Lab05: Evaluate an Incident using Wireshark & NetworkMiner

Captions
Hello and welcome to the CSF3103 lab series. This is Lab 5. In this lab we are going to capture HTTP and HTTPS traffic using tcpdump and examine the captured traffic using Wireshark and NetworkMiner. So let's log in to the Security Onion: username act, password letmein with a capital L.

So let's go to the terminal. What we are going to do here, we're going to create a directory and we're going to call it lab5, okay, in the act home directory. Let me just close this browser. Let's go to the terminal. So we're going to create a directory, call it lab05. Because I logged in as act, automatically I will be in the act home directory, so lab5, and then I'm going to change directory from my current directory to be inside the lab5 directory, right. If I do ls it's empty, nothing in there, okay.

Then what I will use, I will use the tcpdump command to capture the traffic that I will generate. All right, so now let me just use the command now and then I will go to the Chromium browser, the web browser, to go to the website that I would like to capture the traffic from, right. So go sudo tcpdump -i, so this here is where to specify the interface. Before I do that let me just go to ifconfig, just to see the available interfaces. So here, if I go up a little bit, these are the interfaces available. Here I see the lo, that's the loopback, and then I have the docker0 and I have the ethernet zero, right. So I will capture the traffic that's going through my ethernet zero here, so that's eth0, this interface.

All right, so tcpdump -i eth0, so that's ethernet 0, -s, so the -s switch that is there, this is the snap, where we have to specify the snap length, the snapshot length of the packets, and that range is between 0 and 65535. All right, so that's sixty-five thousand five hundred thirty-five, between these two numbers, 0 and 65535, right. But here we're going to use the smallest snap length, right, the snapshot length, the smallest. So once we go with the smaller, that will allow us to capture the protocol information. So this is what we're going to do, we're going to use 0. All right, and then -w, lowercase w, this will allow us to write the outcome of the tcpdump to a file. And then I'll have to give the file name, which is, I'm going to put http_dump_lab05.pcap. All right, so this will listen to interface ethernet 0 and then it's going to capture the traffic and write it to this file http_dump_lab05.pcap, and where is it going to be saved? It's going to be saved under lab5 here, under the act home directory.

All right, so just to have it short, let's do this. I will go to the Chromium browser, which is the web browser here, and I will go to this website. So the website is using HTTP, it's http://www.webscantest.com, and I'm going to go straight to the login page, login.php here. I'm gonna hit enter. All right, so we don't have internet connection, glad this has happened. Or let me just test it with another website, maybe. Oh, here, I think I got it here, but it's webscan, w-e-b, this one here, webscantest.com. All right, so here it is, good. So we're going to put the username admin and password admin as well, all right, admin admin. So before I hit login I would like to go to the terminal and hit enter there; I could have done this before, right. And then it will capture, so now it's capturing the traffic that's going through ethernet 0, right. So now here I'm going to hit enter. So I'm already logged in, you see here. Just click anywhere, just to have more traffic there, and then I'm just going to close the browser, we'll just leave it. I'm going to go back to the terminal and here I will hit Ctrl-C, right, to stop it. Ctrl-C, now it has been stopped. Now if I go to the lab5 directory and I show the content or list the content of it, I should see the http_dump_lab05.pcap, right, I should see that, and which is just right here.

All right, so now let me just go back here to the lab and see what is next. So we did this, we just showed that. All right, so now we are going to open the http_dump_lab05 with Wireshark. All right, let's do that. So I'm just going to say wireshark http_dump_lab05.pcap, open that, right. So this is what we have captured. So now we are interested, according to the lab, in the HTTP traffic, right. So now here I have just used the filter to filter the HTTP, and in the HTTP we are interested in the POST, right. If you remember, we started that with, I just logged in, right, so POST, just right here. And now if we go to, in CSF33, if you took that course, you guys did a lot of Wireshark and how to use the filter and how to answer questions related to Wireshark, okay. So now here, because this uses HTTP with unencrypted data, you should be able to show the username and the password that we have used and all these here, right, and because it's a form, we fill the form, that's where we enter the username and password, right. So if we go here then you can easily see a lot of good sensitive information from here. All right, so let's go back to the lab. I'm not answering anything here, because that's what you are supposed to answer in the lab, and all these here, these types of questions, okay.

So that is task one, we did part A and part B. So here part C, it's asking now to view the HTTPS capture. You have to capture HTTPS, and we know that now, if not all, most of the websites are secure and they're using HTTPS, right, such as Gmail, Yahoo, Hotmail or Cisco, right, so that's for the NetAcad, right, if you took the CIN2103 and you have your valid username and password you can try that, or you can try it with your personal Gmail account or Yahoo or Hotmail, and put your username and password, capture it using tcpdump, the same thing that we did there. Name the file any name that you like, or just call it https_dump_lab5, right, so call it that, and capture the traffic, open it with Wireshark and answer these questions here. All right, so that is about task one part C, and now we're going to move on to task two, okay.

So in task two we are going to analyze a captured file, that's a pcap file, using Wireshark, okay. First we have to download the lab05.pcap file from the Lab5 folder in Blackboard Learn, BB Learn, okay, and then to local machine, then to your PC, right, or your laptop, whatever that you're using. So download that file from the Lab 5 folder, then email it to yourself, then you are going to open your email from Security Onion, download that file and put it in the lab5 directory under the act home directory, right, and then you're going to open that file with Wireshark. So here, this is the file that you need to download, it's under Lab 5, so under the course labs folder, which is just right here. All right, you click here, then you click on Lab 5, then you need to download this, right, so click download, save it. So I'm going to save it here and open it and show the folder. I'm just going to copy it. If you go to your email, for example, you know, use any email, you can use your personal email like a Gmail or Hotmail, right. These here, just going to put my email, paste that here, and I'm just going to call it lab05.pcap, note it. I'm gonna email it and go back here to Security Onion. I'm gonna just go to the browser. So if you use your Hotmail or your Gmail account, you have to go to that email service provider website and download it from there. So I use my act, so this is what I'm going to use here, webmail, email here. All right, so I go here to my folder and this is it here. I'm gonna open that and this is the file here, I'll download it right now. I'll minimize this and I go to the terminal and I go ls on Downloads, okay, here, /home/act/Downloads. All right, and I see it right here, this is it.

So I'm going to copy this one and put it in lab05, so cp, so you can copy or move it, right. So let's move it, just like a cut and paste, right: mv /home/act/Downloads/lab05.pcap, oops, sorry, the destination is missing, so I'll show you the shortcut, okay, just dot. So let's copy that and paste it right here, the dot. All right, so you can do that or you can put the path. So now if I do ls I should see the lab05, okay. So whenever you are in the current directory, if you want to copy something from somewhere to the current directory you're working in, you just use the dot, that will move it there. All right, so now let's open this with Wireshark. I'll say wireshark lab05.pcap, so I'm going to open it with that, or you can use the GUI, so you can open Wireshark and then you say open from the file here: you click on File and then you see Open, and here File and then Open, and then you browse to the lab05 directory, right. So now this is the file that we are trying to examine or to analyze. So let's just see the lab instructions and then we're gonna come back to Wireshark. All right, so here, now we opened it, they ask us some questions here. We need to answer all these questions related to that file. All right, so this is about task two. So here the first question is asking you what was the username and password used in the FTP session. So that means you have to use your Wireshark skills that you have learned in previous courses, and you know what's FTP and how to find out and how to use the filter. You know, you see here, you see this here, FTP traffic, and then you just need to, you might need to follow the TCP streams and all these, so you can answer some questions from there. All right, that's it about this part here, and let me just go back here to the lab again to see. I know that we have task three, then in the next part, task, we're gonna talk about the NetworkMiner.

So now let's talk about task 3, which is about NetworkMiner. So what is NetworkMiner? NetworkMiner is a network forensic analysis tool that can be used as a passive network sniffer, which is used as a packet capture as well, right, packet capture tool, that can detect operating systems, host names, open ports and sessions, right. So let's see how to access NetworkMiner. So if you go here and then just type NetworkMiner, see it here, click on it. So we are going to use the pcap file that we have captured before using the tcpdump, which is again under the lab5 directory, right. So I'm just gonna go here, this is act home directory, and if I go here, lab5, and then I have the http_dump_lab05.pcap. This is what I'm going to open, highlight it, open it. So now the file is open. So here you can get a lot of information, as I said before, such as the operating system, the host name, the open ports and other sessions, right. So here if I go back to the lab, these are the steps that we just did and this is what we see here. So now you have to navigate on different tabs of NetworkMiner, right, to discover what these tabs are used for, and you can answer these questions, right. So here, the first question is about webscantest.com, that's what we have used before to capture the traffic using the tcpdump, right, and then you can answer these related questions to this website here. Also again it's the operating system, right, that's what can be answered as well. And do not forget to answer these questions also at the end of the lab here. If I go here, so this is the session about the webscantest.com, right. So if I highlight here then I can see a lot of information here: open TCP ports, this can be found here, sessions, incoming sessions and all these here, right. So you need to navigate through different tabs here and you have to expand, you can search also here, you can do a filter, you can sort, right, if you need to, just like Wireshark when you use the filter to narrow or sort down the search result, right. I think that's it, and I hope this has been informative and I would like to thank you for viewing.
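The check the lab does by hand in Wireshark (filter on http, open the POST, read the form) can be automated so a defender can flag captures in which a login form crossed the wire in the clear. This is an added example, not part of the video or the course; it parses the classic libpcap format with only the standard library, and the capture bytes below are constructed for the demo (the host name and the admin/admin test credentials are the lab's own values, the IP addresses are placeholders).

```python
import struct

def _tcp_payload(frame):
    """Return (dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                       # not IPv4, or not TCP (protocol 6)
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    return dport, tcp[(tcp[12] >> 4) * 4:] # skip TCP header (data offset)

def find_cleartext_posts(pcap):
    """List (dst_port, form_fields) for every HTTP POST with a urlencoded body
    found in a classic libpcap file (magic 0xa1b2c3d4, either byte order)."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, hits = 24, []                    # 24-byte global header
    while off + 16 <= len(pcap):          # 16-byte per-packet record header
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        parsed = _tcp_payload(frame)
        if parsed is None or not parsed[1].startswith(b"POST "):
            continue                      # TLS, FTP data, etc. never match
        head, _, body = parsed[1].partition(b"\r\n\r\n")
        if b"application/x-www-form-urlencoded" in head and body:
            pairs = (p.split(b"=", 1) for p in body.split(b"&") if b"=" in p)
            hits.append((parsed[0], {k.decode(): v.decode() for k, v in pairs}))
    return hits

# --- constructed sample capture: one cleartext login POST, one TLS record ---
def _frame(dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"      # zero MACs, EtherType IPv4
    ip = b"\x45\x00" + struct.pack("!H", 40 + len(payload)) + b"\x00\x00\x40\x00\x40\x06\x00\x00"
    ip += bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10])   # placeholder src/dst
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

POST_REQ = (b"POST /login.php HTTP/1.1\r\nHost: www.webscantest.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
            b"username=admin&password=admin")
TLS_REC = b"\x16\x03\x01\x00\x05" + b"\x00" * 5              # opaque to this scanner
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (_frame(80, POST_REQ), _frame(443, TLS_REC)))

if __name__ == "__main__":
    for port, fields in find_cleartext_posts(SAMPLE_PCAP):
        print(f"cleartext form POST to port {port}: fields {sorted(fields)}")
```

Run against a real capture by reading the file into `find_cleartext_posts`; the HTTPS capture from task 1 part C yields no hits, which is the point the lab makes.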
Info
Channel: Ayman Ahmed
Views: 162
Id: 688hWuQPzX8
Length: 25min 7sec (1507 seconds)
Published: Thu Jul 29 2021