FREE Trial

A complaint came in that a certain organization is hosting an illegal FTP site to download copyrighted

Fantastic news! We've Found the answer you've been seeking!

Question:

A complaint came in that a certain organization is hosting an illegal FTP site to download copyrighted software. The security team has provided a pcap file capturing all FTP traffic on the network. They've asked you to identify where the FTP site is being hosted.

- Please provide detailed steps using wireshark to solve and recognize the PCAP file

- Below is a screenshot of the wireshark application

image
Transcribed Image Text:

WGU-Win10-GNS3 Ticket2.pcap.pcapng File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help Press esc to exit full screen O Q+E Q QQ T Apply a display filter ... Time No. 1 0.000000 2 0.000388 3 38.709094 4 38.709663 5 38.712669 6 38.715618 7 38.718031 LOTTEE 8 43.798455 * 9 43.798938 10 48.076252 ******** 11 48.076682 12 48.076770 13 48.080162 14 50.727052 07 Source Ticket2.pcap.pcapng 0c:2c:41:b7:00:00 0c:c1:25:31:00:02 0c:c1:25:31:00:02 0c:2c:41:b7:00:00 10.10.60.1 10.10.20.2 10.10.60.1 AUTOTE 10.10.20.2 AUTEUTENTE 10.10.60.1 aufer:26 0c:fc:ae:26:00:00 0c:c1:25:31:00:02 www 10.10.60.1 10.10.20.2 10.10.20.2 10.10.60.1 10.10.60.1 0000 0c c1 25 31 00 02 0c 2c 0010 08 00 06 04 00 01 0c 2c 0020 0 1 25 31 00 02 0 Destination 10.10.20.2 10.10.60.1 10.10.20.2 10.10.60.1 10.10.20.2 0c:c1:25:31:00:02 0c:fc:ae:26:00:00 CONS www 10.10.20.2 **** 10.10.60.1 10.10.60.1 10.10.20.2 10.10.20.2 41 b7 00 00 08 06 00 01 41 b7 00 00 ea ea 14 03 14 fe > Frame 1: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface -, id e > Ethernet II, Src: 0c:2c:41:b7:00:00 (0c:2c:41:b7:00:00), Dst: 0c:c1:25:31:00:02 (0c:c1:25:31:00:02) > Address Resolution Protocol (request) %1 Protocol ARP ARP TCP TCP TCP FTP TCP 200 ARP -%1 .. ARP M FTP TCP FTP TCP FTP Length Info 42 Who has 10.10.20.254? Tell 10.10.20.3 42 10.10.20.254 is at 0c:c1:25:31:00:02 A A 66 54414 21 [ACK] Seq=1 Ack=36 Win=64256 Len=0 TSval=1528451789 TSecr-2636475934 60 Who has 10.10.20.254? Tell 10.10.20.2 42 10.10.20.254 is at 0c:c1:25:31:00:02 82 Request: USER anonymous 66 21 54414 [ACK] Seq=36 Ack-17 Win-65280 Len=0 TSval-2636485295 TSecr=1528461146 100 Response: 331 Please specify the password. 66 54414 21 [ACK] Seq-17 Ack-70 Win-64256 Len=0 TSval-1528461151 TSecr=2636485295 73 Request: PASS 74 54414 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1528451779 TSecr=0 WS=128 74 21 54414 [SYN, ACK] Seq=0 Ack-1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval-2636475928 TSecr=1... 66 54414 21 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval-1528451783 TSecr=2636475928 101 Response: 220 Welcome to warez FTP service. Send Ctrl+Alt+Delete Packets: 44149 - Displayed: 44149 (100.0%) 0 X + Profile: Default Reboot WGU-Win10-GNS3 Ticket2.pcap.pcapng File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help Press esc to exit full screen O Q+E Q QQ T Apply a display filter ... Time No. 1 0.000000 2 0.000388 3 38.709094 4 38.709663 5 38.712669 6 38.715618 7 38.718031 LOTTEE 8 43.798455 * 9 43.798938 10 48.076252 ******** 11 48.076682 12 48.076770 13 48.080162 14 50.727052 07 Source Ticket2.pcap.pcapng 0c:2c:41:b7:00:00 0c:c1:25:31:00:02 0c:c1:25:31:00:02 0c:2c:41:b7:00:00 10.10.60.1 10.10.20.2 10.10.60.1 AUTOTE 10.10.20.2 AUTEUTENTE 10.10.60.1 aufer:26 0c:fc:ae:26:00:00 0c:c1:25:31:00:02 www 10.10.60.1 10.10.20.2 10.10.20.2 10.10.60.1 10.10.60.1 0000 0c c1 25 31 00 02 0c 2c 0010 08 00 06 04 00 01 0c 2c 0020 0 1 25 31 00 02 0 Destination 10.10.20.2 10.10.60.1 10.10.20.2 10.10.60.1 10.10.20.2 0c:c1:25:31:00:02 0c:fc:ae:26:00:00 CONS www 10.10.20.2 **** 10.10.60.1 10.10.60.1 10.10.20.2 10.10.20.2 41 b7 00 00 08 06 00 01 41 b7 00 00 ea ea 14 03 14 fe > Frame 1: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface -, id e > Ethernet II, Src: 0c:2c:41:b7:00:00 (0c:2c:41:b7:00:00), Dst: 0c:c1:25:31:00:02 (0c:c1:25:31:00:02) > Address Resolution Protocol (request) %1 Protocol ARP ARP TCP TCP TCP FTP TCP 200 ARP -%1 .. ARP M FTP TCP FTP TCP FTP Length Info 42 Who has 10.10.20.254? Tell 10.10.20.3 42 10.10.20.254 is at 0c:c1:25:31:00:02 A A 66 54414 21 [ACK] Seq=1 Ack=36 Win=64256 Len=0 TSval=1528451789 TSecr-2636475934 60 Who has 10.10.20.254? Tell 10.10.20.2 42 10.10.20.254 is at 0c:c1:25:31:00:02 82 Request: USER anonymous 66 21 54414 [ACK] Seq=36 Ack-17 Win-65280 Len=0 TSval-2636485295 TSecr=1528461146 100 Response: 331 Please specify the password. 66 54414 21 [ACK] Seq-17 Ack-70 Win-64256 Len=0 TSval-1528461151 TSecr=2636485295 73 Request: PASS 74 54414 21 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1528451779 TSecr=0 WS=128 74 21 54414 [SYN, ACK] Seq=0 Ack-1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval-2636475928 TSecr=1... 66 54414 21 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval-1528451783 TSecr=2636475928 101 Response: 220 Welcome to warez FTP service. Send Ctrl+Alt+Delete Packets: 44149 - Displayed: 44149 (100.0%) 0 X + Profile: Default Reboot

Expert Answer:

Answer rating: 100% (QA)

To identify the FTP servers host location within a network using Wireshark and the given PCAP file you can follow these steps 1 Open the PCAP file in ... View the full answer


answer-question-section
Related Book For  answer-question
Global Strategy

Global Strategy

ISBN: 9780357512364

5th Edition

Authors: Mike W. Peng

Posted Date:
See More Questions

Students also viewed these algorithms questions

Nonlinear Optical Properties Of Materials 1st Edition - ISBN: 9401783608 - Free Book