Lab04-Evaluate Incidents Using Wireshark & NetworkMiner

The document outlines a lab exercise focused on evaluating incidents using Wireshark and NetworkMiner, emphasizing the differences between HTTP and HTTPS protocols. It includes step-by-step tasks for capturing and analyzing HTTP and HTTPS traffic, as well as using NetworkMiner for network forensic analysis. Participants are instructed to utilize Security Onion VM and tcpdump commands to capture traffic and analyze it with Wireshark and NetworkMiner.

Lab 4: Evaluate Incidents using Wireshark and NetworkMiner

HyperText Transfer Protocol (HTTP) is the application-layer protocol a web browser uses to request and
receive web content. HTTP carries everything in cleartext: there is no confidentiality, integrity or
authenticity protection for the data exchanged between the two communicating devices, so anyone on
the network path can read or alter it.
HTTPS is HTTP carried inside a TLS connection. TLS encrypts the exchanged data so that an observer on
the path sees only ciphertext, and it uses certificates to authenticate the server, so the client can
verify that the key it encrypts to belongs to the site it intended to reach.
Regardless of HTTP or HTTPS, only exchange data with websites that you trust. A site using HTTPS is
not automatically trustworthy: a certificate proves that the server controls the domain name, not that
its operator is honest. Threat actors commonly use HTTPS to hide their activities from network
monitoring, because the payload of their sessions is opaque in a packet capture.
In this lab, you will capture HTTP and HTTPS traffic with tcpdump and explore it using Wireshark and
NetworkMiner.
Required Resources
• Security Onion VM
• Internet access
Task 1: Capture and view HTTP traffic
1. In this part, you will use the tcpdump command to capture HTTP traffic and save it to a packet
capture (pcap) file using the appropriate command options. The file can then be analyzed by any
application that reads pcap files, including Wireshark and NetworkMiner.
2. Start the Security Onion VM. Username: hct Password: Letmein
3. Open a terminal and start tcpdump.
a. Open a terminal application and enter the command ifconfig (on systems without ifconfig, ip addr
shows the same information).
b. List the interfaces and their respective IP addresses displayed in the ifconfig output.
c. Create a new directory named Lab04 in the hct home directory, and then change the current
directory to Lab04.
d. Start tcpdump and record network traffic on the eth0 interface with:
sudo tcpdump -i eth0 -s 0 -w httpdumpLab04.pcap
This command starts tcpdump and records network traffic on the eth0 interface (substitute the
interface name you found in step b if it differs). Root privileges are needed to open the interface,
hence sudo.
• -i specifies the interface to capture on. If omitted, tcpdump picks an interface itself (the first
configured, non-loopback interface it finds), which is not the same as capturing on all interfaces;
to capture on every interface, use -i any.
• -s specifies the snapshot length, the number of bytes kept from each packet. -s 0 selects the
default maximum (262144 bytes in current tcpdump releases), so whole packets, including the HTTP
bodies you want to inspect, are saved rather than truncated.
• -w writes the raw packets to the named file instead of printing decoded output to the terminal.
e. Open the Chromium web browser within the Security Onion VM.
f. Navigate to http://testphp.vulnweb.com/login.php (note the plain http:// scheme: this is a
deliberately insecure test site, so the login will travel in cleartext).

CSF 3103 – Incident Response and Disaster Recovery 1


g. Enter the username test with the password test and click Login. Any username and password will
do, since the point is to observe what is sent on the wire.

h. Close the web browser after the login completes.


i. Return to the terminal window where tcpdump is running and press Ctrl+C to stop the packet
capture.
4. Open httpdumpLab04.pcap in Wireshark using the following command:
wireshark httpdumpLab04.pcap
Note: you have to be in the Lab04 directory to use the above command, or give the file's full path.
5. After Wireshark loads httpdumpLab04.pcap, enter http in the display filter bar and apply it. Only
HTTP requests and responses remain visible.

6. Browse through the HTTP messages and select the POST message sent to login.php.
7. The packet details pane below shows the decoded message. Expand the form body (shown as HTML Form
URL Encoded: application/x-www-form-urlencoded in current Wireshark releases, or as Line-based text
data: application/x-www-form-urlencoded in older ones). The username and password you typed are
visible in cleartext, which is the point of the exercise.



Task 2: Capture and view HTTPS traffic
Repeat the steps of Task 1 against the website www.gmail.com or any other e-mail service you already
have an account with (e.g. www.yahoo.com, www.hotmail.com, or https://id.cisco.com if you took
CIN2103). Name your tcpdump output file httpsdumpLab04.pcap.
In Wireshark, the http filter will now match little or nothing, because the login form is carried
inside TLS. Apply the filter tls (ssl in older releases) instead and compare what is visible: the
Client Hello with the server name, the Server Hello, the server certificate if the connection uses
TLS 1.2, and then only encrypted application data. Your username and password appear nowhere in the
capture.
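To make concrete what the two captures reveal, here is an added Python example, written for this page and not part of the lab handout, of tcpdump or of Wireshark. It walks a pcap file the way the http display filter does and reports, per TCP segment, either the cleartext form fields of an HTTP POST (Task 1) or just the server name carried in a TLS Client Hello (Task 2). The capture it reads is constructed in memory by a small pcap writer; the addresses, ports, the form field names uname and pass, and the hostnames are assumptions chosen for the example, not values taken from the lab. It uses only the standard library, so it runs on the Security Onion VM as is; to try it on your own file, replace SAMPLE_PCAP with open("httpdumpLab04.pcap", "rb").read().

```python
import struct
from urllib.parse import parse_qs

PCAP_MAGIC, LINKTYPE_ETHERNET, IPPROTO_TCP = 0xA1B2C3D4, 1, 6

def build_pcap(flows):
    """Construct an Ethernet/IPv4/TCP pcap from (src, dst, sport, dport, payload) tuples; checksums stay 0."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for src, dst, sport, dport, data in flows:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                       # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # ts_sec, ts_usec, incl, orig
    return bytes(out)

def tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for each TCP segment of a classic little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only classic little-endian microsecond pcap is handled here")
    off = 24                                                          # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != IPPROTO_TCP:
            continue                                                  # not IPv4-over-Ethernet carrying TCP
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]       # data offset is in 32-bit words

def http_post_form(payload):
    """Decode the form fields of an HTTP POST with a urlencoded body; None for anything else."""
    if not payload.startswith(b"POST "):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = [h.lower() for h in head.decode("latin-1").split("\r\n")[1:]]
    if not any(h.startswith("content-type: application/x-www-form-urlencoded") for h in headers):
        return None
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}

def tls_sni(payload):
    """Return the server_name from a TLS ClientHello; None for anything else or malformed input."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                                   # not a handshake record with a ClientHello
    try:
        p = 5 + 4 + 2 + 32                                            # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                           # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]             # cipher_suites
        p += 1 + payload[p]                                           # compression_methods
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                            # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                          # length fields lied; treat as not SNI
    return None

def client_hello(host):
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type host_name(0), length, name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)                      # version, random, sid, suites, comp, exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def summarize(pcap):
    findings = []                                                     # what an analyst learns per segment
    for src, dst, sport, dport, data in tcp_payloads(pcap):
        form, sni = http_post_form(data), tls_sni(data)
        if form is not None:
            findings.append(("HTTP POST", f"{src}:{sport}->{dst}:{dport}", form))
        elif sni is not None:
            findings.append(("TLS SNI", f"{src}:{sport}->{dst}:{dport}", sni))
    return findings

# Constructed sample traffic: addresses, ports, field names and hostnames are assumptions.
POST_BODY = b"uname=test&pass=test"
HTTP_LOGIN = (b"POST /login.php HTTP/1.1\r\nHost: testphp.vulnweb.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: %d\r\n\r\n" % len(POST_BODY) + POST_BODY)
SAMPLE_PCAP = build_pcap([
    ("10.0.2.15", "192.0.2.10", 51234, 80, HTTP_LOGIN),
    ("10.0.2.15", "192.0.2.20", 51235, 443, client_hello("mail.google.com")),
])
if __name__ == "__main__":
    print(*summarize(SAMPLE_PCAP), sep="\n")
```

Run against the sample, the HTTP segment yields the username and password themselves, while the HTTPS segment yields only the hostname the browser asked for: that hostname is exactly what a network monitor (or a defender hunting for a threat actor's HTTPS traffic) still gets, and nothing more. The Client Hello parser trusts the length fields inside the record, so it is wrapped in a try/except and returns None on malformed data instead of aborting the walk. A real capture also contains IPv6, VLAN-tagged frames and retransmissions, which this minimal walker simply skips.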
Task 3: Analyze captured file (pcap) using Wireshark
1. Download the Lab04.pcap file from the Lab04 folder on Blackboard Learn to your local machine, and
email it to yourself.
2. Open your email in the web browser within the Security Onion VM and download Lab04.pcap into the
Lab04 directory under the hct home directory.
3. Open Lab04.pcap with Wireshark.
Task 4: NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that also runs on Linux under
Mono, which is how Security Onion ships it. NetworkMiner can be used as a passive network
sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports, etc.,
without putting any traffic on the network (Netresec). It can equally parse an existing pcap file
offline, which is how it is used in this task.
1. Start NetworkMiner.

2. Click File, then Open, and browse to httpdumpLab04.pcap.



3. Wait until NetworkMiner has loaded the captured file.

4. Navigate through all the NetworkMiner tabs (Hosts, Files, Images, Credentials, Sessions, DNS and
the others) to discover their purposes. Compare what the Credentials tab extracts from the cleartext
login of Task 1 with what remains visible for the HTTPS session.
