W32M00 Pre-Course Materials

Free introductory materials. Lab setup and initial instructions inside - free access, no login necessary (just click the link above)!

Inside:

  1. The Lab 

  2. Packet capture

  3. Packet analysis

  4. Kali Linux tools

1. The Lab

The laboratory of this course has the following virtual machines:

  • Kali Linux 2017.1

  • Debian 7 Server

  • Windows 10

Our aim in this lab is to show, as closely as possible, the real-world situations that occur day by day in network connections, using forensic analysis to separate normal packets from malicious ones.

The virtual lab’s network uses a VirtualBox solution. The network has a DHCP server that assigns an IP address to each machine (this IP may change when you start the machines in your lessons).

The machines’ IP addresses in my lab:

  • Kali Linux: 192.168.56.102

  • Debian Server: 192.168.56.103

  • Windows 10: 192.168.56.104

  • Remember that it is normal for an IP address to change when you boot up the machine in your VirtualBox copy. I do not use a static IP.

The network ping test is positive. In other words, it’s possible to capture packets to and from all destinations represented in the figure above.

The Windows 10 virtual machine is a Microsoft-provided virtual machine that is prepared to revert to its previous configuration. So, I recommend that you do not turn off the machine; just save the state of the machine. This procedure can also be used for the Kali and Debian Server machines.

The virtual machines of the lab have the same network configuration: a NAT and a host-only adapter. So, the experiments proposed in the lessons stay within an isolated network segment. Please, do not change this configuration.

2. Packet capture

In this course, we use packet captures (cap, pcap) recorded by specialists and shared in trusted repositories. We will also capture our own packets using Kali tools. This means that we will capture the network traffic of the Windows and Debian Server machines.

Therefore, as mentioned above, since the virtual machines have NAT and host-only network adapters, our captures will be made on eth0 and eth1 of the virtual network. In this course, we won’t capture Wi-Fi packets, but we will analyze Wi-Fi packets.

Packet analysis includes some fundamental questions:

  • How to identify malicious activity in the network traffic?

  • How to identify the attack behavior in the packet?

  • How to verify protocol integrity?

  • Is the sequence of bytes fragmented?

It isn’t easy to answer these questions without basic training. This course will provide you with this basic training in packet analysis. To capture packets in the lab, given that the machines can ping each other, we have some functional tools in Kali Linux, for example netsniff-ng. The command reference and usage example are shown below:

On the Kali machine, you must create a folder, named for example packet, to save all captured packets. If the packets are captured on eth1, the command is:

netsniff-ng --in eth1 --out /root/packet/ -s -m --interval 100MiB -b 0

The command above captures on eth1 and starts a new capture file every 100 MiB (--interval 100MiB), running in silent mode (-s, captured packets are not printed) with mmap file I/O (-m), bound to CPU 0 (-b 0), and saves the files in the folder named “packet” in root’s home directory.

3. Packet analysis

In the example below, I captured packets on my own network (eth0). The total capture time is less than two minutes, and in the meantime I visited the Offensive Security and Hakin9 sites.

The captured file can be opened in Wireshark.

Opening the captured file in Wireshark, we are faced with a lot of information: the protocol, the packet size, the time to live (TTL) of the packet, the request route, the TCP handshake and so on.

In this course, we are interested in some Wireshark functions: following a TCP stream (or another protocol’s stream) and the Expert Info. To follow a specific protocol stream, just right-click a packet (on its destination or source IP) and choose “Follow”; the same option is found in the Analyze menu.

Malicious packets are highlighted with a yellow warning color and show some information about the protocol. In the example below, we see a dns-remoteshell attack (this capture can be downloaded from the Wireshark wiki):

DNS exploitation uses a classical approach, zone transfer, that manipulates the sequence of frame segments. In other words, by changing the sequence order in the frame, the zone transfer can redirect a host to a malicious domain.

Following the TCP stream of the suspicious dns-remoteshell capture, we can see (figure below) the directory structure of drive C requested by the malicious packet.

You can navigate between streams just by changing the stream number:

4. Kali Linux tools

Kali Linux has a plethora of tools. Network tools are located in the “Sniffing & Spoofing” section of the menu.

In this course, we will talk about defensive strategies. So, once we have an attack scenario against the Debian Server or Windows 10, I will introduce the defensive strategy in the lab.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023