CIT 481: Cybersecurity Capstone

Assignment #5: Application Layer Protocols

Due October 2nd in class

Name: ______

The objective of this assignment is to refresh your knowledge of application layer protocols and of how to use protocol analysis software like Wireshark. This assignment comes with a set of files containing captured packets in either the PCAP or PCAPNG formats. Sections of the lab will refer to the appropriate packet capture files to use by name.Use the references in the References section at the bottom of the lab when needed to answer questions about the protocols in the lab.

This lab can be completed on any machine with protocol analysis tools, including the Kali and SecurityOnion VMs.Bring a copy of the completed lab to the class period during which it is due for discussion.

1:File Transfer Protocol (FTP)

FTP is an unencrypted protocol used to transfer files between machines that has been around since 1971. By default, FTP uses two ports: port 21 for the control protocol that determines which files to transfer as well as handling other commands such as cd and ls, and port 20 for the actual data transfer. In active mode FTP, the client connects initially to the control protocol on port 21, makes a request for a data connection from the server, specifies with client port to use with the PORT command, then the server makes a connection to the client to transfer the file. This behavior predates firewalls and NAT and causes problems for certain configurations of such devices on the client side, as they expect the client to initiate all connections to the server.

In passive mode FTP, the client initiates both control and data connections to the server. Instead of using the PORT command, the client issues the PASV command, causing the server to open a random unprivileged port, whose number is sent back to the client. While passive mode does not cause any problems for the client’s firewall and NAT, it requires the firewall and NAT on the server side to permit connections to any high port on the ftp server. While the protocol does not limit which server ports can be used, many FTP servers permit the administrator to specify which ports are permitted for passive FTP. Some firewalls and NAT devices perform deep packet inspection to modify the port used by the PASV command to ensure that only permitted ports are used for FTP.

This protocol permits authentication with a username and password, but due to the lack of encryption, it is insecure to use this way except for anonymous ftp sites, which are meant to be publicly accessible to anyone on the network. While it is possible to encrypt FTP using Transport Layer Security (TLS) in the same way that HTTP is encrypted, resulting in the FTPS protocol using ports 989 (data) and 990 (control), other protocols are more likely to be used for secure file transmission such as SFTP, which transfers files using the SSH protocol.

Investigate the FTP sessions captured in ftp-session.pcapng and ftp-download-good2.pcapng. Answer the following questions based on this file and what you know of FTP. If you need a reference on FTP, there are too many RFCs, so I recommend searching the web for a term like “ftp commands” or “ftp response codes”.

  1. What username was used to login to the ftp server?
  2. How many unsuccessful login attempts were made? What 3-digit response code did the server use to indicate failure to login? What passwords were used?
  3. What password was used in the successful login attempt? What 3-digit response code did the server use to indicate a successful login?
  4. What was the number of the TCP stream used for FTP commands? What were the client and server ports used?
  5. Which FTP commands did the client send to the server? How do these commands correspond to what the user typed? For example, when the user typed “cd” their FTP client issued the command “CWD” to the server. Some user actions, such as transferring a file, result in multiple FTP protocol commands being send to the server.
  6. Is the FTP session using active mode or passive mode? How did you determine this fact?
  7. What file was transferred from the client to the server? What is the first line of that file? Note that you can use the Follow TCP Stream feature from the right click menu on an FTP data packet, then select Raw format and do a Save As to write the file to disk. Note that this technique will not work with our next protocol—HTTP—as that protocol uses a single port for commands and data, so saving an HTTP stream will save the protocol commands and headers from both client and server as well as the file data.
  8. What did the client learn about the server during this session? Your answer should include all information, including file and directory names, as well as file contents.

2:HyperText Transport Protocol (HTTP)

HTTP 1.1 is the most widely used version of the HyperText Transport Protocol, originally described in RFC 2616. HTTP 2.0, the most recent version of the protocol, is a binary-encoded version of HTTP 1.1 with additional features for network performance, so understanding HTTP 1.1 is still essential even as more servers upgrade to HTTP 2.0. Please refer to RFC 2616 when you have any questions about how to interpret HTTP packets.

Let us start by examining three files that contain simple HTTP requests.

  1. http-google.pcapng
  2. http-post.pcapng
  3. http-fault-post.pcapng

Each file starts with the 3-way TCP handshake and contains a simple HTTP request and its response(s). Neither file contains the terminating packets of the TCP stream. Web browsers can keep TCP connections open to use with multiple HTTP requests.

For each file, perform the analysis tasks below. You can use Wireshark's Follow TCP stream feature to make the analysis easier.

  1. Identify the HTTP request method(s).
  2. Identify the URL(s) requested (include all URL components available: protocol, DNS name, path, query parameters).
  3. Identify the DNS name(s) of the server contacted according to the Host: header.
  4. Identify the name and version number of the browser.
  5. Determine whether a cookie was sent to the server and what was the name of the cookie.
  6. Determine whether any data besides the HTTP request headers is sent to the server. If data is sent, what is the meaning of the data?
  7. Identify the HTTP response code(s) sent by the server and determine whether that response code indicates success or failure (see RFC 2616 for explanations of the response codes).
  8. Identify the content type of the data included in the response.
  9. Identify the content encoding of the data included in the response.
  10. Save the response data as file(s). Do not include any header information. Try saving the TCP stream as you did with FTP, then look at the file and verify that the HTTP commands and headers can be found at the top of the file data. You can save files this way by manually deleting the HTTP control information, but it is easier to use the Export Objects submenu of Wireshark's File menu to save only the data to a file.
  11. Examine the saved file(s) and identify the last angle-bracket tag in it.

Make a copy of the table below and fill it out with the answers for each file.

PCAP Filename
HTTP Request Methods
URL
Protocol from URL
DNS name from URL
Path from URL
Query Parameters from URL
DNS name of server (from Host: header)
Browser name and version
Cookie name
HTTP request data
HTTP response codes
Content type
Content encoding
Last angle bracket tag (if any)

While looking at simple HTTP requests is a good place to start, the PCAPs we have examined look nothing like what fetching a typical web page looks like. Most web pages consist of many components coming from multiple sites in different domains. To get a feel for a typical web site, examine the capture file http-espn2012.pcapng.

Answer the following questions for this file. Features found in the Statistics menu in Wireshark can make answering some questions easy. If you find yourself manually counting to a number above 10, then you are finding the answer wrong—there’s a way to compute it directly in the GUI or indirectly through a bash command. To see packet information on the command line, you can use the command

tshark –r http-espn2012.pcapng

which prints one line of information per packet. You can get more information by adding the –xflag and even more by using the –V flag. If you are more familiar with tcpdump, then you can use it instead of tshark for command line packet analysis.

tcpdump –r http-espn2012.pcapng

You can obtain more information about the packets by adding –v options. The tool supports one to three –v options, i.e. tcpdump–vvv –r http-espn2012.pcapngwould give full information.

Finally, note that companies can be identified by their Autonomous System numbers, which Wireshark can find based on ownership of IP ranges.

PCAP Filename
Count of bytes transferred
Total Number of packets
Total Number of HTTP packets
Total Number of HTTP requests
Number of GET requests
Number of POST requests
HTTP responses
Number of 5xx errors
Number of 4xx errors
Number of 3xx redirects
Number of 2xx success responses
Count of files transferred
Number of different IP addresses involved in HTTP requests/responses
Number of different companies involved in HTTP requests/responses
Peak data rate in bytes/second
Time (measured in seconds from the start of the PCAP) during which the peak data rate happened

While most web sites use form-based authentication, some sites use the built-in authentication features of HTTP. HTTP has two forms of authentication, basic and digest, the former of which cannot be used without encryption as it transmits the password in base64-encoded plaintext. To better understand basic authentication, load the capture file http-basic-auth.pcap and answer the following questions. Refer to RFC 7617 when needed.

  1. How many failed attempts at HTTP basic authentication are made? What HTTP response code indicates failed authentication.
  2. What header does the server use to indicate authentication is required for a URL? What is the name of the realm specified in the server?
  3. What header does the client use to authenticate with the server to access a URL? What are the full contents of this header?
  4. What username is used to authenticate?
  5. What password is used to authenticate?

3: Simple Mail Transport Protocol (SMTP)

SMTP is the standard protocol for sending email, using TCP port 25 by default. Originally documented in RFC 821, its most recent version was documented in RFC 5321. It is a stateful protocol, requiring a series of commands indicating the sending mail server, email sender, email recipient, and data (the header and body of the email message).

Let us first look at a PCAP containing a successful, normal email delivery request. The file is smtp-normal.pcapng. Answer the following questions based on the packet data, referring to the RFCs mentioned above as needed.

  1. What is the fully qualified hostname of the email server being contacted?
  2. What is the name of the server sending the email?
  3. Which email address is the sender of the message?
  4. Which email address is the recipient of the message?
  5. What is the subject of the email message?
  6. What email client was used to send the email message?
  7. What is the body of the message? Note that there are two bodies—just answer with the plaintext message. Do not include the HTML message.

Next examine an example of an SMTP session with errors, smtp-strange.pcapng. For this PCAP, answer the following questions for the first failed attempt at sending a message. Note that SMTP follows the same conventions as HTTP for error messages (in fact, HTTP adopted these conventions from SMTP), so 2xx numbers are success messages and 5xx messages are errors.

  1. What is the fully qualified hostname of the email server being contacted?
  2. What is the name of the server sending the email?
  3. Which email address is the sender of the message?
  4. Which email address is the recipient of the message?
  5. What error is received? Include the error code number, error message, and the meaning of the error code number from the RFC. Does the RFC meaning match the message or not?

4: Ports and Protocols

Wireshark has powerful abilities to dissect different application layer protocols, but it can be fooled by the simple expedient of running a service on a nonstandard port, since Wireshark decides which application layer protocol dissector to use based on the TCP port and not on the actual application layer contents of the TCP packets being analyzed. To work around this common problem, Wireshark provides the Decode As option in the right click menu that gives the user the ability to choose how to interpret application layer data.

Open the capture file ssh-different-port.pcapng. When you open this file, you will see the protocol for all packets listed as TCP. The packets form a complete TCP stream, starting with the 3-way handshake and end with FIN packets acknowledge by both sides of the conversation. Looking for the server port number, we find it to be 2222, which is not a well known standard port number for any service.

The first step towards determine what protocol is being used is to right click on a packet and follow the TCP stream. When you follow the TCP stream, you should find plaintext strings beginning with SSH-2.0, which is a clear indicator that this stream is an ssh session. Right click on any of the packets in the stream, then select the option to decode the stream. This will bring up a window, in which you can select a port number (use the port number discovered above) and select a protocol from a list (select SSH). Click on OK, and you will see that the value in the Protocol column has changed to SSHv2 for many of the packets (similarly to our experience with HTTP above, packets containing only data with no decodable application information are just listed as TCP even though they are part of a stream associated with a known application layer protocol.

If you examine the newly labeled SSHv2 packets, you will find an option to open the application layer. In the application layer component on various packets, you can see text strings identifying the protocol version, client and server versions, and cryptographic protocol suites that are being negotiated for use during the ssh session. You will also see additional information about keys, padding, and so forth that are not text strings and which are very difficult to find from the TCP stream.

Based on what you learned above, answer the following questions:

  1. What version of ssh is the client using?
  2. What version of ssh is the server using?
  3. Which encryption algorithm is used for the packets in this session?
  4. Which message authentication code is used for this session?
  5. What is the smallest amount of data contained in an ssh packet in this session?

5: Investigation

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer using AOL Instant Messenger (AIM). The rogue laptop disappeared shortly thereafter.

The organization has captured the packets from the network activity inevidence01.pcap. As with all investigations, you want to answer the Who, When, What, and How questions. The organization also wants you to answer the following questions:

  1. What is the name of Ann’s IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number (binary file header) of the file?
  5. What was the MD5 sum of the file?
  6. What is the secret recipe?

Here are some hints to help with the investigation. AIM is based on the OSCAR protocol. The AIM protocol is notorious for finding a way past firewalls, looking for widely used ports that are open in the firewall to find a way through. While Wireshark knows how to decode AIM, you will need to find which port has AIM data (look for cleartext chat in a TCP stream) then tell Wireshark to decode that port as AIM. AIM uses the OSCAR File Transfer (OFT) protocol to transfer files. OFT file transfer protocol packets cannot be decoded by Wireshark but do contain the string OFT2 inside the packet. You can search for this in Wireshark, being sure to select Packet Bytes as the data being searched or you can use another tool like ngrep.