1" 304 211 "-" "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0"
127.0.0.1 - - [13/Nov/2013:16:19:59 -0500] "GET / HTTP/1.1" 200 562 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:20:12 -0500] "GET /symantec.pdf HTTP/1.1" 200 55808 "http://127.0.0.1/" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:20:32 -0500] "GET /secret.pdf HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:20:38 -0500] "GET /topsecret.pdf HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:20:47 -0500] "GET /confidential.pdf HTTP/1.1" 404 504 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:21:03 -0500] "GET /classifeed.pdf HTTP/1.1" 404 503 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
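As an added example (not part of the assignment or the posted answer), a small Python detector that parses the Apache access log entries above and flags the two patterns the scenario points at: one client requesting several non-existent documents in quick succession, and a command-line client pulling documents instead of a browser. The burst thresholds (3 misses within 60 seconds) are assumptions, not values from the assignment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Reproduced from the access log above (Combined Log Format), so the detector
# runs offline; the thresholds below are assumptions, not values from the page.
SAMPLE_LOG = """\
192.168.200.136 - - [09/Nov/2013:10:38:58 -0500] "GET /IEEE_IDS.pdf HTTP/1.1" 200 172471 "http://192.168.200.144/" "Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1"
192.168.200.136 - - [09/Nov/2013:10:49:50 -0500] "GET /NavyReport-Secret.pdf HTTP/1.1" 200 1235914 "-" "Wget/1.13.4 (linux-gnu)"
192.168.200.136 - - [09/Nov/2013:10:50:06 -0500] "GET /NISTIntusionReport.pdf HTTP/1.1" 404 542 "-" "Wget/1.13.4 (linux-gnu)"
192.168.200.136 - - [09/Nov/2013:10:50:28 -0500] "GET /NISTIntrusionReport.pdf HTTP/1.1" 200 4341557 "-" "Wget/1.13.4 (linux-gnu)"
127.0.0.1 - - [13/Nov/2013:16:20:32 -0500] "GET /secret.pdf HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:20:38 -0500] "GET /topsecret.pdf HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:20:47 -0500] "GET /confidential.pdf HTTP/1.1" 404 504 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
127.0.0.1 - - [13/Nov/2013:16:21:03 -0500] "GET /classifeed.pdf HTTP/1.1" 404 503 "-" "Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1"
"""

# One record: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records

def find_404_bursts(records, threshold=3, window_s=60):
    """{client: [missed paths]} for clients with >= threshold 404s inside window_s seconds.
    Several misses for plausible-sounding names in a short span suggests filename guessing."""
    by_host = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_host[r["host"]].append(r)
    hits = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs) - threshold + 1):
            if (recs[i + threshold - 1]["ts"] - recs[i]["ts"]).total_seconds() <= window_s:
                hits[host] = [r["path"] for r in recs]
                break
    return hits

def find_scripted_downloads(records):
    """Successful fetches whose User-Agent is not a browser (e.g. Wget): bulk retrieval."""
    return [(r["host"], r["path"], r["agent"]) for r in records
            if r["status"] == 200 and not r["agent"].startswith("Mozilla/")]
```

On the sample, the single Wget 404 from 192.168.200.136 stays below the burst threshold, while the four misses from 127.0.0.1 within 31 seconds and the two Wget downloads are reported.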

Explanation & Answer

Completed work.

One’s understanding of network protocols can often be greatly deepened by “seeing protocols in action” and by “playing around with protocols” – observing the sequence of messages exchanged between two protocol entities, delving down into the details of protocol operation, and causing protocols to perform certain actions and then observing these actions and their consequences. This can be done in simulated scenarios or in a “real” network environment such as the Internet. The Java applets that accompany the textbook take the first approach. In the Wireshark labs, we’ll take the latter approach. You’ll be running various network applications in different scenarios using a computer on your desk, at home, or in a lab. You’ll observe the network protocols in your computer “in action,” interacting and exchanging messages with protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral part of “live” labs in this class. You’ll observe, and you’ll learn, by doing. The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by your computer; it will also typically store and/or display th...
