Question 1
Protocol Analysis with Wireshark:
This assignment question requires that you analyse a packet capture dump file (http_gzip.pcap) and provide comments explaining each packet. This pcap file contains only ten packets. Your task is to annotate each packet, commenting on the following characteristics.
• Comment on any significant TCP flags and what they mean in the context of the packet capture. Significant flags include SYN, FIN, RST, and URG. You must explain why the flag has been set and what it means for this TCP connection.
• Comment on the direction of each packet (i.e. client -> server or server -> client). Be clear in explaining in which direction the interaction is occurring.
• Comment on each command and response between the client and the server. You must explain what each command does. You should also explain the data that is exchanged. This will require that you study Internet documents relating to TCP to understand what the commands mean.
You should also comment on the two port numbers used in this connection and their significance. For example, is it an ephemeral or a reserved port? If it is a reserved port, what protocol does it relate to?
On the following page is an example of the template to use to complete this question. It provides a brief summary of each packet and has been formatted to include an "explanation" field underneath each packet. You are to write your comments in this "explanation" field addressing the packet immediately above, based on your analysis of the packet using Wireshark. Be specific and detailed. Any vague or limited responses will not attract any marks. Note that the table is only a summary of the information provided in the pcap file. Be sure to comment in relation to the information provided in the pcap file as shown by Wireshark, not just the summary table.
For examples of how to complete the table, be sure to have completed all 3 parts of the Packet Capture Exercises. They are available from the Lectures and Tutorials page of the course website. Your solution must of course be in your own words. Do not copy directly from any examples or you will get zero marks.
No. | Time | Source | Destination | Protocol | Info
1 | 2004-10-29 15:21:00.402416 | 192.168.69.2 | 192.168.69.1 | TCP | 34059 > 80 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=2011387883 TSecr=0
Explanation:
2 | 2004-10-29 15:21:00.402475 | 192.168.69.1 | 192.168.69.2 | TCP | 80 > 34059 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=432614628 TSecr=20
Explanation:
3 | 2004-10-29 15:21:00.402569 | 192.168.69.2 | 192.168.69.1 | TCP | 34059 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=2011387883 TSecr=432614628
Explanation:
4 | 2004-10-29 15:21:00.402698 | 192.168.69.2 | 192.168.69.1 | HTTP | GET /test/ethereal.html HTTP/1.1
Explanation:
5 | 2004-10-29 15:21:00.402746 | 192.168.69.1 | 192.168.69.2 | TCP | 80 > 34059 [ACK] Seq=1 Ack=446 Win=6432 Len=0 TSV=432614628 TSER=2011387883
Explanation:
6 | 2004-10-29 15:21:00.423868 | 192.168.69.1 | 192.168.69.2 | HTTP | HTTP/1.1 200 OK (text/html)
Explanation:
7 | 2004-10-29 15:21:00.424045 | 192.168.69.2 | 192.168.69.1 | TCP | 34059 > 80 [ACK] Seq=446 Ack=403 Win=6912 Len=0 TSV=2011387905 TSER=432614630
Explanation:
8 | 2004-10-29 15:21:00.424171 | 192.168.69.1 | 192.168.69.2 | TCP | 80 > 34059 [FIN, ACK] Seq=403 Ack=446 Win=6432 Len=0 TSV=432614630 TSER=2011387905
Explanation:
9 | 2004-10-29 15:21:00.425093 | 192.168.69.2 | 192.168.69.1 | TCP | 34059 > 80 [FIN, ACK] Seq=446 Ack=404 Win=6912 Len=0 TSV=2011387906 TSER=432614630
Explanation:
10 | 2004-10-29 15:21:00.425131 | 192.168.69.1 | 192.168.69.2 | TCP | 80 > 34059 [ACK] Seq=404 Ack=447 Win=6432 Len=0 TSV=432614630 TSER=2011387906
Explanation:
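As an added worked example (not part of the assignment or its template), the script below walks the ten summary rows and derives what the table does not state outright: the direction of each packet, which packets form the three-way handshake and the FIN teardown, whether each port is reserved or ephemeral, and the size of the HTTP request and response implied by the jumps in the acknowledgement numbers. The packet data is constructed from the table above with the TCP timestamp options dropped; the small well-known-port dictionary is an assumption standing in for the full IANA list.

```python
import re

# Constructed from the summary table above (No., Source, Destination, Info);
# the TCP timestamp options are dropped to keep the lines short.
PACKETS = [
    (1, "192.168.69.2", "192.168.69.1", "34059 > 80 [SYN] Seq=0 Ack=0 Win=5840 Len=0"),
    (2, "192.168.69.1", "192.168.69.2", "80 > 34059 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0"),
    (3, "192.168.69.2", "192.168.69.1", "34059 > 80 [ACK] Seq=1 Ack=1 Win=5888 Len=0"),
    (4, "192.168.69.2", "192.168.69.1", "GET /test/ethereal.html HTTP/1.1"),
    (5, "192.168.69.1", "192.168.69.2", "80 > 34059 [ACK] Seq=1 Ack=446 Win=6432 Len=0"),
    (6, "192.168.69.1", "192.168.69.2", "HTTP/1.1 200 OK (text/html)"),
    (7, "192.168.69.2", "192.168.69.1", "34059 > 80 [ACK] Seq=446 Ack=403 Win=6912 Len=0"),
    (8, "192.168.69.1", "192.168.69.2", "80 > 34059 [FIN, ACK] Seq=403 Ack=446 Win=6432 Len=0"),
    (9, "192.168.69.2", "192.168.69.1", "34059 > 80 [FIN, ACK] Seq=446 Ack=404 Win=6912 Len=0"),
    (10, "192.168.69.1", "192.168.69.2", "80 > 34059 [ACK] Seq=404 Ack=447 Win=6432 Len=0"),
]
TCP_RE = re.compile(r"(\d+) > (\d+) \[([A-Z, ]+)\] Seq=(\d+) Ack=(\d+)")
WELL_KNOWN = {21: "FTP", 80: "HTTP", 443: "HTTPS"}   # assumed subset of the IANA list

def port_role(port):
    """Ports below 1024 are reserved (well-known); anything above is treated as ephemeral."""
    return f"reserved ({WELL_KNOWN.get(port, 'unknown')})" if port < 1024 else "ephemeral"

def analyse(packets):
    """Derive each packet's direction, which packets form the handshake and teardown,
    the role of both ports, and the HTTP request/response sizes implied by the Ack jumps."""
    client = packets[0][1]                       # the SYN sender is the client
    out = {"direction": {}, "phase": {}, "payload": {}, "ports": {}}
    last_ack, saw_data, saw_fin = {}, False, False
    for no, src, dst, info in packets:
        side = "client" if src == client else "server"
        out["direction"][no] = side + (" -> server" if side == "client" else " -> client")
        m = TCP_RE.match(info)
        if m is None:                            # HTTP row: Wireshark hides the TCP fields
            out["phase"][no], saw_data = "data", True
            continue
        sport, dport, flags, seq, ack = m.groups()
        saw_fin = saw_fin or "FIN" in flags
        out["ports"].setdefault(int(sport), port_role(int(sport)))
        out["phase"][no] = "teardown" if saw_fin else "ack" if saw_data else "handshake"
        # An Ack that jumps by more than 1 acknowledges payload sent by the peer in
        # its previous packet; a jump of exactly 1 only consumes a SYN or a FIN.
        prev = last_ack.get(side)
        if prev is not None and int(ack) - prev > 1:
            out["payload"][no - 1] = int(ack) - prev
        last_ack[side] = int(ack)
    return out
```

Running `analyse(PACKETS)` shows the GET in packet 4 was 445 bytes (packet 5 acknowledges byte 446) and the 200 OK in packet 6 was 402 bytes (packet 7 acknowledges byte 403), while packets 9 and 10 each advance the Ack by exactly one for the FINs.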
Question 2:
Firewall and Proxy Services Configurations
A small company is connected to the internet via a Router with firewall and proxy services installed (139.77.5.210).
There are three servers located in a DMZ (138.77.5.0 / 25).
The web server (138.77.5.89) can directly accept requests (HTTP or HTTPS) from the Internet or from the internal network (192.168.1.0/25).
The DNS server (138.77.5.6) can directly accept requests from the Internet. The DNS server can also directly accept requests from the internal network (192.168.1.0/25). However, if the DNS server cannot resolve a domain name requested by the internal network (192.168.1.0/25), it will contact the DNS servers on the Internet directly for the name resolution.
On behalf of the users on the internal network (192.168.1.0/25), the email server (138.77.5.110) sends emails to and receives emails from the Internet. The users on the internal network (192.168.1.0/25) use IMAP (Internet Message Access Protocol) to read and organise their emails on the email server.
The users on the internal network (192.168.1.0/25) are allowed to access the Internet only for HTTP, HTTPS and FTP services. However, the users of the internal network are never allowed to connect to the Internet directly.
There are 8 client computers and a Database server on the internal network.
Based on the above network configuration and application scenarios, answer the following three questions.
A. Draw a network diagram of this network including IP addresses.
B. The firewall services are installed on the router. Create the firewall rules to implement the packet filtering and only allow the specified traffic. The firewall rules are to be created in the following format.
Rule No. | Application Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action
1 | | | | | | |
2 | | | | | | |
3 | | | | | | |
4 | | | | | | |
5 | | | | | | |
6 | | | | | | |
C. Briefly explain each rule in the rule base that you have created.
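To illustrate how a rule base in the above format is evaluated (an added example, not the assignment's answer), the filter below walks the rules top-down, takes the first match and denies anything unmatched. The four rules are illustrative only and cover just part of the scenario; the Internet host 203.0.113.5 is a constructed sample address.

```python
import ipaddress

# Illustrative rule base only, not the full answer to part B. Order matters in a
# first-match filter: the allows for the DMZ servers sit above the catch-all that
# stops internal hosts talking to the Internet directly. Columns mirror the table.
RULES = [
    ("HTTP",  "TCP", "any",            "any", "138.77.5.89/32", 80,    "allow"),
    ("HTTPS", "TCP", "any",            "any", "138.77.5.89/32", 443,   "allow"),
    ("DNS",   "UDP", "192.168.1.0/25", "any", "138.77.5.6/32",  53,    "allow"),
    ("any",   "any", "192.168.1.0/25", "any", "any",            "any", "deny"),
]

def _ip_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _port_match(pattern, port):
    return pattern == "any" or pattern == port

def evaluate(rules, transport, src, sport, dst, dport):
    """Return (action, rule number) for one packet; rule 0 is the implicit default deny.
    This filter is stateless: a real rule base of this kind also needs rules for the
    reply direction (e.g. 138.77.5.89:80 back to the client's ephemeral port), or a
    stateful filter that admits replies to connections it has already seen."""
    for no, (_, tr, rsrc, rsport, rdst, rdport, action) in enumerate(rules, start=1):
        if (tr in ("any", transport) and _ip_match(rsrc, src) and _port_match(rsport, sport)
                and _ip_match(rdst, dst) and _port_match(rdport, dport)):
            return action, no
    return "deny", 0
```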
D. The proxy services are also installed on the router to conceal the users of the internal network (192.168.1.0/25) from the Internet. Suppose that users on the internal computers send the following requests to the Internet. The proxy services perform Port Address Translation (PAT). Complete the following connection table to show how PAT works for requests from the users on the internal network.
Packet Addressing on internal network (first four columns) | Packet Addressing on external network (last four columns)
Source IP | Source Port | Destination IP | Destination Port | Source IP | Source Port | Destination IP | Destination Port
192.168.1.2 | 1033 | 203.206.209.77 | 80 | | | |
192.168.1.2 | 1035 | 210.10.102.196 | 443 | | | |
192.168.1.5 | 2301 | 203.206.209.55 | 21 | | | |
192.168.1.5 | 2302 | 202.2.59.40 | 443 | | | |
192.168.1.5 | 4123 | 72.5.124.55 | 80 | | | |
192.168.1.8 | 4128 | 72.5.124.35 | 21 | | | |
192.168.1.8 | 1033 | 150.101.16.250 | 80 | | | |
192.168.1.9 | 1035 | 150.101.16.250 | 443 | | | |
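The following added example (not part of the assignment) models the PAT mechanism the question describes: every outbound flow is rewritten to the router's public address 139.77.5.210 with a freshly allocated port, and the mapping is kept so replies can be translated back and unsolicited packets dropped. The port pool starting at 10000 is an assumption; the eight requests are taken from the table above, and note that two of them (192.168.1.2 and 192.168.1.8) use the same source port 1033, which is exactly why PAT must allocate its own ports rather than reuse the client's.

```python
import itertools

# Constructed from the table above: (source IP, source port, destination IP, destination port).
REQUESTS = [
    ("192.168.1.2", 1033, "203.206.209.77", 80),
    ("192.168.1.2", 1035, "210.10.102.196", 443),
    ("192.168.1.5", 2301, "203.206.209.55", 21),
    ("192.168.1.5", 2302, "202.2.59.40", 443),
    ("192.168.1.5", 4123, "72.5.124.55", 80),
    ("192.168.1.8", 4128, "72.5.124.35", 21),
    ("192.168.1.8", 1033, "150.101.16.250", 80),
    ("192.168.1.9", 1035, "150.101.16.250", 443),
]

class PAT:
    """Port Address Translation on the router's public address. Each outbound flow
    is rewritten to (public_ip, fresh port) and the mapping is remembered so that
    replies can be translated back. The starting port (10000) is an assumption."""
    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.out = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal packet; an existing flow keeps its public port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = next(self.ports)      # distinct even when two hosts share a source port
            self.out[key] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a reply arriving at public_ip:dst_port back to the internal host.
        Packets that match no known flow return None and are dropped, which is what
        keeps the internal hosts concealed from the Internet."""
        inner = self.back.get((dst_port, src_ip, src_port))
        return None if inner is None else (src_ip, src_port) + inner
```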
Question 3: Network Attack Research
Although the course textbook and other resources discuss several specific network attack vulnerabilities, it is not feasible to cover all of them. New vulnerabilities are being discovered all of the time, and there are hundreds of currently known vulnerabilities. Professional network administrators have to keep themselves current with all possible threat possibilities. One way of doing this is by performing personal research. In this case study, you should use the Internet to assist you in developing responses to the three questions. Use of the course textbook and supplied resources only is not sufficient to award full marks. You should use your research skills and go beyond these resources.
You are required to answer the following questions. Please reference all sources - do not copy directly from sources.
a) You are to research a recent ransom-type attack carried out via the Internet. What type of attack has been performed by the hackers? You need to fully justify your answer, not just state the type of attack.
b) Describe how the attack may have occurred with sufficient information to explain how a hacker could carry out the attack. Ensure you include references.
c) How could the network administrator prevent such attacks? You don't need to provide the actual code; just describe what measures they would have to implement to ensure that the occurrence of such an attack could be minimised.
d) What limitations does this form of attack have?
Question 4:
In this hypothetical case study, you should use the Internet to assist you in developing responses to three questions. Use of the text only is not sufficient to attract full marks.
An online sales company, Cheapies, recently received a series of reports from customers concerning security breaches in online ordering. Customers reported fraudulent orders being made via their accounts, usually after they had found that their password had been changed. A full security audit revealed that the orders and the changes to user passwords all originated from an Eastern European country, on servers within the domain freebies.com. However, the question remained: how did the hackers accomplish this attack?
Given that legitimate account numbers and passwords were used, it was initially assumed that it could be some form of phishing attack. However, no evidence of such emails was found. The only commonality between the victims was that they all used the same Internet Service Provider.
You are required to answer the following questions. Please reference all sources - do not copy directly from sources.
A. Based on the information provided, what type of attack has been performed? Justify your answer.
Hint: In order to capture account numbers and passwords, how would a hacker "redirect" users to their servers instead of Cheapies?
B. Describe in detail how the attack occurred; you may wish to include one or more diagrams. You will need to make assumptions about host names, domains and IP addresses; document these. You need not concern yourself with the technical details of the capture and reuse of Cheapies customer details (e.g. fake web sites or malware); you are documenting how it was possible from a network perspective.
C. What steps would you advise to prevent such attacks? What limitations does this form of attack have?
Attachment: q1 and q4 cap.rar