Question
Scenario:
Flextor Applications, Inc. has contacted you regarding a possible security breach on their network. Philo Farnsworth, the owner, believes something suspicious is going on. Specifically he thinks that someone is stealing his business secrets.
Mr. Farnsworth asked his network administrator, James Garrett, to capture network activity and email it to you. James met with you and handed over a CD with the packet capture. He seemed nervous.
Mr. Farnsworth has asked you to identify any suspicious activity in the packet capture. You are to answer the questions below, in as much detail as possible, and provide Mr. Farnsworth with a half-page summary of what you found that might be suspicious. If there's a 'mole' in his organization he wants to know, and what, if anything, might have been stolen or compromised.
Here are the details regarding the network:
Employee            Title            IP address
Server              Server           172.16.235.131
Philo Farnsworth    President        172.16.235.129
James Garrett       Network Admin    172.16.235.130
Allen Beard         Vice President   172.16.235.128
Deliverable:
SINGLE DOCUMENT, either *.doc, *.docx, or *.pdf that contains the following information:
1. A 1/2 page management summary, written in non-technical language, that provides a high level interpretation of what occurred during the sequence of events, identifying any suspicious activity (trust me there is a LOT going on). I will count off if you use ANY of the following terms (or terms like this): ftp, telnet, IP, http, port, ping, etc. Think of a way to describe what occurred without using technical lingo!
2. Answer the questions below. Keep the stems included in your document so I can identify the questions you are answering. You can type DIRECTLY into this document as I want to see the question stems!! 10 points off immediately if you don't include the stems. Answer every part of every question!
NOTE: Some activity is suspicious, some is NOT. If it's NOT suspicious, describe why it’s not, and go on to the next question! If you don't know whether it's suspicious -- sometimes it's difficult to tell -- say so, and describe why you can't tell whether it's suspicious or not, but you MUST describe what is going on. There are examples of EACH of the aforementioned categories of behavior included in the packet capture.
NOTE: I want a DETAILED INTERPRETATION of what is happening. Don't simply DESCRIBE what is going on, I want an expert interpretation. Here’s an example:
POOR INTERPRETATION: IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx.
My feedback to you: That is useless information.
GOOD INTERPRETATION: IP xxx.xxx.xxx.xxx, Sam Smith’s computer’s IP address, is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx (the server’s IP address). Port 21 is ftp, which sends credentials in the clear. The series of packet captures shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter of which allowed the intruder to gain access to the computer.
My feedback: Whoa! Excellent! Off to the NSA you go!
Questions
1. What is occurring in packets 21-26? Is it evidence of an intrusion? Provide an interpretation of what is occurring, and the possible uses of the information gained. If there’s nothing suspicious, tell me so, and explain why it’s normal traffic.
2. Is the activity occurring in packets 75-95 evidence of an intrusion? Provide a detailed interpretation of what is occurring, and the possible uses of the information gained. What ports are involved? What information would be gained, and how would it be used by an attacker? What tool did the ‘attacker’ use? (Covered in a video.) Note there are several questions here to be answered.
3. Is the activity starting in packet 101 evidence of an intrusion? (Hint: Select the packet, right-click, Follow->TCP Stream). Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
4. Is the activity starting in packet 507 evidence of an intrusion? (Note: this is a TCP stream so you can select the first packet, right click your mouse, select "Follow -> TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
5. Is the activity starting in packet 661 evidence of an intrusion? (Note: this is a TCP stream so you can select the packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. Look for human readable text (a lot of what you see are formatting commands). What text was added? To what file? What was the purpose of adding the text to this file, and who might see it? (There are a lot of questions to answer there.)
6. Is the activity starting in packets 804-805 abnormal? Why or why not?
7. Is the activity starting in 1713 through 1719 a sign of an attack? Why or why not?
8. Is the activity starting in packet 2367 a sign of an attack? (Note: if it’s a sign of an attack, tell me why. If you can’t tell, tell me why you can’t.) (Use Follow TCP Stream.)
9. Is the activity starting in packet 2519 (to the end of the packet capture) evidence of an intrusion or attack? Provide a detailed description of what is occurring, and the possible consequences. What did the attacker do?
10. Who was the attacker, and were his skills low, moderate, or high? Defend your answer based on the evidence. How much is Philo Farnsworth’s salary?
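Added example, not part of the question or of the posted answer: a Python script that takes the text Wireshark's Follow -> TCP Stream produces for a cleartext FTP login (here a constructed sample modelled on the GOOD INTERPRETATION passage above, with client lines prefixed "C: " and server lines "S: "), counts the password guesses and rejections, and phrases the result using the employee/IP table from the scenario. The endpoint addresses passed to interpret() are arbitrary picks from that table.

```python
import re

# Host table copied from the assignment, used to name the endpoints of a stream.
HOSTS = {
    "172.16.235.131": "the server",
    "172.16.235.129": "Philo Farnsworth's computer",
    "172.16.235.130": "James Garrett's computer",
    "172.16.235.128": "Allen Beard's computer",
}

# Constructed sample, not from the real capture: a Follow -> TCP Stream dump of an
# FTP control session, client lines prefixed "C: " and server lines "S: ".
SAMPLE_STREAM = """\
S: 220 FTP server ready
C: USER sumowrestler
C: PASS password
S: 530 Login incorrect
C: USER sumowrestler
C: PASS sumo
S: 530 Login incorrect
C: USER sumowrestler
C: PASS sumo1
S: 230 Login successful
"""

def analyze_ftp_stream(stream: str) -> dict:
    """Pair each PASS with the server reply that follows it and record the outcome."""
    report = {"user": None, "guesses": [], "failures": 0, "success": None}
    pending = None  # password sent by the client but not yet answered by the server
    for line in stream.splitlines():
        side, _, text = line.partition(": ")
        m = re.match(r"(USER|PASS) (\S+)$", text) if side == "C" else None
        if m and m.group(1) == "USER":
            report["user"] = m.group(2)
        elif m:  # a PASS command: remember it until the server answers
            pending = m.group(2)
            report["guesses"].append(pending)
        elif side == "S" and pending is not None:
            if text.startswith("530"):
                report["failures"] += 1
            elif text.startswith("230"):
                report["success"] = pending  # this guess opened the account
            pending = None
    return report

def interpret(src_ip: str, dst_ip: str, report: dict) -> str:
    """Phrase the findings the way the assignment's GOOD INTERPRETATION example does."""
    src, dst = HOSTS.get(src_ip, src_ip), HOSTS.get(dst_ip, dst_ip)
    outcome = f"got in with '{report['success']}'" if report["success"] else "did not get in"
    return (f"{src} tried {len(report['guesses'])} passwords for user '{report['user']}' on {dst} "
            f"over cleartext FTP; {report['failures']} were rejected and the intruder {outcome}.")
```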
Explanation / Answer
// File 1: algorithms/DistributedHashTableAlgorithm.java
package algorithms;

import java.util.Hashtable;

public class DistributedHashTableAlgorithm {

    // Records a destination -> source mapping in a hash table. The table is local to
    // this call and discarded on return, so the method has no observable effect as written.
    public void algorithm(String srcId, String desId) {
        Hashtable<String, String> htObj = new Hashtable<>();
        htObj.put(desId, srcId);
    }
}

// File 2: nodes/AdversaryNode.java
package nodes;

import java.util.ArrayList;

public class AdversaryNode extends javax.swing.JFrame {

    public AdversaryNode() {
        initComponents();
        setTitle("Adversary Node");
    }

    @SuppressWarnings("unchecked")
    // <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
    private void initComponents() {
        jPanel1 = new javax.swing.JPanel();
        attackBtn = new javax.swing.JButton();
        jLabel1 = new javax.swing.JLabel();

        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);

        jPanel1.setLayout(null);

        attackBtn.setText("Attack On Network");
        attackBtn.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                attackBtnActionPerformed(evt);
            }
        });
        jPanel1.add(attackBtn);
        attackBtn.setBounds(10, 10, 130, 50);

        // Load the background image only if it is on the classpath; passing a null URL
        // to ImageIcon throws a NullPointerException and the window would never open.
        java.net.URL iconUrl = getClass().getResource("/images/Protection-intrusion.jpg");
        if (iconUrl != null) {
            jLabel1.setIcon(new javax.swing.ImageIcon(iconUrl)); // NOI18N
        }
        jPanel1.add(jLabel1);
        jLabel1.setBounds(0, 0, 425, 290);

        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, 422, Short.MAX_VALUE)
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, 285, Short.MAX_VALUE)
        );

        pack();
    }// </editor-fold>//GEN-END:initComponents

    private void attackBtnActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_attackBtnActionPerformed
        if (evt.getSource() == attackBtn) {
            java.util.Random rObj = new java.util.Random();
            // nextInt(1) can only return 0, so rNode is always 1 (the only node handled below).
            int rNode = rObj.nextInt(1) + 1;
            javax.swing.JOptionPane.showMessageDialog(null, "Attack launched on NODE " + rNode);
            if (rNode == 1) {
                //Node1 node1Obj = new Node1();
                // The original only clones an empty list here; no node is actually contacted.
                ArrayList<Object> obj = new ArrayList<>();
                @SuppressWarnings("unchecked")
                ArrayList<Object> obj2 = (ArrayList<Object>) obj.clone();
            }
        }
    }//GEN-LAST:event_attackBtnActionPerformed

    public static void main(String args[]) {
        //<editor-fold defaultstate="collapsed" desc=" Look and feel setting code (optional) ">
        try {
            for (javax.swing.UIManager.LookAndFeelInfo info : javax.swing.UIManager.getInstalledLookAndFeels()) {
                if ("Nimbus".equals(info.getName())) {
                    javax.swing.UIManager.setLookAndFeel(info.getClassName());
                    break;
                }
            }
        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException
                 | javax.swing.UnsupportedLookAndFeelException ex) {
            // Falling back to the default look and feel is harmless; just log it.
            java.util.logging.Logger.getLogger(AdversaryNode.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
        }
        //</editor-fold>

        /* Create and display the form */
        java.awt.EventQueue.invokeLater(new Runnable() {
            public void run() {
                new AdversaryNode().setVisible(true);
            }
        });
    }

    // Variables declaration - do not modify//GEN-BEGIN:variables
    private javax.swing.JButton attackBtn;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JPanel jPanel1;
    // End of variables declaration//GEN-END:variables
}