Use Tcpdump to Intercept Network Traffic
This IT Pro Challenges virtual lab teaches learners how to capture FTP and SSH traffic by using the tcpdump utility. Learners will gain experience using tcpdump to verify whether authentication information is exposed on the network. Skills learned in this lab are valuable in multiple job roles, such as security analyst and system administrator.
tcpdump is a robust and widely used command-line packet sniffer and packet analyzer. It captures and filters the TCP/IP packets that are received or transmitted on a particular network interface. It is available on most Linux/Unix-based operating systems.
In this hands-on lab, you will learn how to use tcpdump to intercept network traffic. First, you will install and configure the FTP service. Next, you will test the security of FTP by intercepting network traffic to discover whether the authentication information is exposed. Finally, you will intercept SSH traffic to discover whether the authentication information is exposed. The other guided and advanced challenges in this series are “Identify Attack Types” and “Can You Use Wireshark to Intercept Network Traffic?” respectively.
Understand the Scenario
In this virtual lab, you are a systems administrator responsible for multiple network servers. Your job is to review your security practices to ensure that authentication information is secure. To accomplish this, you will use a default installation of CentOS 7 Linux with the Server with GUI package group installed and a default installation of Kali Linux. You do not need to have experience with Linux to complete this challenge. Non-privileged accounts have been created for you.
Install and configure FTP
The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server on a network. FTP follows a client-server architecture and uses separate control and data connections. In this section of the virtual lab, you will learn how to install and configure FTP. First, you will sign in to CentOS7-A and obtain root privileges. Next, in the lab interface, you will select Resources, then on the DVD Drive menu select InstallationScript1.iso, and configure access to the installation scripts on the DVD drive. Next, you will configure the CentOS7-A virtual machine for the lab, display its IP address, and record that IP address in the text box provided. Finally, you will check and confirm that you executed the install-script-1.bash configuration script and entered the IP address of CentOS7-A in the text box.
Use tcpdump to intercept FTP network traffic
In this section of the lab, you will use tcpdump to intercept FTP network traffic. First, you will switch to the Security-CS1-Kali virtual machine. During this challenge, you will be capturing network traffic on the same computer that you are using to connect to the server. This method is effective for network troubleshooting by an administrator; in an eavesdropping attack, the capture would instead occur on a third computer on the network. Next, you will open the terminal, install the FTP client, and then press Ctrl+C to return to the command prompt. Next, you will run top. In the top output, you will find the Process ID of the packagekitd process, and then substitute your Process ID for the [PID] placeholder. Finally, you will check and confirm that you used tcpdump to intercept FTP traffic and established an FTP connection to the CentOS7-A server. You will also confirm that you collected network data by using tcpdump and that the FTP authentication information is exposed in the captured network traffic.
Use tcpdump to intercept SSH network traffic
In this section of the virtual lab, learners will use tcpdump to intercept SSH network traffic. First, they will begin intercepting SSH network traffic by using tcpdump and then switch to the terminal window in which they established the FTP connection in the previous section of the lab. Next, they will connect to CentOS7-A by using SSH and then disconnect from the SSH server. Next, they will switch to the terminal window in which tcpdump is running and press Ctrl+C to stop the capture. After this, they will search the capture for root user information. SSH encrypts the username and password, making it far less vulnerable to eavesdropping attacks; that is why the search for the root user returns no results. Finally, learners will check and confirm that they used tcpdump to intercept SSH traffic, established an SSH connection to the CentOS7-A server, and collected network data by using tcpdump.
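As an added example (not part of the lab or of tcpdump itself), the following Python script does what the FTP and SSH sections above have you do by eye: it splits `tcpdump -A` text output into packets, reports USER/PASS commands sent in the clear to port 21, and counts hits for a search string per destination port so the FTP result can be compared with the SSH result. The sample capture, addresses and password are constructed; the header-byte lines that `tcpdump -A` also prints are left out of the sample.

```python
import re
# Constructed sample modelled on `tcpdump -A -n 'port 21 or port 22'` output (the
# header bytes tcpdump also prints are left out; addresses and values are made up).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.20.40000 > 10.0.0.10.21: Flags [P.], seq 1:11, ack 1, length 10
USER root
12:00:01.000003 IP 10.0.0.20.40000 > 10.0.0.10.21: Flags [P.], seq 11:30, ack 34, length 19
PASS Lab-Passw0rd!
12:00:02.000001 IP 10.0.0.20.40002 > 10.0.0.10.22: Flags [P.], seq 1:22, ack 1, length 21
SSH-2.0-OpenSSH_7.4
12:00:02.000002 IP 10.0.0.20.40002 > 10.0.0.10.22: Flags [P.], seq 22:86, ack 22, length 64
.k.3f#.Y..{..q.Z..8Q.%..
"""

HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):")
FTP_AUTH = re.compile(r"^(USER|PASS) (\S+)\s*$")


def split_packets(text: str) -> list:
    """Group tcpdump -A output into packets: a header line plus its payload lines."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({**m.groupdict(), "payload": []})
        elif packets:
            packets[-1]["payload"].append(line)
    return packets

def find_exposed_ftp_credentials(text: str) -> list:
    """Return USER/PASS commands sent in the clear to an FTP control port (21)."""
    findings = []
    for pkt in split_packets(text):
        if pkt["dport"] != "21":
            continue
        for line in pkt["payload"]:
            m = FTP_AUTH.match(line)
            if m:
                findings.append({"client": pkt["src"], "server": pkt["dst"],
                                 "command": m.group(1), "value": m.group(2)})
    return findings

def payload_hits(text: str, needle: str) -> dict:
    """Count payload lines containing needle per destination port (FTP 21 vs SSH 22)."""
    hits = {}
    for pkt in split_packets(text):
        d = pkt["dport"]
        hits[d] = hits.get(d, 0) + sum(needle in line for line in pkt["payload"])
    return hits
```

On a real capture, feed it the output of `tcpdump -A -n -r capture.pcap`; the SSH version banner is visible in the clear, but the login that follows is not.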
Lab Summary Conclusion
After completing the “Use Tcpdump to Intercept Network Traffic” virtual lab, you will have accomplished the following:
- Installed and configured FTP services.
- Captured FTP and SSH traffic by using the tcpdump utility.
- Viewed the exposed authentication information in the captured FTP traffic.
- Verified that the SSH authentication information was not exposed in the captured SSH traffic.