Exercises
• ARP
• ICMP
• DNS
• HTTP/TCP
• Trace analysis
ARP
• launch Wireshark
• ipconfig /all ; see local IP and gateway
• route -print ; find gateway
• arp -a ; list all MAC addresses learned
• arp -d * ; delete all MAC addresses learned
• ping www.polyu.edu.hk
• What is the MAC address of the router?
Hints
• If the default gateway/router’s MAC address is not in the cache, the host will send ARP to ask for it.
• The default gateway’s IP address is pre-configured or learnt through the DHCP protocol.
ICMP
• ping www.polyu.edu.hk
– http://www.networksorcery.com/enp/protocol/icmp.htm
– What is the value of ‘Type’ in the outgoing ICMP packet?
– What is the value of ‘Type’ in the incoming ICMP packet?
– Take a look at the data section in the incoming ICMP packet.
• tracert www.polyu.edu.hk
– What are the answers to the above two questions?
Hints
• Ping
– Send: ICMP Echo Request
– Receive: ICMP Echo Reply
• Traceroute
– Send: Any kind of IP packet with a special TTL
• It would be an ICMP packet if we need the reply from the destination
– Receive: ICMP Time Exceeded
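As an added worked example (not part of the lab sheet), the ICMP messages behind the ping and tracert hints, built and decoded in Python so the ‘Type’ answers can be checked against real bytes: ping sends type 8 and gets type 0 back, while an expired tracert probe comes back as type 11 carrying the original IP header plus 8 bytes, which is how tracert tells which probe each router answered. The source address 192.0.2.10 is a constructed placeholder; the destination is the PolyU address from the DNS exercise.

```python
import struct
from ipaddress import IPv4Address

# ICMP type values the ping / tracert questions ask about (RFC 792)
ICMP_NAMES = {0: "Echo Reply", 8: "Echo Request", 11: "Time Exceeded"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo Request (type 8) as ping sends it, or Echo Reply (type 0) as the target answers."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying ICMP (protocol 1); no options. Constructed sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, 1, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", icmp_checksum(hdr)) + hdr[12:]

def build_time_exceeded(original_datagram: bytes) -> bytes:
    """Type 11 message a router sends when TTL reaches 0 (what tracert relies on): the
    header is followed by the original IP header and the first 8 bytes of its payload."""
    body = b"\x00\x00\x00\x00" + original_datagram[:28]
    csum = icmp_checksum(struct.pack("!BBH", 11, 0, 0) + body)
    return struct.pack("!BBH", 11, 0, csum) + body

def parse_icmp(msg: bytes) -> dict:
    """Decode the fields Wireshark shows for one ICMP message (no IP header in front)."""
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "name": ICMP_NAMES.get(icmp_type, "other"), "code": code,
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["data"] = msg[8:]
    elif icmp_type == 11:
        ip = msg[8:28]  # quoted original IPv4 header: identifies which probe expired
        info["orig_ttl"], info["orig_proto"] = ip[8], ip[9]
        info["orig_src"], info["orig_dst"] = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        info["quoted"] = msg[28:36]  # first 8 bytes of the expired probe's ICMP header
    return info
```

Feeding `build_time_exceeded(ipv4_header(...) + probe)` to `parse_icmp` reproduces what the tracert hint describes: the router's reply quotes the probe's own header, so its source, destination and TTL can be read back out.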
DNS
• nslookup
• www.polyu.edu.hk
• Take a look at DNS query and response packets
• nslookup
• set type=PTR
• 158.132.19.132
• Take a look at DNS query and response packets
Hints
• set type=A (default setting)
– Normal DNS lookup: get the IP address from a host name
• set type=PTR
– Reverse DNS lookup: get the host name from its IP address
HTTP/TCP
• Use a browser to visit www.polyu.edu.hk
• Take a look at
– TCP’s three-way handshake
– sequence numbers in packets from the server and the acknowledgement number in packets from the client
– HTTP header in the packet from the client
– HTTP header in the packets from the server
Trace analysis
• Real trace from a VoIP hacking demo
• Analyze the trace using Wireshark and answer the following questions
– Which 4 protocols are involved in the pcap?
– Which codec does the RTP stream use?
– How did the attacker gain access to the server?
– Where is the hacked server?
• Tips: look into the payload
Hints
• 4 Protocols: HTTP, RTP, RTCP, SIP
• RTP uses G.711 PCMU coding
• Default user name/password
– Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
• The city is DISTRITO FEDERAL MEXICO
– Hear it
• Telephony -> RTP -> Stream analysis
– Public IP: 132.248.255.82 in an HTTP response
• Follow HTTP connections
• Look into the HTTP responses
• Use Geolocation websites to locate the city
Useful links
• Protocols
– http://www.networksorcery.com/enp/default1101.htm
• Wireshark
– http://www.wireshark.org/download/docs/user-guide-a4.pdf
• TCPDump
– http://www.tcpdump.org/tcpdump_man.html