GT ECE 4110 - Network Traffic Analyzers and Other Tools

This preview shows page 1-2-3 out of 10 pages.

ECE 4110 Internetwork Programming
Lab 4: Network Traffic Analyzers and Other Tools

Group Number: ________
Member Names: _________________________ _________________________
Date Due: Tuesday Feb. 14, 2006
Last Edited: 2/1/2006

Lab Goals
- Understand network analysis and scanning tools: the ping, ethereal, and nmap tools
- Understand network vulnerabilities in FTP and TELNET
- Understand MAC address, IP address, and TCP spoofing techniques

Section I: Ping vs. Ethereal

Do a ping from your machine to 57.35.6.245. Use ethereal to collect approximately 5 to 10 ping packets.

Q1.1 What is the total length of each IP packet?
Q1.2 What type of protocol do you see inside the protocol field of each packet?
Q1.3 List two additional types of messages which also use the same protocol as ping. (Don't ask the TA for the answer.)
Q1.4 How much data is inside each of these protocol packets?
Q1.5 How long does it take for the echo reply to come back according to ethereal?
Q1.6 How long does it take for the echo reply to come back according to the statistics you see on your Linux machine? (Note: you can see these statistics on the screen after you use <CTRL+C> to stop the ping process.)
Q1.7 Are ethereal and ping the same in terms of accuracy? Explain.

Section II: Network Vulnerabilities

a) Use ethereal to watch an ftp session from your machine to 'gatechftp', which has IP address 57.35.6.245. From your PC type
   $ftp 57.35.6.245 <ENTER>
and use linux_class as the user and linux_class as the password. Then type
   $quit <ENTER>
to terminate the session.

Q2.1 Can you see your password in the TCP data on the analyzer?

b) Now repeat the process but use ssh. Type
   $ssh -l linux_class 57.35.6.245 <ENTER>
(note: it is a lower case 'L', not the number 1). You might get a prompt asking if you want to continue or not; type "yes" here. Enter linux_class as the password. Then type
   $exit <ENTER>
to terminate the session.

Q2.2 Can you see your password using secure shell login?
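Section I above asks you to read the IP total length, the protocol field, the ICMP data size and the round-trip time out of ethereal by hand. The following Python script, added here as an illustration and not part of the lab handout, does the same decoding on a constructed capture: it builds three echo request/reply pairs with correct IP and ICMP checksums (56 data bytes, the Linux ping default), parses the header fields the questions refer to, and pairs replies with requests to compute the RTT the way an analyzer does. The source host 57.35.6.10, the identifier 0x1F2E and the timestamps are made up for the example.

```python
import socket
import struct

ICMP_PROTO = 1               # IP protocol number for ICMP
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ICMP_FMT = "!BBHHH"          # 8-byte ICMP echo header


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by both IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    unchecked = struct.pack(ICMP_FMT, icmp_type, 0, 0, ident, seq) + payload
    return struct.pack(ICMP_FMT, icmp_type, 0, checksum(unchecked), ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (version 4, IHL 5, no fragmentation) around a payload."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))   # header checksum
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4_icmp(packet: bytes) -> dict:
    """Decode the fields the lab asks about: IP total length, protocol, ICMP type, data size."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"total_length": total_len, "protocol": proto, "ttl": ttl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto == ICMP_PROTO:
        icmp = packet[ihl:total_len]
        icmp_type, code, _, ident, seq = struct.unpack(ICMP_FMT, icmp[:8])
        info.update({"icmp_type": icmp_type, "icmp_code": code, "ident": ident, "seq": seq,
                     "data_length": len(icmp) - 8,
                     "icmp_checksum_ok": checksum(icmp) == 0})   # a valid packet sums to zero
    return info


def echo_rtts(capture) -> dict:
    """capture: list of (timestamp_seconds, raw_ipv4_packet) in capture order.
    Pairs each echo reply with its request by (identifier, sequence) and returns
    {sequence: round-trip time in ms}, the figure an analyzer shows per reply."""
    pending, rtts = {}, {}
    for ts, pkt in capture:
        info = parse_ipv4_icmp(pkt)
        if info["protocol"] != ICMP_PROTO:
            continue
        key = (info["ident"], info["seq"])
        if info["icmp_type"] == ICMP_ECHO_REQUEST:
            pending[key] = ts
        elif info["icmp_type"] == ICMP_ECHO_REPLY and key in pending:
            rtts[info["seq"]] = round((ts - pending.pop(key)) * 1000, 3)
    return rtts


def constructed_capture():
    """Constructed stand-in for an ethereal capture of three pings to 57.35.6.245
    from a made-up lab host 57.35.6.10; 56 data bytes is the Linux ping default."""
    payload = bytes(range(56))
    capture = []
    for seq in range(1, 4):
        sent = 1000.0 + seq
        req = build_icmp_echo(ICMP_ECHO_REQUEST, 0x1F2E, seq, payload)
        rep = build_icmp_echo(ICMP_ECHO_REPLY, 0x1F2E, seq, payload)
        capture.append((sent, build_ipv4("57.35.6.10", "57.35.6.245", ICMP_PROTO, req)))
        capture.append((sent + 0.0004 * seq, build_ipv4("57.35.6.245", "57.35.6.10", ICMP_PROTO, rep)))
    return capture


if __name__ == "__main__":
    cap = constructed_capture()
    print(parse_ipv4_icmp(cap[0][1]))
    print("RTT per sequence (ms):", echo_rtts(cap))
```

The RTT computed here is the difference between two capture timestamps, which is what ethereal reports; ping's own statistics are measured inside the ping process, after the kernel has delivered the packet, which is the distinction Q1.7 is asking about.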
This is the advantage of ssh and why soon you will no longer be able to use ftp in most companies.

Optional: For more info on ssh take a look at: http://www.ssh.com/tech/whitepapers/SSH_Secure_Shell.pdf

c) Now repeat the process using telnet. From your PC type
   $telnet 57.35.6.245 <ENTER>
and use linux_class as the user and linux_class as the password. Then type
   $exit <ENTER>
to terminate the connection.

Q2.3 Do you see the individual characters of your password in the TCP packets? (Hint: Expand the field labeled 'Telnet' in the lower window and look at successive packets sent from your machine to 'gatechftp'.)

Section III: Network Scanning

Type $man nmap <ENTER> and read the man page.
Type $nmap -h <ENTER> and look at the result.

Q3.1 Explain what nmap would do if you were to type $nmap -v 57.35.6.245 <ENTER> and ran the default scan. (Hint: look at the $nmap -h <ENTER> output.)
Q3.2 What ports are open on 57.35.6.245? (Hint: run $nmap -v 57.35.6.245 <ENTER>.)

In a second window start ethereal (maybe not in promiscuous mode, so you do not see your neighbor's traffic) and start packet collection. Type $nmap -v 57.35.6.245 <ENTER> again. Stop ethereal packet collection. Look at the output of ethereal.

Q3.3 Explain in general what you see in terms of what types of packets your machine is sending to 57.35.6.245.

Type $nmap -v 127.0.0.1 <ENTER>

Q3.4 What ports are open on your own machine?

Type $nmap -O 57.35.6.245 <ENTER> (that is a capital O, not a zero).

Q3.5 Is nmap up to date enough/capable enough to know what operating system we are running on 'gatechftp'?
Q3.6 Can nmap determine exactly which kernel version is being run on 'gatechftp'? Answer yes or no. (As an afterthought, try this on your own machine: $nmap -O 127.0.0.1 <ENTER>.)

Type $nmap -sT 57.35.6.245 <ENTER>. This is another type of scan.

Q3.7 What ports does this scan find open? Why are they different from, or why are they the same as, before (i.e., the default scan with root privileges)? Explain.
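Section II contrasts three logins to the same host: FTP, which sends the password as a single PASS command line; telnet, where Q2.3 has you pick the password out character by character across successive packets; and ssh, where nothing after the version banner is readable. The Python script below is an added example, not part of the lab, of the check an analyst would run over captured TCP payloads to confirm which protocols leak credentials. The three sessions are constructed to imitate the lab's logins (user and password linux_class, server 'gatechftp'); the telnet option bytes, the ssh banners and the random bytes standing in for ciphertext are all made up, and the 0.9 printable-ratio cut-off is an arbitrary heuristic.

```python
import random
import re
import string

FTP_PORT, SSH_PORT, TELNET_PORT = 21, 22, 23
IAC = 0xFF                               # telnet "interpret as command" byte
PRINTABLE = set(string.printable.encode())


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>, IAC <cmd>) and
    keep the keystrokes; IAC IAC is an escaped 0xFF data byte."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] in (251, 252, 253, 254):
            i += 3                       # command byte plus option byte
        else:
            i += 2                       # bare two-byte command
    return bytes(out)


def find_cleartext_credentials(stream) -> dict:
    """stream: list of (direction, server_port, tcp_payload) in capture order, with
    direction 'c2s' (client to server) or 's2c'. Returns one finding per protocol
    saying whether a credential could be recovered from the bytes on the wire."""
    by_port = {}
    for direction, port, payload in stream:
        by_port.setdefault(port, []).append((direction, payload))
    findings = {}
    for port, msgs in by_port.items():
        c2s = b"".join(p for d, p in msgs if d == "c2s")
        if port == FTP_PORT:
            # FTP sends the login as plain "USER x" / "PASS y" command lines.
            user = re.search(rb"^USER (\S+)\r\n", c2s, re.M)
            pw = re.search(rb"^PASS (\S+)\r\n", c2s, re.M)
            findings["ftp"] = {"user": user.group(1).decode() if user else None,
                               "password": pw.group(1).decode() if pw else None,
                               "exposed": pw is not None}
        elif port == TELNET_PORT:
            # Telnet sends one keystroke per segment; reassemble what was typed
            # after each server prompt up to the carriage return.
            typed = {"user": bytearray(), "password": bytearray()}
            current = None
            for d, p in msgs:
                p = strip_telnet_iac(p)
                if d == "s2c":
                    if b"login:" in p.lower():
                        current = "user"
                    elif b"password:" in p.lower():
                        current = "password"
                elif current:
                    typed[current] += p
            user = typed["user"].split(b"\r")[0].decode(errors="replace")
            pw = typed["password"].split(b"\r")[0].decode(errors="replace")
            findings["telnet"] = {"user": user, "password": pw, "exposed": bool(pw)}
        elif port == SSH_PORT:
            # Only the version banner is cleartext; after it the stream is encrypted,
            # so the share of printable bytes collapses and nothing can be read out.
            banner_end = c2s.find(b"\r\n")
            banner = c2s[:banner_end] if banner_end >= 0 else b""
            body = c2s[banner_end + 2:] if banner_end >= 0 else c2s
            ratio = sum(b in PRINTABLE for b in body) / len(body) if body else 1.0
            findings["ssh"] = {"banner": banner.decode(errors="replace"),
                               "printable_ratio": round(ratio, 2), "exposed": ratio > 0.9}
    return findings


def constructed_sessions():
    """Constructed payloads imitating the lab's three logins (not a real capture)."""
    ftp = [("s2c", FTP_PORT, b"220 gatechftp FTP server ready.\r\n"),
           ("c2s", FTP_PORT, b"USER linux_class\r\n"),
           ("s2c", FTP_PORT, b"331 Password required.\r\n"),
           ("c2s", FTP_PORT, b"PASS linux_class\r\n"),
           ("s2c", FTP_PORT, b"230 Login successful.\r\n"),
           ("c2s", FTP_PORT, b"QUIT\r\n")]

    def keystrokes(word):                # one character per segment, as telnet does
        return [("c2s", TELNET_PORT, ch.encode()) for ch in word]

    telnet = ([("s2c", TELNET_PORT, b"\xff\xfd\x18\xff\xfd\x20login: ")]
              + keystrokes("linux_class") + [("c2s", TELNET_PORT, b"\r\x00"),
                                             ("s2c", TELNET_PORT, b"\r\nPassword: ")]
              + keystrokes("linux_class") + [("c2s", TELNET_PORT, b"\r\x00")])
    rng = random.Random(7)               # fixed seed stands in for ciphertext
    ssh = [("c2s", SSH_PORT, b"SSH-2.0-labclient\r\n"),
           ("s2c", SSH_PORT, b"SSH-2.0-labserver\r\n"),
           ("c2s", SSH_PORT, bytes(rng.getrandbits(8) for _ in range(256)))]
    return ftp + telnet + ssh


if __name__ == "__main__":
    for proto, finding in find_cleartext_credentials(constructed_sessions()).items():
        print(proto, finding)
```

Run as-is it reports the FTP and telnet credentials recovered from the bytes and, for ssh, only the banner and a low printable ratio. The telnet branch is the interesting one: because each keystroke travels in its own segment, no single packet contains the password, which is why Q2.3 has you step through successive packets rather than look for one PASS line.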
There is a machine on the same subnet as 'gatechftp' running a web server. Use $nmap -sT 57.35.6.245-254 <ENTER> to find out the IP of that machine.

Q3.8 What port indicates that there is a web server running?

Go to the web browser (the icon next to the Redhat one) and type the IP you just found in the address bar.

Q3.9 What web server did you find?

Aside: Nmap frontend (invoked in a terminal by typing $nmapfe <ENTER>) is a graphical interface that we did not use in the lab, but it works the same way in general.

Section IV: MAC Address Spoofing

The MAC address for a network interface is assigned by the hardware manufacturer at the time of manufacture. Addresses are therefore completely independent of the network to which they are attached, and addresses can be spoofed with relative ease. This spoofing has the potential to undermine common security measures. OIT, for example, uses MAC addresses on ResNet and on LAWN to tie network traffic to particular students. (Students tell OIT their MAC address when they register on ResNet or log into LAWN.) By forging another student's MAC address, OIT could be led to believe that your malicious activity was actually that of another student. As another example, many wireless routers only allow access from a white list of MAC addresses so that only certain computers can access the wireless network. You may want to use ethereal and initiate some network traffic to "see" the new MAC address being used.

Exercise: Linux MAC Cloning

Inspect the current MAC and IP address:
1. Type the command ifconfig eth0
2. Record your results (either as a screen shot OR as a text file; you will need to turn it in)
3. Type the command ifconfig eth0 down, or use the Linux command ifdown eth0
4. Type the command ifconfig eth0 hw ether 00:30:65:24:21:30 (or an Ethernet address you create)
5. Type the command ifconfig eth0 up
6. Type ifconfig eth0 again and record your results (either as a screen shot OR as a text file; you will need to turn it in)
7. Now revert back to the old MAC address by re-doing steps 3-5, but using the MAC address from step 2 in step 4. Type ifconfig eth0 to ensure that you did this correctly. (You do not need a screenshot.)

Q4.1 What would happen if two hosts on the same network had the same MAC
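Both Section III (what the ethereal capture of an nmap run looks like, Q3.3) and Section IV (what a cloned MAC does to the network, Q4.1) have a defender's counterpart: spotting these events in a capture. The Python script below is an added example and not part of the lab. It works on summarised TCP segments of the kind an analyzer lists, flags a source that sends SYN-only segments to many distinct ports of one host in a short window (the pattern of both nmap's default SYN scan when run as root and the -sT connect scan, since a connect scan also opens with a SYN), and reports MAC/IP inconsistencies: one IP seen behind two MACs, and one MAC claiming two IPs. The hosts 57.35.6.10, .13 and .14, all MAC addresses except the lab's 00:30:65:24:21:30, the timestamps, and the 20-ports-in-10-seconds threshold are constructed for the example.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10
SCAN_PORT_THRESHOLD = 20      # distinct ports from one source to one host ...
SCAN_WINDOW_SECONDS = 10.0    # ... inside this many seconds counts as a scan


def record(ts, src_mac, src_ip, dst_ip, dst_port, flags):
    """One summarised TCP segment as a capture tool would list it."""
    return {"ts": ts, "src_mac": src_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": dst_port, "flags": flags}


def detect_port_scans(records, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """A host probing many distinct ports of one target with SYN-only segments
    inside a short window: the on-the-wire signature of a SYN or connect scan."""
    syns = defaultdict(list)                       # (src_ip, dst_ip) -> [(ts, port)]
    for r in records:
        if r["flags"] & SYN and not r["flags"] & ACK:
            syns[(r["src_ip"], r["dst_ip"])].append((r["ts"], r["dst_port"]))
    findings = []
    for (src, dst), events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # slide a window over the SYNs
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                findings.append({"src_ip": src, "dst_ip": dst,
                                 "distinct_ports": len(ports), "window_start": t0})
                break
    return findings


def detect_mac_anomalies(records):
    """Two effects a cloned MAC produces: an IP seen behind more than one MAC (the
    address changed under it) and a MAC claiming more than one IP (two hosts
    sharing an address, which is the situation Q4.1 asks about)."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for r in records:
        ip_to_macs[r["src_ip"]].add(r["src_mac"])
        mac_to_ips[r["src_mac"]].add(r["src_ip"])
    findings = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append({"kind": "ip_mac_change", "ip": ip, "macs": sorted(macs)})
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append({"kind": "duplicate_mac", "mac": mac, "ips": sorted(ips)})
    return findings


def constructed_records():
    """Constructed segments on the lab subnet: a 30-port probe of 57.35.6.245 from a
    made-up host .10, two made-up hosts .13 and .14 sharing the MAC the exercise
    clones, and .10 later appearing behind a different MAC."""
    scanner, server = "00:11:22:33:44:55", "00:0c:29:aa:bb:cc"
    recs = []
    for i, port in enumerate(range(1, 31)):        # 30 low ports probed in 1.5 s
        recs.append(record(100.0 + 0.05 * i, scanner, "57.35.6.10", "57.35.6.245", port, SYN))
    for port in (21, 22, 23):                      # open ports answer SYN|ACK (not SYN-only)
        recs.append(record(100.2, server, "57.35.6.245", "57.35.6.10", 40000, SYN | ACK))
    recs.append(record(120.0, "00:30:65:24:21:30", "57.35.6.13", "57.35.6.245", 80, SYN))
    recs.append(record(121.0, "00:30:65:24:21:30", "57.35.6.14", "57.35.6.245", 80, SYN))
    recs.append(record(130.0, "00:30:65:24:21:31", "57.35.6.10", "57.35.6.245", 22, SYN))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("port scans:", detect_port_scans(recs))
    print("MAC anomalies:", detect_mac_anomalies(recs))
```

The MAC check only sees source addresses in frames, so a clone done the way the exercise does it (old address down, new address up, then reverted) looks like an ordinary NIC replacement unless you also correlate with the switch port or DHCP lease that the address was seen on; what it does catch is the duplicate-MAC condition of Q4.1, where both hosts keep sending.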

