Index
1. Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.
2. Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated connection attempts or unusual communication between hosts.
3. Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as command-and-control traffic or data infiltration.
4. Password Sniffing: Simulate a scenario where a password is transmitted in plaintext. Use Wireshark to capture and analyze the packets to demonstrate the vulnerability and the importance of encryption.
5. ARP Poisoning Attack: Set up an ARP poisoning attack using tools like Ettercap. Analyze the captured packets to understand how the attack can lead to a Man-in-the-Middle scenario.
6. SQL Injection: Use DVWA to practice SQL injection attacks. Demonstrate how an attacker can manipulate input fields to extract, modify, or delete database information.
7. Cross-Site Scripting (XSS): Exploit XSS vulnerabilities in DVWA to inject malicious scripts into web pages. Show the potential impact of XSS attacks, such as stealing cookies or defacing websites.
Experiment No:1
Aim: Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.
a. Open Wireshark.
b. The following screen, showing a list of all the network interfaces, is displayed. Select one or more of the interfaces using shift+left-click, or click on the tab "All Interfaces Shown".
c. Once the network interface is selected, start the capture, and
there are several ways to do that.
i. Click the first button on the toolbar, titled “Start capturing
packets.”
OR
select the menu item Capture-> Start
d. During the capture process, Wireshark will show the following
screen
e. Once all required packets are captured, use the same buttons
or menu options to stop the capture as you did to begin.
Analyzing data packets on Wireshark: Wireshark Interface
Wireshark shows three different panes for inspecting packet data. The Packet List, the top pane, lists all the packets in the capture; the Packet Details pane below it shows the decoded protocol fields of the selected packet, and the Packet Bytes pane at the bottom shows the raw bytes of that packet.
Wireshark filters
i) Wireshark capture filters
Capture filters limit which packets are captured. Packets that don't match the filter are discarded rather than saved:
a. host IP-address: limits the captured traffic to packets to and from the IP address
b. net 192.168.0.0/24: captures all traffic on the subnet
c. dst host IP-address: captures packets sent to the specified host
d. port 53: captures traffic on port 53 only
e. port not 53 and not arp: captures all traffic except DNS and ARP traffic
ii) Wireshark display filters
Display filters change which packets are shown during analysis; nothing is discarded from the capture.
i) ip.src==IP-address and ip.dst==IP-address: shows packets sent from one computer (ip.src) to another (ip.dst). You can also use ip.addr to show packets to and from that IP.
ii) tcp.port eq 25: shows all traffic on port 25, which is usually SMTP traffic
iii) icmp: shows only the ICMP traffic in the capture, most likely pings
iv) ip.addr != IP_address: shows all traffic except the traffic to or from the specified computer
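The following is an added example and is not part of this lab manual or of Wireshark: a small Python dissector for the Ethernet, IPv4, TCP, UDP and ICMP headers that Wireshark decodes into the Packet Details pane, together with an evaluator for the display filters listed above (bare protocol names, ==/eq and !=/ne comparisons, the two-direction fields ip.addr and tcp.port, terms joined with "and", optional negation). The frames, MAC addresses and IP addresses are constructed in memory (RFC 5737 documentation ranges); no interface or capture file is used. The evaluator treats ip.addr != X as "neither address is X", which is what the description above intends; older Wireshark releases evaluated ip.addr != X field by field (true when either address differed), so !(ip.addr == X) is the unambiguous way to exclude a host in Wireshark itself.

```python
"""Added example (not part of the lab manual or of Wireshark): a minimal
dissector for the Ethernet, IPv4, TCP, UDP and ICMP headers that Wireshark
decodes into its Packet Details pane, plus an evaluator for the display
filters listed above. All frames are constructed in memory; nothing is sent."""
import re
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_BITS = {"fin": 0x001, "syn": 0x002, "reset": 0x004, "ack": 0x010}
# Fields that Wireshark matches in either direction.
EITHER_WAY = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
              "udp.port": ("udp.srcport", "udp.dstport")}
_CMP = re.compile(r"(\S+?)\s*(==|!=|\beq\b|\bne\b)\s*(\S+)")


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dissect(frame):
    """Decode one frame into a flat dict keyed by Wireshark-style field names."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"eth.dst": _mac(dst), "eth.src": _mac(src), "eth.type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return fields                                   # ARP etc.: stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _sum, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                             # header length incl. options
    fields.update({"ip.src": socket.inet_ntoa(sip), "ip.dst": socket.inet_ntoa(dip),
                   "ip.proto": proto, "ip.ttl": ttl})
    l4 = ip[ihl:total_len]
    if proto == 6 and len(l4) >= 20:                    # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack})
        for name, bit in TCP_FLAG_BITS.items():
            fields[f"tcp.flags.{name}"] = 1 if off_flags & bit else 0
    elif proto == 17 and len(l4) >= 8:                  # UDP
        fields["udp.srcport"], fields["udp.dstport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1 and len(l4) >= 4:                   # ICMP
        fields["icmp.type"], fields["icmp.code"] = struct.unpack("!BB", l4[:2])
    return fields


def _term(fields, term):
    """One comparison ("tcp.port eq 25") or a bare protocol name ("icmp")."""
    m = _CMP.fullmatch(term)
    if m is None:
        return any(k == term or k.startswith(term + ".") for k in fields)
    name, op, value = m.groups()
    present = value in {str(fields[k]) for k in EITHER_WAY.get(name, (name,)) if k in fields}
    return present if op in ("==", "eq") else not present


def matches(fields, expr):
    """Evaluate terms joined by 'and'; a term may be negated with '!' or 'not'."""
    for term in re.split(r"\s+and\s+", expr.strip()):
        negate = False
        if term.startswith("!"):
            negate, term = True, term[1:]
        elif term.startswith("not "):
            negate, term = True, term[4:]
        term = term.strip().strip("()").strip()
        if _term(fields, term) == negate:
            return False
    return True


def apply_display_filter(expr, frames):
    """Indices of the frames that pass the display filter."""
    return [i for i, frame in enumerate(frames) if matches(dissect(frame), expr)]


def ipv4_frame(src_ip, dst_ip, proto, payload):
    """Ethernet + IPv4 around a transport payload (fixed MACs, checksums left 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return (bytes.fromhex("020000000001") + bytes.fromhex("02000000000a")
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)


def tcp_segment(sport, dport, flags, seq=0, ack=0):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


# Constructed five-frame capture: web SYN and SYN/ACK, DNS query, SMTP SYN, ping.
SAMPLE_CAPTURE = [
    ipv4_frame("192.168.0.10", "203.0.113.34", 6, tcp_segment(51000, 80, 0x002, seq=100)),
    ipv4_frame("203.0.113.34", "192.168.0.10", 6, tcp_segment(80, 51000, 0x012, seq=500, ack=101)),
    ipv4_frame("192.168.0.10", "192.168.0.1", 17, struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00\x01\x01\x00"),
    ipv4_frame("192.168.0.10", "198.51.100.25", 6, tcp_segment(51001, 25, 0x002, seq=7)),
    ipv4_frame("192.168.0.10", "192.168.0.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
]

if __name__ == "__main__":
    for expr in ("tcp.port eq 25", "icmp", "ip.addr == 203.0.113.34", "!(ip.addr == 203.0.113.34)"):
        print(f"{expr:30} -> frames {apply_display_filter(expr, SAMPLE_CAPTURE)}")
```

Running the script prints which of the five constructed frames each filter keeps; the relative acknowledgement number Wireshark shows as 1 for the SYN/ACK is visible here as the raw value 101 (the SYN's sequence number 100 plus one).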
Experiment No:2
Aim: Detecting Suspicious Activity: Analyze network traffic to
identify suspicious patterns, such as repeated connection
attempts or unusual communication between hosts.
HTTPS traffic analysis
HTTP (Hypertext Transfer Protocol) is the application-layer protocol that carries requests and responses between an HTTP client and server. HTTPS carries the same exchange inside a TLS session, so on the wire only the TLS handshake and encrypted records are visible.
Start a Wireshark capture -> Open a web browser -> Navigate to any HTTPS-based website -> Stop the Wireshark capture.
Input 'ssl' in the filter box to monitor only HTTPS traffic -> Observe the first TLS packet -> The destination IP is the target IP (server).
TCP traffic analysis
A standard port scan takes advantage of the TCP three-way handshake. The attacker sends a SYN packet to the target port. The port is considered open when a SYN+ACK comes back, whereas the arrival of an RST shows the port is closed. After receiving SYN+ACK, the scanner would send an ACK packet to complete the TCP connection.
Analyze TCP SYN traffic
Input 'tcp.port == 80' to see only the TCP traffic belonging to the web server connection.
Observe the TCP [SYN] packet. Expand Ethernet and observe that the destination address is the default gateway's MAC address, whereas the source is your own MAC address.
To check the IP details, expand Internet Protocol Version 4; in our case, the destination IP is Google's web server IP, and the source IP is the local IP address.
To view TCP details such as the port numbers, expand Transmission Control Protocol. Monitor the flag values: SYN being set marks the first step of the TCP three-way handshake.
Analyze TCP SYN, ACK traffic
Take a look at the TCP [SYN, ACK] packet. Expand Ethernet and observe that the destination address is now your own MAC address, whereas the source is the default gateway's address.
Monitor the acknowledgement number. Note that Wireshark displays relative sequence and acknowledgement numbers by default, which is why it shows 1: the real acknowledgement value is one higher than the sequence number of the SYN it acknowledges.
Monitor the flag values: [SYN, ACK] being set marks the second step of the TCP three-way handshake.
Analyze SYN flood attack
A SYN flood occurs when an attacker sends a large number of SYN packets to a server from spoofed IPs, causing the server to respond to each with a SYN+ACK and keep the connection half-open, waiting for a response from a client that never answers.
By overwhelming a victim with SYN packets, an attacker can exhaust the victim's resources: the victim struggles with the traffic, processor and memory usage rise, and eventually its resources are used up.
Use the hping3 tool to flood the victim IP. Simultaneously, start capturing the traffic in Wireshark. Input 'tcp.flags.syn == 1' in the filter box to view the flood of SYN packets.
Notice a lot of SYN packets with no time lag between them.
Analyze DoS attacks
Let's simulate a Denial of Service (DoS) attack to analyze it via Wireshark. Use the macof tool, a component of the dsniff toolkit, to flood the switch of a surrounding device with MAC addresses.
The image below shows one IP address generating requests to another device with the same data size repeatedly. This sort of traffic is typical of a network DoS attack.
For a DDoS attack, use the macof tool again to generate traffic. Observe that fake source and destination IP addresses are sending many packets with similar data sizes.
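The following is an added example, not part of the lab manual: Python detection logic for the patterns this experiment has you recognise by eye, namely the three-way handshake, a SYN scan (SYNs answered by RST on closed ports), the half-open SYN flood, and the macof burst of source MAC addresses. It runs over a constructed packet list that summarises frames the way the Packet List pane does; the addresses, ports and timings are made up, and the thresholds (50 SYNs per second, 10 ports) are illustrative defaults rather than tuned values.

```python
"""Added example (not part of the lab manual): detection logic for the traffic
patterns of Experiment 2, run over a constructed packet list: a half-open SYN
flood against one server port (the hping3 scenario), one client probing many
ports on one host (the SYN scan described above) and a burst of never-seen
source MACs (the macof CAM-table flood). Nothing is captured or sent."""
from collections import defaultdict, namedtuple

# One row of Wireshark's packet list: timestamp, source MAC, IPv4 endpoints,
# ports and TCP flags as letters ("S", "SA", "A", "RA"; "" for non-TCP).
Pkt = namedtuple("Pkt", "t src_mac src dst sport dport flags")


def track_handshakes(pkts):
    """Replay the capture; return each TCP flow's final state keyed by
    (client, client_port, server, server_port)."""
    state = {}
    for p in sorted(pkts, key=lambda p: p.t):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            state[fwd] = "SYN"
        elif p.flags == "SA" and state.get(rev) == "SYN":
            state[rev] = "SYN-ACK"            # half-open until the client ACKs
        elif p.flags == "A" and state.get(fwd) == "SYN-ACK":
            state[fwd] = "ESTABLISHED"
        elif "R" in p.flags and state.get(rev) in ("SYN", "SYN-ACK"):
            state[rev] = "REFUSED"            # RST answered the SYN: port closed
    return state


def detect_syn_flood(pkts, window=1.0, threshold=50):
    """Return (server, port, syns_in_window, half_open) for every server port
    receiving >= threshold SYNs within `window` seconds, most of which never
    complete the handshake (spoofed sources never ACK)."""
    state = track_handshakes(pkts)
    per_target = defaultdict(list)
    for p in pkts:
        if p.flags == "S":
            per_target[(p.dst, p.dport)].append(p)
    alerts = []
    for (server, port), syns in per_target.items():
        syns.sort(key=lambda p: p.t)
        lo = 0
        for hi in range(len(syns)):           # sliding window over SYN arrival times
            while syns[hi].t - syns[lo].t > window:
                lo += 1
            batch = syns[lo:hi + 1]
            if len(batch) < threshold:
                continue
            half_open = sum(state[(q.src, q.sport, server, port)] in ("SYN", "SYN-ACK")
                            for q in batch)
            if half_open * 2 > len(batch):
                alerts.append((server, port, len(batch), half_open))
                break
    return alerts


def detect_port_scan(pkts, min_ports=10):
    """Return (client, server, ports_probed, refused) for clients that sent
    SYNs to many distinct ports on one host; `refused` counts RST answers."""
    probes = defaultdict(dict)                # (client, server) -> {port: state}
    for (client, _cport, server, port), st in track_handshakes(pkts).items():
        probes[(client, server)][port] = st
    return [(c, s, len(ports), sum(st == "REFUSED" for st in ports.values()))
            for (c, s), ports in probes.items() if len(ports) >= min_ports]


def max_new_macs(pkts, window=1.0):
    """Largest number of previously unseen source MACs first seen within any
    `window` seconds; a switch's CAM table fills when this spikes (macof)."""
    first_seen = {}
    for p in sorted(pkts, key=lambda p: p.t):
        first_seen.setdefault(p.src_mac, p.t)
    firsts = sorted(first_seen.values())
    best = lo = 0
    for hi in range(len(firsts)):
        while firsts[hi] - firsts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def build_sample():
    """Constructed capture: a normal handshake, a 16-port SYN scan, an 80-SYN
    spoofed flood and a 150-address MAC burst. All addresses are made up."""
    srv, srv_mac = "192.168.0.20", "02:00:00:00:00:20"
    pkts = [Pkt(1.000, "02:00:00:00:00:0a", "192.168.0.10", srv, 51000, 80, "S"),
            Pkt(1.001, srv_mac, srv, "192.168.0.10", 80, 51000, "SA"),
            Pkt(1.002, "02:00:00:00:00:0a", "192.168.0.10", srv, 51000, 80, "A")]
    for i in range(16):                       # scanner probes ports 20-35; only 22 is open
        port, t = 20 + i, 5.0 + i * 0.01
        pkts.append(Pkt(t, "02:00:00:00:00:66", "192.168.0.66", srv, 55000 + i, port, "S"))
        pkts.append(Pkt(t + 0.001, srv_mac, srv, "192.168.0.66", port, 55000 + i,
                        "SA" if port == 22 else "RA"))
    for i in range(80):                       # spoofed sources from one NIC; nobody ever ACKs
        src, t = f"10.9.0.{i + 1}", 10.0 + i * 0.005
        pkts.append(Pkt(t, "02:00:00:00:00:03", src, srv, 40000 + i, 80, "S"))
        pkts.append(Pkt(t + 0.001, srv_mac, srv, src, 80, 40000 + i, "SA"))
    for i in range(150):                      # macof-style burst of random-looking MACs
        pkts.append(Pkt(20.0 + i * 0.001, f"06:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
                        "0.0.0.0", "0.0.0.0", 0, 0, ""))
    return pkts
```

The flood rule deliberately requires both volume and incompleteness: a busy web server also receives many SYNs per second, but its handshakes finish, so the half-open ratio is what separates load from attack. The scan rule keys on one client touching many ports of one host, so the spoofed flood sources (one port each) do not trip it, and the MAC rule looks only at first sightings, so a chatty but known station never counts.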
Experiment No:3
Aim: Malware Traffic Analysis: Analyze captured traffic to identify signs of malware communication, such as command-and-control traffic or data infiltration.
The malware being analysed is called Dridex. This malware targets financial institutions and is typically delivered through spreadsheets with custom macros, which download tools or utilities that in turn download the malware.
We investigate it by looking for TLS handshakes (handshake type 1 is the Client Hello that opens each session). We can do this by using:
tls.handshake.type eq 1
Since this traffic is encrypted, we will decrypt it with the decryption key we were provided with on GitHub.
Now, filter the HTTP traffic and the TLS handshakes, excluding SSDP:
(http.request or tls.handshake.type eq 1) and !(ssdp)
Here is an interesting GET request where it looks like it was reaching for a .dll file.
If we follow this through an HTTP stream, we can see that it has already been downloaded. The string "This program cannot be run in DOS mode" is the DOS stub of a Windows executable, so the rest of the content is the DLL.
Save this file and use a website like VirusTotal to see what kind of malware it is.
Here we can get a very detailed breakdown of the file:
Potential method of infection:
We can also find a very unusual POST request for this .php file:
After the system has been infected, it tries to connect to a control server. Following the TLS stream, we can see that it does indeed try to connect to the control server.
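As an added example (not from this lab write-up; the sample messages are constructed, not the Dridex capture), the Python below automates what the "Follow HTTP Stream" step found by eye. It parses a reconstructed request/response pair, flags a GET for an executable, recognises a Windows PE file in the response body by its "MZ" header and the "This program cannot be run in DOS mode" stub text, and reports a POST to a server-side script. The stand-in DLL body is a padded 256-byte DOS header, so its SHA-256 only illustrates the value you would submit to VirusTotal; example.invalid is a reserved name that never resolves.

```python
"""Added example (not from the lab write-up): automate what the 'Follow HTTP
Stream' step above found by eye. Every message here is constructed; the
stand-in DLL is a padded DOS header, not the Dridex sample."""
import hashlib

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
EXECUTABLE_EXT = (".dll", ".exe", ".scr")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")


def parse_http(raw):
    """Split one HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def looks_like_pe(body):
    """Windows PE files begin with the 'MZ' DOS header and carry the DOS stub
    message within the first few hundred bytes."""
    return body[:2] == b"MZ" and DOS_STUB_TEXT in body[:512]


def inspect_stream(request, response):
    """Findings for one reconstructed request/response pair."""
    req_line, req_headers, req_body = parse_http(request)
    method, target, _version = req_line.split(" ", 2)
    path = target.split("?", 1)[0].lower()
    host = req_headers.get("host", "?")
    _status, resp_headers, resp_body = parse_http(response)
    findings = []
    if method == "GET" and path.endswith(EXECUTABLE_EXT):
        findings.append(f"GET for executable {target} from {host}")
    if looks_like_pe(resp_body):
        ctype = resp_headers.get("content-type", "?")
        note = " (declared as text: content-type mismatch)" if ctype.startswith("text/") else ""
        findings.append(f"PE executable in response body{note}: Content-Type {ctype}, "
                        f"{len(resp_body)} bytes, sha256 {hashlib.sha256(resp_body).hexdigest()}")
    if method == "POST" and path.endswith(SCRIPT_EXT):
        findings.append(f"POST of {len(req_body)} bytes to script {target} on {host}")
    return findings


def fake_pe(size=256):
    """Constructed stand-in for a downloaded DLL: DOS header, stub text, zero padding."""
    body = (b"MZ" + bytes(62) + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b".\r\r\n$")
    return body + bytes(size - len(body))


# Constructed streams; example.invalid is a reserved name that never resolves.
SAMPLE_STREAMS = {
    "dll_download": (
        b"GET /files/update.dll HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 256\r\n\r\n"
        + fake_pe(256)),
    "php_post": (
        b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\nContent-Type: application/octet-stream\r\n"
        b"Content-Length: 16\r\n\r\n" + bytes(16),
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"),
    "benign": (
        b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"),
}

if __name__ == "__main__":
    for name, (req, resp) in SAMPLE_STREAMS.items():
        print(name, inspect_stream(req, resp) or ["nothing notable"])
```

The body check looks at content rather than the URL or the declared Content-Type, which is why it still fires when a download is served from a .php path or labelled as text/html; the hash of the saved body is what you compare against VirusTotal, and hashing the reassembled body rather than a single packet matters because the file spans many TCP segments.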
Experiment No:4
Aim: Password Sniffing: Simulate a scenario where a
password is transmitted in plaintext. Use Wireshark to
capture and analyze the packets to demonstrate the
vulnerability and the importance of encryption.
Solution:
Password sniffing is a type of network attack in which an attacker
intercepts data packets that include passwords. The attacker then
uses a password-cracking program to obtain the actual passwords
from the intercepted data. Password sniffing can be used to obtain
passwords for any type of account, including email, social media, and
financial accounts.
Step 1: Open Wireshark and start capturing on the network interface. Here we are capturing on the Wi-Fi interface.
Step 2: After starting the packet capture, go to the website and log in with the credentials on that website.
Step 3: After completing the login, capture the password in Wireshark. For that we have to use some filters that help find the login credentials in the captured packets.
Step 4: Wireshark has captured many packets, but we are specifically looking for HTTP packets, so in the display filter bar we use a filter to show only the captured HTTP packets.
Step 5: Among the captured HTTP packets, we are specifically looking for the form data that the user submitted to the website. For that, we have a separate filter.
There are two main methods used for submitting form data from web pages like login forms to the server:
● GET
● POST
Step 6: First, to find the credentials, we try the first method and apply the filter for GET requests.
As we can see in the image, there are two packets where the login page was requested with a GET request, but no form data was submitted with a GET request.
Step 7: Since the GET requests did not carry the form data, we try the POST method and apply the corresponding filter in Wireshark, as shown.
We now have a packet with form data. Click on the packet with the user info and the application/x-www-form-urlencoded content, then expand "HTML Form URL Encoded", where the login credentials are found. The credentials are the same ones that we entered on the website in step 2.
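The following is an added example and not part of this lab write-up: a Python check that finds credential fields in captured cleartext HTTP requests, decoding the same data Wireshark shows under "HTML Form URL Encoded" (the query string of a GET, or a POST body sent as application/x-www-form-urlencoded). The requests, the host name (testsite.invalid) and the password are constructed, and the alert stores only a redacted value. Over HTTPS the same form submission travels inside the TLS record layer, so this decoder would see nothing, which is the point the experiment makes about encryption. Wireshark's own display filters for steps 6 and 7 are http.request.method == "GET" and http.request.method == "POST".

```python
"""Added example (not part of the lab manual): find credential fields in
captured cleartext HTTP requests, the way Wireshark's "HTML Form URL Encoded"
dissector exposes them. Requests and the password below are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

CREDENTIAL_FIELD = re.compile(r"pass|pwd|passwd|secret|token|pin|otp", re.IGNORECASE)


def parse_request(raw):
    """Return (method, target, lower-cased headers, body) for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def form_fields(method, target, headers, body):
    """The fields Wireshark decodes as 'HTML Form URL Encoded': the query string
    of a GET, or a POST body declared as application/x-www-form-urlencoded."""
    if method == "GET":
        return parse_qsl(urlsplit(target).query, keep_blank_values=True)
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if method == "POST" and media_type == "application/x-www-form-urlencoded":
        return parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return []


def redact(value):
    """Keep only the first character so the alert itself never stores the secret."""
    return (value[:1] + "*" * (len(value) - 1)) if value else ""


def cleartext_credential_alerts(raw_request):
    """One alert per credential-like field found in a cleartext request."""
    method, target, headers, body = parse_request(raw_request)
    alerts = []
    for name, value in form_fields(method, target, headers, body):
        if CREDENTIAL_FIELD.search(name):
            alerts.append({
                "method": method,
                "host": headers.get("host", "?"),
                "path": urlsplit(target).path,
                "field": name,
                "value": redact(value),
                "length": len(value),
                # a GET also leaves the secret in server, proxy and browser-history logs
                "exposure": "query string" if method == "GET" else "request body",
            })
    return alerts


# Constructed requests: the login page fetch (no form data), a POST login and a
# GET login. testsite.invalid is a reserved name; the password is made up.
SAMPLE_REQUESTS = {
    "login_page": b"GET /login.php HTTP/1.1\r\nHost: testsite.invalid\r\n\r\n",
    "post_login": (b"POST /login.php HTTP/1.1\r\nHost: testsite.invalid\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 50\r\n\r\n"
                   b"username=alice&password=Winter2024%21&submit=Login"),
    "get_login": b"GET /login.php?user=bob&pwd=hunter2 HTTP/1.1\r\nHost: testsite.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, cleartext_credential_alerts(raw) or "no credential fields")
```

The login-page GET yields nothing, exactly as in step 6, while the POST body yields the password field with its percent-encoded value decoded (Winter2024%21 becomes an 11-character secret) as in step 7; the GET variant shows why a form that submits credentials in the query string is worse still, since the value also lands in logs.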
Experiment No:5
Aim: ARP Poisoning Attack: Set up an ARP poisoning attack
using tools like Ettercap. Analyze the captured packets to
understand how the attack can lead to a Man-in-the-Middle
scenario.
1. Open Ettercap.
2. Go to the pull-down menu that says "Sniff" and click on "Unified Sniffing".
3. Click "OK"; ettercap launches its sniffing and loads its plugins.
4. Click on the "Hosts" tab; its men includes "Scan for Hosts". Click on it and ettercap will begin scanning the network for hosts.
5. Now, using that same "Hosts" tab, click on "Hosts List". This will display all the hosts that ettercap has discovered on your network, as seen in the screenshot below.
6. Now, select one of the hosts that will be the target of this attack by clicking on it in the window, then click on "Add to Target 1" at the bottom of the window. When we do so, ettercap adds that host as the first target in our MiTM attack, as seen in the screenshot below. Next, select the second host in this attack and click "Add to Target 2".
7. Finally, go to the menu above and click on the MITM tab; the drop-down menu has a selection called "ARP Poisoning", as seen in the screenshot below.
8. Select it and a pop-up window like the one below opens. Select "Sniff remote connections". When we press OK, ettercap begins ARP poisoning and responds in its main window with the message below.
Now we have successfully placed ourselves between the two target systems, and all their traffic must flow through us.
9. This is how ARP poisoning looks in Wireshark.
Wireshark warns you with the message "(duplicate use of <ip> detected!)".
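The following is an added example and not part of this lab manual or of Wireshark: a passive ARP monitor in Python that raises the same condition behind Wireshark's "duplicate use of <ip> detected!" warning, plus a second rule for one MAC answering for several IP addresses, which is the shape the Target 1 / Target 2 poisoning above takes on the wire. The frames are built in memory with RFC 826 field packing and constructed addresses; none are transmitted.

```python
"""Added example (not part of the lab manual or of Wireshark): a passive ARP
monitor that reports the "duplicate use of <ip>" condition Wireshark flags,
plus one MAC claiming several IPs. All frames are constructed; nothing is sent."""
import socket
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP (RFC 826) packet as it would appear in a capture."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(eth_dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      _mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP packet; return None for anything that is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": _mac_str(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": _mac_str(tmac), "target_ip": socket.inet_ntoa(tip)}


class ArpMonitor:
    """Learns sender IP/MAC pairs from every ARP packet and reports conflicts."""

    def __init__(self):
        self.macs_for_ip = defaultdict(list)   # ip  -> MACs that claimed it, first-seen order
        self.ips_for_mac = defaultdict(list)   # mac -> IPs it has claimed
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] == "0.0.0.0":   # not ARP, or an ARP probe
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        claimed_by = self.macs_for_ip[ip]
        if mac not in claimed_by:
            if claimed_by:                                 # Wireshark's "duplicate use" case
                self.alerts.append(f"duplicate use of {ip} detected: {claimed_by[0]} and now {mac}")
            claimed_by.append(mac)
        owned = self.ips_for_mac[mac]
        if ip not in owned:
            owned.append(ip)
            if len(owned) > 1:                             # one station speaking for several hosts
                self.alerts.append(f"{mac} now answers for {len(owned)} addresses: {', '.join(owned)}")

    def run(self, frames):
        for frame in frames:
            self.observe(frame)
        return self.alerts


def build_sample():
    """Constructed sequence: gateway and host answer normally, then a third
    station answers for both of them (the pattern the MiTM setup above produces)."""
    gw_ip, gw_mac = "192.168.0.1", "02:00:00:00:00:01"
    host_ip, host_mac = "192.168.0.10", "02:00:00:00:00:0a"
    rogue_mac = "02:00:00:00:00:66"
    return [
        arp_frame(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),
        arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),
        arp_frame(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip),     # "I am the gateway"
        arp_frame(ARP_REPLY, rogue_mac, host_ip, gw_mac, gw_ip),       # "I am the host"
        arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),        # real gateway still answering
    ]


if __name__ == "__main__":
    for line in ArpMonitor().run(build_sample()):
        print(line)
```

A DHCP lease moving to another machine, or a virtual IP failing over between redundant gateways, produces the same duplicate-use alert legitimately, so treat it as a signal to correlate: whether the new MAC is already known on the segment, whether the old owner keeps answering (as in the last frame above), and whether one MAC has started answering for a host and its gateway at once, which has no routine explanation.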