Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • Lab 9-10

    Загружено:

    Anant Patni
    167 просмотров6 страниц
    ia

    Авторское право

    © © All Rights Reserved

    Доступные форматы

    DOC, PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    ia

    Авторское право:

    © All Rights Reserved
    Скачайте в формате DOC, PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    167 просмотров6 страниц

    Lab 9-10

    Загружено:

    Anant Patni
    ia

    Авторское право:

    © All Rights Reserved
    Скачайте в формате DOC, PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 6

    Jaypee Institute of Information Technology, Noida-128

    IS Lab (15B17CI576) Exercises


    5th Semester – 2018 (Odd Sem)
    Lab 9-10

    LAB ASSIGNMENT - 9

    Notes: Packet capture (PCAP) files contain information about the network traffic that can
    be explored in detail. The goal of this exercise is to examine PCAP files containing
    attacks, and analyze the traffic in detail. We look into details of transport- (TCP) and
    application-layer (SMB, RPC, HTTP). Wireshark (and the command-line tool, tshark)
    will be used in the tasks.
    Some Useful Examples of Applying Filters on pcap files:-
     ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source
    or dest]
     ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the
    two defined IP addresses]
     http or dns [sets a filter to display all http and dns]
     tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest
    port]
     tcp.flags.reset==1 [displays all TCP resets]
     http.request [displays all HTTP GET requests]
     tcp contains reviews [displays all TCP packets that contain the word ‘reviews’.
    Excellent when searching on a specific string or user ID]
     !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may
    be background noise. Allowing you to focus on the traffic of interest]
     tcp.flags.syn eq 1 [TCP packets with SYN flag set to 1]

    Q1. Refer to file Ass9_1.pcap and answer following questions:-


    (a) Find IP addresses of FTP server and Client
    (b) What is the meaning of FTP Err Code 530.
    (c) How many login errors occurred within a minute?

    Q2. Refer to file Ass9_2.pcap and answer following questions:-


    (a) Explore what’s going on with wireshark gui:-

    • Statistics -> Conversation List -> TCP (*)


    (b) Explore web to find out which application use TCP/6346?
    Q3. Refer the network trace Ass9_4.pcap and examine it using Wireshark. Provide
    concise answers to the following questions. Each response should require at most 2–3
    sentences.
    1. One of the clients connects to an FTP server during the trace
    a. What is the DNS hostname of the server it connects to?
    b. Is the connection using Active or Passive FTP?
    c. Based on the packet capture, what’s one major vulnerability of the FTP
    protocol?
    d. Name at least two network protocols that can be used in place of FTP to
    provide secure file transfer.
    2. The trace shows that at least one of the clients makes HTTPS connections to sites
    other than Facebook. Pick one of these connections and answer the following:
    a. What is the domain name of the site the client is connecting to?
    b. Is there any way the HTTPS server can protect against the leak of
    information in (a)?
    c. During the TLS handshake, the client provides a list of supported cipher
    suites. List three of the cipher suites and name the crypto algorithms used
    for each.
    d. Are any of these cipher suites worrisome from a security or privacy
    perspective? Why?
    e. What cipher suite does the server choose for the connection?
    3. One of the clients makes a number of requests to Facebook
    a. Even though logins are processed over HTTPS, what is insecure about the
    way the browser is authenticated to Facebook?
    b. How would this let an attacker impersonate the user on Facebook?
    c. How can users protect themselves against this type of attack?
    d. What did the user do while on the Facebook site?

    Lab Exercise Based on SSL:


    In this lab, we’ll investigate the Secure Sockets Layer (SSL) protocol, focusing on the
    SSL records sent over a TCP connection. We’ll do so by analyzing a trace of the SSL
    records sent between your host and an e-commerce server. We’ll investigate the various
    SSL record types as well as the fields in the SSL messages. You may want to review
    Section 8.6 in the text1.

    1. Capturing packets in an SSL session

    The first step is to capture the packets in an SSL session. To do this, you should go to
    your favorite e-commerce site and begin the process of purchasing an item (but
    terminating before making the actual purpose!). After capturing the packets with
    Wireshark, you should set the filter so that it displays only the Ethernet frames that
    contain SSL records sent from and received by your host. (An SSL record is the same
    thing as an SSL message.) You should obtain something like screenshot on the previous
    page.

    1
    References to figures and sections are for the 6th edition of our text, Computer Networks, A Top-down
    Approach, 6th ed., J.F. Kurose and K.W. Ross, Addison-Wesley/Pearson, 2012.
    If you have difficulty creating a trace, you should download the zip file
    http://gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ssl-ethereal-
    trace-1 packet trace.

    2. A look at the captured trace

    Your Wireshark GUI should be displaying only the Ethernet frames that have SSL
    records. It is important to keep in mind that an Ethernet frame may contain one or more
    SSL records. (This is very different from HTTP, for which each frame contains either one
    complete HTTP message or a portion of a HTTP message.) Also, an SSL record may not
    completely fit into an Ethernet frame, in which case multiple frames will be needed to
    carry the record.

    LAB ASSIGNMENT - 10
    Q.5 Whenever possible, when answering a question below, you should hand in a printout
    of the packet(s) within the trace that you used to answer the question asked. Annotate the
    printout2 to explain your answer. Refer the network trace Ass10.pcap and examine it
    using Wireshark To print a packet, use File->Print, choose Selected packet only, choose
    Packet summary line, and select the minimum amount of packet detail that you need to
    answer the question

    1. For each of the first 8 Ethernet frames, specify the source of the frame (client or
    server), determine the number of SSL records that are included in the frame, and
    list the SSL record types that are included in the frame. Draw a timing diagram
    between client and server, with one arrow for each SSL record.
    2. Each of the SSL records begins with the same three fields (with possibly different
    values). One of these fields is “content type” and has length of one byte. List all
    three fields and their lengths.

    ClientHello Record:

    3. Expand the ClientHello record. (If your trace contains multiple ClientHello
    records, expand the frame that contains the first one.) What is the value of the
    content type?
    4. Does the ClientHello record contain a nonce (also known as a “challenge”)? If so,
    what is the value of the challenge in hexadecimal notation?
    5. Does the ClientHello record advertise the cyber suites it supports? If so, in the
    first listed suite, what are the public-key algorithm, the symmetric-key algorithm,
    and the hash algorithm?

    ServerHello Record:

    6. Locate the ServerHello SSL record. Does this record specify a chosen cipher
    suite? What are the algorithms in the chosen cipher suite?
    7. Does this record include a nonce? If so, how long is it? What is the purpose of the
    client and server nonces in SSL?
    8. Does this record include a session ID? What is the purpose of the session ID?
    9. Does this record contain a certificate, or is the certificate included in a separate
    record. Does the certificate fit into a single Ethernet frame?

    Client Key Exchange Record:

    2
    What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout
    you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what
    you ‘ve highlight. If you hand in an electronic copy, it would be great if you could also highlight and
    annotate.
    10. Locate the client key exchange record. Does this record contain a pre-master
    secret? What is this secret used for? Is the secret encrypted? If so, how? How long
    is the encrypted secret?

    Change Cipher Spec Record (sent by client) and Encrypted Handshake Record:

    11. What is the purpose of the Change Cipher Spec record? How many bytes is the
    record in your trace?
    12. In the encrypted handshake record, what is being encrypted? How?
    13. Does the server also send a change cipher record and an encrypted handshake
    record to the client? How are those records different from those sent by the client?

    Application Data

    14. How is the application data being encrypted? Do the records containing
    application data include a MAC? Does Wireshark distinguish between the
    encrypted application data and the MAC?
    15. Comment on and explain anything else that you found interesting in the trace.

    Prepare your answers in a text file named Enrollment_no.txt.

    Вам также может понравиться