Lab 4a: Ethernet, IP and TCP

1 Details
Aim: To provide a foundation in understanding Ethernet, IP and TCP.

 The demo of this lab is at: http://youtu.be/FhVN-gZnQq0

2 Activities
L1.1 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/webpage.zip

In this case a host connects to a Web server. Determine the following:

Host src IP address (Hint: Examine the Source IP on Packet 3): 192.168.75.1

Server src IP address (Hint: Examine the Dest IP on Packet 3): 192.168.75.132

Host src TCP port (Hint: Examine the Source Port on Packet 3): 2427

Server src TCP port (Hint: Examine the Destination Port on Packet 3): 80

What is the MAC address of the server (Hint: Examine the reply for Packet 2), and which is
the manufacture of the network card: 00:0c:29:0f:71:a3,
vmware

What is the MAC address of the host contacting the server, and which is the manufacture
of the network card: 00:50:56:C0:00:08, the
manufacture is vmware

Identify the packets used for the SYN, SYN/ACK and ACK sequence. Which packets are
these: 3, 4, 5, 9, 14, 17, 20, 23,
26, 30

In Packet 1, which is the destination MAC address used in the ARP request? ff:ff:fff:ff:ff:ff

Using the filter of tcp.flags.syn==1, find all the packets that involve a SYN flag. What are
there IDs? Ox011c, 0x0130

What does the filter of tcp.flags.syn==1 && tcp.flags.ack==0 do? request a connect but
server dont't reply
What does the filter of tcp.flags.syn==1 && tcp.flags.ack==1 do? server reply and start
exchange
Which flags are set at the end of a connection? ACK 0X010

CSN111123/4 Introduction to Network Forensics 1

L1.2 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/googleWeb.zip

In this case a host connects to the Google Web server. Determine the following:

Host src IP address: 192.168.0.20

Server src IP address of the Web server: 91.203.99.45

Host src TCP port: 3404

Server src TCP port: 80

Can you determine the MAC address of the server: 00:1f:3c:4f:30:1d

What is the MAC address of the host contacting the server, and which is the manufacturer
of the network card: no

What is the IP address of the local gateway? 192.168.0.1

What is the MAC address of the local gateway, and which is the manufacturer of the
network card: 00:18:4d: b0:d6:8c

Identify the packets used for the SYN, SYN/ACK and ACK sequence. Which packets are
these: 6, 8, 9

By tracing the TCP stream, can you view the contents of the CSS file? Give an example of
some of the text in it?

L1.3 Start capturing network packets on your main network adapter. Next go to intel.com,
and access the page. Stop the network capture, and then from your network traffic,
determine:

Your MAC address (and its manufacturer): 50:00:00:01:0:00

Your IP address: 192.168.100.139

The MAC address of the gateway: 00:50:56:fa:0a:f7

The IP address of intel.com 42.119.184.83

The source TCP port of your connection: 49290

The destination TCP port used by the server: 443

Apart from your network traffic, can you see other traffic from other hosts on the network?
If so, which type of network traffic do you see?

CSN111123/4 Introduction to Network Forensics 2

Lab 4b: HTTP, DNS and FTP
1 Details
Aim: To provide a foundation in understanding HTTP, DNS and FTP.

 The demo of this lab is at: http://youtu.be/l0A4Xrfq5Tc

2 Activities
L1.4 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/webpage.zip

In this case a host connects to a Web server. Determine the following:

Using the filter of http.request.method=="GET", identify the files that the host gets from the
Web server:

Using the filter of http.response, determine the response codes. Which files have
transferred and which have been unsuccessful? text/html text/css

Which is the default file name on the server when the user accesses the top levels of the
domain? issstart.html

Which type of image files does the client want to accept? jpeg, png, bitmap,gif

Which language/character set is used by the client? en, utf8, utf16...

Which Web browser is the client using? Opera 9.8

Which Web server technology is the server using? IIS

On which date were the pages accessed? 02 Jan 2010

L1.5 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/googleWeb.zip

In this case a host connects to the Google Web server. Determine the following:

CSN111123/4 Introduction to Network Forensics 3

Using the filter of http.request.method=="GET", identify the files that the host gets from the
Web server: proxy.r, boxer.js,
favicon.ico

Using the filter of http.response, determine the response codes. Which files have
transferred and which have been unsuccessful? text.html,
application/javascript

Which is the default file name on the server when the user accesses the top levels of the
domain? sitecheck2.opera.com

Which type of image files does the client want to accept? png, jpeg, gif, bitmap

Which language/character set is used by the client? en-gb/iso-8859-1, utf8,

utf16

Which Web browser is the client using? opera 9.8

Which Web server technology is the server using? GFE 2.0

On which date were the pages accessed? 02 jan 2010

L1.6 Start capturing network packets on your main network adapter. Next go to intel.com,
and access the page. Stop the network capture, and then from your network traffic,
determine:

Using the filter of http.request.method=="GET", identify the files that the host gets from the
Web server: job-at-intel.html

Using the filter of http.response, determine the response codes. Which files have
transferred and which have been unsuccessful? no

https://www.intel.com/co
Which is the default file name on the server when the user accesses ntent/www/us/en/jobs/job
the top levels of the
s-at-intel.html?
domain? _ga=2.208713106.16113
51672.1552582163-628
999195.1552581975
Which type of image files does the client want to accept? webp

Which language/character set is used by the client? en-US

Which Web browser is the client using? chrome 40.0

Which Web server technology is the server using? AkamaiGhost

CSN111123/4 Introduction to Network Forensics 4

L1.7 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/dnslookup.zip

For this trace, determine the following:

Which is the domain which is being searched for? intel.com

Which are the IP addresses of the domain being searched for? 92.122.126.176,
92.122.126.146

The first request is of class of PTR. What is the PTR? 1.0.168.192.in-addr.arpa

The second request is of class for A. What is the A class? a961.g.akamai.net

The last request is for class of AAAA. What is the AAAA class? www.intel.com

Does the domain have an IPv6 address? not

L1.8 Start capturing network packets on your main network adapter. Next go to
imperial.ac.uk, and access the page. Stop the network capture, and then from your
network traffic, determine:

Using the filter of udp.port==53, and examining the A class request, determine the IPv4
address of imperial.ac.uk: 146.179.40.148,
155.198.64.148

Using the filter of udp.port==53, and examining the AAAA class request, determine the
IPv6 address of imperial.ac.uk: 2001:630:12:600:1:1:0:
172

L1.9 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/ftp2.zip

For this trace, determine the following:

USER, PASS, SYST,

Using the filter of ftp.command, determine the FTP commands that the user has used:
FEAT, PWD, TYPE,
PASV, LIST, CWD,
PWD, RETR, STOR

Using the filter of ftp.response, determine the FTP codes that have been returned:
220,331,230,215,211,25
7,200,227, 125,
226,331,,250
What is the username and password for the access to the FTP server:
Administrator
napier

CSN111123/4 Introduction to Network Forensics 5

What is the name of the file which is uploaded: 111.png

What is the name of the file which is downloaded: menual.txt

Using the filter of ftp.request.command=="LIST", determine the first packet number which
performs a “LIST”: 2

In performing in the list of the files on the FTP server, which TCP is used on the server for
the transfer: 21

From the final “LIST” command, which are the files on the server? ftp

What does the filter ftp.response.code==227, identify in terms of the ports that are used for
the transfer: 1078->1082

CSN111123/4 Introduction to Network Forensics 6

Lab 4c: ARP and ICMP
1 Details
Aim: To provide a foundation in understanding ARP and ICMP.

 The demo of this lab is at: http://youtu.be/T_jrAwZfE74

3 Activities
L1.10 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/webpage.zip

In this case a host connects to a Web server. Determine the following:

Server 192.168.75.132
By examining the ARP request and reply. What is the IP and MAC address of the server for
00:0c:29:0f:71:a3
the host: Host 192.168.75.1 00:50:
56:C0:00:08

Why does the host not go through a gateway: same network

L1.11 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/googleWeb.zip

In this case a host connects to the Google Web server. Determine the following:

By examining the ARP request and reply. What is the IP and MAC address of the gateway
for the host: 192.168.0.1 00:18:4d:b0:
d6:8c

Can we determine the MAC address of the Google Web server?

L1.12 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/arp_scan.zip

Determine the following:

This was generated by an intruder.

What can you say about the aim of the scan? find a active maching

CSN111123/4 Introduction to Network Forensics 7

What can say about whether this is an inside intruder or an external one? ARP inside
192.168.47.1 ,
Which nodes did the intruder find where connected to the network? 192.168.47.2 ,
192.168.47.132 ,
192.168.47.254 ,
192.168.47.134
L1.13 Start capturing network packets on your main network adapter. Next go to intel.com,
and access the page. Stop the network capture, and then from your network traffic,
determine:

By examining the ARP request and reply. What is the IP and MAC address of the gateway
Interface: 10.14.0.242 ---
0x4
for your host: 192.168.1.1 ec:84:b4: Internet Address
09:ea:78
Physical Address
Type
10.14.0.1
L1.14 In Windows, using a command line console perform the following: 44-d1-fa-2b-32-2a
dynamic
10.14.255.255
Determine you ARP cache, by running arp –a: ff-ff-ff-ff-ff-ff static
224.0.0.22
01-00-5e-00-00-16
Now ask your neighbour what their IP address is, and the ping it. Re-examine yourstaticARP
224.0.0.251
cache. What has changed: ip 1.2.3.4 mac 01-00-5e-00-00-fb
00-11-22-33-44-55 static
224.0.0.252
Now add the address as a static route, using the command in the form: arp –s 1.2.3.4 00-11-
01-00-5e-00-00-fc
22-33-44-55-66. Re-examine your ARP cache. How has it changed: static
239.255.255.250
01-00-5e-7f-ff-fa static
255.255.255.255
ff-ff-ff-ff-ff-ff static
From your ARP cache, what is the MAC address of the gateway:
44-d1-fa-2b-32-2a

L1.15 Start capturing network packets on your main network adapter. Next go to intel.com,
and access the page. Stop the network capture, and then from your network traffic,
determine:

By examining the ARP request and reply. What is the IP and MAC address of the gateway
for your host: IP: 192.168.1.1 MAC:
ec:84:b4:09:ea:78

L1.16 In Windows, using a command line console, and using the command tracert,
determine the route to the following:

Route to IBM.COM:

CSN111123/4 Introduction to Network Forensics 8

Route to INTEL.COM:

Which parts of these routes are the same, and why?

L1.17 Repeat the previous exercise, but this time capture the network traffic with
Wireshark. Now determine the following:

Which ICMP type is used for the ping request? 8

Which ICMP type is used for the ping reply? 0

L1.18 From your Windows and also from Linux host, capture the traffic from a ping, and
determine the payload:

Ping payload for Windows

Ping payload for Linux:

CSN111123/4 Introduction to Network Forensics 9

Lab 4d: SMTP, POP-3 and IMAP
1 Details
Aim: To provide a foundation in understanding SNMP, POP-3 and IMAP.

 The demo of this lab is at: http://youtu.be/3RHrq3EehsE

2 Activities
L1.19 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/smtp.zip

Determine the following:

The IP address and TCP port used by the host which is sending the email: IP : 192.168.0.12 TCP
port: 1713

IP : 192.168.0.13 TCP
The IP address and the TCP port used by the SMTP server:
port :25

Who is sending the email: martin.tor@4salet.com

Who is receiving the email: bert.manly@five8nine.co

m

When was the email sent: Mon, 11 Mar 2013 22:

10:34
Message : “.” Subject:
When was the email client used to send the email: Mon, 11 Mar 2013 22: T2theS4gSSB0aGluayBpdCBpcyBh
06:28 bGwgc2V0dXAgZm9yIHlvdS4gSnV
zdCBjb25uZWN0IHRvIHRoZSBsa
What was the message, and what was the subject of the email: W5rLCBhbmQgaXQgc2hvdWxkIGJl
IGZpbmUu
With SMTP, which character sequence is used to end the message:
quit

L1.20 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/pop3.zip

Determine the following:

The IP address and TCP port used by the host which is sending the email: IP: 192.168.0.4 TCP
port: 26272
The IP address and the TCP port used by the POP-3 server: IP: 212.227.15.166 TCP
port: 110

Whose mail box is being accessed: digitalinvestigator@netw

orksims.com

CSN111123/4 Introduction to Network Forensics 10

How many email messages are in the Inbox: 3

The messages are listed as:

115565
5565
2 8412
2 8412
3 5214
3 xxxx
Which is the ID for message 3: 5214

For Message 1, who sent the message and what is the subject and outline the content of the
message: 1&1 Internet Ltd, A message from 1&1
Internet,

For Message 2, who sent the message and what is the subject and outline the content of the
message: Buchanan and Bill , Testing

For Message 3, who sent the message and what is the subject and outline the content of the
message: Buchanan and Bill,
Testing

Which command does POP-3 use to get a specific message: RETR

L1.3 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/imap.zip

Determine the following:

The IP address and TCP port used by the host which is sending the email: IP: 192.168.0.4, TCP
port: 23463

The IP address(es) and the TCP ports used by the SMTP and the IMAP server: IP: 212.227.15.167, TCP
port: 25

Whose mail box is being accessed: Buchanan, Bill

How many email messages are in the Inbox: 2

Trace the email message that has been sent for its basic details:

CSN111123/4 Introduction to Network Forensics 11

Outline the details of email which are in the Inbox:

L1.4 Start the Windows 2003 virtual machine. From the console on your host enter the
command:
telnet w.x.y.z 25

Next enter the commands in bold:

220 napier Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready
at Sun,
0 Dec 2009 21:56:01 +0000
help
214-This server supports the following commands:
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN
BDAT VRFY
helo me
250 napier Hello [192.168.75.1]
mail from: email@domain.com
250 2.1.0 email@domain.com....Sender OK
rcpt to: fred@mydomain.com
250 2.1.5 fred@mydomain.com
Data
354 Start mail input; end with <CRLF>.<CRLF>
From: Bob <bob@test.org>
To: Alice <alice@ test.org >
Date: Sun, 20 Dec 2009
Subject: Test message

Hello Alice.
This is an email to say hello
.
250 2.6.0 <NAPIERMp7lzvxrMVHFb00000001@napier> Queued mail for
delivery

L1.5 On the Windows 2003 virtual machine, go into the C:\inetpub\mailroot\queue

folder, and view the queued email message.

 Was the mail successfully queued? If not, which mail folder has the file in?

 Outline the format of the EML file?

CSN111123/4 Introduction to Network Forensics 12

Lab 4e: SSL and TLS
1 Details
Aim: To provide a foundation in understanding SSL and TLS.

 The demo of this lab is at: http://youtu.be/jejjoSCn6Yg

2 Activities
L1.21 Download the following file, and open it up in Wireshark:

http://asecuritysite.com/log/ssl.zip

Determine the following:

The IP address and TCP port used by the host: IP: 192.168.0.20 TCP
port: 2099

The IP address and the TCP port used by the server: IP: 66.211.169.66, TCP
port: 443

Which network protocol is thus being used: HTTPS

Which Web site is being accessed: Paypal

Can you determine which organised signed the digital certificate passed from the server:
https://www.verisign.com/rpa
Can you read any of the encrypted data sent/received? Yes/No no

L1.22 Start Wireshark and capture your network traffic Next go to http://google.co.uk and

Determine the following:

The IP address and TCP port used by the host: 192.168.1.43

56008
, TCP port:

The IP address and the TCP port used by the server: IP: 216.58.199.14, port:
443

Which network protocol is thus being used: HTTP

Which Web site is being accessed:

Can you determine which organised signed the digital certificate passed from the server:
no

Can you read any of the encrypted data sent/received? Yes/No no

CSN111123/4 Introduction to Network Forensics 13

On the Web browser go to google.co.uk, find the digital certificate and determine the
following:

The organisation who have issued the digital certificate: Google Internet
Authority G3

The expiry date of the certificate: Friday, May 24, 2019

The encryption method used for the public key: RSA

The length of the encryption key: 2048

On the Web browser go to paypal.com, find the digital certificate and determine the following:

The organisation who have issued the digital certificate: DigiCert SHA2 Extended
Validation Server CA

The expiry date of the certificate: Tuesday, August 18,

2020

The encryption method used for the public key: RSA

The length of the encryption key: 2048

For digital certificates, can you determine four digital certificate issuers who could be trusted
to sign certificates:

DigiCert SHA2 Extended Validation Server CA

Google Internet Authority G3
IdenTrust
Comodo

Which of the following sites use an SSL/TLS connection by default:

http://cisco.com

http://microsoft.com

http://outlook.com

http://skydrive.com

CSN111123/4 Introduction to Network Forensics 14