
Lab 3

In this lab we are going to use Wireshark to analyze DoS attacks (a brute-force attack)
against the FTP protocol.

We have an FTP server with IP address 192.168.56.1 that has encountered a DoS. The investigator captured
the traffic between the server and the attacker's IP address (192.168.56.101) using Wireshark (the pcap file
is attached).

Based on examining the pcap file, please answer the following questions:

- What is the MAC address of the victim machine?

In the Figure above we can see that the attacker machine is using the ARP protocol to ask for the
MAC address of the victim IP address (Who has 192.168.56.1? Tell 192.168.56.101).

You can filter the packets based on ARP Reply by:

a- Selecting any reply packet that shows a MAC address (ARP reply)

Dr. Sarah Abu Ghazalah


b- Then in the details go to Opcode: reply, right-click and choose Apply as Filter >> Selected
c- The result is shown below:



- What TCP protocols are recorded? (You can search based on the SYN/ACK flag.)
To start, search for TCP packets without ARP:

You can see that all ARP packets are gone.

To search based on SYN/ACK packets, choose any SYN/ACK packet, then in the details find Flags:,
right-click, then Apply as Filter >> Selected



When you look at the result you will find that many ports are used, such as FTP, NetBIOS, 49154, 49152,
etc.

We will focus on FTP port 21.

Apply the filter: tcp.flags == 0x012 && tcp.port == 21



- If you look at the FTP protocol, what do you realize (according to the number of packets)?
We have a lot of FTP packets, so we need to check why we have this number of packets.
To follow a stream: right-click on any port 21 packet and choose Follow >> TCP Stream

- Follow the FTP requests; what observation do you come up with?

We can see that the user entered passwords many times with login failures (brute-force attack).



Change the stream with the up/down arrows and you will find many failed attempts with wrong passwords.

We can see that the code for "Login incorrect" is 530; we need to search for the login-successful code
in FTP.

- Demonstrate the successful login (what are the username and password)?
To demonstrate the successful login we use this filter: ftp.response.code == 230

For the first packet: Follow >> TCP Stream



The password is anon.

For the second packet: Follow >> TCP Stream

- What commands did the attacker use with the FTP protocol?



So, we can see here that the commands are LIST, Change Working Directory (CWD) to imagez, LIST
(again), and finally RETR, which means download a file (in this case Whywecanthavenicecat.png).
For example, if you change the stream to 7357 (press the up button), you will see the result of the LIST
command:
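As an added example (not part of the lab handout), the following Python script applies the same reasoning to the text of a followed stream: it counts 530 replies, picks out the 230 reply together with the USER/PASS pair that preceded it, and lists the commands issued after login. The sample lines are constructed: the password anon, the directory imagez and the file name come from the lab, while the username ftpuser, the wrong guesses and the stream numbers other than 7357 are placeholders.

```python
# Constructed sample of FTP control-channel lines as they appear in Wireshark's
# Follow TCP Stream view: "<stream> <C|S> <message>" (C = attacker 192.168.56.101,
# S = server 192.168.56.1). Username and wrong guesses are placeholders.
SAMPLE = """\
7350 C USER ftpuser
7350 C PASS letmein
7350 S 530 Login incorrect.
7351 C USER ftpuser
7351 C PASS password1
7351 S 530 Login incorrect.
7352 C USER ftpuser
7352 C PASS ftpuser
7352 S 530 Login incorrect.
7357 C USER ftpuser
7357 C PASS anon
7357 S 230 Login successful.
7357 C LIST
7357 C CWD imagez
7357 C RETR Whywecanthavenicecat.png
"""

def analyze_ftp_control(text, threshold=3):
    """Count 530 (login incorrect) replies, record the 230 (login successful) reply
    with the credentials that produced it, and list commands sent after login."""
    result = {"failed_logins": 0, "success_stream": None,
              "credentials": None, "commands": [], "brute_force": False}
    last_user = last_pass = None
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        stream, who, msg = parts
        if who == "C":                       # client -> server command
            verb, _, arg = msg.partition(" ")
            if verb == "USER":
                last_user = arg
            elif verb == "PASS":
                last_pass = arg
            elif result["success_stream"] is not None:
                result["commands"].append((verb, arg))   # post-login activity
        elif msg.startswith("530"):          # server: login incorrect
            result["failed_logins"] += 1
        elif msg.startswith("230"):          # server: login successful
            result["success_stream"] = int(stream)
            result["credentials"] = (last_user, last_pass)
    # Flag as brute force when the number of 530 replies reaches the threshold
    result["brute_force"] = result["failed_logins"] >= threshold
    return result
```

The same counting logic can be fed the export of any followed stream; in the real capture the 530 count is far higher than three.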



In the above message, stream 7359 shows the picture in ASCII and we can see from the
signature that it is a PNG.

- What is the image the attacker retrieved from the victim machine? Save it on your computer.
Whywecanthavenicecat.png
To save it, change the fields as shown in the picture below:

Click on Save as and save it as cat.png.



Open the image in the download folder:
