Question
Please read carefully!!!
Packet Capture Analysis
Download packet cap here http://www.filedropper.com/packetcap
Identify any suspicious activity in the packet capture. You are to answer the questions below, in as much detail as possible. If there's a 'mole' in the organization we want to know, and what, if anything, might have been stolen or compromised.
Here are the details regarding the network:
| Employee | Title | IP address |
| --- | --- | --- |
| Server | Server | 172.16.235.131 |
| Philo Farnsworth | President | 172.16.235.129 |
| James Garrett | Network Admin | 172.16.235.130 |
| Allen Beard | Vice President | 172.16.235.128 |
Questions
1. What is occurring in packets 21-26? Is it evidence of an intrusion? Provide an interpretation of what is occurring, and the possible uses of the information gained. If there’s nothing suspicious, tell me so, and explain why it’s normal traffic.
2. Is the activity occurring in packets 75-95 evidence of an intrusion? Provide a detailed interpretation of what is occurring, and the possible uses of the information gained. What ports are involved? What information would be gained, and how would it be used by an attacker? What tool did the ‘attacker’ use? (Covered in a video.) Note there are several questions here to be answered.
3. Is the activity starting in packet 101 evidence of an intrusion? (Hint: Select the packet, right-click, Follow->TCP Stream). Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
4. Is the activity starting in packet 507 evidence of an intrusion? (Note: this is a TCP stream so you can select the first packet, right click your mouse, select "Follow -> TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
5. Is the activity starting in packet 661 evidence of an intrusion? (Note: this is a TCP stream so you can select the packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. Look for human readable text (a lot of what you see are formatting commands). What text was added? To what file? What was the purpose of adding the text to this file, and who might see it? (There are a lot of questions to answer there.)
6. Is the activity starting in packets 804-805 abnormal? Why or why not?
7. Is the activity starting in packets 1713 through 1719 a sign of an attack? Why or why not?
8. Is the activity starting in packet 2367 a sign of an attack? (Note: if it’s a sign of an attack, tell me why. If you can’t tell, tell me why you can’t.) (Use Follow TCP Stream.)
9. Is the activity starting in packet 2519 (to the end of the packet capture) evidence of an intrusion or attack? Provide a detailed description of what is occurring, and the possible consequences. What did the attacker do?
10. Who was the attacker, and were his skills low, moderate, or high? Defend your answer based on the evidence. How much is Philo Farnsworth’s salary?
Explanation / Answer
Answer 1. In packets 21-26 the user with IP address 172.16.235.130, that is James Garrett, has sent ping requests to the server 172.16.235.131 in the form of Echo requests. The server then responds to these Echo requests by sending Echo reply packets. This has happened three times.
Answer 3. The TCP stream is as follows:
........... ..!.."..'.....#..... ..#..'........!.."..... .....#.....'.............P...... .38400,38400....#.Ubuntu16:0....'..DISPLAY.Ubuntu16:0......xterm-256color..............Ubuntu 16.04.1 LTS
server login: ppffaarrnnsswwoorrtthh
.
Password: 123456
.
Login incorrect
server login: ppffaarrnnsswwoorrtthh
.
Password: pfarnsworth
.
Login incorrect
server login: ppffaarrnnsswwoorrtthh
.
Password: password
.
Last login: Sat Feb 4 13:56:19 EST 2017 from 192.168.194.128 on pts/0
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
.]0;pfarnsworth@server: ~..[01;32mpfarnsworth@server.[00m:.[01;34m~.[00m$ llss
.
.[0m.[01;34mimportant_company_files.[0m
.]0;pfarnsworth@server: ~..[01;32mpfarnsworth@server.[00m:.[01;34m~.[00m$ ccdd iimm portant_company_files/
.
.]0;pfarnsworth@server: ~/important_company_files..[01;32mpfarnsworth@server.[00m:.[01;34m~/important_company_files.[00m$ llss
.
budget.xls marketing.docx salaries.txt top-secret.txt
.]0;pfarnsworth@server: ~/important_company_files..[01;32mpfarnsworth@server.[00m:.[01;34m~/important_company_files.[00m$ ccaatt ssaall aries.txt
.
Philo Farnsworth, President, $325,000
Allen T. Beard, Vice President, $226,000
James T. Garrett, Systems Administrator, $22,120
.]0;pfarnsworth@server: ~/important_company_files..[01;32mpfarnsworth@server.[00m:.[01;34m~/important_company_files.[00m$ ccaatt ttoopp -secret.txt
.
Dear Share Holders:
We will be purchasing ACME, Ltd. at the end of the month for $1,000,000. This is highly sensitive information as if this was to become public, our 'low ball' offer would surely increase the price.
Please do not share this information with anyone!
Sincerely,
P. Farnsworth
President
.]0;pfarnsworth@server: ~/important_company_files..[01;32mpfarnsworth@server.[00m:.[01;34m~/important_company_files.[00m$ eexxiitt
.
logout
As can be seen, several attempts were made to log in to the server.
Then the information regarding salaries of different heads/users contained in the file salaries.txt was accessed.
Also the top-secret.txt file containing an email for shareholders was accessed.
Answer 4.
220 (vsFTPd 3.0.3)
USER pfarnsworth
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 172,16,235,130,237,40
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
CWD important_company_files
250 Directory successfully changed.
PORT 172,16,235,130,129,130
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
TYPE A
200 Switching to ASCII mode.
PORT 172,16,235,130,160,255
200 PORT command successful. Consider using PASV.
NLST salaries.txt
150 Here comes the directory listing.
226 Directory send OK.
PORT 172,16,235,130,131,179
200 PORT command successful. Consider using PASV.
RETR salaries.txt
150 Opening BINARY mode data connection for salaries.txt (129 bytes).
226 Transfer complete.
PORT 172,16,235,130,230,92
200 PORT command successful. Consider using PASV.
NLST top-secret.txt
150 Here comes the directory listing.
226 Directory send OK.
PORT 172,16,235,130,193,234
200 PORT command successful. Consider using PASV.
RETR top-secret.txt
150 Opening BINARY mode data connection for top-secret.txt (308 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
The FTP login is made using the username pfarnsworth and the password "password".
The SYST command is used to gather information regarding the OS of the server. Then the PORT command is used to establish a data transfer channel with server 172.16.235.130.
The LIST command is used to list the names of directories.
The CWD command changes the current working directory to important_company_files.
The NLST command is used to read the contents of salaries.txt.
Thus, as we can see, the intruder is accessing the data in various files as he wishes. He even uses the RETR command to retrieve copies of the files top-secret.txt and salaries.txt.