Project rating

Munira A.
  • Project owner
Excellent, I will work with him again.

Project description

Peace be upon you,

I would like these questions solved, relating to:

nmap

Wireshark

Packet processing

An attacker can use a method named Port Scanning to examine which ports are open on a given host, learning details about which software the server is running on publicly-addressable interfaces. This information helps an attacker to gain a better understanding of where and how to attack the victim server. Port scanning takes advantage of conventions in TCP and ICMP that seek to provide a sender with (perhaps too much!) information on why their connection failed. In this part, you will use the nmap tool to scan the server scanme.nmap.org. By doing so, you should be able to see the powerful information that a simple scan can reveal. In your scan, make sure to:

- Only scan scanme.nmap.org! You should only scan a server if you have explicit permission from the server operator to do so.
- Record the traffic with Wireshark (see part 2).
- Use a TCP SYN scan. (Hint: Read the nmap man pages to find the appropriate flag to use.)
- Enable OS detection, version detection, script scanning, and traceroute. (Hint: This is a single flag.)
- Do a quick scan (-T4).
- Scan all ports.

Answer the following questions briefly based on the results of the scan; no response should take more than two sentences:

- What is the full command you used to run the port scan (including arguments)?
- What is the IP address of scanme.nmap.org?
- What ports are open on the target server? What applications are running on those ports? (For this part, you only need to report the service name printed by nmap.)
- The target machine is also running a webserver. What webserver software and version is being used? What ports does it run on?

Wireshark is a tool to monitor local network traffic. Wireshark has access to complete header information of all packets on a monitored interface and presents a helpful GUI for understanding the structure of different protocols. Use the Wireshark packet analyzer to examine the traffic generated by nmap during the scan in Part 1. You will need to start Wireshark and record traffic on the interface before running the scan in nmap. When you get the result, take a look at the Wireshark capture. Use Wireshark's filtering functionality to look at how nmap scans a single port.

Briefly answer the following questions about the target server based on the results of the scan; no response should take more than three sentences:

- What does it mean for a port on scanme.nmap.org to be “closed?” More specifically, what is the TCP packet type, if any, the server gives in response to a SYN packet sent to a port that is “closed?”
- What does it mean for a port on scanme.nmap.org to be “filtered?” More specifically, what is the TCP packet type, if any, the server gives in response to a SYN packet sent to a port that is “filtered?”
- In addition to performing an HTTP GET request to the webserver, what other HTTP request types does nmap send?

You have been given a dump of packet header information for the network that your mobile device is on (trace.txt). Your device's IP address is 10.30.22.101. Lately, there have been a number of sketchy occurrences on this network. In order to learn more about network security, your job is to sift through the packet header information and detect some anomalous behavior on the network. Since the volume of packets is large, it is expected that you will write scripts in the language(s) of your choice to do the following:

- Your mobile device has accessed a number of websites. List 5 IP addresses of websites that have been accessed by your mobile device. (Hint: What port is typically used for webservers? Your mobile device's IP address is 10.30.22.101. There may be more than 5 valid answers to this question, but you should only list 5.)

- Someone sketchy has been looking for attack vectors into hosts on this network by scanning for open ports on a machine. (Hint 1: What kind of pattern would you expect from a host that is port scanning other hosts? How might you isolate this pattern in the packet dump?) (Hint 2: It's okay if some small ranges of ports are 'skipped' in the port scan - think about why this might be!)

(a) What is the IP address of the origin of the port scan?

(b) What is the IP address of the host that was scanned?

(c) What range of ports was scanned?

- There has been an unusually high volume of SYN packets going from one host on this network to another host on this network. This can be indicative of a type of Denial of Service (DoS) attack called a SYN

(d) What is the IP address of the SYN-flooding sender?

(e) What is the IP address of the SYN-flooded receiver?

(f) How many SYN packets were sent from this sender to this receiver?

- Some malware on your phone has caused it to behave improperly and inject a malicious packet in the network. More specifically, your phone has sent a packet during a TCP connection that it should not have sent. Doing so can sometimes cause problems on the network and crash hosts that are not implemented correctly. What is the checksum value of the injected packet? (Hint: Under what conditions will a client send a packet with a sequence number that has already been sent and acknowledged? Should these packets always have identical content? What does the checksum of a packet indicate?)
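
One way to script the detections asked for in the packet-processing part (web destinations, port scan, SYN flood, repeated sequence number with a different checksum), as an added example that is not part of the original posting. The layout of trace.txt is not shown on the page, so the whitespace-separated columns, the sample addresses and the thresholds below are assumptions.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed header lines (assumed layout):
    src_ip src_port dst_ip dst_port tcp_flags seq checksum"""
    lines = ["10.30.22.101 40000 192.0.2.10 80 S 100 0x1a2b",
             "10.30.22.101 40000 192.0.2.10 80 PA 101 0x3c4d",
             "10.30.22.101 40000 192.0.2.10 80 PA 101 0x9999"]  # same seq, new checksum
    # One source probing consecutive ports on one target, with a small gap.
    lines += [f"10.30.9.9 51000 10.30.1.5 {p} S 1 0x0001"
              for p in range(20, 120) if p not in (50, 51)]
    # Many SYNs from one sender to a single port on one receiver.
    lines += [f"10.30.7.7 {30000 + i} 10.30.2.2 443 S {i} 0x0002"
              for i in range(300)]
    return lines

def parse(lines):
    for line in lines:
        src, sport, dst, dport, flags, seq, csum = line.split()
        yield src, int(sport), dst, int(dport), flags, int(seq), csum

def analyze(lines, device="10.30.22.101", scan_min_ports=50, flood_min_syns=200):
    web = set()                  # web servers contacted by the device
    ports = defaultdict(set)     # (src, dst) -> distinct ports that received a SYN
    syns = Counter()             # (src, dst, dport) -> number of SYNs
    seen = defaultdict(set)      # device flow + seq -> checksums observed
    for src, sport, dst, dport, flags, seq, csum in parse(lines):
        if src == device and dport in (80, 443):
            web.add(dst)
        if flags == "S":         # bare SYN, no ACK
            ports[(src, dst)].add(dport)
            syns[(src, dst, dport)] += 1
        elif src == device:
            seen[(dst, sport, dport, seq)].add(csum)
    # Port scan: one source sends SYNs to many different ports on one target.
    scans = {k: (min(v), max(v)) for k, v in ports.items()
             if len(v) >= scan_min_ports}
    # SYN flood: many SYNs from one source to the same port on one target.
    floods = {k: n for k, n in syns.items() if n >= flood_min_syns}
    # Following the page's hint: a repeated sequence number whose checksum
    # changed is flagged as a candidate injected packet.
    injected = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return sorted(web), scans, floods, injected
```

A changed checksum on a repeated sequence number is a lead, not proof: a genuine retransmission can carry an updated TCP timestamp option or be re-segmented, which also changes the checksum, so confirm flagged packets against the payload length and options.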

Bids submitted

I have experience in networking and ethical hacking. I can help you answer these questions. Contact me and, God willing, you will not regret it.
