
Student name: ______________________

Date: _____________________________

LAB 6 Network Analysis and Passive Fingerprinting


(Revised SM2010; 1.5 to 2 hours)

General Instructions:
The purpose of this lab exercise is to familiarize the student with the basic concepts and
procedures for conducting network analysis, network forensics and passive network
fingerprinting.
Record your results directly on the lab sheets for submission. They will be returned to you after
grading.

Information you may find useful when completing this Lab.


1. BackTrack: http://www.backtrack-linux.org/
   a. BackTrack is a Linux-based penetration testing arsenal that aids security
      professionals in the ability to perform assessments in a purely native environment
      dedicated to hacking.

2. Wireshark: http://www.wireshark.org/
   a. Wireshark is the world's foremost network protocol analyzer, and is the de facto
      (and often de jure) standard across many industries and educational institutions.

3. Wireshark User Guide: http://www.wireshark.org/docs/wsug_html/

4. Wireshark Manual Pages: http://www.wireshark.org/docs/man-pages/

5. Wireshark Display Filters: http://www.wireshark.org/docs/dfref/

6. EtterCap: http://ettercap.sourceforge.net/
   a. Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of
      live connections, content filtering on the fly and many other interesting tricks.
      It supports active and passive dissection of many protocols (even ciphered ones)
      and includes many features for network and host analysis.

7. P0f: http://lcamtuf.coredump.cx/p0f.shtml
   a. P0f is a versatile passive OS fingerprinting tool.

8. NetworkMiner: http://networkminer.sourceforge.net/
   a. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows.
      NetworkMiner can be used as a passive network sniffer/packet capturing tool in
      order to detect operating systems, sessions, hostnames, open ports etc. without
      putting any traffic on the network.

9. Passive Operating System Identification From TCP/IP Packet Headers, article by
   Richard Lippmann, David Fried, Keith Piwowarski, and William Streilein from the MIT
   Lincoln Laboratory:
   http://www.ll.mit.edu/mission/communications/ist/publications/03_POSI_Lippmann.pdf

10. Passive OS Fingerprinting: Details and Techniques by Toby Miller:
    http://www.ouah.org/incosfingerp.htm

11. Know Your Enemy: Passive Fingerprinting by Craig Smith and Peter Grundl:
    http://old.honeynet.org/papers/finger/

12. Remote OS Detection by Gordon Fyodor: http://nmap.org/book/osdetect.html

13. TCP/IP Fingerprinting: http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

14. Defeating TCP/IP Stack Fingerprinting:
    http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html

Starting BackTrack VM

1. Open VirtualBox from the Program Menu and start the BackTrack VM image.
   Note: BackTrack boots into run level 3 by default, which is simply the Bash command-line
   environment without a window manager.

2. Log in to BackTrack from the command line with the following credentials:
   Username: root
   Password: toor

3. Start the default Linux window manager by typing the following command at the
   command prompt after logging in:
   root@bt:~# startx

4. By default network services are not started with BackTrack, so we need to start these
   services if we want to connect to the Internet and/or internal networks. To start the
   network services in BackTrack type the following command into a terminal window:
   root@bt:~# service networking start
   Note: To open a terminal window click the black and white Konsole icon on the task bar
   at the bottom of your screen. It is the icon just right of the Firefox icon.

5. BackTrack is now fully booted into run level 5, the graphical desktop, and you
   can now proceed with your lab.

Getting Familiar with Wireshark

1. Click on the Wireshark icon located on your Desktop to launch the Wireshark
   application.
   Note: An alternative way to launch the Wireshark application is to simply type the
   following command within any terminal window:
   root@bt:~# wireshark
   NOTE: You can also automatically open a network capture file (PCAP) with Wireshark
   by supplying the file name when launching Wireshark from the command line like this:
   root@bt:~# wireshark example.pcap

2. Click on the Edit menu option and then select Preferences from the drop-down
   menu to display Wireshark's default application preferences. The following pop-up
   dialog box should be shown:

3. Select Capture from the left-hand list box to show the capture preferences for
   Wireshark.
   a. Ensure the following settings are applied:
      Default Interface: eth0
      All checkboxes are checked as shown in the following image:

   b. Click Apply to apply these settings.


4. Explore the Name Resolution settings within Wireshark by recording them here:

   a. Why would it be important for an attacker to turn off all Name Resolution
      settings within a network packet capturing application like Wireshark before
      sniffing packets on a network?
      HINT: An attacker's main goal is to avoid detection and go unnoticed while
      conducting his or her activities. Think stealthy!

   b. Close Wireshark's Preferences dialog box by clicking the OK button.


5. Start a network capture session by selecting the Capture menu option and then
   selecting Start from the drop-down menu.

6. Now open up the web browser Firefox by selecting it from the taskbar at the bottom of
   your screen and perform the following actions:
   a. Go to www.google.com by typing the URL directly in the address bar.
   b. Search for the term uah
   c. Click the first search result within your Google search results to visit the UAH
      home page.
   d. Close your Firefox web browser.

7. Stop the network capture by selecting the Capture menu option and then selecting
   Stop from the drop-down menu.

8. Verify your network capture session was successful by comparing the following image
   with your running instance of Wireshark.
   Note: Packet details will not be exactly the same but the general display should be very
   similar.

9. Apply a display filter to show only DNS-related traffic within Wireshark to identify the
   IP address of the DNS server being utilized.
   Note: Wireshark has numerous built-in filtering options making it an extremely powerful
   network analysis tool. See the cheat sheet provided for this lesson titled
   Wireshark_Display_Filters.pdf for a few of the more common filtering capabilities.
   a. In Wireshark's filter bar type the following text:
      dns
   b. Identify the IP address of the DNS server serving your network and record it here.
      HINT: DNS service is provided by a server listening on port 53.

   c. Scroll down to the packet captured from your client to the DNS server looking for
      www.uah.edu. Select this packet to ensure it is highlighted. Within Wireshark's
      protocol analysis box expand the Domain Name System query data and then
      further expand the Queries information to display the DNS query
      information as shown in the following image:

   d. Notice as you select different pieces of information in the protocol analysis
      window that the packet data analysis window updates and highlights the
      corresponding specific packet data within the entire network packet. The packet
      display window shows the entire network packet in both standard ASCII form and
      HEX form. Select the Type field in the protocol analysis window and record
      the HEX value here:

   e. Clear the display filter by clicking the Clear button on the filter toolbar at the
      top of Wireshark's application window.
10. The ability to search a network capture within Wireshark is another powerful feature.
    Click the Edit menu and then click Find Packet from the drop-down menu to show
    the following dialog box:

    a. We are going to search for our first visit to the UAH website. Ensure the radio
       button String is checked and then type in the following text exactly as it
       appears below:
       Host: www.uah.edu
    b. Now click Find, which should result in the following packet being displayed:

    c. As you can see this is our request since it is an HTTP/1.1 GET request. To verify
       this scroll down in the protocol window and look at the Referer: information
       and select it. Record the domain name of the referrer here.
       Note: The domain name string is located between the string http:// and the
       first / occurrence.

11. Wireshark has the ability to follow specific streams within a network packet capture to
    show both server and client sides of the conversation in an easy-to-read format. To follow
    the TCP stream from the previously searched packet simply right-click the packet data in
    the top table/window and select Follow TCP Stream from the pop-up menu.
    a. Notice by default Wireshark shows all client-side traffic in red and all server-side
       traffic in blue. This is a very useful view to follow a full conversation
       when performing network analysis.
    b. Record the server side's value for the HTTP Content-Encoding header
       specification here:

    c. Looking at the server's response, why is the Content-Encoding information
       important for performing a network forensic analysis on the rest of the packet's
       payload? Record your answer here. HINT: Is the packet data readable in its
       current format, and by understanding the encoding technique what can we do?

    d. Close the Follow TCP Stream dialog box.

12. This concludes the introduction to the basic familiarization with Wireshark. Throughout
    the rest of the labs these basic skills will not be covered again, so you may need to refer
    back to this section for reference. Close Wireshark and do not save the network capture
    file.

Wireshark Forensic Investigation Example

1. Open Wireshark and the following file:
   Full path to file: /root/mis501/lab6/mis501_forensics.pcap
   Note: The File Open option is located under the File menu item and you can use the pop-up
   dialog to drill down into the file system to open this network capture.

2. There are a number of interesting characteristics within this network capture file. Please
   fill in the following information by analyzing this capture file in Wireshark:
   Client IP:
   Client Port:
   Server IP:
   Server Port:

3. Based on the above captured information what application layer protocol do you believe
   we are dealing with in this network capture file?

4. Wireshark has several statistics displays built in that can be very useful when performing
   network analysis. Let's look at a few:

   a. Summary Statistics: Click on the Statistics menu option and then select
      Summary from the drop-down menu. Fill in the following information based
      on the information from this display:
      First Packet Time/Date:
      Last Packet Time/Date:
      Elapsed Time for Capture File:
      Total Number of Packets:
      Average Packet Size:
      i. Close this dialog box.
   b. Protocol Hierarchy Statistics: Click on the Statistics menu option and then
      select Protocol Hierarchy from the drop-down menu. Fill in the following
      information based on the information from this display:
      Percentage of TCP Packets:
      Percentage of HTTP Packets:
      i. Based on this new information do you believe your answer to question
         number 3 is still correct? If not, what application layer protocol do you
         believe is in use now?

      ii. Close the Protocol Hierarchy dialog box.


5. Apply the following display filter to show only HTTP packets within the capture file:
   http
   a. What is the Info column message for all HTTP packets in the top packet analysis
      window?

   b. Expand the HTTP protocol information for any of the packets within this
      filtered view. What is the only HTTP protocol subfield available/listed?

   c. Now with this new information you can see that HTTP is not the application
      protocol being utilized in this network packet capture file. Wireshark bases its
      protocol decoding and analysis on destination port numbers, and since the
      server port number was port 80 Wireshark categorized this capture as HTTP.
      Wireshark did leave us clues that there was something wrong with the packet
      decoding in its Info message, so this may be something you look at when
      performing network forensics with Wireshark in the future.
   d. Clear your display filter to show all network packets in the capture file.

6. Since we discovered that the application protocol was not HTTP let's take a deeper dive
   into the entire conversation.
   a. Follow the TCP Stream and answer the following questions:
      i. What is the hostname of the computer infected by the bot?

      ii. What is the uptime for the infected host?

      iii. What sensitive information is being uploaded by the infected host?

7. Now that we know the attacker was not using the HTTP application layer protocol, why
   do you think the botnet creator chose port 80 for exfiltrating the sensitive data?

8. Close Wireshark and this capture file.
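
Two observations from this section and the previous one can be checked in code: Wireshark labels a stream HTTP from the server port rather than from its bytes, and a Content-Encoding header has to be undone before the payload shown by Follow TCP Stream is readable. The Python below is an added example, not part of the lab sheet; both sample streams are constructed (the bot check-in text is an invented stand-in, not the contents of mis501_forensics.pcap).

```python
# Added example (not from the lab sheet): tell whether a TCP/80 stream really
# carries HTTP and, if so, strip the gzip Content-Encoding so the body is readable.
# Both sample streams are constructed here, not taken from the lab's captures.
import gzip
import re

# An HTTP/1.x request line ("GET / HTTP/1.1") or status line ("HTTP/1.1 200 OK").
# Wireshark decides "HTTP" from the destination port; this regex looks at the bytes.
_HTTP_START = re.compile(
    rb"^(?:[A-Z]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3}[^\r\n]*)\r\n"
)


def looks_like_http(stream: bytes) -> bool:
    """True only if the stream begins with a well-formed request or status line."""
    return _HTTP_START.match(stream) is not None


def split_http_message(stream: bytes):
    """Split one HTTP message into (start line, lower-cased header dict, raw body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo the Content-Encoding that hides the payload in Follow TCP Stream.
    Only identity and gzip are handled here."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "identity":
        return body
    raise ValueError(f"unsupported Content-Encoding: {encoding}")


def readable_payload(stream: bytes) -> bytes:
    """Readable payload of an HTTP stream; non-HTTP streams are returned unchanged
    so the analyst can identify the real protocol by hand."""
    if not looks_like_http(stream):
        return stream
    _, headers, body = split_http_message(stream)
    return decode_body(headers, body)


# Constructed server side of a web session with a gzip-compressed body, as Follow
# TCP Stream would show it: the headers are readable, the body is not.
PAGE = b"<html><head><title>UAH</title></head><body>Hello</body></html>"
_GZ = gzip.compress(PAGE)
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_GZ)).encode() + b"\r\n"
    b"\r\n" + _GZ
)

# Constructed bot check-in sent to TCP/80 that is not HTTP at all; Wireshark
# would still label it HTTP because of the server port.
SAMPLE_BOT_STREAM = b"HELLO WS01 UPTIME 14d 02:11:05\r\n"

if __name__ == "__main__":
    print(looks_like_http(SAMPLE_BOT_STREAM))       # False
    print(readable_payload(SAMPLE_HTTP_RESPONSE))   # the decompressed HTML
```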

File Carving with Wireshark

1. Open Wireshark and the following network capture file:
   /root/mis501/lab6/mis501_filecarving.pcap

2. Fill in the following information using what you have learned so far using Wireshark:
   Client IP:
   Client Port:
   Server IP:
   Server Port:
   Application Layer Protocol:
   First Packet Date/Time:
   Last Packet Date/Time:
   Elapsed Time for Capture File:
   Total Number of Packets:
   Average Packet Size:

3. You may have noticed Wireshark uses colors to identify things such as protocols, errors,
   and other capture-related data to the user. To identify what the yellow color is in the
   packet-listing window we need to look it up in the coloring rules. To do this follow
   these steps:
   a. Click the View menu option and then select Coloring Rules from the drop-down
      menu items.
   b. Scroll down to the yellow highlighting with black letters. What protocol does this
      coloring represent?

   c. What does black highlighting with green letters represent?

   d. Close the Coloring Rules dialog box.

4. Since we know that the SMB protocol is normally used for file transfers let's look at
   extracting a file out of the network capture file for further analysis. To do this follow
   these steps:
   a. Go to packet number 101 and select it.
   b. What is the name of the file being transferred in this SMB request? Hint: Expand
      the SMB protocol details in the protocol analysis window to expose the
      request details.

   c. Now that you have expanded the details to find the file name, scroll further
      down in the protocol analysis window to the File Data: field and highlight it
      just like in the following image:

   d. Right-click the File Data field and select Export Selected Packet Bytes from
      the pop-up menu.
   e. Name this file evidence_file.txt and click Save.
   f. Open this file following these steps:
      i. Click on the Konsole icon located on the task bar at the bottom of your
         screen. This icon is a black screen with a greater-than sign in the top left of
         it.
      ii. Type the following on the command line to open Kate, a text editor:
          root@bt:~# kate /root/mis501/lab6/evidence_file.txt
   g. What sensitive information was being transferred via the SMB protocol?

   h. Close Kate.

5. Close Wireshark and the packet capture file.

Getting Familiar with EtterCap

1. To launch EtterCap with its GTK GUI open a console terminal window by clicking the
   Konsole icon on the lower task bar located to the right of the Firefox icon. The Konsole
   icon is shown in the following screenshot and highlighted in red:

2. Launch EtterCap with its GTK GUI by executing the following command within the
   console terminal window:
   root@bt:~> ettercap -G
   This command will result in the following GUI being displayed:

3. Select Unified sniffing from the main menu option located under the Sniff menu
   item.

4. Choose eth0 from the Network Interface drop-down select box. The EtterCap menu
   options will now be updated and your GUI should look like this:

5. Select the Start Sniffing menu option located under the main menu item Start on the
   main menu bar at the top of the GUI. The status box in the lower portion of the GUI
   should now have the following output:
   Starting Unified Sniffing

6. Select the Profiles view menu item located under the main menu option View to
   show the Systems profile view tab within EtterCap. Your GUI should now look like this:

   EtterCap is now sniffing all traffic between you and the Internet and will display IP
   addresses and hostnames within the profile view tab.

7. To generate some traffic and perform some basic familiarization with EtterCap we will
   use our web browser Firefox within BackTrack. Open Firefox via its shortcut located
   on the main task bar at the bottom of your BackTrack screen. It is the icon with the
   orange fox wrapped around the blue sphere.

8. Enter the following URL into Firefox's address bar: www.uah.edu

9. Now switch over to the EtterCap GUI without closing your Firefox web browser and
   view the Profiles view tab. Double-click any IP address or hostname within the Profile
   view tab to display additional details about the host.

10. Display the additional details regarding the hostname uah.edu and fill in the following
    information:
    IP Address:
    Hostname:
    Type:
    Fingerprint:
    Operating System:
    Port:

11. Notice that EtterCap is capable of fingerprinting specific information regarding the
    service being run on the remote host right down to the actual version number of the web
    server being utilized. What could an attacker do with this information and what are
    some of the possible methods to prevent EtterCap from being able to gather this
    information from the web server?

12. EtterCap is not limited to just fingerprinting HTTP traffic or web traffic. To demonstrate
    this we are going to see what information EtterCap can extract from an encrypted SSH
    connection attempt. Open up a new console terminal within BackTrack. If you don't
    remember how to open a terminal console refer to step 1 of this section, where you
    launched a Konsole terminal. Execute the following command within the console
    terminal:
    root@bt:~> ssh uah.edu
    When prompted to accept the remote host's key type yes and then press Enter. You will
    be prompted for a password; just press Enter three times to be returned to your
    console prompt. Your ssh console screen should look something like the following
    screenshot:

    Now close the console terminal by typing exit and pressing Enter.

13. Switch back to your EtterCap GUI and open the additional options for the uah.edu
    hostname. Now look at the port information for port 22: what version of SSH is running
    on the host uah.edu?

14. This concludes the introduction to EtterCap. Close EtterCap and all associated windows
    and your Firefox browser windows.

Introduction to P0f

1. Within BackTrack open a console terminal window; if you don't remember how to do this refer to
   step 1 of the Getting Familiar with EtterCap section.

2. P0f does not have a GUI interface, so we will need to observe the output from the console
   window. We are going to fingerprint the uah.edu host just like we did with EtterCap to
   compare the results. Launch P0f with the following command within your console window:
   root@bt:~> p0f -i eth0 -M -A
   You should now see the following in your console window:

3. Now open the Firefox browser within BackTrack and enter the URL www.uah.edu into the
   address bar to visit the default UAH web page.

4. Switch back to your console window where p0f is running and record what OS type p0f thinks
   UAH is running here:

5. Is this OS fingerprint different from EtterCap's? Why do you think that is?

6. To fix this issue let's update p0f's signature set for ACK mode (the -A option) by creating a custom
   signature file. First we need to stop the current p0f process by pressing CTRL-C in the console
   window in which it is running. You should see the following message printed on the console window if
   you successfully exited p0f:
   ^C+++ Exiting on signal 2 +++

7. P0f can provide us with the signature it detects via a console output message. To do this execute
   p0f with the following command:
   root@bt:~> p0f -i eth0 -S -A

8. Once p0f is running refresh the UAH webpage within Firefox by pressing the Reload icon or
   retyping the URL www.uah.edu and pressing Enter. Switch back to your console terminal to
   observe p0f's output. You should now see a new line in the console output called
   Signature. The signature should look something like this string: 65535:64:0:44:M1460:A.
   Record your signature here:

9. Once you have the signature recorded stop p0f by pressing CTRL-C.

10. Now we need to create a new ACK mode signature file. To do this we will use the nano text
    editor built into the BackTrack console. Create a new p0f signature file by executing the following
    command to open nano:
    root@bt:~> nano new_p0f.p0fa
    This will open the nano text editor shown in the following screenshot:

    Copy and paste your signature into this file or manually type it in. Append the following text to
    the end of your signature without the quotes: ":Linux 2.6.x:Apache Web Server". Your screen
    should look something like this screenshot:

    Press CTRL-O to write out your new file. Press Enter when prompted for the file name to write the
    file to. Now press CTRL-X to exit nano and return to your command prompt.

11. Your new ACK mode signature file should now be in your current directory and we can verify this by
    simply outputting it to the current console window with the following command:
    root@bt:~> cat new_p0f.p0fa
    Your output should look like the following screenshot:

12. Now we need to verify our signature by executing p0f with this signature file. We can do this by
    providing the -f option. Execute p0f within your console window with the following
    command:
    root@bt:~> p0f -f new_p0f.p0fa -A -i eth0

13. Once p0f is executing/running we need to switch back to our Firefox web browser and reload the
    www.uah.edu web page. Do this and record p0f's new output here for the UAH website:

14. This concludes the introduction to p0f. Exit and/or close all associated windows and
    programs such as Firefox, the console windows, and p0f before continuing on with this lab.
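
The signature string recorded above is p0f's wwww:ttt:D:ss:OOO:QQ notation (window size, initial TTL, don't-fragment bit, total SYN+ACK packet size, TCP options, quirks), and the new_p0f.p0fa file adds the OS and details fields after it. The Python below is an added example, not p0f's own code and not part of the lab sheet: it derives such a signature from constructed raw IPv4/TCP header bytes and matches it against the lab's one-line file with a simplified matcher (exact or "*" window match, TTL distance only, a subset of the quirks).

```python
# Added example (not p0f's code): build a p0f v2-style signature wwww:ttt:D:ss:OOO:QQ
# from raw IPv4+TCP SYN+ACK headers and match it against a signature:OS:Details file.
import struct


def parse_options(raw: bytes) -> str:
    """TCP options in p0f notation: N=NOP, E=EOL, Mnnn=MSS, Wn=window scale,
    S=SACK permitted, T/T0=timestamp (T0: zero value), ?k=unknown kind k."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL terminates the list
            out.append("E")
            break
        if kind == 1:                       # NOP carries no length byte
            out.append("N")
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2:                      # malformed option: stop parsing
            break
        data = raw[i + 2:i + length]
        if kind == 2:                       # MSS
            out.append(f"M{struct.unpack('!H', data)[0]}")
        elif kind == 3:                     # window scale
            out.append(f"W{data[0]}")
        elif kind == 8:                     # timestamp, T0 when its value is zero
            out.append("T0" if struct.unpack("!I", data[:4])[0] == 0 else "T")
        else:                               # 4 = SACK permitted, anything else unknown
            out.append("S" if kind == 4 else f"?{kind}")
        i += length
    return ",".join(out) or "."


def tcp_signature(packet: bytes) -> str:
    """Build 'window:ttl:df:total_len:options:quirks' from IPv4 + TCP headers."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", packet[2:6])
    df, ttl = (packet[6] >> 6) & 1, packet[8]         # don't-fragment bit, TTL
    tcp = packet[ihl:]
    ack_num = struct.unpack("!I", tcp[8:12])[0]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    # Subset of p0f quirks: Z = zero IP ID, A = non-zero ACK number; '.' = none.
    quirks = ("Z" if ip_id == 0 else "") + ("A" if ack_num else "")
    opts = parse_options(tcp[20:doff])
    return f"{window}:{ttl}:{df}:{total_len}:{opts}:{quirks or '.'}"


def load_signatures(text: str) -> list:
    """Parse 'wwww:ttt:D:ss:OOO:QQ:OS:Details' lines; '#' starts a comment."""
    db = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            w, t, d, s, o, q, os_name, details = line.split(":", 7)
            db.append((w, int(t), d, s, o, q, os_name, details))
    return db


def match(signature: str, db: list) -> str:
    """First entry whose fields equal the observed ones ('*' = any window); the
    observed TTL may sit below the initial TTL, the gap being the hop distance."""
    w, t, d, s, o, q = signature.split(":")
    for sw, st, sd, ss, so, sq, os_name, details in db:
        dist = st - int(t)
        if sw in ("*", w) and (sd, ss, so, sq) == (d, s, o, q) and 0 <= dist < 32:
            return f"{os_name} {details} (distance {dist})"
    return "UNKNOWN"


# Constructed SYN+ACK from a web server: IPv4 (total length 44, ID 0x1234, DF clear,
# TTL 58, placeholder addresses) + 24-byte TCP header (sport 80, SYN+ACK, window 65535, MSS 1460).
SAMPLE_SYNACK = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0x1234, 0, 58, 6, 0, b"\x0a\x00\x02\x14", b"\x0a\x00\x02\x0f")
    + struct.pack("!HHIIBBHHH", 80, 51234, 0x10000000, 0x20000001, 0x60, 0x12, 65535, 0, 0)
    + bytes([2, 4, 0x05, 0xB4])             # MSS 1460 option
)
# The lab's file: the recorded signature followed by ':Linux 2.6.x:Apache Web Server'.
LAB_SIGNATURE_FILE = "65535:64:0:44:M1460:A:Linux 2.6.x:Apache Web Server\n"
```

Running `match(tcp_signature(SAMPLE_SYNACK), load_signatures(LAB_SIGNATURE_FILE))` reports the Linux/Apache entry at a distance of six hops (initial TTL 64, observed 58).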

Introduction to NetworkMiner

1. NetworkMiner is located within your Windows XP virtual machine, so you will need to
   launch your Windows XP VM.

2. Extract the NetworkMiner zip file from this location: C:\MIS501\NetworkMiner-0.92.
   To extract the zip file within Windows XP double-click the NetworkMiner-0.92 zip
   file, which will open the zip file within Windows Explorer. Copy the entire folder out of
   Windows Explorer onto your Desktop. When prompted by Windows Explorer click the
   Yes button.

3. Open the new folder on your desktop and open NetworkMiner by double-clicking the
   purple icon with the pick axe image shown in the following screenshot:

4. The NetworkMiner GUI looks like the following screenshot:

   NetworkMiner is a network forensics tool jam-packed with a whole suite of features
   we won't be using in this lab, but I encourage you to explore them on your own time.

5. We are going to fingerprint www.uah.edu just like we did with both EtterCap and p0f
   earlier in this lab. To do this first select the first listed Network Adapter from the drop-down
   select box within the NetworkMiner GUI. The IP address for this interface should
   be something like 10.0.2.xxx.

6. Now click the Start button located next to the drop-down box to start your packet
   capture.

7. Open either Internet Explorer or Firefox and surf to the www.uah.edu web page.

8. Now return to your NetworkMiner GUI and find the host associated with
   www.uah.edu. Expand the additional information associated with this host by
   clicking on the + icon. Expand the OS information and record the related
   information here:

9. As you can see NetworkMiner uses common signatures found in EtterCap and also p0f
   for operating system fingerprinting. This means we can update our signatures just like
   we did with p0f in the previous section. We won't do this exercise for NetworkMiner, but if
   you're curious the signature files are located in the NetworkMiner directory titled
   Fingerprints and I would encourage you to perform this on your own, as it is an
   extremely powerful and useful capability.

10. Close and exit NetworkMiner as this concludes the introduction to NetworkMiner
    section of this lab.

Applying what you have learned with Passive OS Fingerprinting

1. In most scenarios there are multiple web servers for a domain running different
   operating systems and different web applications. In many cases we can discover these
   new hosts by simply surfing and/or browsing web links from the main domain name's
   web page or site. To put this information into practice we are going to discover 5 new
   hosts for the uah.edu domain name.

2. Using EtterCap while you are browsing and discovering new hosts fill out the following
   table. Remember you need at least five new hosts, but feel free to explore even more if
   you have time. One last hint to make this a little simpler: in most cases subdomains will
   be hosted on different web servers. An example subdomain for uah.edu would be
   example.uah.edu, where example is the subdomain name and uah is the main domain
   name. Mousing over links within your web browser will display the URL on the status
   bar located at the bottom of your web browser, which could speed up the process of
   selecting links that could lead you to new hosts.

   HostName or IP Discovered | EtterCap Port Information Reported | EtterCap OS Reported
   --------------------------|------------------------------------|---------------------
                             |                                    |
                             |                                    |
                             |                                    |
                             |                                    |
                             |                                    |

3. This concludes tonight's lab. Remember to close out of all applications and to power
   down your virtual machines before leaving.
