COMP4337/9337 Securing Fixed and Wireless Network

Lab 4: Security Analysis Using TShark

Labs Due Date
M18A / W10A / W10B / W12A / W12B 20th March 2023, 6:00pm (Monday)

Objectives
This lab is designed to help the students to:
• get familiar with TShark which is the command line version of Wireshark, a network
analyser tool, and
• show how TShark can be utilised to analyse security risks to your network.

Lab Overview
A network analyser tool, such as TShark and Wireshark, is used for network troubleshooting,
analysis, software and communications protocol development, and education. TShark is very
similar to tcpdump, another tool for network analysis, while Wireshark has a graphical user
interface, plus some integrated sorting and filtering options.
TShark lets the user put network interface controllers into promiscuous mode (if supported by
the network interface controller), so they can see all the traffic visible on that interface
including unicast traffic that is not sent to the network interface controller's MAC address.
TShark can also read previously captured network packets to perform network analysis.
In this lab, you will be running TShark on the Raspberry Pi remotely via an SSH connection.
Specifically, lab 4 consists of two parts:
• Part A: We will use TShark to analyse some previously captured normal/anomalous
traffic. The traffic is generated by a machine that had been infected by a well-known
piece of Malware, which is distributed by email.
• Part B: Here, we will investigate the Secure Sockets Layer (SSL) protocol, focusing on
the SSL records sent over a TCP connection. We will do so by analysing a trace of the
SSL records sent between a host and an e-commerce server.

Assessment and Marking

For both Part A and Part B you are required to answer questions on Moodle (Lab 4
Assessment A and Lab 4 Assessment B). The same questions are provided in this document
for convenience. The marks will be made available on Moodle within 2 weeks of the
submission date. Only one submission from a group. The details of the marks are as follows:
• Total mark for Lab 4 is 100 and the weight is 0.15/1.

1 of 8
 • You should attempt Part A during the lab hours and show your work to the tutor. You
are free to start working before the lab session.
• Students who do not attend the lab will lose ALL 100 marks.
Marking Criteria Percentage
Part A (start working in class and demonstrate to your tutor) 40%
Part B (submission on Moodle) 60%

Note: lab performance mark is part of Part A. If a group is found to be cheating or submitting
a work that does not match what the tutor observes to be the team’s performance, then NO
MARK will be awarded for Part A.
• The standard late penalty introduced under UNSW new assessment implementation
procedure will be applied for this course.
o 5% per day,
o for all assessments where a penalty applies,
o capped at five days (120 hours) from the assessment deadline, after which a
student cannot submit an assessment, and
o no permitted variation.

Starting the Lab

To begin the lab, open your preferred SSH client, either in Terminal for Linux/Mac systems or
PuTTY for Windows systems. Connect to your Raspberry Pi using steps described in Prep 2
docs. After successfully logging in, run TShark from the command line. We have provided two
pre-captured pcap files located in ~/sfwn/ directory of your Raspberry Pi.
To open part-A-trace.pcap file type this command in the terminal:
$ tshark -r ~/sfwn/part-A-trace.pcap

The command will print all pre-captured network packets as a text with similar format on
Wireshark. Take a look at the following example of packet 1 and 3:
1 0.000000 192.168.1.1 → 192.168.1.254 DNS 87 Standard query 0x297e A
windowsupdate.microsoft.com

3 0.773068 192.168.1.1 → 207.46.18.94 TCP 62 1099 → 80 [SYN] Seq=0

Win=65535 Len=0 MSS=1460 SACK_PERM=1

The column description is as follows:

Column/Displayed Text Description
1 Packet number
3
0.000000 Time since beginning of capture
0.773068
(seconds)
192.168.1.1 → 192.168.1.254 Source and destination IP address
192.168.1.1 → 207.46.18.94
DNS Protocol
TCP

2 of 8
 87 Packet length (bytes)
62
Standard query 0x297e A Packet information, depending on the
windowsupdate.microsoft.com
protocol used.
1099 → 80 [SYN] Seq=0 Win=65535 Len=0
MSS=1460 SACK_PERM=1 For TCP, it also shows the source and
destination port number.

Part A: Analysing Network Traffic from an Infected System

In Part A, you need to open part-A-trace.pcap file that was created by a piece of malware
on an infected system. Try to determine from the packet analysis and internet search tools what
is the source and operation of that malware.
Please follow these instructions and answer these questions.
1. Look at packet 14 and determine the DNS name that is being looked up and what is the
IP address of that domain name? (2 Marks)
Hint: look at packet 15 and look at response info.

2. Do a WHOIS and determine which cities these IP addresses relates to? (2 Marks)
Hint: Use online WHOIS tools, e.g., https://whois.domaintools.com/.

3. By examining Packet 16, what Port is the local host connecting to? (2 Marks)

3 of 8
4. Do an internet search using the port number, what bot(s) can you identify that uses this
port? Now do a “Follow TCP stream” on packet 16. Can you tell whom the bot is talking
to? (5 Marks)
Hint: To follow a TCP stream on TShark, type the following command:
$ tshark -r ~/sfwn/part-A-trace.pcap
-z "follow,tcp,ascii,192.168.1.1:1101,84.244.1.30:5050"

The command will display the contents of a TCP stream in ASCII format between
192.168.1.1 port 1101 and 84.244.1.30 port 5050. Note that we get the source and
destination IP address and port number from looking at packet 16.

5. Now go to packet 95 and note what the DNS request is to? Write down the domain
name. Do not attempt to access this web site as it contains improper links and security
risk scripts! (2 Marks)

6. Now go to packet 111 and follow the TCP stream. Write the local name of the cgi script
you see. Do not attempt to download this script! (2 Marks)
Hint: Use the command from question 4 to follow the TCP streams. To get the source
and the destination port number, you may use this command:
$ tshark -r ~/sfwn/part-A-trace.pcap -T fields -e tcp.srcport -e
tcp.dstport -Y frame.number==111

4 of 8
 7. Go to the SOPHOS Threat Center sites1 and fill in the search field with the domain
name where the cgi script is located. What can you say now about this malware? What
is its name and what does it do? (5 Marks)

8. Finally, you have now used TShark combined with Internet searches to identify what
port number was being accessed and what bot normally uses that port. You then
identified potential threats that such a bot poses to a system. You then identified a
malicious piece of software that indeed attacks a system in the manner identified. Do a
bit more internet research on the nature of the file you have identified and try and think
what you would do as a security manager to stop this threat using TShark or any other
security tool you find or know of? (5 Marks)

1
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware.aspx

5 of 8
6 of 8
Part B: Analysing Secure Sockets Layer Protocol
In Part B, open part-B-trace.pcap file. We will investigate various SSL record types as
well as the fields in the SSL messages from the file packet trace.
It is important to keep in mind that an Ethernet frame may contain one or more SSL records.
This is very different from HTTP, for which each frame contains either one complete HTTP
message or a portion of a HTTP message. Also, an SSL record may not completely fit into an
Ethernet frame, in which case, multiple frames will be needed to carry the record.
You should use a display filter to show SSL records only by typing the following command:
$ tshark -r ~/sfwn/part-B-trace.pcap -Y "ssl"

You may also want to display the details of a packet to inspect what information contained in
a packet to answer the questions. You can write this command:
$ tshark -r ~/sfwn/part-B-trace.pcap -Y "frame.number==106" -V

The above command will print the information packet 106, using –Y flag to filter the frame
number and using –V flag to display the packet details. You may change the packet number
accordingly. Note that packets in Layer 2 are referred to as frames.
Now please follow these instructions and answer these questions.
1. For each of the first 8 Ethernet frames (after you apply SSL filter, i.e., frame 106),
specify 1) the frame number, 2) frame source (client or server), determine the number
of SSL records that are included in the frame, and list the SSL record types that are
included in the frame. (15 Marks)
Hint: You may need to see the details of each frame.
Frame No. Source No. of SSL Records Record Type

2. Draw a timing diagram between client and server, with one arrow for each SSL record.
(10 Marks)

3. Answer the following questions about ClientHello:

a. Locate the ClientHello Record. Does the ClientHello record contain a nonce (also
known as a "challenge")? If so, what is the value of the challenge in hexadecimal
notation? (5 Marks)
Hint: Pick any ClientHello frame that you see, i.e., frame 106. You may need to print
the raw information by adding option –T jsonraw to the command, which will print
the details in JSON with some raw information in hexadecimal.
b. Does the ClientHello record advertise the cyber suites it supports? If so, in the first
listed suite, what are the public-key algorithm, the symmetric-key algorithm, and
the hash algorithm? (5 Marks)

7 of 8
 4. Answer the following questions about ServerHello:
a. Locate the ServerHello SSL Record. Does this record specify a chosen cipher suite?
What are the algorithms in the chosen cipher suite? (5 Marks)
b. Does this ServerHello record include a nonce? If so, how long is it? What is the
purpose of the client and server nonces in SSL? (5 Marks)
c. Does this ServerHello record include a session ID? What is the purpose of the
session ID? (5 Marks)
d. Does this ServerHello record contain a certificate, or is the certificate included in a
separate record. Does the certificate fit into a single Ethernet frame? (3 Marks)

5. Answer the following questions about encryption:

a. Locate the Client key exchange record. Does this record contain a pre-master
secret? What is this secret used for? Is the secret encrypted? If so, how? How long
is the encrypted secret? (5 Marks)
b. What is the purpose of the Change Cipher Spec record (sent by client)? How many
bytes is the record in your trace? (3 Marks)
c. In the Encrypted handshake record, what is being encrypted? How? (3 Marks)

6. Does the Server also send a Change cipher record and an Encrypted handshake record
to the client? How are those records different from those sent by the client? (3 Marks)

7. How is the Application Data being encrypted? Do the records containing application
data include a MAC? Does TShark distinguish between the encrypted application data
and the MAC? (3 Marks)

If you want to use more complex options, consult TShark documentation, which contains full
descriptions and examples for each of TShark options. The TShark documentation is available
at https://www.wireshark.org/docs/man-pages/tshark.html.

8 of 8