Ask a New Question
Menu

SEC290

Fundamentals of Infrastructure Security
Module 2 Intrusion Analysis using Wireshark
basic attack analysis questions
Look at captures no. 20 and 22. (You can use the “Go” link at the top of the Wireshark screen to quickly go to a specific capture) Both packets are ICMP traffic but there are subtle differences between them. Compare the time-to-live and data field sizes in the two packets. What differences do you see?

Do a little Internet research to discover which operating systems use the specific values in their ping commands. What operating system generated the echo request in capture 20?

Review packet no. 37 and beyond, what do you think is taking place here? __________________

Look at capture 22846. What is suspicious about the flag settings in this packet?

What is the IP address of the host being targeted?

1 answer

To answer your questions accurately regarding the traffic captures in Wireshark, here's how you can conduct the analysis based on the information provided and expected outcomes.

Capture Analysis:

  1. Comparing Packets 20 and 22 (ICMP Traffic):

    • Time-to-Live (TTL):
      • Typically, the TTL value is set by the operating system when an ICMP packet is generated. Common TTL values are as follows:
        • Windows: Often uses 128
        • Linux: Often uses 64
        • macOS: Typically also uses 64.
      • Compare the TTL values from packets 20 and 22. If packet 20 has a TTL of 128 and packet 22 has a TTL of 64, for example, this suggests that packet 20 likely originated from a Windows host while packet 22 came from a Linux or macOS system.
    • Data Field Sizes:
      • Examine the size of the ICMP payload in each packet. Differences in payload size might indicate variations in the default behavior of the ping command or how much data is being sent in the echo request.
      • Typically, Windows ping command sends 32 bytes by default, while Linux generally sends 64 bytes.

  2. Operating Systems for Ping Commands:

    • As you conduct your research, you’ll find that different operating systems have their own default TTL and data payload configurations for ICMP packets. If you determine that capture 20 used a TTL of 128 and a payload of 32 bytes, you can conclude that it is likely from Windows.

  3. Packet No. 37 and Beyond:

    • After reviewing these packets, assess what type of communication or activity is taking place. If you see a lot of SYN packets without corresponding ACKs, this could indicate a SYN flood attack or scanning behavior from the source IP address. If you see a series of ICMP packets, it could imply a ping sweep.

  4. Capture 22846 Flag Settings:

    • Inspect the flags in the TCP header of capture 22846. Suspicious settings could include flags like “SYN” without follow-up packets, “FIN” or “RST” flags when not appropriate, or unusual combinations that suggest port scanning or other malicious activities.
    • Flag settings that indicate unusual sequences or inconsistencies (e.g., receiving a reset on an open connection) can also be suspicious.

  5. Targeted IP Address:

    • The targeted IP address is often either the destination of the suspicious traffic or the endpoint of the attack (for example, if identifying a victim in a scan). Check the destination IPs in the relevant packets (look for SYN packets targeting specific ports).

For exact answers, you would need to open Wireshark and analyze the defined captures according to these parameters. Each capture should give you details you can interpret based on the above criteria.