Computer Science Man In the Middle Assignment
CS 6035
Quick Intro to Wireshark
If youʼre already familiar with Wireshark, you can skip this section.
As a quick introduction to some Wireshark syntax, letʼs get familiar with some commands. For this
quick introduction we are going to focus on the Azure Wireserver, which will be in your packet
capture. (Not sure what it is? Check out: What is the Azure Wire Server?)
When you open Wireshark, you will be asked how you want to set up the packet capture. In our
case, we will open a previously recorded PCAP file that contains all captured network traffic.
To open an existing file, go to “File > Open.” Locate the downloaded PCAP file and click “Open”:
In the PCAP for this project there is a special IP address for the Azure Wireserver, 168.63.129.16. If
you work on the Azure platform you will have seen this IP address all the time; it is used for DNS,
health probes and much more.
8/25/24, 2:00 AM Quick Intro to Wireshark | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Quick Intro to Wireshark.html 1/4
Below we will use this IP address and some Wireshark display filter commands to navigate through
the PCAP. The filter below shows only packets whose source or destination address is the Wireserver:
ip.addr==168.63.129.16
If you would like to filter by a protocol and the IP address you would add the protocol before or
after the IP address like the following:
ip.addr==168.63.129.16 and http
Similarly, you can enter just the protocol with no IP address, and that will show all traffic of that
protocol regardless of source or destination. Now that you know the basics, I strongly recommend
you review the Wireshark Userʼs Guide at
https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html
and the Display Filters section of the wiki at https://wiki.wireshark.org/DisplayFilters.
There are numerous videos on YouTube explaining basic Wireshark functionality. I recommend this
one from Anson Alex: https://www.youtube.com/watch?v=TkCSr30UojM
For this project, you will also need the Python interpreter, which can be found here: Python
download page
For a guided walkthrough on installing dependencies and going over pyshark, please refer to the
YouTube video from our IA Renan showing how to install dependencies for Flag 6 and a short
example.
For a guided walkthrough using VScode, please refer to the following document: Python tutorial
Good luck!
Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.
Background and Setup
The Necrocryptors (TNC) is a hacking group known for multiple data leaks and has been active at
underground forums selling personally-identifiable information (PII) and credit card data stolen
from vulnerable websites.
Recently, TNC led a DDoS campaign against multiple targets in the United States, leading to a
Federal Investigation by the National Cyber Investigative Joint Task Force (NCIJTF). This
investigation was coordinated by the FBI Cyber Crime division and after months of undercover
investigation, NCIJTF was able to capture unencrypted communication between members of TNC.
While NCIJTF did not disclose how this communication was captured, we can infer that either it
came from an insider member of the organization or a sophisticated attack led by NCIJTF allowed
this communication to be captured.
In this project, you are playing the role of Mark, an FBI agent from the Cyber Crime division.
You walk into the office, just back from a nice vacation in the Bahamas, and pour some coffee
from the shared pot near your cubicle when you hear, “Mark! Great to see you are back! Come
over to my desk right now, we need to talk.” Itʼs your boss, Bill. You think to yourself, Geez! I just
came back. This guy doesnʼt give me a break.
You take your coffee to Billʼs office, close the door and listen as Bill starts.
“Mark, I have a task for you. We finally got our hands on some incriminating evidence against
TNC. With this pile of evidence, the Attorney General is on my neck to bring those guys to justice.
But we need some strong evidence of criminal activity that canʼt be disputed in court.”
“Okay…” My wife told me to take some extra days off, but no. I had to come back today…
“Iʼm sending the packet your way,” Bill says, “You have one week to analyze the data and find clear
evidence of criminal activity. The Attorney General sent us a list of things they are looking for. Itʼs
all on your desk.”
“Sounds good, boss. Itʼs great to be back.”
8/25/24, 2:00 AM Background+Setup | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/backgroundandsetup.html 1/8
Office Setup:
You leave his desk, take a sip of coffee and go back to your computer. No time to slowly get up to
speed, you think, but thatʼs OK. Iʼm excited to help take TNC down.
Ok, vacation is over. Now itʼs time to configure your workspace and start the research. You have
two options to complete this assignment: 1) install Wireshark into the VM; or 2) create your own
environment and install any tools needed.
This project does not require a lot of preparation. Just download Wireshark and the provided
PCAP file, and start analyzing.
The next few pages will guide you through installing Wireshark on Windows, macOS and Ubuntu.
Installing Wireshark (Windows)
To install Wireshark on Windows, please go to the Wireshark website. Once there, you will see a
page like this:
Click the correct Windows Installer (64-bit or 32-bit), depending on your OS.
Here is an example of what the 64-bit option looks like while itʼs downloading in the Chrome
browser. (It may look different in your browser.)
After the file finishes downloading, execute it and you will see the following screen:
Just click “Next >” on each page to install with default settings. Then you will see:
A new installation window, for Npcap, will then come up. Please continue through this Npcap
installation as well to proceed with the Wireshark installation.
Once the Npcap installation is finished, the Wireshark installation should continue automatically.
Once that installation is done, you will see the following:
Click “Next” then “Finish.” Congratulations! Wireshark is now installed on your computer!
Python
For this project, you will also need the Python interpreter, which can be found here: Python
download page
For a guided walkthrough using VS Code, please refer to the following document: Python tutorial
Good luck!
Installing Wireshark (Linux)
Inside your Linux box, open a terminal emulator and run the command shown below. You may be
prompted to type in the root password (which you should know) and to answer “y” to download and
install all required packages. See the image below for details:
During the installation, if prompted, answer “Yes” to the question: “Should non-superusers be
able to capture packets?” On Debian-based systems this lets members of the wireshark group
capture through dumpcap instead of running the whole Wireshark GUI as root, which is the safer
arrangement for an analysis box.
Once the installation is complete, close the Terminal Emulator and locate Wireshark in
Applications > Internet > Wireshark:
Flag 1 (5 points)
Your first task is to figure out where the hackers are spending their time and gather some
evidence for the Attorney General. This will also give you a good overview of Wireshark filters.
The Attorney General needs some evidence of The Necrocryptorsʼ associates and where the
group meets.
For this, you need to gather the following information:
Task 1.1
• Based on the provided packet capture (pcap) file, identify the server address used by the hackers to communicate.
• Example: irc.someplace.net
• Points: 1
Task 1.2
• Based on the provided packet capture (pcap) file, identify the nicknames of the malicious actors involved in the conversation. List the nicknames in the order they appear in the conversation, following the format below:
• Example: firstactor,secondactor,thirdactor
• Points: 1
Task 1.3
• Based on the provided packet capture (pcap) file, identify the channel the malicious actors use to communicate. Remember, channel names always start with #, so include # in your answer.
• Example: #WOW
• Points: 1
Task 1.4
• Based on the provided packet capture (pcap) file, identify the hash used by the malicious actor to validate its identity.
• Example: a12342342bcde393202013434
• Points: 1
Task 1.5
• Based on the pcap file provided, analyze the network traffic to determine the potential origin country of the last identified malicious actor. Consider the IP addresses and any geolocation data. Provide the name of the country.
• Example: Atlantis
• Points: 1
8/25/24, 2:01 AM Flag 1 | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Flag1.html 1/2
Flag 2 (27 points)
Your second task will require you to recover a payload from the conversation. There are multiple
ways to do this. You can use Wireshark, pyShark or any other library available.
As part of the evidence gathering, the Attorney General needs concrete evidence of malicious
intent. For Task 2, you will need to review the conversation between members of TNC and gather
incriminating data from this conversation.
Task 2.1
• Based on the provided pcap file, identify which malicious actor initiated a private chat during the conversation.
• Example: maliciousactor
• Points: 2
Task 2.2
• Based on the provided pcap file, identify the name of the file transferred by one hacker to another via IRC DCC. (Including extension)
• Example: somefile.extension
• Points: 5
Task 2.3
• Based on the provided pcap file, determine the encryption method or algorithm used to encrypt the file transferred between the hackers. (Just the 3-letter name)
• Example: something
• Points: 4
Task 2.4
• If you decrypt and run the file, youʼll get a unique hash based on your GTID. What is the hash generated?
• Example: a123242342342342342934234
• Points: 16
8/25/24, 2:01 AM Flag 2 | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Flag2.html 1/2
Flag 3 (21 points)
The Attorney General lets you know that they think there is a web server in here that is phishy and
is spitting out long numbers and letters. The Necrocryptors hacking group is known to play tricks
with these values. The Attorney General needs the following information to track the folks
operating the website:
Task 3.1
• The site domain name (Record just the siteʼs domain name and the top-level domain (TLD) name, with the period, e.g. something.hostname.tld)
• Example: something.something.something
• Points: 2
Task 3.2
• What is the public IP address?
• Example: 192.168.1.10
• Points: 2
Task 3.3
• The primary nameserver for this domain (You may need to look outside the pcap for this information. Think about tools that will give you the nameserver data for a specific domain.)
• Example: ns-something-something.something.something
• Points: 6
Task 3.4
• The hash provided by entering your Georgia Tech ID in the field (i.e. 9021042) (NOTE: The website is real and safe to access)
• Example: abcdef1234567890953453434
• Points: 11
8/25/24, 2:01 AM Flag 3 | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Flag3.html 1/2
Flag 4 (27 points)
The Attorney General is impressed by you but says they believe the group is also using another
server to host a malicious file. It appears that one of the hackers recently accessed this server and
downloaded a file from it. As a last-minute request, the Attorney General is asking you to
investigate what this file is, and where it is hosted.
Task 4.1
• What is the IP address for the server in question?
• Example: 192.168.8.7
• Points: 2
Task 4.2
• What is the username used to log in to the server?
• Example: something
• Points: 4
Task 4.3
• What is the password used to log in to the server?
• Example: something
• Points: 4
Task 4.4
• One file is downloaded from the server; what is the file name?
• Example: something
• Points: 3
Task 4.5
• What is the programming language used to create this file?
• Example: something
• Points: 5
Task 4.6
• If you run this file youʼll get a Combined hash. What is the unique hash for your GTID (i.e. 902042)?
• Example: 12123123129413249121249aa
• Points: 9
8/25/24, 2:01 AM Flag 4 | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Flag4.html 1/2
Flag 5 (5 points)
Exhausted from the prior exercises, the attorney general has two more exercises for you to prove
you belong here and that he shouldnʼt fire you despite doing a good job. He mentions to you that the
hackers are getting smart and they have a website called http://www.didbastionbreak.com that
has absolutely nothing to do with Azure Firewalls but everything to do with web application
firewalls. Apparently there are some weaknesses integrated into the website which allow you to
reach different parts of the website, something called a path traversal attack.
Task 5.1
• There is a flag labeled 5.1 that outputs a hash when you input your GTID. Try to find the page and recover the flag.
• Example: tr95843fkdspugr8euyre0gfd
• Points: 2
Task 5.2
• What is the directory name that contains the hint for 5.3?
• Example: something
• Points: 1
Task 5.3
• There is a flag labeled 5.3 that outputs a hash when you input your GTID. Try to find the page and recover the flag.
• Example: 58437594ejgfdiohr8e054309
• Points: 2
Suddenly, your phone rings. You see that the call is coming from Billʼs extension. You were ready to
head back home and watch Netflix. Here we go again…
“Mark, great job so far! I was thinking here. This will not be the last time you will be doing this
analysis on pcaps, so why donʼt we start building a Python class with several methods to
automate some of the work for next time?” “When you say we, you are saying, why donʼt I build
this class, right?” you say.
“Of course not! I already created some skeleton code to help you out. You just need to build 3
functions now,” Bill says.
“Oh, ok. Thank you, Boss.”
As you hang up the call, Bill sends you via IM a zip file containing the Python class and an attack
pcap from a past incident so you can create the functions and test.
8/25/24, 2:01 AM Flag 5 | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Flag5.html 1/2
Flag 6 (15 points)
For this task, you need to use the provided pcapanalysis.py and Flag6.pcap files to create three
functions. The snippet below shows where you need to code the functions and the expected
output in each return variable. You can create as many functions and variables as you need;
however, the provided functions need to return the expected output.
To start, make sure that the package pyshark is installed on your system. Please review the pyshark
GitHub page to install the package and its dependency (tshark):
https://github.com/KimiNewt/pyshark/ and https://tshark.dev/setup/install/
When you open pcapanalysis.py, make sure student_id is updated with your 9-digit Georgia Tech ID.
Do not modify the import statements. All you need to complete this assignment is there. New
imports may be ignored by the autograder and your code will fail.
Function Skeleton
# Skeleton from pcapanalysis.py. The class header and __init__ below are reconstructed from the
# snippet; the file's own import statements are not shown here and must not be modified.
class MITMProject:
    def __init__(self):
        # TODO: Change this to YOUR Georgia Tech ID!!!
        # This is your 9-digit Georgia Tech ID
        self.student_id = '900000000'

    # TODO:
    # Task 1: Return n being:
    # n = Number of ICMP Packets
    def icmp_count(self):
        n = 0
        # TODO: Implement me
        return n

    # TODO:
    # Task 2: Return r,a, being:
    # r = Number of ICMP Echo Requests
    # a = ICMP Echo Reply
    def icmp_request_reply(self):
        r = 0
        a = 0
        # TODO: Implement me
        return r,a

    # TODO:
    # Task 3: Return m,n, being:
    # m = Most Common Destination MAC Address
    # n = Number of Occurrences
    def dest_mac(self):
        m,n = 0,0
        # TODO: Implement me
        return m,n

if __name__ == '__main__':
    pcap_analysis = MITMProject()
    icmp_count = pcap_analysis.icmp_count()
    request,reply = pcap_analysis.icmp_request_reply()
    dest_mac,occurences = pcap_analysis.dest_mac()
    print("Number of ICMP Packets : ", icmp_count)
    print("Number of ICMP Requests and Replies : ",request,reply)
    print("Most Common MAC Address and Number of Ocurrences: ", dest_mac,occurences)
Deliverables:
Task 6.1
• Modify the def icmp_count(self): function so that it returns an integer, n, which represents the number of ICMP packets in the flag6.pcap file.
• Points: 3
Task 6.2
• Modify the def icmp_request_reply(self): function to return r (the number of ICMP Echo Requests as an integer) and a (the number of ICMP Echo Replies as an integer).
• Points: 5
Task 6.3
• Modify the def dest_mac(self): function to return m (the most common destination MAC address as a string) and n (its number of occurrences as an integer).
• Points: 7
8/25/24, 2:01 AM Flag 6 | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/Flag6.html 1/3
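As an added example (not the project's pcapanalysis.py, and not using pyshark), the pure-Python parser below reads a classic pcap file from bytes and computes the same three quantities the Flag 6 skeleton asks for: the ICMP packet count, the Echo Request/Reply counts, and the most common destination MAC. icmp_count also takes an optional address so it mirrors the "ip.addr==X and icmp" display filter from the Wireshark intro. The capture it runs on is constructed inline (hosts A, B and C on 10.0.0.0/24); it is not Flag6.pcap.

```python
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_icmp_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type):
    """Ethernet/IPv4/ICMP frame, no IP options (constructed test data; checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)          # type, code, checksum, id, seq
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,   # protocol 1 = ICMP
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return ETH_HDR.pack(_mac(dst_mac), _mac(src_mac), 0x0800) + ip + icmp

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # 24-byte global header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame   # ts_sec, ts_usec, incl_len, orig_len
    return out

def parse_pcap(pcap_bytes):
    """Yield per-frame dst_mac, ip_src, ip_dst and icmp_type (None when the frame is not ICMP)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    rec = struct.Struct(endian + "IIII")
    off = 24
    while off + rec.size <= len(pcap_bytes):
        incl_len = rec.unpack_from(pcap_bytes, off)[2]
        frame = pcap_bytes[off + rec.size:off + rec.size + incl_len]
        off += rec.size + incl_len
        if len(frame) < ETH_HDR.size:
            continue                                               # truncated record: skip it
        dst, _, ethertype = ETH_HDR.unpack_from(frame)
        pkt = {"dst_mac": ":".join(f"{b:02x}" for b in dst), "ip_src": None, "ip_dst": None, "icmp_type": None}
        if ethertype == 0x0800 and len(frame) >= 34:               # IPv4 with a complete 20-byte header
            ihl = (frame[14] & 0x0F) * 4
            pkt["ip_src"] = ".".join(str(b) for b in frame[26:30])
            pkt["ip_dst"] = ".".join(str(b) for b in frame[30:34])
            if frame[23] == 1 and len(frame) > 14 + ihl:           # ICMP, and the type byte is present
                pkt["icmp_type"] = frame[14 + ihl]
        yield pkt

def icmp_count(pcap_bytes, ip_addr=None):
    """Number of ICMP packets; ip_addr narrows it the way 'ip.addr==X and icmp' does in Wireshark."""
    return sum(1 for p in parse_pcap(pcap_bytes) if p["icmp_type"] is not None
               and (ip_addr is None or ip_addr in (p["ip_src"], p["ip_dst"])))

def icmp_request_reply(pcap_bytes):
    """(Echo Requests, Echo Replies) = (type 8, type 0); other ICMP types count toward neither."""
    types = Counter(p["icmp_type"] for p in parse_pcap(pcap_bytes) if p["icmp_type"] is not None)
    return types[8], types[0]

def dest_mac(pcap_bytes):
    """(most common destination MAC, occurrences); ("", 0) for an empty capture."""
    common = Counter(p["dst_mac"] for p in parse_pcap(pcap_bytes)).most_common(1)
    return common[0] if common else ("", 0)

A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"   # constructed hosts, not Flag6.pcap
SAMPLE_PCAP = build_pcap([
    build_icmp_frame(B, A, "10.0.0.1", "10.0.0.2", 8),   # three echo requests A -> B ...
    build_icmp_frame(A, B, "10.0.0.2", "10.0.0.1", 0),   # ... only the first gets a reply
    build_icmp_frame(B, A, "10.0.0.1", "10.0.0.2", 8),
    build_icmp_frame(B, A, "10.0.0.1", "10.0.0.2", 8),
    build_icmp_frame(C, A, "10.0.0.1", "10.0.0.3", 8),   # request A -> C ...
    build_icmp_frame(A, C, "10.0.0.3", "10.0.0.1", 3),   # ... answered with Destination Unreachable
    ETH_HDR.pack(_mac("ff:ff:ff:ff:ff:ff"), _mac(A), 0x0806) + bytes(28),   # ARP: no IP, no ICMP
])

if __name__ == "__main__":
    print("Number of ICMP Packets : ", icmp_count(SAMPLE_PCAP))
    print("Number of ICMP Requests and Replies : ", *icmp_request_reply(SAMPLE_PCAP))
    print("Most Common MAC Address and Number of Occurrences: ", *dest_mac(SAMPLE_PCAP))
```

Note that the ICMP total (6) is larger than requests plus replies (4 + 1): the Destination Unreachable message is ICMP but neither, which is exactly why the two Flag 6 counts are asked for separately.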
Submission
File submission instructions:
These are the instructions for how the Attorney General needs you to submit your findings.
This project needs to be submitted via Gradescope. Navigate to the course in Canvas and click
‘Gradescopeʼ. On the Gradescope website, click ‘Project MITMʼ and submit there. For this project
there is a limit of 10 submissions for both sections. Section 1 contains Flags 1-5 and Section
2 is the Programming Assignment which contains Flag 6.
Man in the Middle - WireShark Assignment - Max of 85 points
Name your submission file: project_mitm.json. In addition, ensure you replace the placeholders
with the flags you retrieve from each relevant task.
Note: You can use Notepad++/TextEdit or Vim to create and edit this file. IMPORTANT: Do not use
LibreOffice, Word, or any similar document editor. Your submission must be in proper JSON
format with no special characters in order to pass the autograder; these document editors are
likely to introduce special characters that will make your submission fail the autograder.
Here is an example of the provided JSON file:
{
"task1.1": "<copy flag 1 here>",
"task1.2": "<copy flag 2 here>",
"task1.3": "<copy flag 3 here>",
"task1.4": "<copy flag 4 here>",
"task1.5": "<copy flag 5 here>",
"task2.1": "<copy flag 6 here>",
"task2.2": "<copy flag 7 here>",
"task2.3": "<copy flag 8 here>",
"task2.4": "<copy flag 9 here>",
"task3.1": "<copy flag 10 here>",
"task3.2": "<copy flag 11 here>",
"task3.3": "<copy flag 12 here>",
"task3.4": "<copy flag 13 here>",
"task4.1": "<copy flag 14 here>",
"task4.2": "<copy flag 15 here>",
"task4.3": "<copy flag 16 here>",
"task4.4": "<copy flag 17 here>",
"task4.5": "<copy flag 18 here>",
"task4.6": "<copy flag 19 here>",
"task5.1": "<copy flag 20 here>",
"task5.2": "<copy flag 21 here>",
"task5.3": "<copy flag 22 here>"
}
And here is an example of how your submitted file should look (note: this is an example; none of
these values are correct):
{
"task1.1": "something.something.something",
"task1.2": "BigBird,CookieMonster,OscarTheGrouch",
"task1.3": "#WOW",
"task1.4": "a12342342bcde393202013434",
"task1.5": "Atlantis",
"task2.1": "maliciousactor",
"task2.2": "somefile.extension",
"task2.3": "something",
"task2.4": "a123242342342342342934234",
"task3.1": "something.something",
"task3.2": "192.168.1.10",
"task3.3": "ns-something-something.something.something",
"task3.4": "abcdef1234567890953453434",
"task4.1": "192.168.8.7",
"task4.2": "something",
"task4.3": "something",
"task4.4": "something",
"task4.5": "something",
"task4.6": "12123123129413249121249aa",
"task5.1": "tr95843fkdspugr8euyre0gfd",
"task5.2": "something",
"task5.3": "58437594ejgfdiohr8e054309"
}
Man in the Middle - Programming Assignment - Max of 15 points
To submit, name your submission file: pcapanalysis.py and wait for the code to execute. There are
only three tests. Your grade will be displayed within a few seconds or minutes, depending on how
many submissions are being evaluated at the time.
Submission Reminder
There is a limit of 10 submissions for this assignment.
If you go over the submission limit, you are responsible for activating the submission you want to be
graded. The TAs will not do this for you.
8/25/24, 2:02 AM Submission | CS 6035
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/MITM/submission.html 1/3