Identify Non-Secure Network Traffic

Lab Overview:

This hands-on lab provides a network security analyst with a basic understanding of how to investigate whether non-secure protocols are being used within your environment. A non-secure protocol is considered a protocol that does not have a minimal level of protection (i.e., encryption) as it traverses the network. Without encryption, sensitive information can be easily captured and used to exploit an organization and its network resources further. You will generate HTTP, HTTPS, and FTP traffic within the lab and capture the network traffic from a server’s ethernet network interface, using Wireshark. You will then analyze the captured packets and determine if the traffic is in plain text or encrypted.

Understand the scenario

You are a network security analyst for a company that uses the Windows operating system. You are concerned that systems on your network may be using non-secured protocols and transmitting traffic in plain text (i.e., unencrypted). You need to capture network traffic to determine if non-secure network protocols are being used. In this challenge, you will capture and view HTTP, HTTPS, and FTP traffic. In this lab, you will use a Windows Server 2016 and a Linux virtual machine to complete these tasks. You will directly connect to the virtual machine consoles in the lab environment.

Capture and view HTTP traffic:

For the first part of this lab, you will set up the packet capture tool, Wireshark, to capture traffic on a Windows Server 2016 ethernet network interface. Once the packet capture is running, you will use a Linux virtual machine to generate traffic. You will use a Linux command-line tool, wget, to initiate an HTTP GET request to the server’s IIS web page and retrieve the index.html page. This tactic mimics someone browsing to your web server. You will then switch back to your Wireshark packet capture, stop the capture, and investigate to find the HTTP traffic.

Capture and view HTTPS traffic:

In this section, you will configure your IIS server to enforce TLSv1.2 encryption by using HTTPS. Once your server is configured, you will restart a packet capture and reissue a wget command. This time, you will learn how to use wget to retrieve an HTTPS web page. You will then switch back to your Wireshark packet capture, stop the capture, and investigate the HTTPS traffic. Is it secure?

Configure an FTP server site:

To further explore non-secure protocols, you will enable your server to host an FTP site. The file transfer protocol (FTP) is notorious for being non-secure. It is generally poor practice to use FTP, and you will see why. Once your FTP site is set up, you will resume your packet capture, switch back to your Linux virtual machine, and connect to the FTP site via command line. After successfully connecting, you will then switch back to Wireshark, stop the packet capture, and inspect the traffic for non-secure FTP.

Capture and view FTP traffic:

Once your FTP site is set up, you will resume your packet capture, switch back to your Linux virtual machine, and connect to the FTP site via command line. After successfully connecting, you will then switch back to Wireshark, stop the packet capture, and inspect the traffic for non-secure FTP packets. What will you see that an attacker could use against you and your organization?

Lab Summary Conclusion:

In this hands-on virtual lab, you will learn how to assess network traffic packet captures for security weaknesses, such as a lack of encryption. You will learn how to use Wireshark to perform packet captures, analyze the traffic captured, and use the Linux command line to generate traffic, such as HTTP, HTTPS, and FTP. These skills are essential for network security analysts and penetration testers.

Other Challenges in this series

• GUIDED CHALLENGE: Configure Linux Firewall ACL Rules
• ADVANCED CHALLENGE: Can You Secure Host Settings Through Firewall Settings and Group Policy?

‍