SIL765: Assignment 2 (Part A) on Packet Trace Analysis
Goal
- The goal of the project is to cement a more solid understanding of network protocols and attacks and to help you gain familiarity with the standard tools used to view and analyze them.
- The most useful tool for completing the project is Wireshark, an open-source program for graphically viewing and analyzing packet traces.
- You may use any tools you like to analyze the trace and come up with your answers to the questions that appear later in this document.
Wireshark
Wireshark (formerly known as Ethereal) is the most popular tool of this type and runs on all major operating systems. Another useful tool included with Wireshark (and also installed on the instructional machines) is tshark (Wireshark's textual command-line counterpart). Wireshark allows you to use a GUI to manually explore a trace, so Wireshark is probably more convenient for interactive use, but tshark will be essential if you want to analyze the trace with a script.
Another tool similar to tshark is tcpdump, which is older and more well-known. All of these tools can be used in two modes: live capture (that is, recording) of packets from the network interface of the machine running the program, and reading a trace from a file. For this project, you will only need to use them in the latter mode. (Note that live capture often requires administrator access due to its security/privacy implications.)
We recommend you begin the project by loading the trace into Wireshark and spending a little time looking through it and familiarizing yourself with Wireshark's features. Here are some more tips to get you started:
- One of Wireshark's most important capabilities is its filtering system. Filtering lets you display only a subset of the packets. This is very helpful when dealing with large traces, to let you focus on a small subset of the packets. You can configure a filter by typing an expression into the box at the top of the window, to display only the packets relevant to what you are investigating. Wireshark provides a special language for these expressions, which you will probably want to learn (at least to some extent).
- Try clicking on the "Filter:" button to see a list of examples of filtering expressions. Select each of the filters listed in the popup box one by one and take a look at the expression that appears for each in the bottom box.
- Expressions can specify a protocol (e.g., http). You can also filter on values in headers (e.g., ip.src==1.2.3.4 or ip.src==1.2.0.0/16 or tcp.port==80). You can combine filters using logical expressions (e.g., http || telnet or http && ip.src==1.2.0.0/16).
- For a complete list of the supported protocols, click the "Expression..." button in the main window. The vast majority of these won't be useful on this project, but the list will give you an idea of how comprehensive the tool is.
- To get a list of the endpoints that appear in the trace, you can click on "Statistics" then "Endpoints", then select either the "IPv4", "TCP", or "UDP" tab at the top. You can right-click on individual end host addresses to add a filter that selects just the packets associated with that endpoint.
- Another useful feature is Wireshark's ability to reassemble TCP streams. Try right-clicking on a TCP packet and selecting "Follow TCP Stream". You can use this feature to read the contents (HTML and the like) of a web page someone loaded over HTTP, for example.
- You will probably want to maximize the Wireshark window so that it uses the entire display, to maximize the number of packets you can view at a time.
For more details see Relevant Materials.
Questions
(9 pts.) HTTP Sessions
For this problem, find all web servers that were successfully visited in the trace (that is, contacted via HTTP).
Include any servers that engaged in a valid instance of the HTTP protocol, even if the status code returned
was, for example, 404 rather than 200. Submit a list of their IP addresses (in q1.txt) as your answer.
Please note that you should not try to identify HTTPS traffic.
(9 pts.) Directory Traversal
One simple way people attempt to exploit a web server is by making requests for files outside the normal directories it serves using pathnames with sequences like "../../../". (Of course, a reasonably well-implemented
web server will not fall for tricks like this.) Find a host that appears to be attempting this type of attack and
submit its IP address.
(10 pts.) Password Guessing
If you've ever looked through the logs of an SSH server, you've likely seen attempts to log in through brute-force guessing of usernames and passwords. Of course, the same attack is possible for any type of protocol with password authentication. There is one host that attempted such an attack against a password-protected FTP server. Find that host and submit the IP address of the attacker.
(10 pts.) Unencrypted Usernames and Passwords
Next, find an unencrypted username and password. Note that we are interested in a real username and
password, so failed login attempts don't count. Examples of some protocols that can send usernames and
passwords without encryption are Telnet, FTP, HTTP, and POP3. List the username and password as your
answer.
(10 pts.) Service Versions
Finding hosts running specific versions of servers is an important step in exploiting them; in general, older
versions will have more vulnerabilities. For this problem, find the host running the oldest version of Apache.
(Apache is the most widely used web server on the Internet.) Don't count "Apache-Coyote" as "Apache";
also, ignore any servers that don't specify their version. Submit that host's IP address.
(13 pts.) DNS and Source Port Randomization
Recall that most clients now select a random UDP source port when making DNS queries to help prevent
the Kaminsky attack. For this problem, look for clients which do not use a random source port. There are
exactly two such DNS resolvers (not including MDNS). As your answer to this question, submit the IP
addresses of the two DNS resolvers (not counting MDNS) that use the same source port for all the DNS
queries they make (and make more than 1 query).
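One scripted way to answer this question, written here as an added example rather than code from the assignment: parse the libpcap file directly (the format linked under Relevant Materials), collect the UDP source port of every query sent to port 53, and report clients that made more than one query all from a single port. It assumes an Ethernet link-layer pcap with untruncated IPv4/UDP frames; the trace bytes below are constructed inline so the script runs offline.

```python
import struct
from collections import defaultdict

def build_pcap(packets):
    """Serialize frames as a libpcap file (constructed sample; link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", i, 0, len(p), len(p)) + p for i, p in enumerate(packets)]
    return hdr + b"".join(recs)

def udp_frame(src_ip, sport, dst_ip="192.0.2.53", dport=53, payload=b"\x00" * 12):
    """Ethernet + IPv4 + UDP frame (constructed; checksums left zero, enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # EtherType 0x0800 = IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

def iter_udp(pcap):
    """Yield (src_ip, src_port, dst_port) for each IPv4/UDP frame in the pcap."""
    off = 24                                              # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 17:   # not IPv4, or not UDP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[14 + 12:14 + 16])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, sport, dport

def fixed_port_resolvers(pcap):
    """Clients that sent more than one DNS query (UDP dst port 53) all from one source port.
    mDNS uses port 5353, so matching on dport 53 already leaves it out."""
    ports = defaultdict(list)
    for src, sport, dport in iter_udp(pcap):
        if dport == 53:
            ports[src].append(sport)
    return sorted(ip for ip, p in ports.items() if len(p) > 1 and len(set(p)) == 1)

# Constructed trace: 10.0.0.7 reuses port 1053, 10.0.0.8 randomizes, 10.0.0.9 asks only once.
SAMPLE = build_pcap([udp_frame("10.0.0.7", 1053), udp_frame("10.0.0.7", 1053),
                     udp_frame("10.0.0.7", 1053), udp_frame("10.0.0.8", 41232),
                     udp_frame("10.0.0.8", 58011), udp_frame("10.0.0.9", 2222)])

if __name__ == "__main__":
    print(fixed_port_resolvers(SAMPLE))   # ['10.0.0.7']
```

On the real trace, call `fixed_port_resolvers(open("trace.pcap", "rb").read())`; VLAN-tagged or IPv6 frames are skipped by the parser, so check with a Wireshark filter such as `udp.dstport == 53` that nothing relevant was missed.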
(13 pts.) TCP Sequence Numbers
As explained a few weeks ago in lecture, it is important that the first sequence number chosen by hosts forming a TCP connection be unpredictable. If an adversary can guess the initial sequence number (ISN), they
can easily mount TCP session hijacking attacks. In this particular trace, only a few of the TCP implementations appear to use fully random ISNs. You may want to disable Wireshark's relative sequence number
feature while working on this question. Find the IP addresses of the two TCP endpoints that participate in
5 connections or more and that provide the broadest 32-bit coverage in their ISNs. Submit a list of the two
IP addresses.
(13 pts.) Traceroute Scanning
Traceroute is a utility for finding the addresses of the routers along the IP route between the host it is being
run on and an arbitrary destination.
Attackers sometimes use traceroute to find out about a victim's network infrastructure (routers and possibly
firewalls). Identify the host that is running traceroute for detecting routers on a path. Submit the IP address
of the host running traceroute and the IP address of the destination of the traceroute path.
(13 pts.) Cross-Site Scripting
In class, we discussed three types of cross-site scripting (XSS) attacks: reflected XSS, stored XSS, and
DOM-based XSS. Recall that reflected XSS involves an attacker sending the victim a URL that contains a
script inside the URL itself, so that the server that processes the URL includes the script within the body of
the page it returns. Find evidence of reflected XSS. Specifically, submit the IP address of the server that has
a reflected cross-site scripting vulnerability that was exploited in the trace. (To our knowledge, there is only
one such server in the trace.)
(0 pts.) Feedback - Optional
Submit a text file, q10.txt, with any feedback you may have about this project. What was the hardest
part of this project in terms of understanding? In terms of effort? Any feedback you'd like to provide on the
class (e.g., what's the single thing we could do to most improve the class?). We appreciate any comments
you may have. Your answers will not affect your grade.
Files
Download your file according to your entry number.
Submissions
- You must write up your solutions entirely on your own.
- You must never read or copy the solutions of other students, and you must not share your own solutions, not even partial solutions, with other students.
- The deadline is 12th Sep.
- Please create a single text file containing all the answers, including the answer to question 10, with the question numbers. Please ignore the previous instruction to create separate files for each question. Name the text file containing the answers EntryNumber.txt.
- The upload link is up.
Relevant Materials
- Traceroute
- Wireshark
- TCP-sequence-numbers
- TCP-sequence-wiki
- Wireshark-docs
- Libpcap File Format