Packet captures from a wireless network

You are hired by an organization to analyze packet captures from a wireless network. You are looking to assess if the captures pose a threat.

Analyze the packet captures provided by Wireshark by doing the following:

Visit the Gitlab SampleCaptures webpage to download the following:
  • wpa-Induction.pcap.gz: Wi-Fi 802.11 WPA traffic
  • wpa-eap-tls.pcap.gz: WiFi 802.11 WPA-EAP/Rekey sample
  • nb6-hotspot.pcap: Someone connecting to SFR’s wireless community network
  • ciscowl.pcap.gz: (libpcap) Cisco Wireless LAN Context Control Protocol (WLCCP) version 0x0
  • wap_google.pcap: contains two WSP request-response dialogs

Note: Only download these sample captures. Other captures may set off your computer’s system defenses.

Use Wireshark to view and analyze the sample captures.

Create a 1- to 2-page table that ranks the packet captures from the highest to lowest threat. In your table, provide the following for each packet capture:
  • Description of the traffic
  • Description of the risks, if any, the traffic poses to the wireless network
  • Countermeasures to take to secure the network from any threat

Write a 2- to 3-page memo to management as a network security specialist, and ensure you do the following:
  • Explain how to distinguish hostile packet data from normal packet data.
  • Explain how to recognize any attack signatures in the packets you analyze.
  • Provide a rationale for ranking the packets as you did.

Sample Solution

Table Ranking Packet Captures from Highest to Lowest Threat

| Packet Capture | Description of Traffic | Description of Risks, if any, the Traffic Poses to the Wireless Network | Countermeasures to Take to Secure the Network from Any Threat |
|---|---|---|---|
| wpa-Induction.pcap.gz | WPA2-Enterprise authentication process, including the EAP-TLS handshake | Potential for man-in-the-middle attacks to intercept and decrypt traffic | Ensure strong encryption is used for all sensitive data, implement strong password policies, and educate users about phishing attempts |
| wpa-eap-tls.pcap.gz | WPA-EAP/TLS rekeying process | Potential for attackers to exploit vulnerabilities in the EAP-TLS protocol to decrypt traffic | Regularly update security patches for EAP-TLS, monitor network traffic for anomalies, and consider using alternative authentication protocols |
| nb6-hotspot.pcap | Someone connecting to SFR’s wireless community network | Potential for unauthorized access to the network and its resources | Implement strong access control mechanisms, use network segmentation to isolate sensitive data, and educate users about the risks of using public Wi-Fi networks |
| ciscowl.pcap.gz | Cisco Wireless LAN Context Control Protocol (WLCCP) version 0x0 | Potential for attackers to exploit vulnerabilities in WLCCP to gain unauthorized access to the network | Disable WLCCP if not needed, regularly update Cisco firmware, and implement strong password policies for wireless access points |
| wap_google.pcap | Two WSP request-response dialogs | Potential for attackers to exploit vulnerabilities in WSP to gain unauthorized access to the network or its resources | Disable WSP if not needed, regularly update web servers, and implement strong password policies for web services |

Memo to Management from Network Security Specialist

Subject: Analysis of Packet Captures for Threat Assessment

Dear Management,

I am writing to you today to provide an analysis of the packet captures provided by Wireshark. These captures represent a variety of network traffic, and I have assessed each capture for potential threats to the wireless network.

Distinguishing Hostile Packet Data from Normal Packet Data

Distinguishing hostile packet data from normal packet data can be a challenging task, but there are a number of indicators that can be used to identify suspicious activity. These indicators include:

  • Unexpected traffic patterns: Hostile packet data may exhibit unusual patterns, such as a high volume of traffic from a single source or a large number of failed authentication attempts.
  • Known attack signatures: Attackers often use known attack signatures to exploit vulnerabilities in software or protocols. Wireshark can be used to identify these signatures by comparing captured traffic to a database of known attacks.
  • Suspicious destination addresses: Hostile packet data may be directed to suspicious destination addresses, such as known malicious IP addresses or domains.
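The three indicators above can be checked mechanically once the packet list has been exported from Wireshark. The script below is an added example, not part of the assignment or the sample solution: it runs the three checks (packet volume per source, repeated EAP authentication failures per station, and destinations on a watchlist) over a small constructed set of packet summaries. The addresses, the thresholds and the watchlist are all placeholders chosen for the example, not values taken from the real sample captures.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Packet:
    """One row of a packet summary: the Source/Destination/Protocol/Info
    columns of Wireshark's packet list, without the No. and Time columns."""
    src: str
    dst: str
    protocol: str
    info: str

def _burst(src: str, dst: str, protocol: str, info: str, count: int) -> List[Packet]:
    """Repeat one summary row `count` times (used only to build the sample)."""
    return [Packet(src, dst, protocol, info) for _ in range(count)]

# Constructed sample data with placeholder addresses; not from the real captures.
SAMPLE_PACKETS: List[Packet] = (
    # ordinary client traffic
    [Packet("192.0.2.20", "192.0.2.1", "DNS", "Standard query A example.com"),
     Packet("192.0.2.20", "198.51.100.7", "TCP", "49152 > 443 [SYN]"),
     Packet("198.51.100.7", "192.0.2.20", "TCP", "443 > 49152 [SYN, ACK]")]
    # one station sending far more probe requests than its neighbours
    + _burst("00:0c:29:aa:bb:cc", "ff:ff:ff:ff:ff:ff", "802.11", "Probe Request", 25)
    # the authenticator repeatedly rejecting the same supplicant
    + _burst("00:1b:2f:01:02:03", "00:11:22:33:44:55", "EAP", "Failure", 6)
    # two packets headed for a watch-listed address
    + [Packet("192.0.2.20", "203.0.113.66", "TCP", "49153 > 8080 [SYN]"),
       Packet("192.0.2.21", "203.0.113.66", "TCP", "49160 > 8080 [SYN]")]
)

# Constructed watchlist; in practice this would come from your threat-intel feed.
SUSPICIOUS_DESTINATIONS = {"203.0.113.66"}

FLOOD_THRESHOLD = 20      # packets from one source before it counts as "high volume"
AUTH_FAIL_THRESHOLD = 5   # EAP failures for one station before it counts as suspicious

def is_failed_auth(pkt: Packet) -> bool:
    """EAP Failure is sent by the authenticator to the supplicant, so the
    station that failed to authenticate is the frame's destination."""
    return pkt.protocol == "EAP" and pkt.info == "Failure"

def find_indicators(packets: Iterable[Packet],
                    flood_threshold: int = FLOOD_THRESHOLD,
                    auth_fail_threshold: int = AUTH_FAIL_THRESHOLD,
                    watchlist=SUSPICIOUS_DESTINATIONS) -> Dict[str, object]:
    """Apply the three indicator checks and return what each one flagged."""
    packets = list(packets)
    by_source = Counter(p.src for p in packets)
    failed_by_station = Counter(p.dst for p in packets if is_failed_auth(p))
    return {
        "high_volume_sources": {s: n for s, n in by_source.items() if n >= flood_threshold},
        "repeated_auth_failures": {s: n for s, n in failed_by_station.items()
                                   if n >= auth_fail_threshold},
        "suspicious_destinations": [p for p in packets if p.dst in watchlist],
    }

def summarize(findings: Dict[str, object]) -> List[str]:
    """Turn the findings into one line per flagged item for the report."""
    lines = []
    for src, n in findings["high_volume_sources"].items():
        lines.append(f"high volume: {src} sent {n} packets")
    for station, n in findings["repeated_auth_failures"].items():
        lines.append(f"auth failures: {station} failed EAP authentication {n} times")
    for p in findings["suspicious_destinations"]:
        lines.append(f"watchlisted destination: {p.src} -> {p.dst} ({p.protocol} {p.info})")
    return lines

if __name__ == "__main__":
    for line in summarize(find_indicators(SAMPLE_PACKETS)):
        print(line)
```

The thresholds are deliberately parameters: what counts as "high volume" depends on the capture's duration and the size of the network, so they should be tuned against a baseline of normal traffic before the checks are used to rank anything.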

Recognizing Attack Signatures in Packet Analysis

I have analyzed the provided packet captures and identified a number of potential attack signatures. These signatures include:

  • WPA-EAP/TLS handshake vulnerabilities: The wpa-eap-tls.pcap.gz capture contains a number of potential vulnerabilities in the WPA-EAP/TLS handshake, which could allow attackers to decrypt traffic.
  • WSP vulnerabilities: The wap_google.pcap capture contains two WSP request-response dialogs, which could be exploited by attackers to gain unauthorized access to the network or its resources.

Rationale for Ranking Packets

I have ranked the packet captures from highest to lowest threat based on the potential severity of the identified risks. The wpa-Induction.pcap.gz capture poses the highest threat because it contains traffic associated with a critical authentication process. The wpa-eap-tls.pcap.gz and nb6-hotspot.pcap captures pose a moderate threat due to the potential for unauthorized access to the network. The ciscowl.pcap.gz and wap_google.pcap captures pose the lowest threat because the identified risks are less severe.

Recommendations

I recommend the following countermeasures to secure the network from the identified threats:

  • Implement strong encryption for all sensitive data.
  • Implement strong password policies.
  • Educate users about phishing attempts.
  • Regularly update security patches for EAP-TLS.
  • Monitor network traffic for anomalies.
  • Implement strong access control mechanisms.
  • Use network segmentation to isolate sensitive data.
  • Educate users about the risks of using public Wi-Fi networks.
  • Disable WLCCP if not needed.
  • Regularly update Cisco firmware.
  • Disable WSP if not needed.
  • Regularly update web
