Lab Experiment-7: Case Study 1: Ann's Bad Machine

The document contains details from 5 case studies related to network security experiments and investigations: 1) Case study 1 details a conversation from an IM chat where a secret recipe file was shared between two users and analyzed. 2) Case study 2 involves forensic analysis of a packet capture from an attacked wireless network, identifying attacker behaviors and access point details. 3) Case study 3 finds SSH traffic hidden in ICMP packets, indicating potential tunneling. 4) Case study 4 analyzes a ping scan and identifies tools and flags used in the scan. 5) Case study 5 traces a drive-by download attack exploiting IE6 via a malicious GIF leading to remote shell access on the client.


Lab Experiment-7

Case Study 1: Ann’s Bad Machine:

1. What is the name of Ann’s IM buddy?

1. sec558user1

2. What was the first comment in the captured IM conversation?

2. Here’s the secret recipe… I just downloaded it from the file server.
Just copy to a thumb drive and you’re good to go >:-)

3. What is the name of the file Ann transferred?

3. recipe.docx

4. What was the MD5sum of the file?

8350582774e1d4dbe1d61d64c89e0ea1

5. What is the secret recipe?


Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir
gently over low heat until sugar is fully dissolved. Remove the
saucepan from heat. Allow to cool completely. Pour into gas tank.
Repeat as necessary.

Case Study 2: Access Point Forensics:

1) Joe’s WAP is beaconing. Based on the contents of the packet
capture, what are:
a. The SSID of his access point?
SSID: Ment0rNet
b. The BSSID of his access point?
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in
SECONDS – please round to the nearest full second)?
A: 414s

3) How many WEP-encrypted data frames are there total in the
packet capture?
$ tshark -r evidence08.pcap -R '((wlan.fc.type_subtype == 0x20) && (wlan.fc.protected == 1)) && (wlan.bssid == 00:23:69:61:00:d0)' | wc -l
A: 59274

4) How many *unique* WEP initialization vectors (IVs) are there
TOTAL in the packet capture relating to Joe’s access point?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 29719

5) What was the MAC address of the station executing the Layer 2
attacks?
A: 1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access
point):
a. By the attacker station?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa == 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 14133

b. By all *other* stations combined?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa != 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 15587

7) What was the WEP key of Joe’s WAP?
$ aircrack-ng -b 00:23:69:61:00:d0 evidence08.pcap
A: D0:E5:9E:B9:04

8) What were the administrative username and password of the
targeted wireless access point?
username: admin
password: admin

9) What was the WAP administrative passphrase changed to?
passphrase: hahp0wnedJ00
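The IV counts in questions 3, 4 and 6 come from tshark pipelines; what follows is an added example, not part of the lab report or its tooling, that reproduces the same per-station unique-IV count by parsing the 802.11 frames directly, so the attacker/other split can be checked without tshark. It assumes a classic little-endian pcap with link type 105 (raw 802.11, no radiotap header); the capture it reads is constructed inline, reusing only the BSSID and attacker MAC stated above.

```python
import struct
def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def wep_ivs_by_station(pcap, bssid):
    """Map source MAC -> set of WEP IVs seen in protected data frames on bssid."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 105:   # 105 = LINKTYPE_IEEE802_11 (no radiotap)
        raise ValueError("expected a little-endian pcap of raw 802.11 frames")
    ivs, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]   # captured length of this record
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 28:           # 24-byte MAC header + 3-byte IV + key-index byte
            continue
        fc0, fc1 = frame[0], frame[1]
        to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
        # same selection as wlan.fc.type_subtype == 0x20 && wlan.fc.protected == 1
        if (fc0 >> 2) & 3 != 2 or fc0 >> 4 != 0 or not fc1 & 0x40 or (to_ds and from_ds):
            continue
        a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
        # which address field holds BSSID vs SA depends on the ToDS/FromDS bits
        f_bssid, src = (a1, a2) if to_ds else (a2, a3) if from_ds else (a3, a2)
        if mac(f_bssid) == bssid:
            ivs.setdefault(mac(src), set()).add(frame[24:27].hex())
    return ivs

def unique_iv_total(ivs):
    return len(set().union(*ivs.values())) if ivs else 0

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))

def wep_frame(bssid, src, iv, to_ds=True):
    b, s, d = bytes.fromhex(bssid.replace(":", "")), bytes.fromhex(src.replace(":", "")), bytes(6)
    fc = bytes([0x08, 0x41 if to_ds else 0x42])   # data/subtype 0; protected + ToDS or FromDS
    addrs = b + s + d if to_ds else d + b + s      # (BSSID, SA, DA) or (DA, BSSID, SA)
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + bytes.fromhex(iv) + b"\x00" + b"\xaa" * 8

# Constructed sample capture using the BSSID and attacker MAC from the report above
AP, ATTACKER, OTHER = "00:23:69:61:00:d0", "1c:4b:d6:69:cd:07", "00:11:22:33:44:55"
SAMPLE = build_pcap([
    wep_frame(AP, ATTACKER, "010203"),
    wep_frame(AP, ATTACKER, "010203"),              # replayed IV: counted once, like sort -u
    wep_frame(AP, ATTACKER, "0a0b0c"),
    wep_frame(AP, OTHER, "0a0b0c"),                  # same IV from another station
    wep_frame(AP, OTHER, "112233", to_ds=False),     # AP -> station frame, SA carried in A3
    wep_frame("aa:bb:cc:dd:ee:ff", OTHER, "445566"), # different BSSID: excluded
])
```

Against a real capture, read the file bytes and pass them to wep_ivs_by_station with the BSSID of interest; the per-station sets reproduce questions 6a/6b and unique_iv_total reproduces question 4.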

Case Study 3: Ping.pcap:

1. What type of ICMP traffic is shown in this capture?
- Echo Request/Reply

2. What is the number of the first frame that indicates that
something funny might be going on?
- 15 (Unprompted reply with suspicious content - SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6...)

3. What is the application layer protocol that is hidden
within the ICMP traffic?
- ssh

4. What tool most likely generated this 'malicious' traffic?
- ICMP Tunnel

5. What is the 'true' destination of the ICMP traffic
generated from 192.168.5.208?
- An external host accessible through 192.168.5.217

6. What is the session identifier for each packet? (answer
in hex, 2 bytes)
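An added example (not part of the report) for the detection reasoning behind questions 2 and 6: it parses IPv4/ICMP packets, flags echo replies that no request asked for and payloads that carry an SSH banner, and reports the 2-byte ICMP identifier, which is the field a tunnel reuses as its session identifier. The hosts 192.168.5.208 and 192.168.5.217 are taken from the report; the packets, identifier values and banner text are constructed.

```python
import struct

def parse_ipv4_icmp(pkt):
    """Split a raw IPv4 packet into (src, dst, icmp_type, ident, seq, payload); None if not ICMP."""
    if len(pkt) < 28 or pkt[9] != 1:                 # protocol field must be ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return src, dst, itype, ident, seq, pkt[ihl + 8:]

def find_icmp_tunnel(frames):
    """Return (frame_no, reason, session_id) for echo traffic that does not behave like ping.

    session_id is the ICMP identifier as 2 hex bytes: a covert tunnel keeps it constant
    to tie its packets into one session, which is what question 6 asks for."""
    pending, findings = set(), []
    for n, pkt in enumerate(frames, 1):
        p = parse_ipv4_icmp(pkt)
        if p is None:
            continue
        src, dst, itype, ident, seq, payload = p
        sid = f"0x{ident:04x}"
        if itype == 8:                                   # echo request: remember it
            pending.add((dst, src, ident, seq))
        elif itype == 0 and (src, dst, ident, seq) not in pending:
            findings.append((n, "echo reply with no matching request", sid))
        elif itype == 0:
            pending.discard((src, dst, ident, seq))
        banner = payload.split(b"\r\n")[0]
        if banner.startswith(b"SSH-"):                   # application banner has no business in ping
            findings.append((n, "SSH banner inside ICMP payload", sid))
    return findings

def ipv4_icmp(src, dst, itype, ident, seq, payload):
    """Build a constructed IPv4+ICMP packet (checksums left zero; the parser does not check them)."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

# Constructed sample using the two hosts named in the report; frame 3 mimics the
# unprompted reply carrying an OpenSSH banner that the report flags
PING_DATA = bytes(8) + bytes(range(0x10, 0x40))         # iputils-style filler payload
SAMPLE = [
    ipv4_icmp("192.168.5.208", "192.168.5.217", 8, 0x1234, 1, PING_DATA),
    ipv4_icmp("192.168.5.217", "192.168.5.208", 0, 0x1234, 1, PING_DATA),
    ipv4_icmp("192.168.5.217", "192.168.5.208", 0, 0xbeef, 7,
              b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6\r\n"),
]
```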

Case Study 4: Scan.pcap:

1. What tool is generating this traffic?
- ping

2. What is the frame that indicates something strange
might be going on?
- 8

3. What does this frame constitute the beginning of? (What
type of Scan?)
- Ping Scan

4. The 'miscreant' then runs two scans beginning just after
six minutes and 24 minutes into the trace, however,
these traces weren't to his/her liking as they were too
slow. On the following scans, a switch was removed
from the command to improve the speed, what was this
switch (just the letters, case-sensitive)?
- sU

5. What switch was added to the final scan (case-sensitive)?
- sS

Case Study 5: Malicious.pcap:

1. What was the complete URI of the original web request that
led to the client being compromised?

- http://10.20.0.111:8080/banking.html

2. What file type was requested in the final web request to the
malicious server?

- gif

3. What is the sha1 hash of the afore-mentioned file?

- addf120b430021c36c232c99ef8d926aea2acd6b

4. What is the number of the first frame that indicates that the
client has been compromised?

- 4722

5. At one point, the malicious server sends a malicious file to
the client. What type of file is it?

- windows executable

6. What is the sha1 hash of the malicious file?

- 7afc1f67e627abb4786e5596843f9d790be81a34

7. What vulnerable software is exploited?

- ie6

8. Can you give the corresponding CVE security bulletin that
covers the vulnerability here that was exploited (answer in
form of CVE-$year-$number).

- CVE-2005-1790

9. From the capture, it is clear that the attacker gets a certain
form of access (i.e. the interface), what (type of) access does
the attacker "get" on the client?

- shell

Submitted To:
Dr. Manoj Kumar, Department of Systemics (SoCS)
Submitted By:
Pulkit Mittal
B-tech CSE-CSF (B-3)
500068183
R134218125