You are hired by an organization to analyze packet captures from a wireless network. Your task is to assess whether the captured traffic poses a threat.
Analyze the packet captures provided by Wireshark by doing the following:
Visit the GitLab SampleCaptures webpage to download the following:
- wpa-Induction.pcap.gz: Wi-Fi 802.11 WPA traffic
- wpa-eap-tls.pcap.gz: WiFi 802.11 WPA-EAP/Rekey sample
- nb6-hotspot.pcap: Someone connecting to SFR's wireless community network
- ciscowl.pcap.gz: (libpcap) Cisco Wireless LAN Context Control Protocol (WLCCP) version 0x0
- wap_google.pcap: contains two WSP request-response dialogs
Note: Only download these sample captures. Other captures may set off your computer’s system defenses.
Use Wireshark to view and analyze the sample captures.
Create a 1- to 2-page table that ranks the packet captures from the highest to lowest threat. In your table, provide the following for each packet capture:
- Description of the traffic
- Description of the risks, if any, the traffic poses to the wireless network
- Countermeasures to take to secure the network from any threat
Write a 2- to 3-page memo to management as a network security specialist, and ensure you do the following:
- Explain how to distinguish hostile packet data from normal packet data.
- Explain how to recognize any attack signatures in the packets you analyze.
- Provide a rationale for ranking the packets as you did.
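Before loading downloaded captures into Wireshark, it helps to confirm that each file really is a libpcap capture and which link-layer type it carries, since raw 802.11 frames (linktype 105) and radiotap-wrapped frames (127) dissect differently from Ethernet (1). The Python below is an added example, not part of the assignment or of the Wireshark sample set; it parses the pcap global header and every record header of a constructed in-memory capture and handles the gzip wrapper used by the .pcap.gz samples.

```python
import gzip
import struct

# pcap global-header magic values (first 4 bytes) -> (struct byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanoseconds
}

# Link-layer types a wireless capture is likely to carry
LINKTYPES = {1: "LINKTYPE_ETHERNET", 105: "LINKTYPE_IEEE802_11", 127: "LINKTYPE_IEEE802_11_RADIOTAP"}


def inspect_pcap(data: bytes) -> dict:
    """Parse the global header and walk every record header of a (possibly gzip-wrapped) pcap."""
    gzipped = data[:2] == b"\x1f\x8b"
    if gzipped:
        data = gzip.decompress(data)
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a libpcap capture file")
    endian, ts_unit = PCAP_MAGICS[data[:4]]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, offset = 0, 24
    while offset + 16 <= len(data):
        # per-record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or incl_len > orig_len or offset + 16 + incl_len > len(data):
            raise ValueError(f"corrupt or truncated record header at offset {offset}")
        records, offset = records + 1, offset + 16 + incl_len
    return {"gzipped": gzipped, "version": f"{major}.{minor}", "timestamp_unit": ts_unit,
            "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "other"), "records": records}


def build_sample(linktype: int, frames: list, compress: bool = False) -> bytes:
    """Constructed input for testing: a little-endian pcap 2.4 file wrapping the given payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return gzip.compress(out) if compress else out


if __name__ == "__main__":
    # Two constructed raw 802.11 frames (24-byte MAC headers only) inside a gzip-wrapped capture
    sample = build_sample(105, [b"\x08\x02" + b"\x00" * 22, b"\xc0\x00" + b"\x00" * 22], compress=True)
    print(inspect_pcap(sample))
```

A file whose first bytes are neither a pcap magic nor the gzip signature is rejected before anything else is parsed, which is the check to run on an unexpected download before opening it in a dissector.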
Table Ranking Packet Captures from Highest to Lowest Threat
| Packet Capture | Description of Traffic | Description of Risks, if any, the Traffic Poses to the Wireless Network | Countermeasures to Take to Secure the Network from Any Threat |
|---|---|---|---|
| wpa-Induction.pcap.gz | WPA 2-Enterprise authentication process, including the EAP-TLS handshake | Potential for man-in-the-middle attacks to intercept and decrypt traffic | Ensure strong encryption is used for all sensitive data, implement strong password policies, and educate users about phishing attempts |
| wpa-eap-tls.pcap.gz | WPA-EAP/TLS rekeying process | Potential for attackers to exploit vulnerabilities in the EAP-TLS protocol to decrypt traffic | Regularly update security patches for EAP-TLS, monitor network traffic for anomalies, and consider using alternative authentication protocols |
| nb6-hotspot.pcap | Someone connecting to SFR's wireless community network | Potential for unauthorized access to the network and its resources | Implement strong access control mechanisms, use network segmentation to isolate sensitive data, and educate users about the risks of using public Wi-Fi networks |
| ciscowl.pcap.gz | Cisco Wireless LAN Context Control Protocol (WLCCP) version 0x0 | Potential for attackers to exploit vulnerabilities in WLCCP to gain unauthorized access to the network | Disable WLCCP if not needed, regularly update Cisco firmware, and implement strong password policies for wireless access points |
| wap_google.pcap | Two WSP request-response dialogs | Potential for attackers to exploit vulnerabilities in WSP to gain unauthorized access to the network or its resources | Disable WSP if not needed, regularly update web servers, and implement strong password policies for web services |
Memo to Management from Network Security Specialist
Subject: Analysis of Packet Captures for Threat Assessment
Dear Management,
I am writing to you today to provide an analysis of the packet captures provided by Wireshark. These captures represent a variety of network traffic, and I have assessed each capture for potential threats to the wireless network.
Distinguishing Hostile Packet Data from Normal Packet Data
Distinguishing hostile packet data from normal packet data can be a challenging task, but there are a number of indicators that can be used to identify suspicious activity. These indicators include:
Recognizing Attack Signatures in Packet Analysis
I have analyzed the provided packet captures and identified a number of potential attack signatures. These signatures include:
Rationale for Ranking Packets
I have ranked the packet captures from highest to lowest threat based on the potential severity of the identified risks. The wpa-Induction.pcap.gz capture poses the highest threat because it contains traffic associated with a critical authentication process. The wpa-eap-tls.pcap.gz and nb6-hotspot.pcap captures pose a moderate threat due to the potential for unauthorized access to the network. The ciscowl.pcap.gz and wap_google.pcap captures pose the lowest threat because the identified risks are less severe.
Recommendations
I recommend the following countermeasures to secure the network from the identified threats: