Network Traffic and Exploit Identification
Learning Objectives and Outcomes
Analyze network packet captures.
Assignment Requirements
Answer the following questions based on the packet capture that follows each one. You may research any of these on the Internet if you need to do so.
- What was the first connection made, to where, and via what protocol?
15:40:19.571032 IP 192.168.2.62.44389 > 192.168.2.104.22: S 1273007928:1273007928(0) win 5840
15:40:19.571720 IP 192.168.2.104.22 > 192.168.2.62.44389: S 1312754191:1312754191(0) ack 1273007929 win 5792
15:40:19.571812 IP 192.168.2.62.44389 > 192.168.2.104.22: . ack 1 win 92
15:40:19.604635 IP 192.168.2.104.22 > 192.168.2.62.44389: P 1:40(39) ack 1 win 91
15:40:19.611687 IP 192.168.2.62.44389 > 192.168.2.104.22: . ack 40 win 92
15:40:19.612844 IP 192.168.2.62.44389 > 192.168.2.104.22: P 1:40(39) ack 40 win 92
- What website did the user visit? What port did it connect to?
15:42:31.063149 IP 192.168.2.62.36182 > 192.168.2.1.53: 64516+ A? google.com. (28)
15:42:31.080163 IP 192.168.2.1.53 > 192.168.2.62.36182: 64516 6/0/0 A 74.125.95.103,[|domain]
15:42:31.126128 IP 192.168.2.62.60175 > 74.125.95.103.80: S 3347203011:3347203011(0) win 5840
15:42:31.151658 IP 74.125.95.103.80 > 192.168.2.62.60175: S 1961428039:1961428039(0) ack 3347203012 win 5672
15:42:31.151923 IP 192.168.2.62.60175 > 74.125.95.103.80: . ack 1 win 92
15:42:31.152698 IP 192.168.2.62.60175 > 74.125.95.103.80: P 1:465(464) ack 1 win 92
15:42:31.185873 IP 74.125.95.103.80 > 192.168.2.62.60175: . ack 465 win 106
15:42:31.186930 IP 74.125.95.103.80 > 192.168.2.62.60175: P 1:512(511) ack 465 win 106
15:42:31.186969 IP 192.168.2.62.60175 > 74.125.95.103.80: . ack 512 win 108
- What is different about this connection to the same site? Explain what was different, and what this would mean to a security analyst performing packet captures.
15:47:49.273824 IP 192.168.2.62.42937 > 192.168.2.1.53: 30382+ A? www.google.com. (32)
15:47:49.292587 IP 192.168.2.1.53 > 192.168.2.62.42937: 30382 7/0/0 CNAME www.l.google.com.,[|domain]
15:47:49.293736 IP 192.168.2.62.44190 > 209.85.225.104.443: S 4032272183:4032272183(0) win 5840
15:47:49.320776 IP 209.85.225.104.443 > 192.168.2.62.44190: S 901179054:901179054(0) ack 4032272184 win 5672
15:47:49.320842 IP 192.168.2.62.44190 > 209.85.225.104.443: . ack 1 win 92
15:47:49.321702 IP 192.168.2.62.44190 > 209.85.225.104.443: P 1:164(163) ack 1 win 92
15:47:49.351569 IP 209.85.225.104.443 > 192.168.2.62.44190: . ack 164 win 106
15:47:49.352940 IP 209.85.225.104.443 > 192.168.2.62.44190: . 1:1419(1418) ack 164 win 106
15:47:49.352966 IP 192.168.2.62.44190 > 209.85.225.104.443: . ack 1419 win 137
- What is occurring in the following traffic capture? What tells you this?
15:50:53.508777 IP 192.168.2.104.52386 > 192.168.2.62.5900: S 3291711383:3291711383(0) win 2048
15:50:53.508927 IP 192.168.2.62.5900 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.509020 IP 192.168.2.104.52386 > 192.168.2.62.110: S 3291711383:3291711383(0) win 4096
15:50:53.509033 IP 192.168.2.62.110 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.509614 IP 192.168.2.104.52386 > 192.168.2.62.22: S 3291711383:3291711383(0) win 1024
15:50:53.509629 IP 192.168.2.62.22 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.510196 IP 192.168.2.104.52386 > 192.168.2.62.1025: S 3291711383:3291711383(0) win 4096
15:50:53.510210 IP 192.168.2.62.1025 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.511099 IP 192.168.2.104.52386 > 192.168.2.62.135: S 3291711383:3291711383(0) win 4096
15:50:53.511113 IP 192.168.2.62.135 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.511220 IP 192.168.2.62.199 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.511275 IP 192.168.2.104.52386 > 192.168.2.62.23: S 3291711383:3291711383(0) win 1024
15:50:53.511289 IP 192.168.2.62.23 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.512057 IP 192.168.2.104.52386 > 192.168.2.62.993: S 3291711383:3291711383(0) win 3072
15:50:53.512082 IP 192.168.2.62.993 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.512490 IP 192.168.2.104.52386 > 192.168.2.62.80: S 3291711383:3291711383(0) win 3072
15:50:53.512503 IP 192.168.2.62.80 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.512625 IP 192.168.2.104.52386 > 192.168.2.62.587: S 3291711383:3291711383(0) win 2048
15:50:53.512636 IP 192.168.2.62.587 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.513796 IP 192.168.2.104.52386 > 192.168.2.62.139: S 3291711383:3291711383(0) win 2048
15:50:53.513816 IP 192.168.2.62.139 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
- Advanced analysis exercise: Packet (d) below contains interesting content. Read through it carefully and explain what might be occurring.
a. 16:05:51.768502 IP (tos 0x0, ttl 64, id 46146, offset 0, flags [DF], proto TCP (6), length 451) 192.168.2.62.51622 > 192.168.2.104.8080: P 999656888:999657287(399) ack 1026547700 win 544
E….B@.@……>…h….;…=/….. ………….KmGET /zzioR5iD HTTP/1.1 Host:
b. 16:05:51.963761 IP (tos 0x0, ttl 64, id 26181, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.104.8080 > 192.168.2.62.51622: ., cksum 0x70f9 (correct), 1:1(0) ack 399 win 175
E..4fE@.@.N….h…>….=/..;..G….p…………..
c. 16:05:55.129265 IP (tos 0x0, ttl 64, id 26182, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.2.104.8080 > 192.168.2.62.51622: . 1:1449(1448) ack 399 win 175
E…fF@.@.H….h…>….=/..;..G….=…………..HTTP/1.1 200 OKContent-Type:
d. 16:05:55.130916 IP (tos 0x0, ttl 64, id 26186, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.2.104.8080 > 192.168.2.62.51622: . 5793:7241(1448) ack 399 win 175
E…fJ@.@.H….h…>….=/..;..G………………216){tOy += tOy;}
Required Resources
§ Course textbook
§ Internet access
Submission Requirements
§ Format: Microsoft Word (or compatible)
§ Font: Arial, size 12, double-space
§ Citation Style: Follow your school’s preferred style guide
§ Length: 1 to 2 pages
Self-Assessment Checklist
§ I analyzed the packet captures.
§ I answered each question fully.
§ I followed the submission guidelines.