1)For this question you will do a little online research. Please be detailed.
a) Find a Virus attack that hit the US in the last decade and describe it.
b) Find a Worm attack that hit the US in the last decade and describe it.
c) For each, be sure to answer these questions
i. What specifically did it infect?
ii. What was the payload?
iii. What was the financial toll if any?
Answer here: Minimum 350 words for (a) and 350 words for (b). Be sure to cover all 3 parts of (c) in each.
2)Besides WireShark, what other tools are available to enable packet sniffing?
a) Describe at least two that are freely available on your favorite OS. (include URL)
b) What features do they offer over WireShark and vice versa?
Answer here: Minimum 250 words for each of two in (a). Be sure to answer (b) for each.
3)Another useful tool is called a port scanner (sniffer). It allows you to see what ports are active on your system (or someone else’s).
a) Choose your favorite OS and find one and describe it. (include URL)
Answer here: Minimum 400 words (include some features/options/commands it has).
1) [2 points] For this question you will do a little online research. Please be detailed.
1. Find a Virus attack that hit the US in the last decade and describe it.
2. Find a Worm attack that hit the US in the last decade and describe it.
3. For each, be sure to answer these questions (please don’t use ones in Hw1)
1. What specifically did it infect?
2. What was the payload?
3. What was the financial toll if any?
Word count: 564 and 350
SamSam
The virus
The city of Atlanta, Georgia was the subject of a massive cyberattack which began in March 2018. The city recognized the attack on Thursday, March 22, 2018, and publicly acknowledged it was a ransomware attack. Due to Atlanta’s national importance as a transportation and economic hub, the attack received wide attention and was notable for both the extent and duration of the service outages caused. Many city services and programs were affected by the attack, including utility, parking, and court services. City officials were forced to complete paper forms by hand. Prior to the attack, the Atlanta government was criticized for a lack of spending on upgrading its IT infrastructure, leaving multiple vulnerabilities open to attack. In fact, a January 2018 audit found 1,500 to 2,000 vulnerabilities in the city’s systems, and suggested that the number of vulnerabilities had grown so large that workers grew complacent.
The virus used to attack the city was the SamSam ransomware, which differs from other ransomware in that it does not rely on phishing, but rather uses a brute-force attack to guess weak passwords until a match is found. It is known to target weaker IT infrastructures and servers. The ransomware has predominantly been behind attacks on medical and government organizations since its discovery in 2016, with previous attacks on targets ranging from small towns such as Farmington, New Mexico to the Colorado Department of Transportation and the Erie County Medical Center. It can also bypass antivirus software. Despite no suspects being identified or indicted until November 2018, the SamSam hackers were described as “opportunistic”.
The payload
● Mimikatz – A tool to extract passwords, hashes, PINs, and Kerberos tickets from memory
● reGeorg – A reverse proxy / web shell script
● PsExec – Used to launch interactive command prompts on remote systems
● PsInfo – Used to gather information about local or remote systems
● PaExec – An alternate, redistributable version of PsExec
● RDPWrap – Allows console and remote RDP sessions at the same time
● NLBrute – An exploit tool for public-facing RDP instances
● Impacket – A collection of Python classes that enable security teams to work with network protocols. (SamSam was observed using wmiexec.py in January of 2017.)
● CSVDE – An Active Directory tool that ships with Windows Server. Used to import or export entries from Lightweight Directory Access Protocol (LDAP); Active Directory; Active Directory Application Mode (ADAM); Active Directory Lightweight Directory Services (ADLDS); and Active Directory Domain Services (ADDS)
● PowerSploit – A collection of PowerShell scripts used for reconnaissance and persistence
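The SamSam entry technique described above is guessing weak passwords on public-facing RDP, and the tool list includes NLBrute for exactly that. The detection side of it, as an added example that is not part of the original answer: a short Python script that groups Windows failed-logon records (Security Event ID 4625, logon type 10 = RemoteInteractive/RDP) by source address and flags any source with five or more failures inside a five-minute sliding window, reporting the distinct accounts it tried. The record layout, the addresses, the accounts and the thresholds are all constructed for the example and are not from the Atlanta incident.

```python
"""Flag RDP password guessing in Windows failed-logon records.

Added illustration: the record layout below is a simplified, constructed
export of Security Event ID 4625 (failed logon) entries, one per line:
<timestamp> <event_id> <source_ip> <account> <logon_type>
Logon type 10 is RemoteInteractive, i.e. RDP. All values are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2018-03-20T02:11:03 4625 198.51.100.7 administrator 10
2018-03-20T02:11:04 4625 198.51.100.7 admin 10
2018-03-20T02:11:06 4625 198.51.100.7 backup 10
2018-03-20T02:11:07 4625 198.51.100.7 scanner 10
2018-03-20T02:11:09 4625 198.51.100.7 test 10
2018-03-20T02:11:10 4625 198.51.100.7 administrator 10
2018-03-20T02:40:00 4625 203.0.113.5 jsmith 10
2018-03-20T02:41:30 4625 203.0.113.5 jsmith 10
2018-03-20T02:42:00 4624 203.0.113.5 jsmith 10
2018-03-20T03:00:01 4625 10.0.0.12 svc_print 2
2018-03-20T03:00:02 4625 10.0.0.12 svc_print 2
2018-03-20T03:00:03 4625 10.0.0.12 svc_print 2
2018-03-20T03:00:04 4625 10.0.0.12 svc_print 2
2018-03-20T03:00:05 4625 10.0.0.12 svc_print 2
2018-03-20T03:00:06 4625 10.0.0.12 svc_print 2
"""


def parse_events(text):
    """Parse the constructed export into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src_ip, account, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "src_ip": src_ip,
            "account": account,
            "logon_type": logon_type,
        })
    return events


def detect_password_guessing(events, threshold=5,
                             window=timedelta(minutes=5), logon_type="10"):
    """Return {source_ip: (failures, sorted accounts tried)} for every source
    that produced at least `threshold` failed logons of the given logon type
    inside any sliding window of length `window`.

    Many distinct accounts from one source in a short time is the signature
    of guessing rather than a single user mistyping a password."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == "4625" and e["logon_type"] == logon_type:
            by_src[e["src_ip"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hits = evs[start:end + 1]
            if len(hits) >= threshold:
                accounts = sorted({h["account"] for h in hits})
                # keep the densest window seen for this source
                if src not in findings or len(hits) > findings[src][0]:
                    findings[src] = (len(hits), accounts)
    return findings


if __name__ == "__main__":
    for src, (count, accounts) in detect_password_guessing(
            parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {count} failed RDP logons, accounts tried: {accounts}")
```

In the constructed sample, only 198.51.100.7 is reported: 203.0.113.5 has two failures followed by a success (a user mistyping), and the six failures from 10.0.0.12 are logon type 2 (console), which the RDP filter ignores. On a real host the same logic would be fed from the Security log rather than an inline string.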
The damage
This hack was notable as it was the largest successful breach of security for a major American city by ransomware, potentially affecting up to 6 million people. Following the attack, the city of Atlanta cooperated with the FBI, Department of Homeland Security, and Secret Service and hired security firms such as SecureWorks to investigate, and employees were advised to keep many government computers powered off until 5 days later.
It was estimated that a third of the software programs used by the city remained offline or partially disabled. In addition, many legal documents and police dashcam video files were permanently deleted, though the police department was able to restore access to all its investigation files. For a while, residents were forced to pay their bills and submit forms on paper.
In response to this hack, Atlanta devoted $2.7 million to contractors in order to recover, but later estimated it would need $9.5 million.
Conficker
The worm
● Launched in 2008
● Took advantage of an exploit in Windows 2000, XP and 2003 servers that could cause them to install an unauthenticated file
○ It could even affect servers with firewalls, as long as they had print and file sharing enabled
● Infected millions of computers
● Spread by infected USB drives and over networks
● There were four versions of the Conficker worm:
○ Disabling anti-malware programs
○ Creating backdoors in firewalls
○ Communicating with other infected machines via peer-to-peer networks
● Conficker was supposed to do something on April 1, 2009, but nothing happened
● Experts were worried computers infected with Conficker would possibly:
○ Become a botnet
○ Create a criminal version of a search engine, copying private information from infected systems and then selling that information
○ Launch massive DDoS attacks
The payload
● Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
● Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
● Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
● Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
The damage
● Caused $9.1 billion in damages
● French fighter planes were grounded when they couldn’t download their flight plans
● In England, military systems were infected, including:
○ More than two dozen British Royal Air Force bases
○ 75% of the Royal Navy fleet
● The Manchester City Council IT system went down, rendering the city unable to process fines
● Computers and medical devices at hospitals in the US and the UK were infected
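Variant A's date-seeded domain list, described in the payload section above, is also what lets defenders respond: anyone who knows the algorithm can compute the same 250 names for a given day in advance, register or sinkhole them, and alert on DNS queries for them. The Python below is an added illustration and is not Conficker's real generator and not part of the original answer: it uses a toy SHA-256-based generator (the TLD list, the salt and the label lengths are invented) to derive a day's domains, then scans constructed resolver log lines for queries to any of them.

```python
"""Date-seeded domain generation and the matching defender check.

Added illustration. The generator is a toy (SHA-256 over the date plus a
constant salt); it is not Conficker's algorithm, and the TLD list, salt and
label lengths are invented. What it shares with the real thing is the
property that matters: every copy that runs it on the same date produces
the same list, so a defender can compute the list ahead of time."""
import hashlib
from datetime import date

TLDS = ("com", "net", "org", "info", "biz")  # five TLDs, like variant A (constructed list)
SALT = b"example-dga-salt"                   # constant baked into the toy generator


def daily_domains(day, count=250, tlds=TLDS):
    """Derive `count` domains for `day`, deterministically."""
    seed = hashlib.sha256(day.isoformat().encode() + SALT).digest()
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{tlds[h[-1] % len(tlds)]}")
    return domains


def flag_dga_queries(log_lines, day):
    """Return (line_number, qname) for every query to one of that day's domains.

    Constructed resolver log format, one record per line:
    <timestamp> <client_ip> query <qname> <qtype>
    Names are lower-cased and a trailing dot is dropped before matching."""
    watch = set(daily_domains(day))
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in watch:
                hits.append((n, qname))
    return hits


def build_sample_log(day):
    """Constructed resolver log for `day`: benign queries plus two lookups of
    that day's generated names (one upper-cased with a trailing dot)."""
    gen = daily_domains(day)
    t = day.isoformat()
    return [
        f"{t}T09:00:01 10.1.2.3 query www.example.com A",
        f"{t}T09:00:02 10.1.2.3 query {gen[3]} A",
        f"{t}T09:00:03 10.1.2.9 query mail.example.org MX",
        f"{t}T09:00:04 10.1.2.3 query {gen[17].upper()}. A",
        f"{t}T09:00:05 10.1.2.3 response www.example.com 93.184.216.34",
    ]


if __name__ == "__main__":
    day = date(2009, 4, 1)
    for line_no, qname in flag_dga_queries(build_sample_log(day), day):
        print(f"line {line_no}: query for generated domain {qname}")
```

The check normalizes case and the trailing dot because resolver logs often record names that way; a watch list built from the generator for today and tomorrow, fed into the resolver's blocklist, is the sinkholing approach the Conficker Working Group used at scale.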
2) [1½ points] Besides WireShark, what other tools are available to enable packet sniffing?
1. Describe at least two that are freely available on your favorite OS. (include URL)
2. What features do they offer over WireShark and vice versa?
Answer here: Minimum 250 words for each of two in (a). Be sure to answer (b) for each.
Word count: 386 and 569
Windows OS
Tool 1:
SolarWinds Network Performance Monitor:
A Packet Sniffer is a piece of software or tool that analyzes and tracks inbound and outbound packets, monitors the network traffic, intercepts packets and records the path taken by each packet. It is also used to monitor the traffic of your servers, routers/switches, and other network hardware used in the company. The information gathered from a Packet Sniffer significantly helps a Network Administrator troubleshoot and fix network errors in a shorter span of time, by understanding what is going over the wire as well as the sources and destinations.
SolarWinds is a packet sniffing tool which gives many options, including the Deep Packet Inspection and Analysis Tool that is part of the Bandwidth Analyzer Pack. The Deep Packet Inspection and Analysis tool offers critical packet information.
NPM leverages DPI to capture packet-level data across your network by accessing managed Windows devices and drawing on installed sensors. Within NPM’s Quality of Experience module, you can use the step-by-step “wizard” to deploy sensors and select pre-configured or custom applications to monitor.
It inspects all the contents of the packet to determine even the smallest detail, including which applications cause the most traffic within the network and which connections take the longest, thereby diagnosing bottlenecks in slow internet/network connectivity. It can also detect and resolve minor network performance issues. NetFlow Traffic Analyzer can determine the users and the specific applications that consume the most bandwidth within the network. It can also analyze flow data such as Cisco® NetFlow™, IPFIX, sFlow®, Huawei NetStream™, Juniper® J-Flow, etc.
Some of the features it offers over WireShark:
● Pinpointing High Bandwidth Users/Applications
● Troubleshooting Network Connectivity Issues
● Resolving DNS Issues
● Capacity Planning
● Malware Analysis and Prevention
● Active and Passive IDS and IPS
● Categorize traffic types across your network
● Set custom, automated packet scanner alerts
● Spot potential security threats
● Leverage a built-in network packet analyzer
● Gain access to an intuitive, centralized dashboard
b) It only runs on Windows, whereas WireShark runs on every platform. It gives us a map of the network setup and one console to see the entire network.
It is very extensible with SWQL and APIs, to the point where we can begin to integrate it with network automation. It also helps in monitoring the availability of the routers, switches, servers and virtual environments.
Source: https://www.solarwinds.com https://www.dnsstuff.com/packet-sniffers
Tool 2: SmartSniff
SmartSniff is another network packet sniffer tool which is free for Windows. SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. You can view the TCP/IP conversations in ASCII mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP) or as a hex dump (for non-text-based protocols, like DNS).
Methods provided by SmartSniff for capturing TCP/IP packets:
● Raw Sockets (only for Windows 2000/XP or greater): Allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems.
● WinPcap Capture Driver: Allows you to capture TCP/IP packets on all Windows operating systems (Windows 98/ME/NT/2000/XP/2003/Vista). In order to use it, you have to download and install the WinPcap Capture Driver from its Web site. (WinPcap is a free open-source capture driver.)
● Microsoft Network Monitor Driver (only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to install it manually, using one of the following options:
○ Option 1: Install it from the CD-ROM of Windows 2000/XP according to the instructions on the Microsoft Web site
○ Option 2 (XP only): Download and install the Windows XP Service Pack 2 Support Tools. One of the tools in this package is netcap.exe. When you run this tool for the first time, the Network Monitor Driver will automatically be installed on your system.
● Microsoft Network Monitor Driver 3: Microsoft provides a new version of the Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic.
○ The new version of Microsoft Network Monitor (3.x) is available to download from the Microsoft Web site.
SmartSniff allows you to easily export the captured data for using it in other applications:
● The upper pane: you can select one or more items in the upper pane, and then copy them to the clipboard (you can paste the copied items into Excel or into a spreadsheet of OpenOffice.org) or save them to a text/HTML/XML file (by using ‘Save Packet Summaries’).
● The lower pane: you can select any part of the TCP/IP streams (or select all text, by using Ctrl+A), copy the selected text to the clipboard, and then paste it into Notepad, Wordpad, MS-Word or any other editor. When you paste the selected streams into a document of Wordpad, OpenOffice.org, or MS-Word, the colors are also transferred. You can also export the TCP/IP streams to a text file, HTML file, or raw data file, by using the “Export TCP/IP Streams” option.
● Process information is only displayed for TCP packets (it doesn’t work with UDP).
● Process information may not be displayed for TCP connections that closed after a short period of time.
● Retrieving process information consumes more CPU resources and may slow down your computer. It’s not recommended to use this feature if you have intensive network traffic.
● Process information is currently not saved in the ssp file.
b)
● It is very simple to use.
● It is for Windows only, whereas WireShark runs on Windows, Mac and Linux.
● Standalone app; no need to install, just run and use it.
● It can be used with or without the WinPcap driver, whereas WireShark needs packet capturing drivers installed.
Source: https://www.snapfiles.com/get/smartsniff.html
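What SmartSniff's description above amounts to, showing captured TCP/IP packets as client/server conversations in ASCII or hex-dump form, can be reduced to a short decoder. The Python below is an added example, not SmartSniff's code and not part of the original answer: it parses raw IPv4/TCP packets, groups data-carrying segments into conversations (the first sender seen is taken as the client), and renders each payload as text when it is printable and as a hex dump otherwise. The capture is constructed in-script (the addresses, ports, HTTP exchange and DNS query are invented, and checksums are left at zero), so it runs offline without any capture driver.

```python
"""Decode raw IPv4/TCP packets into client/server conversations.

Added illustration of what a packet sniffer's conversation view does; the
packets below are constructed in-script (addresses, ports and payloads are
invented, checksums are left at zero), so nothing is read from a live
interface."""
import socket
import struct
from collections import OrderedDict


def build_ipv4_tcp(src, dst, sport, dport, payload, flags=0x18):
    """Build a raw IPv4 + TCP packet (no link-layer header) for the sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(raw):
    """Return addresses, ports, flags and payload of an IPv4/TCP packet,
    or None for anything else (non-IPv4, non-TCP, truncated)."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6 or len(raw) < ihl + 20:          # protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    start, end = ihl + data_off, min(total_len, len(raw))
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x1FF, "payload": raw[start:end]}


def conversations(packets):
    """Group segments carrying data by endpoint pair; the first sender seen
    is treated as the client. Direction is '->' client-to-server, '<-' back."""
    convs = OrderedDict()
    for raw in packets:
        p = parse_packet(raw)
        if p is None or not p["payload"]:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = tuple(sorted([a, b]))                 # same key for both directions
        conv = convs.setdefault(key, {"client": a, "server": b, "segments": []})
        conv["segments"].append(("->" if a == conv["client"] else "<-", p["payload"]))
    return convs


def is_text(payload):
    """True when every byte is printable ASCII or CR/LF/TAB."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in payload)


def hexdump(data, width=16):
    """Classic offset / hex bytes / ASCII-gutter dump."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexs:<{width * 3}} {asc}")
    return "\n".join(lines)


def render(payload):
    """ASCII for text-based protocols (HTTP, SMTP, ...), hex dump otherwise."""
    return payload.decode("ascii") if is_text(payload) else hexdump(payload)


def build_sample_capture():
    """Constructed capture: an HTTP request/response, a pure ACK with no data,
    a binary DNS-over-TCP query for example.com, and a non-TCP (UDP) datagram."""
    http_req = build_ipv4_tcp("10.0.0.5", "93.184.216.34", 51000, 80,
                              b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    http_ack = build_ipv4_tcp("93.184.216.34", "10.0.0.5", 80, 51000, b"", flags=0x10)
    http_resp = build_ipv4_tcp("93.184.216.34", "10.0.0.5", 80, 51000,
                               b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    dns_query = build_ipv4_tcp("10.0.0.5", "10.0.0.1", 51001, 53, bytes.fromhex(
        "001d12340100000100000000000007" "6578616d706c65" "03636f6d" "00" "0001" "0001"))
    udp = http_req[:9] + b"\x11" + http_req[10:]   # same bytes, protocol field set to UDP
    return [http_req, http_ack, http_resp, dns_query, udp]


SAMPLE_CAPTURE = build_sample_capture()

if __name__ == "__main__":
    for conv in conversations(SAMPLE_CAPTURE).values():
        print(f"== {conv['client']} <-> {conv['server']}")
        for direction, payload in conv["segments"]:
            print(direction, render(payload), sep="\n")
```

Run as a script it prints the HTTP exchange as readable text and the DNS query as a hex dump, which is exactly the split SmartSniff makes between its ASCII and hex-dump views; the empty ACK and the UDP datagram are dropped, since the conversation view only shows TCP segments that carry data.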