Course Notes - Day 4
laura@chappellu.com - Send an email if you want TCP posters; tell me how many.

Page 132
  http matches "\.jpg"    -> 23 packets
  http contains ".jpg"    -> 22 packets
  http matches "\.jpg" && !http contains ".jpg"  -> 1 packet differs between the two
  !=  Do not use this with a "combo field" (one field that covers both directions):
      ip.addr, tcp.port (srcport/dstport), udp.port (srcport/dstport)
  Sample display filters to remove specific application traffic from view:
      !tcp.port==21   (no FTP)
      !udp.port==161  (no SNMP)

OSI Model is OLD/OUTDATED and does not map to TCP/IP! We need to get rid of that from ALL COURSEWARE!!!
  Routers  - OSI layer 3
  Switches - OSI layer 2

FTP: Active vs. Passive Mode

Trace File Repository

ARP man-in-the-middle attacks - Ettercap

DNS
  Filter button: DNSResp  = dns.flags.response == 1
  Recursive (default) - "You go look it up for me please."
  Iterative (weird to see) - SEC?!
  DNS walking - (NetScanTools Pro)
  dns contains "www.espn.com"
  dns.qry.name matches "\.(ru|cn|to|kp)$"
  dns.qry.name matches "(sex|duh|skank)"
  Filter button: DNSErrs  = dns.flags.rcode > 0
  Filter button: DNS>1    = dns.time > 1

================ LUNCH RETURN
Please do Lab 6 (page 159) and the end-of-chapter questions (page 162).
If you did the lab... I suggest going out to the trace file repository and picking up some more trace files...
  https://www.chappell-university.com/traces

DNS over TLS - Dr. Paul Vixie - DoH vs. DoT

DHCP
  Turning on a machine / address expired: DORK
    Discover - Offer - Request - ACK
  Within your lease time: RK
    Request - ACK
  arp-bootup.pcapng

Colasoft Packet Builder, Ettercap
  Router's true hardware address  00:01:5C:31:BB:C1  (24.6.170.101)
  Client's address                00:23:54:69:8F:58
  MiTM suspect                    D4-3D-7E-A6-41-FD

Lab 7: 184.84.222.27, 184.84.222.8
  Packet 24; Packets 29,875
  !ip.addr==184.84.222.27/24
  ip.addr==184.84.222.27/24 || dns contains "newsrss"

  Start capture -> browse to www.johnsgarage.com -> stop capture
  dns contains "johnsgarage"
    or I could filter on dns.qry.name=="www.johnsgarage.com"
  Got his IP address from the traffic now... (look in the Info column at the DNS reply)
  Filter for the traffic to/from that host as well as the related name resolution traffic...
    ip.addr==x.x.x.x || dns contains "johnsgarage"

voip-extension.pcapng - to see DSCP

Page 193 - ICMP
  You should never see these ICMP Type numbers on a network (outdated):
    1, 2, 4, 6, 7, 12, 19-254
  You should never see these ICMP Type numbers on a network (security or configuration concern):
    0     - Echo Reply (do you allow ping?)
    5     - Redirect (why is it sent? by a router, if there are two gateways/routers on your local network)
    8     - Echo (do you allow ping on your network?)
    9/10  - This is a routing problem... Win10 - SYN, SYN, SYN ... Router Solicitation (help!)
            "Hacker sends Router Advertisement and now we have a MiTM issue."
    11    - Generated with traceroute.
    13/14, 15/16, 17/18 - OS fingerprinting. Part of a recon process - suspect.
  OK ICMP, I guess...
    Type 3 - Destination Unreachable: service refusal for UDP packets. UDP port scan?

Page 194
  Circle, underline, highlight and asterisk: ICMP Type 3, Code 4 - DO NOT BLOCK THIS PACKET GLOBALLY
  Filter button: ICMP  = icmp || icmpv6

Homework: Lab 8, Lab 9 + End of Chapter Questions (UDP)
LOTS OF COFFEE BEFORE WE START IN THE MORNING!!!! BE RESTED! NO PARTYING TONIGHT?
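As an added example (not part of the course notes), the ICMP type triage from pages 193-194 written as a small Python classifier run over constructed tshark-style summary lines; the "type=N code=M" line format and the sample addresses are assumptions, and the rules are transcribed from the notes above.

```python
import re
from collections import Counter

# Rules transcribed from the course notes (pages 193-194).
OUTDATED_TYPES = {1, 2, 4, 6, 7, 12} | set(range(19, 255))   # 19-254 inclusive
REVIEW_TYPES = {
    0: "Echo Reply - do you allow ping?",
    5: "Redirect - why is a router sending it? (two gateways on the LAN?)",
    8: "Echo - do you allow ping on your network?",
    9: "Router Advertisement - routing problem; a rogue RA gives a MiTM",
    10: "Router Solicitation - routing problem (host asking for help)",
    11: "Time Exceeded - generated with traceroute",
}
for _t in (13, 14, 15, 16, 17, 18):   # timestamp / info / address-mask pairs
    REVIEW_TYPES[_t] = "OS fingerprinting - part of a recon process, suspect"


def classify_icmp(icmp_type, icmp_code):
    """Return (verdict, note) for one ICMP type/code pair."""
    if icmp_type == 3 and icmp_code == 4:
        return "keep", "Fragmentation Needed - DO NOT BLOCK GLOBALLY (PMTU discovery)"
    if icmp_type == 3:
        return "review", "Destination Unreachable - service refusal; many to UDP ports may be a port scan"
    if icmp_type in OUTDATED_TYPES:
        return "outdated", "type should never be seen on a modern network"
    if icmp_type in REVIEW_TYPES:
        return "review", REVIEW_TYPES[icmp_type]
    return "unknown", "no rule in the notes for this type"


LINE_RE = re.compile(r"type=(\d+)\s+code=(\d+)")   # assumed summary-line format


def triage(lines):
    """Count verdicts over summary lines; lines without type/code are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[classify_icmp(int(m.group(1)), int(m.group(2)))[0]] += 1
    return counts


SAMPLE_LINES = [   # constructed, not taken from any real capture
    "10.0.0.5 -> 10.0.0.1 ICMP type=8 code=0 Echo request",
    "10.0.0.1 -> 10.0.0.5 ICMP type=0 code=0 Echo reply",
    "10.0.0.1 -> 10.0.0.5 ICMP type=3 code=4 Fragmentation needed",
    "10.0.0.1 -> 10.0.0.5 ICMP type=3 code=3 Port unreachable",
    "10.0.0.9 -> 10.0.0.5 ICMP type=5 code=1 Redirect",
    "10.0.0.5 -> 10.0.0.1 ICMP type=13 code=0 Timestamp request",
    "10.0.0.7 -> 10.0.0.5 ICMP type=12 code=0 Parameter problem",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        m = LINE_RE.search(line)
        print(classify_icmp(int(m.group(1)), int(m.group(2))), "<-", line)
    print(dict(triage(SAMPLE_LINES)))
```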