Man in the Middle

Pcoul

I need help with the project Man in the Middle. The due date is Tuesday 14, 2025.

I also attached the project file below.

  • a year ago

Attached file (1):

ProjectManintheMiddle.docx

In this project, students will get familiar with reading packet captures (PCAP) and some standard man-in-the-middle techniques. A man-in-the-middle attack is one where a malicious user places themselves between another user and an application and eavesdrops on all the traffic passing between them. Students will familiarize themselves with Layer 2 through Layer 7 network traffic and with analyzing it using Wireshark, a network protocol analyzer, and libraries built on it such as PyShark.

The Part 1 PCAP file to analyze in Wireshark is available at: https://cs6035.s3.us-east-1.amazonaws.com/MITM/mitm_2025.pcap

The Part 2 Programming Assignment is available at: https://cs6035.s3.amazonaws.com/MITM/pcapanalysis.zip

 

Assessment

Flag 1

Your first task is to figure out where the hackers are spending their time and gather some evidence for the Attorney General. This will also give you a good overview of Wireshark filters.

The Attorney General needs some evidence of The Necrocryptors’ associates and where the group meets. For this, you need to gather the following information:

Task 1.1

· Based on the provided packet capture (pcap) file, identify the server address used by the hackers to communicate.

· Example:  irc.someplace.net

Task 1.2

· Based on the provided packet capture (pcap) file, identify the nicknames of the malicious actors involved in the conversation. List the nicknames in the order they appear in the conversation following the format below:

· Example:  firstactor,secondactor,thirdactor

Task 1.3

· Based on the provided packet capture (pcap) file, identify the channel the malicious actors use to communicate. Remember, channel names always start with #, so include # in your answer.

· Example:  #WOW

Task 1.4

· Based on the provided packet capture (pcap) file, identify the hash used by the malicious actor to validate their identity.

· Example:  a12342342bcde393202013434

Task 1.5

· Based on the pcap file provided, analyze the network traffic to determine the likely origin country of the last identified malicious actor. Consider the IP addresses and any geolocation data. Provide the name of the country.

· Example:  Atlantis

Flag 2

Your second task will require you to recover a payload from the conversation. There are multiple ways to do this: you can use Wireshark, PyShark or any other library available.

As part of the evidence gathering, the Attorney General needs concrete evidence of malicious intent. For Flag 2, you will need to review the conversation between members of TNC (The Necrocryptors) and gather incriminating data from it.

Task 2.1

· Based on the provided pcap file, identify which malicious actor initiated a private chat during the conversation.

· Example: maliciousactor

Task 2.2

· Based on the provided pcap file, identify the name of the file transferred by one hacker to another via IRC DCC. (Including extension)

· Example: somefile.extension

Task 2.3

· Based on the provided pcap file, determine the encryption method or algorithm used to encrypt the file transferred between the hackers. (Just the 3-letter name)

· Example: something

Task 2.4

· If you decrypt and run the file, you’ll get a unique hash based on your GTID. What is the hash generated?

· Example: a123242342342342342934234
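The questions in Flag 1 and Flag 2 are answered by walking the capture one layer at a time: Ethernet, IPv4, TCP, then the IRC text inside the TCP payload. The following is an added example, not code from the project or its PyShark starter; it reads a classic libpcap file with the Python standard library alone so the layers PyShark hides are visible, and it reports the server name, the nicknames in order of appearance, the channel, who opened a private chat, and the file name and endpoint announced by a CTCP DCC SEND. The IRC port (6667), the server name irc.someplace.net and channel #WOW (the project's own example values), the nicknames ghostwriter and nullbyte, the addresses and the whole conversation are constructed assumptions.

```python
import ipaddress
import re
import struct

IRC_PORT = 6667  # assumption: plain-text IRC; change if the capture differs
DCC_SEND = re.compile(r'\x01DCC SEND (?:"([^"]+)"|(\S+)) (\d+) (\d+)(?: (\d+))?\x01')

def iter_pcap_records(data):
    """Yield raw frames from classic libpcap (24-byte global header, 16-byte
    record headers); pcapng and non-Ethernet link types are not handled."""
    endian = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}.get(struct.unpack_from('<I', data)[0])
    if endian is None or struct.unpack_from(endian + 'I', data, 20)[0] != 1:
        raise ValueError('expected classic libpcap with LINKTYPE_ETHERNET')
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + 'IIII', data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_payload(frame):
    """Layer 2 -> 3 -> 4: return (src, sport, dst, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':  # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from('!H', ip, 2)[0]]
    sport, dport = struct.unpack_from('!HH', tcp)
    return (str(ipaddress.IPv4Address(ip[12:16])), sport,
            str(ipaddress.IPv4Address(ip[16:20])), dport, tcp[(tcp[12] >> 4) * 4:])

def irc_lines(pcap_bytes, port=IRC_PORT):
    """Complete CRLF-terminated IRC lines in capture order as (client, from_server,
    text). A per-direction remainder rejoins a message split across TCP segments
    (naive reassembly: assumes in-order delivery, as in a clean capture)."""
    pending, lines = {}, []
    for frame in iter_pcap_records(pcap_bytes):
        parsed = tcp_payload(frame)
        if not parsed or port not in (parsed[1], parsed[3]) or not parsed[4]:
            continue
        src, sport, dst, dport, payload = parsed
        client = (src, sport) if dport == port else (dst, dport)
        *complete, pending[(src, sport)] = (pending.get((src, sport), b'') + payload).split(b'\r\n')
        lines += [(client, sport == port, l.decode('utf-8', 'replace')) for l in complete if l]
    return lines

def parse_irc(line):
    """Split ':prefix COMMAND p1 p2 :trailing' into (prefix, COMMAND, [params])."""
    prefix = None
    if line.startswith(':'):
        prefix, _, line = line[1:].partition(' ')
    head, sep, trailing = line.partition(' :')
    params = head.split() + ([trailing] if sep else [])
    return prefix, params[0].upper(), params[1:]

def summarize(pcap_bytes, port=IRC_PORT):
    """Answer the Flag 1 / Flag 2 style questions from the reassembled lines."""
    facts = {'server': None, 'nicks': [], 'channel': None,
             'private_chat_by': None, 'dcc_file': None, 'dcc_endpoint': None}
    nick_of = {}  # client endpoint -> the nickname it registered
    for client, from_server, line in irc_lines(pcap_bytes, port):
        prefix, cmd, params = parse_irc(line)
        if from_server:  # numeric replies carry the server name as their prefix
            if prefix and '!' not in prefix and not facts['server']:
                facts['server'] = prefix
        elif cmd == 'NICK' and params:
            nick_of[client] = params[0]
            if params[0] not in facts['nicks']:
                facts['nicks'].append(params[0])
        elif cmd == 'JOIN' and params and not facts['channel']:
            facts['channel'] = params[0]
        elif cmd == 'PRIVMSG' and len(params) == 2:
            target, text = params
            if target[0] not in '#&' and not facts['private_chat_by']:
                facts['private_chat_by'] = nick_of.get(client)  # target is a user, not a channel
            m = DCC_SEND.search(text)  # CTCP: DCC SEND <file> <ip as decimal> <port> [size]
            if m:
                facts['dcc_file'] = m.group(1) or m.group(2)
                facts['dcc_endpoint'] = (str(ipaddress.IPv4Address(int(m.group(3)))), int(m.group(4)))
    return facts

def _frame(src, dst, payload):
    """Constructed Ethernet/IPv4/TCP frame; MACs and checksums are left zero."""
    tcp = struct.pack('!HHIIBBHHH', src[1], dst[1], 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src[0]).packed, ipaddress.IPv4Address(dst[0]).packed)
    return bytes(12) + b'\x08\x00' + ip + tcp

def sample_pcap():
    """Constructed capture: two clients, one server, one PRIVMSG split across
    two segments; the server's relays of channel traffic are omitted."""
    S, A, B = ('203.0.113.7', IRC_PORT), ('10.0.0.5', 51000), ('10.0.0.9', 52000)
    talk = [(A, S, b'NICK ghostwriter\r\nUSER gw 0 * :gw\r\n'),
            (S, A, b':irc.someplace.net 001 ghostwriter :Welcome\r\n'),
            (A, S, b'JOIN #WOW\r\n'), (B, S, b'NICK nullbyte\r\n'),
            (S, B, b':irc.someplace.net 001 nullbyte :Welcome\r\n'),
            (B, S, b'JOIN #WOW\r\n'),
            (A, S, b'PRIVMSG #WOW :pay'), (A, S, b'load is ready\r\n'),
            (B, S, b'PRIVMSG ghostwriter :send it over\r\n'),
            (A, S, b'PRIVMSG nullbyte :\x01DCC SEND loot.enc 167772165 4000 2048\x01\r\n')]
    header = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b''.join(struct.pack('<IIII', i, 0, len(f), len(f)) + f
                             for i, f in enumerate(_frame(s, d, p) for s, d, p in talk))

if __name__ == '__main__':
    for key, value in summarize(sample_pcap()).items():
        print(f'{key}: {value}')
```

Run it against a real file with `summarize(open('mitm_2025.pcap', 'rb').read())`; if the capture is pcapng rather than classic libpcap, export it from Wireshark as pcap first. The DCC SEND line only announces the transfer: the file bytes travel on a separate TCP connection to the decoded endpoint, so recovering the payload means following that stream (Wireshark's Follow TCP Stream with "Show data as raw", or the same `tcp_payload` walk filtered on that port) and saving its bytes. The same per-packet walk is what exposes a login exchange in Flag 4 if that protocol sends its credentials in the clear.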

Flag 3

The Attorney General lets you know that they think there is a web server in here that is phishy and is spitting out long numbers and letters. The Necrocryptors hacking group is known to play tricks with these values. The Attorney General needs the following information to track the folks operating the website:

Task 3.1

· The site's domain name (record just the site's domain name and the top-level domain (TLD), with the period, e.g. something.hostname.tld)

· Example: something.something.something

Task 3.2

· What is the server's public IP address?

· Example: 192.168.1.10

Task 3.3

· The primary nameserver for this domain (You may need to look outside the pcap for this information. Think about tools that will give you the nameserver data for a specific domain)

· Example: ns-something-something.something.something

Task 3.4

· The hash provided by entering your Georgia Tech ID in the field (i.e. 9021042) (NOTE: The website is real and safe to access)

· Example: abcdef1234567890953453434

Flag 4

The Attorney General is impressed by you but says they believe the group is also using another server to host a malicious file. It appears that one of the hackers recently accessed this server and downloaded a file from it. As a last-minute request, the Attorney General is asking you to investigate what this file is and where it is hosted.

Task 4.1

· What is the IP address for the server in question?

· Example: 192.168.8.7

Task 4.2

· What is the username used to log in to the server?

· Example: something

Task 4.3

· What is the password used to log in to the server?

· Example: something

Task 4.4

· One file is downloaded from the server; what is its file name?

· Example: something

Task 4.5

· What is the programming language used to create this file?

· Example: something

Task 4.6

· If you run this file you will get a combined hash. What is the unique hash for your GTID (e.g. 902042)?

· Example: 12123123129413249121249aa

Flag 5

Exhausted from the prior exercises, the Attorney General has two more exercises for you to prove you belong here and that he should not fire you despite your good work. He mentions that the hackers are getting smart: they have a website at http://www.didbastionbreak.com:5000 that has absolutely nothing to do with Azure Firewalls but everything to do with web application firewalls. Apparently there are some weaknesses built into the website that let you reach other parts of the site, an attack known as path traversal.
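Path traversal works because the server joins a user-supplied path onto its document root and trusts the result, and a web application firewall that only matches the literal `../` in the request line is easy to step around with URL encoding. The following is an added example, not the site's code or anything from the project: it puts the same constructed request paths through a naive WAF rule, a careless file handler and a hardened one, so the bypass and the fix are visible side by side. The document root `/srv/www/static`, the function names and the four request paths are assumptions.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = '/srv/www/static'  # assumption: the site's document root

def waf_blocklist(raw_path):
    """A naive WAF rule: reject only the literal '../' in the raw request path.
    It never sees '..%2f', which the application decodes back into '../'."""
    return '../' in raw_path

def fully_decode(s, max_rounds=3):
    """Percent-decode until stable so double-encoded '%252e%252e' becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def inside_root(path):
    return path == DOC_ROOT or path.startswith(DOC_ROOT + '/')

def vulnerable_resolve(raw_path):
    """What a careless handler does: decode once, join, read. posixpath.join
    climbs out of the root on '..' and discards the root on an absolute path."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(raw_path)))

def safe_resolve(raw_path):
    """Decode fully, drop NUL bytes and leading slashes, normalise, then enforce
    containment; returns None when the request would leave DOC_ROOT. On a real
    filesystem also apply os.path.realpath so a symlink cannot point outside."""
    decoded = fully_decode(raw_path).replace('\\', '/')
    if '\x00' in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip('/')))
    return candidate if inside_root(candidate) else None

def classify(raw_path):
    """Report what the WAF rule, the careless handler and the hardened handler
    each do with one request path, and whether the careless one escaped."""
    vuln = vulnerable_resolve(raw_path)
    return {'request': raw_path, 'blocked_by_waf': waf_blocklist(raw_path),
            'vulnerable_resolves_to': vuln, 'escaped_root': not inside_root(vuln),
            'safe_resolves_to': safe_resolve(raw_path)}

# Constructed request paths: benign, obvious traversal, URL-encoded WAF bypass, absolute path.
SAMPLE_REQUESTS = ['img/logo.png', '../../../etc/passwd', '..%2f..%2f..%2fetc/passwd', '/etc/passwd']

if __name__ == '__main__':
    for req in SAMPLE_REQUESTS:
        print(classify(req))
```

The encoded request is the one to notice: the WAF passes it, the careless handler resolves it to `/etc/passwd`, and the hardened handler rejects it; the absolute path is passed by the WAF, escapes in the careless handler because `posixpath.join` restarts from `/`, and is pinned back under the root by the hardened one. Rejecting after normalisation and containment is what makes the fix hold regardless of how the attacker spells `..`.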

Task 5.1

· There is a flag labeled 5.1 that outputs a hash when you input your GTID. Try to find the page and recover the flag.

· Example: tr95843fkdspugr8euyre0gfd

Task 5.2

· From the main page of the website, click the blue box that says "Download the Zip". It downloads a zip file that is encrypted with a password. Use the tool John the Ripper to crack the archive's password. What is the password for your file?

· Hint: The password is seven digits long
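What John the Ripper does with such an archive, as an added example that is not the project's code: the jumbo build's `zip2john` records each entry's 12-byte encryption header and CRC-32, and `john --mask='?d?d?d?d?d?d?d'` tries every seven-digit string against them, which is only 10,000,000 candidates. The ZipCrypto (traditional PKWARE) key schedule and the one-byte check that makes rejection cheap are reimplemented below in pure Python so the weakness of a numeric password is concrete. It assumes the archive uses ZipCrypto rather than AES, with the CRC-based check byte (general-purpose flag bit 3 clear); the password, CRC and header bytes are constructed.

```python
import itertools
import os

# CRC-32 lookup table (reflected polynomial 0xEDB88320), used by the ZipCrypto key schedule
_CRCTAB = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRCTAB.append(c)

class ZipCrypto:
    """PKWARE traditional encryption (APPNOTE section 6.1): three 32-bit keys are
    seeded by the password, then each data byte is XORed with a key-derived byte
    and the keys are advanced with the plaintext byte."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _CRCTAB[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self._stream_byte())
            self._update(p)
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for c in cipher:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)

def make_encryption_header(password: bytes, crc32: int, rand=os.urandom) -> bytes:
    """The 12-byte block a zip writer prepends to an encrypted entry: 11 random
    bytes plus the high byte of the entry's CRC-32, which serves as a check byte."""
    plain = rand(11) + bytes([(crc32 >> 24) & 0xFF])
    return ZipCrypto(password).encrypt(plain)

def check_byte_matches(password: bytes, enc_header: bytes, crc32: int) -> bool:
    """The test zip2john's output lets john run first: decrypt the header with a
    candidate and compare its last byte to the CRC high byte. Cheap to reject."""
    return ZipCrypto(password).decrypt(enc_header)[11] == (crc32 >> 24) & 0xFF

def crack_numeric(enc_header: bytes, crc32: int, digits: int):
    """Walk the mask '?d' * digits (10**digits candidates) and return every
    password that passes the check byte. About 1 in 256 wrong passwords also
    passes, so a real cracker then verifies survivors against the entry data."""
    hits = []
    for combo in itertools.product(b'0123456789', repeat=digits):
        pw = bytes(combo)
        if check_byte_matches(pw, enc_header, crc32):
            hits.append(pw.decode())
    return hits

if __name__ == '__main__':
    # Constructed: a 4-digit password keeps this pure-Python demo to a fraction of
    # a second; the assignment's 7-digit space is the same loop with 1000x more
    # candidates, which john's optimised code gets through in seconds.
    password, crc = b'4819', 0x9A3F2C01
    header = make_encryption_header(password, crc)
    print(crack_numeric(header, crc, 4))
```

The point for Task 5.2 is the size of the search space, not the cipher: a seven-digit PIN protecting ZipCrypto is exhausted almost instantly by a mask attack, and the check byte means most candidates are discarded after decrypting 12 bytes. A wrong password that survives the check byte still fails when the entry is actually inflated, which is why `john --show` reports a single result.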

Task 5.3

· When you use the password to unlock the file and unzip it, it contains a program. After you run the program, what is the hash provided?

· Example: 58437594ejgfdiohr8e054309

Installing John The Ripper

John the Ripper (JtR) is a powerful, open-source password-cracking tool primarily used for security auditing and password recovery. John the Ripper is designed to detect weak passwords and poor password policies, making it a valuable tool for penetration testers, ethical hackers, and IT security auditors. It helps identify vulnerabilities in password storage mechanisms by attempting to crack hashed passwords.

Link to Download:  Download John The Ripper

Documentation:  Documentation for John The Ripper