Chapter 10 - Labs


10.1.6 Spoof MAC Addresses with SMAC

In this lab, your task is to complete the following:
- On Office2, use ipconfig /all and find the IP address and MAC address.
- Spoof the MAC address on ITAdmin to that of Office2 using SMAC.
- Refresh your MAC and IP addresses to match the target machine.

Steps:
1. Open Windows PowerShell (Admin) and type ipconfig /all.
   a. Find the MAC address and the IP address (check the DHCP Enabled line for the adapter).
2. Spoof the MAC address.
   a. Select ITAdmin, type SMAC, right-click it and run as administrator.
   b. In the New Spoofed MAC Address field, type 00:00:55:55:44:15 (the MAC address from Office2).
   c. Select Update MAC.
   d. Select OK to restart the adapter.
3. Refresh the MAC and IP addresses.
   a. Open Windows PowerShell (Admin).
   b. Type ipconfig /all to confirm the MAC address has been updated.
   c. Type ipconfig /renew to update the IP address.

10.1.8 Poison ARP and Analyze with Wireshark

In this lab, your task is to discover whether ARP poisoning is taking place as follows:
- Use Wireshark to capture packets on the enp2s0 interface for five seconds.
- Analyze the Wireshark packets to determine whether ARP poisoning is taking place.
- Use the 192.168.0.2 IP address to help make your determination.
- Answer the questions.

Steps:
1. Open Wireshark and, under Capture, select enp2s0.
2. Select the blue fin to begin the capture.
3. After 5 seconds, select the red box to stop the capture.
4. In the "Apply a display filter" field, type arp and press Enter to show only ARP packets.
5. In the Info column, look for lines containing the 192.168.0.2 IP address. Two different MAC addresses answering for the same IP is the sign that ARP poisoning is taking place.
6. Answer the questions.

Questions:
What is the MAC address of the 1st responding device? 00:00:1B:11:22:33
What was the MAC address of the duplicate responding device? 00:00:1B:33:22:11

10.1.10 Poison DNS

In this lab, your task is to:
- Use Ettercap to begin sniffing and scanning for hosts.
- Set Exec (192.168.0.30) as the target machine.
- Initiate DNS spoofing.
- From Exec, access rmksupplies.com.

Steps:
1. Use Ettercap to begin sniffing and scanning for hosts.
   a. Open Ettercap.
   b. Select Sniff.
   c. Select Unified Sniffing.
   d. Select enp2s0 from Network Interface and click OK.
   e. Select Hosts, then select Scan for hosts.
2. Set Exec (192.168.0.30) as the target.
   a. Select Hosts, then select Host list.
   b. Under IP, select 192.168.0.30.
   c. Select Add to Target 1.
3. Initiate DNS spoofing.
   a. Select Plugins.
   b. Select Manage the Plugins.
   c. Select the Plugins tab.
   d. Double-click dns_spoof to activate it.
   e. Select Mitm, then ARP poisoning, then Sniff remote connections, then OK.
4. From Exec, access rmksupplies.com.
   a. Select Exec.
   b. Open Chrome.
   c. Type rmksupplies.com. The page that loads is RUS Office supplies instead, which shows the DNS spoof is working.

10.1.13 Analyze Email Traffic for Sensitive Data 2

In this lab, your task is to:
- Capture packets on the enp2s0 interface using Wireshark.
- Find packets containing the following information using display filters:
  - Social security numbers (SSN)
  - Birth dates
  - Direct deposit routing numbers
  - Mother's maiden name
  - Favorite car
  - Favorite movie

-- you know how to do it yay --

Steps:
1. Open Wireshark, select enp2s0, and after a few seconds stop the capture.
2. Type tcp contains SSN (tcp contains Movie works as well) and press Enter.
3. Answer the questions.

Questions:
What is George Han's SSN? 111-00-5555
What is Steven Joffer's favorite car? Aston Martin
How many packets contain SSNs? 2
What is the 9-digit bank routing # for Julia? 999912341

10.2.8 Capture HTTP POST Packets with Wireshark

Questions:
Q1. How many HTTP POST packets were captured? Correct answer: 3
Q2. What is the source IP address of the packet containing the clear text password? Correct answer: 192.168.0.98
Q3. What is the clear text password captured? Correct answer: St0ne$@

10.2.6 Perform a DHCP Spoofing Man-in-the-Middle Attack

In this lab, your task is to complete the following:
- On IT-Laptop, use Ettercap to launch a man-in-the-middle DHCP spoofing attack using the following parameters:
  Netmask: 255.255.255.0
  DNS Server IP: 192.168.0.11
- On Support, complete the following tasks:
  - Start a capture in Wireshark and filter the display for DHCP traffic.
  - View the IP address and the gateway in Terminal.
  - Bring the network interface down and back up to request a new DHCP address.
  - In Wireshark, how many DHCP packets were exchanged?
  - View the IP address and gateway again. What has changed?
- On Office1, complete the following tasks:
  - Use tracert to rmksupplies.com to find the path. What is the path?
  - Check the IP address of the computer.
  - Release and renew the IP address assigned by DHCP.
  - Check the IP address of the computer again. What has changed?
  - Use tracert to rmksupplies.com to find the path again. What has changed?
  - Log in to the rmksupplies.com employee portal with the following credentials:
    Username: bjackson
    Password: $uper$ecret1
- On IT-Laptop, find the captured username and password in Ettercap.

Steps:
1. On IT-Laptop, start Unified Sniffing on enp2s0.
   - Open Ettercap, select Sniff, then Unified Sniffing, and select enp2s0.
   - Click OK, then Mitm, then DHCP spoofing. In the Netmask field enter 255.255.255.0, in the DNS Server IP field enter 192.168.0.11, and click OK.
2. On Support, capture and filter for bootp packets.
   - Select Support, open Wireshark, select enp2s0, start the capture, and in the display filter type bootp.
3. Request a new IP address.
   - Open Terminal, type ip addr show, and press Enter. The IP for enp2s0 is 192.168.0.45.
   - Type route. The gateway is 192.168.0.5.
   - Type ip link set enp2s0 down and press Enter.
   - Type ip link set enp2s0 up and press Enter.
   - Open Wireshark. Under Info, notice 2 DHCP ACK packets: one is real, the other is fake (spoofed).
   - Select the 1st DHCP ACK packet and expand Bootstrap Protocol (ACK).
   - Expand Option: (3) Router.
   - Repeat these steps for the second packet.
4. View the current IP.
   - In Terminal, type ip addr show. The IP is 192.168.0.45.
   - Type route and press Enter. The current gateway is 192.168.0.46.
5. On Office1, view the current route and IP address.
   - Select Office1 and open Windows PowerShell (Admin).
   - Type tracert rmksupplies.com and press Enter. The 1st hop is 192.168.0.5.
   - Type ipconfig /all and press Enter. The config is as follows: IP 192.168.0.33, Gateway 192.168.0.5, DHCP server 192.168.0.14.
   - Type ipconfig /release and press Enter.
   - Type ipconfig /renew and press Enter. The default gateway has changed to 192.168.0.46.
   - Type tracert rmksupplies.com. The 1st hop is now 192.168.0.46.
6. In Chrome, log in to the rmksupplies.com employee portal.
   - Open Chrome, type rmksupplies.com, select Employee Portal, enter user bjackson and password $uper$ecret1, and click Login.
7. From IT-Laptop, find the captured username and password in Ettercap.
   - Open IT-Laptop and, in Ettercap, find the username and password.

Questions:
How many DHCP packets were captured in Wireshark? 5
Which gateway addresses are provided in the ACK packets? 192.168.0.5, 192.168.0.46

10.1.12 Analyze Email Traffic for Sensitive Data

In this lab, your task is to:
- Capture packets on the enp2s0 interface using Wireshark.
- Find packets containing invoice emails using display filters.
- Check to see if the following information can be seen in clear text format in the invoice emails:
  - Source and destination email addresses
  - Names of those that sent or received the emails
  - Customer information

Steps:
1. Open Wireshark, select enp2s0, and after a few seconds stop the capture.
2. Type tcp contains Invoice, examine the Info column, and locate:
   - the account manager's email address
   - the recipient's full name
   - the name of the company requesting payment

Questions:
What is the email address of the account manager? [email protected]
What is the recipient's full name on the captured email? Lynette Pratt
What is the name of the company requesting payment? ACME, Inc

10.1.11 Filter and Analyze Traffic with Wireshark

In this lab, your task is to:
- Use Wireshark to capture packets from the enp2s0 interface.
- Use the following Wireshark filters to isolate and examine specific types of packets:
  - net 192.168.0.0
  - host 192.168.0.34
  - tcp contains password
- Answer the questions.

Steps:
1. Open Wireshark, select enp2s0, and select the blue fin to begin the capture.
2. Apply the net 192.168.0.0 filter.
   - Type net 192.168.0.0 and look at the source and destination addresses.
3. Apply the host 192.168.0.34 filter.
   - Type host 192.168.0.34 and look at the source and destination addresses.
4. Apply the tcp contains password filter.
   - Type tcp contains password.
   - Select the red box to stop the capture.
   - Locate the password.

Questions:
What is the effect of the net 192.168.0.0 filter in Wireshark? Packets with either a source or destination address on the 192.168.0.0 network are displayed.
What is the effect of the host 192.168.0.34 filter in Wireshark? Packets with 192.168.0.34 in either the source or destination address are displayed.
What is the captured password? St@y0ut!@

10.3.6 Perform and Analyze a SYN Flood Attack

Questions:
What is the source IP address of the SYN attack? 192.168.0.33
Which of the following MAC addresses is initiating the SYN flood attack? 00:60:98:7F:41:E0 (IT-Laptop)
