Help required for the attached assignment.
In this project, students will get familiar with reading packet captures (PCAP) and some standard
man-in-the-middle techniques. This is where a malicious user puts themselves in the middle of a
conversation between another user and an application and eavesdrops on all the traffic. Students will
familiarize themselves with Layer 2 – 7 network traffic and how to analyze network traffic using
Wireshark, a network protocol analyzer, and its libraries such as pyShark.
The assignment documentation and instructions are at the following link:
Part 1 PCAP is available at:
1.amazonaws.com/MITM/mitm_2025.pcap
Part 2 Programming Assignment is available at:
MITM/PCAP
Learning Goals of this Project:
Students will get familiar with packet capture (PCAP) reading and some common man-in-the-middle
techniques. This is where a malicious user puts themselves in the middle of the conversation with
another user or application and eavesdrops on all the traffic. Some papers which demonstrate this
concept are the following:
Man-In-The-Middle Attack in Wireless and Computer Networking- A review
Detection of man-in-the-middle attacks using physical layer wireless security techniques
On the Feasibility of Large-Scale Infections of iOS Devices
Students will familiarize themselves with Layer 2 – 7 network traffic and how to analyze network
traffic using Wireshark, a network protocol analyzer, and its libraries such as pyShark.
For more details about Wireshark you can visit
For details about pyShark and tshark you can visit
Students will also familiarize themselves with application layer protocols such as HTTP and IRC.
If you are not familiar with HTTP, we strongly recommend you learn about the protocol,
methods, and requests. You can find a good introduction at Mozilla’s developer
page and Sam Barros’ Medium page
IRC was a very common protocol in the early 2000s. For its simplicity and efficiency it is still
in use in multiple settings. Several botnets use it for Command and Control (C&C) and
hacking groups still rely on IRC to exchange information. You can read more and get familiar
by reading this Medium article.
Finally, this is a graduate course. So it is expected that students will research and understand how
these network protocols work by reviewing their RFCs:
RFC1459 (Internet Relay Chat Protocol):
RFC2616 (Hypertext Transfer Protocol):
The final deliverables:
There are two deliverables for this project, each under its own Gradescope assignment named
Man in the Middle – PCAP Analysis and Man in the Middle – Programming Assignment.
Man in the Middle – PCAP Analysis: A single JSON file named project_mitm.json. A
template can be found below. Please see Submission Details for more information. This
submission consists of Flag 1 to Flag 5.
Man in the Middle – Programming Assignment: The modified pcapanalysis.py file with the three
new functions described under Flag 6. This submission consists of Flag 6 only. Please see Submission
Details for more information.
Important Reference Material:
YouTube video from our TA Renan showing how to install dependencies for Flag 6 and a
short example
Official Wireshark Guide
Read the RFCs provided.
If you have no experience with networking or application layer protocols, we STRONGLY
encourage you to research those topics. There are many great resources online like Google
and YouTube.
Submission:
Gradescope (autograded). Please See Submission Details for more information.
Requirements
Wireshark
Python3 – Download Python
Pyshark Library –
TShark –
Ensure you have nslookup installed on your OS (DNSUtils); it should be installed by default on any Windows,
macOS or Linux environment.
Packet Capture – Part 1:
The packet capture can be downloaded from Canvas.
Programming Assignment – Part 2:
The programming assignment .zip, including pcapanalysis.py and the corresponding pcap, can be
downloaded from Canvas.
Hint: You can watch the YouTube video from our IA Renan showing how to install dependencies for
Flag 6.
File submission instructions:
These are the instructions for how the Attorney General needs you to submit your findings.
This project needs to be submitted via Gradescope. Navigate to the course in Canvas and click
‘Gradescope’. On the Gradescope website, click ‘Project MITM’ and submit there. For this project
there is a limit of 10 submissions for both sections. Section 1 contains Flags 1-5 and Section 2
is the Programming Assignment, which contains Flag 6.
Man in the Middle – WireShark Assignment – Max of 85 points
There is a limit of 10 submissions for this assignment.
Name your submission file: project_mitm.json. In addition, ensure you replace the placeholders
with the flags you retrieve from each relevant task.
Note: You can use Notepad++/TextEdit or Vim to create and edit this file. IMPORTANT: Do not use
LibreOffice, Word, or any similar document editor. Your submission must be in proper JSON format
with no special characters in order to pass the autograder; these document editors are likely to
introduce special characters (such as curly quotes) that will make your submission fail the autograder.
Here is an example of the provided JSON file:
{
  "task1.1": "<copy flag 1 here>",
  "task1.2": "<copy flag 2 here>",
  "task1.3": "<copy flag 3 here>",
  "task1.4": "<copy flag 4 here>",
  "task1.5": "<copy flag 5 here>",
  "task2.1": "<copy flag 6 here>",
  "task2.2": "<copy flag 7 here>",
  "task2.3": "<copy flag 8 here>",
  "task2.4": "<copy flag 9 here>",
  "task3.1": "<copy flag 10 here>",
  "task3.2": "<copy flag 11 here>",
  "task3.3": "<copy flag 12 here>",
  "task3.4": "<copy flag 13 here>",
  "task4.1": "<copy flag 14 here>",
  "task4.2": "<copy flag 15 here>",
  "task4.3": "<copy flag 16 here>",
  "task4.4": "<copy flag 17 here>",
  "task4.5": "<copy flag 18 here>",
  "task4.6": "<copy flag 19 here>",
  "task5.1": "<copy flag 20 here>",
  "task5.2": "<copy flag 21 here>",
  "task5.3": "<copy flag 22 here>"
}
And here is an example of how your submitted file should look (note: these are example values only;
none of them are correct):
{
  "task1.1": "something.something.something",
  "task1.2": "BigBird,CookieMonster,OscarTheGrouch",
  "task1.3": "#WOW",
  "task1.4": "a12342342bcde393202013434",
  "task1.5": "Atlantis",
  "task2.1": "maliciousactor",
  "task2.2": "somefile.extension",
  "task2.3": "something",
  "task2.4": "a123242342342342342934234",
  "task3.1": "something.something",
  "task3.2": "192.168.1.10",
  "task3.3": "ns-something-something.something.something",
  "task3.4": "abcdef1234567890953453434",
  "task4.1": "192.168.8.7",
  "task4.2": "something",
  "task4.3": "something",
  "task4.4": "something",
  "task4.5": "something",
  "task4.6": "12123123129413249121249aa",
  "task5.1": "tr95843fkdspugr8euyre0gfd",
  "task5.2": "something",
  "task5.3": "58437594ejgfdiohr8e054309"
}
Man in the Middle – Programming Assignment – Max of 15 points
There is a limit of 10 submissions for this assignment.
To submit, name your submission file pcapanalysis.py and wait for the code to execute. There are
only three tests. Your grade will be displayed within a few seconds or minutes, depending on how
many submissions are being evaluated at the time.
Submission Reminder
If you go over the submission limit, you are responsible for activating the submission you want to
be graded. The TAs will not do this for you.
Canvas will show no grades until we export them from gradescope to canvas. This will only be done
once all extensions are finalized.
Background and Setup
The Necrocryptors (TNC) is a hacking group known for multiple data leaks and has been active at
underground forums selling personally-identifiable information (PII) and credit card data stolen
from vulnerable websites.
Recently, TNC led a DDoS campaign against multiple targets in the United States, leading to a
Federal Investigation by the National Cyber Investigative Joint Task Force (NCIJTF). This
investigation was coordinated by the FBI Cyber Crime division and after months of undercover
investigation, NCIJTF was able to capture unencrypted communication between members of TNC.
While NCIJTF did not disclose how this communication was captured, we can infer that either it
came from an insider member of the organization or a sophisticated attack led by NCIJTF allowed
this communication to be captured.
In this project, you are playing the role of Mark, an FBI agent from the Cyber Crime division.
You walk into the office, just back from a nice vacation in the Bahamas, and pour some coffee from
the shared pot near your cubicle when you hear, “Mark! Great to see you are back! Come over to my
desk right now, we need to talk.” It’s your boss, Bill. You think to yourself, Geez! I just came back.
This guy doesn’t give me a break.
You take your coffee to Bill’s office, close the door and listen as Bill starts.
“Mark, I have a task for you. We finally got our hands on some incriminating evidence against TNC.
With this pile of evidence, the Attorney General is on my neck to bring those guys to justice. But we
need some strong evidence of criminal activity that can’t be disputed in court.”
“Okay…” My wife told me to take some extra days off, but no. I had to come back today…
“I’m sending the packet your way,” Bill says, “You have one week to analyze the data and find clear
evidence of criminal activity. The Attorney General sent us a list of things they are looking for. It’s all
on your desk.”
“Sounds good, boss. It’s great to be back.”
You leave his desk, take a sip of coffee and go back to your computer. No time to slowly get up to
speed, you think, but that’s OK. I’m excited to help take TNC down.
Flag 1 (5 points)
Your first task is to figure out where the hackers are spending their time and gather some evidence
for the Attorney General. This will also give you a good overview of Wireshark filters.
The Attorney General needs some evidence of The Necrocryptors’ associates and where the group
meets.
For this, you need to gather the following information:
Task 1.1
Based on the provided packet capture (pcap) file, identify the server address used by the
hackers to communicate.
o Example: irc.someplace.net
o Points: 1
Task 1.2
Based on the provided packet capture (pcap) file, identify the nicknames of the malicious
actors involved in the conversation. List the nicknames in the order they appear in the
conversation following the format below:
o Example: firstactor,secondactor,thirdactor
o Points: 1
Task 1.3
Based on the provided packet capture (pcap) file, identify the channel the malicious actors
use to communicate. Remember, channel names always start with #, so include # in your
answer.
o Example: #WOW
o Points: 1
Task 1.4
Based on the provided packet capture (pcap) file, identify the hash used by the malicious
actor to validate its identity.
o Example: a12342342bcde393202013434
o Points: 1
Task 1.5
Based on the pcap file provided, analyze the network traffic to determine the potential origin
country of the last identified malicious actor. Consider the IP addresses and any geolocation
data. Provide the name of the country.
o Example: Atlantis
o Points: 1
Flag 2 (27 points)
Your second task will require you to recover a payload from the conversation. There are multiple
ways to do this. You can use Wireshark, pyShark or any other library available.
As part of the evidence gathering, the Attorney General needs concrete evidence of malicious
intent. For Task 2, you will need to review the conversation between members of TNC and gather
incriminating data from this conversation.
Task 2.1
Based on the provided pcap file, identify which malicious actor initiated a private chat
during the conversation.
o Example: maliciousactor
o Points: 2
Task 2.2
Based on the provided pcap file, identify the name of the file transferred by one hacker to
another via IRC DCC (including extension).
o Example: somefile.extension
o Points: 5
Task 2.3
Based on the provided pcap file, determine the encryption method or algorithm used to
encrypt the file transferred between the hackers (just the 3-letter name).
o Example: something
o Points: 4
Task 2.4
If you decrypt and run the file, you’ll get a unique hash based on your ID (I will provide).
What is the hash generated?
o Example: a123242342342342342934234
o Points: 16
Flag 3 (21 points)
The Attorney General lets you know that they think there is a web server in here that is phishy and is
spitting out long numbers and letters. The Necrocryptors hacking group is known to play tricks with
these values. The Attorney General needs the following information to track the folks operating the
website:
Task 3.1
The site domain name (Record just the site’s domain name and the top-level-domain (TLD)
name, with the period. E.G: something.hostname.tld)
o Example: something.something.something
o Points: 2
Task 3.2
What is the public IP address?
o Example: 192.168.1.10
o Points: 2
Task 3.3
The primary nameserver for this domain (You may need to look outside the pcap for this
information. Think about tools that will give you the nameserver data for a specific domain)
o Example: ns-something-something.something.something
o Points: 6
Task 3.4
The hash provided by entering your ID in the field (i.e. 9021042) (NOTE: The website is real
and safe to access)
o Example: abcdef1234567890953453434
o Points: 11
Flag 4 (27 points)
The Attorney General is impressed by you but says they believe the group is also using another
server to host a malicious file. It appears that one of the hackers recently accessed this server and
downloaded a file from it. As a last minute request, the Attorney General is asking you to investigate
what this file is, and where it is hosted.
Task 4.1
What is the IP address for the server in question?
o Example: 192.168.8.7
o Points: 2
Task 4.2
What is the username used to log in to the server?
o Example: something
o Points: 4
Task 4.3
What is the password used to log in to the server?
o Example: something
o Points: 4
Task 4.4
One file is downloaded from the server; what is the file name?
o Example: something
o Points: 3
Task 4.5
What is the programming language used to create this file?
o Example: something
o Points: 5
Task 4.6
If you run this file you’ll get a combined hash. What is the unique hash for your ID (i.e. I will
provide)?
o Example: 12123123129413249121249aa
o Points: 9
Flag 5 (5 points)
Even though you are exhausted from the prior exercises, the Attorney General has two more exercises for you to prove
you belong here and that he shouldn’t fire you despite your doing a good job. He mentions to you that the
hackers are getting smart and they have a website called
that has absolutely nothing to do with Azure Firewalls but everything to do with web application
firewalls.
Task 5.1
There is a flag labeled 5.1 that outputs a hash when you input in your ID (I will provide). Try to
find the page and recover the flag.
o Example: tr95843fkdspugr8euyre0gfd
o Points: 2
Task 5.2
From the main page on the website, click the blue box that says “Download the Zip”. When
you do, it downloads a file that is zipped and encrypted with a password. You have to use
the tool “John the Ripper” to crack the encryption to find the password. What is the
password for your file?
o Hint: The password is seven digits long
o Points: 1
Task 5.3
When you use the password to unlock the file and unzip it, it contains a program. After you
run the program, what is the hash provided?
o Example: 58437594ejgfdiohr8e054309
o Points: 2
Suddenly, your phone rings. You see that the call is coming from Bill’s extension. You were ready to
head back home and watch Netflix. Here we go again…
“Mark, great job so far! I was thinking here. This will not be the last time you will be doing this
analysis on pcaps, so why don’t we start building a Python class with several methods to automate
some of the work for next time?” “When you say we, you are saying, why don’t I build this class,
right?” you say.
“Of course not! I already created some skeleton code to help you out. You just need to build 3
functions now,” Bill says.
“Oh, ok. Thank you Boss..”
As you hang up the call, Bill sends you via IM a zip file containing the Python class and an attack pcap
from a past incident so you can create the functions and test them.
Flag 6 (15 points)
For this task, you need to use the provided pcapanalysis.py and Flag6.pcap files to create three
functions. The snippet below shows where you need to code the functions and the expected return
value of each. You can create as many functions and variables as you need; however, the provided
functions need to return the expected output.
Function Skeleton
    # (methods inside the MITMProject class in pcapanalysis.py)

    # TODO:
    # Task 1: Return n being:
    # n = Number of ICMP Packets
    def icmp_count(self):
        n = 0
        # TODO: Implement me
        return n

    # TODO:
    # Task 2: Return r, a, being:
    # r = Number of ICMP Echo Requests
    # a = Number of ICMP Echo Replies
    def icmp_request_reply(self):
        r = 0
        a = 0
        # TODO: Implement me
        return r, a

    # TODO:
    # Task 3: Return m, n, being:
    # m = Most Common Destination MAC Address
    # n = Number of Occurrences
    def dest_mac(self):
        m, n = 0, 0
        # TODO: Implement me
        return m, n

if __name__ == '__main__':
    pcap_analysis = MITMProject()
    icmp_count = pcap_analysis.icmp_count()
    request, reply = pcap_analysis.icmp_request_reply()
    dest_mac, occurrences = pcap_analysis.dest_mac()
    print("Number of ICMP Packets : ", icmp_count)
    print("Number of ICMP Requests and Replies : ", request, reply)
    print("Most Common MAC Address and Number of Occurrences: ", dest_mac, occurrences)
To start, make sure that the package pyshark is installed on your system. Please review the pyshark
GitHub page to install the package and its dependency (tshark). When you open
pcapanalysis.py, make sure student_id is updated with your 9-digit ID:
        # TODO: Change this to YOUR ID!!!
        # This is your 9-digit ID
        self.student_id = '<your 9-digit ID>'  # (I will provide)
Do not modify the import statements. All you need to complete this assignment is there. New
imports may be ignored by the autograder and your code will fail.
Deliverables:
Task 6.1
Modify the def icmp_count(self): function so that it returns an integer, n, which represents
the number of ICMP packets in the flag6.pcap file.
Points: 3
Task 6.2
Modify the def icmp_request_reply(self): function to return r (the number of ICMP Echo
Requests as an integer) and a (the number of ICMP Echo Replies as an integer).
Points: 5
Task 6.3
Modify the def dest_mac(self): function to return m (the most common destination MAC
address as a string) and n (its number of occurrences as an integer).
Points: 7
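As an added, stand-alone illustration of the three computations Tasks 6.1–6.3 ask for (it is not the course's pcapanalysis.py, which must keep its pyshark imports): the class below reads raw classic-pcap bytes with only the standard library, classifies each frame by Ethernet type, IP protocol and ICMP type, and answers the same three questions over a constructed five-frame capture. PcapSummary, the build_frame/build_pcap helpers and the MAC addresses are all made up for this example.

```python
import struct
from collections import Counter

def build_frame(dst_mac, src_mac, ip_proto, payload):
    # Ethernet II + minimal IPv4 header + payload; checksums stay zero because
    # this constructed sample is only parsed, never sent.
    macs = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                     ip_proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return macs + b"\x08\x00" + ip + payload

def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, cksum, id, seq

def build_pcap(frames):
    # Classic little-endian pcap: 24-byte global header, 16-byte record headers.
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

class PcapSummary:
    def __init__(self, pcap_bytes):
        self.frames = list(self._records(pcap_bytes))
    @staticmethod
    def _records(data):  # yields the raw bytes of each captured frame
        end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
        off = 24
        while off + 16 <= len(data):
            incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
            yield data[off + 16:off + 16 + incl_len]
            off += 16 + incl_len
    @staticmethod
    def _icmp_type(frame):  # ICMP type of an IPv4/ICMP frame, else None
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            return None
        ihl = (frame[14] & 0x0F) * 4
        return frame[14 + ihl] if 14 + ihl < len(frame) else None
    def icmp_count(self):
        return sum(1 for f in self.frames if self._icmp_type(f) is not None)
    def icmp_request_reply(self):
        types = [self._icmp_type(f) for f in self.frames]
        return types.count(8), types.count(0)  # 8 = Echo Request, 0 = Echo Reply
    def dest_mac(self):
        macs = Counter(f[:6].hex(":") for f in self.frames if len(f) >= 14)
        return macs.most_common(1)[0]  # (mac, occurrences)

SAMPLE = build_pcap([  # constructed capture, not the course's Flag6.pcap
    build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", 1, icmp(8)),  # echo request
    build_frame("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01", 1, icmp(0)),  # echo reply
    build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", 1, icmp(8)),  # echo request
    build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", 1, icmp(3)),  # unreachable
    build_frame("aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:01", 17, bytes(8)),  # UDP, not ICMP
])
```

Note that the "unreachable" frame counts toward icmp_count but toward neither request nor reply, which is the distinction Task 6.1 and Task 6.2 hinge on; with pyshark the same three fields are exposed per packet as eth.dst, ip.proto and icmp.type.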