Chapter 10 - Labs

10.1.13 Analyze Email Traffic for Sensitive Data 2 In this lab, your task is to: Capture packets on the enp2s0 interface using Wireshark. Find packets containing the following information using display filters: Social security numbers (SSN) Birth dates Direct deposit routing numbers Mother's maiden name Favorite car Favorite movie

-- you know how to do it yay -- Steps: 1. Open Wireshark, select enp2s0, after a few seconds stop 2. Type tcp contains SSN (Movie works as well) and press Enter 3. Questions Questions: What is George Han's SSN? 111-00-5555 What is Steven Joffer's favorite car? Aston Martin How many packets contain SSN's? 2 What is the 9-digit bank routing # for Julia? 999912341

10.2.7 Perform an MITM Attack from a Remote Computer In this lab, your task is to complete the following: On Consult-Lap2, use ssh -X to connect to your rogue computer using the following parameters: IP address: 192.168.0.251 Password: $uper$neaky Use Ettercap and the following parameters to launch a DHCP spoofing man-in-the-middle attack on your rogue computer and attempt to capture any unsecure passwords: Network Interface: enp2s0 Netmask: 255.255.255.0 DNS Server IP address: 192.168.0.11 On Exec, release and renew the IP address assigned by DHCP. Log in to the rmksupplies.com employee portal using the following credentials: Username: bjackson Password: $uper$ecret1 On Consult-Lap2, copy the session ID detected in Ettercap. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie. Verify that you have hijacked the session.

Explanation In this lab, your task is to complete the following: On Consult-Lap2, use ssh -X to connect to your rogue computer using the following paramenters:IP address: 192.168.0.251Password: $uper$neaky Use Ettercap and the following parameters to launch a DHCP spoofing man-in-the-middle attack on your rogue computer and attempt to capture any unsecure passwords:Network Interface: enp2s0Netmask: 255.255.255.0DNS Server IP address: 192.168.0.11 On Exec, release and renew the IP address assigned by DHCP. Log in to the rmksupplies.com employee portal using the following credentials:Username: bjacksonPassword: $uper$ecret1 On Consult-Lap2, copy the session ID detected in Ettercap. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie. Verify that you have hijacked the session. Complete this lab as follows: From Conult-Lap2, connect to your rogue computer as follows:From the Favorites bar, open Terminal.At the prompt, type ssh -X 192.168.0.251 and press Enter.For the password, type $uper$neaky and press Enter.You are now connected to Rogue1. Use Ettercap to launch a DHCP spoofing man-in-the-middle attack as follows:At the prompt, type ettercap and press Enter to launch Ettercap remotely.Ettercap is running on the remote computer, but you see the screen locally.Select Sniff.Select Unified sniffing.From the Network Interface drop-down list, select enp2s0.Click OK.Select Mitm.Select DHCP spoofing.In the Netmask field, enter 255.255.255.0.In the DNS Server IP field, enter 192.168.0.11.Click OK. On Exec, release and renew the IP address as follows:From top navigation tabs, select Buildings.Under Building A, select Floor 1.Under Executive Office, select Exec.Right-click Start and select Windows PowerShell (Admin).Type ipconfig /release and press Enter to release the currently assigned addresses.Type ipconfig /renew and press Enter to request a new IP address from the DHCP server. Log into the rmksupplies.com employee portal as follows:From the taskbar, open Chrome.Maximize the window for easier viewing.In the URL field, enter rmksupplies.com and press Enter.At the bottom of the page, select Employee Portal.In the Username field, enter bjackson.In the Password field, enter $uper$ecret1.Select Login.You are logged in as Blake Jackson. On Consult-Lap2, copy the session ID detected in Ettercap as follows:From the top navigation tabs, select Building A.Under Red Cell, select Consult-Lap2.In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap.Highlight the session ID.Press Ctrl + C to copy. On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows:From the top navigation tabs, select Building A.Under Red Cell, select Consult-Lap.From the taskbar, open Chrome.Maximize the window for easier viewing.In Chrome's URL field, enter rmksupplies.com.Press Enter.In the top right corner, select cookie to open the cookie editor.At the top, select the plus + sign to add a new session cookie.In the Name field, enter .loginIn the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap.Make sure rmksupplies.com appears in the Domain field.Select the green check mark to save the cookie.Click outside the cookie editor to close the editor.At the bottom of the rkmsupplies page, select Employee Portal.You are now on Blake Jackson's web session on your external computer.

10.3.7 Anaylze ICMP Traffic in Wireshark

Explanation In this lab, your task is to create and examine the results of an ICMP flood attack as follows: From Kali Linux, start a capture in Wireshark for the esp20 interface. Ping CorpDC at 192.168.0.11. Examine the ICMP packets captured. Use hping3 to launch an ICMP flood attack against CorpDC. Examine the ICMP packets captured. Answer the questions. Complete this lab as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. Select the blue fin to begin a Wireshark capture. From the Favorites bar, open Terminal. At the prompt, type ping 192.168.0.11 and press Enter. After some data exchanges, press Ctrl + c to stop the ping process. In Wireshark, select the red box to stop the Wireshark capture. In the Apply a display filter field, type icmp and press Enter.Notice the number of packets captured and the time between each packet being sent. Select the blue fin to begin a new Wireshark capture. In Terminal, type hping3 --icmp --flood 192.168.0.11 and press Enter to start a ping flood against CorpDC. In Wireshark, select the red box to stop the Wireshark capture.Notice the type, number of packets, and the time between each packet being sent. In Terminal, type Ctrl + c to stop the ICMP flood. In the top right, select Answer Questions. Answer the questions. Select Score Lab.

10.2.11 Hijack a Web Session

Explanation In this lab, your task is to hijack a web session as follows: On IT-Laptop, use Ettercap to sniff traffic between the employee's computer in Office1 and the gateway. Initiate a man-in-the-middle attack to capture the session ID for the employee portal logon. On Office1, log in to the employee portal on rmksupplies.com using the following credentials:Username: bjacksonPassword: $uper$ecret1 On IT-Laptop, copy the session ID detected in Ettercap. On Office2, navigate to rmksupplies.com and use the cookie editor plug-in in Chrome to inject the session ID cookie. Verify that you hijacked the session. Complete this lab as follows: On IT-Laptop, open Terminal from the sidebar. At the prompt, type host office1 and press Enter to get the IP address of Office1. Type route and press Enter to get the gateway address. Use Ettercap to sniff traffic between Office1 and the gateway as follows:From the Favorites bar, open Ettercap.Maximize the window for easier viewing.Select Sniff > Unified sniffing.From the Network Interface drop-down list, select enp2s0.Click OK.Select Hosts > Scan for hosts.Select Hosts > Host list.We want to target information between Office1 (192.168.0.33) and the gateway (192.168.0.5).Under IP Address, select 192.168.0.5.Select Add to Target 1.Select 192.168.0.33.Select Add to Target 2. Initiate a man-in-the-middle attack as follows:Select Mitm > ARP poisoning.Select Sniff remote connections.Click OK. You are ready to capture traffic. On Office1, log in to the employee portal on rmksupplies.com as follows:From the top navigation tabs, select Floor 1 Overview.Under Office 1, select Office1.From the taskbar, open Chrome.Maximize the window for easier viewing.In the URL field, enter rmksupplies.com.Press Enter.At the bottom of the page, select Employee Portal.In the Username field, enter bjackson.In the Password field, enter $uper$ecret1.Click Login.You are logged into the portal as Blake Jackson. On IT-Laptop, copy the session ID detected in Ettercap as follows:From the top navigation tabs, select Floor 1 Overview.Under IT Administration, select IT-Laptop.In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap.Highlight the session ID.Press Ctrl + C to copy. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows:From the top navigation tabs, select Floor 1 Overview.Under Office 2, select Office2.From the taskbar, open Chrome.Maximize the window for easier viewing.In Chrome's URL field, enter rmksupplies.com.Press Enter.In the top right corner, select cookie to open the cookie editor.At the top, select the plus + sign to add a new session cookie.In the Name field, enter .loginIn the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap.Make sure rmksupplies.com is in the Domain field.Select the green check mark to save the cookie.Click outside the cookie editor to close the editor. At the bottom of the rkmsupplies page, select Employee Portal.You are now on Blake Jackson's web session.

10.3.10 Analyze a DDoS Attack

Explanation In this lab, your task is to: Capture packets from the network segment on www_stage using Wireshark. Analyze the attack using the following filters:tcp.flags.syn==1 and tcp.flags.ack==1tcp.flags.syn==1 and tcp.flags.ack==0 Answer the question. Complete this lab as follows: From the Favorites bar, open Wireshark. Under Capture, select enp2s0. From the menu, select the blue fin to begin the capture. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==1 and press Enter to filter the Wireshark display to only those packets with both the SYN flag and ACK flag.You may have to wait several seconds before any SYN-ACK packets are captured and displayed. Select the red square to stop the capture. In the Apply a display filter field, change the tcp.flags.ack ending from 1 to 0 and press Enter to filter the Wireshark display to packets with only the SYN flag.Notice that there are a flood of SYN packets being sent to 128.28.1.1 (www.corpnet.xyz) that were not being acknowledged. In the top right, select Answer Questions. Answer the question is: there are multiple source address for the syn packets with destination address 128.28.1.1 Select Score Lab.

10.2.8 Capture HTTP POST Packets with Wireshark

Q1How many HTTP POST packets were captured?Your answer:Correct answer: 3 Q2What is the source IP address of the packet containing the clear text password?Your answer:Correct answer: 192.168.0.98 Q3What is the clear text password captured?Your answer:Correct answer: St0ne$@

10.1.6 Spoof Mac Addresses with SMAC In this lab, your task is to complete the following: On Office2 use ipconfig /all and find the IP address and MAC address. Spoof the MAC address on ITAdmin to that of Office2 using SMAC. Refresh your MAC and IP addresses to match the target machine.

Steps. 1. Open Windows Powershell (Admin) and type ipconfig /all a. Find the Mac address and the IP address (look at DHCP enabled) 2. Spoof Mac a. Select ITAdmin, type SMAC- right click and run as admin b. In new spoof mac address field type 00:00:55:55:44:15 from Office 2 c. Select Update MAC d. Select OK to restart adapter 3. Refresh MAC and IP a. Open Windows Powershell (Admin) b. Type ipconfig /all to confirm MAC address has been updated c. Type ipconfig /renew to update IP address

10.2.6 Perform a DHCP Spoofing Man-in-the-Middle Attack In this lab, your task is to complete the following: On IT-Laptop, use Ettercap to launch a man-in-the-middle DHCP spoofing attack using the following parameters: Netmask: 255.255.255.0 DNS Server IP: 192.168.0.11 On Support, complete the following tasks:Start a capture in Wireshark and filter the display for DHCP traffic. View the IP address and the gateway in Terminal. Bring the network interface down and back up to request a new DHCP address. In Wireshark, how many DHCP packets were exchanged?View the IP address and gateway again. What has changed? On Office1, complete the following tasks: Use tracert to rmksupplies.com to find the path. What is the path? Check the IP address of the computer.Release and renew the IP address assigned by DHCP. Check the IP address of the computer again. What has changed? Use tracert to rmksupplies.com to find the path again. What has changed? Log in to the rmksupplies.com employee portal with the following credentials: Username: bjackson Password: $uper$ecret1 On IT-Laptop, find the captured username and password in Ettercap.

Steps: 1. On IT laptop start unified sniffon on the enp2s0 - Open Ettercap, select Sniff, Unified Sniffing, select enp2s0 - Click OK, Mitm, DHCP spoofing, in netmask field enter 255.255.255.0, in DNS server IP enter 192.168.0.11 and click OK 2. On support capture filter for bootp packets - Select Support, open Wireshark, select enp2s0, start capture, in display filter type bootp. 3. Request a new IP address -open terminal, type ip addr show, Enter + IP for enp2s0 is 192.168.0.45 -Type route +the gateway is 192.168.0.5 -type ip link set enp2s0 down /Enter -type ip link set enp2s0 up /Enter -Open Wireshark, under Info notice 2 DHCP ACK packets - one is real/other fake(spoof). -Select 1st DHCP ACK packet, expand Bootstrap Protocol (ACK) -Expand Option: (3) Router -repeat steps for second packet 4. View current IP - Terminal, type ip addr show + IP is 192.168.0.45 - Type route /Enter + current gateway 192.168.0.46 5. On Office 1, view current route/IP address - Select Office1, open Windows Powershell (Admin) - Type tracert rmksupplies.com /Enter +1st hop is 192.168.0.5 -Type ipconfig /all /Enter + config is as follows: IP(192.168.0.33), Gateway(192.168.0.5), DHCP(192.168.0.14) -Type ipconfig /release /Enter - type ipconfig /renew /Enter +default gateway has changed IP address of 192.168.0.46 -type tracert rmksupplies.com +1st hop is now 198.168.0.46 6. In Chrome, login rmksupplies.com employee portal. -Open Chrome, type rmksupplies.com, select Employee Portal, user: bjackson, password: $uper$ecret1, Login 7. From IT-laptop, find captured username/password in Ettercap -Open IT-Laptop, in Ettercap find username/password Questions: How many DHCP packets were captured in Wireshark? 5 Which gateway addresses are provided in the ACK packets? 192.168.0.5, 292.168.0.46

10.1.12 Analyze Email Traffic for Sensitive Data In this lab, your task is to: Capture packets on the enp2s0 interface using Wireshark. Find packets containing invoice emails using display filters. Check to see if the following information can be seen in clear text format in the invoice emails: Source and destination email addresses Names of those that sent or received the emails Customer information

Steps: 1. Open Wireshark and select enp2so - after a few seconds stop 2. Type tcp contains Invoice - examine info and locate - account manager's email address - recipient of email's full name - name of company requesting payment Questions: What is the email address of the account manager? [email protected] What is the recipient's full name on the captured email? Lynette Pratt What is the name of the company requesting payment? ACME, Inc

10.1.11 Filter and Analyze Traffic with Wireshark In this lab, your task is to: Use Wireshark to capture packets from the enp2s0 interface. Use the following Wireshark filters to isolate and examine specific types of packets:net 192.168.0.0host 192.168.0.34tcp contains password Answer the questions.

Steps: 1. Open Wireshark and select the enp2s0 and select blue fin to begin capture. 2. Apply the net 192.168.0.0 filter - type net 192.168.0.0 - look at source and destination addresses 3. Apply host 192.168.0.34 filter - Type host 192.168.0.34 - look at source/destination 4. Apply tcp contains password filter - type tcp contains password - select the red box to stop capture - locate the password Questions: What is the effect of the net 192.168.0.0 filter in Wireshark? Packets with either a source or destination address on the 192.168.0.0 network are displayed. What is the effect of the host 192.168.0.34 filter in Wireshark? Packets with 192.168.0.34 in either the source or destination address are displayed. What is the captured password? St@y0ut!@

10.1.8 Poison ARP and Analyze with Wireshark In this lab, your task is to discover whether ARP poisoning is taking place as follows: Use Wireshark to capture packets on the enp2s0 interface for five seconds. Analyze the Wireshark packets to determine whether ARP poisoning is taking place. Use the 192.168.0.2 IP address to help make your determination. Answer the questions.

Steps: 1. Open Wireshark, under Capture, select enp2so 2. Select Blue fin to begin capture. 3. After 5 seconds, select red box to stop 4. In the Apply a display filter type arp and press Enter to show those packets 5. In Info column, look for lines containing the 192.168.0.2 IP. 6. Answer questions Questions: What is the MAC address of the 1st responding device? 00:00:1B:11:22:33 What was the MAC address of the duplicate responding device? 00:00:1B:33:22:11

10.1.10 Poison DNS In this lab, your task is to: Use Ettercap to begin sniffing and scanning for hosts. Set Exec (192.168.0.30) as the target machine Initiate DNS spoofing. From Exec, access rmksupplies.com.

Steps: 1. Use Ettercap to begin sniffing/scanning for hosts a. Open Ettercap b. Select Sniff c. Select Unified Sniffing d. Select enp2s0 from Network Interface & click Ok e. Select Hosts and select Scan for hosts 2. Set Exec (192.168.0.30) as target a. Select Hosts and select Host list b. Under IP select 192.168.0.30 c. Select Add to Target 1 3. Initiate DNS spoofing a. Select Plugins b. Select Manage the Plugins c. Select the Plugins tab d. Double click dns_spoof to activate e. Select Mitm, then select ARP poisoning, then Sniff remote connections, OK 4. From Exec access rmksupplies.com a. Select Exec b. Open Chrome c. Type rmksupplies.com - changes to RUS Office supplies

10.3.6 Perform and Analyze a SYN Flood Attack

What is the source IP address of the SYN attack? 192.168.0.33 Which of the following MAC addresses is initiating the SYN flood attack? 00:60:98:7F:41:E0 (IT Laptop)

10.3.9 Perform a DoS Attack

answer: 0x002