GT ECE 4110 - Lab 4: Network Traffic Analyzers and Other Tools

This preview shows page 1-2-3 out of 10 pages.

ECE 4110 Internetwork Programming
Lab 4: Network Traffic Analyzers and Other Tools
Group Number: ________
Member Names: _________________________ _________________________
Date Due: Tuesday Feb. 14, 2006
Last Edited: 2/1/2006

Lab Goals
- Understand network analysis and scanning tools: ping, ethereal, and nmap
- Understand network vulnerabilities in FTP and TELNET
- Understand MAC address, IP address, and TCP spoofing techniques

Section I: Ping vs. Ethereal
Do a ping from your machine to 57.35.6.245. Use ethereal to collect approximately 5 to 10 ping packets.
Q1.1 What is the total length of each IP packet?
Q1.2 What type of protocol do you see inside the protocol field of each packet?
Q1.3 List two additional types of messages which also use the same protocol as ping. (Don't ask the TA for the answer.)
Q1.4 How much data is inside each of these protocol packets?
Q1.5 How long does it take for the echo reply to come back according to ethereal?
Q1.6 How long does it take for the echo reply to come back according to the statistics you see on your Linux machine? (Note: you can see these statistics on the screen after you use <CTRL+C> to stop the ping process.)
Q1.7 Are ethereal and ping the same in terms of accuracy? Explain.

Section II: Network Vulnerabilities
a) Use ethereal to watch an ftp session from your machine to 'gatechftp', which has IP address 57.35.6.245. From your PC type $ftp 57.35.6.245 <ENTER> and use linux_class as the user and linux_class as the password. Then type $quit <ENTER> to terminate the session.
Q2.1 Can you see your password in the TCP data on the analyzer?
b) Now repeat the process but use ssh. Type $ssh -l linux_class 57.35.6.245 <ENTER> (note: it is a lower-case 'L', not the number 1). You might get a prompt asking if you want to continue or not; type "yes" here. Enter linux_class as the password. Then type $exit <ENTER> to terminate the session.
Q2.2 Can you see your password using secure shell login? This is the advantage of ssh and why soon you will no longer be able to use ftp in most companies.
Optional: For more info on ssh take a look at: http://www.ssh.com/tech/whitepapers/SSH_Secure_Shell.pdf
c) Now repeat the process using telnet. From your PC type $telnet 57.35.6.245 <ENTER> and use linux_class as the user and linux_class as the password. Then type $exit <ENTER> to terminate the connection.
Q2.3 Do you see the individual characters of your password in the TCP packets? (Hint: Expand the field labeled 'Telnet' in the lower window and look at successive packets sent from your machine to 'gatechftp'.)

Section III: Network Scanning
Type $man nmap <ENTER> and read the man page.
Type $nmap -h <ENTER> and look at the result.
Q3.1 Explain what nmap would do if you were to type $nmap -v 57.35.6.245 <ENTER> and ran the default scan. (Hint: look at the $nmap -h <ENTER> output.)
Q3.2 What ports are open on 57.35.6.245? (Hint: run $nmap -v 57.35.6.245 <ENTER>.)
In a second window start ethereal (maybe not in promiscuous mode, so you do not see your neighbor's traffic) and start packet collection. Type $nmap -v 57.35.6.245 <ENTER> again. Stop ethereal packet collection. Look at the output of ethereal.
Q3.3 Explain in general what you see in terms of what types of packets your machine is sending to 57.35.6.245.
Type $nmap -v 127.0.0.1 <ENTER>
Q3.4 What ports are open on your own machine?
Type $nmap -O 57.35.6.245 <ENTER> (that is a capital O, not a zero).
Q3.5 Is nmap up to date enough/capable enough to know what operating system we are running on 'gatechftp'?
Q3.6 Can nmap determine exactly which kernel version is being run on 'gatechftp'? Answer yes or no. (As an afterthought, try this on your own machine: $nmap -O 127.0.0.1 <ENTER>.)
Type $nmap -sT 57.35.6.245 <ENTER>. This is another type of scan.
Q3.7 What ports does this scan find open? Why are they different from, or the same as, before (i.e., the default scan run with root privileges)? Explain.
There is a machine on the same subnet as 'gatechftp' running a web server. Use $nmap -sT 57.35.6.245-254 <ENTER> to find out the IP of that machine.
Q3.8 What port indicates that there is a web server running?
Go to the web browser (the icon next to the Red Hat icon) and type the IP you just found in the address bar.
Q3.9 What web server did you find?
Aside: Nmap frontend (invoked in a terminal by typing $nmapfe <ENTER>) is a graphical interface that we did not use in the lab, but it works the same way in general.

Section IV: MAC Address Spoofing
The MAC address for a network interface is assigned by the hardware manufacturer at the time of manufacture. Addresses are therefore completely independent of the network to which they are attached, and they can be spoofed with relative ease. This spoofing has the potential to undermine common security measures. OIT, for example, uses MAC addresses on ResNet and on LAWN to tie network traffic to particular students (students tell OIT their MAC address when they register on ResNet or log into LAWN). By forging another student's MAC address, OIT could be led to believe that your malicious activity was actually that of another student. As another example, many wireless routers only allow access from a white list of MAC addresses, so that only certain computers can access the wireless network. You may want to use ethereal and initiate some network traffic to "see" the new MAC address being used.

Exercise: Linux MAC Cloning
Inspect the current MAC and IP address:
1. Type the command ifconfig eth0
2. Record your results (either as a screen shot or as a text file; you will need to turn it in).
3. Type the command ifconfig eth0 down, or use the Linux command ifdown eth0
4. Type the command ifconfig eth0 hw ether 00:30:65:24:21:30 (or an Ethernet address you create)
5. Type the command ifconfig eth0 up
6. Type ifconfig eth0 again and record your results.

We will now use the tcpkill application, which is installed along with dsniff. Copy the files dsniff-2.3.tar.gz, libnet-1.0.2a.tar.gz, and libnids-1.20.tar.gz from the Network Attached Storage to VM1. tcpkill monitors the network for TCP applications and will spoof RST messages to terminate open connections. As we do not want to completely destroy TCP connectivity for everyone on our network, disconnect the Ethernet cable from the back of your computer. Install tcpkill by typing
Reconnect the Ethernet cable in the back of your computer. You're done.
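Section II asks what a passive observer on the wire recovers from the FTP, telnet and SSH logins. The following is an added example, not part of the lab handout: it reassembles the client-to-server payloads from a constructed capture (ports and per-keystroke telnet segments modelled on what ethereal shows; the SSH bytes after the banner are a made-up stand-in for the encrypted stream) and reports what each protocol exposes.

```python
"""Added example (not part of the lab handout): reassemble client-to-server
TCP payloads per service from a constructed capture and report what a passive
observer recovers from the FTP, telnet and SSH logins in Section II."""
import re
from collections import defaultdict

IAC = 0xFF  # telnet option-negotiation escape byte

# Constructed capture, in capture order: (server port, client->server payload).
# A telnet client sends one keystroke per segment, which is why the lab hint
# says to look at successive packets to find the individual characters.
CAPTURE = (
    [(21, b"USER linux_class\r\n"), (21, b"PASS linux_class\r\n"), (21, b"QUIT\r\n")]
    + [(23, bytes([IAC, 0xFD, 0x01]))]                  # telnet "DO ECHO" negotiation
    + [(23, bytes([c])) for c in b"linux_class\r\n"]    # username, one byte per segment
    + [(23, bytes([c])) for c in b"linux_class\r\n"]    # password, one byte per segment
    + [(22, b"SSH-2.0-OpenSSH_3.9p1\r\n")]               # the SSH banner is the only cleartext
    + [(22, bytes(range(0, 256, 3)))]                    # made-up stand-in for the encrypted transport
)

def reassemble(capture):
    """Concatenate client payloads per server port, in capture order."""
    streams = defaultdict(bytes)
    for port, payload in capture:
        streams[port] += payload
    return dict(streams)

def strip_telnet_iac(data):
    """Drop IAC <WILL|WONT|DO|DONT> <option> triples so only keystrokes remain."""
    return re.sub(rb"\xff[\xfb-\xfe].", b"", data, flags=re.S)

def recover_credentials(capture, typed_password=b"linux_class"):
    """Return per-protocol findings; SSH yields only its version banner."""
    streams, found = reassemble(capture), {}
    if 21 in streams:  # FTP sends USER and PASS as plain command lines
        m = re.search(rb"USER (\S+)\r\n.*?PASS (\S+)\r\n", streams[21], re.S)
        if m:
            found["ftp"] = (m.group(1).decode(), m.group(2).decode())
    if 23 in streams:  # telnet: rejoin keystrokes; first two lines are login and password
        lines = strip_telnet_iac(streams[23]).split(b"\r\n")
        found["telnet"] = tuple(line.decode() for line in lines[:2])
    if 22 in streams:  # SSH: does the typed password appear anywhere after the banner?
        banner, _, rest = streams[22].partition(b"\r\n")
        found["ssh"] = {"banner": banner.decode(), "password_visible": typed_password in rest}
    return found

if __name__ == "__main__":
    print(recover_credentials(CAPTURE))
```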
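Section III has you capture the packets nmap sends to 57.35.6.245. As an added example (not from the lab), the code below models the flag sequence of a half-open SYN probe, which is what nmap's default scan sends when run as root, and of a full connect() probe (what -sT performs), then runs a simple per-source detector over the constructed traffic. The scanner address 57.35.6.1, the set of open ports and the detection threshold are assumptions.

```python
"""Added example (not from the lab): a per-source port-scan detector run over
constructed packet summaries. syn_scan_probe() models nmap's default (root)
half-open probe; connect_scan_probe() models the full handshake of -sT."""
from collections import defaultdict

SCANNER, TARGET = "57.35.6.1", "57.35.6.245"  # assumed scanner; the lab's target host
OPEN_PORTS = {21, 22, 23, 80}                  # constructed set of listening services

def syn_scan_probe(port, is_open):
    """SYN out; SYN/ACK (open) or RST/ACK (closed) back; scanner answers RST, never ACK."""
    pkts = [(SCANNER, TARGET, port, "S"), (TARGET, SCANNER, port, "SA" if is_open else "RA")]
    if is_open:
        pkts.append((SCANNER, TARGET, port, "R"))
    return pkts

def connect_scan_probe(port, is_open):
    """Full connect(): SYN, SYN/ACK, ACK, then the scanner closes with RST."""
    pkts = [(SCANNER, TARGET, port, "S")]
    if is_open:
        pkts += [(TARGET, SCANNER, port, "SA"), (SCANNER, TARGET, port, "A"),
                 (SCANNER, TARGET, port, "R")]
    else:
        pkts.append((TARGET, SCANNER, port, "RA"))
    return pkts

def classify(packets, min_ports=10):
    """For each source that SYN-probes at least min_ports distinct ports, report
    how many ports answered SYN/ACK and how many of those were then ACKed."""
    probed, synacked, completed = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, port, flags in packets:
        if flags == "S":
            probed[src].add(port)
        elif flags == "SA":
            synacked[dst].add(port)          # dst is the scanner here
        elif flags == "A" and port in synacked[src]:
            completed[src].add(port)
    report = {}
    for src, ports in probed.items():
        if len(ports) < min_ports:
            continue
        n_open, n_done = len(synacked[src]), len(completed[src])
        if n_open == 0:
            kind = "scan, open ports unknown"
        elif n_done == n_open:
            kind = "connect scan (handshakes completed; the services see the connection)"
        else:
            kind = "SYN scan (half-open; only the TCP stack sees the probe)"
        report[src] = {"ports_probed": len(ports), "open": n_open, "completed": n_done, "kind": kind}
    return report

def sample(probe):
    """Build a constructed scan of ports 1-100 with the given probe model."""
    return [p for port in range(1, 101) for p in probe(port, port in OPEN_PORTS)]
```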
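The Section IV text says MAC spoofing undermines attribution that relies on MAC addresses; the flip side is that an operator can notice it. The following is an added example, not from the lab: a watcher over constructed frame observations (source MAC, source IP) that flags an IP whose MAC changes, as happens at step 4 of the exercise, and a MAC that is suddenly the source for two IPs. Only 00:30:65:24:21:30 comes from the exercise; the other addresses are made up.

```python
"""Added example (not from the lab): learn IP/MAC bindings from frames seen on
the LAN and flag the changes that MAC cloning produces. Observations are
constructed: (time, source MAC, source IP). Only 00:30:65:24:21:30 is from
the exercise; the other addresses are made up."""
from collections import defaultdict

OBSERVED = [
    (1, "00:0C:29:11:22:33", "57.35.6.17"),  # our VM before the exercise (made-up MAC/IP)
    (2, "00:30:65:24:21:30", "57.35.6.40"),  # a host that legitimately uses the cloned MAC
    (3, "00:30:65:24:21:30", "57.35.6.17"),  # after step 4: same IP, new (cloned) MAC
    (4, "00:30:65:24:21:30", "57.35.6.17"),  # steady state: no new alert
]

def watch_bindings(observations):
    """Return alerts in order: (ts, 'ip_rebound', ip, old_mac, new_mac) when an IP
    shows up behind a different MAC, and (ts, 'mac_shared', mac, ips) when one
    MAC becomes the source for more than one IP (cloned station plus original)."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ts, mac, ip in observations:
        mac = mac.lower()                       # normalise case before comparing
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip_rebound", ip, prev, mac))
        ip_to_mac[ip] = mac
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append((ts, "mac_shared", mac, tuple(sorted(mac_to_ips[mac] | {ip}))))
        mac_to_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in watch_bindings(OBSERVED):
        print(alert)
```

Run against a real capture, the observations would come from the source MAC and source IP of each frame ethereal shows after you generate traffic in step 6.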