IP LAB EXPERIMENT – 2 - NANDITHA90/-IP-LAB2 GitHub Wiki

1) PING

a) Using ping on google.com and documenting the results based on the output received [finding the IP address, the Time To Live (TTL) value, and the round-trip time value].

b) By default, ping sends 4 packets; here you must send 8 packets to google.com and check the output.

Sending more packets is advantageous for several reasons:

  • Statistical Reliability: By sending multiple packets, we can calculate more reliable statistics, such as average round-trip time, packet loss rate, and standard deviation. With just a few packets, the results are more susceptible to fluctuations caused by temporary network issues.

  • Packet Loss Detection: Sending more packets allows us to identify potential packet loss issues. If some packets are lost during the process, it can indicate network congestion or connectivity problems.

  • Response Time Variability: The RTT (Round-Trip Time) values can vary from packet to packet due to network conditions. Collecting multiple RTT values helps us to understand the variability of response times.

  • Path Diversity: In some situations, network traffic might be routed differently for different packets. By sending more packets, we can know if the paths taken by different packets show any significant differences.

  • Network Fluctuations: Network conditions can change over time. By sending more packets, we can observe how the network performance evolves during the process of Ping command test.
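
As an added example (not part of the original lab write-up), the statistics listed above computed from a constructed 8-packet ping output in Windows format; the reply address is from the 203.0.113.0/24 documentation range, not a real google.com reply, and one reply is deliberately a timeout so the loss rate is non-zero.

```python
import re
import statistics

# Constructed output of "ping -n 8 google.com" (Windows format). The address is from
# the 203.0.113.0/24 documentation range and the RTTs are made up for the example.
SAMPLE_OUTPUT = """\
Pinging google.com [203.0.113.10] with 32 bytes of data:
Reply from 203.0.113.10: bytes=32 time=21ms TTL=117
Reply from 203.0.113.10: bytes=32 time=19ms TTL=117
Request timed out.
Reply from 203.0.113.10: bytes=32 time=24ms TTL=117
Reply from 203.0.113.10: bytes=32 time=20ms TTL=117
Reply from 203.0.113.10: bytes=32 time=58ms TTL=117
Reply from 203.0.113.10: bytes=32 time=22ms TTL=117
Reply from 203.0.113.10: bytes=32 time=21ms TTL=117
"""

HEADER = re.compile(r"Pinging (\S+) \[([\d.]+)\]")
# "time<1ms" is printed for sub-millisecond replies, hence the [=<] in the pattern.
REPLY = re.compile(r"Reply from [\d.]+: bytes=\d+ time[=<](\d+)ms TTL=(\d+)")


def summarize(output: str, sent: int) -> dict:
    """Return host, IP, TTL and the RTT statistics the lab asks for from ping output."""
    header = HEADER.search(output)
    replies = REPLY.findall(output)
    rtts = [int(ms) for ms, _ in replies]
    received = len(rtts)
    stats = {
        "host": header.group(1) if header else None,
        "ip": header.group(2) if header else None,
        "ttl": int(replies[0][1]) if replies else None,
        "sent": sent,
        "received": received,
        "loss_pct": 100.0 * (sent - received) / sent,
    }
    if rtts:
        # min/avg/max match what ping prints; median and standard deviation show how
        # much a single slow reply (58 ms here) skews the average.
        stats.update(min=min(rtts), max=max(rtts), avg=statistics.mean(rtts),
                     median=statistics.median(rtts), stdev=statistics.pstdev(rtts))
    return stats
```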

c) Pinging the local host.

  • It helps to perform a basic test of the computer's networking capabilities and to ensure that the TCP/IP stack is functioning correctly.

  • Testing Network Stack: By pinging the local host, we are sending an ICMP (Internet Control Message Protocol) echo request packet to our own machine and waiting for the echo reply. This ensures that the networking stack is operational and capable of processing network packets.

  • Verifying TCP/IP Configuration: Pinging the local host is a way to verify that the computer's IP address and TCP/IP configuration are correctly set up. If we successfully ping the loopback address, that indicates that the network configuration is functioning as expected.

  • Testing Network Interface: The loopback test confirms that the network interface (NIC or network adapter) is working correctly. If the loopback test fails, it could indicate an issue with the network adapter or its drivers.

  • Isolation of Network Issues: Pinging the local host helps to isolate networking problems. If we successfully ping the loopback address but have issues pinging external hosts, this indicates that the problem lies outside the local machine.

  • Debugging and Troubleshooting: While troubleshooting network-related issues, pinging the local host can help to check basic connectivity. It allows us to ensure that the computer can communicate with itself and that network protocols are functioning as expected.

2) TRACERT

  • Hop-by-Hop Route Visualization: Tracert visualizes the route taken by packets as they traverse the network from the source to the destination. The command displays a list of HOPS (Intermediate Routers) along the way and provides valuable information about round-trip times to each hop. This helps in diagnosing connectivity issues and understanding the network path.

  • Round-Trip Time (RTT) Statistics: Tracert displays the round-trip time (RTT) for each hop. RTT represents the time taken for an ICMP packet to travel from the source to a specific hop and back. This information allows us to assess network latency and identify potential bottlenecks. Higher RTT values may indicate network congestion or longer paths.

  • Diagnostic Information: The traceroute command sometimes provides other diagnostic information, such as the IP addresses and hostnames of HOPS (Intermediate routers). This data can be useful in identifying specific network devices involved in the routing process. Traceroute also shows the number of packets sent to each hop, packet loss percentage, and the maximum time allowed for a reply.

Commands used: [a] tracert google.com [b] tracert -d google.com

a) It starts the traceroute to "google.com" and displays the hops and round-trip times. The number of hops this machine is away from google.com is reported in the output, over a maximum of 30 hops.

Performing the operation again after some time to check the results.

b) While performing the command again after some time, the results vary each time when we run it. Network conditions are dynamic. The routing path may change based on network congestion, traffic, and other factors. The number of hops and round-trip times may differ in subsequent runs due to changes in the network topology, load balancing, or routing policies.

3) NETSTAT

a) Use netstat to display information about the routing table.

b) Use netstat to display Ethernet statistics.

  • Using netstat -e

  • Using netstat -s

4) NSLOOKUP

  • The 'nslookup' (Name Server Lookup) command is a network tool.

  • It is used to query Domain Name System (DNS) servers to obtain information about domain names or IP addresses.

  • Its main purpose is to help users and system administrators troubleshoot DNS-related issues, gather DNS information, and perform DNS-related tasks.

  • DNS Resolution: The most common use of nslookup is to resolve domain names to their corresponding IP addresses and vice versa.

  • Checking DNS Records: nslookup allows us to query DNS records of different types, such as A records (IPv4 address), AAAA records (IPv6 address), MX records (mail exchange servers), CNAME records (canonical name), and more. This is useful for verifying the DNS configuration and troubleshooting issues related to specific DNS records.

  • Testing DNS Servers: nslookup enables us to test the responsiveness and reliability of DNS servers by querying them directly.

  • Troubleshooting Network Issues: When we are facing network connectivity issues, nslookup can help us identify if the problem is related to DNS resolution. If the name resolution fails or returns unexpected results, it can indicate DNS misconfigurations or issues with the DNS infrastructure.

  • Analyzing DNS Propagation: When making changes to DNS records, such as updating the IP address of a website, nslookup can be used to check DNS propagation. This is helpful to see if the DNS changes have propagated across different DNS servers worldwide.

  • Reverse DNS Lookup: nslookup can perform reverse DNS lookups, where we input an IP address, and it provides the corresponding domain name if available. This is useful for verifying the ownership of IP addresses.

a) Use nslookup to find out the internet address of the domain amrita.edu

b) Mail exchanger for the domain google.com.

The mail exchanger (MX) records for the domain "google.com" indicate the mail servers responsible for handling incoming email messages for the domain. These MX records are used by other mail servers to determine where to deliver emails addressed to users at the "google.com" domain.

c) Name server for amrita.edu.

5) ARP and RARP

ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) are network protocols used in the TCP/IP protocol suite to map between IP addresses and MAC (Media Access Control) addresses in a local network.

- ARP

  • Used to resolve or map an IP address to the corresponding MAC address on a local area network (LAN).
  • When a device wants to communicate with another device on the same LAN, it needs the MAC address of the target device to deliver the data at the link layer (data link layer) of the OSI model. ARP is used for this purpose.

- RARP

  • An older and less commonly used protocol than ARP.
  • Its purpose is the reverse of ARP: RARP is used to resolve a MAC address to the corresponding IP address on a local network.

a) Using the arp command to find the gateway address and the host system's hardware address.

b) Finding the arp entries for a particular interface.

c) Deleting an arp entry.

d) Adding an arp entry to the arp cache.

6) TCPDUMP

a) Using tcpdump to get information about the general incoming network traffic, showing domain names.

b) Using tcpdump to get information about the general incoming network traffic, showing IP addresses, on a specific interface.

7) WIRESHARK

Using Evidence.pcapng as evidence file.

A) Analyzing the traffic file.

  • Capture Traffic: Using a tool like Wireshark allows us to inspect the packets and understand the communication.
  • Filtering Relevant Packets: Applying filters in Wireshark to isolate the packets that are relevant to the PING activity and the unknown IP address. Since the activity here is PING, we filter on ICMP.

Filtering by ICMP

After filtering, we find 2 packets.

a) Data Transferred: 70:61:73:73:21:40:23:24

b) Finding the source and destination IP of that log:

  • Source : 192.168.31.89
  • Destination : 192.168.31.16

c) Data length (Bytes) and the checksum status on destination.

  • Data length (Bytes) : 8
  • Checksum status on destination : Good
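
As an added example (not part of the original write-up), a small IPv4/ICMP echo builder and parser that reproduces the three answers above from a constructed packet: the endpoints, the 8 data bytes (also decoded as ASCII), and the checksum status, which is "Good" exactly when the checksum recomputed over the ICMP message matches the one carried in the packet. The packet is constructed inline with the page's addresses and data bytes; it is not read from Evidence.pcapng.

```python
import struct

# Constructed IPv4/ICMP echo request matching the filtered packet above
# (192.168.31.89 -> 192.168.31.16, 8 data bytes); not read from Evidence.pcapng.
SRC, DST = "192.168.31.89", "192.168.31.16"
DATA = bytes.fromhex("7061737321402324")   # the "Data Transferred" bytes from the page


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src: str, dst: str, ident: int, seq: int, data: bytes) -> bytes:
    """IPv4 header + ICMP echo request (type 8) with both checksums filled in."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo(pkt: bytes) -> dict:
    """Answer the Wireshark questions: endpoints, data, data length, checksum status."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    data = icmp[8:]
    # Wireshark reports "Good" when the checksum recomputed with the checksum
    # field zeroed equals the value carried in the packet.
    recomputed = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "type": itype, "id": ident, "seq": seq,
        "data_hex": ":".join("%02x" % b for b in data),
        "data_ascii": data.decode("ascii", "replace"),
        "data_len": len(data),
        "checksum_status": "Good" if recomputed == csum else "Bad",
    }
```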

B) Unencrypted Web Traffic.

a) The name and type of the file:

b) Exporting the file from that web traffic, then analyzing the file for any secret information.

c) The hostname in which the file is stored.

  • Hostname : 192.168.31.67

C) Sensitive information via call; the traffic has been captured.

a) Analyzing the traffic and finding those conversations and extracting the sensitive information in it.

Conversation:

  • Hi.
  • Hi customer support team.
  • This is Sashi here.
  • I would want to be as knapshot to clear this level.
  • Could you help me with that?
  • Okay, don't share this password to anyone.
  • Sure,
  • L for lassoer
  • I for igive
  • M for a Masterbilt
  • B as a battlefield
  • O as an outthrust
  • Thank you.
  • Alright thank you.

b) The call-ID when the status of the call is Ringing.

D) Bluetooth Devices Communications

a) WPA Handshake

ANonce: the random number generated by the access point and sent to the client:

  • WPA Key Nonce: 2cd0a4368c93b6803ffe7f1ad80e286fee9813bba98fca5e14eebcb3be3a288c

SNonce: the random number generated by the client and sent to the access point:

  • WPA Key Nonce: 2cd0a4368c93b6803ffe7f1ad80e286fee9813bba98fca5e14eebcb3be3a288c

MIC (Message Integrity Code): Value used to verify the integrity of the handshake messages.

  • WPA Key MIC: 00000000000000000000000000000000

RSN (Robust Security Network) Information: Includes details about the encryption and authentication algorithms used.

  • WPA Key RSC: 0000000000000000

Pairwise Key (PTK):

  • .... .... .... 1... = Key Type: Pairwise Key
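
As an added example (not part of the original write-up), a parser for the EAPOL-Key body that extracts the WPA Key Nonce, Key RSC and Key MIC fields shown above and reads the Key Information flag bits. The flag bits identify which of the four handshake messages a frame is, and that in turn says whether the nonce it carries is the ANonce (messages 1 and 3, from the access point) or the SNonce (message 2, from the client); only message 1 has an all-zero MIC field like the one listed above. The ANonce value is copied from this page; the SNonce, MIC bytes and the whole frame are constructed, with no real key derivation.

```python
import struct

# EAPOL-Key body layout (IEEE 802.11), byte offsets from the start of the body:
#   0 descriptor type (1)    1 key information (2)   3 key length (2)
#   5 replay counter (8)    13 key nonce (32)       45 EAPOL-Key IV (16)
#  61 key RSC (8)           69 key ID (8)           77 key MIC (16)
#  93 key data length (2)   95 key data (variable)
KEY_TYPE_PAIRWISE = 1 << 3   # ".... .... .... 1... = Key Type: Pairwise Key"
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8

# ANonce copied from the handshake above; SNonce and MIC bytes are constructed filler.
ANONCE = bytes.fromhex("2cd0a4368c93b6803ffe7f1ad80e286fee9813bba98fca5e14eebcb3be3a288c")
SNONCE = bytes(range(32))
FAKE_MIC = bytes(range(16))


def build_eapol_key(info: int, nonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key body (descriptor 2, key length 16, replay counter 1)."""
    return (bytes([2]) + struct.pack("!HHQ", info, 16, 1) + nonce + bytes(16)
            + bytes(8) + bytes(8) + mic + struct.pack("!H", 0))


def parse_eapol_key(body: bytes) -> dict:
    """Extract the WPA Key Nonce / RSC / MIC fields and the Key Information flag bits."""
    (info,) = struct.unpack_from("!H", body, 1)
    return {
        "nonce": body[13:45].hex(), "rsc": body[61:69].hex(), "mic": body[77:93].hex(),
        "pairwise": bool(info & KEY_TYPE_PAIRWISE), "install": bool(info & KEY_INSTALL),
        "ack": bool(info & KEY_ACK), "has_mic": bool(info & KEY_MIC),
    }


def handshake_message(f: dict) -> int:
    """Number the 4-way handshake message from its flags (0 = not a pairwise key message)."""
    if not f["pairwise"]:
        return 0
    if f["ack"] and not f["has_mic"]:
        return 1   # AP -> STA: carries the ANonce; the MIC field is still all zeros
    if f["ack"] and f["install"]:
        return 3   # AP -> STA: ANonce again, now with a MIC and the Install bit set
    if f["has_mic"] and f["nonce"] != "00" * 32:
        return 2   # STA -> AP: carries the SNonce, protected by the MIC
    return 4       # STA -> AP: confirmation; the nonce field is zero
```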

b) Geo-locating all the endpoints of the wireless devices.

c) Protocol Level Information Transfer
