1. Introduction
The aim of this paper is to analyze a packet capture file with various tools and answer the questions provided. SANS have released the Holiday Hacking Challenge packet capture for the last ten years. It is run as a competition for people all around the world. The packet capture is quite challenging and will test the skills of the network analyst to the limit. The tools used to analyze the packet capture are Wireshark, Ngrep, Foremost, and Network Miner.
2. Filter by Protocols
The packet capture is quite verbose, and it can be intimidating to know where to begin or what methodology to use. The first protocol filtered was POP3, used for email retrieval. The filter revealed a number of email exchanges between two IP addresses. (See Figure 2.1 below).
Figure 2.1. Filter with POP.
A 'Follow TCP Stream' was run to look at a single packet in more detail. The stream contained an email sent from George Bailey to Don Sawyer. The challenge brief revealed that George Bailey is the head of security of the town, but disclosed no information pertaining to Don Sawyer. George's IP address appears to be 10.16.11.5, which can be filtered on to reveal more information.
The stream provides the details of two email addresses: george.bailey@valleyelectr1c.co.nw and don.sawyer@valleyelectric.co.nw. Don Sawyer's username is dsawyer and his password is Fashionista. This information may prove useful later. The email sent from George to Don stated:
“Can you monitor the Simatic S7-1200 PLC while I am out today? Just click the link below and keep the window open; if the controller shows "red", then let me know.”
(See Figure 2.2 below).
Figure 2.2.
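The manual work described above, following the POP3 stream and reading off the login and the message headers, can be scripted so that every POP3 conversation in a capture gets the same treatment. The Python below is an added example and is not code from the paper: it takes the text of a reassembled POP3 session (what 'Follow TCP Stream' displays, both directions interleaved) and extracts the credentials sent in the clear plus the From/To/Subject headers of each retrieved message. The session text is constructed for this example; only the username, password and the two addresses are the values the paper reports. The AUTH PLAIN handling goes beyond the paper's USER/PASS case and is a generalisation, not something the paper observed.

```python
"""Pull the analyst-relevant artefacts out of a reassembled POP3 session.

Added example, not code from the paper. SAMPLE_STREAM is a constructed
conversation shaped like the one the paper describes (both directions, as
Wireshark's 'Follow TCP Stream' shows them); the username, password and the
two addresses are the values the paper reports, everything else is made up.
"""
import base64
import re

SAMPLE_STREAM = """\
+OK POP3 server ready
USER dsawyer
+OK
PASS Fashionista
+OK Logged in.
STAT
+OK 1 312
RETR 1
+OK 312 octets
From: George Bailey <george.bailey@valleyelectr1c.co.nw>
To: Don Sawyer <don.sawyer@valleyelectric.co.nw>
Subject: PLC monitoring

Can you monitor the Simatic S7-1200 PLC while I am out today?
.
QUIT
+OK Bye
"""

HEADER_RE = re.compile(r"^(From|To|Subject):\s*(.*)$", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def extract_credentials(stream):
    """Return (username, password) pairs the client sent in the clear.

    Covers the USER/PASS pair the paper found and, as a generalisation,
    SASL AUTH PLAIN (RFC 5034), whose base64 blob decodes to
    '<authzid>\\0<user>\\0<password>'.
    """
    creds, pending_user = [], None
    lines = stream.splitlines()
    for i, line in enumerate(lines):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS" and pending_user is not None:
            creds.append((pending_user, arg))
            pending_user = None
        elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
            # The blob is either on the AUTH line itself or on the client's
            # next line (the server's "+ " challenge sits in between).
            _, _, blob = arg.partition(" ")
            if not blob:
                blob = next((nxt for nxt in lines[i + 1:i + 3]
                             if not nxt.startswith("+")), "")
            try:
                parts = base64.b64decode(blob, validate=True).split(b"\0")
            except ValueError:
                continue
            if len(parts) == 3:
                creds.append((parts[1].decode("utf-8", "replace"),
                              parts[2].decode("utf-8", "replace")))
    return creds


def extract_messages(stream):
    """Return From/To/Subject for each message the client retrieved with RETR.

    A RETR reply runs from the server's '+OK' line to a line holding only '.';
    headers end at the first blank line, so header-looking text inside the
    body is not mistaken for a header.
    """
    messages, current, state = [], None, "idle"
    for line in stream.splitlines():
        if state == "idle":
            if line.upper().startswith("RETR"):
                state = "await_ok"
        elif state == "await_ok":
            if line.startswith("+OK"):
                current, state = {}, "headers"
            else:
                state = "idle"            # -ERR: nothing to parse
        elif line == ".":                 # terminator of the multi-line reply
            messages.append(current)
            current, state = None, "idle"
        elif state == "headers":
            if line == "":
                state = "body"
            else:
                m = HEADER_RE.match(line)
                if m:
                    current[m.group(1).lower()] = m.group(2).strip()
        # state == "body": nothing more to collect until the '.' line
    return messages


def mail_addresses(messages):
    """Set of every address seen in the From/To headers."""
    found = set()
    for msg in messages:
        for field in ("from", "to"):
            found.update(ADDR_RE.findall(msg.get(field, "")))
    return found


def session_report(stream):
    """Summarise what one stream exposed to anyone able to read it."""
    creds = extract_credentials(stream)
    msgs = extract_messages(stream)
    return {
        "credentials": creds,
        "messages": msgs,
        "addresses": sorted(mail_addresses(msgs)),
        # A cleartext POP3 login is the finding a defender acts on: it is the
        # reason POP3 without TLS should not be allowed on the network.
        "cleartext_login": bool(creds),
    }


if __name__ == "__main__":
    for key, value in session_report(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

In practice the input would come from exporting the stream as text from Wireshark (or from tshark's follow output); the parser is deliberately tolerant of the server replies being interleaved with the client commands, because that is how a reassembled stream reads.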
The link reveals the Simatic webserver. All attempts to open the links...
... middle of paper ...
...initive found.
Q4. What defenses could George have employed to prevent Mr. Potter's power grid attack?
A4. Nothing definitive found.
7. Conclusion
Analyzing a packet capture requires a lot of lateral thinking. There is never one defined method to complete different tasks. A good forensic analyst must be able to recognise the crucial information provided. Wireshark is still the go-to tool for forensic analysis, but tools like Network Miner group and detail information in an easier way for better understanding. Ngrep is a useful tool for searching for key words and phrases. Foremost was a vital tool in this investigation because it carved out vital information. The packet capture was a good examination of my skill set. It also tested my proficiency and knowledge of the tools. The knowledge gained will help with future missions and make me a better all-round forensic analyst.
Commencing penetration tests within the infrastructure of Alexander Rocco Corporation may be a strenuous yet beneficial process. However, before commencing penetration tests, much planning, strategizing, and research is necessary in order to ensure successful, seamless, and legal operations. Based on information provided by the SANS Institute, an initial meeting should be coordinated between those responsible for conducting the tests and the appropriate leadership personnel of the company (source). Within the meeting, the scope of the project should be established, classifying company data appropriately and determining which components of the company's infrastructure require penetration testing, which may include Alexander Rocco Corporation's
The IP address that I got when I went to whatsmyip.com was 96.48.125.42; this is supposed to be my hacker's address. After I got this address I started to search Google for websites that would allow me to find my hacker's location and address. The website I used was http://www.iptrackeronline.com/. This website is accurate in determining my ISP provider, which in this case is Shaw, and furthermore it is also accurate in determining the city and country, which in this case was Surrey, BC, Canada. The only problem it had was getting my address right; it was a bit off.
This essay answers two questions. Question one is to describe the methods and tools used in scanning and enumerating system and network targets and how one can use the results during the rest of the penetration test. The second question concerns the favorite tool that this student learned about in this class, how one uses it, and an explanation of why and how it enhances one's ability to conduct a penetration test.
Electronic mail is a phenomenon that has begun to pervade all aspects of our lives today. We use e-mail in our personal lives, at our schools, at our jobs, and everywhere in between. However, very few of us consider the fact that even though our e-mail is composed by the sender, and is intended to be read only by the recipient, it actually passes through many hands in between. Transmitted e-mail will often travel through up to 5 or 6 different servers on its way from sender to recipient. Along the way, it can be read, changed, and even destroyed by any party with the means and the inclination to do so.
The Aim Higher College's system administrators and network engineers have described seeing some strange behaviors, such as high levels of traffic from many hosts that are causing system outages. The web servers of the college have been shutting down frequently because of this traffic; it must be from a hacker group trying to attack the school with malicious software. I will review the network traffic from the college's intrusion detection system and use an intrusion prevention system to block these threats from the hackers.
AccessData's FTK is a widely accepted computer forensic analysis tool that can aid in the decryption of passwords within a disk image (Banday, 2011). This will help quickly analyze emails. This software supports several encryption products, such as Credant, SafeBoot, EFS, and S/MIME, to name a few (Banday, 2011). EnCase Forensic is another tool that would aid in email extraction by imaging a drive and maintaining the forensic evidence in a file format like LEF or E01 (Banday,
Real-time access to log data will allow you to filter and locate events that could be the cause of a security breach.
Both Kismet and Wireshark are excellent network analyzers. Wireshark offers complete packet handling in terms of collection, visualization, and an easy user interface. Kismet provides location services, is small enough to run on small sensors, and can be highly mobile. Also, its server/client mode allows multiple operators to analyze the live capture simultaneously, making it the best tool for the task. Collecting information with Kismet requires familiarization with the software, but once that is done the possibilities are diverse. For example, a small single-chip computer or sensor placed in a strategically located area near wireless access points can locate a user in the
... WPS attack is underway. An example of this is a product known as Kismet-SVN, which detects and alerts when an excessive number of WPS queries are being made. A screenshot of Kismet is presented in Appendix A, Image 3.
Whipple, William L. “TCP/IP For Internet Administrators.” A Searchable Technical Reference Document. Western Logic Works: 1997 (http://www.pku.edu.cn/academic/research/computer-center/tc/html/TC0310.html)
This latest string of hacks has revolved around the ease with which hackers can find other computers connected to the internet, break into those, and use their computing power to help in the attack. A company called Norse Corp. has developed ways to monitor this traffic.
Stoll finds out via the press that the hacker’s name is Markus Hess and he was selling printouts, passwords, and hacking methods to the KGB. Stoll later had to fly to Germany in order to testify against Hess.
A network topology in GNS3 (Graphical Network Simulator) is used in conjunction with BackTrack 5 to demonstrate the exploit tools for Cisco devices. The topology consists of three routers connected to one switch, which is connected to a cloud. The cloud will act as BackTrack. The network address is 192.168.6.0/24. Each router is configured with a separate IP address in the network. BackTrack is connected to the cloud on the same VMnet custom network. (See Figure 3-1 below).
Penetration testing a server for vulnerabilities requires a lot of lateral thinking. There is never one defined method to complete different tasks. A good pen tester must be able to recognise the crucial information provided, such as potential usernames and service vulnerabilities. Nmap is an excellent tool for scanning for open ports and revealing vulnerabilities. Nikto was a vital tool in this mission as it provided a way to irrefutably find the usernames on the server. The mission was a good examination of my skill set. It also tested my proficiency and knowledge of the tools. The knowledge gained will help with future missions and make me a better pen tester.
Harmful usage of a sniffer includes capturing passwords and other special and private information from transactions, such as usernames, credit card IDs, account numbers, and passwords, and recording emails or messages as they are sent and replaying the information. Some sniffers have the ability to modify a computer's information, even to the extent of damaging the system, weakening the security of a network, and even succeeding in gaining higher-level authority. With more and different hackers making use of packet sniffers every day, the sniffer has become one of the most important tools in the defence against cyber-attacks and cyber-crime. Written by (2001 – 2014) Colasoft LLC