[SOLVED] πŸ•΅οΈβ€β™‚οΈ CS6035 MITM/PCAP Analysis Project SUMMER26

130.00 $

Category:
Click Category Button to View Your Next Assignment | Homework

You will receive the following solution file(s) instantly after successful payment:

zip file icon MITM2026_Solved-at9ux1.zip (123.5 KB)
Assignment Instructions Updated Recently? Submit Below and we will provide new Solution!
Submit New Instructions
πŸ”’ Securely Powered by:
Secure Checkout
5/5 - (2 votes)

Learning Goals

In this project, you’ll take on the role of a cybersecurity analyst to investigate aΒ Man-in-the-Middle (MITM) attackΒ using real-world network forensics techniques.

You will:

  • Analyze packet capture (PCAP) files using tools like Wireshark and pyShark.
  • Identify MITM techniques and behaviors across the OSI layers.
  • Gain familiarity with application-layer protocols such asΒ HTTP,Β IRCΒ and others.
  • Interpret protocol behavior through RFC documents to understand standards and anomalies.

Tools You’ll Use

Protocols You’ll Explore


RFCs You Should Review

As this is a graduate-level course, you’re expected to explore protocol specifications via official RFCs:


Recommended Reading

To deepen your understanding of MITM techniques, consider reviewing:


βœ… Final Deliverables

There areΒ twoΒ deliverables for this project, each submitted via Gradescope:

  1. Man in the Middle – PCAP Analysis
    • A single JSON file namedΒ project_mitm.json.
    • A template will be provided in the next section.
  2. Man in the Middle – Programming Assignment
    • Write a small program that automates part of your analysis using pyShark/tshark.
    • This encourages scripting for repeatable and scalable workflows.

Ready to dive in? Head to the background and setup to begin your investigation.


Table of contents

🧠 Background and Setup


The Situation

TheΒ Necrocryptors (TNC)Β are no ordinary hacker crew. Known across underground forums for selling stolen PII and credit card data, they’ve also made headlines with multiple high-profile data leaks. Most recently, they launched a wave ofΒ DDoS attacksΒ on U.S. infrastructureβ€”triggering an aggressive federal response.

Enter theΒ National Cyber Investigative Joint Task Force (NCIJTF), working hand-in-hand with the FBI’s Cyber Crime Division. Months of undercover work and silent tracking led to a breakthrough:Β captured, unencrypted communications between core TNC members.

The source of this intel? Classified. But rumor has it an insider may have flippedβ€”or the Feds pulled off an extremely quiet man-in-the-middle operation.


πŸ§‘β€πŸ’Ό Your Role

You areΒ Mark, an FBI agent just back from a much-needed vacation in the Bahamas. Tan lines still fresh, you pour yourself a cup of stale office coffee when your boss,Β Bill, shouts from across the floor:

β€œMark! Glad you’re back. We’ve got something big. The Attorney General needs airtight evidence on the Necrocryptors. You’ve got one week. The packet’s on your desk.”

No easing back inβ€”it’s game time.


🧰 Your Mission

You’re tasked with analyzing real network traffic associated with the TNC case. Your goals:

  • Extract clear evidence of criminal activity.
  • Identify the methods used by the attackers.
  • Understand the protocols and patterns of communication.
  • Bonus: Crack any intercepted credentials if possible.

πŸ’» Environment Setup

You’ll be using yourΒ own local setupΒ for this project. Here’s what you’ll need:

Required Tools:


πŸ”§ Tool Installation Instructions

To install Wireshark on Windows, please go to theΒ Wireshark WebsiteΒ Once there, you will see a page like this:

alt text

Click the correct Windows Installer (64-bit or 32-bit), depending on your OS.

Here is an example of what the 64 bit option looks like while it’s downloading in the Chrome browser. (It may look different in your browser.)

alt text

After the file finishes downloading, execute it and you will see the following screen:

alt text

Just click β€œNext >” on each page to install with default settings. Then you will see:

alt text

A new installation window, for Npcap, will then come up. Please continue through this Npcap installation as well to proceed with the Wireshark installation.

alt text

Once the Npcap installation is finished, the Wireshark installation should continue automatically. Once that installation is done, you will see the following:

alt text

Click β€œNext” then β€œFinish.” Congratulations! Wireshark is now installed on your computer!

🐍 Installing Python and pyShark

For this project, you will also need the Python interpreter which can be found here:Β Python download page

For a guided walkthrough using VScode, please refer to the following document:Β Python tutorial

Good luck!

🐧 Installing Wireshark (Linux)

Inside your Linux box, Open Terminal Emulator and run the command below.Once done you may be prompted to type in the root password which you would know and β€œy” to download and install all required packages. See the below image for information on this:

alt text

During the installation, if prompted, answer β€œYes” for the question: β€œShould non-superusers be able to capture packets?”

alt text

Once the installation is complete, close the Terminal Emulator and locate Wireshark in Applications > Internet > Wireshark:

alt text

πŸ” Installing John the Ripper

John the Ripper (JtR) is a powerful, open-source password-cracking tool primarily used for security auditing and password recovery. John the Ripper is designed to detect weak passwords and poor password policies, making it a valuable tool for penetration testers, ethical hackers, and IT security auditors. It helps identify vulnerabilities in password storage mechanisms by attempting to crack hashed passwords.

Link to Download:Β Download John The Ripper

Navigate to the website. For this write up, we will be using Windows 64 bit. Click the Jumbo 64-Bit Windows Binary Zip to begin the downloadΒ alt text

Once the zip is downloaded and extracted, open up command prompt and cd (change directory) to the directory the extracted file is in. Once we are in the right directory, type β€œjohn”. Now, you are off to the races! Take a look through the documnetation to learn through the switches.Β alt text

Documentation:Β Documentation for John The Ripper

Install Tips

  • Windows Users: John The Ripper can easily be installed on Windows by selecting the appropriate Windows Binary (most likely 64 bit) from the site above
  • Mac Users: John The Ripper can be installed on OS X or Mac OS by using the followingΒ Link Here
  • If you have a Kali Linux instance, John The Ripper comes pre-built into it and you can also use it there
  • You do not need the pro version for this project. The free version should be used
  • Like all tools, take time reading the documentation and learning the switches and keywords

🏁 Flag 1 β€” Surveillance Sweep (5 points)


β€œMark, let’s start simple. The AG wants to know where these clowns hang out and who’s in the room. It’s time to follow the chatter.” β€” Bill

Your first mission is reconnaissance.

According to preliminary analysis,Β The NecrocryptorsΒ have been using an old-school protocol to coordinate operations. Your job is toΒ tap into their virtual hangout, identify who’s talking, and collect metadata to help build the case.

Use the packet capture file provided. This is a great opportunity to brush up on Wireshark filters and IRC structure.


Objectives

Task 1.1 β€” Find Their Hideout

  • Identify theΒ IRC server addressΒ used by the hackers to communicate.
  • Example:Β irc.someplace.net
  • πŸ† Points: 1

Task 1.2 β€” Name the Actors

  • Extract theΒ nicknamesΒ used by the malicious actors from the chat log.
  • Format your answer in order of appearance:Β firstactor,secondactor,thirdactor
  • πŸ† Points: 1

Task 1.3 β€” What’s the Channel?

  • WhatΒ IRC channelΒ are the Necrocryptors using? (Channel names start withΒ #)
  • Example:Β #WOW
  • πŸ† Points: 1

Task 1.4 β€” Identity Check

  • One of the actors drops aΒ hashΒ in the chatβ€”likely a form of identity verification. Provide the hash value.
  • Example:Β a12342342bcde393202013434
  • πŸ† Points: 1

Task 1.5 β€” Trace the Signal

  • Determine theΒ country of originΒ for the last actor you identified in Flag 1.2. Use IP geolocation and traffic analysis to figure it out.
  • Example:Β Egypt
  • πŸ† Points: 1

πŸ•΅οΈ Tip: Don’t forget to check both directions of communication.

Once you’ve completed this sweep, you’ll be ready to start digging deeper into the behavior behind the chatter in Flag 2.

🏁 Flag 2 β€” Digital Contraband (19 points)


β€œMark, we’ve got something. Looks like one of them tried to pass a file under the radar. The AG wants it analyzed β€” yesterday.” β€” Bill

The Necrocryptors aren’t just chatting β€” they’reΒ moving digital assets. During your last sweep, one of the actors initiated aΒ private file transfer. That payload could contain code, plans, or worse.

Your job now is to recover the file, identify how it’s protected, and extract aΒ digital fingerprintΒ that ties it back to the group β€” and to you.

You can useΒ Wireshark,Β pyShark, or any tooling of your choice. Use your skills and forensic intuition to piece this together.


Objectives

Task 2.1 β€” Who Whispered First?

  • Identify theΒ malicious actorΒ who initiated the private chat (DCC) during the conversation.
  • Format:Β maliciousactor
  • πŸ† Points: 2

Task 2.2 β€” Name the File

  • What is theΒ name (and extension)Β of the file transferred via IRC DCC?
  • Format:Β somefile.extension
  • πŸ† Points: 2

Task 2.3 β€” What’s the Cipher?

  • Determine theΒ encryption algorithmΒ used to protect the file.
  • Just the 3-letter name (e.g.,Β AES,Β DES, etc.)
  • πŸ† Points: 2

Task 2.4 β€” Executing the Payload

  • After decrypting and executing the transferred file, it generates aΒ unique hash tied to your GTID. What’s the hash?
  • Format:Β a123242342342342342934234
  • πŸ† Points: 13

Tips:

  • Look closely at DCC messages in the IRC stream.

Once you extract the payload’s fingerprint, you’ll have the strongest evidence yet against the group. Bill will want this on his desk ASAP.

🏁 Flag 3 β€” Domain of Deceit (16 points)


β€œMark, we traced something weird. There’s a site tied to the chatter β€” looks harmless, but it’s spitting out cryptic hashes and numbers. Feels like a front. Go dig.” β€” Bill

TheΒ Bad guysΒ may be hiding in plain sight.

Buried within the network traffic is a lead: aΒ web serverΒ tied to their operation. It’s emitting odd sequences β€” likely encoded data β€” and it might be where they’re validating identities, issuing tokens, or even hiding command-and-control instructions.

The Attorney General wants a full breakdown β€” domain, infrastructure, and whatever that site spits back when given your credentials.


Objectives

Task 3.1 β€” Identify the Domain

  • What is theΒ site’s domain name? Include subdomains and the full TLD.
  • Format:Β something.hostname.tld
  • πŸ† Points: 2

Task 3.2 β€” What’s the IP?

  • What is theΒ public IP addressΒ tied to the server hosting this domain?
  • Format:Β 192.168.1.10
  • πŸ† Points: 2

Task 3.3 β€” Follow the Nameserver

  • Identify theΒ primary nameserverΒ associated with the domain.
  • Format:Β ns-something.domain.tld
  • πŸ† Points: 3

Task 3.4 β€” GTID Fingerprint

  • Visit the site and enter yourΒ Georgia Tech IDΒ to receive aΒ unique hash. This hash will be used to track and correlate user interactions.
  • Format:Β abcdef1234567890953453434
  • πŸ† Points: 9

Tips:

  • Use Wireshark filters likeΒ http,Β dns, or look for base64-like patterns.
  • Look up DNS records using online tools or terminal commands.
  • The website is safe to access β€” treat it like an intel drop from an undercover informant.

This server may be a key part of the Necrocryptors’ infrastructure. Confirming its ownership and function is critical to building the case.

🏁 Flag 4 β€” Final Link (27 points)


β€œMark, one more thing β€” the AG just called. She’s convinced there’s another server. Said one of the actors downloaded something from it. We need to know what that was β€” now.” β€” Bill

Just when you thought you could grab another cup of coffee,Β a last-minute lead drops. Another server. Another file. One of the hackers accessed it β€” and the contents might just be the final nail in the case.

Your job:Β trace the server, identify how access was gained, recover the downloaded file, and analyze it for a unique fingerprint.

This is your last technical hurdle before wrapping up your investigation.


Objectives

Task 4.1 β€” Locate the Server

  • What is theΒ IP addressΒ of the server in question?
  • Format:Β 192.168.8.7
  • πŸ† Points: 2

Task 4.2 β€” Username

  • WhatΒ usernameΒ was used to access the server?
  • πŸ† Points: 4

Task 4.3 β€” Password

  • WhatΒ passwordΒ was used to log in?
  • πŸ† Points: 4

Task 4.4 β€” What Was Downloaded?

  • Identify theΒ name of the fileΒ that was pulled from the server.
  • πŸ† Points: 3

Task 4.5 β€” Language of the Beast

  • WhatΒ programming languageΒ was the file written in?
  • πŸ† Points: 5

Task 4.6 β€” Hash of Justice

  • If you run the file, you’ll generate aΒ unique hash tied to your GTID.
  • Format:Β 12123123129413249121249aa
  • πŸ† Points: 9

πŸ•΅οΈβ€β™‚οΈΒ Tips:

  • Watch for FTP, SCP, or HTTP file transfers.
  • Look closely at authentication exchanges.
  • Don’t forget your reverse engineering instincts β€” the code may speak for itself.

This may be the final digital trace connecting the Necrocryptors to something bigger. The AG is counting on you.

🏁 Flag 5 β€” Final Stretch & Automation (18 points)


β€œMark, you’re not done yet. They launched a new site. Totally unrelated to Azure… but everything to do with breaking things.” β€” The Attorney General

Exhausted but relentless, you’re handed one last assignment β€” and it’s weird. The AG wants you to investigate a suspicious site:
http://www.didbastionbreak.com:5000
Apparently, it’s some hacker-themed trap disguised as a joke about firewalls. But it’s not funny β€” it’s hiding encrypted content, and the AG wants you to crack it.

Once that’s done, your phone buzzes…

β€œMark, great job so far! But let’s make sure you never have to do all of this by hand again…”

Here we go.


Objectives

Task 5.1 β€” GTID Hash (Web App)

  • Visit the website and find the page that outputs a hash when you input your GTID. Find theΒ flag labeled 5.1.
  • Format:Β tr95843fkdspugr8euyre0gfd
  • πŸ† Points: 2

Task 5.2 β€” Crack the Zip

  • On the homepage, click the blue β€œDownload the Zip” button. You’ll get a password-protected zip file. UseΒ John the RipperΒ to crack it. Provide the password once you retrieve it.
  • Hint: The password isΒ up to seven digits long.
  • πŸ† Points: 10

Task 5.3 β€” Run and Reveal

  • After unzipping the file with the cracked password, you’ll find a program inside. Run the program. It will return a hash. What is the hash?
  • Format:Β 58437594ejgfdiohr8e054309
  • πŸ† Points: 6

Epilogue: Automate or Die Trying

Just as you close your laptop, your phone rings.
It’sΒ Bill. Of course it is.

β€œMark, great job so far! I was thinking β€” we’re gonna do this kind of work a lot more. Why don’t we start building a Python class to automate some of these analysis tasks?”

You squint. β€œβ€¦When you sayΒ we, you meanΒ me, right?”

β€œOf course not! I already started a skeleton class for you. You just need to build three small functions.”

Before you can reply, he sends over a zip file: it contains a base Python class and a past attack PCAP.

Your mission (yes, still going):Β write the code, build the functions, and prepare for the next breach.

β˜• No rest for the cyber-defenders.

🏁 Flag 6 β€” Automation Begins (15 points)


β€œMark, it’s time to level up. No more clicking around Wireshark forever. Start building tools β€” future-you will thank you.” β€” Bill

Your investigation is complete β€” almost.

The AG was impressed. Bill’s already bragging about your work to other divisions. But before you ride off into digital sunset, there’s one last task:Β automate what you’ve learned.

You’ve been sent two files:

  • pcapanalysis.py: the starter Python class
  • flag6.pcap: a capture from a past operation

Your job is to complete three methods in the class usingΒ pyShark, creating a mini-forensics toolkit.


Function Skeleton

Below is the structure of the Python class you’re working with. You’ll fill in the logic for each function.

# Task 1: Return number of ICMP packets
def icmp_count(self):
    n = 0
    # TODO: Implement me
    return n

# Task 2: Return number of Echo Requests (r) and Echo Replies (a)
def icmp_request_reply(self):
    r = 0
    a = 0
    # TODO: Implement me
    return r, a

# Task 3: Return most common destination MAC (m) and its count (n)
def dest_mac(self):
    m, n = 0, 0
    # TODO: Implement me
    return m, n

Make sure you run the class like this:

if __name__ == '__main__':
    pcap_analysis = MITMProject()
    icmp_count = pcap_analysis.icmp_count()
    request, reply = pcap_analysis.icmp_request_reply()
    dest_mac, occurences = pcap_analysis.dest_mac()

    print("Number of ICMP Packets  : ", icmp_count)
    print("Number of ICMP Requests and Replies : ", request, reply)
    print("Most Common MAC Address and Number of Occurrences: ", dest_mac, occurences)

Setup Notes

Make sure you’ve installed theΒ pysharkΒ package and its dependency,Β tshark.

Update your GTID at the top ofΒ pcapanalysis.py:

# TODO: Change this to YOUR Georgia Tech ID!!!
self.student_id = '900000000'

🚫 Do not add or change import statementsΒ β€” the autograder will ignore unapproved libraries.


Deliverables

Task 6.1 β€” Count ICMP Packets

  • CompleteΒ icmp_count()Β so it returns the total number of ICMP packets.
  • πŸ† Points: 3

Task 6.2 β€” Requests & Replies

  • CompleteΒ icmp_request_reply()Β so it returns:
    • r: number of Echo Requests
    • a: number of Echo Replies
  • πŸ† Points: 5

Task 6.3 β€” MAC Attack

  • CompleteΒ dest_mac()Β to return:
    • m: most common destination MAC address
    • n: number of times it appeared
  • πŸ† Points: 7

πŸŽ‰ When you finish this, your toolkit will be ready for future cases β€” and future agents.

Bill’s already calling this theΒ Mark Protocol.

print("Automation engaged. Mission complete.")

  • MITM2026_Solved-at9ux1.zip