Scribd Logo
Upload

Welcome to Scribd!

  • CSCI369 Lab 2

    Uploaded by

    Joe Ong Zuokai
    39 views3 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    39 views3 pages

    CSCI369 Lab 2

    Uploaded by

    Joe Ong Zuokai

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    CSCI369 Ethical Hacking

    This material is copyrighted. It must not be


    distributed without permission from
    Joonsang Baek and Jongkil Kim

    Lab 2
    Capturing Network Traffic

    1. Wireshark on Kali

    Wireshark is already installed in Kali by default. At terminal type wireshark


    to run wireshark. You can see the number of interfaces in the initial screen. If you
    set your Kali properly in the last lab, you will have two interfaces eth0 and eth1.
    Notice that eth0 is connected to the Internet and eth1 is connected to your home
    private network.

    1) Open a web browser → Start to capture the traffic from eth0 → Connect
    to www.amazon.com in the web browser → If loading the initial page was
    finished, stop to capture the traffic.
    2) Try to see the traffic only between your laptop and Amazon webserver
    using Follow function. If you are not sure the IP address Amazon
    webserver, remember thing you did in the last lab.
    3) Q) Can you check the SYN → SYN-ACK → ACK for TCP handshake?
    4) Q) Can you check the SSL/TLS connection?
    o Find the following traffic sequences:
    ▪ Client Hello
    ▪ Server Hello, Certificate
    ▪ Server Key Exchange, Server Hello Done
    o Find the following information:
    ▪ CipherSuites that your browser support. (Hint) Your browser is
    client.
    ▪ The agreed CipherSuite used in this SSL/TLS connection.

    5) Use the filter in Wireshark


    o Try to view all the packets exchanged between your computer and
    www.amazon.com (not only tcp or udp) only.
    o Can you filter out all packets containing SSL/TLS certificate?
    o Try to do more filtering activities using the [Expression…] button
    which locates next to the filtering bar.

    1
    CSCI369 Ethical Hacking
    This material is copyrighted. It must not be
    distributed without permission from
    Joonsang Baek and Jongkil Kim

    2. We will perform more advanced analysis using Scapy.

    Scapy is a Python program that enables the user to generate, modify, sniff,
    dissect and transmit network packets. This capability allows construction of
    tools that can probe, scan or attack networks. Scapy is already installed on the
    Kali linux. Start it by typing scapy in the terminal.

    1) Let’s follow some simple step to use scapy.


    o Generate IP packet
    >>> IP()
    <IP |>
    >>> target="www.target.com/30"
    >>> ip=IP(dst=target)
    >>> ip
    <IP dst=<Net www.target.com/30> |>
    >>> [p for p in ip]
    [<IP dst=151.101.30.184 |>, <IP dst=151.101.30.185 |>,
    <IP dst=151.101.30.186 |>, <IP dst=151.101.30.187 |>]

    o Generate TCP packet (the destination IP below belongs to Google)


    >>> IP(dst="151.101.30.184")/TCP(sport=666, dport=80,flags="S")

    o Add the contents (payload)


    >>> IP(dst="151.101.30.184")/TCP(sport=RandShort(), dport=80)/"GET
    /index.html HTTP/1.0 \n\n"

    2) SYN-ACK Test: Now, let’s try to do some fun things. The sr() function in
    Scapy is for sending packets and receiving responses. In particular, the
    input of this function is multiple packets (to send) and the return value is
    multiple responses (represented as packets). Its variant sr1()only
    takes one packet as input and returns one packet as a response.

    o Classic SYN Scan can be performed by the following command:


    >>> sr1(IP(dst="151.101.30.184")/TCP(dport=80,flags="S"))
    o Q) Check “flags” field in the response packet. What does this mean?
    (Can you see any value in the field?)
    o Q) Change dport to 443. What does this mean?

    3) Read a pcap file and analyse packets


    o Download aavtrain.pcap file from the moodle site.
    o Read the file using the following command:
    >>> a=rdpcap("/root/Desktop/aavtrain.pcap")
    o For example, you can visualize the 23rd packet using the following
    command:
    >>> a[23].pdfdump(layer_shift=1)

    2
    CSCI369 Ethical Hacking
    This material is copyrighted. It must not be
    distributed without permission from
    Joonsang Baek and Jongkil Kim

    o Try more commands to get the information of the packet using the
    table below: (Hint: Replace “pkt” with the packet you have read, e.g.
    a[23])

    hexdump(pkt) have a hexadecimal dump


    ls(pkt) have the list of fields values
    pkt.summary() for a one-line summary
    pkt.show() for a developed view of the packet
    pkt.show2() same as show but on the assembled packet
    (checksum is calculated, for instance)
    pkt.command() return a Scapy command that can generate
    the packet

    4) [Scapy with python] Scapy can also be used as a python library. You can
    create your own automated analysis program of packets (or attacks)
    using Scapy. Your task is to write a python program that extracts the
    packet containing user ID and password from the downloaded pcap file.
    (Hint: Use the functions above and python basic commands to figure out
    what are the user id (followed by “user_name”) and password (followed by
    “password”). )

    To include the scapy package in your python code, use “from scapy.all
    import *”

    You might also like