
WEST END UNIVERSITY COLLEGE-FACULTY OF COMPUTER STUDIES

Computer Security
Assignment 1 (Wireshark Traffic Analysis)

Due Date: Saturday, 12th October, 2024

Submission Instructions:
1. Deliverables include:
a. Documentation/Report
b. Captured file(.pcap file)
c. Documentation should include screenshots as evidence of all activities.
2. Zip all files together and rename it as follows:
Assign1+Indexnumber+FirstName
Eg. Assign1+WICT2000493+David
3. Copying someone attracts a zero score. I may not know who copied who, so to cut a
long story short, both the copier and benevolent individual will get zero.
4. Submit to the Computer Security Google Classroom Assignment 1 space.

Instructions for Assignment 1:

1. Objective:

This assignment will test your ability to capture, filter, and analyze network traffic using
Wireshark. You will investigate network protocols, interpret packet data, and identify
potential security vulnerabilities in real network communications. Specific objectives
include:

• Capture and compare the network traffic of a secure website (using HTTPS) and a
vulnerable website (using HTTP or insecure practices).
• Analyze the differences in how data is transmitted and secured between the two.

2. Tools Required:

• Wireshark installed on your computer (available at https://www.wireshark.org)
• A functioning network connection
• Administrator access to capture network traffic on your machine

The following tutorials will help you understand this assignment:

• https://www.youtube.com/watch?v=Lb-PJl9u3z8
• https://www.youtube.com/watch?v=lb1Dw0elw0Q
• https://www.youtube.com/watch?v=2pyEyER9dAU&list=PLZUlpNYznmNTL02BhILupSz7pqnqYw_uV&index=1

Page | 1
3. Start Wireshark and Capture Traffic (10 Marks):
a. Launch Wireshark and choose the network interface you want to monitor
(e.g., Ethernet or Wi-Fi).
b. Start capturing network traffic for 15 minutes.
c. Choose a potentially secure (e.g., https://github.com) website and a
potentially vulnerable website (e.g., http://httpforever.com) to perform this
analysis (see appendix for more examples of websites).
d. Use Wireshark to capture network traffic for both sites while performing
similar actions (e.g., logging in, browsing). This means that while capturing,
open a web browser and visit at least two websites (of your choice), perform
a DNS lookup (use the nslookup command), and download the captured file
(.pcap file) from a web server.
e. Pay attention to key factors like encryption, headers, and how sensitive
information (e.g., passwords, session tokens) is handled.
f. Once 15 minutes have passed, stop the capture.

Deliverable: Include screenshots of Wireshark showing at least 100 captured
packets, and specify which websites you visited during the capture.

4. Task 1: DNS Traffic Analysis (5 Marks):


a. Filter DNS Traffic: Use the Wireshark filter dns to focus on DNS request and
response packets.
b. Identify Requests/Responses: Find at least three DNS queries you made
during the session (e.g., while visiting a website).
i. For each DNS query, identify:
1. The domain name that was queried
2. The IP address returned in the DNS response (if available)
3. The time it took for the DNS server to respond (look at the
Response Time field).
c. Analyze DNS Process: Briefly explain how DNS works in resolving domain
names into IP addresses and the security risks of DNS spoofing attacks.

Deliverable: Provide screenshots showing DNS queries and responses for three
domains and summarize how DNS works and its potential security vulnerabilities.
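The Python script below is an added example for Task 1; it is not part of the assignment and not Wireshark's own code. It parses DNS messages the way the dns dissector does (header, question, answers, compression pointers), pairs each response with its query by transaction ID to obtain the response time that Wireshark shows on a reply, and lists queries that never got an answer as well as extra answers for an ID that was already answered, which is the kind of evidence a spoofing race leaves in a capture. The packets, the names example.com and nx.example.net, the addresses 192.0.2.10 and 192.0.2.99, and the timestamps are constructed sample data.

```python
import ipaddress
import struct

RECORD_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name):
    """Wire-format a domain name; used here only to construct the sample packets."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def read_name(msg, offset):
    """Decode a name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset of the field that follows the name in the stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_dns(msg):
    """Parse the header, question section and answer records of one DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, RECORD_TYPES.get(qtype, qtype)))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == 5:
            value, _ = read_name(msg, offset)          # CNAME target may use compression
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, RECORD_TYPES.get(rtype, rtype), value, ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def match_queries(packets):
    """packets: list of (timestamp_seconds, dns_payload_bytes) in capture order.
    Pairs each response with the outstanding query carrying the same transaction ID,
    which is how the response time shown on a DNS reply is derived. Also reports
    queries that never got an answer, and responses whose ID was already answered
    (a second answer for one ID is one of the traces a spoofing race leaves)."""
    pending, results, duplicates = {}, [], []
    for ts, msg in packets:
        d = parse_dns(msg)
        if not d["is_response"]:
            pending[d["txid"]] = (ts, d["questions"][0][0])
        elif d["txid"] in pending:
            sent_at, name = pending.pop(d["txid"])
            results.append({"name": name, "answers": d["answers"], "rcode": d["rcode"],
                            "response_time": ts - sent_at})
        else:
            duplicates.append(d["txid"])
    unanswered = [name for _, name in pending.values()]
    return results, unanswered, duplicates


# Constructed sample capture (not real traffic): one answered query, one late
# duplicate answer for the same ID with a different address, one unanswered query.
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + encode_name("example.com") + struct.pack("!HH", 1, 1))
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
SECOND_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                 + encode_name("example.com") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 99]))
LOST_QUERY = (struct.pack("!HHHHHH", 0x5678, 0x0100, 1, 0, 0, 0)
              + encode_name("nx.example.net") + struct.pack("!HH", 1, 1))
SAMPLE_CAPTURE = [(0.0000, QUERY), (0.0235, RESPONSE), (0.0300, SECOND_ANSWER), (0.1000, LOST_QUERY)]

if __name__ == "__main__":
    answered, unanswered, duplicates = match_queries(SAMPLE_CAPTURE)
    for r in answered:
        print(f"{r['name']}: {r['answers']} rcode={r['rcode']} time={r['response_time']:.4f}s")
    print("unanswered:", unanswered, "duplicate answers for IDs:", [hex(t) for t in duplicates])
```

Running the script prints the queried name, the address returned, and the 0.0235 s response time for the first exchange, then flags the unanswered lookup and the extra answer for transaction 0x1234. Real captures carry the DNS payload inside UDP/IP; the same functions apply once that payload is extracted.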

5. Task 2: HTTP/HTTPS Traffic Analysis (5 Marks):


a. Filter HTTP/HTTPS Traffic: Use filters http and ssl to view unencrypted HTTP
and encrypted HTTPS traffic, respectively.
b. Analyze HTTP Traffic: Examine at least one HTTP GET request and one HTTP
POST request.
i. Identify and explain the following for each:
1. URL and host of the GET/POST request
2. Any parameters sent (check if sensitive information like
usernames/passwords is transmitted in plaintext)
3. Status code and response time of the request.
ii. Discuss why HTTP traffic is insecure, focusing on the risk of
transmitting sensitive data without encryption.

c. Analyze HTTPS Traffic: Examine an encrypted HTTPS request and compare it
with an HTTP request.
i. Identify the Client Hello and Server Hello messages in an HTTPS
handshake.
ii. Discuss how HTTPS provides better security through encryption and
what information is still visible to someone monitoring the network.

Deliverable: Provide screenshots of both HTTP and HTTPS traffic, with key fields
highlighted, and summarize the differences between HTTP and HTTPS in terms of
security.
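The script below is an added example for Task 2 and is not part of the assignment or of Wireshark. It contrasts what a passive observer can read from the two kinds of traffic: for a plaintext HTTP exchange it extracts the URL, host, status code and response time the task asks for and lists every piece of sensitive data that travels unprotected (form fields, HTTP Basic credentials, session cookies); for HTTPS it parses the TLS ClientHello record and shows that only handshake metadata such as the server name (SNI), offered versions and cipher suites is visible, while path, headers and bodies are not. The request, response, host name www.insecure-example.test, the account alice and every value in the ClientHello are constructed sample data. Note that current Wireshark releases name the TLS display filter tls; this example does not depend on Wireshark at all.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass", "token", "session", "secret"}


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into request line, headers (lower-cased) and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def http_exposure(req):
    """Everything an on-path observer learns from one unencrypted request."""
    findings = []
    params = parse_qs(urlsplit(req["target"]).query)              # GET parameters
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(req["body"].decode("iso-8859-1")))  # POST form fields
    for name in params:
        if name.lower() in SENSITIVE_FIELDS:
            findings.append(f"field '{name}' sent in plaintext")
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user = base64.b64decode(auth[6:]).decode("iso-8859-1").split(":", 1)[0]
        findings.append(f"Basic credentials for user '{user}' (base64 is encoding, not encryption)")
    if "cookie" in req["headers"]:
        findings.append("session cookie readable and replayable")
    return findings


def exchange_summary(req_ts, request, resp_ts, response):
    """The per-request facts Task 2 asks for, plus the exposure findings."""
    req = parse_http_request(request)
    status = int(response.split(b"\r\n", 1)[0].split(b" ")[1])
    return {"method": req["method"], "url": "http://" + req["headers"].get("host", "") + req["target"],
            "status": status, "response_time": resp_ts - req_ts, "findings": http_exposure(req)}


def parse_client_hello(record):
    """Read the fields of a TLS ClientHello that are sent in the clear."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = struct.unpack("!H", body[:2])[0]
    off = 35 + body[34]                                    # skip version, 32-byte random, session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                   # compression methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end, sni, ext_types = off + ext_len, None, []
    while off < end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data, off = body[off + 4:off + 4 + elen], off + 4 + elen
        ext_types.append(etype)
        if etype == 0:                                     # server_name extension
            pos = 2
            while pos < len(data):
                nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                if data[pos] == 0:
                    sni = data[pos + 3:pos + 3 + nlen].decode("ascii")
                pos += 3 + nlen
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "sni": sni, "extensions": ext_types}


def build_client_hello(sni, cipher_suites):
    """Construct a minimal ClientHello with SNI and supported_versions (sample data only)."""
    name = sni.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext_sni = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    ext_versions = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    extensions = ext_sni + ext_versions
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00" + struct.pack("!H", len(suites))
            + suites + b"\x01\x00" + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample traffic (not captured from any real site)
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.insecure-example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Cookie: PHPSESSID=constructed-session-id\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
                  b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2")
SAMPLE_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"
SAMPLE_CLIENT_HELLO = build_client_hello("www.example.com", [0x1301, 0x1302, 0xC02F])

if __name__ == "__main__":
    print(exchange_summary(10.000, SAMPLE_REQUEST, 10.125, SAMPLE_RESPONSE))
    print(parse_client_hello(SAMPLE_CLIENT_HELLO))
```

For the HTTP exchange the summary reports the URL, the 302 status, the 0.125 s response time and three findings; for the ClientHello only the server name www.example.com, the offered versions and the three cipher suites come out, which is exactly the metadata that remains visible on an HTTPS connection. Feeding the plaintext request to parse_client_hello raises ValueError, since it is not a TLS record.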

6. Task 3: TCP Handshake and Data Transfer Analysis (5 Marks):


a. Filter TCP Traffic: Use the filter tcp to view TCP traffic.
b. Analyze a TCP Handshake:
i. Locate a three-way TCP handshake (SYN, SYN-ACK, ACK packets).
ii. Identify and describe the following:
1. Source and destination IP addresses
2. Sequence and acknowledgment numbers
3. TCP flags (e.g., SYN, ACK)
iii. Explain how the three-way handshake establishes a reliable
connection and why it’s crucial for TCP.
c. TCP Data Transfer:
i. Find a TCP session where data is being transferred between your
machine and a server.
ii. Calculate the round-trip time (RTT) and the throughput by using
packet timestamps and payload sizes.
iii. Discuss what factors might affect the performance of a TCP
connection (e.g., network congestion, latency).
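The script below is an added example for Task 3; it is not part of the assignment and is not Wireshark code. It builds and parses bare TCP headers, locates a three-way handshake by checking that the SYN-ACK acknowledges the client's ISN + 1 and the final ACK acknowledges the server's ISN + 1, reports the handshake RTT from the SYN and SYN-ACK timestamps, and then measures bytes transferred, throughput over the data phase, and per-segment ACK round-trip samples (the same idea as Wireshark's tcp.analysis.ack_rtt). The session between 192.0.2.10:50000 and 198.51.100.5:80, its sequence numbers and timestamps are constructed sample data.

```python
import struct

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}
SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Minimal 20-byte TCP header (no options) plus payload; used only for the sample data."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload


def parse_tcp(segment):
    """Decode the fields Task 3 asks about: ports, seq/ack numbers, flags, payload length."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    flags = off_flags & 0x1FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "flag_names": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "payload_len": len(segment) - (off_flags >> 12) * 4}


def find_handshake(packets):
    """packets: list of (ts, src_ip, dst_ip, segment_bytes). Returns the first SYN / SYN-ACK / ACK
    triple whose sequence and acknowledgment numbers chain correctly, with the handshake RTT."""
    parsed = [(ts, src, dst, parse_tcp(seg)) for ts, src, dst, seg in packets]
    for i, (t1, c, s, syn) in enumerate(parsed):
        if syn["flags"] != SYN:
            continue
        for j in range(i + 1, len(parsed)):
            t2, src2, dst2, synack = parsed[j]
            if (src2, dst2) == (s, c) and synack["flags"] == SYN | ACK and synack["ack"] == syn["seq"] + 1:
                for t3, src3, dst3, ack in parsed[j + 1:]:
                    if ((src3, dst3) == (c, s) and ack["flags"] == ACK
                            and ack["seq"] == syn["seq"] + 1 and ack["ack"] == synack["seq"] + 1):
                        return {"client": (c, syn["sport"]), "server": (s, syn["dport"]),
                                "client_isn": syn["seq"], "server_isn": synack["seq"],
                                "handshake_rtt": t2 - t1,
                                "steps": [(t1, syn["flag_names"]), (t2, synack["flag_names"]),
                                          (t3, ack["flag_names"])]}
    return None


def measure_transfer(packets):
    """Bytes and throughput per direction over the data phase, plus ACK RTT samples:
    for each data segment, the delay until the peer first acknowledges its last byte."""
    parsed = [(ts, src, dst, parse_tcp(seg)) for ts, src, dst, seg in packets]
    data = [p for p in parsed if p[3]["payload_len"] > 0]
    if not data:
        return None
    span = data[-1][0] - data[0][0]
    bytes_by_dir, ack_rtts = {}, []
    for ts, src, dst, seg in data:
        bytes_by_dir[(src, dst)] = bytes_by_dir.get((src, dst), 0) + seg["payload_len"]
        last_byte = seg["seq"] + seg["payload_len"]
        for ts2, src2, dst2, seg2 in parsed:
            if ts2 > ts and (src2, dst2) == (dst, src) and seg2["flags"] & ACK and seg2["ack"] >= last_byte:
                ack_rtts.append(ts2 - ts)
                break
    throughput = {d: (n / span if span > 0 else None) for d, n in bytes_by_dir.items()}
    return {"bytes": bytes_by_dir, "throughput_bytes_per_s": throughput,
            "ack_rtt_samples": ack_rtts, "data_span_s": span}


# Constructed sample session: client 192.0.2.10:50000 fetching a page from 198.51.100.5:80
C, S = "192.0.2.10", "198.51.100.5"
SAMPLE_SESSION = [
    (0.000, C, S, build_tcp(50000, 80, 1000, 0, SYN)),
    (0.040, S, C, build_tcp(80, 50000, 5000, 1001, SYN | ACK)),
    (0.041, C, S, build_tcp(50000, 80, 1001, 5001, ACK)),
    (0.042, C, S, build_tcp(50000, 80, 1001, 5001, PSH | ACK, b"G" * 100)),   # 100-byte request
    (0.090, S, C, build_tcp(80, 50000, 5001, 1101, ACK, b"R" * 1460)),
    (0.091, S, C, build_tcp(80, 50000, 6461, 1101, ACK, b"R" * 1460)),
    (0.130, S, C, build_tcp(80, 50000, 7921, 1101, PSH | ACK, b"R" * 1000)),
    (0.131, C, S, build_tcp(50000, 80, 1101, 8921, ACK)),
]

if __name__ == "__main__":
    print(find_handshake(SAMPLE_SESSION))
    print(measure_transfer(SAMPLE_SESSION))
```

On the sample the handshake RTT is 0.040 s, the server sends 3,920 payload bytes over the 0.088 s data phase, and the ACK RTT samples show the server's 0.048 s response delay for the request and the client's acknowledgment delays for each response segment. Congestion, latency and receive window size all show up in exactly these timestamps and acknowledgment gaps.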

o Comparison Criteria:
• Data Encryption: Compare how data is encrypted in transit on an
HTTPS site versus the plaintext transmission on an HTTP site.
• TLS Handshake: Identify the presence of a TLS handshake in the
secure website traffic and note its absence in the insecure site.
• Sensitive Information: Look for sensitive information such as login
credentials in the captured traffic. Identify how well (or poorly) each
site protects this information.
• Certificate Information: For the secure site, examine the certificate
details exchanged during the HTTPS connection.

Deliverable: Provide screenshots of the TCP handshake and data transfer sessions
with annotations. Include explanations of the connection establishment process and
performance factors in TCP communication and all comparisons.

7. Task 4: Security Issues and Intrusion Detection (5 Marks):
a. Analyze for Potential Security Issues: Look through the entire capture for
any unusual or suspicious activity (e.g., repeated failed logins, malformed
packets, signs of network scanning, or Denial-of-Service (DoS) attempts).
i. Use filters to identify anomalies (e.g., tcp.flags.syn == 1 and tcp.flags.ack == 0
for SYN flooding attempts, icmp for excessive ICMP requests that
might indicate a DoS attack).
b. Analyze a Security Event:
i. Identify one specific security event (e.g., SYN flood, unusual DNS
queries, or brute-force login attempts).
ii. Provide a description of the event, explain how Wireshark helped you
detect it, and discuss potential security threats it could indicate.
c. Mitigation Strategies: Discuss how the security threat you identified could be
mitigated or prevented in a real-world scenario (e.g., firewalls, intrusion
detection systems, encryption).

Deliverable: Provide a detailed report on the identified security issue, screenshots of
relevant Wireshark traffic, and explanations of how the issue can be mitigated.
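The script below is an added example for Task 4 and is not part of the assignment. It applies the same test as the filter tcp.flags.syn == 1 and tcp.flags.ack == 0 to a list of packet summaries and turns the three anomalies the task names into detection rules a defender would run over a capture: a burst of bare SYNs from one source inside a sliding time window (SYN flood), one source probing many distinct ports (scanning), and an ICMP burst (possible DoS). The packet records, the addresses in the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the thresholds are all constructed for illustration; real thresholds must be tuned to the network's normal traffic.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def is_bare_syn(flags):
    """Same condition as the Wireshark filter 'tcp.flags.syn == 1 and tcp.flags.ack == 0'."""
    return bool(flags & SYN) and not flags & ACK


def max_in_window(times, window):
    """Largest number of events falling inside any interval of `window` seconds."""
    times, best, j = sorted(times), 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_anomalies(packets, window=1.0, syn_threshold=50, port_threshold=20, icmp_threshold=100):
    """packets: iterable of (ts, proto, src_ip, dst_ip, dst_port, tcp_flags).
    Thresholds are illustrative assumptions, not tuned values. Returns alerts sorted by type."""
    syn_times, targets, icmp_times = defaultdict(list), defaultdict(set), defaultdict(list)
    for ts, proto, src, dst, dport, flags in packets:
        if proto == "tcp" and is_bare_syn(flags):
            syn_times[src].append(ts)
            targets[src].add((dst, dport))
        elif proto == "icmp":
            icmp_times[src].append(ts)
    alerts = []
    for src, times in syn_times.items():
        peak = max_in_window(times, window)
        if peak >= syn_threshold:
            alerts.append({"type": "syn_flood", "src": src, "peak_syns_per_window": peak})
        if len(targets[src]) >= port_threshold:
            alerts.append({"type": "port_scan", "src": src, "distinct_targets": len(targets[src])})
    for src, times in icmp_times.items():
        peak = max_in_window(times, window)
        if peak >= icmp_threshold:
            alerts.append({"type": "icmp_flood", "src": src, "peak_per_window": peak})
    return sorted(alerts, key=lambda a: (a["type"], a["src"]))


# Constructed sample capture summaries (no real hosts involved)
SERVER = "198.51.100.5"
SAMPLE_PACKETS = []
SAMPLE_PACKETS += [(1.0 * i, "tcp", "192.0.2.10", SERVER, 443, SYN) for i in range(1, 4)]            # normal client
SAMPLE_PACKETS += [(1.0 * i + 0.02, "tcp", SERVER, "192.0.2.10", 50000, SYN | ACK) for i in range(1, 4)]
SAMPLE_PACKETS += [(20.0 + i * 0.0025, "tcp", "203.0.113.7", SERVER, 80, SYN) for i in range(200)]   # 200 SYNs in 0.5 s
SAMPLE_PACKETS += [(40.0 + i / 3, "tcp", "203.0.113.8", SERVER, 1 + i, SYN) for i in range(30)]      # 30 ports in 10 s
SAMPLE_PACKETS += [(60.0 + i / 150, "icmp", "203.0.113.9", SERVER, None, 0) for i in range(150)]     # 150 pings in 1 s

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_PACKETS):
        print(alert)
```

The normal client produces no alert even though its SYNs match the filter, which is the point of counting per source and per time window rather than reporting every bare SYN. The scanner's SYN rate is far below the flood threshold and is caught only by the distinct-target rule, so the two rules are complementary.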

8. Bonus Task: SSL/TLS Decryption (Optional, 5 Marks):


a. If possible, use Wireshark to decrypt SSL/TLS traffic (requires access to server
private keys or pre-master secret).
b. Explain the process of decrypting encrypted HTTPS traffic and the ethical
considerations in doing so.

Deliverable: Provide a brief report on the steps required to decrypt SSL/TLS traffic
and the legal/ethical concerns associated with packet decryption.

Submission:

• Submit a report (4-6 pages) summarizing your findings from each task, including
annotated Wireshark screenshots and explanations.
• Your report should include:
o A description of the traffic captured
o Key findings for each protocol (DNS, HTTP, HTTPS, TCP)
o Identification and analysis of any potential security issues
o Recommendations for improving network security based on your analysis
o Differences in security between the two websites.
o Risks involved in using vulnerable websites.
o Recommendations for improving security on vulnerable websites.
o Screenshots of Wireshark captures showing key differences.

Grading Rubric:

• Capture Traffic and Setup (5 Marks)
• DNS Traffic Analysis (5 Marks)
• HTTP/HTTPS Traffic Analysis (5 Marks)
• TCP Handshake and Data Transfer Analysis (5 Marks)
• Security Issues and Intrusion Detection (5 Marks)
• Good comparison between both websites (5 Marks)
• Bonus Task: SSL/TLS Decryption (Optional 5 Marks)

Appendix

Secure Websites
1. Google (https://www.google.com)

• Reason: Google is one of the most widely used websites for DNS analysis, and it uses
both HTTP/2 and HTTPS, providing students the opportunity to observe secure
connections and encrypted traffic.
• Tasks:
o Capture DNS queries and responses.
o Analyze the HTTPS handshake.

2. Wikipedia (https://www.wikipedia.org)

• Reason: Wikipedia offers both HTTP and HTTPS access, so students can compare
unsecured HTTP traffic with secured HTTPS traffic. It’s also a highly interactive
website with multiple resource requests.
• Tasks:
o Compare HTTP and HTTPS traffic.
o Analyze GET requests for page resources.
o Examine content delivery through DNS queries.

3. Amazon (https://www.amazon.com)

• Reason: Amazon generates a lot of HTTP GET/POST requests, allowing students to
examine detailed web traffic. Students can observe user interaction with the site,
which triggers multiple network communications.
• Tasks:
o Capture and analyze GET and POST requests.
o Investigate encrypted HTTPS traffic and TLS handshakes.

4. GitHub (https://www.github.com)

• Reason: GitHub uses secure connections (HTTPS) and has several elements on its
pages that generate complex traffic. It's also a good platform for analyzing traffic
related to developer tools and services.
• Tasks:
o Analyze the HTTPS traffic and handshake.
o Observe how data like page resources and API calls are transmitted securely.

5. OpenDNS (https://www.opendns.com)

• Reason: OpenDNS is a DNS resolution service that students can use to observe DNS
query/response behavior, especially in relation to security services and domain
filtering.

• Tasks:
o Analyze DNS query responses.
o Investigate DNS resolution and performance.
o Examine how DNS can be used to filter or block traffic.

Optional:

• Wireshark Sample Captures (https://wiki.wireshark.org/SampleCaptures)


o Reason: Wireshark provides sample packet captures that can be used for
practice. Students can analyze pre-recorded traffic with a focus on different
protocols, giving them insights into common network patterns and
anomalies.
o Tasks:
▪ Analyze pre-captured traffic for common protocols (e.g., DNS, HTTP,
TCP).
▪ Investigate and document potential security issues.

Vulnerable Websites
1. Vulnerable Web Application (OWASP Juice Shop) - https://owasp.org/www-project-juice-shop/

• Reason: OWASP Juice Shop is a deliberately vulnerable web application, designed for
security training. It has various vulnerabilities, including SQL Injection, Cross-Site
Scripting (XSS), and more, making it ideal for hands-on learning.
• Potential Vulnerabilities:
o Insecure handling of HTTP requests.
o SQL Injection and XSS attacks.
• Tasks:
o Capture network traffic for login attempts and analyze HTTP vulnerabilities.
o Investigate insecure communications and the lack of proper encryption.

2. HTTP Test Site (http://httpforever.com)

• Reason: This is a deliberately HTTP-only site, meaning data is transmitted in plaintext
and can be intercepted. Students can explore the risks associated with HTTP
compared to HTTPS.
• Potential Vulnerabilities:
o Plaintext HTTP traffic vulnerable to interception.
o Lack of encryption makes sensitive data easy to capture.
• Tasks:
o Capture HTTP traffic and identify sensitive information like credentials.
o Analyze how data is transmitted without encryption.

3. WebGoat - https://owasp.org/www-project-webgoat/
• Reason: WebGoat is another vulnerable web application maintained by OWASP. It’s
designed to teach web application security lessons and contains various
vulnerabilities, including Cross-Site Request Forgery (CSRF), insecure authentication,
and more.
• Potential Vulnerabilities:
o Insecure authentication and session management.
o CSRF, XSS, and command injection attacks.
• Tasks:
o Capture and analyze network traffic during attacks (e.g., CSRF, SQL injection).
o Observe insecure session tokens being transmitted in plaintext or
unprotected.

4. HTTP-only Site with Basic Auth (http://testphp.vulnweb.com)

• Reason: This is a deliberately vulnerable website designed for testing purposes. It
offers students opportunities to see how basic HTTP authentication and weak
encryption can be exploited.
• Potential Vulnerabilities:
o Weak authentication (Basic Auth) over HTTP.
o Exposure of sensitive credentials and data.
• Tasks:
o Capture login attempts and analyze how credentials are sent in plaintext.
o Investigate weak authentication mechanisms and how they can be
intercepted.

5. Insecure FTP Server (ftp://test.rebex.net)

• Reason: This is a public FTP test server that allows anonymous logins and uses an
insecure protocol. FTP transmits credentials and data in plaintext, making it easy to
capture sensitive information.
• Potential Vulnerabilities:
o Plaintext credentials for FTP logins.
o No encryption of data during file transfers.
• Tasks:
o Capture FTP traffic and analyze username/password transmission in
plaintext.
o Examine file transfers to see how data is vulnerable to interception.
