
Lab Exercise 3 - Sniffing

This document describes a cybersecurity lab exercise on network packet sniffing and analysis using Wireshark. The exercise involves analyzing sample packet capture files containing Telnet, HTTP, and FTP traffic to identify usernames, passwords, files transferred and their contents. It also includes capturing live network traffic when logging into a website and filtering the packet capture to find the HTTP POST with login credentials.

Uploaded by

Ryan Robinson

CS 3710 Introduction to Cybersecurity

Term: Fall 2021

Lab Exercise 3 – Sniffing


Due Date: September 24, 2021 11:59pm
Points Possible: 7 points

Name: Ryan Robinson

By submitting this assignment you are digitally signing the honor code, “On my honor, I pledge that I
have neither given nor received help on this assignment.”

1. Overview

In this exercise, you will be introduced to Wireshark, a tool for a core network monitoring, security,
and forensic skill: reading and understanding network traffic. Wireshark (a packet analyzer) lets you
view pieces of data (called packets) in real time as they go in and out of a system, and lets you save
them as packet capture (pcap or cap) files. In this exercise, you will analyze packet capture files and
capture live network traffic in real time.

2. Resources required

This exercise requires a Kali Linux VM running in the Cyber Range. Please log in at
https://console.virginiacyberrange.net/.

3. Initial Setup

From your Virginia Cyber Range course, select the Cyber Basics environment. Click “start” to start your
environment and “join” to get to your Linux desktop.

4. Tasks

Task 1: Analyzing a Wireshark capture file

Wireshark offers a variety of sample packet captures to analyze for learning about network traffic,
attacks, and how to use the tool. You can find the whole list at:
https://wiki.wireshark.org/SampleCaptures.

A. Go to the Wireshark SampleCaptures page, click on #20 Telnet, and then click on
telnet-cooked.pcap to download it. The file is saved in the /home/student/Downloads folder. You
can open the pcap file from within an open Wireshark GUI by going to File -> Open, or you can
open the file from the command line by supplying Wireshark the path and file name.

What is the username and password of the Telnet user? (.5 point)
Username: fake
Password: user

© 2020 Virginia Cyber Range. Created by Thomas Weeks. (CC BY-NC-SA 4.0)
Modified by Angela Orebaugh, Ph.D, CISSP, University of Virginia

What is the operating system and version of the server that the user logged into? (.5 point)
OpenBSD 2.6-beta

Once the user was logged in what commands did they run? (.5 point)
ls
ls -a
exit

B. Next download an HTTP packet capture with several downloaded images here:
https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http_with_jpegs.cap.gz.

Paste a screenshot of the last image that was downloaded. (.5 point)

What is the date and time that the image was downloaded? (.5 point)
Date: Sat, 20 Nov 2004 10:21:13 GMT

C. Now it’s time to do some cyber forensics analysis on FTP. Next download and open a new pcap
file from http://artifacts.virginiacyberrange.net/gencyber/ftp_attack.pcap. This is a packet
capture of a file transfer using FTP. FTP uses ports 21 and 20. Port 21 is the command port and
port 20 is the data port. Open the file in Wireshark to begin your analysis.

The user logs in early on in the capture and downloads a file. Inspect this traffic and answer the
following questions:

What is the username and password of the FTP user? (.5 point)
USER anonymous
PASS h4x0r@evil.com

What is the name and version of the FTP software on the server? (.5 point)
(vsFTPd 2.2.2)

What is the name of the file that was downloaded? (.5 point)
File.txt

What is the content of the file downloaded? (.5 point)


test file for download

Later in the FTP capture the user tries to log in using another username. After many failed password
guesses the user guesses the correct password and is authenticated to the FTP server. Inspect this
traffic and answer the following questions:

What is the new username and password of the FTP user that is successful? (.5 point)
User: golightly
Password: letmein

What are the names of the 2 files that were downloaded while logged in as this new user? (.5 point)
CC_data.csv
shadow

Cut and paste a screenshot of the contents of the two files that were downloaded while logged in as this
user. (.5 point)

Shadow: failed to open

Hints: FTP filtering will help here. Also, HTTP files can be downloaded as an object, but FTP file transfers are
embedded in the data channel.
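
The pattern examined in part C (repeated failed PASS attempts, then a successful login followed by downloads) can be flagged from the port 21 command channel alone. The Python code below is an added example, not part of the lab handout; the transcript is constructed rather than exported from ftp_attack.pcap, and the `C`/`S` line format, the `attempt` and `analyze` helpers and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

def attempt(user, ok):
    """Build one constructed USER/PASS exchange (C = client, S = server)."""
    verdict = "S 230 Login successful." if ok else "S 530 Login incorrect."
    return [f"C USER {user}", "S 331 Please specify the password.",
            "C PASS <redacted>", verdict]

# Constructed transcript, not an export of ftp_attack.pcap.
SAMPLE = (["S 220 (vsFTPd 2.2.2)"] + attempt("anonymous", True)
          + ["C RETR File.txt"] + attempt("golightly", False) * 3
          + attempt("golightly", True)
          + ["C RETR CC_data.csv", "C RETR shadow"])

def analyze(lines, threshold=3):
    """Flag logins that succeed after >= threshold failures, and what they fetch."""
    user, pending, logged_in = None, False, None
    failures = defaultdict(int)
    guessed, alerts = set(), []
    for line in lines:
        side, _, payload = line.partition(" ")
        if side == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user, pending = arg.strip(), False
            elif verb == "PASS" and user:
                pending = True          # next final server reply is the verdict
            elif verb == "RETR" and logged_in in guessed:
                alerts.append(("retr-after-guessing", logged_in, arg.strip()))
        elif side == "S" and pending:
            reply = re.match(r"(\d{3}) ", payload)  # "230-" continues a reply
            if not reply:
                continue
            pending = False
            if reply.group(1) == "530":             # login rejected
                failures[user] += 1
            elif reply.group(1) == "230":           # login accepted
                logged_in = user
                if failures[user] >= threshold:
                    guessed.add(user)
                    alerts.append(("login-after-failures", user, failures[user]))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The anonymous session produces no alert because its login had no preceding failures; only the account that was guessed, and the files it retrieved afterwards, are reported.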

Task 2: Capturing traffic real-time using Wireshark

Now let’s take a look at some real-time packet capturing. Make sure that you are running Wireshark as
root.

Start a real-time capture in Wireshark and then open a Web Browser within the Cyber Range and go to
the site dvwa.example.com. You will see a login screen. Log in using the username of admin and the
password of password. You can exit out after you have logged in and then stop the Wireshark capture.

Filter your packet capture to show the HTTP POST where you entered your username and password.

What filter did you use? (.5 point)


http.request.method=="POST"

Cut and paste a screenshot of your packet capture that shows the username and password. (.5 point)

NOTE: We will be using dvwa.example.com in future labs, so feel free to look around.
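
Why the POST found in Task 2 exposes the login: over plain HTTP the form body travels as readable `name=value` pairs. The Python code below is an added example, not part of the lab handout, that audits one captured request and reports credential-like field names with only the value length; the request bytes are constructed, and the path `/login.php`, the form field names, the `SENSITIVE` fragments and the function name are assumptions.

```python
from urllib.parse import parse_qsl

SENSITIVE = ("pass", "pwd", "secret", "token")  # assumed field-name fragments

# Constructed request resembling a login form POST over plain HTTP.
RAW = (b"POST /login.php HTTP/1.1\r\n"
       b"Host: dvwa.example.com\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n"
       b"Content-Length: 44\r\n\r\n"
       b"username=admin&password=password&Login=Login")

def cleartext_credential_fields(raw):
    """Return (field, value_length) for credential-like fields in a form POST."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return []                        # header block incomplete in this capture
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for header in lines[1:]:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        return []
    declared = headers.get("content-length", "")
    length = int(declared) if declared.isdigit() else len(body)
    fields = parse_qsl(body[:length].decode("iso-8859-1"),
                       keep_blank_values=True)
    # Report the field name and value length only, never the value itself.
    return [(k, len(v)) for k, v in fields
            if any(fragment in k.lower() for fragment in SENSITIVE)]

if __name__ == "__main__":
    print(cleartext_credential_fields(RAW))
```

The same request sent over HTTPS would never reach this function as readable bytes, which is the mitigation the exercise points toward.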

By submitting this assignment you are digitally signing the honor code, “I pledge that I have
neither given nor received help on this assignment”.

END OF EXERCISE

References

• Wireshark https://www.wireshark.org/
