Cyber security
LAB EXERCISE 1 (W4):
NETWORK ANALYSIS TOOLS
|
Name |
|
|
|
|
|
Course Number |
CSCI 397.01W or CSCI 397.61W (select one) |
|
Course Time |
Tuesday: 1630 – 1900 h |
|
Semester |
Fall 2020 |
|
Submission |
Lab Exercise 1 |
|
Due Date |
September 21, 2020 |
|
Instructor |
Joel Langill |
|
| |
|
Phone |
+1 (920) 594-0321 |
|
Office Hours |
Monday: 1630 – 1900 h Thursday: 1630 – 1900 h By Appointment |
PART 1: DOWNLOADING AND USING NETWORK ANALYSIS TOOLS
Downloading Network Analysis Tools
How long did it take you to download the three network analysis tools?
<your answer>
Installing GrassMarlin
Did you experience any difficulties installing GrassMarlin? If so, please explain.
<your answer>
How long did it take for you to install GrassMarlin?
<your answer>
Installing Wireshark
Did you experience any difficulties installing an updated Wireshark after GrassMarlin? If so, please explain.
<your answer>
How long did it take for you to install the updated Wireshark?
<your answer>
Installing NetworkMiner
Did you experience any difficulties installing NetworkMiner? If so, please explain.
<your answer>
How long did it take for you to install NetworkMiner?
<your answer>
Using Wireshark
1. Can you explain why the following Wireshark expression returns a yellow warning? What could you do to make this expression work correctly ip.addr != 172.16.100.36 && dns
<your answer>
2. What is the IP address of the DNS Server used to resolve the host ICSCSI.org ?
<your answer>
3. What is the IP address of the webserver hosting https://ICSCSI.org ?
<your answer>
4. Realizing this question is asked very early in this course – well ahead of the discussions that will take place during the last two lectures …. What would be the security risk in using HTTPS to encrypt traffic between a client computer and a webserver? Do you have any ideas how to mitigate this risk?
<your answer>
Please submit your PCAP file with this lab exercise submittal document. There is currently an 8MB file size limit on assignment uploads. Your PCAP file should be relatively small because of its short duration. If your file size is greater than 8MB, please contact your instructor for further assistance.
PART 2: ANALYZING ICS NETWORK TRAFFIC WITH NETWORK ANALYSIS TOOLS
Analyzing SMB Traffic
How long did it take you to complete the section on SMB?
<your answer>
1. What would the Wireshark Display Filter look like?
<your answer>
2. What packet number does this occur in?
<your answer>
3. What layer would you expect the “NetBIOS Session Service” to reside?
<your answer>
4. What would your new Display Filter look like? (Hint: you will need to use a logical “AND”)
<your answer>
5. What packet number contains this file?
<your answer>
6. What would your new Display Filter look like? (Hint: append “&&” to the previous Display Filter and start typing “smb.trans2.” and see what choices you have)
<your answer>
7. List some of the files that you see transferred across this connection.
<your answer>
8. What packet number contains this file?
<your answer>
9. What other text file ending in .txt was transferred in this capture file?
<your answer>
10. Provide the name and contents of this file(s)
<your answer>
11. What ports is the Domain Server servicing (e.g the Destination port) in this example containing the two text files?
<your answer>
12. What service is used on each of these ports? (Hint: use Wireshark and a web search)
<your answer>
13. What is the IP address of a server that the Domain Server (10.1.1.1) has acted as a client in an Outgoing session?
<your answer>
14. What service to you think that server is running?
<your answer>
15. What are the contents of this file?
<your answer>
16. What packet number was this file first referenced in?
<your answer>
17. What did you find?
<your answer>
18. How many “groups” or “networks” are shown? (Consider a network as more than one device)
<your answer>
19. Which network(s) appear to have connections to external devices on the public Internet?
<your answer>
20. What countries do these addresses most likely reside in? (Hint: View Details for the address by right-clicking)
<your answer>
21. What transport, port number, and service(s) are used in the external connections? (Hint: View Frames for the details of the packets by right-clicking)
<your answer>
22. Is this traffic legitimate? Why or why not? (Hint: When viewing Frames in GrassMarlin, a right-click will allow the frame to be opened in Wireshark)
<your answer>
23. Do you know what the destination IP addresses represent?
<your answer>
Analyzing Modbus/TCP (MBT) Traffic
How long did it take you to complete the section on Modbus/TCP?
<your answer>
1. What would the Display Filter look like?
<your answer>
2. What ports are being used by the PLC (192.168.1.5) for incoming sessions?
<your answer>
3. What is the most common service used by each of the TCP port numbers?
<your answer>
4. What is the manufacturer of the PLC?
<your answer>
5. Where did you find this information?
<your answer>
6. Is there more information about the manufacturer?
<your answer>
7. What information is provided here that was not provided with Wireshark?
<your answer>
8. What ports are listed under the “Incoming” sessions where the PLC would act as a server?
<your answer>
9. What TCP port is used by Modbus/TCP?
<your answer>
10. What would the Display Filter look like to display only hosts on the 192.168.1.0/24 network using the Modbus/TCP port and catch any 3-way handshakes if possible?
<your answer>
11. What packet number did this occur?
<your answer>
12. Why does it show two in this case?
<your answer>
13. What is contained in the “Modbus” portion of the frame?
<your answer>
14. What Function Code is used here?
<your answer>
15. What is the meaning of this Function Code?
<your answer>
16. What is the meaning of the “Reference Number”?
<your answer>
17. What is the meaning of the “Word Count”?
<your answer>
18. What packet number did this occur?
<your answer>
19. What is the value stored in Register Number 12300?
<your answer>
20. What does “UINT16” stand for?
<your answer>
21. What is the “Byte Count” in the Response different from the “Word Count” in the Request?
<your answer>
Analyzing EtherNet/IP (EIP) Traffic
How long did it take you to complete the section on EtherNet/IP?
<your answer>
1. What can you determine about this PLC?
<your answer>
2. What is the IP address, TCP port used to source the conversation, and the likely operating system of the client?
<your answer>
3. How long did this session last?
<your answer>
4. How many host IP addresses does NetworkMiner show?
<your answer>
5. How many of these IP addresses are IP Version 6 (IPv6)?
<your answer>
6. So, now how many HOST IPv4 addresses are on this network?
<your answer>
7. How many IPv4 addresses are shown in Wireshark Endpoints?
<your answer>
8. What is special about the hardware MAC address of FF:FF:FF:FF:FF:FF?
<your answer>
9. What can you tell me about the manufacturer of this device? (Hint: use the Wireshark OUI Lookup Tool)
<your answer>
10. What would the Display Filter look like to filter out all traffic except that using the PLC?
<your answer>
11. What packet number did this occur?
<your answer>
12. What is the EtherNet/IP Session Handle provided in the “RegisterSession” Response?
<your answer>
13. What packet number did this occur?
<your answer>
14. What packet is the CIP Connection closed?
<your answer>
15. Is this traffic likely to be Time Critical or Non-Time Critical?
<your answer>
Analyzing OPC Data Access (OPC-DA) Traffic
How long did it take you to complete the section on OPC-DA?
<your answer>
1. Using any of the three tools available, describe the hosts in terms of their network IP address, their relationship (client or server), what platform operating system they are likely running, and what services and ports are being used.
<your answer>
2. What does DCOM stand for?
<your answer>
3. What packet number represents this action?
<your answer>
4. What endian is the data for this session using?
<your answer>
5. What username is used to authenticate against the client against the server?
<your answer>
6. Looking at the “RemoteCreateInstance request” packet, what frame number contains the response? (Hint: look in the Application Layer details)
<your answer>
7. What types of information can you decipher from this ASCII data?
<your answer>
8. What is this port number?
<your answer>
9. What number is shown for “StringBinding[2]” “NetworkAddr”?
<your answer>
10. What is the new TCP port number that will be used for the remaining data exchange session?
<your answer>
11. Is this the same port?
<your answer>
12. what is the new Display Filter that was automatically created?
<your answer>
PART 3: LAB EVALUATION
Did you find this lab useful?
<your answer>
What would you like to see changed?
<your answer>
Do not forget to submit your PCAP file used in the beginning of the lab under “Using Wireshark”. There is an 8MB site limit on file size of uploads. If your PCAP file is larger than 8MB, please notify the instructor for alternate instructions.
CSCI 397.01W | CSCI 397.61W © 2012-2020 ICSCSI LLC
Fundamentals of Industrial Control System Cyber Security Page L1-1 of 14
Fall 2020 CSCI 397 F20 - Lab Exercise 1.docx