Published by Rosalyn Porter; modified over 9 years ago
Exercises
ARP
ICMP
DNS
HTTP/TCP
Trace analysis
ARP
Launch Wireshark
ipconfig /all ; see the local IP address and the gateway
route print ; find the gateway
arp -a ; list all MAC addresses learned
arp -d * ; delete all MAC addresses learned
ping www.polyu.edu.hk
What is the MAC address of the router?
Hints
If the default gateway/router's MAC address is not in the cache, the host will send an ARP request to ask for it.
The default gateway's IP address is pre-configured or learnt through the DHCP protocol.
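The exchange the hint describes, as an added example that is not part of the original slides: the host's ARP cache is empty (as after arp -d *), so the first ping triggers a broadcast ARP request for the gateway IP, the gateway answers with a unicast reply, and the reply's sender MAC is what arp -a lists afterwards and what the Wireshark capture shows as the router's MAC. All addresses are constructed sample values; the frame layout follows RFC 826.

```python
import struct

# Constructed sample addresses (not from the slides): a host and its default gateway.
HOST_MAC = bytes.fromhex("001122334455")
HOST_IP = "192.168.1.10"
GW_MAC = bytes.fromhex("aabbccddeeff")
GW_IP = "192.168.1.1"
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_to_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet laid out as in RFC 826."""
    # Requests go to the broadcast MAC; replies go straight back to the requester.
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + ETHERTYPE_ARP
    # HTYPE=1 (Ethernet), PTYPE=0x0800 (IPv4), HLEN=6, PLEN=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + ip_to_bytes(sender_ip) + target_mac + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return opcode and addresses of an ARP frame, or None for other EtherTypes."""
    if frame[12:14] != ETHERTYPE_ARP:
        return None
    _, _, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    p = 22
    sha, p = frame[p:p + hlen], p + hlen
    spa, p = frame[p:p + plen], p + plen
    tha, p = frame[p:p + hlen], p + hlen
    tpa = frame[p:p + plen]
    return {
        "opcode": opcode,
        "sender_mac": mac_to_str(sha),
        "sender_ip": ".".join(str(b) for b in spa),
        "target_mac": mac_to_str(tha),
        "target_ip": ".".join(str(b) for b in tpa),
    }


def gateway_reply(frame):
    """What the gateway does with a received frame: answer only ARP requests for its own IP."""
    req = parse_arp(frame)
    if req is None or req["opcode"] != ARP_REQUEST or req["target_ip"] != GW_IP:
        return None
    requester_mac = bytes.fromhex(req["sender_mac"].replace(":", ""))
    return build_arp(ARP_REPLY, GW_MAC, GW_IP, requester_mac, req["sender_ip"])


def resolve_gateway(cache):
    """Host side of 'arp -d *' followed by 'ping': with an empty cache, ask for the gateway MAC.

    Returns the gateway MAC and the parsed frames that went over the wire (an empty list
    when the cache already held the entry, which is what a second ping sees)."""
    if GW_IP in cache:
        return cache[GW_IP], []
    request = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP)
    parsed_reply = parse_arp(gateway_reply(request))
    # The learned entry is what 'arp -a' lists afterwards.
    cache[parsed_reply["sender_ip"]] = parsed_reply["sender_mac"]
    return cache[GW_IP], [parse_arp(request), parsed_reply]


if __name__ == "__main__":
    cache = {}
    mac, frames = resolve_gateway(cache)
    for f in frames:
        print("request" if f["opcode"] == ARP_REQUEST else "reply", f)
    print("router MAC:", mac)
```

In a real capture the request's target MAC field is all zeros and the Ethernet destination is ff:ff:ff:ff:ff:ff, exactly as build_arp produces; the reply is the one frame whose sender IP equals the gateway address from ipconfig /all.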
ICMP
ping www.polyu.edu.hk
  – http://www.networksorcery.com/enp/protocol/icmp.htm
  – What is the value of 'Type' in the outgoing ICMP packet?
  – What is the value of 'Type' in the incoming ICMP packet?
  – Take a look at the data section in the incoming ICMP packet.
tracert www.polyu.edu.hk
  – What are the answers to the above two questions?
Hints
Ping
  – Send: ICMP Echo Request
  – Receive: ICMP Echo Reply
Traceroute
  – Send: any kind of IP packet with a special TTL; it would be an ICMP packet if we need the reply from the destination
  – Receive: ICMP Time Exceeded
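The packets behind both hints, as an added example that is not part of the original slides: ping produces an Echo Request (type 8) and gets back an Echo Reply (type 0) carrying the same data section, while the first tracert probe is an Echo Request with TTL 1 that the first router answers with Time Exceeded (type 11), quoting the original IP header so the sender can tell which probe expired. The addresses are constructed sample values and checksums are left at zero because nothing here is sent on a wire.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11
TYPE_NAMES = {0: "Echo Reply", 8: "Echo Request", 11: "Time Exceeded"}

# Constructed addresses (not from the slides): pinging host, first-hop router, destination.
HOST, ROUTER, TARGET = "192.168.1.10", "192.168.1.1", "203.0.113.5"
PAYLOAD = b"abcdefgh"  # the data section; the reply echoes it back unchanged


def ipv4_header(src, dst, ttl, payload_len, proto=1):
    """Minimal 20-byte IPv4 header; checksum left at 0 since this is parsed offline only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def icmp_message(type_, code, body):
    return struct.pack("!BBH", type_, code, 0) + body  # checksum also left at 0


def parse(packet):
    """Parse IPv4+ICMP; for Time Exceeded also read the quoted original datagram."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    if proto != 1:
        return {"src": src, "dst": dst, "ttl": ttl, "proto": proto}
    type_, code, _ = struct.unpack("!BBH", packet[ihl:ihl + 4])
    info = {"src": src, "dst": dst, "ttl": ttl, "type": type_,
            "name": TYPE_NAMES.get(type_, "other"), "code": code}
    if type_ in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["data"] = packet[ihl + 8:]  # after the identifier and sequence number
    if type_ == ICMP_TIME_EXCEEDED:
        # RFC 792: 4 unused bytes, then the original IP header + first 8 bytes of its payload
        quoted = packet[ihl + 8:]
        info["orig_dst"] = ".".join(str(b) for b in quoted[16:20])
        info["orig_proto"] = quoted[9]
    return info


def ping_packets():
    """The two packets 'ping' produces: outgoing type 8, incoming type 0 with the same data."""
    body = struct.pack("!HH", 1, 1) + PAYLOAD  # identifier, sequence number, data
    request = ipv4_header(HOST, TARGET, 128, 4 + len(body)) + icmp_message(ICMP_ECHO_REQUEST, 0, body)
    reply = ipv4_header(TARGET, HOST, 64, 4 + len(body)) + icmp_message(ICMP_ECHO_REPLY, 0, body)
    return parse(request), parse(reply)


def traceroute_first_hop():
    """Windows tracert sends an Echo Request with TTL=1; the first router answers Time Exceeded."""
    body = struct.pack("!HH", 1, 1) + PAYLOAD
    probe = ipv4_header(HOST, TARGET, 1, 4 + len(body)) + icmp_message(ICMP_ECHO_REQUEST, 0, body)
    # The router drops the probe when the TTL reaches 0 and quotes its IP header + 8 bytes back.
    quoted = probe[:20 + 8]
    exceeded_body = b"\x00" * 4 + quoted
    exceeded = ipv4_header(ROUTER, HOST, 64, 4 + len(exceeded_body)) + \
        icmp_message(ICMP_TIME_EXCEEDED, 0, exceeded_body)
    return parse(probe), parse(exceeded)


if __name__ == "__main__":
    for p in ping_packets() + traceroute_first_hop():
        print(p)
```

The quoted header inside the Time Exceeded message is why Wireshark can show the original destination under a router's reply; the same parsing applies to the Time Exceeded messages every later hop returns as tracert raises the TTL one step at a time.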
DNS
nslookup www.polyu.edu.hk
Take a look at the DNS query and response packets
nslookup
  – set type=PTR
  – 158.132.19.132
Take a look at the DNS query and response packets
Hints
set type=A (default setting)
  – Normal DNS lookup: get the IP address from a host name
set type=PTR
  – Reverse DNS lookup: get the host name from its IP address
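What the two nslookup runs put on the wire, as an added example that is not part of the original slides: a type A query for www.polyu.edu.hk and, for set type=PTR, a query for the reversed address under in-addr.arpa (158.132.19.132 becomes 132.19.132.158.in-addr.arpa), each followed by a response that answers it. The message layout follows RFC 1035; the answer data (192.0.2.10 for the A record, host.example for the PTR record) are constructed sample values, not real lookup results.

```python
import struct

QTYPE = {"A": 1, "PTR": 12}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
CLASS_IN = 1


def ptr_name(ip):
    """Name nslookup really queries for 'set type=PTR': octets reversed under in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, pointer)[0])
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype, txid=0x1234):
    """Standard query: ID, flags with RD=1 (0x0100), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)


def build_response(query, rdata):
    """Answer the query with one record of the queried type (dotted IP for A, host name for PTR)."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    rd = bytes(int(o) for o in rdata.split(".")) if qtype == QTYPE["A"] else encode_name(rdata)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    # The answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, qclass, 300, len(rd)) + rd
    return header + query[12:off + 4] + answer


def parse_message(msg):
    """Summarise a query or response the way the Wireshark DNS dissector does."""
    txid, flags, _, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # skip QTYPE and QCLASS
    out = {"id": txid, "response": bool(flags & 0x8000), "qname": qname,
           "qtype": QTYPE_NAME.get(qtype, qtype), "answers": []}
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_off = off + 10
        off = rdata_off + rdlen
        if rtype == QTYPE["A"]:
            out["answers"].append(".".join(str(b) for b in msg[rdata_off:off]))
        elif rtype == QTYPE["PTR"]:
            out["answers"].append(decode_name(msg, rdata_off)[0])
    return out


if __name__ == "__main__":
    q = build_query("www.polyu.edu.hk", "A")
    print(parse_message(q)); print(parse_message(build_response(q, "192.0.2.10")))
    q = build_query(ptr_name("158.132.19.132"), "PTR")
    print(parse_message(q)); print(parse_message(build_response(q, "host.example")))
```

The response reuses the query's transaction ID and repeats the question, which is how Wireshark pairs the two packets; the only things that change between the A and PTR runs are the query name and the type field in the question.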
HTTP/TCP
Use a browser to visit www.polyu.edu.hk
Take a look at
  – TCP's three-way handshake
  – the sequence numbers in packets from the server and the acknowledgement numbers in packets from the client
  – the HTTP header in the packet from the client
  – the HTTP headers in the packets from the server
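The sequence/acknowledgement bookkeeping this exercise asks you to observe, as an added example that is not part of the original slides: the model builds the three-way handshake and one HTTP request/response, shows that each acknowledgement number equals the peer's sequence number plus the bytes it sent (plus one for a SYN), and converts to the relative numbers Wireshark displays by default. Initial sequence numbers and the HTTP messages are constructed sample values.

```python
def segment(src, dst, seq, ack, payload=b"", syn=False, fin=False):
    """A TCP segment reduced to the fields that matter for sequence/ack bookkeeping."""
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "payload": payload, "syn": syn, "fin": fin}


def next_ack(seg):
    """Ack number the receiver of seg should send next: seq + payload length, +1 for SYN or FIN."""
    return seg["seq"] + len(seg["payload"]) + int(seg["syn"]) + int(seg["fin"])


def handshake_and_request(client_isn, server_isn, request, response):
    """Three-way handshake followed by one HTTP request/response, as a browser visit produces."""
    syn = segment("client", "server", client_isn, 0, syn=True)
    synack = segment("server", "client", server_isn, next_ack(syn), syn=True)
    ack = segment("client", "server", next_ack(syn), next_ack(synack))
    req = segment("client", "server", ack["seq"], ack["ack"], payload=request)
    resp = segment("server", "client", next_ack(synack), next_ack(req), payload=response)
    final_ack = segment("client", "server", next_ack(req), next_ack(resp))
    return [syn, synack, ack, req, resp, final_ack]


def relative(segments):
    """Wireshark's default view: sequence and ack numbers relative to each side's ISN."""
    isn = {"client": segments[0]["seq"], "server": segments[1]["seq"]}
    out = []
    for s in segments:
        rel_ack = s["ack"] - isn[s["dst"]] if s["ack"] else 0  # a bare SYN carries no ack
        out.append(dict(s, seq=s["seq"] - isn[s["src"]], ack=rel_ack))
    return out


def verify_acks(segments):
    """Indices of segments whose ack does not match the last segment seen from the peer.

    Simplified check for this one-request exchange: real stacks may ack several segments at once."""
    last_from = {}
    bad = []
    for i, s in enumerate(segments):
        peer_last = last_from.get(s["dst"])
        if peer_last is not None and s["ack"] != next_ack(peer_last):
            bad.append(i)
        last_from[s["src"]] = s
    return bad


if __name__ == "__main__":
    # Constructed sample messages and ISNs.
    req = b"GET / HTTP/1.1\r\nHost: www.polyu.edu.hk\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    for absolute, rel in zip(handshake_and_request(1000, 5000, req, resp),
                             relative(handshake_and_request(1000, 5000, req, resp))):
        print(f"{absolute['src']:>6} -> {absolute['dst']:<6} seq={absolute['seq']} ack={absolute['ack']}"
              f"  (relative seq={rel['seq']} ack={rel['ack']})")
```

In the capture, the client's ACK that completes the handshake and its first data segment carry the same sequence number, and the server's response acknowledges exactly one byte past the end of the request; verify_acks flags any segment where that relation does not hold.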
Trace analysis
Real trace from a VoIP hacking demo
Analyze the trace using Wireshark and answer the following questions
  – Which 4 protocols are involved in the pcap?
  – Which codec does the RTP stream use?
  – How did the attacker gain access to the server?
  – Where is the hacked server? Tips: look into the payload
Hints
4 protocols: HTTP, RTP, RTCP, SIP
RTP uses G.711 PCMU coding
  – Hear it: Telephony -> RTP -> Stream analysis
Default user name/password
  – Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
The city is DISTRITO FEDERAL, MEXICO
  – Public IP: 132.248.255.82 in an HTTP response
  – Follow HTTP connections; look into the HTTP responses
  – Use geolocation websites to locate the city
Useful links
Protocols
  – http://www.networksorcery.com/enp/default1101.htm
Wireshark
  – http://www.wireshark.org/download/docs/user-guide-a4.pdf
TCPDump
  – http://www.tcpdump.org/tcpdump_man.html