Question:
Scenario:
Flextor Applications, Inc. has contacted you regarding a possible security breach on their network. Philo Farnsworth, the owner, believes something suspicious is going on. Specifically, he thinks that someone is stealing his business secrets.
Mr. Farnsworth asked his network administrator, James Garrett, to capture network activity and email it to you. James met with you and handed over a CD with the packet capture. He seemed nervous.
Mr. Farnsworth has asked you to identify any suspicious activity in the packet capture. You are to answer the questions below, in as much detail as possible, and provide Mr. Farnsworth with a half-page summary of what you found that might be suspicious. If there's a 'mole' in his organization he wants to know, and what, if anything, might have been stolen or compromised.
Here are the details regarding the network:
| Employee | Title | IP address |
| --- | --- | --- |
| Server | Server | 172.16.235.131 |
| Philo Farnsworth | President | 172.16.235.129 |
| James Garrett | Network Admin | 172.16.235.130 |
| Allen Beard | Vice President | 172.16.235.128 |
Deliverable:
SINGLE DOCUMENT, either *.doc, *.docx, or *.pdf that contains the following information:
1. A 1/2 page management summary, written in non-technical language, that provides a high level interpretation of what occurred during the sequence of events, identifying any suspicious activity (trust me there is a LOT going on). I will count off if you use ANY of the following terms (or terms like this): ftp, telnet, IP, http, port, ping, etc. Think of a way to describe what occurred without using technical lingo!
2. Answer the questions below. Keep the stems included in your document so I can identify the questions you are answering. You can type DIRECTLY into this document as I want to see the question stems!! 10 points off immediately if you don't include the stems. Answer every part of every question!
NOTE: Some activity is suspicious, some is NOT. If it's NOT suspicious, describe why it's not, and go on to the next question! If you don't know whether it's suspicious -- sometimes it's difficult to tell -- say so, and describe why you can't tell whether it's suspicious or not, but you MUST describe what is going on. There are examples of EACH of the aforementioned categories of behavior included in the packet capture.
NOTE: I want a DETAILED INTERPRETATION of what is happening. Don't simply DESCRIBE what is going on, I want an expert interpretation. Here's an example:
POOR INTERPRETATION: IP xxx.xxx.xxx.xxx is accessing port 21 over TCP on IP xx.xx.xx.xx.
My feedback to you: That is useless information.
GOOD INTERPRETATION: IP xxx.xxx.xxx.xxx, Sam Smith's computer's IP address, is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx (the server's IP address). Port 21 is ftp, which sends credentials in the clear. The series of packet captures shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter of which allowed the intruder to gain access to the computer.
My feedback: Whoa! Excellent! Off to the NSA you go!
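The "good interpretation" above is what an analyst produces after reassembling the FTP control conversation and reading it line by line. The script below is an added example, not part of the assignment or its packet capture: it rebuilds one TCP conversation from packet records the way Wireshark's "Follow -> TCP Stream" does, pairs each PASS command with the server's reply code, and summarises whether the login pattern looks like guessing (several failures, then a success) or a normal login. The client address 10.0.0.5, the packet contents and the split of one command across two segments are constructed for illustration; the server address is the one in the assignment's table.

```python
"""Added example, not part of the assignment or its capture: reassemble one TCP
conversation like Wireshark's "Follow -> TCP Stream", then pick out FTP login
attempts so an analyst can tell password guessing from a normal login.
The client address 10.0.0.5 and all packet contents are constructed; the server
address is the one given in the assignment's table."""
from collections import namedtuple

Packet = namedtuple("Packet", "number src sport dst dport payload")

SERVER = ("172.16.235.131", 21)   # server from the assignment's table, FTP control port
CLIENT = ("10.0.0.5", 40001)      # constructed placeholder client, not a host in the table


def build_sample_capture():
    """Constructed capture: five guesses for user 'sumowrestler', the fifth accepted."""
    pkts = [Packet(1, *SERVER, *CLIENT, b"220 FTP server ready\r\n")]
    n = 2
    for guess in ["password", "sumo", "wrestler", "beatles", "sumo1"]:
        pkts.append(Packet(n, *CLIENT, *SERVER, b"USER sumowrestler\r\n")); n += 1
        pkts.append(Packet(n, *SERVER, *CLIENT, b"331 Password required\r\n")); n += 1
        # the PASS line is split over two segments to show why reassembly is needed
        pkts.append(Packet(n, *CLIENT, *SERVER, b"PASS " + guess[:2].encode())); n += 1
        pkts.append(Packet(n, *CLIENT, *SERVER, guess[2:].encode() + b"\r\n")); n += 1
        reply = b"230 Login successful\r\n" if guess == "sumo1" else b"530 Login incorrect\r\n"
        pkts.append(Packet(n, *SERVER, *CLIENT, reply)); n += 1
    return pkts


def follow_tcp_stream(packets, a, b):
    """Return the a<->b conversation as ordered (direction, text_line) pairs.
    Segments are taken in capture order; a real reassembler also uses TCP
    sequence numbers to cope with retransmission and reordering (left out here)."""
    key = frozenset([a, b])
    pending = {"->": b"", "<-": b""}   # partial line buffered per direction
    lines = []
    for p in sorted(packets, key=lambda p: p.number):
        if frozenset([(p.src, p.sport), (p.dst, p.dport)]) != key:
            continue                   # belongs to another conversation
        d = "->" if (p.src, p.sport) == a else "<-"
        pending[d] += p.payload
        while b"\r\n" in pending[d]:
            line, _, pending[d] = pending[d].partition(b"\r\n")
            lines.append((d, line.decode("ascii", "replace")))
    return lines


def ftp_login_attempts(stream):
    """Pair each PASS command with the server's final reply code to it."""
    attempts, user, guess = [], None, None
    for d, line in stream:
        if d == "->":
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                user = arg
            elif cmd.upper() == "PASS":
                guess = arg
        elif guess is not None and len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            # "NNN " is a final reply; "NNN-" would be a multi-line continuation
            code = int(line[:3])
            attempts.append({"user": user, "password": guess,
                             "code": code, "success": code == 230})
            guess = None
    return attempts


def assess_login_activity(attempts, max_failures=3):
    """Repeated failures followed by a success is the guessing pattern."""
    failures = [a for a in attempts if not a["success"]]
    success = next((a for a in attempts if a["success"]), None)
    return {
        "attempts": len(attempts),
        "failures": len(failures),
        "guessing_suspected": len(failures) >= max_failures,
        "compromised_user": success["user"] if success else None,
        "accepted_password": success["password"] if success else None,
    }


if __name__ == "__main__":
    stream = follow_tcp_stream(build_sample_capture(), CLIENT, SERVER)
    for d, line in stream:
        print(d, line)
    print(assess_login_activity(ftp_login_attempts(stream)))
```

The point of the summary dictionary is that it maps directly onto the wording the assignment rewards: which account was targeted, how many guesses failed, and whether a guess was finally accepted. A single failed login followed by a success is a typo; four failures in a row followed by a success is the pattern worth reporting, which is why the threshold is a parameter rather than hard-coded.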
Questions
1. What is occurring in packets 21-26? Is it evidence of an intrusion? Provide an interpretation of what is occurring, and the possible uses of the information gained. If there's nothing suspicious, tell me so, and explain why it's normal traffic.
2. Is the activity occurring in packets 75-95 evidence of an intrusion? Provide a detailed interpretation of what is occurring, and the possible uses of the information gained. What ports are involved? What information would be gained, and how would it be used by an attacker? What tool did the attacker use? (Covered in a video.) Note there are several questions here to be answered.
3. Is the activity starting in packet 101 evidence of an intrusion? (Hint: Select the packet, right-click, Follow->TCP Stream). Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
4. Is the activity starting in packet 507 evidence of an intrusion? (Note: this is a TCP stream so you can select the first packet, right click your mouse, select "Follow -> TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!
5. Is the activity starting in packet 661 evidence of an intrusion? (Note: this is a TCP stream so you can select the packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. Look for human readable text (a lot of what you see are formatting commands). What text was added? To what file? What was the purpose of adding the text to this file, and who might see it? (There are a lot of questions to answer there.)
6. Is the activity starting in packet 804-805 abnormal? Why or why not?
7. Is the activity in packets 1713 through 1719 a sign of an attack? Why or why not?
8. Is the activity starting in packet 2367 a sign of an attack? (Note: if it's a sign of an attack, tell me why. If you can't tell, tell me why you can't.) (Use Follow TCP Stream.)
9. Is the activity starting in packet 2519 (to the end of the packet capture) evidence of an intrusion or attack? Provide a detailed description of what is occurring, and the possible consequences. What did the attacker do?
10. Who was the attacker, and were his skills low, moderate, or high? Defend your answer based on the evidence. How much is Philo Farnsworth's salary?
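Question 2 asks which ports were involved and what information a burst of connection attempts yields. The script below is an added example, not part of the assignment or its capture, showing how an analyst would answer that from packet records: it groups SYN packets by source and destination, flags a source that tries many distinct ports on one host within a short window, and lists which of those ports answered with SYN/ACK (listening) versus RST (closed). The scanner address 10.0.0.5 and all timings are constructed; the server and president addresses are those in the assignment's table, and the president's single web connection is included to show what normal traffic looks like next to a sweep.

```python
"""Added example, not part of the assignment or its capture: flag a burst of
connection attempts to many ports on one host, and record which ports answered
as listening. Scanner address 10.0.0.5 and all timings are constructed; the
other addresses are those from the assignment's table."""
from collections import defaultdict, namedtuple

Segment = namedtuple("Segment", "number time src sport dst dport flags")

SERVER = "172.16.235.131"      # server from the assignment's table
PRESIDENT = "172.16.235.129"   # Philo Farnsworth's host from the table
SCANNER = "10.0.0.5"           # constructed placeholder, not a host in the table


def build_sample_capture():
    """Constructed: 11 probes to ports 20-30 in one second, then one normal web visit."""
    pkts, n = [], 1
    for i, port in enumerate(range(20, 31)):
        pkts.append(Segment(n, i * 0.1, SCANNER, 50000 + i, SERVER, port, "S")); n += 1
        answer = "SA" if port in (21, 22, 25) else "RA"   # SYN/ACK = listening, RST = closed
        pkts.append(Segment(n, i * 0.1 + 0.01, SERVER, port, SCANNER, 50000 + i, answer)); n += 1
    # normal traffic: the president's workstation opens one connection to the web port
    pkts.append(Segment(n, 30.0, PRESIDENT, 49152, SERVER, 80, "S")); n += 1
    pkts.append(Segment(n, 30.01, SERVER, 80, PRESIDENT, 49152, "SA")); n += 1
    return pkts


def detect_port_sweeps(packets, min_ports=5, window=2.0):
    """For every (source, destination) pair that sent SYNs, report the distinct
    ports tried, how long the burst lasted, whether it looks like a sweep, and
    which of those ports replied SYN/ACK (i.e. were listening)."""
    syns = defaultdict(list)
    answered = defaultdict(set)   # (source, destination) -> ports that replied SYN/ACK
    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.dst)].append(p)
        elif p.flags == "SA":
            answered[(p.dst, p.src)].add(p.sport)
    report = {}
    for pair, probes in syns.items():
        times = [p.time for p in probes]
        ports = sorted({p.dport for p in probes})
        span = max(times) - min(times)
        report[pair] = {
            "ports": ports,
            "span_seconds": round(span, 3),
            "sweep": len(ports) >= min_ports and span <= window,
            "open": sorted(answered[pair] & set(ports)),
        }
    return report


if __name__ == "__main__":
    for (src, dst), r in detect_port_sweeps(build_sample_capture()).items():
        print(f"{src} -> {dst}: {r}")
```

The "open" list is the information an attacker gains from such a burst and the item to call out in the write-up: which services the server exposes. The window-and-count threshold is deliberately simple; a probe spread over hours would stay under it, so in a real review the distinct-port count per source over the whole capture is worth checking as well.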