Chapter 17 - Network Monitoring for Suspicious Traffic - PDF
Document Details
Uploaded by barrejamesteacher
null
Tags
Related
- Lesson 4: Security Management System (SMS) PDF
- Internet Usage Policy PDF
- Chapter 17 - 01 - Understand the Need and Advantages of Network Traffic Monitoring_ocred_fax_ocred.pdf
- Chapter 17 Network Traffic Monitoring PDF
- Chapter 17 - Network Monitoring for Suspicious Traffic PDF
- A Survey on Wireless Body Area Networks (WBAN) PDF
Summary
This document details network monitoring procedures for identifying suspicious network traffic. It covers methods for monitoring protocols like FTP and Telnet, and analyzing suspicious activities in these protocols. This includes detailed information on securing networks from these types of threats.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring...
Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring ‘ ‘ m m " Momtormg and Analyzmg Analyzmg FTP Traffic bo %l File File Edt Edit View View Go Go Capture Capture Analyze Analyze Statistics Statistics Telephony Telephony Wireless Wireless Tools Tools Help Help FTPis used OQ FTPis used to Aamge AR mNXG MmO RXQC Q-"‘Et!__.iél&@. QemnEF S _ = transfer files transfer files over ( = v = = TCP, and its default portis 21 0 e: 331 Plssuord requlr FTPsendsdataina FTP sends data in a | - T § 5 : ACK ka6 Winse4258 Lensd k=51 Win=64256 Len=0 Toval TSval cleartext format 518 5. 10.10. 10 9. 10. 10,50 p : k=37 Win=2108160 Len=0 K=37 Len= TSy Tsv 685 6. 19.10.10.16 i 87 Response 230 user loggea 686 6. 10.10.10.50 110.10. 6 10.10.10.16 TP 66 36648 - 21 [ACK] Seq=37 Ack=72 Win=64256 Len ++USER --USER A dministr 0050 61 74 6F 67 72 ed 6a 0a ator- -- ator- Figure 17.6: FTP traffic Module 17 Page 2052 EC-Council Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring Monitoring and Analyzing Telnet Traffic Telnet can provide access to remote hosts including most network equipment and operating systems Telnet is not encrypted; the password and all other data are transmitted as cleartext Ideally, it should be disabled; enabling it poses huge security risks to the network It is essential to check whether any Telnet session is established within the network Monitoring and Analyzing Telnet Traffic (Cont’d) telnet.pcap file File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Teools Help g Ve mae® 51) [& e S EF EFSS == Q Perform the following to check 4‘ -JomRRE mEOREG ]S t2.E41 =P.5488% i. (N for established Telnet sessions: (Afinee T T : ;00. ro. Tim 5°urco Source Destination Protocol otol _Lengtl Info Length 10 10 8.0, 102.168.0.2 2 11 {1 )).. 11 T "£ )93 3 Telne Telne > Go to the Statistics Menu and 78 10. }1 LL click on Conversations g gg :: : Wireshark - Conversations - telnet.pcap - B8 x }2 S;_ : Ethernet 1 Ethernet: IPva-1-1 IPvd IPv6 IPvé m uop ) > Go tO the TCP tab tib and Select :; gg }‘7’ }: Address A+A~ Port A Address B Part B Packets Ililn H‘ln Packets A -+ B Packots 3 z 20 0. 11 200.. L the approp".ate appr?pri.ate Telpet gi : §§ g i: Wireshark - Follow TCP Stream Vireshark Stream (top.stream (top.streamo1 o communication indicated by 250, 250. 1 — port 23 and click Follow : Heai- F i 4::’ 039%3 I:O i AR B R Stream... >~> Ethernet Ethernet 1T1T : DR B G s s e nue N s v a s dmau s e Stream... : w Internet Pri Internet Pri Copy - 0100 Telnet traffic >» The Telnet and the traffic and the ver. 0108 »N Ditferentiated — Services Fieia: 6xio - (0% SIS i:h"io?::x;::::.‘s’::/:::gtg;:f:;oz:;};r e " LA SEL M =A S et Bl e e AN KR TERMANEZ1AS Total Length: 79 OpecfS0 2.6:beta (COF) wd: Tue Oct l? 20:42:32 0:42:32 COT 1099 credentials will be viewable -MW elconn t RRnB: The proacively secre Unse-Lie cparatin oy N Lengtnh: 1999 f:redentials will be viewable A T T Welcomn to OpenbiD: The proactively securs Unie-1ike cperatisg sy! in cleartext 0010 00 414f 46 30 40 00 40 UHI 73 07 cO@ OF>@-@@ s s- - - Figure 17.7: Telnet Telnet traffic Module 17 Page 2054 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring = Perform the following to check for established Telnet sessions: o Go to the Statistics Menu and click on Conversations. o Go to the TCP tab and select the appropriate Telnet communication indicated by port 23 and click Follow Stream... Wireshark - Conversations Wireshark Conversations -- telnet.pcap telnet.pcap PRE|o.- [R Ethernet-1 Ethenet-1 IPva-1 IPv4-1 IPv6 | TCP-1 | UDP uDP Address A~ Port A Address B Port B Packets Bytes Packets A -+» B E 192.168.0.2 1550 192 192.168.0.1 3 [ ‘ Limit to display filter Absolute start time Conversation Types ~ | Copy || Follow Stream... Figure 17.8: TCP tab o The Telnet traffic and the credentials will be viewable in cleartext. Wireshark - Follow TCP Stream (tcp.stream ec sanssscssns sali®ta, sressssenns seled®itasese O TR PN T el Be P T P. o....................... "......'.....# &..&..9..4&. & S P N 9690,9609....#.bam.zing.org:e.e....'..DISPLAY.bam.zing.org:9.9...: 9600, 9609....# bam. zing 0rg:0.0..DISPLAY.bam.zing.org:0.0.... COLOF..uecesnnnass lecocencnnananee B ecscsnssanses COLOF.cousesncnnselascnnccesancsc®acecsnsnanes OpenBSD/1386 OpenBSD/i386 (oof) (ttyp2) login: fake...... Password:user...... Last login: Sat Nov 27 20:11:43 on ttyp2 from bam.zing.org wWarning: no Kerberos tickets issued. Warning: OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999 Welcome to OpenBSD: The proactively secure Unix-like operating sys Please use the sendbug(l) utility to report bugs in the system. Before reporting a bug, please try to reproduce it with the latest version of the code. With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a known fix for it exists, include that as well. $ /sbin/ping www.yahoo.com Figure 17.9: Cleartext credential in telnet traffic Module 17 Page 2055 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.