
International University School of Computer Science and Engineering

This document provides instructions for a lab assignment on virtual machines and Wireshark. The objectives are to: 1. Create a simple network with two virtual machines using VMware and configure their IP addresses and networking. 2. Use Wireshark to observe ping traffic between the virtual machines and analyze details of ICMP echo request and reply packets like type, code, identifier, and sequence number values. 3. Use ping with the record route (-R) option to see how routers add their IP addresses to packets and use traceroute to determine the path between hosts by observing time to live values.
Copyright
© Attribution Non-Commercial (BY-NC)

INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB 1: Introduction to VMWare and Wireshark

Course: Network Security
Date: 09/19/2013
Lecturer: Pham Van Hau, PhD
Duration: 135 minutes
Student ID: MITM05016
Student name: DO NHU TAI

The purpose of this Lab is to introduce the working environment and the tools used to carry out the LABs of the Network and System Security (NSS) course. We use virtual machines and Wireshark for all the labs, so getting familiar with them is a must.

1. Part 1: VMWare

Instruction on VMWare, VMWarenet

Use the virtual machine (based on Ubuntu) to create the following simple network:

Machine 1: 192.168.1.2, GW 192.168.1.1, Netmask 255.255.255.0
Network: VMNet 5
Machine 2: 192.168.1.3, GW 192.168.1.1, Netmask 255.255.255.0

You need to:
- configure the IP addresses for the virtual machines
- configure the network (use VMNet5)
- make sure that machine 1 can ping machine 2

2. Part 2: Wireshark

1. Route recording with command "ping"

a) ping command

Ping uses the ICMP protocol's mandatory ECHO REQUEST datagram to elicit an ICMP ECHO RESPONSE from a host or gateway. ECHO REQUEST datagrams (``pings'') have an IP and ICMP header, followed by a ``struct timeval'' and then an arbitrary number of ``pad'' bytes used to fill out the packet.

On machine 1:
- turn on Wireshark
- ping machine 2
Observe the traffic and try to answer the following questions.

Q1) What are the values of type and code in ECHO REQUEST and ECHO REPLY packet?

Answer Q1:
ECHO REQUEST: Type=8, Code=0
ECHO REPLY: Type=0, Code=0

Q2) What are the meaning of identifier and sequence number in the ICMP packets?

Answer Q2:
- Each echo request and corresponding echo reply have the same Identifier value and the same Sequence Number value. The values are used to match the echo request to the right echo reply.
- Typically, the Identifier is kept the same and the Sequence Number is incremented. This ensures that as a pair, successive echo requests will have different Identifier/Sequence Number values so they (and their corresponding replies) can be distinguished.

b) Ping with -R option

On machine 1, ping machine 2 with the -R option.

Q3) What is the new information in the request and reply packets that you observe?

Answer Q3: The new information in the request and reply packets is the record route option portion of the IP header.

Code is a 1-byte field specifying the type of IP option. For the RR option its value is 7. Len is the total number of bytes of the RR option, which in this case is 39. (Although it's possible to specify an RR option with less than the maximum size, ping always provides a 39-byte option field, to record up to nine IP addresses. Given the limited room in the IP header for options, it doesn't make sense to specify a size less than the maximum.) Ptr is called the pointer field. It is a 1-based index into the 39-byte option of where to store the next IP address. Its minimum value is 4, which is the pointer to the first IP address. As each IP address is recorded into the list, the value of ptr becomes 8, 12, 16, up to 36. After the ninth address is recorded ptr becomes 40, indicating the list is full.
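A decoder for the record route option laid out above (code 7, len 39, 1-based ptr), added here as an example and not part of the original lab report. The sample header is constructed; parse_record_route and build_header are hypothetical helper names, and the IP checksum is left at 0 and not verified.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7      # RR option code is 7

def parse_record_route(ip_header: bytes) -> dict:
    """Find the Record Route option in a raw IPv4 header and decode it."""
    ihl = (ip_header[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or ihl > len(ip_header):
        raise ValueError("bad IHL")
    opts, i = ip_header[20:ihl], 0
    while i < len(opts):
        code = opts[i]
        if code == IPOPT_EOL:                 # end of option list
            break
        if code == IPOPT_NOP:                 # one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if code == IPOPT_RR:
            if length < 3:
                raise ValueError("RR option too short")
            ptr = opts[i + 2]
            # ptr is 1-based: 4 = first slot free, len + 1 = every slot used
            if ptr < 4 or ptr % 4 or ptr > length + 1:
                raise ValueError("bad RR pointer")
            used = opts[i + 3:i + ptr - 1]    # bytes already filled in by hops
            hops = [str(ipaddress.IPv4Address(used[k:k + 4]))
                    for k in range(0, len(used), 4)]
            return {"len": length, "ptr": ptr, "hops": hops,
                    "slots": (length - 3) // 4, "full": ptr + 3 > length}
        i += length
    raise LookupError("no Record Route option present")

def build_header(hops):
    """Constructed sample: 60-byte IPv4 header (checksum 0) with NOP + 39-byte RR."""
    rr = bytes([IPOPT_RR, 39, 4 + 4 * len(hops)])
    rr += b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    fixed = struct.pack("!BBHHHBBH4s4s", 0x4F, 0, 124, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address("192.168.1.2").packed,
                        ipaddress.IPv4Address("192.168.1.3").packed)
    return fixed + bytes([IPOPT_NOP]) + rr.ljust(39, b"\x00")

if __name__ == "__main__":
    print(parse_record_route(build_header(["192.168.1.2", "192.168.1.3"])))
```

A pointer that is not a multiple of 4 or that runs past len + 1 is rejected rather than used as a slice bound, which is the check a capture-analysis tool needs when the option bytes come from an untrusted packet.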

[Figure: Request packets without -R option]

[Figure: Request packets with -R option]

[Figure: Reply packets without -R option]

[Figure: Reply packets with -R option]

Q4) What is the -R option used for?

Answer Q4: The ping program gives us an opportunity to look at the IP record route (RR) option. Most versions of ping provide the -R option that enables the record route feature. It causes ping to set the IP RR option in the outgoing IP datagram (which contains the ICMP echo request message). This causes every router that handles the datagram to add its IP address to a list in the options field. When the datagram reaches the final destination, the list of IP addresses should be copied into the outgoing ICMP echo reply, and all the routers on the return path also add their IP addresses to the list. When ping receives the echo reply it prints the list of IP addresses.

Q5) Load file tme6-pRp.dmp, draw the network diagram between the source and the destination host.

Answer Q5:

[Figure: Reply packets with -R option]

[Figure: Request packets with -R option]

Q6) What is maximum length in terms of number of hops that "ping -R" can record?

Answer Q6: Maximum length in terms of number of hops that "ping -R" can record is 9.

Q7) Show how to use the option(s) -f -s of ping command.

Answer Q7:

ping -f

Example:
+ ping an IP address which does not exist
+ ping -f 192.168.1.3 (available address)
+ ping -f mail.com

ping -s [packetsize]

Example: ping -s +00 192.168.1.3

2. Study of the traceroute tool

Here is the beginning of the UNIX man page description of the traceroute command:

The Internet is a large and complex aggregation of network hardware connected together by gateways. Tracking the route one's packets follow (or finding the miscreant gateway that's discarding your packets) can be difficult. Traceroute utilizes the IP protocol `time to live' field and attempts to elicit an ICMP TIME EXCEEDED response from each gateway along the path to some host.

Load the following file: tme6-tcr.dmp.gz

Q8) What is the value of TTL of the first packet sent by 194.254.163.182?

Answer Q8: The value of TTL of the first packet sent by 194.254.163.182 is 1.
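How the replies to such probes can be told apart and ordered into a path, added here as an example and not part of the original lab report. It goes slightly beyond the man page excerpt by also handling the ICMP port unreachable that marks the destination. The reply packets are constructed, the router 192.0.2.1 and target 203.0.113.9 are placeholder addresses, the helper names are hypothetical, and three probes per TTL starting at UDP port 33435 is an assumption.

```python
import socket
import struct

FIRST_PORT, PROBES_PER_TTL = 33435, 3   # assumed: first probe port, 3 probes per TTL
PROBER, TARGET = "194.254.163.182", "203.0.113.9"   # TARGET is a constructed address

def classify_reply(pkt: bytes):
    """Return (responder, kind, probe_ttl) for one ICMP error answering a UDP probe."""
    if len(pkt) < 20 or pkt[9] != 1 or (pkt[0] & 0x0F) < 5:   # outer protocol must be ICMP
        raise ValueError("not an ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4
    quoted = pkt[ihl + 8:]                       # quoted IP header + 8 bytes of UDP
    if len(quoted) < 20 or quoted[9] != 17:
        raise ValueError("no quoted UDP datagram")
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 4:
        raise ValueError("quoted UDP header truncated")
    dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    kind = {(11, 0): "router", (3, 3): "destination"}.get((pkt[ihl], pkt[ihl + 1]), "other")
    ttl = (dport - FIRST_PORT) // PROBES_PER_TTL + 1   # probe port identifies the hop
    return socket.inet_ntoa(pkt[12:16]), kind, ttl

def reconstruct_path(replies):
    """Order responders by probe TTL; the first port unreachable ends the trace."""
    path = {}
    for responder, kind, ttl in sorted(map(classify_reply, replies), key=lambda r: r[2]):
        if kind == "other":
            continue
        path.setdefault(ttl, responder)
        if kind == "destination":
            break
    return [path[t] for t in sorted(path)]

def _ip(proto, src, dst, ttl, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def make_reply(responder, icmp_type, icmp_code, dport):
    """Constructed ICMP error quoting a UDP probe sent to dport (checksums left 0)."""
    quoted = _ip(17, PROBER, TARGET, 1, struct.pack("!HHHH", 40000, dport, 8, 0))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    return _ip(1, responder, PROBER, 255, icmp)

# Constructed, out-of-order replies: two routers, then the destination at hop 3.
SAMPLE = [make_reply(TARGET, 3, 3, 33441), make_reply("192.0.2.1", 11, 0, 33438),
          make_reply("194.254.163.254", 11, 0, 33435), make_reply("192.0.2.1", 11, 0, 33439)]

if __name__ == "__main__":
    print(reconstruct_path(SAMPLE))
```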

Q9) Which host sends the "time-to-live exceeded" packet? For what reason?

Answer Q9: Host with IP 194.254.163.254 sends the "time-to-live exceeded" packet because TTL value is 1.

Q10) List all the values of TTL of UDP packets sent by 194.254.163.182. Explain what you get.

Answer Q10: All the values of TTL of UDP packets sent by 194.254.163.182 are 1, 2, 3, 4, 5, 6, 7, and 8.

Explain: Traceroute sends an IP datagram with a TTL of 1 to the destination host. The first router to handle the datagram decrements the TTL, discards the datagram, and sends back the ICMP time exceeded. This identifies the first router in the path. Traceroute then sends a datagram with a TTL of 2, and we find the IP address of the second router. This continues until the datagram reaches the destination host. The purpose of the TTL field is to prevent datagrams from ending up in infinite loops, which can occur during routing transients.

Q11) List all the destination port numbers of UDP packets sent by 194.254.163.182. Explain what you get.

Answer Q11: All the destination port numbers of UDP packets sent by 194.254.163.182 are from 33435 to 33458.

Explain: Traceroute sends UDP datagrams to the destination host, but it chooses the destination UDP port number to be an unlikely value (larger than 30,000), making it improbable that an application at the destination is using that port. This causes the destination host's UDP module to generate an ICMP "port unreachable" error when the datagram arrives. All Traceroute needs to do is differentiate between the received ICMP messages, time exceeded versus port unreachable, to know when it's done.

Q12) How does the command traceroute finish?

Answer Q12: The command traceroute finishes when the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached or the destination host replies with an ICMP Echo Reply.

Q13) Open Wireshark and load the following files: tme2-tel.dmp, tme3-pop.dmp, tme4-ftp.dmp, tme2-rlo.dmp, and tme2-ssh.dmp.gz, and write out the user name and password if possible.

Answer Q13:
- tme2-tel.dmp: username = tteesstt--rreess / password = lmdUpmc
- tme3-pop.dmp: USER !oiteres"##$ / PASS lmdUpmc
- tme4-ftp.dmp: USER test-res / PASS lmdUpmc
- tme2-rlo.dmp: User = fourmaux / Pass = lmdUpmc
- tme2-ssh.dmp: cannot see username/password because the data is encrypted.

Q14) Wireshark provides filters to extract traffic. Write the appropriate filter to find the user name and password of protocols in Q13.
