techwithterrence/azure-network-protocols

Traffic Examination

PROJECT SUMMARY -

Wireshark, Firewalls|Network Security Groups (NSGs) and Inspecting Traffic Between Azure Virtual Machines

In this tutorial, we observe network traffic to and from Azure Virtual Machines with Wireshark and experiment with Network Security Groups. We will also take a look at some of the protocols that are used and can be viewed from Wireshark.

Environments and Technologies Used

  • Microsoft Azure (Virtual Machines/Compute)
  • Remote Desktop
  • Various Command-Line Tools
  • Various Network Protocols (SSH, RDP, DNS, HTTP/S, ICMP)
  • Wireshark (Protocol Analyzer)

Operating Systems Used

  • Windows 10 (21H2)
  • Ubuntu Server 20.04

Follow My Steps Below!

Part 1 (Create our Resources)

  1. Create a Resource Group

  2. Create a Windows 10 Virtual Machine (VM)
     a. While creating the VM, select the previously created Resource Group
     b. While creating the VM, allow it to create a new Virtual Network (Vnet) and Subnet

  3. Create a Linux (Ubuntu) VM
     a. While creating the VM, select the previously created Resource Group and Vnet

  4. Observe Your Virtual Network within Network Watcher

Part 2 (Observe ICMP Traffic)

  1. Use Remote Desktop to connect to your Windows 10 Virtual Machine

  2. Within your Windows 10 Virtual Machine, install Wireshark

  3. Open Wireshark and filter for ICMP traffic only

  4. Retrieve the private IP address of the Ubuntu VM and attempt to ping it from within the Windows 10 VM
     a. Observe ping requests and replies within Wireshark

  5. From the Windows 10 VM, open the command line or PowerShell and attempt to ping a public website (such as www.google.com) and observe the traffic in Wireshark

  6. Initiate a perpetual/non-stop ping from your Windows 10 VM to your Ubuntu VM
     a. Open the Network Security Group your Ubuntu VM is using and disable incoming (inbound) ICMP traffic
     b. Back in the Windows 10 VM, observe the ICMP traffic in Wireshark and the command line ping activity
     c. Re-enable ICMP traffic for the Network Security Group your Ubuntu VM is using
     d. Back in the Windows 10 VM, observe the ICMP traffic in Wireshark and the command line ping activity (should start working)
     e. Stop the ping activity
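
Why the ping stops when inbound ICMP is disabled in the Network Security Group and resumes when it is re-enabled: an NSG evaluates rules in priority order (lowest number first) and stops at the first match. The sketch below is an added example, not part of the original lab; it models only protocol, destination port and source service tag, and the custom rule's name and priority are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    protocol: str   # "Icmp", "Tcp", "Udp" or "*"
    dest_port: str  # a single port or "*"
    source: str     # service tag such as "VirtualNetwork", or "*"
    access: str     # "Allow" or "Deny"

# Azure's built-in inbound rules, present in every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "*", "*", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "*", "AzureLoadBalancer", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

# Constructed stand-in for the deny rule added to the Ubuntu VM's NSG
# (name and priority are assumptions, not values from the lab).
DENY_ICMP = Rule(200, "DenyIcmpInbound", "Icmp", "*", "*", "Deny")

def evaluate(rules, protocol, dest_port, source_tag):
    """Return (access, rule name) for the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if r.dest_port not in ("*", str(dest_port)):
            continue
        if r.source not in ("*", source_tag):
            continue
        return r.access, r.name
    return "Deny", "no matching rule"

if __name__ == "__main__":
    cases = (("Icmp", "*"), ("Tcp", 22))  # ping and SSH from the Windows VM
    for label, rules in (("default rules", DEFAULT_INBOUND),
                         ("with ICMP deny", DEFAULT_INBOUND + [DENY_ICMP])):
        for proto, port in cases:
            print(label, proto, port, evaluate(rules, proto, port, "VirtualNetwork"))
```

The deny rule matches ICMP before the default AllowVnetInBound rule is reached, while SSH on port 22 between the two VMs still falls through to that default allow.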

Part 3 (Observe SSH Traffic)

  1. Back in Wireshark, filter for SSH traffic only

  2. From your Windows 10 VM, “SSH into” your Ubuntu Virtual Machine (via its private IP address)
     a. Type commands (username, pwd, etc.) into the Linux SSH connection and observe SSH traffic spam in Wireshark
     b. Exit the SSH connection by typing ‘exit’ and pressing [Enter]

Part 4 (Observe DHCP Traffic)

  1. Back in Wireshark, filter for DHCP traffic only

  2. From your Windows 10 VM, attempt to issue your VM a new IP address from the command line (ipconfig /renew)
     a. Observe the DHCP traffic appearing in Wireshark

Part 5 (Observe DNS Traffic)

  1. Back in Wireshark, filter for DNS traffic only

  2. From your Windows 10 VM within a command line, use nslookup to see what google.com and disney.com’s IP addresses are
     a. Observe the DNS traffic being shown in Wireshark

Part 6 (Observe RDP Traffic)

  1. Back in Wireshark, filter for RDP traffic only (tcp.port == 3389)

  2. Observe the immediate non-stop spam of traffic. Why do you think it’s non-stop spamming vs only showing traffic when you do an activity?
     a. Answer: because RDP (the protocol) is constantly showing you a live stream from one computer to another, therefore traffic is always being transmitted

Lab Cleanup (DON’T FORGET THIS)

  1. Close your Remote Desktop connection

  2. Delete the Resource Group(s) created at the beginning of this lab

  3. Verify Resource Group Deletion
