Project 6: Graphical Tools (15 pts.)

What You Need

Purpose

To practice using these tools:

Starting SecurityOnion

Start your SecurityOnion virtual machine and log in with the username and password you chose (I recommended so and so).

Connect to the SO machine via SSH.


Getting the Nitroba PCAP

On your host system, in a Web browser, go to:

https://digitalcorpora.org/corpora/scenarios/nitroba-university-harassment-scenario

Near the bottom of this page, click "pcap file". Save the nitroba.pcap file in your Downloads folder. Check the file size: it should be 56,180,821 bytes.

Drag the nitroba.pcap file and drop it on the SecurityOnion desktop. If you can't drag-and-drop, execute these commands to install VMware Tools.

sudo apt-get update
sudo apt-get install -y open-vm-tools open-vm-tools-desktop
sudo reboot

Note

Xplico is now abandoned and SecurityOnion no longer includes Xplico by default, so skip ahead to "Task 2: NetworkMiner" unless you are using an older version of SecurityOnion.

Task 1: Using Xplico

Uploading a PCAP

On your SecurityOnion desktop, double-click Xplico.

If you see the error message shown below, wait a few seconds and refresh the browser.

When you see this login screen, log in with the username xplico and the password xplico.

On the left side, click "New Case". Accept the default selection of "Uploading PCAP capture file(s)". Name the case YOURNAME as shown below. Click Create.

On the next page, click YOURNAME.

On the next page, click "New Session".

Name the session YOURNAME as shown below. Click Create.

On the next page, click YOURNAME.

On the right side, click the "Choose file" button. Navigate to the nitroba.pcap file on your Desktop and click Open.

Click the Upload button.

Wait while the file is decoded.

When it's done, you will see numbers in the "HTTP" box, as shown below.

Reconstructing a Video

On the left side, click Web. On the next page, click Site. Xplico shows the last 16 sessions of Web browsing, with the newest listed first, as shown below.

At the top of the screen, click the Video button and click Go.

A link to a Google video appears, as shown below. Click the link.

A message about Flash appears, as shown below.

Click the "Click here to download latest version" link.

When I did it, I was lucky, and a box popped up asking to approve running Flash. If that works for you, you'll be able to see the video shown below.

If Flash fails, and won't install, which is the usual experience, just skip the video and proceed with the rest of the project.

This video is not streaming from the Web: it's being reconstructed from the PCAP file.

Viewing Images

On the left side, click Images. Go to the second page of images to find a photo of a backpack, as shown below.

Capturing Screen Image: A

Make sure at least one reconstructed image is visible, as shown above.

Capture a whole-desktop image and save it as "Proj 6a from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT


Task 2: NetworkMiner

Installing NetworkMiner on Windows

NetworkMiner only works on Windows. There is a Linux version but it's a cruel joke, requiring hours to do what the Windows version does in minutes.

On a Windows machine, in a browser, go to

https://sourceforge.net/projects/networkminer/files/networkminer/

Download the latest version: NetworkMiner-1.6.1.

There are later versions of this product on another website, but this old version worked best on my Windows 2008 Server system.

Unzip the ZIP file and run NetworkMiner.

Opening the PCAP

In NetworkMiner, click File, Open and open the nitroba.pcap file in your Downloads folder.

Wait for NetworkMiner to process the file--it will take about 5 minutes.

Examining Host 192.168.15.4

In NetworkMiner, on the Hosts tab, scroll down to 192.168.15.4 and click the + sign next to it, to expand it.

Also expand the "Host Details" section, as shown below.

NetworkMiner identifies this as a Mac computer.

Scroll down until you see the screen resolutions used by this Mac, as shown below.
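The two checks in this project that are worth scripting are the file-size check on the downloaded nitroba.pcap and the per-host "Host Details" view that NetworkMiner builds for 192.168.15.4. The script below is an added example, not code from the project page, from Xplico or from NetworkMiner: it validates a libpcap file (magic number, endianness, link type, intact packet records, expected byte count) using only the Python standard library, and then does a much simpler version of the passive host fingerprinting NetworkMiner summarises, grouping HTTP User-Agent strings by source IP (NetworkMiner uses many more signals than this). The function names are mine, and the sample capture at the bottom is constructed for the example: the address 192.168.1.64 and all User-Agent strings are made up and are not Nitroba traffic.

```python
"""Validate a libpcap download and list HTTP User-Agent strings per source IP.
Added example using only the standard library; the packets at the bottom are
constructed test data, not real Nitroba traffic."""
import socket
import struct
from collections import defaultdict

NITROBA_EXPECTED_SIZE = 56_180_821   # byte count stated on the project page
LINKTYPE_ETHERNET = 1
# libpcap magic numbers as read with '<I'; pcapng files start with 0x0a0d0d0a instead
_LE_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # written little-endian (us / ns timestamps)
_BE_MAGICS = {0xD4C3B2A1, 0x4D3CB2A1}   # written big-endian


def parse_global_header(data):
    """Return (endian prefix, snaplen, linktype) or raise if this is not libpcap."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        endian = "<"
    elif magic in _BE_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng, truncated or corrupt)")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return endian, snaplen, linktype


def iter_packets(data):
    """Yield (linktype, packet bytes) per record; a short final record is an error."""
    endian, _snaplen, linktype = parse_global_header(data)
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        off += incl_len
        yield linktype, pkt


def user_agents_by_host(data):
    """Map source IPv4 address -> sorted User-Agent strings seen in HTTP requests."""
    agents = defaultdict(set)
    for linktype, pkt in iter_packets(data):
        if linktype != LINKTYPE_ETHERNET or len(pkt) < 54:
            continue
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (pkt[14] & 0x0F) * 4                       # IPv4 header length
        src_ip = socket.inet_ntoa(pkt[26:30])
        tcp = 14 + ihl
        payload = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:]   # skip TCP header + options
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            continue
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"user-agent:"):
                agents[src_ip].add(line.split(b":", 1)[1].strip().decode("latin-1"))
    return {ip: sorted(uas) for ip, uas in agents.items()}


def check_pcap_bytes(data, expected_size=None):
    """Structural check to run before loading the file into Xplico or NetworkMiner."""
    _endian, snaplen, linktype = parse_global_header(data)
    count = sum(1 for _ in iter_packets(data))
    return {"size_ok": expected_size is None or len(data) == expected_size,
            "size": len(data), "snaplen": snaplen, "linktype": linktype, "packets": count}


def verify_download(path, expected_size=NITROBA_EXPECTED_SIZE):
    with open(path, "rb") as fh:
        return check_pcap_bytes(fh.read(), expected_size)


# ---- constructed sample capture (made-up addresses and User-Agent strings) ----
def build_http_packet(src_ip, user_agent):
    payload = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: "
               + user_agent.encode() + b"\r\n\r\n")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1"))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


CONSTRUCTED_PCAP = build_pcap([
    build_http_packet("192.168.15.4", "Mozilla/5.0 (Macintosh; Intel Mac OS X) constructed"),
    build_http_packet("192.168.15.4", "Safari/525.20 constructed"),
    build_http_packet("192.168.1.64", "Mozilla/4.0 (Windows NT 5.1) constructed"),
])

if __name__ == "__main__":
    print(check_pcap_bytes(CONSTRUCTED_PCAP))
    for ip, uas in user_agents_by_host(CONSTRUCTED_PCAP).items():
        print(ip, uas)
```

To check the real download, call verify_download("nitroba.pcap") and confirm "size_ok" is True and "linktype" is 1; a pcapng export from a newer Wireshark raises ValueError here and will also confuse older versions of these tools, so save as classic pcap. The User-Agent grouping only sees requests whose headers fit in one segment, which is why NetworkMiner reassembles TCP streams before parsing.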

Viewing Messages

Click the Messages tab. Two emails are found from this host.

Find the one threatening a teacher, as shown below.

Capturing Screen Image: B

Make sure the threatening message outlined in green in the image above is visible.

Capture a whole-desktop image and save it as "Proj 6b from YOURNAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Email the image to cnit.50sam@gmail.com with a subject line of "Proj 6 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Posted 10-29-17
Rev. 12-10-17 with note about Xplico