Description

Wireshark is a packet analyser tool. Apart from being a packet analyser, it is also a network sniffer tool. So it provides the option of capturing packets flowing in and out of a network as well as analyse and troubleshoot with a nice GUI. It allows live capture of packets which means you can capture and save information about the networks packets from a live network in real time.

To run live capture, a user needs sufficient privileges. However, you can analyze the packet-data based on trace files without super user privileges.

How to run Wireshark on Linux

Open a terminal (type ​Ctrl+Alt+t​). Once you are inside terminal, type ​wireshark ​and hit enter. You should see a screen as in following figure.

 

It should open the GUI as shown in the following figure.

 

We will download trace files that are available online and then analyze them to extract some information.

In your report, please make sure that you include screenshots of all the steps as you perform them as a proof of your work even if the assignment does not mention explicitly.

How to run Wireshark on Windows or Mac

You may go to the following ​link to download wireshark for Windows or Mac machines.​                   

How to run Wireshark on WSL2

Please refer to the course WSL 2 document provided along with the lab module if you wish to run wireshark from WSL2.

Subtask 1 (Introduction)

1. Go to ​SampleCaptures – The Wireshark Wiki.​ This website contains a list of sample trace files that are output of network capturing. let us find a simple unencrypted trace file, load it in wireshark and analyze it.
2. Go to ​number 20​, which should give you telnet packets as the following figure shows.
3. Download the first pcap file ​telnet-cooker.pcap
4. On the wireshark window, select ​File->Open ​to open a dialog box that lets you choose the pcap file. Navigate and open the pcap file that you downloaded earlier.
5. Once you select ​Open​, you will see a window something like the following figure.

Assignments

1. How many packets are captured in the .pcap file that you loaded?
2. List all the communicating parties in the .pcap file? Can you also identify the ports being used by each of them?
3. What protocols are used for communication by the communicating parties ? 4. What is the total duration of the communication? (You may want to see the first and last frame)
4. What is the frame length and number of the longest frame transferred? Who is the source and destination of that packet?

Subtask 2 (Real Hacking and Stuff)

Now that you have sniffed someone in a network and got the data that is being tranferred. You also know who is involved in communication. Now we want to see if we can get something of real value for us. May be someone has transferred his/her username and password over the network that we sniffed.

Assignments

6. Select frame number 8. Who is the sender and receiver of this frame?
7. On the window that appears below the listing of all the frames (as shown below), expand Internet Protocol Version 4. What is the Time To Live of this frame? What does this mean?
8. Select frame 8 again. Right click on it, and select ​Follow TCP Stream​. What information can you see? What is the username and password that is transferred?
9. Repeat the same procedure in ​telnet-raw.pcap​. Find the login information used to verify credentials. (Select frame 8 again)
10. What do you think is wrong with these two files that you analyzed? How can you not allow anyone to know your password that you send for authentication?
11. Load the file ​pcapng​. The protocol used is UFTP. What is UFTP? Can you identify two parties that are involved in file transfer. (Use your intelligent guessing) 12. Write differences between TCP and UDP.

Subtask 3 (Decrypting The Encrypted)

Let us now work on encrypted protocol.

12. What is the difference between ​https:// ​and ​http://​? What is the encryption standard used by them, if any?
13. Download the file ​mysql_complete_pcap​. Is it encrypted? Please justify.
14. Download the file ​mysql-ssl-larger.pcapng​. Is it encrypted? Please justify.
15. Download the zipped file tgz​ ​. Extract the content in your local folder. Load the .pcap file in wireshark. Is it encrypted?
16. Perform the decryption of the .pcap file as demonstrated in class by the instructor.
    1. What frame number requests the image apache_pb.png?
    2. Does the server provide the image? What is the status code that implies the response has payload?
    3. Attach the image apache_pb.png to your report.
17. What is the response that the server provided when requested for openlogo-25.jpg? Can you see the html code sent as a response? If yes, copy and paste it in a .html file and load it in your

favourite browser. Attach the screenshot of how the response looks like in the web browser.

Subtask 4 (Vulnerability Analysis)

The following assignment is to be done at the ​students own machine​. You do not have permission and user rights to do this on campus machines. Please make sure that you do not reveal any important information to your reports when you attach screenshots. (Please blur out any sensitive information)

18. The first thing that you will do is capture packets. You can use wireshark or tcpdump to capture packets. While you can capture packets from wireshark, I suggest you to use tcpdump so that you can be familiar with a new tool. Following are the procedures that you will follow:
19. Find the interface that is connected to the internet. Do ​ifconfig ​in the terminal and select the one which is connected to the internet. Wireshark should show you the interface in its GUI.
20. Start packet capture in tcpdump using ​tcpdump -i <interface> -s 65535 -w <filename>​. Or select the bluefin below File menu in wireshark after you select the interface if you wish to use wireshark.
21. Please visit the website ​http://weevil.info/​ ​What is wrong with this website? 4. After it is completely loaded, stop the capture. You can select the button in Wireshark GUI or kill the tcpdump process if you are using tcpdump.
22. Load the file in wireshark. If you are using wireshark, it is already loaded. 6. Try to find at least two images that are sent by the server to your machine and attach them to your report.
23. What are the vulnerabilities of the website that you can see right away? 8. Repeat similar operation for ​https://www.foxnews.com/.​ Attach two images sent from the server to your machine if you can.