Question

1. [Wireshark ] Using the Wireshark program, capture all the network traffic that is related to opening a webpage of your choice. In order to get maximum benefit/knowledge from the assignment, it’s recommended to choose a non-trivial web portal for the assignment. Using the captured information (Wireshark Capture), answer the questions below. Explain your answer.
   1. Define a display filter that finds the DNS queries and DNS responses. Narrow down the filter so that only these DNS packets are shown that were necessary for opening your chosen webpage (the captured DNS packets that were related to other applications/clients in your computer should be left out of the list).
   2. Define a display filter that finds the TCP packets.
   3. Narrow down the filter even more, so that only these TCP packets are shown that were used to create a new TCP connection(the TCP packets that were following each connection establishment, should be left out of the list).
   4. Using the filter from the previous step, list all the TCP connections that were necessary for opening your chosen webpage. For each TCP connection, explain the following (you can group the connections, to avoid repetitions in your explanations):
   • local(client) TCP port number,
   • remote(server) TCP port number,
   • remote(server) IP address
   • The source and destination MAC address of all the outgoing packets? Whyare all the outgoing packets going to this particular MAC address?

2. If you can run “traceroute/tracert” between machines in your organization. List three concrete applications to use trace route for cybersecurity?

3. How to use ”netstate/netstat” to discover malicious activities in your machine?

4. Install and use Process Monitor “Procmon” (you can download from https://docs.microsoft.com/en-us/sysinternals/ (Links to an external site.)) and then show how to list all running processes that run “RegCreateKey” operation with unsuccessful results.

5. Show how to use Nmap to do IP scanning using TCP and ICMP and port scanning using Stealth FIN. Show the command and the output.

6. (extra credit) Use Nessus to discover a vulnerability on a real network

Answer 1

1. Define a display filter that finds the DNS queries and DNS responses. Narrow down the filter so that only these DNS packets are shown that were necessary for opening your chosen webpage (the captured DNS packets that were related to other applications/clients in your computer should be left out of the list).

dns.qry.name=="website address"

for example:

dns.qry.name=="www.google.com"

Output:

2. Define a display filter that finds the TCP packets.

"tcp" is the filter

Output:

5.

The source and destination MAC address of all the outgoing packets? Why are all the outgoing packets going to this particular MAC address?

select ethernet 2

6.

In my Linux machine netstat command used is: netstat -an

In Windows machine comand: netstat -b