Higher Colleges of Technology

Computer and Information Science

CSF 3103 (Incident Response & Disaster Recovery)

Lab 2: Backup
Before you begin:
The lab environment consists of one Microsoft Azure Windows Server machine with Hyper V
installed. The Azure machine has already been assigned to you. If you have not registered for the
CSF3103 Azure lab yet, check your email for an invitation from Microsoft Azure and follow the
instructions. This lab is based on the previous lab (Security Onion Installation)
Lab Objectives:
1. Backup using rsync
2. Backup using rdiff-backup
3. Archive using tar
Required Resources
• Security Onion virtual machine (Username: hct & password: Letmein)
• Internet access

Student Name: Click or tap here to enter text.

Student ID: Click or tap here to enter text.

1 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

Task1: Backup using Rsync:

Rsync, or Remote Sync, is a free command-line tool that lets you transfer files and directories to
local and remote destinations. Rsync is used for mirroring, performing backups, or migrating
data to other servers.
rsync provides a number of options that control how the command behaves. The most widely
used options are:
1. -a, --archive, archive mode
2. -z, --compress. This option forces rsync to compresses the data as it is sent to the
destination machine/folder
3. --delete. When this option is used, rsync deletes extraneous files from the destination
location. It is helpful for mirroring.
For more rsync command options, use your CIS2903 skills (hint: man and help)
Basic Rsync Usage
The most basic use case of rsync is to copy a single file from one to another local location. Here
is an example:
1. Create a folder to backup your data using mkdir /home/hct/rsync-backup
2. Create a folder called AbuDhabi using the command mkdir AbuDhabi
3. Create 10 files using the command touch AbuDhabi/File{1..10}.txt
4. Use the command below to backup the files you created to the rsync-backup directory.
rsync -avz - - delete AbuDhabi /home/hct/rsync-backup

Note: In real work experience, you use the rsync command to backup your data to
remote servers or external storage media, not in the same system.

2 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

Check that AbuDhabi directory has been backed up in rsync-backup directory. Write the
command you have used: Click or tap here to enter text.

Task2: Backup using rdiff-backup

Rdiff-backup backs up one directory to another, possibly over a network. The target directory
ends up a copy of the source directory. It is used to combine the best features of a mirror and an
incremental backup.
1. Make sure you have access to the internet by opening any website. You need Internet
access for the next step. If you do not have access, check your virtual network adapter
setting. It should be connected to the default switch.
2. Install rdiff-backup using the following command:
sudo apt-get install rdiff-backup

Basic use of rdiff-backup:

3 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

3. Backup the local directory ADMC to the local directory HCT. HCT will end up with a
copy of ADMC, except it will contain the directory ADMC/rdiff-backup-data, which will
allow rdiff-backup to restore previous states.
4. Create new directories ADMC and HCT in the HCT home directory and one file called
test1 in the ADMC.
rdiff-backup ADMC HCT

5. Restoring:
We have run rdiff-backup ADMC HCT, with both ADMC and HCT as local directories. Say
we accidentally deleted ADMC and now want to restore it from HCT.
Since rdiff-backup makes a mirror, we can retrieve files using standard commands like cp.
cp -a HCT ADMC

Task3: Archive using tar

The primary function of the Unix/Linux tar command is to create backups/archives. It is used to
create a ‘tape archive’ of a directory tree that could be backed up and restored from a tape-based
storage device. The term ‘tar’ also refers to the file format of the resulting archive file. The
archive format preserves the directory structure and the file system attributes such as permissions
and dates.

4 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

Tar Syntax:

tar [function] [options] [paths]

Tar options:
The tar command supports the following functions:
• tar -c: Create a new archive.
• tar -A: Append a tar file to another archive.
• tar -r: Append a file to an archive.
• tar -u: Update files in an archive if the one in the filesystem is newer.
• tar -d: Find the diff between an archive and the filesystem.
• tar -t: List the contents of an archive.
• tar -x: Extract the contents of an archive.

Create a directory in the hct home directory called Tar-Backup:

mkdir /home/hct/Tar-Bakup
Cerate four files in the hct home directory called test1, test2, test3, and test4.
touch test1 test2 test2 test3 test4 OR touch home/hct/text{1..4}

A. Create an archive file containing test1 and test2

tar cvf /home/hct/Tar-Backup/archive.tar test1 test2
Understand the cvf options used in the command above.

B. Verify that the files test1 and test2 have been archived as a tar file.

5 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

C. List the contents of the archive.tar using the following commands:

tar tvf /home/hct/Tar-Backup/archive.tar

D. Extract the contents of archive.tar to the Tar-Backup directory using the following
commands:
Cd /home/hct/Tar-Backup
tar xvf /home/hct/Tar-Backup/archive.tar

E. Verify that the archive.tar has been extracted.

6 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

Questions:

1. Write the rsync command to backup the directory /tmp to /home/hct/rsync-backup with
the following options:
A.Verbose.
B. Compress file data during the transfer.
Click or tap here to enter text.

Use the following command to properly shutdown your Security Onion machine: sudo init 0
2. Search the internet about rsnapshot backup, write a brief description, and compare it to
rsync.
Click or tap here to enter text.

3. Search the internet about the difference between full, incremental, and differential
backup. Write your finding below. (This topic will be covered later)
Click or tap here to enter text.

4. What is the difference between backup and archive?

Click or tap here to enter text.

End of the lab ☺

7 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
CSF 3103 (Incident Response & Disaster Recovery)
Lab Objectives: Investigate suspicious traffic using Sguil.
Required Resources
• Security Onion virtual machine
• Internet access
Student Name: Click or tap here to enter text.

Student ID: Click or tap here to enter text.

Task1: Security Onion Setup:

To work with Sguil, Squert and ELSA, you have to setup the Security Onion machine first by:
1. Double-click on the setup icon on the Desktop and enter the root password “Letmein”.
Click on OK.

2. Click on Yes, Continue!

1 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
3. Click on No, not right now.

4. Select the Evaluation Mode option (Default) and click on OK.

5. Type hct to be the username for Sguil, Squert, and ELSA. Click on OK.

2 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
6. Type Letmein to be used as a password for Sguil, Squert, and ELSA. Click on OK.

7. Confirm the password.

8. Click on Yes, Proceed with the changes! to save your setup.

It takes about 2 minutes to save the setup.

9. Click OK on the remaining dialog messages.

3 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
Task 2: Using Sguil In Investigating Captured Network Data (1)
Sguil (pronounced sgweel) was built for network security analysts. Sguil’s main component is
an intuitive GUI that provides access to real-time events, session data, and raw packet captures.
Sguil facilitates the practice of Network Security Monitoring and event-driven analysis
(Wikipedia).
You will use Sguil to check the IDS alerts and gather more information about the series of events
related to this attack.

Note: The alert IDs used in this lab are for example only. The alert IDs on your VM may be different

Step 1: Open Sguil and located the alerts:

a. Launch Sguil from the Desktop. Login with username hct and password Letmein.
Enable all sensors and click Start.

b. All the alerts you currently see are related to the Operating System Security (OSSEC).
c. Open a Terminal Emulator by clicking the start icon on the upper right corner, then select
Terminal Emulator as shown below:

4 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

d. Create a directory called Pcap-Files in the hct home directory using the following
command: mkdir /home/hct/Pcap-Files
e. Copy example.com-3.pcap from /opt/samples to /home/hct/Pcap-Files using the
following command: cp /opt/examples/samples.com-3.pcap /home/hct/Pcap-Files

f. To generate some alerts type the following:

cd /home/hct/Pcap-Files
sudo tcpreplay –i eth0 -t example.com-3.pcap (This command will generate traffic from the
example.com-3 pcap file)

5 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

g. Now go back to Sguil and observe the generated alerts:

Task 3: Using Sguil In Investigating Captured Network Data (2)

Locate the alert with the event message “ET P2P BitTorrent DHT ping request, and answer the
following questions:

Question Answer
What is the source IP? 192.168.10.128
What is the destination IP? 72.20.34.145
What is the source port number? 36012
What is the destination port number? 6881
What is the rule class-type? 2008581
What is the transport protocol used in the UDP
generated traffic?

6 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
What are the source and destination MAC 00C299CAA25
addresses? (Hint: Pivot to Wireshark by right-
click on the even ID and select Wireshark)
Who is the NIC vendor of the destination Cisco-linksys,LCC
machine? (Hint: Pivot to NetworkMiner by
right click on the even ID and select
NetworkMiner)
Can you view the transcript of this traffic and Bo because its use UDP protocl
why?

Task 4: Using Sguil In Investigating Captured Network Data (3)

Run the following commands:
1. Copy the file example.com-4.pcap from /opt/samples to /home/hct/Pcap-Files
cp /opt/samples/example.com-4.pcap /home/hct/Pcap-Files

2. Replay the traffic in the example.com-4.pcap file using the following command:
Sudo tcpreplay –I eth0 -t /home/hct/Pcap-Files/example.com-4.pcap

3. Locate the alert with the event message “ET INFO .exe File requested over FTP, and
answer the following questions:

7 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
Question Answer
What is the source IP? 192.168.10.128
What is the destination IP? 130.89.149.129
What is the source port number? 1637
What is the destination port number? 21
What is the OS used in the source machine and the Windows xp
service pack based on the operating system fingerprint?
What is the FTP domain name? ftp://ftp.snt.utwente.nl/
What is the warning banner used in this FTP session? If you don like this policy , disconnect
now!
What is the password that was used to log in to this PASSIEUser@
FTP session?

Answer the following questions:

1. How do you resize columns in Sguil? by right-clicking on the column heading in the Sguil
client. ·
2. Now you know what Sguil is. Search the Internet. What is Squert? s a web application
that is used to query and view event data stored
End of the lab ☺
Do not forget to shutdown the Security Onion VM by using the command sudo init 0

8 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
CSF 3103 (Incident Response & Disaster Recovery)
Lab04: Examine simulated traffic on a network using Squert
Lab Objectives: Investigate suspicious traffic using Squert.
Required Resources:
• Security Onion virtual machine
• Internet access
Student Name: asma

Student ID: h00417552

What is Squert?
"Squert is a web application that is used to query and view event data stored in a Sguil database
(typically IDS alert data). Squert is a visual tool that attempts to provide additional context to
events through the use of metadata, time series representations and weighted and logically
grouped result sets" (Wikipedia).
Task 1: Copy the necessary file
Copy bredolab-sample.pcap file from /opt/samples to /home/hct/Pcap-Files directory using
the following command:
cp /opt/samples/example/bredolab /home/hct/Pcap-Files

Task 2: Replay the copied Pcap file

Navigate to the /home/hct/Pcap-Files directory, where bredolab-sample.pcap. If not found,
repeat task 1.
Run the following command:
sudo tcpreplay -i eth0 –t /home/hct/Pcap-Files/bredolab-sample.pcap (Password: Letmein)
This command replays network traffic stored in the bredolab-sample.pcap file onto security
onion's network card as if the network activity were happening again, live.

1 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
You should see the following at the end of your output:

Task 3: Log in to Squert to Investigate

1. Log in to Squert using the Squert icon on the Security Onion desktop using the
username: hct and the password: Letmein.
If you get the SSL warning message, bypass it by clicking "ADVANCED" then "(Proceed to
localhost unsafe)."
2. Each row in Squert lists an IDS event. Click on the QUEUE "12" (Yours might have a
different number) button on the row with ET TOROJAN Tibs/Harnig Downloader
Activity to see the detail of this alert.

2 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
If you do not see any events of the event you are looking for, press the Squert's "Refresh"
button (not the browser refresh button).
Note: You can filter by typing trojan in the filter at the upper right corner of the screen and
hit enter.

More details will appear below when you click this number (12 in this case), including the
associated IDS event's source and destination IP addresses.

Note: These events have the same source and destination IP addresses. They appear
more than one time, because the pcap file has been run multiple times.

3 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
Answer the following question according to the rule that triggered this event:

Question
What is the destination IP address, and what
country does it belong to?
Is the source IP address public or private, and
why?
What are the source and destination port
numbers? (Hint: Click on the event ID to get
the pcap transcript via capMe)
What is the source hostname?
What is the class-type of this attack?
When was the metadata created?
Based on the Microsoft reference URL given
in the rule, what is the threat (Harnig)
behavior?
Based on the Microsoft reference URL given
in the rule, How does the Harnig work? (Hint:
look at the payload section)
Answer
195.2.253.92 Romania
Private because it started with 192.168
Source ports 1032 destination port 80
Acxerox.com
Trojan-activity
2010_7_30
Is a trojan family that downloads and executes
arbitrary files in the system
Tries to connect to a remote server to download and
execute arbitrary files in the local machine. Saves
downloaded files to root of the C: drive with a
randomly generated file name.

Questions

When Squert first opens, you will see a list of all the events. Squert's visualization tools will help
identify suspicious sessions or behaviors without knowing too much about the data and events.

4 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

1. Navigate both SUMMARY and VIEWS tabs are write the benefits of these tabs:
Summary tab: provides the summary of all the alerts on the system, and separate those source ip address
that has the highest traffic received from a specified location

Views tab: it helps to view the traffic in a more convenient visualization

End of the lab ☺
Do not forget to shutdown the Security Onion VM by using the command sudo init 0

5 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
CSF 3103 (Incident Response & Disaster Recovery)
Lab05: Evaluate captured traffic using Wireshark & NetworkMiner
Lab Objectives:
• Capture and view HTTP traffic
• Capture and view HTTPS traffic
Required Resources:
• Security Onion virtual machine
• Internet access
Student Name: Click or tap here to enter text.
Student ID: Click or tap here to enter text.
Task1: Using Wireshark to Examine HTTP and HTTPS Traffic
HyperText Transfer Protocol (HTTP) is an application layer protocol that presents data via a
web browser. With HTTP, there is no safeguard for the exchanged data between two
communicating devices.
With HTTPS, encryption is used via a mathematical algorithm. This algorithm hides the true
meaning of the data that is being exchanged. This is done through the use of certificates.
Regardless of HTTP or HTTPS, it is only recommended to exchange data with websites that
you trust. Just because a site uses HTTPS does not mean it is a trustworthy site. Threat actors
commonly use HTTPS to hide their activities.
In this task, you will explore and capture HTTP and HTTPS traffic using Wireshark.
Task1-A: Capture and view HTTP traffic
In this part, you will use tcpdump command to capture the content of HTTP traffic. You will
use command options to save the traffic to a packet capture (pcap) file. These records can
then be analyzed using different applications that read pcap files, including Wireshark.
1. Start the Security Onion VM (Azure). Use the following user credentials:
Username: hct
Password: Letmein
2. Open a terminal and start tcpdump.
A. Open a terminal application and enter the command ifconfig.

1 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

B. List the interfaces and their respective IP addresses displayed in the ifconfig output:
Click or tap here to enter text.
C. Create a new directory name Lab05 in the hct home’s directory, and then change the
current directory to Lab05 directory.
D. Starts tcpdump and records network traffic on the eth0 interface by using the
following command: sudo tcpdump –i eth0 –s 0 –w httpdumpLab5.pcap

This command starts tcpdump and records network traffic on the eth0 interface.
The -i command option allows you to specify the interface. If not specified, the tcpdump
will capture all traffic on all interfaces.
The -s command option specifies the length of the snapshot for each packet (0-65535).
You should limit snaplen (Snapshot Length) to the smallest number that will capture the
protocol information in which you are interested.
The -w command option is used to write the result of the tcpdump command to a file.
Adding the extension .pcap ensures that operating systems and applications will be able
to read to file.
E. Open The Chromium web browser within the Security Onion. Navigate to
http://www.webscantest.com/login.php
F. Enter a username of admin with a password of admin and click login.

G. Close the web browser after you log in successfully.

2 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
H. Return to the terminal window where tcpdump is running. Enter CTRL+C to stop the
packet capture.
Task1-B: View the HTTP capture.
The tcpdump executed in the previous step printed the output to the file named
httpdumpLab05.pcap. This file is located in the directory /home/hct/Lab05.

1. Open httpdumpLab05.pcap with Wireshark by using the following command:

Wireshark httpdumpLab05.pcap
Note: you have to be in the Lab05 directory to use the above command or write the file's
path.

2. After Wireshark load the httpdumpLab05.pcap file, filter for http and click Apply.

3. Browse through the different HTTP messages and select the POST message.

3 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
4. In the lower window, the message is displayed. Expand (Click on the “+” sign) the
HTML Form URL Encoded: application/x-www-form-urlencoded section.

5. What two pieces of information are displayed? Username and password

Task1-C: View the HTTPS capture.
Repeat the steps you have done in Task1-2 using the website www.gmail.com or any other email
service provider website (e.g. www.yahoo.com, www.hotmail.com or https://id.cisco.com if you
took CIN2103), which you already have an account with. Call your tcpdump output file
httpsdumpLab05.pcap.
Are you able to see the username and password in Wireshark, and why? Click or tap here to enter
text.

Task2: Analyze captured file (pcap) using Wireshark.

1. Download Lab05.pcap file from Lab05 Blackboard learn folder to your local machine,
and email it to yourself.
2. Open your email using the web browser with in the security onion, and download the
Lab05.pcap into the Lab05 directory under the hct home’s directory.
3. Open Lab05.pcap with Wireshark and answer the following questions:
Question Answer
What was the username and password used in password:cdts3500\r\n username:ctds3500
the FTP session?
What is the idle connection duration time for more than 5 minuts
the FTP session?

4 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
What is the source IP address that initiated the 10.20.144.151
FTP connection?
What is the IP address of the FTP server? 10.20.144.151
What are the source and destination port 35974 21
numbers for the frame number 11?
What are the frames involved the TCP 3-way 1,2,3
handshake?
From which frame did the telnet start? 56
What were the source and destination port 35977 23
numbers in the frame number 66?

Task3: NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can
be used as a passive network sniffer/packet capturing tool in order to detect operating systems,
sessions, hostnames, open ports, etc, without putting any traffic on the network (NetreseC).
1. Start Networkminer.

2. Click on file, Open and then browse to the httpdumpLab5.pcap

3. Wait until NetworkMiner load the captured file.

5 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
4. Navigate through all the NetworkMiner tabs to discover their purposes.
5. Answer the following questions:
Question Answer
What is the MAC address associated with Click or tap here to enter text.
www.webscantest.com?
What is the webserver OS the webscantest.com Click or tap here to enter text.
running on and its version?
Is the connection to the server secure or not, and Click or tap here to enter text.
why?

Questions

1. What are the advantages of using HTTPS instead of HTTP? Click or tap here to enter text.
2. When using HTTPS, the data payload of a message is encrypted and can only be viewed
by the devices that are part of the encrypted conversation yes or no, and why. Click or tap
here to enter text.
3. Tcpdump has an option to set Snapshot Length called _________________.
☐ A. Snapin
☐ B. Snaplimit
☐ C. Snapbit
☒ D. Snaplen

4. Are all websites that use HTTPS considered trustworthy? Click or tap here to enter text.

6 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
CSF 3103 (Incident Response & Disaster Recovery)
Lab06: Use Xplico to examine pcap files
Lab Objectives: Investigate suspicious traffic using Xplico.

Required Resources:
• Security Onion virtual machine
• Internet access
Student Name: shouq Abdalla
Student ID: h00422778

What is Xplico?
Xplico is a network forensics analysis tool (NFAT), which reconstructs the contents of
acquisitions performed with a packet sniffer (e.g., Wireshark, tcpdump, Netsniff-ng).
The goal of Xplico is to extract the internet traffic to capture the data of the application
contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP
protocols), all HTTP contents, each VoIP call (SIP, RTP), IRC, MSN…Xplico is able to classify more
than 140 (application) protocols. (Wikipedia)
Task1: Install Xplico:
1. To install Xplico, run the following command:
sudo apt-get install xplico

Press Y and hit enter to continue

1 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
2. To check the status of the Xplico service, rune the following command:
sudo service xplico status (password: Letmein)

It shows the Xplico is running. Just in case it showed that Xplico is not running, you need to run
the following command to start it to make it running:
sudo service xplico start
3. Create a new directory in the HCT home directory call it Xplico (mddir
/home/hct/Xplico)
4. Copy the file snort.log.1362864654 from /opt/samples/pnsm/ch10 to the Xplico
directory.
cp /opt/samples/pnsm/ch10/snort.log.1362864654 /home/hct/Xplico

Task2: Access Xplico through a Web Browser:

Open the Chromium web browser and type localhost:9876, where 9876 is the Xplico standard
port number.
Use the default username xplico and password xplico

2 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
Task3: Creating a new case and session, uploaded a pcap file, and then investigate.
1. Click on New Case and Uploading PCAP capture file/s (Default). Enter Lab6 as the case
name and HQ as an External reference, and then click on Create.

2. After the Lab6 case has been created, click on it as shown below to create a new
session.

3. Click on New Session.

4. Enter Lab6-Pcap1 as the Session name, and then click on Create.

5. Now click on the session name to upload the captured file (snort.log.1362864654) that
you copied to the Xplico directory.

3 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

6. Click Choose File, then browse to the Xplico directory, select the File
snort.log.1362864654, and then click on Upload.

7. Make sure that it says File uploaded, wait start decoding … (It is doing the magic)

8. Wait until it says, “decoding completed”.

4 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
9. Observe the highlighted boxes, which have some decoded information. The bottom
right box has the number of undecoded information.

10. Click on Undecoded on the left side, and then select TCP-UDP.
The screen below shows the destination IP, port, date, time, connection duration and
contains more details of info.xml. Captured destination IP addresses are colored in red;
you can see more information by clicking on the IP address.

11. Click on the first destination IP address (in red) and observe the output.
12. On the left side, click on Graphs then Arp, and answer the following questions:
A. What type of information can you get from this window? Click or tap here to enter
text.

5 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
B. Write the MAC address that associated with the 192.168.3.130: Click or tap here
to enter text.

Task 4: Getting the necessary files

Download the Lab6.pcap, Lab6SIP1.pcap, and Lab6SIP2.pcap files from Lab6 folder (BBL) to
your local machine. Email these files to yourself, open your email within Security Onion, and
upload the files to the Xplico folder you created in the hct home’s directory in security onion
You need to send these files in two separate emails due to the size limitation. Send
Lab6.pcap.gz (compressed file) first and then Lab6SIP1.pcap, and Lab6SIP2.pcap.
Use the command gunzip Lab6.pcap.gz to decompress it.
Task 5: Analyzing a captured (Pcap) file

Add a new session in the Lab6 case and name it Lab6BR and Upload Lab6.pcap. After Xplico
finishes decoding the Pcap file, answer the following questions:

Question
What is the IP address associated with the MAC
address 00:04:75:ea:13:01?
What is the IP address of the host webmail.aol.com
What is the webmail sender address with the subject
“Welcome to Your New Email Account?”
Was there any file(s) downloaded using FTP? If yes,
who downloaded the file(s)?
What is the layer 7 protocol used for remote
connection and the username used?
Answer
192.168.1.111
Click or tap here to enter text.
Click or tap here to enter text.
Click or tap here to enter text.
Click or tap here to enter text.

Task 6: Reassemble a captured Session Initiation Protocol (SIP) voice using Xplico
1. Create a new case and session as follows:
A. Case name: SIP1
B. External reference: Phone-Call
C. Session name: Lab6-Session
2. Upload the Lab6SIP1.pcap you downloaded in step 1.
3. After Xplico finishes decoding, click on Voip >> Sip and click on the duration time as
shown below to play the captured file.

6 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

4. You will not be able to play this phone conversation because the Adobe flash add-on is
not installed (Adobe flash is not supported anymore).
5. Still, you can play SIP messages using the Xplio web-based tool by accessing the
following link: https://pcap2wav.xplico.org/ from your laptop/PC or the Azure windows
VM, but NOT security Onion. You need to download Lab6SIP1.pcap and Lab6SIP2.pcap
file from your email to the same machine where you access this website.
6. Click on Create a new session.

7. Click on Add files and select Lab6SIP1.pcap.

7 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
8. Click on the .wav files to download them, save the downloaded files anywhere on your
PC/laptop, and play them (Magic!).
Task 7: Do it yourself
Try to play Lab6SIP2.pcap using the same technique (Steps 5 – 8).
Were you able to play Lab6SIP2.pcap? Click or tap here to enter text.
Task 8: Live acquisition
1. Create a new live acquisition case called Lab6Live with External reference LA as shown
below:

2. Create a new session and name it Lab6LA.

3. After you click on the Lab6LA session, select the interface that you want Xplico to listen
on.

4. Click on Start and make sure that it says listening at the interface you selected.

8 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

5. Open the Chromium web browser and type www.cnn.com. Wait for a while to see some
captured data, especially under Dns, Arp –Icmpv6.
6. If too much data has been captured, as shown below, you can search for what you are
looking for by typing a keyword in the search field.

9 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
7. Search for cnn.

What is the IP address of www.cnn.com? Answers may vary Click or tap here to enter text.

Questions

1. What is the difference between Xplico and Wireshark? Click or tap here to enter text.
2. Explain how to capture traffic in Xplico: Click or tap here to enter text.

10 | Student Lab Manual CSF 3103 Created by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
CSF 3103 (Incident Response & Disaster Recovery)
Lab07: Using Chaosreader application to examine a Pcap file
Lab Objectives:
• Examine a Pcap file using Chaosreader
Required Resources:
• Security Onion virtual machine
• Internet access
Student Name: Click or tap here to enter text.
Student ID: Click or tap here to enter text.
How Chaosreader works?
Chaosreader traces TCP/UDP/others sessions and fetches application data from snoop, Pcap
files, or tcpdump logs. After parsing the network traffic, Chaosreder generates an HTML index
file that links to all the session details, including real-time replay programs for telnet, rlogin,
IRC, X11, and VNC sessions. Similarly, traffic session streams, traced and made into HTML
reports for further inspection. Further, particularized reports are generated pertaining to image
files captured in traffic and HTML GET/POST contents (Forensicswiki).
Task1: Getting the necessary Pcap file
1. Start the Security Onion Virtual machine after login to the Microsoft Azure virtual lab.
2. Open a terminal session.
3. Create a new directory call it Lab07 in the hct home’s directory. (mkdir Lab07)
4. Login to CSF3103 Blackboard Learn course shell.
5. Click on Course Labs, lab07, and download Lab07.pcap.gz file to your local machine.
6. Email Lab07.pcap.gz to yourself, and download it to the Lab07 directory.
Task2: Using Chaosreader
1. Change your current directory to /home/hct/Lab07 where you have Lab07.pcap.gz file.
2. Use the command gunzip to decompress the Lab07.pcap.gz file.

1 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
Note: in Lab07 directory, you have only the Lab07.pcap file.
3. Use Chaosreader to traces TCP/UDP/others sessions and fetches application data from
Lab07.pcap using the following command: chaosreader –v Lab07.pcap
-v is the option that produces verbose output on your screen, where you observe what is
going on.
Note: Make sure you are in the correct directory (Lab07) and you have the Lab07.pcap
file in it.

4. After you hit enter, Chaosreader will trace all the TCP and UDP sessions available in the
Lab07.pcap file.

Note: Chaosreader breaks every session/stream with its respective protocol (E.g. session/steam
number 0236 used the protocol http, and session/stream number 0894 used the protocol https)
5. List the Lab07 directory contents using the command ls to see all the traced sessions files.
6. Open the Chromium internet browser in Security Onion and type the following in the
URL field: file:///home/hct/LabFiles/Lab07/index.html to view all the traced sessions.

2 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

7. The Chaosreader report above shows some TCP/UDP sessions information captured in
the Lab07.pcap file, such as date/time stamp, length, source and destination IP addresses,
the protocol used, size, and output.
8. Answer the following questions regarding the telnet session after you click on as HTML
(Session 1020):

Question Answer
What is the source IP address that the telnet Click or tap here to enter text.
session was initiated from?
What is the port number that was used by Click or tap here to enter text.
telnet?
What is the correct password used in this Click or tap here to enter text.
telnet session
What is the username used in this telnet Click or tap here to enter text.
session?
What is the website that the user pinged? Click or tap here to enter text.
What is the first command that was issued Click or tap here to enter text.
after login?
What is the last command that was issued in Click or tap here to enter text.
this telnet session?
Note: To return to the index page, click the browser’s back button.

3 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
9. Return to the main Chaosreadr page by using the back arrow, then click on the Image
Report, and look for the image below:

A. What is the source and destination IP address, along with their respective port numbers?
Click or tap here to enter text.
B. What is the date and time when the image was accessed? Click or tap here to enter text.
Task3: Replay traced sessions from the command line (Terminal)
Alternatively, you can replay this entire session from the command line so that you
can see exactly what has been done. Look for the file named
session_1020.telnet.replay, which we will use to view the telnet session from the
command line. Any file created by Chaosreader that has a replay extension can be
replayed from the command line, as you are about to do.
Minimize the browser and restore the terminal window you minimized earlier.
Type ./session_1020.telnet.replay. Your screen should look similar to what is shown
in the figure below. After you press Enter, you will now see the Telnet session
replayed in its entirety from the command line. Moreover, this will give you a better
understanding of what has been done in real-time.

4 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

Questions

Write a brief reflection about what you have learned from this lab. Click or tap here to enter text.

5 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
CSF 3103 (Incident Response & Disaster Recovery)
Lab08: Using Ostinato to generate random packets
Lab Objectives:
• Generate a stream of packets
• Analyze the generated packets using Wireshark
Required Resources:
• Security Onion virtual machine
• Internet access
Student Name: Click or tap here to enter text.
Student ID: Click or tap here to enter text.
What is Ostinato?
Ostinato is a versatile packet crafter, Pcap player, and traffic generator with an intuitive GUI. It
is an open-source network traffic generator that also has options for packet manipulation and
analysis. It has a very simple GUI to carry out the same operations; it supports most common
protocols and Python API to carry out automated tasks. (Ostinato.org)
Task1: Installing Ostinato
Install Ostinato in the Security Onion machine using the following command:
sudo apt-get install ostinato

Type Y when you prompted to continue [Y/N]

1 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
Task2: Starting Ostinato and configure a New Stream
After a successful installation, Ostinato has a client-server model where servers can be run on
multiple hosts. The client can connect to multiple servers, allowing a single client to manage
ports and present in multiple servers.
1. To start both client and server, use the following command:
sudo ostinato
2. Click on the "+" sign to display all the available ports as shown below:

After you click on the "+" sign, all the available ports will be displayed.

2 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
3. Click on the loopback Port (lo) that has a green dot beside it.

4. Right-click on the white space to start a New Stream.

5. Right-click on the New Stream and select Edit Stream.

3 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
6. Under the Protocol Selection tab, select the following options:

7. Under the Protocol Data tab, select the following options:

Click the Internet protocol ver4 bar -> source field = 1.1.1.1, and the destination
field = 2.2.2.2

4 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
8. Under the Protocol Data tab click on Payload Data and select Random as the payload
data type.

9. Click "Stream Control" and change the value in the Number of Packets = 30

10. Click on OK.

11. Click on Apply.

5 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

12. (1) Click on port 10 (lo). (2) Click on Port 0-10 to highlight the column. (3) Click on the
Start Capture icon labeled 3. (4) Click on Start Tx icon labeled 4.

13. Click on the Stop Tx labeled 1 first, and then click on View Capture Buffer labeled 2.

6 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science
14. After you click on the View Capture Buffer, it opens the transmitted packets in
Wireshark. If you get any error message, just ignore it by click on OK.

15. Once Wireshark starts and displays the frames, apply the filter as below in the expression
bar. ip.addr == 1.1.1.1
16. We can see the packets we crafted for this lab, proving we were successful in our efforts.

17. Observe the first frame was sent by 1.1.1.1 in the Wireshark and answer the following
questions. (Answers may vary from student to student)
Question Answer
Frame Length Click or tap here to enter text.
Destination IP address Click or tap here to enter text.
Source port number Click or tap here to enter text.
Window size value Click or tap here to enter text.
TCP payload value Click or tap here to enter text.
Sequence number Click or tap here to enter text.
Protocol Click or tap here to enter text.

7 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed

 Higher Colleges of Technology
Computer and Information Science

Questions

1. What is the difference between Ostinato and Wireshark? Click or tap here to enter text.
2. What is the difference between packet crafter and packet generator? Click or tap here to enter
text.

8 | Student Lab Manual CSF 3103 Enhanced by: Ayman Ahmed