
Page 1: SANS FORENSIC CHALLENGES REPORTprof.ysu.ac.kr/pds_update/qori report netork analysis.pdf · 2016. 10. 23. · Wireshark is a free and open source network protocol analyzer that enables

SANS FORENSIC CHALLENGES REPORT

Name : Fitroh Qori Saputro

Name (Korean) : 피뜨로 코리 사뿌뜨로

Student ID (NIM) : 10152147


1. Wireshark

Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark is a free and open source network protocol analyzer that enables users to interactively browse the data traffic on a computer network. The development project was started under the name Ethereal, but was renamed Wireshark in 2006. Many networking developers from all around the world have contributed to this project with network analysis, troubleshooting, software development and communication protocols. Wireshark is used in many educational institutions and other industrial sectors.

Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed. Wireshark is perhaps one of the best open source packet analyzers available today.


Here are some examples of what people use Wireshark for:

Network administrators use it to troubleshoot network problems.

Network security engineers use it to examine security problems.

Developers use it to debug protocol implementations.

People use it to learn network protocol internals.

Besides these examples, Wireshark can be helpful in many other situations too.


2. Conversations and Endpoints in Wireshark

a. Conversation

A network conversation is the traffic between two specific endpoints. For example, an IP conversation is all the traffic between two IP addresses.

The Conversations window is similar to the Endpoints window. See Figure 2.b, "The Endpoints window", for a description of their common features. Along with addresses, packet counters, and byte counters, the Conversations window adds four columns: the start time of the conversation ("Rel Start" or "Abs Start"), the duration of the conversation in seconds, and the average bits (not bytes) per second in each direction. A timeline graph is also drawn across the "Rel Start" / "Abs Start" and "Duration" columns.

Figure 2.a The "Conversations" window


b. Endpoint

A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer. The endpoint statistics of Wireshark take the following endpoints into account.

Figure 2.b The "Endpoints" window


3. Analysis

a. IP address of the scanner

Double-clicking the evidence file automatically opens it in Wireshark. To determine the scanner we can simply look at the first packet, which initiates the connection. The IP source shown is 61.75.199.63.


b. First port scan, type of port scan

The first port scan can be examined by following the TCP stream. We can follow the TCP stream of the first packet by using the filter expression "tcp.stream eq 0". The packet information shown is a SYN that is then answered with RST, ACK. This pattern is the common pattern of the three-way handshake attempts of a TCP Connect port scan.


c. The IP addresses of the targets

The IP addresses of the targets can be seen under Statistics -> Endpoints. Then examine the IPv4 tab, because the port scan used is TCP Connect. There we can see several endpoint addresses. Apart from the one that is the gateway, there are three other addresses:

61.75.199.239

61.75.199.254

61.75.199.255

etc.


d. The IP address of the Windows system

Then, to see which IP address is the Windows system, we can use the filter expression "ip.ttl eq 128". The result shows that the packets that have a TTL value of 128 have the IP destination 61.75.199.239.


e. TCP ports that were open on the Windows system

To see the TCP ports that were open on the Windows system we can use the filter expression "tcp.flags.syn==1 && tcp.flags.ack==1" for the successful connections, plus "ip.ttl eq 128" to restrict it to the Windows system's connections. Wireshark lists the packets that match the filter, and under the Transmission Control Protocol tab you can simply read the source port information. The port used is 3871.
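The triage steps of sections 3a to 3e, written out as one script. This is an added example, not part of the original report: it applies the same selection logic as the report's Wireshark display filters (first bare SYN, Endpoints, ip.ttl eq 128, SYN/ACK responses) to a small packet list that is constructed here and reuses the addresses named in the report, but is not the challenge capture. TTL is read from the sending host, since a packet's TTL is set by its sender; the single-hop LAN assumption is noted in the code.

```python
from collections import namedtuple

# One record per packet, carrying only the fields the display filters use.
Pkt = namedtuple("Pkt", "src dst ttl sport dport syn ack rst")

# Constructed sample (not the challenge capture): the scanner probes three
# hosts; the Windows host (TTL 128) answers SYN/ACK on 3871 and RST/ACK on a
# closed port; one target never answers.
PACKETS = [
    Pkt("61.75.199.63", "61.75.199.239", 64, 40001, 80, 1, 0, 0),     # SYN
    Pkt("61.75.199.239", "61.75.199.63", 128, 80, 40001, 0, 1, 1),    # RST/ACK: closed
    Pkt("61.75.199.63", "61.75.199.239", 64, 40002, 3871, 1, 0, 0),   # SYN
    Pkt("61.75.199.239", "61.75.199.63", 128, 3871, 40002, 1, 1, 0),  # SYN/ACK: open
    Pkt("61.75.199.63", "61.75.199.239", 64, 40002, 3871, 0, 1, 0),   # ACK completes handshake
    Pkt("61.75.199.63", "61.75.199.254", 64, 40003, 22, 1, 0, 0),     # SYN
    Pkt("61.75.199.254", "61.75.199.63", 64, 22, 40003, 0, 1, 1),     # RST/ACK: closed
    Pkt("61.75.199.63", "61.75.199.255", 64, 40004, 445, 1, 0, 0),    # SYN, no reply
]

def scanner_ip(pkts):
    # Section 3a: source of the first packet that initiates a connection (bare SYN).
    return next(p.src for p in pkts if p.syn and not p.ack)

def target_ips(pkts, scanner):
    # Section 3c: distinct destinations the scanner sent SYNs to (Statistics -> Endpoints).
    return sorted({p.dst for p in pkts if p.src == scanner and p.syn and not p.ack})

def windows_hosts(pkts):
    # Section 3d: senders whose packets still carry TTL 128, the Windows default
    # initial TTL. Assumes no routers in between; each hop would lower the value.
    return sorted({p.src for p in pkts if p.ttl == 128})

def open_ports(pkts, host):
    # Section 3e: ports on `host` that answered SYN/ACK (tcp.flags.syn==1 && tcp.flags.ack==1).
    return sorted({p.sport for p in pkts if p.src == host and p.syn and p.ack})

def closed_ports(pkts, host):
    # Section 3b: ports on `host` that answered RST/ACK, the closed-port signature of a connect scan.
    return sorted({p.sport for p in pkts if p.src == host and p.rst and p.ack})

if __name__ == "__main__":
    s = scanner_ip(PACKETS)
    print("scanner:", s, "targets:", target_ips(PACKETS, s))
    for h in windows_hosts(PACKETS):
        print(h, "open:", open_ports(PACKETS, h), "closed:", closed_ports(PACKETS, h))
```

A target that never answers (61.75.199.255 above) still appears in the target list, which is why the Endpoints view shows more addresses than the SYN/ACK filter does.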


BIBLIOGRAPHY

Websites:

https://www.wireshark.org/about.html

https://www.techopedia.com/definition/25325/wireshark