ComputerScienceExpert

$18 per page

About ComputerScienceExpert

Levels Taught:
Elementary, Middle School, High School, College, University, PhD

Expertise:
Applied Sciences, Calculus, Chemistry, Computer Science, Environmental Science, Information Systems, Science

Teaching Since: Apr 2017
Last Sign in: 103 weeks, 3 days ago
Questions Answered: 4870
Tutorials Posted: 4863

Education

  • MBA IT, Master in Science and Technology
    Devry
    Jul-1996 - Jul-2000

Experience

  • Professor
    Devry University
    Mar-2010 - Oct-2016

Category: Programming | Posted 11 May 2017 | My Price 11.00

Assignment 2: Network Security – Packet Capture Analysis

Below I have attached the documents for the assignment. It's due tomorrow and I would appreciate any help I can get on this short notice. If you have any questions, message me. This assignment requires Wireshark. It is free.

Assignment 2: Network Security – Packet Capture Analysis
Fall 2016

Scenario:
Flextor Applications, Inc. has contacted you regarding a possible security breach on their network. Philo
Farnsworth, the owner, believes something suspicious is going on. Specifically, he thinks that someone is
stealing his business secrets.
Mr. Farnsworth asked his network administrator, James Garrett, to capture network activity and email it
to you. James met with you and handed over a CD with the packet capture. He seemed nervous.
Mr. Farnsworth has asked you to identify any suspicious activity in the packet capture. You are to answer
the questions below, in as much detail as possible, and provide Mr. Farnsworth with a half-page
summary of what you found that might be suspicious. If there's a 'mole' in his organization he wants to
know, and what, if anything, might have been stolen or compromised.
Here are the details regarding the network:

Employee           Title           IP address
Server             Server          192.168.0.128
Phil Farnsworth    Owner           192.168.0.133
James Garrett      Network Admin   192.168.0.131
Allen Beard        Payroll Admin   192.168.0.132

File to use: 4360.2.spring.2016.pcap (on the website)

Deliverable:
I want a SINGLE DOCUMENT, either *.doc, *.docx, or *.pdf that contains the following information:
1. A 1/2 page management summary, written in non-technical language, that provides a high level
interpretation of what occurred during the sequence of events, identifying any suspicious activity (trust
me there is a LOT going on). I will count off if you use ANY of the following terms (or terms like this): ftp,
telnet, IP, http, port, ping, port numbers, etc. Think of a way to describe what occurred without using
technical lingo!
2. Answer the questions below. Keep the stems included in your document so I can identify the
questions you are answering. You can type DIRECTLY into this document as I want to see the question
stems!! 10 points off immediately if you don't include the stems.
NOTE: Some activity is suspicious, some is NOT. If it's NOT suspicious, describe why it’s not, and go on to
the next question! If you don't know whether it's suspicious -- sometimes it's difficult to tell -- say so, and
describe why you can't tell whether it's suspicious or not. There are examples of EACH of the
aforementioned categories of behavior included in the packet capture.
NOTE: I want a DETAILED INTERPRETATION of what is happening. Don't simply DESCRIBE what is going
on, I want an expert interpretation. Here’s an example:
POOR DESCRIPTION: IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx.
My feedback to you: That is useless information.
GOOD DESCRIPTION: IP xxx.xxx.xxx.xxx is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx. Port 21
is ftp, which sends credentials in the clear. The series of packet captures shows that the intruder was
attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the
5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter
of which allowed the intruder to gain access to the computer.
My feedback: Whoa! Excellent! Off to the NSA you go!

Questions
1. What is occurring in packets 3-4? Is it evidence of an intrusion? Provide an interpretation of what is
occurring, and the possible uses of the information gained. If there’s nothing suspicious, tell me so, and
explain why it’s normal traffic.
2. Is the activity occurring in packets 17-20, 24-25, 28-33, 36-41 evidence of an intrusion? Provide a
detailed interpretation of what is occurring, and the possible uses of the information gained. How many
computers are involved? Who owns them?
3. Is the activity starting in packet 80-116 evidence of an intrusion? Provide a detailed interpretation of
what is occurring, and the possible consequences. How many ports are involved, and what are their
associated services? What information would be gained, and how would it be used by an attacker?
4. Are packets 508-595 abnormal? (Note: this is a TCP stream so you can select the first packet, right
click your mouse, select "Follow TCP Stream", and Wireshark will extract those packets and form a
single readable stream.) Provide a detailed description AND interpretation of what is occurring, and the
possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
5. Is the activity starting in packet 618 evidence of an intrusion? (Note: this is a TCP stream so you can
select the packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those
packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and
the possible consequences.
6. Is the activity starting in packet 1037 abnormal? Provide a detailed interpretation of what is occurring,
and the possible consequences. What did the attacker do on the system?
7. Is the activity in packets 1130-1136 abnormal? If so tell me why. If not, explain why.
8. Is the activity occurring in packets 1347-1934 evidence of an intrusion? (Use Follow TCP Stream. Look
at the IP address. Type that into Google. Haha.) Provide a detailed interpretation of what is occurring.
9. Is the activity starting in packet 4363 evidence of an intrusion or attack? (Use Follow TCP Stream).
Provide a detailed interpretation of what is occurring, and the possible consequences. What did the
attacker do, and to whom?
10. Is the activity starting in packet 5321 evidence of an intrusion or attack? (Use Follow TCP Stream).
Provide a detailed interpretation of what is occurring, and the possible consequences.
11. Is the activity starting in packet 5489 to the end of the packet capture evidence of an intrusion or
attack? What port is involved? What would be the consequence to the server for this series of packets?
What is strange about the source packets?
12. Who was the attacker, and were his skills low, moderate, or high? Defend your answer.
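As an added example (not part of the assignment and not an answer key for the pcap), the script below shows how the password-guessing evidence described in the GOOD DESCRIPTION above can be pulled mechanically out of a "Follow TCP Stream" dump of an FTP control channel, and how the result can be phrased for the non-technical half-page summary without the forbidden terms. The stream text, the account name and the server banner are constructed to mirror that description; nothing in it comes from the real capture.

```python
# Added example: reconstruct FTP login attempts from a Wireshark "Follow TCP
# Stream" dump and turn them into the kind of summary the assignment asks for.
# Not course material; the stream is constructed to mirror the GOOD DESCRIPTION
# above (five guesses for "sumowrestler", the fifth succeeding).
import re
from dataclasses import dataclass, field

# Constructed control-channel text as Follow TCP Stream shows it: client
# commands (USER/PASS) interleaved with 3-digit server replies.
SAMPLE_STREAM = """\
220 Flextor FTP service ready
USER sumowrestler
331 Password required for sumowrestler
PASS password
530 Login incorrect.
USER sumowrestler
331 Password required for sumowrestler
PASS sumo
530 Login incorrect.
USER sumowrestler
331 Password required for sumowrestler
PASS wrestler
530 Login incorrect.
USER sumowrestler
331 Password required for sumowrestler
PASS beatles
530 Login incorrect.
USER sumowrestler
331 Password required for sumowrestler
PASS sumo1
230 Login successful.
"""

REPLY_RE = re.compile(r"^(\d{3})[ -]")                 # "530 Login incorrect."
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")  # "PASS sumo", "SYST"
# Terms the assignment forbids in the management summary (plus a plural).
BANNED_TERMS = {"ftp", "telnet", "ip", "http", "port", "ports", "ping"}


@dataclass
class LoginReport:
    user: str = "?"
    attempts: list = field(default_factory=list)  # (password, reply code) pairs

    @property
    def failed_passwords(self):
        # FTP reports success with a 2xx reply (230); anything else is a rejection.
        return [p for p, code in self.attempts if not code.startswith("2")]

    @property
    def successful_password(self):
        hits = [p for p, code in self.attempts if code.startswith("2")]
        return hits[0] if hits else None

    def verdict(self, guess_threshold=3):
        # One or two wrong passwords is a typo; many in a single stream is guessing.
        guessing = len(self.failed_passwords) >= guess_threshold
        if self.successful_password is None:
            return "password guessing, not successful" if guessing else "normal failed login"
        return "password guessing, successful" if guessing else "normal login"


def analyze_ftp_stream(text):
    """Pair every PASS command with the server reply that answers it."""
    report, pending = LoginReport(), None
    for line in text.splitlines():
        reply = REPLY_RE.match(line)
        if reply:
            if pending is not None:  # this reply answers the outstanding PASS
                report.attempts.append((pending, reply.group(1)))
                pending = None
            continue
        cmd = CMD_RE.match(line)
        if cmd and cmd.group(1).upper() == "USER":
            report.user = (cmd.group(2) or "").strip()
        elif cmd and cmd.group(1).upper() == "PASS":
            pending = (cmd.group(2) or "").strip()
    return report


def plain_language_summary(report):
    """The non-technical wording the half-page summary requires."""
    n = len(report.attempts)
    if report.successful_password is None:
        return (f"Someone tried {n} different passwords for the account "
                f"'{report.user}' on the company's file-transfer service and was not let in.")
    rejected = ", ".join(f'"{p}"' for p in report.failed_passwords)
    return (f"Someone tried {n} different passwords for the account '{report.user}' on "
            f"the company's file-transfer service ({rejected} were rejected) and got in "
            f"with \"{report.successful_password}\". That service sends passwords "
            f"unprotected, so anyone watching the network traffic could read them too.")


def banned_terms_used(text):
    """Forbidden terms that appear in a summary; an empty list means it is clean."""
    return sorted(set(re.findall(r"[a-z]+", text.lower())) & BANNED_TERMS)


if __name__ == "__main__":
    rpt = analyze_ftp_stream(SAMPLE_STREAM)
    print(rpt.verdict(), rpt.failed_passwords, "->", rpt.successful_password)
    print(plain_language_summary(rpt))
```

To use it on the real capture, select the first packet of the stream in Wireshark, choose Follow TCP Stream, save the conversation as ASCII and pass the file's contents to `analyze_ftp_stream`. The three-failure threshold in `verdict` is a judgement call, which is exactly the "is it suspicious or not" distinction the questions ask you to defend in writing.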

Status NEW Posted 11 May 2017 09:05 AM My Price 11.00