BTJA Introduction to Network Analysis Course Capstone!

Safiullah Khan
4 min read · Feb 25, 2024


In the BTJA network analysis course we studied tcpdump and Wireshark for analyzing traffic. At the end we are given a scenario to analyze, and we have to answer the questions using either Wireshark or tcpdump; here we will use Wireshark.

Here is the description of the Scenario:

Alexis is a fictional cybersecurity company with thousands of employees. An attacker has gained unauthorized entry into its premises and has connected their laptop to an unused port on a switch. The attacker now has access to the company’s internal networks. Within the internal network, there is a central server where critical proprietary data is stored. In this capture, the attacker is attempting to collect SSH credentials that they can use to log into the central server.

1. What is the MAC address of the attacker?

To find the MAC address of the attacker: one IP address, 192.168.56.111, is constantly making ARP requests for MAC addresses, so by going to layer 2 in the Ethernet details we can get the MAC address of 192.168.56.111.

We also know that SSH was compromised, so we can also check the protocol statistics to get an idea of which IPs are communicating and then get their MAC addresses.

I checked Statistics > Conversations. It looks like there are only two devices communicating via SSH, as the destination port is 22.

By filtering on ssh in the display filter we can also see that the source IP is 192.168.56.111, which is the attacker, so analyzing the Ethernet details in

Answer: 08:00:27:3d:27:5d

2. What is the type of attack which is taking place that allows the attacker to listen in on conversations between the central server and another host?

Listening in on a conversation between two nodes corresponds to the following attack type.

Answer: man in the middle attack

Analyzing Man in the Middle Attack (MITM) using Wireshark.
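The attacker's MAC in question 1 and the attack type in question 2 are both visible in the ARP traffic. As an added example (not part of the original post), the following parses raw Ethernet/ARP frames and applies the two checks an analyst would run on such a capture: an IP answered for by more than one MAC, and a single MAC claiming several IPs. The sample frames are constructed; the gateway and server addresses are assumed, and only the attacker's MAC and IP come from the scenario.

```python
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet II + ARP frame (used only to construct sample traffic)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + b"\x08\x06"  # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa


def detect_arp_poisoning(frames):
    """Return (IPs claimed by more than one MAC in replies, MAC claiming the most IPs).
    A legitimate host answers only for its own IP; a MITM host answers for several."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa = parsed
        ip_to_macs[spa].add(sha)
        mac_to_ips[sha].add(spa)
    conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    suspect = max(mac_to_ips, key=lambda m: len(mac_to_ips[m])) if mac_to_ips else None
    return conflicts, suspect


# Constructed capture: gateway (.1) and server (.10) answer for themselves, then the
# attacker host from the scenario answers for both of them.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.56.1", "aa:bb:cc:00:00:10", "192.168.56.10"),
    build_arp_frame(ARP_REPLY, "aa:bb:cc:00:00:10", "192.168.56.10", "aa:bb:cc:00:00:01", "192.168.56.1"),
    build_arp_frame(ARP_REQUEST, "08:00:27:3d:27:5d", "192.168.56.111", "00:00:00:00:00:00", "192.168.56.10"),
    build_arp_frame(ARP_REPLY, "08:00:27:3d:27:5d", "192.168.56.1", "aa:bb:cc:00:00:10", "192.168.56.10"),
    build_arp_frame(ARP_REPLY, "08:00:27:3d:27:5d", "192.168.56.10", "aa:bb:cc:00:00:01", "192.168.56.1"),
]

if __name__ == "__main__":
    print(detect_arp_poisoning(SAMPLE_FRAMES))
```

In Wireshark the same conflict is reported by the `arp.duplicate-address-detected` expert info field, which is a quick display filter to try before reading frames by hand.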

3. What is the file which was downloaded from the central server?

To get details of the file downloaded from the server, we first check the protocol hierarchy to see whether any FTP traffic takes part in the communication.

Under TCP, FTP was used for the communication, so by filtering on ftp in the Wireshark display filter we can get the file name by following the TCP stream of packet 550.

Answer: Alevis_Employee_Information_Chart.csv

4. What department does Borden Danilevich work in?

As we know from the previous question, Alevis_Employee_Information_Chart.csv was downloaded from the server (packet 615), so we can use this file by saving it: go to File > Save As and save the file to your desired location.

Go to the location where you saved the file. Rename the file and change the extension to .csv. Afterwards, I opened the file and inspected it for a bit. Somewhere in the CSV file I found what looks like a table containing several fields: id, first_name, last_name, email, department, ip_address, ssh_username and ssh_password. I did a Ctrl+F and searched for “Borden.”

Answer: Sales

5. What is the SSH password of the Domain Administrator?

I checked the CSV file again and looked for the word “admin.” There were some gibberish characters in the SSH password. I removed them and got gMR<4eXf]e6W.

Answer: gMR<4eXf]e6W

Conclusion:

In this capstone we analyzed traffic that was under a man-in-the-middle attack: ARP poisoning was carried out, and data exfiltration and interception of communication were taking place.
