
Page 1: MARTINEZ GREGORY, PMP · Web viewConfigure Kali_2 Kali_2 is my Kali_Linux VM where Wireshark is hosted on my network. I changed the network settings to match the Virtual Box adapter

Martinez Gregory

CSOL 570: Assignment 3

2/13/17

Network Analyzation with Wireshark

Configuring Wireshark:

1. Configure Virtual Box Settings

To begin the network analysis process using Wireshark, I configured my Virtual Box settings. I went to Settings – Preferences – Network and checked the box for NAT Network (the previous settings used the Host-only adapter). This setting, together with configuration changes in the Kali Linux VM, will enable internet access for my VMs.

2. Configure Kali_2

Kali_2 is my Kali_Linux VM where Wireshark is hosted on my network. I changed the network settings to match the Virtual Box adapter settings.

Figure 1: Virtual Box network configuration changes.

Figure 2: Kali Linux VM network configuration changes.


3. Configure Wireshark

Next, I started my Kali_2 VM and opened the Wireshark tool. My interfaces were already configured from a previous exercise using Wireshark, so I began surfing the web.

Figure 4: Wireshark interfaces capturing traffic. The IPv4 address of my VM host is 10.0.2.15, and the 'any' interface is a rehash of eth0.

Traffic Analysis:

1. IP, TCP, and Encrypted Message Captures

Not really understanding how to use Wireshark prior to this exercise, I was forced to do more research and study to figure out the tool. By doing so, I learned that Wireshark is a very powerful tool that can be used for ethical or malicious purposes. If I were a security engineer, I could see this tool being applied to understand how well my firewall policies are working by filtering my captures using the Protocol tab. I could also analyze traffic patterns to identify heavily trafficked IP sites and the times when those sites receive the most traffic. This could help diagnose network latency problems and aid in mitigating those problems. This same information could identify persons not following network acceptable use policies within an organization. Also, as a security engineer, Wireshark can be used to identify gaps in security for internal and external sites used to conduct organizational business. Sites that utilize protocols like HTTP instead of HTTPS or Telnet instead of SSH could put employees at risk by accepting user credentials in plain text.


Figure 5: Screen capture of Gmail communication using the SSL protocol TLSv1.2.

Figure 6: Screen capture of the encrypted key exchange used on the https://www.sandiego.edu website.


Figure 7: Screen capture of source and destination IPs between my Kali_2 VM and Google

Figure 8: Screen capture of data pulled from the Google webpage when I followed the HTTP traffic using Wireshark. The traffic is all encrypted because Google uses the HTTPS protocol, which masks most of the information on the page.


Figure 9: I travelled to www.msn.com, which uses the HTTP protocol, and I discovered that much of the information on the page can be displayed and read without much effort. I was able to pull a JPEG image from the site and export it to my desktop as a saved file. I simply filtered my capture to HTTP traffic only, found a segment with a ‘JPEG JFIF image’ in the Info header, and scrolled down to the file info in the tab below.

Figure 10: Exported JPEG image
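The two things the report does in the Wireshark GUI, filtering a capture by protocol to see which conversations run in the clear (HTTP, Telnet) and pulling a JPEG out of an unencrypted HTTP response, can be reproduced in a few dozen lines of Python with no third-party modules. The script below is an added example written for this page; it is not part of the assignment and does not use any of its captures. It builds a small libpcap file in memory from constructed frames (the 10.0.2.15 address of the analyst VM is taken from the report; the server addresses, hostnames and image bytes are made up), then walks the Ethernet/IPv4/TCP headers the same way Wireshark's dissectors do. In Wireshark itself the equivalent steps are the display filters `http` and `telnet`, and File > Export Objects > HTTP for the image.

```python
"""Added example (not from the assignment): tally cleartext protocols per
conversation and carve a JPEG from an HTTP response in a pcap.  The capture is
constructed in memory so the script runs offline; all addresses except the
analyst VM (10.0.2.15) and all hostnames are invented."""
import struct
from collections import Counter

# Well-known ports whose traffic carries credentials or content unencrypted.
CLEARTEXT_PORTS = {80: "HTTP", 23: "Telnet", 21: "FTP"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap payload in Ethernet + IPv4 + TCP headers (checksums left zero; test data only)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Classic little-endian libpcap file: 24-byte global header, link type 1 = Ethernet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def iter_packets(pcap):
    """Yield (src_ip, dst_ip, sport, dport, tcp_payload) for every IPv4/TCP frame."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ip = frame[14:]
        total_len = struct.unpack_from("!H", ip, 2)[0]
        ip = ip[:total_len]                               # drop Ethernet padding on short frames
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                    # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def cleartext_conversations(pcap):
    """Packets per (client, server, protocol) on cleartext ports: the 'filter by protocol' view."""
    tally = Counter()
    for src, dst, sport, dport, _ in iter_packets(pcap):
        for port, name in CLEARTEXT_PORTS.items():
            if dport == port:
                tally[(src, dst, name)] += 1
            elif sport == port:
                tally[(dst, src, name)] += 1
    return tally


def carve_jpegs(pcap):
    """JPEG bodies found in HTTP responses: what 'Export Objects' does for a JFIF segment."""
    found = []
    for _, _, sport, _, payload in iter_packets(pcap):
        if sport != 80 or not payload.startswith(b"HTTP/1."):
            continue
        head, sep, body = payload.partition(b"\r\n\r\n")
        if sep and b"content-type: image/jpeg" in head.lower() and body.startswith(b"\xff\xd8\xff"):
            found.append(body)
    return found


# Constructed sample traffic: the analyst VM fetches an image over cleartext HTTP,
# starts a Telnet login, and sends one TLS record that the tools above ignore.
VM, WEB, TELNET_SRV, TLS_SRV = "10.0.2.15", "203.0.113.10", "192.0.2.7", "198.51.100.5"
JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\x00" * 8 + b"\xff\xd9")                      # minimal JFIF header + end marker
HTTP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n"
             % len(JPEG)) + JPEG
SAMPLE_PCAP = build_pcap([
    build_frame(VM, WEB, 40001, 80, b"GET /logo.jpg HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame(WEB, VM, 80, 40001, HTTP_RESP),
    build_frame(VM, TELNET_SRV, 40002, 23, b"admin\r\n"),      # username readable by anyone on path
    build_frame(TELNET_SRV, VM, 23, 40002, b"Password: "),
    build_frame(VM, TLS_SRV, 40003, 443, b"\x16\x03\x03\x00\x05hello"),  # TLS record: opaque
])

if __name__ == "__main__":
    for (client, server, proto), n in sorted(cleartext_conversations(SAMPLE_PCAP).items()):
        print(f"{proto:6} {client} -> {server}: {n} packets in the clear")
    for i, img in enumerate(carve_jpegs(SAMPLE_PCAP)):
        with open(f"exported_{i}.jpg", "wb") as fh:      # the 'export to desktop' step
            fh.write(img)
        print(f"wrote exported_{i}.jpg ({len(img)} bytes)")
```

Run as a script it reports two HTTP packets and two Telnet packets between the VM and the respective servers, says nothing about the TLS packet (its payload is ciphertext, which is why Figures 5 to 8 show nothing readable), and writes the carved image to `exported_0.jpg`. The tally is the list a security engineer would hand to whoever owns those servers: every conversation in it is a site that should be moved to HTTPS or SSH.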
