Secure Systems Engineering, Fall 2024

Lab 5

Please read this description in its entirety before starting the lab!

Introduction

Transport Layer Security (TLS) is the most important security protocol on the Internet today, protecting the communications of billions of people every day. In this lab, we will dive into the world of TLS through Wireshark, a powerful network sniffer. With Wireshark, we will dissect network traffic, analyze TLS traffic, and expose potential vulnerabilities along the way.

Learning objectives

In this lab, you will:

Helpful resources

Lab setup

We will be using Wireshark for this lab. Wireshark allows us to visualize the flow of packets over your computer’s (or, in this case, virtual machine’s) network link. To run a Wireshark capture, perform the following steps:

  1. Open Wireshark.
  2. Click on “Capture > Interfaces”. A pop-up window will appear.
  3. You’ll want to capture traffic that goes through your ethernet driver. Click on the Start button to capture traffic via this interface.
  4. Perform the network action you wish to investigate.
  5. After completing the action, go back to your Wireshark screen and press the stop button to stop capturing.

Starter code

The code and Wireshark traces can be found in the lab’s GitHub repository.

Part 1: Plain old HTTP

Our first task will be investigating how standard HTTP traffic (i.e., without TLS) behaves. Because the vast majority of traffic on the Internet now uses TLS, we’ll have to take a look at a host specifically using HTTP only. 

Open the Wireshark capture http.pcap.

Take a look through the Wireshark capture. What do you see? Try to use Wireshark’s filtering capabilities to search for the web traffic we just generated (hint: try http). Try to dissect the packets — looking through their different layers — until you can find the data you requested. Think about what this cleartext communication means for communications security and privacy.

As you go through this part, answer the following questions:

  1. Where is the webpage data in your Wireshark trace from Part 1? Include a screenshot in your response.

Part 2: Putting the S in HTTPS

The GitHub repository contains a file, handshake.py. It makes TLS connections and prints out the certificate of the server. It is invoked as follows:

$ python3 handshake.py example.com

where you replace example.com with your host.

Open https.pcapng. This file was generated using handshake.py.

As you go through this part, answer the following questions:

  1. In the TLS client, handshake.py, what is the purpose of /etc/ssl/certs?
  2. How does the HTTPS Wireshark trace in Part 2 differ from the HTTP Wireshark trace in Part 1?
  3. How are the TLS and TCP handshakes related?
  4. Compare and contrast the information exchanged in the ClientHello and ServerHello messages in Part 2. What cipher suite is agreed upon between the client and server?
  5. Analyze the content of encrypted application data (if possible) in your Part 2 trace and discuss any privacy implications. Include a screenshot in your response.

Part 3: Epic fail

Now, open the Wireshark capture fail.pcapng, and take a look through the trace.

As you go through this part, answer the following question:

  1. Use Wireshark to show why the TLS connection in this part fails. Include a screenshot in your response.
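To make the structure Wireshark shows you in Parts 2 and 3 concrete, here is an added example (not the lab’s handshake.py and not from the course repository) that dissects single TLS records by hand: the list of cipher suites a ClientHello offers, the one suite a ServerHello selects, and the level/description pair in an Alert record. The byte strings are constructed samples with zeroed randoms and empty extensions, not taken from the lab captures.

```python
import struct
# Added example, not the lab's handshake.py. Subset of IANA cipher suite codes;
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version"}

def parse_hello(hs):
    """Parse a ClientHello (type 1) or ServerHello (type 2) handshake message."""
    htype, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    msg = hs[4:4 + hlen]
    version = struct.unpack("!H", msg[:2])[0]
    pos = 34 + 1 + msg[34]            # skip legacy_version, random, session_id
    if htype == 1:                    # ClientHello offers a list of suites
        n = struct.unpack("!H", msg[pos:pos + 2])[0]
        codes = struct.unpack("!%dH" % (n // 2), msg[pos + 2:pos + 2 + n])
    elif htype == 2:                  # ServerHello selects exactly one
        codes = struct.unpack("!H", msg[pos:pos + 2])
    else:
        raise ValueError("not a Hello message")
    return {"msg": "ClientHello" if htype == 1 else "ServerHello",
            "version": "0x%04x" % version,
            "suites": [CIPHER_SUITES.get(c, "0x%04x" % c) for c in codes]}

def dissect(record):
    """Dissect one TLS record: 5-byte header, then a type-specific payload."""
    ctype, ver, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if ctype == 22:                   # handshake
        return parse_hello(payload)
    if ctype == 21:                   # alert: level byte + description byte
        return {"msg": "Alert", "level": "fatal" if payload[0] == 2 else "warning",
                "description": ALERTS.get(payload[1], str(payload[1]))}
    if ctype == 23:                   # application data stays opaque ciphertext
        return {"msg": "ApplicationData", "length": length}
    return {"msg": "content_type_%d" % ctype}

def handshake_record(htype, msg):
    """Wrap a Hello body in handshake + record headers (builds the samples below)."""
    hs = bytes([htype]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample records (zeroed randoms, empty session ids and extensions).
CLIENT_HELLO = handshake_record(1, b"\x03\x03" + bytes(32) + b"\x00"
                                + b"\x00\x06\x13\x01\x13\x02\xc0\x2f" + b"\x01\x00\x00\x00")
SERVER_HELLO = handshake_record(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00\x00\x00")
FATAL_ALERT = b"\x15\x03\x03\x00\x02\x02\x2e"   # fatal alert, certificate_unknown (46)
```

Run `dissect()` on each sample and compare the fields it returns with the same fields in Wireshark’s TLS pane; an Alert record with level “fatal” is the kind of packet that ends a failed handshake.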

Part 4: The future

Open the Wireshark capture future.pcapng, and take a look through the trace.

As you go through this part, answer the following question:

  1. How does the Wireshark trace for this part compare to the trace in Part 2? Be specific.

Part 5: Comprehension & reflection

After you complete the lab, answer the following questions:

  1. How did capturing network traffic using Wireshark differ from your expectations?
  2. What was the most challenging aspect of identifying and interpreting TLS messages within the capture?
  3. What ethical considerations arise when capturing and analyzing network traffic?

What to turn in

Your repository for this lab should contain the following by the due date:

Only one submission per group is necessary. Blackboard is set up with randomly selected groups for this lab.