Home‎ > ‎CIS 140NA‎ > ‎CIS-140NA Final Spring 2016‎ > ‎


Part 1

  1. The capture was started on 2016-05-16 16:43:30 and finished on 2016-05-16 16:48:55.
  2. It contains 1,809 packets
  3. The capture was taken on an unknown operating system. 
  4. Wireshark 4ever 
  5. Expert mode has
    1. 8 errors
    2. 8 warnings

Part 2

There are four hosts that are visible on this network. Looking at Statistics -> Endpoints shows 12 distinct MAC addresses in the capture. 
  • Four of them start with 00:50:56 (vmWare) and are real hosts 
  • Seven of them start with 33:33:33, the IPv6 multicast MAC address 
  • One of them is ff:ff:ff:ff:ff, the broadcast MAC address
The router has the IP addresses: 
  1. fe80::250:56ff:feaf:7da3
The RA in packet 23 shows the MAC address and IPv6 address of the router (which is a link-local address). Filtering for the MAC address (eth.addr == 00:50:56:af:7d:a3) shows an ARP reply in packet 10 that gives the IPv4 address of the router. 

The IPv4 subnet is That was discovered by looking at the DHCP offer in packet 4. The IPv6 subnet is 2607:f380:80f:f901::/64. That was discovered by looking at the router advertisement in packet 68.

Part 3

The DNS servers on this network are:  
  1. - Used for most queries. 
  2. 2607:f380:80f:f425::252 - Used for one query. 
  3. 2607:f380:80f:f425::253 - Specified by the RA but not used (Extra credit for this one) 
The best DNS lookup time was 0.000428 seconds and the worst was 0.0085 seconds. 

The DHCP lease time is 600 seconds, or 10 minutes. The lease time is sent by the server to the client in packet 4. Two DHCP offers were made for the IP addresses:

Part 4

Looking at Statistics -> Conversations and selecting the TCP tab shows that there are 31 TCP connections in this capture file. Those conversations all take place on the ports:
  • 80 and 8080 (HTTP)
  • 3306 (MySQL)
Based on that information this network seems to be running a web server on IP address 2607:f380:80f:f901:250:56ff:feaf:c5d1 and a database server on IP address 2607:f380:80f:f901:250:56ff:feaf:69d7. 

The JPEG image is of a cute cat (of course). It was found by selecting File -> Export Object -> HTTP and simply looking at the file names. 

Looking at the MySQL traffic with the filter (mysql.login_request) shows the packets where user credentials were supplied. The following users were seen:
  • root (first login in packet 493)
  • wikiuser (first login in packet 616)
MySQL doesn't reveal passwords in its own protocol. Searching the packets for instances of the word "password" using the filter (tcp matches "root" and tcp matches "password") shows several conversations that match. Looking through them by following the TCP stream and using the Find button shows the root password is "Cabri11o". A failed password attempt with "Cabri1oo" is also seen and will be taken for credit. Doing the same trick with wikiuser does not reveal their password. 

Part 5

I detected the following errors, more than these may be taken for credit. 
  1. Searching for icmpv6 shows that there are two packets ICMP "Packet too Big" errors in packets 248 and 254. Both count for credit. 
  2. The TCP reset packets 1768, 1770 and 1772 are caused when 2001:470:4862:beef:259f:e7e5:9143:a18e attempts to connect to 2607:f380:80f:f901:250:56ff:feaf:c5d1 using port 8080. The reset packet is the expected behavior if the port is closed. These count as one error.
  3. There are HTTP 400 codes in the following packets. The 404s and the 403s each count for credit, you need only name one. 
    1. 404 (code 404)
    2. 468 (code 403)
    3. 499 (code 403)
    4. 1044 (code 404)
    5. 1778 (code 404)
  4. The following DNS packets returned an error that the name was not found (dns.flags.rcode == 3)
    1. 490 (8.8.f.0.9.5.b.d.2.c.2.d.8.c. type PTR, class IN)
    2. 1791 (www.somebogusedomain.com: type A, class IN)
  5. Looking at ARP requests (arp) there are requests for but no replies.