Project 5: Command-Line Tools (15 pts.)

What You Need

A SecurityOnion virtual machine, which you prepared in a previous project.

Purpose

To practice using these tools:

Starting SecurityOnion

Start your SecurityOnion virtual machine and log in with the username and password you chose (I recommended so and so).

Connect to the SO machine via SSH.


Task 1: Using Tcpdump

Capturing All Packets with Tcpdump

In your SSH session, execute this command:
sudo tcpdump -i eth0 -c 10
When asked for your password, enter it.

Tcpdump displays ten packets, as shown below.

These packets are from SSH, showing the traffic we are using to control SecurityOnion.

Capturing ICMP Packets with Tcpdump

In your SSH session, execute this command:
sudo tcpdump -i eth0 -c 10 icmp
Tcpdump just sits there listening, as shown below. It's waiting for ICMP packets and ignoring everything else.

On your SecurityOnion desktop, right-click and click "Open Terminal Here".

In the Terminal window, execute this command:

ping 8.8.8.8
Wait for five or more replies, and then press Ctrl+C to stop the pings, as shown below.

In your SSH session, tcpdump displays the ICMP packets, as shown below.

Making a PCAP with Tcpdump

On your SecurityOnion desktop, in a Terminal window, execute these commands:
cd Desktop
sudo tcpdump -i eth0 -c 500 -w YOURNAME.pcap
Tcpdump just sits there listening, as shown below.

On your SecurityOnion desktop, right-click and click "Open Terminal Here".

In the Terminal window, execute this command:

ping 8.8.8.8

Making Traffic

On your SecurityOnion desktop, in the Terminal window, from the menu bar, click File, "Open Terminal".

In the new terminal, execute these commands:

ping 8.8.8.8 -c 5
ping 8.8.4.4 -c 5
ping 208.67.222.222 -c 5
dig @8.8.8.8 kittenwar.com
dig @8.8.4.4 yahoo.com
dig @208.67.222.222 msn.com
wget ad.samsclass.info
The commands complete, as shown below.

In your SSH session, execute these commands:

ping 8.8.8.8 -c 5
ping 8.8.4.4 -c 5
ping 208.67.222.222 -c 5
dig @8.8.8.8 kittenwar.com
dig @8.8.4.4 yahoo.com
dig @208.67.222.222 msn.com
wget ad.samsclass.info
The tcpdump command should now have enough packets and finish, as shown below.

Reading a PCAP with Tcpdump

In your SSH session, execute these commands:
cd Desktop
ls -l
You should see a PCAP file with your name on it, as shown below.

Viewing All Packets

In your SSH session, execute this command:
tcpdump -r YOURNAME.pcap
500 lines of text scroll by.

Viewing ICMP Packets

In your SSH session, execute this command:
tcpdump -r YOURNAME.pcap icmp
The output is a lot shorter, but still many lines, as shown below.

Viewing ICMP Packets To or From 8.8.8.8

In your SSH session, execute this command:
tcpdump -r YOURNAME.pcap icmp and host 8.8.8.8
The output is even shorter, as shown below.

Viewing ICMP Packets From 8.8.8.8

In your SSH session, execute this command:
tcpdump -r YOURNAME.pcap icmp and src host 8.8.8.8
The output is even shorter, as shown below.
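
The three tcpdump commands above narrow the same capture step by step: a protocol test ("icmp"), then a host test in either direction ("host 8.8.8.8"), then a one-direction test ("src host 8.8.8.8"). The script below is an added example, not part of the project's instructions or of tcpdump: it builds a small pcap file from constructed packets (the 10.0.2.15 address, the MAC addresses, and the DNS payload are all made up) and applies the same three filters in pure Python, so you can see why each filter keeps fewer packets than the last. It also writes SAMPLE.pcap, which you can read back with tcpdump -r SAMPLE.pcap and the same filter expressions to confirm the counts match.

```python
# Added example, not part of the project's instructions: builds a small
# pcap from constructed packets and applies the same narrowing as the
# tcpdump filters "icmp", "icmp and host 8.8.8.8" and
# "icmp and src host 8.8.8.8". Run it, then compare with:
#   tcpdump -r SAMPLE.pcap icmp and src host 8.8.8.8
import socket
import struct

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4)
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
PROTO_ICMP, PROTO_UDP = 1, 17

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def icmp_echo(icmp_type):
    """ICMP echo header: type (8 = request, 0 = reply), code, checksum, id, seq."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"constructed"

def udp_to_dns():
    """UDP header to port 53 with a placeholder payload (stands in for the dig queries)."""
    payload = b"quer"
    return struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload

# Constructed traffic shaped like the project's: pings to two resolvers plus one DNS query.
PACKETS = [
    ipv4_packet("10.0.2.15", "8.8.8.8", PROTO_ICMP, icmp_echo(8)),
    ipv4_packet("8.8.8.8", "10.0.2.15", PROTO_ICMP, icmp_echo(0)),
    ipv4_packet("10.0.2.15", "8.8.4.4", PROTO_ICMP, icmp_echo(8)),
    ipv4_packet("8.8.4.4", "10.0.2.15", PROTO_ICMP, icmp_echo(0)),
    ipv4_packet("10.0.2.15", "8.8.8.8", PROTO_UDP, udp_to_dns()),
]

def build_pcap(packets):
    """Serialise IPv4 packets as an Ethernet pcap (one 16-byte record header per frame)."""
    out = [PCAP_GLOBAL_HDR]
    for i, pkt in enumerate(packets):
        frame = ETH_HDR + pkt
        out.append(struct.pack("<IIII", 1507600000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    """Walk the pcap record headers and return the list of frames."""
    frames, off = [], 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames

def parse_frame(frame):
    """Return (protocol number, src IP, dst IP) from an Ethernet/IPv4 frame."""
    ip = frame[14:]
    return ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])

def apply_filter(frames, proto=None, host=None, src_host=None):
    """proto mirrors "icmp"; host mirrors "host X" (either direction); src_host mirrors "src host X"."""
    kept = []
    for fr in frames:
        p, s, d = parse_frame(fr)
        if proto is not None and p != proto:
            continue
        if host is not None and host not in (s, d):
            continue
        if src_host is not None and s != src_host:
            continue
        kept.append(fr)
    return kept

if __name__ == "__main__":
    data = build_pcap(PACKETS)
    with open("SAMPLE.pcap", "wb") as f:
        f.write(data)
    frames = read_pcap(data)
    print("all packets:              ", len(frames))
    print("icmp:                     ", len(apply_filter(frames, proto=PROTO_ICMP)))
    print("icmp and host 8.8.8.8:    ", len(apply_filter(frames, proto=PROTO_ICMP, host="8.8.8.8")))
    print("icmp and src host 8.8.8.8:", len(apply_filter(frames, proto=PROTO_ICMP, src_host="8.8.8.8")))
```

The counts drop from 5 to 4 to 2 to 1 for the same reason your own output gets shorter with each command: "host" matches a packet whose source or destination is 8.8.8.8, while "src host" matches only the replies coming back from it. Note that the IPv4 and ICMP checksums are left at zero here; tcpdump will still parse and filter the file, but a checksum-verifying tool will flag them.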

Capturing a Screen Image

Make sure these required items are visible, as shown above:

Capture a whole-desktop image and save it as "Proj 5a from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT


Task 2: Using Dumpcap and Tshark

Running Dumpcap Without Root Privileges

In your SSH session, execute this command:
dumpcap -i eth0
You see an error message, as shown below.

Reconfiguring Permissions

In your SSH session, execute this command:
sudo dpkg-reconfigure wireshark-common
A purple window appears, with the message shown below.

Use Tab as needed to highlight Yes and press Enter. In your SSH session, execute these commands, replacing "so" with your login name:

sudo usermod -a -G wireshark so
sudo reboot

Running Dumpcap Without Root Privileges

In your SSH session, execute this command:
dumpcap -i eth0
Dumpcap runs now. Stop the capture with Ctrl+C, as shown below.

Using Tshark

In your SSH session, execute these commands:
cd
tshark -r YOURNAME.pcap -Y 'icmp and ip.src == 8.8.8.8'
You see only echo replies from 8.8.8.8, as shown below.

Capturing a Screen Image

Make sure these required items are visible, as shown above:

Capture a whole-desktop image and save it as "Proj 5b from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT


Task 3: Using Argus

Starting Argus

In your SSH session, execute these commands:
sudo sed -i 's|ARGUS_ENABLED="no"|ARGUS_ENABLED="yes"|g' /etc/nsm/*/sensor.conf
sudo service nsm restart
sudo nsm_sensor_ps-status
"argus" should now show a status of OK, as shown below.

Making Traffic

In your SSH session, execute these commands:
ping 8.8.8.8 -c 5
dig @8.8.8.8 kittenwar.com
wget ad.samsclass.info
The commands complete, as shown below.

Viewing Raw Session Data

In your SSH session, execute these commands:
cd /nsm/sensor_data/so-virtual-machine-eth0/argus/
ls -l
You should see one or more log files, as shown below.

In your SSH session, execute this command, replacing the file name with the name of your most recent logfile:

ra -r 2017-10-10.log
The command shows many lines of data, as shown below.

Viewing Clustered Data

In your SSH session, execute this command, replacing the file name with the name of your most recent logfile:
racluster -nr 2017-10-10.log
The command shows many types of data, as shown below.

Viewing Grouped Data

In your SSH session, execute this command, replacing the file name with the name of your most recent logfile:
racluster -nr 2017-10-10.log -m saddr daddr
The command shows a short list of grouped data, as shown below.
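
The difference between the three Argus commands above is how much merging is done: ra prints every flow record, racluster merges records that belong to the same flow, and racluster -m saddr daddr merges everything between the same pair of addresses regardless of protocol or port, which is why the last list is so short. The script below is an added example, not part of the project and not Argus code: it re-implements that grouping over a handful of constructed flow records laid out in ra's default column order (the 10.0.2.15 client address, the 192.0.2.10 web server and all counts are made up), summing packets and bytes per group the way racluster does.

```python
# Added example, not part of the project or of Argus itself: a small
# re-implementation of the grouping racluster -m saddr daddr performs,
# run over constructed flow records in ra's default column order.
from collections import defaultdict

COLUMNS = ["start", "proto", "saddr", "sport", "dir", "daddr", "dport", "pkts", "bytes", "state"]

# Constructed records (not real ra output). 192.0.2.10 is a documentation
# address standing in for the web server reached by wget.
RA_OUTPUT = """\
12:00:01.000000 icmp 10.0.2.15 0     -> 8.8.8.8    0  4  392  ECO
12:00:02.000000 icmp 10.0.2.15 0     -> 8.8.8.8    0  6  588  ECO
12:00:04.000000 udp  10.0.2.15 54021 -> 8.8.8.8    53 2  180  CON
12:00:05.000000 tcp  10.0.2.15 44120 -> 192.0.2.10 80 12 4200 FIN
12:00:06.000000 tcp  10.0.2.15 44121 -> 192.0.2.10 80 8  2100 FIN
"""

def parse_ra(text):
    """Turn whitespace-separated flow lines into dicts; counters become ints."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS):
            continue  # skip header or malformed lines
        rec = dict(zip(COLUMNS, fields))
        rec["pkts"] = int(rec["pkts"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records

def cluster(records, keys=("saddr", "daddr")):
    """Merge records that share the chosen key fields, like racluster -m <keys>.

    Each group keeps how many records were merged and the summed packet and byte counts.
    """
    groups = defaultdict(lambda: {"records": 0, "pkts": 0, "bytes": 0})
    for rec in records:
        g = groups[tuple(rec[k] for k in keys)]
        g["records"] += 1
        g["pkts"] += rec["pkts"]
        g["bytes"] += rec["bytes"]
    return dict(groups)

def format_clusters(groups):
    """One line per group, address pair first so it reads like racluster's output."""
    lines = []
    for key, g in sorted(groups.items()):
        lines.append(f"{'  '.join(key):32} records={g['records']:<3} pkts={g['pkts']:<5} bytes={g['bytes']}")
    return lines

if __name__ == "__main__":
    recs = parse_ra(RA_OUTPUT)
    print(f"ra: {len(recs)} records")
    print("racluster -m saddr daddr:")
    print("\n".join(format_clusters(cluster(recs))))
    print("racluster -m proto saddr daddr:")
    print("\n".join(format_clusters(cluster(recs, keys=("proto", "saddr", "daddr")))))
```

Grouping on saddr and daddr collapses the five records into two lines (one per remote host); adding proto to the key splits the 8.8.8.8 line back into its ICMP and DNS parts. That is the trade-off you make when choosing -m fields: fewer fields give a quicker "who talked to whom" summary, more fields preserve the detail you need when an address pair turns out to be worth a closer look.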

Capturing a Screen Image

Make sure this line is visible, as shown above:
ip ... <-> 8.8.8.8
Capture a whole-desktop image and save it as "Proj 5c from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Email the image to cnit.50sam@gmail.com with a subject line of "Proj 5 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Posted 10-11-17
Rev. 10-28-17 to fix space in IP Address