Computer network and security

profilemottcr
computer.network.security.assignment.2_2.txt

Scenario: Flextor Applications, Inc. has contacted you regarding a possible security breach on their network. The systems administrator at the company, James Garrett, emailed you the packet capture located at the end of the interpretation. James has asked you to identify any suspicious activity in the packet capture. You are to answer the questions below, in as much detail as possible, to provide James with sufficient information to take back to his boss, Mr. Farnsworth. Here are the details regarding the network: Server Name: IP Address: FlextorAdmin 192.168.247.130 FlextorServer 192.168.247.150 FlextorDev4 192.168.247.148 Deliverable: I want a SINGLE DOCUMENT, either *.doc, *.docx, or *.pdf that contains the following information: 1. A 1/2 page management summary, written in non technical language, that provides a high level interpretation of what occurred during the sequence of events, identifying any suspicious activity (trust me there is a LOT going on). I will count off if you use ANY of the following terms (or terms like this): ftp, telnet, IP, http, port, ping, etc. Think of a way to describe what occurred without using technical lingo! 2. Answer the questions below. Keep the stems included in your document so I can identify the questions you are answering. 10 points off immediately if you don't include the stems. NOTE: Some activity is suspicious, some is NOT. If it's NOT suspicious, describe why it’s not, and go on to the next question! If you don't know whether it's suspicious -- sometimes it's difficult to tell -- say so, and describe why you can't tell whether it's suspicious or not. There are examples of EACH of the aforementioned categories of behavior included in the packet capture. NOTE: below I mention the word DETAIL. I want a DETAILED INTERPRETATION of what is happening. Don't simply DESCRIBE what is going on, I want an interpretation. Here’s an examnple: WRONG: IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx. My feedback: That is useless information. CORRECT: IP xxx.xxx.xxx.xxx is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx. Port 21 is telnet, which sends credentials in the clear. The series of packet captures shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter of which allowed the intruder to gain access to the computer. My feedback: Whoa! Excellent! Off to the NSA you go! ---------------------------------- Questions: 1. Is the activity occurring in packets 1-6 abnormal, in and of itself (that is, before you look at everything else in the packet)? If so, provide an interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 2. Is the activity occurring in packets 9-18 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 3. Is the activity occurring in packets 31-405 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible consequences. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 4. Is the activity occurring in packets 528-530 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 5. Is the activity occurring in packets 904-973 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 6. Is the activity occurring in packets 991-1293 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 7. Is the activity occurring in packets 1309-1405 abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system. 8. Is the activity occurring in packets 1406 to the end of the packet capture abnormal? If so, provide a detailed interpretation of what is occurring, and the possible uses of the information gained. You don’t have to tell me “IP xx.xx.xx.xx is accessing port x on IP xx.xx.xx.xx. I KNOW that. What I want is an interpretation of what all that means, and how it might be used as an intruder to gain access to a protected system.