ITSC200-Midterm
===
## Title Page

## Table of Content
[TOC]
## Logical Topology

## Asset List
| MAC | Vendor | OS | IP | Hostname | Port (T=TCP, U=UDP) | Service |
| ----------------- | -------- | -------------- | ------------- | -------------- | --------------------------------------- | ------------------------------------------------ |
| 98:fa:9b:7d:3b:c0 | LCFCHeFe | Windows 10 | 192.168.1.72 | SADT225571 | T:2869,U:137,5353 | UPnP:2869/tcp NetBios:137/udp mDNS:5353/udp |
| b8:3a:9d:7e:1a:7a | Alarmcom | | 192.168.1.68 | | T:554 | RTSP:554/tcp |
| 88:3d:24:1e:31:d2 | Google | | 192.168.1.67 | Chromecast | T:8008,8009,8443,9000,10001,U:5353,8008 | ApacheJserv:8009/tcp mDNS:5353/udp UPnP:8008/udp |
| 3c:31:78:3b:7e:87 | Qolsys | | 192.168.1.66 | Android-2 | T:9200 | |
| b8:3a:9d:7e:19:16 | Alarmcom | | 192.168.1.65 | | T:554 | RTSP:554/tcp |
| 9c:1e:95:23:2a:70 | Actionte | | 192.168.1.254 | | T:80,443,5431,9878,U:53,547,1900 | DNS:53/udp DHCPv6:547/udp SSDP:1900/udp |
| 00:0f:3d:50:a5:08 | D-Link | | 192.168.0.1 | | | |
| b8:d7:af:03:68:9a | MurataMa | | 192.168.1.70 | | | |
| b8:8a:ec:7c:a8:5e | Nintendo | FreeBSD | 192.168.1.71 | | | |
| 08:00:27:ef:54:3d | PcsCompu | Ubuntu? | 192.168.1.73 | hackbuntu | U:5353 | mDNS:5353/udp |
| 08:00:27:22:46:4f | PcsCompu | Linux? | 192.168.1.75 | | | |
| 08:00:27:9a:f1:10 | PcsCompu | metasploitable | 192.168.1.76 | METASPLOITABLE | U:137,138 | NetBios:137/udp SMB:138/udp |
## Wireshark Filters

Firstly, watch the endpoint list on IPv4, which gives an idea of how many addresses are in the network.
The endpoints list shows the network is a private network consisting of class C addresses.

Apply the filter `ip.addr == 192.168.0.0/16` to limit the view to hosts inside the local network.
Using this with the endpoints view gives the MAC address list of the LAN.

Since there is a scan happening in the network, it can be used to identify open TCP ports.
Filtering only `tcp.flags == 0x12` retrieves the SYN,ACK replies of the TCP 3-way handshake,
which imply the port is open and can be connected to by other hosts.

Combined with the information from the endpoints list, `192.168.1.75` has the most packets transmitted.
Compared with the actual size of the traffic, this shows `192.168.1.75` is performing a scan.
Filtering other hosts out of the SYN,ACK TCP packets gives a complete list of the ports that are open.

Going further with UDP traffic: unfortunately no DHCP traffic can be found,
but there is another service called MS-BROWSER, which gives the hostname of the machine.

By narrowing the scope to SMB, two machines can be seen with their hostnames: `SADT225571` and `METASPLOITABLE`.

Also dug out some mDNS traffic. It contains an Ubuntu host called `hackbuntu`, which may imply the machine has been configured by the script at: https://github.com/TheCrysp/Hackbuntu

---

Found some SSDP traffic and followed the UDP stream a little, but can't really figure out what it is.

There is also a strange AJP13 protocol flowing between the Chromecast and the Windows machine.
Can't recognize what it does.

---

Two mDNS packets reveal the hostnames of Chromecast and Android-2.
This also implies that both hosts have their 5353/udp port available to be probed.

Tried to find traces of `192.168.0.1`. Only found the Windows machine trying to connect to it,
but failing to reach the port.

And Nintendo has no traffic except being scanned by kali.

The `hackbuntu` has some HTTP traffic with ubuntu.com, but nothing interesting happened.
## Protocol Communications
**ARP**

Simply apply the filter `arp` to retrieve all ARP traffic.
But since there is a scan happening, a lot of host-discovery ARP traffic gets captured,
so some useless traffic needs to be filtered out.

---

The ARP response packets have the opcode set to 2; just drag & drop this field to apply it as a filter (`arp.opcode == 2`).

And boom, there is a list containing all valid ARP responses.

And the filter works with the endpoints list, which gives a cleaner host list of the LAN.

**Port Scan**

`192.168.1.75` is the scanner. Why? Because in the endpoints view it has 7800 packets tx but only transmits 580k of data. This is the signature of scanning.
And after focusing on it by filtering only its IP address, the capture lists a lot of different TCP SYN packets at the same time,
which is a clear sign of port scanning.

Applying `tcp.flags == 0x12` shows only the SYN,ACK packets responded by the remote host,
which is the second step of the TCP 3-way handshake. It means the port is open and ready to be connected to.

---

Following the TCP flow further shows the entire TCP stream,
which consists of `SYN -> SYN,ACK -> ACK -> RST,ACK`.
This is different from the default SYN scan, which consists of `SYN -> SYN,ACK -> RST,ACK`,
and can be identified as a TCP connect scan (-sT).
It might mean the scanner used `nmap -sT` to scan the network.
Here is the documentation for the -sT scan: https://nmap.org/book/scan-methods-connect-scan.html
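To make the Port Scan reasoning above concrete, here is an added Python example (not part of the original write-up) that applies the same three checks to a packet list: the `tcp.flags == 0x12` test for open ports, the flag-sequence test that separates a connect scan from a SYN scan, and the "many SYNs, little data" heuristic for picking out the scanner. The packets, hosts and ports are constructed sample data, not the real capture.

```python
from collections import defaultdict

# TCP flag bits as Wireshark shows them in tcp.flags; 0x12 is the SYN,ACK filter used above.
SYN, RST, ACK = 0x02, 0x04, 0x10
SYN_ACK = SYN | ACK

# Constructed sample capture, not the real pcap: (src, sport, dst, dport, tcp.flags).
PACKETS = [
    ("192.168.1.75", 40001, "192.168.1.76", 139, SYN),        # connect scan stream:
    ("192.168.1.76", 139, "192.168.1.75", 40001, SYN_ACK),    # SYN -> SYN,ACK -> ACK -> RST,ACK
    ("192.168.1.75", 40001, "192.168.1.76", 139, ACK),
    ("192.168.1.75", 40001, "192.168.1.76", 139, RST | ACK),
    ("192.168.1.75", 40002, "192.168.1.72", 2869, SYN),       # half-open scan stream:
    ("192.168.1.72", 2869, "192.168.1.75", 40002, SYN_ACK),   # reset before the handshake
    ("192.168.1.75", 40002, "192.168.1.72", 2869, RST),       # completes
    ("192.168.1.75", 40003, "192.168.1.76", 22, SYN),         # closed port: target answers
    ("192.168.1.76", 22, "192.168.1.75", 40003, RST | ACK),   # RST,ACK, never SYN,ACK
    ("192.168.1.73", 50000, "203.0.113.10", 80, SYN),         # ordinary traffic, other host
]

def open_ports(packets):
    """Same result as filtering tcp.flags == 0x12: only an open port answers SYN with SYN,ACK."""
    return sorted({(s, sp) for s, sp, _, _, f in packets if f == SYN_ACK})

def classify_streams(packets):
    """Label each stream by the initiator's flag sequence, as 'Follow TCP Stream' shows it."""
    streams = defaultdict(list)
    for pkt in packets:  # direction-independent key groups both halves of a conversation
        streams[tuple(sorted([pkt[0:2], pkt[2:4]]))].append(pkt)
    labels = {}
    for pkts in streams.values():
        src, _, dst, dport, _ = pkts[0]  # first packet is the initiator's SYN
        client = [f for s, _, _, _, f in pkts if s == src]
        if not any(f == SYN_ACK for *_, f in pkts):
            label = "no SYN,ACK (closed or filtered)"
        elif ACK in client:  # a bare ACK from the initiator completed the 3-way handshake
            label = "connect scan (-sT)"
        else:  # SYN,ACK answered but torn down (RST) without the completing ACK
            label = "SYN scan (-sS)"
        labels[(src, dst, dport)] = label
    return labels

def likely_scanner(packets):
    """Host whose SYNs reach the most distinct (target, port) pairs: many packets, little data."""
    targets = defaultdict(set)
    for src, _, dst, dport, f in packets:
        if f == SYN:
            targets[src].add((dst, dport))
    return max(targets, key=lambda h: len(targets[h]))
```

The same grouping can be run over a real capture by exporting the TCP packets from Wireshark and feeding the five fields into `PACKETS`.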