Playing with a couple of common tools used by network defenders and attackers.

  1. Start packet capture

    1. Log into Kali using the username l33t and password opposable thumbs.

    2. Use ifconfig (or ip addr, on systems without net-tools) to investigate your computer’s network interfaces and their various network addresses (Ethernet MAC and IP).

    3. Use Wireshark to start capturing packets on the wired Ethernet interface. If prompted for a root password, use slather departure closable theology.

  2. DNS inspection

    1. Set a display filter of dns in Wireshark and perform a DNS query using the CLI host tool. Due to a DHCP misconfiguration, you will need to specify the DNS server explicitly, e.g.: host ("please ask the DNS server about the address for

    2. Using Wireshark, identify the number of bytes in your query’s Ethernet header, its source Ethernet address and its destination Ethernet address.

    3. How many bytes are in the IP header? How do we know that this packet is a UDP packet rather than ICMP, TCP, SCTP, etc.?

    4. Identify both the source and destination IP addresses of your DNS query. Show both the hexadecimal representation from the packet contents and the decimal "dotted quad" notation (e.g.,

    5. What is your query packet’s UDP source port, destination port and payload length?
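Questions 2 to 5 above are answered by reading fixed offsets out of the captured bytes, which is exactly what Wireshark's dissectors do. The Python script below is an added example for this lab, not part of the handout: it builds a constructed Ethernet II / IPv4 / UDP / DNS query frame (the MAC addresses, 192.168.1.x addresses, port and query name are made up, not from your capture) and then dissects it, reporting the 14-byte Ethernet header and its addresses, the IP header length from the IHL field, the Protocol field value that says the payload is UDP rather than ICMP, TCP or SCTP, the IP addresses in both hex and dotted-quad form, and the UDP ports and payload length.

```python
import socket
import struct
from dataclasses import dataclass

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 132: "SCTP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, qname):
    """Constructed sample: Ethernet II / IPv4 / UDP / DNS 'A' query (not a real capture)."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)   # txid, RD flag, one question
    dns += labels + b"\x00" + struct.pack("!HH", 1, 1)          # QNAME, QTYPE=A, QCLASS=IN
    udp = struct.pack("!HHHH", src_port, 53, 8 + len(dns), 0) + dns  # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + udp


@dataclass
class Dissection:
    eth_header_len: int
    eth_src: str
    eth_dst: str
    ip_header_len: int
    ip_proto: int
    ip_proto_name: str
    ip_src_hex: str
    ip_src: str
    ip_dst_hex: str
    ip_dst: str
    udp_src_port: int
    udp_dst_port: int
    udp_payload_len: int
    dns_txid: int
    dns_qname: str


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _qname(data: bytes) -> str:
    """Read an uncompressed DNS name: length-prefixed labels ending in a zero byte."""
    labels, off = [], 0
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def dissect(frame: bytes) -> Dissection:
    # Ethernet II: dst MAC (6) + src MAC (6) + EtherType (2) = 14 bytes, never any options
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IHL counts 32-bit words: 5 -> 20 bytes, more with options
    if ihl < 20 or ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    proto = ip[9]                     # Protocol field: 17 means the payload is UDP
    if proto != 17:
        raise ValueError("not UDP: protocol %d (%s)" % (proto, IP_PROTOCOLS.get(proto, "?")))
    src_ip, dst_ip = ip[12:16], ip[16:20]
    udp = ip[ihl:]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])  # UDP length covers header + payload
    payload = udp[8:ulen]
    return Dissection(14, _mac(src), _mac(dst), ihl, proto, IP_PROTOCOLS[proto],
                      src_ip.hex(), socket.inet_ntoa(src_ip), dst_ip.hex(), socket.inet_ntoa(dst_ip),
                      sport, dport, len(payload),
                      struct.unpack("!H", payload[:2])[0], _qname(payload[12:]))


# Constructed example: a query for example.com from 192.168.1.10 to a DNS server at 192.168.1.1
SAMPLE_FRAME = build_dns_query_frame("08:00:27:ab:cd:ef", "52:54:00:12:34:56",
                                     "192.168.1.10", "192.168.1.1", 53134, "example.com")

if __name__ == "__main__":
    d = dissect(SAMPLE_FRAME)
    print("frame bytes:", len(SAMPLE_FRAME))
    for name, value in vars(d).items():
        print("%-16s %s" % (name, value))
```

The IP header length is not a constant: it is the IHL nibble times four, so a header with options is longer than 20 bytes and the UDP header moves accordingly. The UDP "length" field counts the 8-byte UDP header too, so the DNS payload is that value minus 8.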

  3. HTTP[S] inspection

    1. Set a display filter of http and then open in a Web browser. How many packets are generated?

    2. Right-click on one of the HTTP packets and then click "Follow > TCP Stream". Show, from this data, what HTTP User-Agent your browser uses.

    3. Set a display filter of tls.handshake and then open How many packets are generated?

    4. From the TLS Client Hello message, how many TLS cipher suites are supported? How many use AES in CBC mode?

    5. In the packet carrying the TLS Server Hello message, what records does the TLS layer contain (e.g., one is "Handshake Protocol: Server Hello")?

    6. Within the Server Hello record, which cipher suite is negotiated?

    7. What can you say about the final record’s payload?
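The Client Hello and Server Hello questions above come down to walking the TLS record layer (type, version, length) and the handshake header inside it. The Python below is an added example for this lab, not part of the handout and not real traffic: it constructs a Client Hello offering a cipher suite list like a current browser's and a server flight of three records, then parses them the way Wireshark's TLS dissector does. The cipher suite names and codepoints are from the IANA registry; the random bytes, empty session IDs, the omitted key_share extension and the "encrypted" payload bytes are placeholders.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
# Subset of the IANA TLS cipher suite registry: what a current browser typically offers.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def suite_name(code: int) -> str:
    return CIPHER_SUITES.get(code, "unknown(0x%04x)" % code)


def split_records(data: bytes):
    """TLS record layer: type(1) version(2) length(2) body. Yields (type name, version, body)."""
    records, off = [], 0
    while off < len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        records.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), version, body))
        off += 5 + length
    return records


def _hello_body(handshake: bytes, expected_type: int):
    """Strip the handshake header (type(1) length(3)) and skip version, random and session id."""
    if handshake[0] != expected_type:
        raise ValueError("expected %s, got handshake type %d" % (HANDSHAKE_TYPES[expected_type], handshake[0]))
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    off = 2 + 32                 # legacy_version(2) + random(32)
    off += 1 + body[off]         # legacy_session_id<0..32>
    return body, off


def client_hello_cipher_suites(handshake: bytes):
    """Offered suites: a 2-byte-length-prefixed vector of 2-byte codepoints, in client preference order."""
    body, off = _hello_body(handshake, 1)
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]


def server_hello_cipher_suite(handshake: bytes) -> int:
    """The single suite the server selected (it must be one the client offered)."""
    body, off = _hello_body(handshake, 2)
    return struct.unpack("!H", body[off:off + 2])[0]


def count_aes_cbc(suites) -> int:
    """Suites whose registered name says AES in CBC mode; unknown codepoints are not counted."""
    return sum(1 for s in suites if "_AES_" in suite_name(s) and "_CBC_" in suite_name(s))


def summarize(data: bytes):
    """(record type, body length) per record, as Wireshark's packet detail lists them."""
    return [(name, len(body)) for name, _version, body in split_records(data)]


def _handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


OFFERED = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8,
           0xC013, 0xC014, 0x002F, 0x0035, 0x000A]
_random = bytes(range(32))   # placeholder for the 32 random bytes (constructed, not real)
# Constructed ClientHello: legacy version 1.2, random, empty session id, suites, null compression, no extensions
_ch = (b"\x03\x03" + _random + b"\x00" + struct.pack("!H", 2 * len(OFFERED))
       + b"".join(struct.pack("!H", s) for s in OFFERED) + b"\x01\x00" + b"\x00\x00")
CLIENT_HELLO = _record(22, _handshake(1, _ch))
# Constructed server flight in one segment: ServerHello selecting 0x1301 with a supported_versions
# extension saying TLS 1.3 (key_share omitted), the compatibility ChangeCipherSpec, then a record
# whose payload is already encrypted (stand-in bytes here), which Wireshark can only label, not read.
_sh = (b"\x03\x03" + _random[::-1] + b"\x00" + struct.pack("!H", 0x1301) + b"\x00"
       + bytes.fromhex("0006002b00020304"))
SERVER_FLIGHT = (_record(22, _handshake(2, _sh)) + _record(20, b"\x01")
                 + _record(23, bytes.fromhex("9f3c17e2a0b45d6c0e7f81d2c3b4a5968877")))

if __name__ == "__main__":
    suites = client_hello_cipher_suites(split_records(CLIENT_HELLO)[0][2])
    print(len(suites), "suites offered,", count_aes_cbc(suites), "use AES in CBC mode")
    for s in suites:
        print("  0x%04x %s" % (s, suite_name(s)))
    print(summarize(SERVER_FLIGHT))
    print("negotiated:", suite_name(server_hello_cipher_suite(split_records(SERVER_FLIGHT)[0][2])))
```

Two things to carry over to the real capture: the record version field still reads 0x0303 (TLS 1.2) even when TLS 1.3 is negotiated, because the actual version lives in the supported_versions extension; and once the Server Hello has been sent in TLS 1.3, everything that follows is encrypted and shows up at the record layer as Application Data, so for the final record a dissector can report only its type and length, not its contents.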

  4. Network scanning

    1. Open the manual page for the nmap network mapping tool (man nmap). Based on the contents of the Host Discovery portion of the manual page, what is the default host discovery approach used by nmap?

    2. Based on this answer, set a display filter in Wireshark to show the TCP packets used by nmap host discovery and run nmap with the -sn option (host discovery only, no port scan) against the subnet. How many hosts are up? Show one of the packets that nmap generated in Wireshark, demonstrating that the protocol, destination IP and port match what nmap says. Note that when nmap runs as root against targets on the local Ethernet segment it uses ARP requests for discovery instead of the IP-based probes, so you may need an arp display filter (or nmap's --send-ip option to force the IP probes) to see that traffic.


      There are two big reasons to use Wireshark:

      1. its huge number of protocol "dissectors" that show you what the bytes mean, and

      2. its filtering language.

      For example, if I want to filter Wireshark’s output such that I only see packets from my computer to UDP port 67 or 68, I can use a display filter like:

      ip.src == and (udp.port == 67 or udp.port == 68)

    3. Perform a full TCP SYN scan (-sS) together with a UDP scan (-sU) and OS detection (-O) (see the nmap manual page; these raw-packet scan types require root) on one of the hosts that you previously discovered to be up. The UDP scan is slow, so expect this to take a few minutes. What ports are open? What OS do you find?

    4. Show that at least one of these scan packets shows up in Wireshark.

    5. Confirm that you can SSH into another host that you found to have the SSH port (TCP port 22) open. Once logged in, run DISPLAY=:0 xmessage "A message of your choosing" and see if anyone receives the pop-up.
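nmap's normal output is written for humans; for the counting and cross-referencing these steps ask for (how many hosts are up, which ports are open, which hosts have TCP 22 open before you try to SSH to one) it is handier to also save grepable output with -oG and parse it. The script below is an added example for this lab, not part of the handout; the two scan outputs it parses are constructed to look like nmap -oG output for made-up 192.168.1.0/24 hosts (a Kali box at 192.168.1.10 is assumed), not results from the lab network.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    status: str = ""
    ports: list = field(default_factory=list)   # (port, state, proto, service)
    os: str = ""


def parse_grepable(text: str) -> dict:
    """Parse nmap -oG output: 'Host: <ip> (<name>)' then tab-separated 'Key: value' fields."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' banner and footer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, Host(ip))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "OS":
                host.os = value
            elif key == "Ports":
                for entry in value.split(", "):
                    p = entry.split("/")  # port/state/proto/owner/service/rpcinfo/version/
                    host.ports.append((int(p[0]), p[1], p[2], p[4]))
    return hosts


def hosts_up(text: str) -> list:
    return [h.ip for h in parse_grepable(text).values() if h.status == "Up"]


def open_ports(text: str, ip: str) -> list:
    """(port, proto, service) for every port nmap reported as open on the given host."""
    return [(port, proto, svc) for port, state, proto, svc in parse_grepable(text)[ip].ports
            if state == "open"]


def ssh_targets(text: str, my_ip: str) -> list:
    """Hosts other than my own with TCP 22 open: candidates for the SSH step."""
    return [h.ip for h in parse_grepable(text).values()
            if h.ip != my_ip and any(p == 22 and st == "open" and pr == "tcp" for p, st, pr, _ in h.ports)]


# Constructed sample of 'nmap -sn -oG - 192.168.1.0/24' output (made-up addresses, not a real scan)
DISCOVERY = """\
# Nmap 7.94 scan initiated Mon Mar  4 10:15:02 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up
# Nmap done at Mon Mar  4 10:15:05 2024 -- 256 IP addresses (3 hosts up) scanned in 2.71 seconds
"""

# Constructed sample of 'nmap -sS -sU -O -oG - 192.168.1.23' output (not a real scan)
PORTSCAN = """\
# Nmap 7.94 scan initiated Mon Mar  4 10:20:11 2024 as: nmap -sS -sU -O -oG - 192.168.1.23
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 123/open/udp//ntp///\tIgnored State: closed (1997)\tOS: Linux 5.4 - 5.10
# Nmap done at Mon Mar  4 10:23:40 2024 -- 1 IP address (1 host up) scanned in 209.02 seconds
"""

if __name__ == "__main__":
    MY_IP = "192.168.1.10"   # assumed address of the Kali box
    print("hosts up:", hosts_up(DISCOVERY))
    print("open on 192.168.1.23:", open_ports(PORTSCAN, "192.168.1.23"))
    print("OS guess:", parse_grepable(PORTSCAN)["192.168.1.23"].os)
    print("SSH candidates:", ssh_targets(PORTSCAN, MY_IP))
```

Keep the -oG file alongside the Wireshark capture: the port and state nmap records for a host is exactly what you should be able to match against the SYN, SYN/ACK or ICMP port-unreachable packets in the capture for step 4.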