Figuring out the IP address and subnet mask of host...Packet Analysis by Danna Penaranda –...


Packet Analysis by Danna Penaranda – Introduction to Network Security – fall 2016 – Dr. Im

Figuring out the IP address and subnet mask of host

ipconfig /all

• On most PCs, the IP address appears under the physical interface labeled “Wireless LAN adapter Wi-Fi.”

• IP: 192.168.2.6

• Subnet Mask: 255.255.255.0

• Network address: 192.168.2.0/24

Figuring out the IP address in Kali

ifconfig

• IP address: 192.168.232.128


Analyzing FTP signatures to understand the 3-way handshake by following the 3 initial TCP packets

• In Wireshark, this can be done by applying the ftp filter, right-clicking the packet of interest, and following the TCP stream. A shortcut is the filter tcp.stream eq xx [where xx is the integer stream index of the packet].

Following the FTP packets that show the Username and Password in plaintext.

• Following the TCP stream shows the username a4970217 and password louisville9

• Note that most communication over the Internet is now encrypted, and hence data is not shown in plaintext. In this case, the credentials are visible because, at the very least, SSL was not implemented.


Identifying the FTP-DATA packets used for the text file upload.

• Follow the TCP stream and take a screenshot of the TCP stream.

• The text file is spread across many FTP-DATA packets, so it can be found in any of these. It will be the same for each instance.

Ping Sweeping using Nmap

• Ping sweeping is achieved by sending ICMP echo requests to each host. It is sort of like asking, “Hello 192.168.2.0/24, are you there?” This IP belongs to the network.

• In the above command line, we execute nmap -sP 192.168.2.0/24


Port Scanning with Nmap

• Scanning the ports on a target shows which ports are open and actively listening. Knowing this can facilitate connecting to the target.

• The command line nmap scanme.nmap.org scans all reserved TCP ports on the machine.

• The server sent the initial TCP packet #18 with the SYN flag. However, it took the client 23 seconds to reply. This also evidences why there were many RST flags increasing the buffer at the server. The client did respond with packet #1334 with an RST/ACK. All we care about is that the client acknowledged the connection.

• TCP packet #1334 being 23 seconds late.


Launching a SYN Flooding Attack

• Launching a SYN flooding attack will overflow the victim with thousands of connection requests.

• IP address of the host machine (aka the victim) and a spoofed private IP address for the Kali machine:

• Host IP address: 10.200.251.137

• Arbitrary IP address: 192.168.100.50

• Conclusion: The host and the Kali were slowed down to where the VM wouldn’t react to input like keyboard functionality. The IP address of my host changed because I was connected to the UofL network. The VM froze.
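
A defender-side counterpart to the SYN flood above, added here as an example that is not part of the original report: it follows the three-way handshake per connection and counts SYNs that never receive the final ACK. The packet records are constructed; the client 10.200.251.20, the ports, the timings and the threshold are assumptions, and only the victim and spoofed addresses come from the lab.

```python
from collections import defaultdict

VICTIM, SPOOFED = "10.200.251.137", "192.168.100.50"   # addresses from the lab above

def sample_packets():
    """Constructed records, not a real capture: (time_s, src, sport, dst, dport, flags)."""
    pkts = [  # one ordinary client (assumed address) completing SYN -> SYN/ACK -> ACK
        (0.00, "10.200.251.20", 50000, VICTIM, 80, "S"),
        (0.01, VICTIM, 80, "10.200.251.20", 50000, "SA"),
        (0.02, "10.200.251.20", 50000, VICTIM, 80, "A"),
    ]
    # flood: 300 SYNs from the spoofed source, none followed by the final ACK
    pkts += [(1.0 + i * 0.001, SPOOFED, 1024 + i, VICTIM, 80, "S") for i in range(300)]
    return pkts

def peak_half_open(packets, window=1.0):
    """Return {(dst, dport): peak count of SYNs still unanswered within `window` seconds}."""
    pending = {}                       # (src, sport, dst, dport) -> time the SYN was seen
    peak = defaultdict(int)
    for t, src, sport, dst, dport, flags in sorted(packets):
        conn = (src, sport, dst, dport)
        if flags == "S":
            pending[conn] = t          # handshake opened
        elif flags == "A":
            pending.pop(conn, None)    # client's final ACK completes the handshake
        elif "R" in flags:             # a reset from either side tears it down
            pending.pop(conn, None)
            pending.pop((dst, dport, src, sport), None)
        # forget SYNs older than the window, then count what is left per target
        pending = {c: ts for c, ts in pending.items() if t - ts <= window}
        counts = defaultdict(int)
        for _, _, d, p in pending:
            counts[(d, p)] += 1
        for target, n in counts.items():
            peak[target] = max(peak[target], n)
    return dict(peak)

def flooded_targets(packets, threshold=100, window=1.0):
    """Targets whose half-open backlog reached `threshold` (an assumed tuning value)."""
    return sorted(t for t, n in peak_half_open(packets, window).items() if n >= threshold)

if __name__ == "__main__":
    print(peak_half_open(sample_packets()))
    print(flooded_targets(sample_packets()))
```

Because the count is kept per destination rather than per source, the result is the same whether the SYNs carry one spoofed address, as in this lab, or many.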