This report presents the analysis of the organization’s wireless network traffic. It covers the main aspects of network security analysis: the port scan, the hypertext transfer protocol filter, analysis of the transmission control protocol, analysis of the internet control message protocol, TCP keep-alive, TCP RST, ACK and TCP out-of-order segments. The report’s aim is to find the member of the organization responsible for a serious crime, and it therefore calls for network security scans such as a scan for port scanning, which is given priority for that reason. For each analysis the report contains evidence of the problems mentioned, for instance the packet data that was evaluated for a port scan and for out-of-order segments. A conclusion section summarizes all the findings and details of the report. After the conclusion, recommendations are given on how to deal with the problems encountered during the analysis of the organization’s wireless network.
Scanning of the ports
The aim of this scan is to establish whether the network was vulnerable to an external attack in which an attacker gains access to the network by evaluating and trying out its ports (Sanders 2018, May 30).
A port scan attack was found, in which an attacker sends packets to the same port over a period of time (Sanders 2017). The attacker’s aim is to gain information about the organization’s wireless network. Once the attacker knows the structure and the design of the organization’s wireless network, he or she is able to design channels to gain access to it, and after gaining access can do whatever he or she desires with the wireless network.
In the above image of the port scan attack, packets 448189, 570523 and 608737 have the same source and destination, which is very suspicious. In the three packets an attacker repeatedly sends messages to internet protocol address 126.96.36.199 through port 66 to identify vital security information about the organization’s wireless network. This security information may be the vulnerabilities or weaknesses in the authentication and authorization processes, such as the passwords and the access levels of the various members of the organization. It is therefore likely that the organization’s wireless network was invaded by an attacker with malicious intentions.
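The two patterns this section looks for in Wireshark, a sweep across many ports and repeated unanswered probes of one port from the same source, can also be checked programmatically over an exported capture. The script below is an added illustration, not part of the original report; it works on a constructed CSV shaped like a Wireshark packet export with port and flag columns added, and every host, port and time in it is made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a Wireshark CSV export with the TCP ports and flags
# added as columns (S = SYN, SA = SYN/ACK); hosts, ports and times are made up here.
SAMPLE_CSV = """\
No.,Time,Source,Destination,SrcPort,DstPort,Flags
1,0.000,192.168.43.212,10.0.0.5,40111,22,S
2,0.020,192.168.43.212,10.0.0.5,40112,23,S
3,0.040,192.168.43.212,10.0.0.5,40113,25,S
4,0.060,192.168.43.212,10.0.0.5,40114,80,S
5,0.080,192.168.43.212,10.0.0.5,40115,443,S
6,5.000,192.168.43.212,10.0.0.5,40116,66,S
7,9.000,192.168.43.212,10.0.0.5,40117,66,S
8,13.000,192.168.43.212,10.0.0.5,40118,66,S
9,14.000,192.168.43.7,10.0.0.5,51000,443,S
10,14.010,10.0.0.5,192.168.43.7,443,51000,SA
"""

def load_packets(text):
    """Parse the export into dicts with numeric time and ports."""
    return [{"no": int(r["No."]), "t": float(r["Time"]), "src": r["Source"],
             "dst": r["Destination"], "sport": int(r["SrcPort"]),
             "dport": int(r["DstPort"]), "flags": r["Flags"]}
            for r in csv.DictReader(io.StringIO(text))]

def find_port_sweeps(pkts, window=1.0, min_ports=5):
    """(src, dst) pairs where src sent SYNs to >= min_ports distinct ports within window s."""
    syns = [p for p in pkts if p["flags"] == "S"]
    hits = set()
    for i, p in enumerate(syns):
        ports = {p["dport"]}
        for q in syns[i + 1:]:           # packets are in capture order, so stop past the window
            if q["t"] - p["t"] > window:
                break
            if (q["src"], q["dst"]) == (p["src"], p["dst"]):
                ports.add(q["dport"])
        if len(ports) >= min_ports:
            hits.add((p["src"], p["dst"]))
    return sorted(hits)

def find_repeated_probes(pkts, min_repeats=3):
    """The report's pattern: one source repeatedly SYNs the same dst port and never gets a SYN/ACK."""
    # A SYN/ACK from dst:dport back to src:sport answers the SYN src:sport -> dst:dport.
    answered = {(p["dst"], p["dport"], p["src"], p["sport"]) for p in pkts if p["flags"] == "SA"}
    unanswered = defaultdict(list)
    for p in pkts:
        if p["flags"] == "S" and (p["src"], p["sport"], p["dst"], p["dport"]) not in answered:
            unanswered[(p["src"], p["dst"], p["dport"])].append(p["no"])
    return sorted((s, d, port, nos) for (s, d, port), nos in unanswered.items()
                  if len(nos) >= min_repeats)
```

The thresholds are arbitrary starting points; on a real export they should be tuned against the organization's normal traffic so that legitimate services are not reported.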
Hypertext transfer protocol filter
This filter gives information on the version of the hypertext transfer protocol, the time intervals, the server used in the communication, the details of the communication and the characters used in it (Wondracek et al. 2008, February).
In this case there is no hypertext transfer protocol communication at all.
Transmission Control Protocol retransmission and Transmission Control Protocol spurious retransmission (Karthik & Pramod 2011, February 11)
A Transmission Control Protocol retransmission means that a message was sent but the receiver did not receive it, so the sender has to send it again. Transmission Control Protocol retransmissions are quite normal, but when they occur too frequently they become abnormal. In this capture, retransmissions occur only in transmissions between internet protocol addresses 192.168.43.212 and 188.8.131.52, whether either of them is sending or receiving a message in the wireless network. This raises suspicion about the two members with these two internet protocol addresses: why is it that every time they send information it has to be resent? It may be due to their clearance or access level, which may not permit them to share the information.
Transmission Control Protocol Duplicate ACK
Duplicate ACKs are observed on port 66 and are very frequent. This means there has been a large transfer of messages through port 66 and there was congestion, where the messages could not be completely sent at once and therefore had to be sent twice to be received. This is an anomaly: why would a member of the organization want to send a large amount of messages to the same person from time to time?
At 64.207776, which is Thursday, January 1, 1970 12:01:04.207 AM (Misja 2018, May 30), internet protocol address 192.168.43.212 sends a huge message to internet protocol address 184.108.40.206. Why would someone send information just after midnight, outside the working hours of the organization? It is strange for members of the organization to send huge amounts of information in the small hours of the night.
The time between the two Transmission Control Protocol duplicate ACKs is a split second; they occur at almost the same time. This can also be done to prevent or avoid packet loss, where one sends packets through the wireless network and the receiver does not get the whole packet as sent by the sender.
Transmission Control Protocol keep alive
Keep-alive is used to establish whether the connection between two hosts is still valid (Kaushik & Joshi 2010). 192.168.43.212 sends a Transmission Control Protocol packet to 220.127.116.11 to establish whether they are still connected, that is, whether the connection between them is still live. 18.104.22.168 sends back another Transmission Control Protocol packet to 192.168.43.212 claiming that it has changed its connection; therefore the connection between the two internet protocol addresses is terminated. There is no more conversation between the two members with these addresses.
Transmission Control Protocol out of order
Transmission Control Protocol out-of-order occurs when the messages or information sent in the organization’s wireless network are received in a sequence different from the intended one, or from the one in which they were sent. This is caused by the different channels the messages pass through to reach their destination, or by a network infrastructure that was designed in a way that does not preserve the order in which messages sent through the organization’s wireless network should be received.
In the above packet filter, the information on packet 868 shows that the order in which a member on internet protocol address 22.214.171.124 receives messages from the source differs from the order in which the sender, a member using internet protocol address 126.96.36.199, sent them. The cause may be the different channels through which the information passes to reach its destination, or the design of the organization’s wireless network.
Transmission Control Protocol out-of-order is normally not a major problem, because the Transmission Control Protocol is supposed to reassemble the packets and rearrange the message into its intended order. In this case, however, the Transmission Control Protocol does not reassemble the order of the messages sent. Therefore the message retrieved by 188.8.131.52 is not arranged in the same sequence as the one sent by 184.108.40.206.
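The retransmission, duplicate ACK and out-of-order findings in the preceding sections are labels that Wireshark's TCP analysis attaches to individual segments. The following added example, which is neither Wireshark's code nor part of the original report, re-implements a simplified form of those checks over a constructed single conversation so that the condition behind each label is explicit; the real analyser additionally uses round-trip-time thresholds, which are left out here.

```python
# Simplified re-implementation of the checks behind Wireshark's TCP expert-info
# labels (Dup ACK, Out-Of-Order, Retransmission, Spurious Retransmission). Added
# illustration, not Wireshark's code; the conversation below is constructed: one
# side sends data segments (seq, len), the other replies with pure ACKs.
FLOW = [
    {"no": 1, "kind": "data", "seq": 1, "len": 100},
    {"no": 2, "kind": "ack", "ack": 101},
    {"no": 3, "kind": "data", "seq": 201, "len": 100},  # bytes 101-200 never captured
    {"no": 4, "kind": "ack", "ack": 101},               # receiver still asks for 101
    {"no": 5, "kind": "ack", "ack": 101},
    {"no": 6, "kind": "data", "seq": 101, "len": 100},  # late segment fills the hole
    {"no": 7, "kind": "ack", "ack": 301},
    {"no": 8, "kind": "data", "seq": 201, "len": 100},  # resent although already ACKed
    {"no": 9, "kind": "data", "seq": 301, "len": 100},
    {"no": 10, "kind": "data", "seq": 301, "len": 100}, # resent before its ACK arrived
]

def classify_flow(flow):
    """Return {packet number: expert label} for one TCP conversation."""
    next_seq = None       # next byte the data sender is expected to send
    highest_ack = 0       # highest ACK number seen from the receiver
    last_ack, dups = None, 0
    seen = set()          # (seq, len) of data segments already captured
    labels = {}
    for p in flow:
        if p["kind"] == "ack":
            if p["ack"] == last_ack:            # same ACK again, no new data acknowledged
                dups += 1
                labels[p["no"]] = f"Dup ACK #{dups}"
            else:
                last_ack, dups = p["ack"], 0
                highest_ack = max(highest_ack, p["ack"])
                labels[p["no"]] = "ACK"
            continue
        seq, end = p["seq"], p["seq"] + p["len"]
        if next_seq is None or seq == next_seq:  # exactly what was expected next
            labels[p["no"]] = "OK"
            next_seq = end
        elif seq > next_seq:                     # a gap: something before it was missed
            labels[p["no"]] = "Previous segment not captured"
            next_seq = end
        elif end <= highest_ack:                 # receiver already had these bytes
            labels[p["no"]] = "Spurious Retransmission"
        elif (seq, p["len"]) in seen:            # same bytes sent a second time
            labels[p["no"]] = "Retransmission"
        else:                                    # earlier bytes arriving late
            labels[p["no"]] = "Out-Of-Order"
        seen.add((seq, p["len"]))
    return labels
```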
Transmission Control Protocol RST
RST (Baxter 2014) tries to acknowledge the presence of a packet sent with a previous ACK that was closed. It therefore puts the two packets together, the previous packet and the current packet. This causes an abnormal termination of the Transmission Control Protocol connection but is not treated as a problem.
A packet that has been sent successfully is terminated using RST alone and not RST, ACK or FIN, ACK. Using RST to terminate a packet is a fast and efficient way of terminating it because it either blocks a number of resources or none at all. Terminating a Transmission Control Protocol packet using FIN, ACK, as seen in the above image, is not normal because it is slow and blocks resources from access by other packets.
Looking for secret information shared by a member
When looking for secret information or messages shared by the members of the organization, a filter of icmp (Kaushik & Joshi 2010) packets was applied to identify whether there were anomalies in the way the members of the organization shared the organization’s information. This is where abnormal activities such as pings between two members of the organization are checked. For instance, if two members of the organization ping each other, it would raise concern as to why they were pinging each other in the organization’s wireless network. The image below represents the icmp packet filter (Bansal et al. 2013, April).
The image has no activities in the table, meaning there were no internet control message protocol activities between the members of the organization.
This is the expert information on the analyzed live captured packets. There are warnings of an out-of-order Transmission Control Protocol segment, a DNS response retransmission and a query retransmission. There are also spurious retransmissions and suspected retransmissions.
Conclusion
The above analysis of the system has proved that the member of the organization using the internet protocol address is responsible for, or took part in, the serious crime that may have crippled the organization. First, there is evidence of a port scan where packets are repeatedly sent from internet protocol address 192.168.43.212 to 220.127.116.11 through port 66. Port scans are most commonly used by attackers to identify the vulnerabilities of a network for malicious reasons: gaining access privileges one is not entitled to, gaining unauthorized access to information, or crippling the organization’s network. Denial of service attacks and denial of access attacks can also be carried out after acquiring important information about a network through the port scan.
The member of the organization using internet protocol address 192.168.43.212 is also observed sending huge amounts of data in the small hours of the morning, at 12:04 after midnight. This is evidence that the member is involved in a crime in which he or she used the information acquired from the port scan to gain access to certain information, and the information acquired is what is being sent at 12:04 after midnight. This indicates that the person stays late into the night in the organization’s offices to carry out the malicious activities.
Apart from identifying the member of the organization responsible for the serious crime, the organization’s wireless network design and structure was also found to have a problem. There is the out-of-order anomaly, where the sequence in which messages are sent by a sender in the network is not the sequence in which the same messages are received at the destination. This is caused by the existence of different channels through which a message travels from source to destination, and those different channels result from the poor design of the organization’s wireless network.
Recommendations
The member using internet protocol address 192.168.43.212 should be identified as the person responsible for the serious crime against the organization.
A firewall should be put in place to filter every event performed on the host computers of the organization. With a firewall in place, activities such as a port scan can be identified in real time as they happen.
The structure of the organization’s wireless network should be redesigned or restructured so as to avoid out-of-order delivery of the messages or information sent over the wireless network.
References
Karthik, R., & Pramod, S. (2011, February 11). Advanced Wireshark tutorial: Packet and network security analysis. Retrieved from https://www.computerweekly.com/tip/Advanced-Wireshark-tutorial-Packet-and-network-security-analysis
Sanders, C. (2017). Practical packet analysis: Using Wireshark to solve real-world network problems. No Starch Press.
Sanders, C. (2018, May 30). Practical packet analysis: Using Wireshark to solve real-world network problems. Retrieved from https://books.google.co.ke/books/about/Practical_Packet_Analysis.html?
Misja, E. (2018, May 30). Epoch Converter: Epoch and Unix timestamp conversion tools. Retrieved from https://www.epochconverter.com
Ndatinya, V., Xiao, Z., Manepalli, V. R., Meng, K., & Xiao, Y. (2015). Network forensics analysis using Wireshark. International Journal of Security and Networks, 10(2), 91-106.
Hunt, R., & Zeadally, S. (2012). Network forensics: an analysis of techniques, tools, and trends. Computer, 45(12), 36-43.
Kaushik, A. K., & Joshi, R. C. (2010). Network forensic system for ICMP attacks. International Journal of Computer Applications (0975–8887) Volume.
Baxter, J. H. (2014). Wireshark essentials. Packt Publishing Ltd.
Wondracek, G., Comparetti, P. M., Kruegel, C., Kirda, E., & Anna, S. S. S. (2008, February). Automatic Network Protocol Analysis. In NDSS (Vol. 8, pp. 1-14).
Bansal, A., Kulkarni, P., & Pais, A. R. (2013, April). Effectiveness of SIP messages on SIP server. In Information & Communication Technologies (ICT), 2013 IEEE Conference on (pp. 616-621). IEEE.