Posted:

3 Jul 2024

Playing with a couple of common tools used by network defenders and attackers.

Preparation | Procedure

Preparation

  1. What are the 16-bit big-endian and little-endian representations of the number 22?

  2. What are the standard port numbers (and transport protocols) for DNS, SSH, HTTP and HTTPS? Cite your sources.

  3. Using the Wireshark User Guide:

    1. What is the difference between a capture filter and a display filter?

    2. Give an example (using the correct filter syntax) of a display filter that cannot be expressed as a capture filter.

  4. What is a TCP three-way handshake? Cite an authoritative source or sources.

  5. Using the manual page for nmap, identify the command-line options that trigger a TCP SYN scan, a UDP scan and OS detection.

This lab will be completed in our disconnected "hacking lab" environment, so bring a USB stick to save your work.

Procedure

  1. Start packet capture

    1. Log into Kali using the username l33t and password opposable thumbs.

    2. Use ifconfig (or ip addr) to investigate your computer’s network interfaces and their various network addresses (Ethernet MAC and IP).

    3. Use Wireshark to start capturing packets on the wired Ethernet interface. If prompted for a root password, use slather departure closable theology.

  2. DNS inspection

    1. Set a display filter of dns in Wireshark and perform a DNS query using the CLI host tool.

    2. Using Wireshark, identify the number of bytes in your query’s Ethernet header, its source Ethernet address and its destination Ethernet address.

    3. How many bytes are in the IP header? How do we know that this packet is a UDP packet rather than ICMP, TCP, SCTP, etc.?

    4. Identify both the source and destination IP addresses of your DNS query. Show both the hexadecimal representation from the packet contents and the decimal "dotted quad" notation (e.g., 192.168.1.1).

    5. What is your query packet’s UDP source port, destination port and payload length?
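      Details

      The questions in this step are all answered by reading fixed-offset header fields: the Ethernet II header is always 14 bytes, the IPv4 header length comes from the IHL nibble, the IPv4 protocol field (byte 9) is what tells Wireshark the payload is UDP (17) rather than ICMP (1), TCP (6) or SCTP (132), and the UDP header carries the ports and length. The following Python dissector is an added example, not part of the lab handout; it builds a constructed DNS query frame (made-up MACs, 10.0.0.42 → 10.0.0.1, example.com) so it runs offline, then pulls out exactly the values Wireshark shows in its packet details pane.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 132: "SCTP"}   # IPv4 protocol numbers we care about


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the IPv4 header.  Computing it over a header that
    already carries a correct checksum yields 0, which is how we verify the header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): Ethernet II / IPv4 / UDP / DNS A query for
    example.com.  MAC and IP addresses are invented for the example."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)    # ID, flags (RD), QDCOUNT=1, rest 0
    for label in b"example.com".split(b"."):
        dns += bytes([len(label)]) + label                      # length-prefixed labels
    dns += b"\x00" + struct.pack("!HH", 1, 1)                    # root label, QTYPE=A, QCLASS=IN
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", 43210, 53, udp_len, 0) + dns      # UDP checksum 0 = not computed
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1A2B, 0x4000, 64, 17, 0,
                         bytes([10, 0, 0, 42]), bytes([10, 0, 0, 1]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("080027abcdef") + struct.pack("!H", 0x0800)
    return eth + ip_hdr + udp


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def dns_qname(payload: bytes) -> str:
    """Decode the first question name; it starts right after the 12-byte DNS header."""
    labels, off = [], 12
    while payload[off]:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)


def dissect_dns_query(frame: bytes) -> dict:
    eth_len = 14                                                  # 6 dst + 6 src + 2 EtherType
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[eth_len:]
    version, ihl = ip[0] >> 4, ip[0] & 0x0F
    ip_hdr_len = ihl * 4                                          # IHL counts 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]                                                 # this byte says UDP vs ICMP/TCP/SCTP
    if version != 4 or ipv4_checksum(ip[:ip_hdr_len]) != 0:
        raise ValueError("bad IPv4 header or checksum")
    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto} ({PROTOCOLS.get(proto, '?')})")
    src_ip, dst_ip = ip[12:16], ip[16:20]
    udp = ip[ip_hdr_len:total_len]
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    return {
        "eth_header_len": eth_len, "src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
        "ip_header_len": ip_hdr_len, "ip_protocol": proto, "ip_protocol_name": PROTOCOLS[proto],
        "src_ip_hex": src_ip.hex(), "src_ip": ".".join(map(str, src_ip)),
        "dst_ip_hex": dst_ip.hex(), "dst_ip": ".".join(map(str, dst_ip)),
        "udp_src_port": sport, "udp_dst_port": dport, "udp_length": udp_len,
        "payload_len": len(payload), "qname": dns_qname(payload),
    }


if __name__ == "__main__":
    for k, v in dissect_dns_query(build_sample_frame()).items():
        print(f"{k:18} {v}")
```

      Note that the UDP "length" field (37 here) counts the 8-byte UDP header, so the DNS payload Wireshark reports is 8 bytes shorter; the hex of an IPv4 address is just its four dotted-quad bytes in order (0a00002a is 10.0.0.42).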

  3. HTTP[S] inspection

    1. Set a display filter of http and then open http://10.0.0.1 in a Web browser. How many packets are generated?

    2. Right-click on one of the HTTP packets and then click "Follow > TCP Stream". Show, from this data, what HTTP User-Agent your browser uses.

    3. Set a display filter of tls.handshake and then open https://10.0.0.1. How many packets are generated?

    4. From the TLS Client Hello message, how many TLS cipher suites are supported? How many use AES in CBC mode?

    5. In the TLS Server Hello message, what records does the TLS layer contain (e.g., one is "Handshake Protocol: Server Hello")?

    6. Within the Server Hello record, which cipher suite is negotiated?

    7. What can you say about the final record’s payload?

    8. Use the OpenSSL client (openssl s_client) to retrieve the course website’s index page over HTTPS (i.e., run openssl s_client -connect 10.0.0.1:443, then type the request line GET / HTTP/1.0 followed by two newlines, the blank line ending the request headers).

      1. Is the server certificate signed by a Certificate Authority?

      2. What version of the TLS protocol is used?

      3. Which cipher suite is selected?
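      Details

      Steps 4 to 7 are a walk down the TLS record layer: each record is a 5-byte header (content type, legacy version, length) followed by a body; a Handshake record's body starts with a 1-byte handshake type and 3-byte length; a ClientHello lists every cipher suite the client offers while a ServerHello carries exactly one; and once the server has switched to encrypted records, the remaining payloads are opaque to Wireshark. The Python below is an added example, not part of the lab handout, that does the same parse over constructed bytes: a ClientHello offering 20 suites drawn from the IANA registry (the subset in CIPHER_SUITES), and a trimmed TLS 1.3-style server flight of ServerHello, ChangeCipherSpec and an ApplicationData record whose payload stands in for encrypted handshake data (the key_share extension and real randoms are omitted, since nothing here derives keys).

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
# Subset of the IANA TLS cipher-suite registry; enough for this example.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def split_records(data: bytes) -> list:
    """Walk the record layer: 5-byte header (type, legacy version, length) then body."""
    records, off = [], 0
    while off < len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        records.append({"type": ctype, "type_name": CONTENT_TYPES.get(ctype, "?"),
                        "version": version, "body": body})
        off += 5 + length
    return records


def parse_hello(body: bytes) -> dict:
    """Parse a ClientHello (type 1) or ServerHello (type 2) handshake message body."""
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    if len(msg) != hlen or htype not in (1, 2):
        raise ValueError("not a complete ClientHello/ServerHello")
    version = struct.unpack("!H", msg[0:2])[0]
    off = 2 + 32                                   # skip legacy_version and the 32-byte random
    off += 1 + msg[off]                            # legacy_session_id (length-prefixed)
    if htype == 1:
        n = struct.unpack("!H", msg[off:off + 2])[0]; off += 2
        suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(off, off + n, 2)]
        off += n
        off += 1 + msg[off]                        # compression_methods vector
    else:
        suites = [struct.unpack("!H", msg[off:off + 2])[0]]; off += 2
        off += 1                                   # single compression method
    exts = {}
    if off < len(msg):                             # extensions block is optional before TLS 1.3
        ext_len = struct.unpack("!H", msg[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", msg[off:off + 4]); off += 4
            exts[etype] = msg[off:off + elen]; off += elen
    names = [CIPHER_SUITES.get(s, f"unknown_0x{s:04x}") for s in suites]
    return {"handshake": HANDSHAKE_TYPES[htype], "version": version, "suites": suites,
            "suite_names": names, "extensions": exts}


def count_aes_cbc(names) -> int:
    return sum(1 for n in names if "_AES_" in n and "_CBC_" in n)


def summarize(stream: bytes) -> list:
    """One (content type, description) pair per record, like Wireshark's record list."""
    out = []
    for r in split_records(stream):
        if r["type"] == 22:
            out.append((r["type_name"], HANDSHAKE_TYPES.get(r["body"][0], "?")))
        else:
            out.append((r["type_name"], f"{len(r['body'])} opaque bytes"))
    return out


def _handshake(htype: int, msg: bytes) -> bytes:
    return bytes([htype]) + len(msg).to_bytes(3, "big") + msg


def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def build_client_hello() -> bytes:
    """Constructed ClientHello offering every suite in CIPHER_SUITES (random is all zeros)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    msg = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
           + struct.pack("!H", len(suites)) + suites + b"\x01\x00")     # one compression method: null
    return _record(22, _handshake(1, msg))


def build_server_flight() -> bytes:
    """Constructed TLS 1.3 flight: ServerHello (supported_versions=1.3, key_share omitted),
    ChangeCipherSpec, then an ApplicationData record standing in for encrypted handshake data."""
    ext = struct.pack("!HH", 0x002B, 2) + struct.pack("!H", 0x0304)
    msg = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 0x1301) + b"\x00"
           + struct.pack("!H", len(ext)) + ext)
    opaque = bytes(range(40))                      # not decodable without the session keys
    return _record(22, _handshake(2, msg)) + _record(20, b"\x01") + _record(23, opaque)
```

      Run parse_hello on the first record of build_client_hello() and you get 20 offered suites, 8 of them AES in CBC mode; summarize(build_server_flight()) lists Handshake/ServerHello, ChangeCipherSpec and ApplicationData, with the last payload reported only as opaque bytes, which is the answer to step 7. Wireshark does the same thing: it can name the record types but cannot dissect what is inside an encrypted record.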

  4. Network scanning

    1. Open the manual page for the nmap network mapping tool (man nmap). Based on the contents of the Host Discovery portion of the manual page, what is the default host discovery approach used by nmap?

    2. Based on this answer, set a display filter in Wireshark to show the TCP packets used by nmap host discovery and run nmap with the -sn option (host discovery only, no port scan) against the 10.0.0.0/24 subnet. How many hosts are up? Show one of the packets that nmap generated in Wireshark, demonstrating that the protocol, destination IP and port match what nmap and its man page say. Caveat: the same section of the man page notes that when a privileged user scans targets on the local Ethernet segment, nmap uses ARP requests instead of the ICMP/TCP probes unless --send-ip is given, so if your TCP filter shows nothing, look at arp traffic or rerun with --send-ip.

      Details

      There are two big reasons to use Wireshark:

      1. its huge number of protocol "dissectors" that show you what the bytes mean, and

      2. its filtering language.

      For example, if I want to filter Wireshark’s output such that I only see packets from my computer to UDP port 67 or 68, I can use a display filter like:

      ip.src == 134.153.27.196 and (udp.port == 67 or udp.port == 68)

    3. Perform a full TCP SYN scan with UDP scans and OS detection (see nmap manual page) on one of the hosts that you previously discovered to be up. What ports are open? What OS do you find?

    4. Show that at least one of these scan packets shows up in Wireshark.

    5. Confirm that you can SSH into another host that you found to have the SSH port (TCP port 22) open. Once logged in, run DISPLAY=:0 xmessage "A message of your choosing" and see if anyone receives the pop-up.

      Tip

      Depending on how many people are in the lab, you may need to do a little bit of co-ordination ("hey, what’s your IP?") to cause the desired effect(s).