whitneydawson123/network-security-groups

Traffic Examination

Network Security Groups (NSGs) and Inspecting Traffic Between Azure Virtual Machines

In this tutorial, we observe various network traffic to and from Azure Virtual Machines with Wireshark as well as experiment with Network Security Groups.

Environments and Technologies Used

  • Microsoft Azure (Virtual Machines/Compute)
  • Remote Desktop
  • Various Command-Line Tools
  • Various Network Protocols (SSH, RDP, DNS, HTTP/S, ICMP)
  • Wireshark (Protocol Analyzer)

Operating Systems Used

  • Windows 10 (21H2)
  • Ubuntu Server 20.04

High-Level Steps

  • Internet Control Message Protocol (ICMP) Traffic
  • Secure Shell Protocol (SSH) Traffic
  • Dynamic Host Configuration Protocol (DHCP) Traffic
  • Domain Name System (DNS) Traffic
  • Remote Desktop Protocol (RDP) Traffic

Actions and Observations

Step 1 and Step 2

Create a Resource Group in Azure (I named mine RG-Lab-1), then create 2 virtual machines in it. One of them will run Windows 10 and the other Ubuntu Linux.


Step 3

Next, open Remote Desktop, paste the public IP address of the Windows 10 VM into it, and enter your username and password. Then, inside the VM, open Microsoft Edge and download and install Wireshark.


Step 4

Open Wireshark, click the blue shark fin at the top right to start capturing, and type icmp into the filter bar to show only ICMP traffic. This filter displays the echo request and echo reply messages, better known as ping. Open your Command Prompt (CMD) and enter ping followed by the private IP address of the Linux VM. Mine was 10.0.0.5. Then enter ping 10.0.0.5 -t. This command keeps pinging the server until you stop it, but we are going to block it with the firewall in the next step.


Step 5

Go to your Azure portal, search for Network Security Groups, and select the one associated with your Linux VM. For me that is VM-2. Go to Inbound Security Rules and add a rule that blocks all ICMP traffic.


Step 6

Go back to your Windows VM. The ping that is still running should start returning a "request timed out" response.


Step 7

Now, we are going to observe SSH traffic. Type ssh in the filter bar of Wireshark. In the Command Line, we are going to ssh into the Ubuntu VM. In my case, I entered ssh labuser@10.0.0.5, pressed Enter, answered yes to the host key prompt, and entered my password. You can now see traffic populating in Wireshark.
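
Why the ping in steps 5 and 6 stops while the SSH login in step 7 still works, as an added example that is not part of the original tutorial: a small Python model of how an NSG evaluates inbound rules in priority order, first match wins. The rule name Deny-ICMP-Inbound, its priority 200, the Windows VM address 10.0.0.4, and treating the VirtualNetwork tag as 10.0.0.0/16 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    protocol: str   # "Icmp", "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*"
    dest_port: str  # single port or "*"
    access: str     # "Allow" or "Deny"

# Assumption: the VirtualNetwork service tag is modelled as the lab VNet range only.
VNET = "10.0.0.0/16"

# Azure's default inbound rules (AllowAzureLoadBalancerInBound, 65001, left out for brevity).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "*", VNET, "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# The rule added in step 5; name and priority are hypothetical.
DENY_ICMP = Rule("Deny-ICMP-Inbound", 200, "Icmp", "*", "*", "Deny")

def matches(rule, protocol, src_ip, dest_port):
    if rule.protocol not in ("*", protocol):
        return False
    if rule.source != "*" and \
            ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source):
        return False
    # ICMP has no ports, so only a wildcard port rule can match it.
    if rule.dest_port != "*" and str(dest_port) != rule.dest_port:
        return False
    return True

def evaluate(rules, protocol, src_ip, dest_port=None):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, protocol, src_ip, dest_port):
            return rule.access, rule.name
    return "Deny", "no-match"

if __name__ == "__main__":
    windows_vm = "10.0.0.4"  # constructed private IP of the Windows VM
    for label, rules in (("before step 5", DEFAULT_RULES),
                         ("after step 5", DEFAULT_RULES + [DENY_ICMP])):
        print(label, "ping:", evaluate(rules, "Icmp", windows_vm))
        print(label, "ssh: ", evaluate(rules, "Tcp", windows_vm, 22))
```

Before the deny rule exists, the ping is permitted only because AllowVnetInBound matches traffic inside the virtual network; the custom rule wins afterwards because its priority number is lower.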


Step 8

Now, we are going to observe DHCP traffic. Type dhcp into the Wireshark filter bar, open the command line, and type ipconfig /renew. You should see traffic populating in Wireshark.


Step 9

Now we are going to observe DNS traffic. Type dns into the Wireshark filter bar, and use the command "nslookup www.google.com" in the command line. You should see traffic populating in Wireshark.


Step 10

Now we are going to observe RDP traffic. Instead of typing rdp into the Wireshark filter bar, we are going to enter tcp.port == 3389. You should see traffic constantly flowing, showing a live stream of packets. This is because both VMs are connected via RDP and any interaction will be recorded.

We've reached the end of this project. Thank you for reading!

