Exercises: ARP, ICMP, DNS, HTTP/TCP, Trace analysis

Exercises
• ARP
• ICMP
• DNS
• HTTP/TCP
• Trace analysis

ARP
• Launch Wireshark and start capturing on the active interface.
• ipconfig /all ; see the local IP address and the default gateway
• route print ; find the gateway
• arp -a ; list all MAC addresses learned
• arp -d * ; delete all MAC addresses learned
• ping www.polyu.edu.hk
• What is the MAC address of the router?

Hints
• If the default gateway/router's MAC address is not in the cache, the host broadcasts an ARP request for it; the router's MAC address is the sender hardware address in the ARP reply.
• The default gateway's IP address is preconfigured or learnt through the DHCP protocol.
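The exchange the hints describe, as an added example that is not part of the slides: a pure-Python parser for Ethernet/ARP frames that builds the same IP-to-MAC table `arp -a` would show, then reads the router's MAC out of the reply. The two frames, the addresses and the MACs are constructed for the demo (a request from 192.168.1.10 for the gateway 192.168.1.1, and the gateway's reply); nothing here is taken from a real capture.

```python
import struct

ETHERTYPE_ARP = 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; None if it is anything else."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": {1: "request", 2: "reply"}.get(oper, oper),
        "sender_mac": mac_str(body[0:6]),   # in a reply this is the answering host's MAC
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }

def build_arp(oper, smac, sip, tmac, tip):
    """Build a frame for the constructed sample (requests go to the broadcast MAC)."""
    dst = b"\xff" * 6 if oper == 1 else tmac
    eth = dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + smac + sip + tmac + tip

def learn_arp_cache(frames):
    """What `arp -a` shows after the ping: IP -> MAC learned from ARP replies."""
    cache = {}
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == "reply":
            cache[arp["sender_ip"]] = arp["sender_mac"]
    return cache

def gateway_mac(frames, gateway_ip):
    """The answer to the exercise question, given the gateway IP from `ipconfig /all`."""
    return learn_arp_cache(frames).get(gateway_ip)

# Constructed sample: host asks for the gateway, gateway answers.
HOST_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
HOST_IP, GW_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
SAMPLE_FRAMES = [
    build_arp(1, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP),
    build_arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_arp(frame))
    print("gateway MAC:", gateway_mac(SAMPLE_FRAMES, "192.168.1.1"))
```

The cache is filled only from replies; a real stack also learns from requests addressed to it, which is why `arp -a` sometimes shows neighbours you never pinged.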

ICMP
• ping www.polyu.edu.hk
  – Reference: http://www.networksorcery.com/enp/protocol/icmp.htm
  – What is the value of 'Type' in the outgoing ICMP packet?
  – What is the value of 'Type' in the incoming ICMP packet?
  – Take a look at the data section in the incoming ICMP packet.
• tracert www.polyu.edu.hk
  – What are the answers to the above two questions?

Hints
• Ping
  – Send: ICMP Echo Request (Type 8)
  – Receive: ICMP Echo Reply (Type 0); its data section echoes the payload of the request
• Traceroute
  – Send: any kind of IP packet with a deliberately small TTL; it has to be an ICMP Echo Request if we want a reply from the destination itself (Windows tracert does this)
  – Receive: ICMP Time Exceeded (Type 11) from the router where the TTL ran out; it quotes the IP header of the probe plus the first 8 bytes of its payload
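The ping and traceroute logic from the hints, as an added example that is not part of the slides: ICMP checksum, Echo Request/Reply construction, a parser that reads Type and the data section (including the quoted header inside a Time Exceeded), and a traceroute loop that raises the TTL until the destination answers. The two routers, the host address and the toy network function are constructed for the simulation; no packets are sent.

```python
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; 0 when run over a correct message."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP Echo Request (Type 8) or Echo Reply (Type 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(hdr + payload), ident, seq) + payload

def build_ipv4(src, dst, ttl, payload, proto=1):
    """Minimal IPv4 header (no options) carrying an ICMP payload."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, src, dst]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def parse_icmp(msg):
    """Decode the fields the exercise asks about: Type, and the data section."""
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("short ICMP message or bad checksum")
    out = {"type": msg[0], "code": msg[1]}
    if out["type"] in (ECHO_REQUEST, ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]                    # a reply echoes the request payload
    elif out["type"] == TIME_EXCEEDED:
        quoted = msg[8:]                         # IP header + first 8 bytes of the expired probe
        ihl = (quoted[0] & 0x0F) * 4
        out["orig_src"] = ".".join(map(str, quoted[12:16]))
        out["orig_dst"] = ".".join(map(str, quoted[16:20]))
        out["orig_l4"] = quoted[ihl:ihl + 8]     # enough to match the id/seq of the probe
    return out

# Constructed topology for the simulation: two routers between us and the target.
HOST = bytes([10, 0, 0, 2])
ROUTERS = [bytes([10, 0, 0, 1]), bytes([10, 1, 1, 1])]
DEST = bytes([158, 132, 19, 132])

def network_reply(ip_packet):
    """Toy network: a probe whose TTL runs out at router N gets Time Exceeded from router N;
    a probe that survives reaches DEST, which answers with Echo Reply."""
    ttl = ip_packet[8]
    if ttl <= len(ROUTERS):
        quoted = ip_packet[:28]
        hdr = struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0)
        msg = struct.pack("!BBHI", TIME_EXCEEDED, 0, checksum(hdr + quoted), 0) + quoted
        return build_ipv4(ROUTERS[ttl - 1], HOST, 64, msg)
    req = parse_icmp(ip_packet[20:])
    return build_ipv4(DEST, HOST, 64, build_echo(ECHO_REPLY, req["id"], req["seq"], req["data"]))

def traceroute(max_hops=30):
    """Send Echo Requests with TTL 1, 2, 3, ... and record who answered and with which Type."""
    path = []
    for ttl in range(1, max_hops + 1):
        probe = build_ipv4(HOST, DEST, ttl, build_echo(ECHO_REQUEST, 0x1234, ttl, b"abcdefgh"))
        reply = network_reply(probe)
        responder = ".".join(map(str, reply[12:16]))
        icmp = parse_icmp(reply[20:])
        path.append((ttl, responder, icmp["type"]))
        if icmp["type"] == ECHO_REPLY:
            break
    return path

if __name__ == "__main__":
    for hop in traceroute():
        print(hop)
```

In a real capture the intermediate replies are Type 11 from addresses you never sent to, and only the last one is Type 0 from the target; the quoted header is how the sender matches each Time Exceeded back to the probe that caused it.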

DNS
• nslookup
• www.polyu.edu.hk
• Take a look at the DNS query and response packets
• nslookup
• set type=PTR
• 158.132.19.132
• Take a look at the DNS query and response packets

Hints
• set type=A (default setting)
  – Normal DNS lookup: get the IP address from a host name
• set type=PTR
  – Reverse DNS lookup: get the host name from its IP address
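The two lookups above on the wire, as an added example that is not part of the slides: a builder for the A and PTR queries nslookup sends (including the reversed in-addr.arpa name for `set type=PTR`) and a parser for the responses that follows RFC 1035 name-compression pointers, which is what Wireshark is decoding when it shows an answer name "pointing back" to the question. The sample responses are constructed here; the address is simply the one used in the exercise, not a live lookup.

```python
import struct

A, PTR = 1, 12

def ptr_name(ip):
    """The name nslookup asks for after `set type=PTR`: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(txid, name, qtype):
    """Standard query, RD=1, one question, no answers (what the client sends)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_message(msg):
    """Header flags, question section and answer section (A and PTR rdata decoded)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A:
            value = ".".join(map(str, rdata))
        elif rtype == PTR:
            value, _ = decode_name(msg, off)
        else:
            value = rdata
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def build_response(query, rtype, rdata, ttl=300):
    """Constructed reply: copies the question and points the answer name back at it (0xC00C)."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + query[12:] + answer

# Sample exchange (constructed; the address is the one in the exercise, not a live lookup).
Q_A = build_query(0x1234, "www.polyu.edu.hk", A)
R_A = build_response(Q_A, A, bytes([158, 132, 19, 132]))
Q_PTR = build_query(0x1235, ptr_name("158.132.19.132"), PTR)
R_PTR = build_response(Q_PTR, PTR, encode_name("www.polyu.edu.hk"))

if __name__ == "__main__":
    for m in (Q_A, R_A, Q_PTR, R_PTR):
        print(parse_message(m))
```

The transaction ID is what ties a response to its query; in the capture, check that the ID in the response matches the query you sent and that the QR bit (0x8000) is set.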

HTTP/TCP
• Use a browser to visit www.polyu.edu.hk
• Take a look at
  – TCP's three-way handshake
  – the sequence numbers in packets from the server and the acknowledgement number in packets from the client
  – the HTTP header in the packets from the server
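What to check in that capture, as an added example that is not part of the slides: a TCP header parser and a walk over one connection that verifies the three-way handshake (SYN, SYN+ACK acknowledging ISN+1, ACK acknowledging the server's ISN+1), then confirms that every later acknowledgement number equals the peer's sequence number plus the bytes received, and pulls the status line and headers out of the server's HTTP response. It also converts the raw numbers to the relative ones Wireshark displays by default. The segments, ISNs and HTTP contents are constructed for the demo.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header without options; checksum left zero (constructed sample only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def parse_tcp(seg):
    sport, dport, seq, ack, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": seg[(offset >> 4) * 4:]}

def parse_http_head(payload):
    """Status line and headers of an HTTP response, as shown under 'Hypertext Transfer Protocol'."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode()
    status, *lines = head.split("\r\n")
    return {"status": status, **dict(line.split(": ", 1) for line in lines)}

def walk_connection(segments):
    """Verify the three-way handshake, then check every segment's seq/ack against the
    bytes exchanged so far. Returns (relative seq/ack rows, headers of the HTTP response)."""
    s = [parse_tcp(x) for x in segments]
    def need(cond, why):
        if not cond:
            raise ValueError(why)
    need(s[0]["flags"] & SYN and not s[0]["flags"] & ACK, "segment 1 must be a bare SYN")
    need(s[1]["flags"] & SYN and s[1]["flags"] & ACK, "segment 2 must be SYN+ACK")
    need(s[1]["ack"] == s[0]["seq"] + 1, "SYN+ACK must acknowledge client ISN + 1")
    need(s[2]["flags"] & ACK and s[2]["ack"] == s[1]["seq"] + 1, "final ACK must acknowledge server ISN + 1")
    client, isn_c, isn_s = s[0]["sport"], s[0]["seq"], s[1]["seq"]
    next_c, next_s = isn_c + 1, isn_s + 1                 # each SYN consumes one sequence number
    relative, headers = [], None
    for seg in s[2:]:
        from_client = seg["sport"] == client
        n = len(seg["payload"])
        if from_client:
            need(seg["seq"] == next_c and seg["ack"] == next_s, "client seq/ack out of step")
            relative.append(("C", seg["seq"] - isn_c, seg["ack"] - isn_s, n))
            next_c += n
        else:
            need(seg["seq"] == next_s and seg["ack"] == next_c, "server seq/ack out of step")
            relative.append(("S", seg["seq"] - isn_s, seg["ack"] - isn_c, n))
            next_s += n
            if seg["payload"].startswith(b"HTTP/"):
                headers = parse_http_head(seg["payload"])
    return relative, headers

# Constructed sample: handshake, one GET and its reply; ISNs are arbitrary, as real ones are.
C_ISN, S_ISN = 1000000, 5000000
GET = b"GET / HTTP/1.1\r\nHost: www.polyu.edu.hk\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE = [
    build_tcp(51000, 80, C_ISN, 0, SYN),
    build_tcp(80, 51000, S_ISN, C_ISN + 1, SYN | ACK),
    build_tcp(51000, 80, C_ISN + 1, S_ISN + 1, ACK),
    build_tcp(51000, 80, C_ISN + 1, S_ISN + 1, PSH | ACK, GET),
    build_tcp(80, 51000, S_ISN + 1, C_ISN + 1 + len(GET), PSH | ACK, RESP),
    build_tcp(51000, 80, C_ISN + 1 + len(GET), S_ISN + 1 + len(RESP), ACK),
]

if __name__ == "__main__":
    rel, hdrs = walk_connection(SAMPLE)
    for row in rel:
        print(row)
    print(hdrs)
```

The rows come out as (side, relative seq, relative ack, payload length): the client's ACK of the response carries ack = 1 + len(RESP), which is exactly the "next expected byte" Wireshark prints as the acknowledgement number.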

Trace analysis
• Real trace from a VoIP hacking demo
• Analyze the trace using Wireshark and answer the following questions
  – Which 4 protocols are involved in the pcap?
  – Which codec does the RTP stream use?
  – How did the attacker gain access to the server?
  – Where is the hacked server?
• Tip: look into the payload

Hints
• 4 protocols: HTTP, SIP, RTP, RTCP
• The RTP stream uses G.711 PCMU coding
  – Hear it: Telephony -> RTP -> Stream Analysis
• Access: a default user name/password, sent in clear in an HTTP request
  – Authorization: Basic bWFpbnQ6cGFzc3dvcmQ= (Base64 of maint:password)
• Location: the public IP 132.248.255.82 appears in an HTTP response
  – Follow the HTTP connections and look into the HTTP responses
  – Use geolocation websites to locate the city: Distrito Federal, Mexico
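The same four questions answered by code, as an added example that is not part of the slides: a dissector that classifies IPv4 packets as SIP, RTCP, RTP or HTTP using the same heuristics Wireshark applies (SIP request/status lines on UDP, RTP version 2 with the RTCP packet-type range 200-204 separating RTCP from RTP, HTTP request/status lines on TCP), maps the RTP payload type to its RFC 3551 codec name, decodes a Basic Authorization header, and collects globally routable addresses found in HTTP response bodies. The sample traffic is constructed: only the Basic token and the 132.248.255.82 address come from the hints; the SIP/RTP contents and the private addresses are made up for the demo.

```python
import base64, ipaddress, re, struct

# Static RTP payload types from RFC 3551 (the exercise's stream uses 0 = PCMU).
RTP_PAYLOAD_TYPES = {0: "PCMU (G.711 mu-law)", 8: "PCMA (G.711 A-law)", 9: "G722", 18: "G729"}
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet (checksum left 0) for the sample below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def rtp(pt, seq, audio):
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, 0xDEADBEEF) + audio

def dissect(pkt):
    """Classify one IPv4 packet and pull out the fields the questions need."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])), "proto": "other"}
    l4 = pkt[ihl:]
    if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        return info
    info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    is_udp = proto == 17
    data = l4[8:] if is_udp else l4[(l4[12] >> 4) * 4:]
    if is_udp and re.match(rb"^(?:[A-Z]+ sip:|SIP/2\.0 )", data):
        info["proto"], info["first_line"] = "SIP", data.split(b"\r\n")[0].decode()
    elif is_udp and len(data) >= 8 and data[0] >> 6 == 2 and 200 <= data[1] <= 204:
        info["proto"], info["pt"] = "RTCP", data[1]                     # SR/RR/SDES/BYE/APP
    elif is_udp and len(data) >= 12 and data[0] >> 6 == 2:
        info["proto"], info["pt"] = "RTP", data[1] & 0x7F
        info["codec"] = RTP_PAYLOAD_TYPES.get(info["pt"], "dynamic/unknown")
    elif not is_udp and re.match(rb"^(?:[A-Z]+ \S+ HTTP/|HTTP/)", data):
        info["proto"] = "HTTP"
        head, _, body = data.partition(b"\r\n\r\n")
        info["first_line"] = head.split(b"\r\n")[0].decode()
        m = re.search(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", head, re.M)
        if m:                                                           # Basic auth is Base64, not encryption
            info["basic_auth"] = base64.b64decode(m.group(1)).decode()
        info["ips_in_body"] = [x.decode() for x in IPV4_RE.findall(body)]
    return info

def summarize(packets):
    """Answer the four exercise questions from a list of IPv4 packets."""
    infos = [dissect(p) for p in packets]
    body_ips = {ip for i in infos if i["proto"] == "HTTP" for ip in i["ips_in_body"]}
    return {
        "protocols": sorted({i["proto"] for i in infos if i["proto"] != "other"}),
        "codecs": sorted({i["codec"] for i in infos if i["proto"] == "RTP"}),
        "credentials": sorted({i["basic_auth"] for i in infos if "basic_auth" in i}),
        "public_ips": sorted(ip for ip in body_ips if ipaddress.ip_address(ip).is_global),
    }

# Constructed sample traffic (see the lead-in for which values come from the hints).
SAMPLE = [
    ipv4("192.168.0.5", "192.168.0.10", 17, udp(5060, 5060, b"INVITE sip:100@192.168.0.10 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.5\r\n\r\n")),
    ipv4("192.168.0.10", "192.168.0.5", 17, udp(5060, 5060, b"SIP/2.0 200 OK\r\n\r\n")),
    ipv4("192.168.0.5", "192.168.0.10", 17, udp(10000, 20000, rtp(0, 1, b"\xFF" * 160))),
    ipv4("192.168.0.5", "192.168.0.10", 17, udp(10001, 20001, struct.pack("!BBH", 0x80, 200, 6) + b"\x00" * 24)),
    ipv4("192.168.0.5", "192.168.0.10", 6, tcp(40000, 80, b"GET /admin HTTP/1.1\r\nHost: pbx\r\nAuthorization: Basic bWFpbnQ6cGFzc3dvcmQ=\r\n\r\n")),
    ipv4("192.168.0.10", "192.168.0.5", 6, tcp(80, 40000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>WAN address: 132.248.255.82</p>")),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The public-IP filter uses `ipaddress.ip_address(...).is_global`, so RFC 1918 and loopback addresses that also show up in page bodies are dropped; which city the remaining address maps to still needs a geolocation database, which this script does not include.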

Useful links
• Protocols
  – http://www.networksorcery.com/enp/default1101.htm
• Wireshark
  – http://www.wireshark.org/download/docs/userguide-a4.pdf
• TCPDump
  – http://www.tcpdump.org/tcpdump_man.html