Week 3 Lab Exercises B

Linux Network Analysis


Introduction
In this part of this week's Lab we will look at the plugins that Volatility provides to investigate
network activity on a Linux system. You have already gained significant experience of
networks during the module, so less explanation is provided than usual. After the
usual exercises you will complete some analysis to answer questions about activity
on the provided memory sample. It is important that you try to reach this part of the Lab, as
it is your first real attempt at the type of analysis that will be required for assessment on the
module.

Lab Goals
During this Lab you will learn a number of skills that will be vital for your first assessment,
which takes place in the lab during week 6.

1. Learn how to access and analyse information about networks that is found in memory
samples.
2. Have your first practice of analysing user activity on a memory sample.

Tools and Resources

For today's Lab you will require the following tools and software:

• Learning slides for reference – LS7


• debian.dump & debianNet.dump
o Can be found under Week 3 Lab materials on MyLearning
o Need to unzip them before use.
• linux-sample-2.bin – this dump can be found in the AMF Memory samples
o Can be found under Week 3 Lab materials on MyLearning
• MemoryAnalysis.ova
o Kali VM can be found on Lab machine at C:\CST3510\VM
• VirtualBox Application

Virtual Machine   Username   Password
Kali-Linux        kali       MDXK4l1

CST3510 Week 2 Lab Exercises A 1 ©2024 [email protected]


Exercises

TCP and UDP Connections

The first and simplest step is to list the network connections identified in the
memory dump. For that we can use a plugin whose output is similar to netstat:

$> volatility -f debianNet.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_netstat

Figure 1. Enumerating the network connections using the linux_netstat plugin

This command shows the transport protocol of each socket, the local and remote addresses
and ports, the connection state, and the name and PID of the process that holds the socket.
It gives much the same information as running netstat -anp on the live system. Note that
the plugin finds sockets by walking the open file descriptors of each process in the process
list, so a socket belonging to a process that has been hidden from the process list will not
appear here.

We can see in this example that there is an established SSH connection (port 22) between
10.0.2.15 and 10.0.2.5, held by the process with PID 998.
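As an added example (not part of the lab handout), the Python below parses text in the layout of Volatility 2's linux_netstat output and extracts the facts that the questions at the end of this Lab ask for: which processes are listening, and which remote addresses were contacted over HTTPS (TCP/443). The sample output is constructed for the example; its addresses, process names and PIDs are made up, and the regular expression assumes the column layout shown in that sample.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Volatility 2 linux_netstat output:
# proto, local addr:port, remote addr:port, state, comm/pid. Addresses,
# process names and PIDs are made up for this example.
SAMPLE_NETSTAT = """\
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/512
TCP      10.0.2.15       :   22 10.0.2.5        :53490 ESTABLISHED                  sshd/998
TCP      10.0.2.15       :41022 93.184.216.34   :  443 ESTABLISHED               firefox/1337
TCP      10.0.2.15       :41030 151.101.1.69    :  443 ESTABLISHED               firefox/1337
TCP      10.0.2.15       :41031 151.101.1.69    :  443 CLOSE_WAIT                firefox/1337
TCP      10.0.2.15       :41040 198.51.100.7    :   80 ESTABLISHED               firefox/1337
TCP      127.0.0.1       :  631 0.0.0.0         :    0 LISTEN                       cupsd/600
UDP      0.0.0.0         :   68 0.0.0.0         :    0                          dhclient/400
UNIX 12345                systemd/1     /run/systemd/journal/stdout
"""

# One TCP/UDP line: address and port are separated by a colon that may be
# padded with spaces, and the state column is empty for UDP sockets.
INET_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+)\s*:\s*(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s*:\s*(?P<rport>\d+)\s+"
    r"(?P<state>[A-Z_0-9]*)\s+"
    r"(?P<comm>\S+)/(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP/UDP socket; UNIX sockets and other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = INET_RE.match(line)
        if not m:
            continue
        c = m.groupdict()
        for key in ("lport", "rport", "pid"):
            c[key] = int(c[key])
        conns.append(c)
    return conns


def listening(conns):
    """TCP sockets in LISTEN state as sorted (comm, pid, port) tuples."""
    return sorted({(c["comm"], c["pid"], c["lport"])
                   for c in conns if c["proto"] == "TCP" and c["state"] == "LISTEN"})


def https_peers(conns):
    """Distinct remote addresses contacted on TCP/443, in any connection state."""
    return sorted({c["raddr"] for c in conns
                   if c["proto"] == "TCP" and c["rport"] == 443})


def connections_by_pid(conns):
    """Group sockets by owning PID so one process's network footprint can be read at once."""
    grouped = defaultdict(list)
    for c in conns:
        grouped[c["pid"]].append(c)
    return dict(grouped)


def main():
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("Listening:", listening(conns))
    print("HTTPS peers:", https_peers(conns))
    for pid, socks in sorted(connections_by_pid(conns).items()):
        print(f"PID {pid} ({socks[0]['comm']}): {len(socks)} socket(s)")


if __name__ == "__main__":
    main()
```

To use it on a real dump, redirect the plugin output to a file (volatility ... linux_netstat > netstat.txt) and pass the file's contents to parse_netstat. Because the tool prints addresses padded to a fixed width, the parser relies on the colon rather than column positions; IPv6 addresses are handled as long as Volatility keeps a space before the port separator, as in the sample.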

Packet Queues

We can also try to recover the list of packets in the socket queues, but before you do this you need to
create a directory for the outputs. Use mkdir to create it.

$> volatility -f debianNet.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_pkt_queues -D outputs/

Note: There are no outputs for the dumps you have been provided with, but the instruction
below is provided in case you do get some in future dumps. It is not uncommon to have zero
outputs for this plugin, as it depends on how active the system was at the time of capture.

The recovered packets are written to files whose names include the PID of the owning process.
To view one of these files, you can simply use:

$> xxd -a outputs/package.pid.num

Here package.pid.num stands for the name of the specific file you want to inspect.



Raw Sockets

If we would like to check whether there are raw sockets, i.e. potential sniffers, we can list all
the processes holding raw sockets:

$> volatility -f debianNet.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_list_raw

In this case, we can see that the only process with a raw socket is dhclient, and this is not
suspicious. dhclient needs a raw socket to exchange DHCP traffic during boot-up, when the
interface does not yet have an IP address. Any other process in this list, whether a known
capture tool or an unfamiliar binary, merits a closer look.

Exercise 1: Enumerate the TCP connections of the debian (instead of debianNet) machine.

Network Interfaces

It is important to know the details of the network interfaces in order to identify where
an attack comes from and which network might be affected. For that we can simply
enumerate the network interfaces with:

$> volatility -f debianNet.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_ifconfig

In the output you can see just two devices: lo (the loopback interface) and eth0
(Ethernet). These are the defaults you would also expect to see on a clean system. The
output also shows whether any device is in promiscuous mode, that is, receiving all packets
on the network segment rather than only those addressed to it. In this case both are set to
False, but any interface set to True would obviously merit further investigation of the
processes and sockets involved (the linux_list_raw plugin above is a good place to start).

Exercise 2: Enumerate the interfaces of the debian (not debianNet) machine.

ARP Cache

It is interesting to check which network information remains in cache. For that, we can
investigate the ARP cache of the system with the following command:

$> volatility -f debianNet.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_arp



Analysis of the MAC addresses (in particular the vendor prefix, or OUI) can tell you more about
the type of system each cached IP address belonged to; see the learning slides (LS8) for more details.

Exercise 3: Check the ARP cache of the debian (instead of debianNet) machine.

Exercise Solutions

Exercise 1:
$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_netstat

Exercise 2:
$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_ifconfig

Exercise 3:
$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_arp

These were very straightforward. You should find the final exercise for today more challenging;
it will require you to think beyond what you have learnt so far. See details below.

Network Analysis Questions –


Below is an exercise which combines some of the skills you have learnt in both of the Lab
Exercises today. You will need to download and import the memory dump below. Use the
profile name given below; there is no need to import the profile, as it is already installed in the
Kali Analysis VM. You may need to do some research to assist your work.

Memory Sample: linux-sample-2.bin

Profile name to use: --profile=Linuxbookx64

1. Which web browser was used by the user of the system?



2. What was the PID of the main browser in use?

3. Which IP addresses were contacted using HTTPS?

4. What type of browsing activity does the route cache show?

5. Which processes are listening for connections?

6. How many network interfaces are active on the system?

7. Are any of the interfaces in promiscuous mode?

Make a note of your answers; your tutor will go through them at the end of the session. The
solutions will be posted to the week's lab folder at the end of the week.