Assignment | PDF | File Transfer Protocol | Port (Computer Networking)

The document discusses analyzing network traffic from captured packets, including DNS, FTP, HTTP, and HTTPS traffic. It also covers analyzing attacks such as DDoS and brute force attacks. Various details are extracted from the traffic such as open ports, login credentials, transferred files, and IP addresses.

Assignment 4: Network Traffic Monitoring and Security Analysis

Part 1: Analyzing Captured Packets

Describe the activities observed in captured packets from #5 to #218.

Of the packets in this range only two are DNS; all the rest are TCP. Two DNS packets are a single query and its response, which is far too little to carry tunneled data, so DNS tunneling is not supported by this capture; the lookup most plausibly resolves the target's hostname before the TCP traffic starts. The TCP traffic that follows, a long run of connection attempts from one source to many destination ports on one host, is better explained as network reconnaissance (a port scan) than as command-and-control (C2) communication.

Identify the potential used tool.

Tools such as Nmap, Masscan or ZMap could produce this traffic: they are used for network scanning and reconnaissance, can sweep a range of IP addresses, identify live hosts, and detect open ports and the services running on them.

Explain the potential outcomes and report the open ports found.

The TCP three-way handshake (SYN, SYN/ACK, ACK) is clearly visible, so the source and destination ports can be read directly from the packet list, for example 41230, 80, 56590 and 443. Note that 41230 and 56590 are the scanner's ephemeral source ports, not services on the target. The open ports are the destination ports that answered the SYN with a SYN/ACK, here 80 (HTTP) and 443 (HTTPS); a port that answers with RST is closed, and one that never answers is filtered.

Determine the number of ports used in this activity by hackers.


The Statistics panel in Wireshark (Endpoints) reports 4 Ethernet, 36 IPv4, 162 TCP and 54 UDP endpoints. Ethernet and IPv4 endpoints have no port, so they must not be added in, and a TCP or UDP endpoint is an address:port pair that appeared in the capture, not a port that is open. The number of ports involved in this activity is therefore at most 162 TCP + 54 UDP = 216 endpoints, and the scanner's own ephemeral source ports are among them; only the target ports that answered with SYN/ACK are actually open.
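The distinction above (probed port versus open port, and the scanner's source ports versus the target's service ports) is easiest to see in code. The following is an added example, not part of the assignment: it classifies a constructed list of TCP packets the way an analyst would read the capture, treating a SYN/ACK from the target as open, an RST as closed and silence as filtered. The packets, addresses and ports are invented for the demonstration.

```python
from collections import Counter

# Constructed sample packets, not taken from the assignment's capture:
# (frame_no, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# flags: "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK, "R" = RST
PACKETS = [
    (5,  "10.0.0.5", 41230, "10.0.0.9", 80,    "S"),
    (6,  "10.0.0.9", 80,    "10.0.0.5", 41230, "SA"),  # port 80 open
    (7,  "10.0.0.5", 41230, "10.0.0.9", 80,    "R"),   # scanner tears the half-open connection down
    (8,  "10.0.0.5", 41231, "10.0.0.9", 22,    "S"),
    (9,  "10.0.0.9", 22,    "10.0.0.5", 41231, "RA"),  # port 22 closed
    (10, "10.0.0.5", 56590, "10.0.0.9", 443,   "S"),
    (11, "10.0.0.9", 443,   "10.0.0.5", 56590, "SA"),  # port 443 open
    (12, "10.0.0.5", 41232, "10.0.0.9", 8080,  "S"),   # never answered: filtered
    (13, "10.0.0.5", 41233, "10.0.0.9", 21,    "S"),
    (14, "10.0.0.9", 21,    "10.0.0.5", 41233, "RA"),  # port 21 closed
]


def analyze_scan(packets):
    """Identify scanner and target from the SYNs, then classify each probed port
    by the target's reply: SYN/ACK = open, RST = closed, no reply = filtered."""
    syns = [p for p in packets if p[5] == "S"]
    scanner = Counter(p[1] for p in syns).most_common(1)[0][0]
    target = Counter(p[3] for p in syns).most_common(1)[0][0]
    probed = {p[4] for p in syns if p[1] == scanner and p[3] == target}
    open_ports, closed_ports = set(), set()
    for _, src, sport, dst, _, flags in packets:
        # Only replies from the target back to the scanner say anything about
        # the state of a port; the scanner's own ephemeral ports are irrelevant.
        if src == target and dst == scanner and sport in probed:
            if flags == "SA":
                open_ports.add(sport)
            elif "R" in flags:
                closed_ports.add(sport)
    return {
        "scanner": scanner,
        "target": target,
        "ports_probed": len(probed),
        "open": sorted(open_ports),
        "closed": sorted(closed_ports),
        "filtered": sorted(probed - open_ports - closed_ports),
    }


if __name__ == "__main__":
    print(analyze_scan(PACKETS))
```

On a real capture the same tuples can be exported from Wireshark (or tshark with -T fields) and fed to analyze_scan unchanged; the only thing that changes is where the packet list comes from.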

Part 2: FTP Traffic Analysis

Extract login credentials for FTP.

Identify FTP passive mode port numbers.


In the transcript the client issues EPSV (Extended Passive Mode). The server's 229 reply carries the port for the data connection in the form (|||port|); a classic PASV reply (227) would instead encode the address and port as six comma-separated bytes, with the port equal to p1 * 256 + p2. In the first passive-mode reply the data port is 14139, and in the second it is 61507.

Find directories and files on the FTP server.


Identify the transferred file and its size.

The transcript includes a command to retrieve the size of a file named "users.sh" (SIZE users.sh). The
server responded with "213 2245", indicating that the file "users.sh" has a size of 2245 bytes.
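Both the passive-mode port extraction and the SIZE reply above are simple parsing jobs on the control channel, and the FTP credentials asked for in this part come from the same stream. The block below is an added example, not the assignment's own work: it walks a constructed FTP control transcript and pulls out the cleartext USER/PASS pair, every announced data port (decoding both the EPSV and the classic PASV encoding) and the size the server reported for each file. The credentials, host and port values are sample data; only the file name and size mirror what the transcript reports.

```python
import re

# Constructed FTP control-channel transcript (client commands and server
# replies interleaved), modelled on the exchange the assignment describes.
# Credentials, addresses and port numbers are sample values.
TRANSCRIPT = """\
USER anonymous
331 Please specify the password.
PASS guest@example.com
230 Login successful.
EPSV
229 Entering Extended Passive Mode (|||14139|).
LIST
150 Here comes the directory listing.
226 Directory send OK.
PASV
227 Entering Passive Mode (192,168,0,5,240,67).
SIZE users.sh
213 2245
RETR users.sh
150 Opening BINARY mode data connection for users.sh (2245 bytes).
226 Transfer complete.
"""

EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
SIZE_RE = re.compile(r"^213 (\d+)\s*$")


def parse_ftp_control(transcript):
    """Recover what an analyst wants from the control channel: the cleartext
    credentials, each announced data-connection endpoint as (mode, host, port),
    and the size the server reported for each file queried with SIZE."""
    creds, data_ports, sizes = {}, [], {}
    pending_size = None  # file named in the last SIZE command, awaiting its 213 reply
    for line in transcript.splitlines():
        line = line.rstrip()
        if line.startswith("USER "):
            creds["user"] = line[5:]
        elif line.startswith("PASS "):
            creds["password"] = line[5:]  # FTP sends the password in the clear
        elif line.startswith("SIZE "):
            pending_size = line[5:]
        elif m := EPSV_RE.match(line):
            # EPSV (RFC 2428): only the port is given; the host is the control
            # connection's server address.
            data_ports.append(("epsv", None, int(m.group(1))))
        elif m := PASV_RE.match(line):
            # PASV (RFC 959): four address bytes, then the port as p1*256 + p2.
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            data_ports.append(("pasv", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        elif (m := SIZE_RE.match(line)) and pending_size:
            sizes[pending_size] = int(m.group(1))
            pending_size = None
    return creds, data_ports, sizes


if __name__ == "__main__":
    print(parse_ftp_control(TRANSCRIPT))
```

The data ports recovered here are what a "tcp.port == 14139" style filter needs in order to isolate the data connection that actually carried the file, which lives on a different stream from the control channel.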

Display the content of the downloaded file.


The file content is plain ASCII text; it contains usernames and passwords.

Determine the UTC time of file transfer completion.

The server's "226 Transfer complete" reply marks the end of the transfer. The Arrival Time in the Frame section of that packet's details gives the completion time in UTC (View > Time Display Format > UTC Date and Time of Day shows the same value in the packet list).

Part 3: HTTP Traffic Analysis

Identify the directory and file name of the website's icon.

If we enter this in browser, we can see the website’s icon:


Directory: "/templates/Baskino/images/"; File: "favicon.png"

Extract the login credentials for the website.

As we see, username = shakhnazar and password = CatchMeIfYouCan;

Count the number of HTTPS-related packets (excluding TCP).

HTTPS is HTTP carried inside TLS, so the HTTPS-related packets are the ones that carry a TLS record (handshake, change cipher spec, application data). The display filter tls (ssl in older Wireshark versions) selects exactly those packets and excludes the bare TCP segments of the same connections, such as the handshake and pure ACKs. SSH is a different protocol and the ssh filter would not match HTTPS traffic.

With that filter applied, the capture shows 388 HTTPS-related packets.

Part 4: DNS Analysis

Obtain IPv6 addresses for 'naos.ink' domain.

In the Wireshark capture, filter for the AAAA query for naos.ink (dns.qry.name == "naos.ink" && dns.qry.type == 28) and read the IPv6 addresses from the AAAA records in the Answers section of the response.

Get IPv4 addresses for 'www.googletagmanager.com' domain.

In the response to the A query for 'www.googletagmanager.com' (dns.qry.type == 1), the A record in the Answers section gives its IPv4 address.

IPv4 for 'www.googletagmanager.com' domain: 10.100.1.2.

Identify the Canonical Name for 'cdn77-fs.aj1907.online' domain.

In the Answers section of the response for 'cdn77-fs.aj1907.online', the CNAME record gives its canonical name, as shown in the picture above.

Part 5: Attack Analysis

Analyze captured packets to determine the type of attack.


The capture holds 288,128 packets, and 288,094 of them carry the SYN flag, i.e. almost every packet is a new connection request to the same host and port. Volume alone does not prove an attack; the shape of the traffic does. A stream of SYNs that is never followed by completed handshakes is a SYN flood, a denial-of-service attack, and when the SYNs come from many source addresses it is a DDoS: multiple compromised systems, often distributed across various locations and networks, flood the target with an excessive volume of requests or traffic, rendering it unable to respond to legitimate requests from users.

Explain the dangers associated with this attack.

One of the primary dangers of DDoS attacks is the disruption of online services. By
overwhelming servers or networks with a flood of traffic, attackers can render websites,
applications, or online services unavailable to legitimate users.

In some cases, DDoS attacks may serve as a diversionary tactic to distract security personnel
while attackers attempt to exploit vulnerabilities or launch other types of cyberattacks, such as
data breaches.

Mitigating DDoS attacks and restoring services can incur significant operational costs for
organizations.

Count the number of TCP segments with SYN flags sent.


Using filter, tcp.flags.syn==1, we can count the number of TCP segments with SYN flags sent. Here, we see
that we have 288094 of them.

Identify the target IP address and port.

IP: 192.168.0.20

Port: 80

Part 6: Attack Analysis

Analyze captured packets to determine the type of attack.


Here SYN segments arrive repeatedly from the same IP address (192.168.0.10) and are answered by SYN/ACK segments from the same host (192.168.0.67). Unlike the SYN flood in Part 5, these connection requests are answered, and they are repeated against the SSH port (22) many times in a short period. That is the pattern of a brute-force attack: a large number of repeated login attempts or encryption key guesses, each one made over a fresh connection.

Explain the dangers associated with this attack.

One of the primary dangers of brute force attacks is the risk of unauthorized access to sensitive
systems, accounts, or data. If an attacker successfully guesses the correct credentials or
encryption key, they can gain illicit access to user accounts, administrative privileges, or
confidential information.

Brute force attacks can lead to data breaches, where sensitive information such as personal
data, financial records, or proprietary business data is exposed or stolen.

Brute force attacks can disrupt services and operations by overwhelming authentication
systems, application servers, or network infrastructure with a high volume of login attempts or
encryption key guesses.

Identify the target IP address and port.

We see here, that the target IP address is 192.168.0.10 and port is 22.

List the IP addresses of attackers.


Statistics > Conversations (or Endpoints) in Wireshark lists the source and destination IP addresses. The source addresses, the ones that send the connection requests to the destination, are the attackers' IP addresses.
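Parts 5 and 6 turn on one measurement: whether the flood of SYNs is ever completed into connections. The block below is an added example, not part of the assignment, that makes that measurement on constructed packet lists. It profiles every destination (ip, port) by SYN count, distinct sources and completed handshakes, picks the most-targeted endpoint, and separates an unanswered SYN flood from repeated completed connections to the SSH port, listing the source addresses either way. The generator functions, addresses and counts are invented; the target addresses reuse the ones the assignment reports.

```python
from collections import defaultdict

# Constructed packets, not the assignment's captures:
# (src_ip, src_port, dst_ip, dst_port, flags), flags "S" / "SA" / "A" / "R"


def synthetic_syn_flood(target=("192.168.0.20", 80), n=200):
    """Many distinct (spoofed-looking) sources, one SYN each, none ever answered."""
    return [(f"203.0.113.{i % 250 + 1}", 40000 + i, target[0], target[1], "S")
            for i in range(n)]


def synthetic_ssh_bruteforce(target=("192.168.0.10", 22),
                             attackers=("198.51.100.4", "198.51.100.9", "203.0.113.77"),
                             per_attacker=10):
    """Each attacker completes a handshake, is refused, drops it, and tries again."""
    pkts = []
    for a_i, src in enumerate(attackers):
        for j in range(per_attacker):
            sport = 50000 + a_i * 100 + j
            pkts += [
                (src, sport, target[0], target[1], "S"),
                (target[0], target[1], src, sport, "SA"),
                (src, sport, target[0], target[1], "A"),   # handshake completed
                (src, sport, target[0], target[1], "R"),   # connection dropped after the failed login
            ]
    return pkts


def profile(packets):
    """Per destination (ip, port): SYNs seen, distinct sources, completed handshakes."""
    stats = defaultdict(lambda: {"syn": 0, "sources": set(), "completed": 0})
    half_open = set()  # (client_ip, client_port, server_ip, server_port) that got a SYN/ACK
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            s = stats[(dst, dport)]
            s["syn"] += 1
            s["sources"].add(src)
        elif flags == "SA":
            half_open.add((dst, dport, src, sport))
        elif flags == "A" and (src, sport, dst, dport) in half_open:
            half_open.discard((src, sport, dst, dport))
            stats[(dst, dport)]["completed"] += 1
    return stats


def classify(packets):
    """Pick the most-targeted endpoint and say what kind of traffic hits it."""
    stats = profile(packets)
    (ip, port), s = max(stats.items(), key=lambda kv: kv[1]["syn"])
    completion = s["completed"] / s["syn"]
    if completion < 0.1:
        verdict = "SYN flood"            # requests are never turned into connections
    elif port == 22:
        verdict = "repeated connections to SSH (brute-force candidate)"
    else:
        verdict = "repeated connections"
    return {
        "target_ip": ip,
        "target_port": port,
        "syn_count": s["syn"],
        "distinct_sources": len(s["sources"]),
        "completion_ratio": round(completion, 2),
        "verdict": verdict,
        "attackers": sorted(s["sources"]),
    }


if __name__ == "__main__":
    print(classify(synthetic_syn_flood()))
    print(classify(synthetic_ssh_bruteforce()))
```

The completion ratio is the number to report alongside the raw SYN count: a flood of 288,094 SYNs with almost none completed is a DoS, while a few thousand fully completed, quickly dropped connections to port 22 from a handful of sources is a password-guessing campaign, and the server log analysed in Part 7 is where the individual guesses become visible.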

Part 7: Server Logs Analysis

Analyze server logs to identify the type of attack.


The log shows a large number of failed passwords in a short time period, which points to a brute-force attack.

Count unsuccessful attempts for usernames (Mirth66, Pixel64, Sonic68, Ivory16, Breez100).
Unsuccessful attempts can be counted by searching for "Failed password for [username]". Note that sshd logs attempts against accounts that do not exist as "Failed password for invalid user [username]", so a search for the plain form alone misses those lines.

For Mirth66 = 466; Pixel64 = 135; Sonic68 = 693; Ivory16 = 146; Breez100 = 3998.

Identify IP addresses of attackers.

Filtering part7.txt for lines that begin with "Failed password" and taking the address after "from" on each line gives all the IP addresses of the attackers.

Find usernames from which successful connections were made to the server.
Successful connections appear as "Accepted password for [username]" (or "Accepted publickey for [username]") lines. Successful usernames: Upton36, Sonic68, Snack18, shakh, Mirth66, Pixel64, Ivory16.
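The three searches in this part (failed attempts per user, attacker addresses, successful logins) are one pass over the log, and doing it in code also surfaces the point that a text search misses: an address that failed many times and then got an "Accepted" line is the login to investigate first. The block below is an added example, not the assignment's work. It runs over constructed sshd lines in syslog format; the usernames reuse the assignment's, but every timestamp, address and count is invented, so the numbers it produces are not the assignment's.

```python
import re
from collections import Counter

# Constructed sshd log lines in syslog format. Usernames reuse the assignment's,
# but the counts, timestamps and addresses are invented for this demonstration.
AUTH_LOG = """\
May  3 10:01:01 srv sshd[1201]: Failed password for Mirth66 from 203.0.113.7 port 50122 ssh2
May  3 10:01:02 srv sshd[1202]: Failed password for Mirth66 from 203.0.113.7 port 50123 ssh2
May  3 10:01:02 srv sshd[1203]: Failed password for invalid user Breez100 from 198.51.100.4 port 40211 ssh2
May  3 10:01:03 srv sshd[1204]: Failed password for Pixel64 from 198.51.100.4 port 40212 ssh2
May  3 10:01:05 srv sshd[1205]: Accepted password for Mirth66 from 203.0.113.7 port 50130 ssh2
May  3 10:02:10 srv sshd[1210]: Accepted publickey for shakh from 192.168.0.33 port 51000 ssh2: RSA SHA256:b1d0f6
May  3 10:02:11 srv sshd[1211]: Failed password for Sonic68 from 198.51.100.4 port 40213 ssh2
May  3 10:02:12 srv sshd[1212]: Failed password for invalid user Breez100 from 198.51.100.4 port 40214 ssh2
"""

# "invalid user" is optional so that guesses against non-existent accounts are counted too.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyze_auth_log(text):
    """Count failures per user and per source, list successful users, and flag
    any source that logged in after having failed (a successful brute force)."""
    failed_by_user = Counter()
    failed_by_ip = Counter()
    successes = []  # (user, auth method, ip) in log order
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            user, ip = m.groups()
            failed_by_user[user] += 1
            failed_by_ip[ip] += 1
        elif m := ACCEPTED_RE.search(line):
            method, user, ip = m.groups()
            successes.append((user, method, ip))
    logins_after_failures = sorted({ip for _, _, ip in successes if failed_by_ip[ip] > 0})
    return {
        "failed_by_user": dict(failed_by_user),
        "attacker_ips": sorted(failed_by_ip),
        "successful_users": sorted({user for user, _, _ in successes}),
        "logins_after_failures": logins_after_failures,
    }


if __name__ == "__main__":
    for key, value in analyze_auth_log(AUTH_LOG).items():
        print(f"{key}: {value}")
```

Run against the real part7.txt, the failed_by_user counts should match the per-username search results above once the "invalid user" lines are included, and logins_after_failures is the list of addresses whose "Accepted" line deserves a closer look.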
