Source: prof.ysu.ac.kr/pds_update/qori report netork analysis.pdf (2016)
SANS FORENSIC CHALLENGES REPORT
Name : Fitroh Qori Saputro
Name (Korean) : 피뜨로 코리 사뿌뜨로
Student ID (NIM) : 10152147
1. Wireshark
Wireshark is the world's foremost network protocol analyzer. It lets you see what's
happening on your network at a microscopic level. It is the de facto (and often de jure)
standard across many industries and educational institutions.
Wireshark is a free and open source network protocol analyzer that enables users to
interactively browse the data traffic on a computer network. The development project was
started under the name Ethereal, but was renamed Wireshark in 2006. Many networking
developers from all around the world have contributed to this project with network analysis,
troubleshooting, software development and communication protocols. Wireshark is used
in many educational institutions and other industrial sectors.
Wireshark is a network packet analyzer. A network packet analyzer tries to capture
network packets and to display that packet data in as much detail as possible. You could
think of a network packet analyzer as a measuring device used to examine what’s going
on inside a network cable, just like a voltmeter is used by an electrician to examine what’s
going on inside an electric cable (but at a higher level, of course). In the past, such tools
were either very expensive, proprietary, or both. However, with the advent of Wireshark,
all that has changed. Wireshark is perhaps one of the best open source packet analyzers
available today.
Here are some examples of what people use Wireshark for:
Network administrators use it to troubleshoot network problems
Network security engineers use it to examine security problems
Developers use it to debug protocol implementations
People use it to learn network protocol internals
Besides these examples, Wireshark can be helpful in many other situations too.
2. Conversation and Endpoint in Wireshark
a. Conversation
A network conversation is the traffic between two specific endpoints. For example,
an IP conversation is all the traffic between two IP addresses.
The “Conversations” window is similar to the “Endpoints” window.
See Figure 2.b, “The “Endpoints” window” for a description of their
common features. Along with addresses, packet counters, and byte counters
the conversation window adds four columns: the start time of the
conversation (“Rel Start”) or (“Abs Start”), the duration of the conversation
in seconds, and the average bits (not bytes) per second in each direction. A
timeline graph is also drawn across the “Rel Start” / “Abs Start” and
“Duration” columns.
Figure 2.a The “Conversations” window
b. Endpoint
A network endpoint is the logical endpoint of separate protocol traffic of a specific
protocol layer. The endpoint statistics of Wireshark will take the following endpoints
into account.
Figure 2.b, “The “Endpoints” window”
3. Analysis
a. IP address of the scanner
Double-clicking the evidence file automatically opens it in Wireshark. To determine the
scanner we can simply look at the first packet that initializes the connection. The
IP source shown is 61.75.199.63.
b. First port scan, type of port scan
The first port scan can be examined by following the TCP stream. We can follow
the TCP stream of the first packet by using the filter expression "tcp.stream eq 0".
The packet information shown is a SYN that is answered with RST, ACK. This
pattern is the common pattern of the three-way handshake attempt of a TCP Connect port scan.
c. The IP addresses of the targets
The IP addresses of the targets can be seen under Statistics -> Endpoints. Then
examine the IPv4:5 tab, because the port scan used is TCP connect. There we can
see several endpoint addresses; one of them is the gateway, and there are 3 other addresses:
61.75.199.239
61.75.199.254
61.75.199.255
etc.
d. The IP address of the Windows system
Then, to see which IP address is the Windows system, we can use the filter
expression "ip.ttl eq 128". The result shows that the packets with a TTL value of
128 have the IP destination 61.75.199.239.
e. TCP ports that were open on the Windows system
To see the TCP ports that were open on the Windows system we can use the filter
expression "tcp.flags.syn==1 && tcp.flags.ack==1" for the successful connections,
plus "ip.ttl eq 128" to restrict it to the Windows system's connections. Wireshark lists the
packets that match the filter, and the source port can simply be read under the Transmission Control
Protocol tab. The port found is 3871.
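As an added example (not part of the original report or of Wireshark), the following Python script reproduces the steps of sections 2 and 3 without the Wireshark GUI: it builds a small capture in memory, parses the Ethernet/IPv4/TCP headers, computes the “Endpoints” and “Conversations” counters (packets, bytes, Rel Start, Duration), finds the scanner as the source of the first bare SYN, pairs each SYN with the target's answer (SYN/ACK means the port is open, RST/ACK means it is closed), lists the hosts whose packets carry TTL 128 (the Windows default), and derives the open ports from the SYN/ACK replies, which is why the filter in step e combines syn==1 and ack==1. The addresses 192.0.2.x, ports and timestamps are invented sample values, not those of the challenge capture, and all function names are my own. One caveat worth noting: the TTL is set by the sending host, so packets matching ip.ttl == 128 identify the Windows system by their IP source.

```python
# Added example: reproduces the Wireshark steps of sections 2 and 3 on a
# constructed capture (addresses, ports and times are invented sample values).
import struct
from collections import defaultdict
from ipaddress import IPv4Address

SYN, RST, ACK = 0x02, 0x04, 0x10


def build_frame(src, dst, sport, dport, flags, ttl):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Classic pcap file (link type 1 = Ethernet) with frames one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (time, src, dst, ttl, sport, dport, flags, length) per TCP packet."""
    pos = 24  # skip the pcap global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (ts_sec + ts_usec / 1e6, str(IPv4Address(frame[26:30])),
               str(IPv4Address(frame[30:34])), frame[22], sport, dport, tcp[13], caplen)


def endpoints(packets):
    """Statistics -> Endpoints (IPv4): packets and bytes seen per address."""
    stats = defaultdict(lambda: [0, 0])
    for p in packets:
        for addr in (p[1], p[2]):
            stats[addr][0] += 1
            stats[addr][1] += p[7]
    return dict(stats)


def conversations(packets):
    """Statistics -> Conversations (IPv4): packets, bytes, Rel Start, Duration."""
    t0, convs = packets[0][0], {}
    for t, src, dst, *_, length in packets:
        c = convs.setdefault(tuple(sorted((src, dst))),
                             {"packets": 0, "bytes": 0, "rel_start": t - t0, "duration": 0.0})
        c["packets"] += 1
        c["bytes"] += length
        c["duration"] = t - t0 - c["rel_start"]
    return convs


def scanner_address(packets):
    """Section 3a: source of the first packet that initiates a connection (bare SYN)."""
    return next((p[1] for p in packets if p[6] & (SYN | ACK) == SYN), None)


def classify_probes(packets):
    """Sections 3b/3e: pair each SYN with the target's answer.
    SYN/ACK means the port is open, RST/ACK means it is closed."""
    probes = {}
    for _, src, dst, _, sport, dport, flags, _ in packets:
        if flags & (SYN | ACK) == SYN:
            probes[(dst, dport, src, sport)] = "no reply"
            continue
        key = (src, sport, dst, dport)  # an answer flows target -> scanner
        if key in probes and flags & (SYN | ACK) == SYN | ACK:
            probes[key] = "open"
        elif key in probes and flags & RST:
            probes[key] = "closed"
    return {(target, port): state for (target, port, _, _), state in probes.items()}


def hosts_with_ttl(packets, ttl=128):
    """Section 3d: ip.ttl == 128. The TTL is set by the sender, so collect IP sources."""
    return sorted({p[1] for p in packets if p[3] == ttl})


def open_ports(packets, host):
    """Section 3e: SYN/ACK (tcp.flags.syn==1 && tcp.flags.ack==1) sent by host."""
    return sorted({p[4] for p in packets if p[1] == host and p[6] & (SYN | ACK) == SYN | ACK})


# Constructed capture: a Linux scanner (TTL 64) probes a Windows host (TTL 128) and a Linux host.
SCANNER, WINDOWS, LINUX = "192.0.2.10", "192.0.2.20", "192.0.2.30"
CAPTURE = build_pcap([
    build_frame(SCANNER, WINDOWS, 40001, 445, SYN, 64),
    build_frame(WINDOWS, SCANNER, 445, 40001, RST | ACK, 128),   # port closed
    build_frame(SCANNER, WINDOWS, 40002, 3389, SYN, 64),
    build_frame(WINDOWS, SCANNER, 3389, 40002, SYN | ACK, 128),  # port open
    build_frame(SCANNER, WINDOWS, 40002, 3389, ACK, 64),         # connect scan completes the handshake
    build_frame(SCANNER, WINDOWS, 40002, 3389, RST | ACK, 64),   # and then tears it down
    build_frame(SCANNER, LINUX, 40003, 22, SYN, 64),
    build_frame(LINUX, SCANNER, 22, 40003, SYN | ACK, 64),
    build_frame(SCANNER, LINUX, 40003, 22, ACK, 64),
])
PACKETS = list(parse_pcap(CAPTURE))

if __name__ == "__main__":
    print("scanner:", scanner_address(PACKETS))
    print("endpoints:", endpoints(PACKETS))
    print("conversations:", conversations(PACKETS))
    print("probes:", classify_probes(PACKETS))
    print("hosts with TTL 128:", hosts_with_ttl(PACKETS))
    print("open ports on the Windows host:", open_ports(PACKETS, WINDOWS))
```

To run the same functions over a real capture, replace CAPTURE with the bytes of a pcap file (the classic little-endian format only; pcapng and captures with VLAN tags or IP options on non-standard link types are not handled by this small parser). Each reported endpoint still has to be read together with the gateway and scanner addresses, exactly as in step c above.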
REFERENCES
Website :
https://www.wireshark.org/about.html
https://www.techopedia.com/definition/25325/wireshark