This lab will focus on using Wireshark to examine network traffic flowing between Azure Virtual Machines (VMs). We will also explore the functionality of Network Security Groups (NSGs).
In simpler terms, this lab will teach you how to use Wireshark to monitor network traffic between Azure VMs and how to use NSGs to control access to Azure VMs.
- Microsoft Azure (Virtual Machines/Compute)
- Remote Desktop
- Various Command-Line Tools
- Various Network Protocols (SSH, RDP, DNS, DHCP, HTTP/S, ICMP)
- Wireshark (Protocol Analyzer)
- Windows 10 Pro (22H2)
- Ubuntu Server 20.04
- Create Resource Group
- Create Virtual Machine in Windows and Linux
- Connect to VM1 using RDP (Remote Desktop Protocol)
- Download Wireshark on VM1 (Windows 10 Pro)
- Initiate a perpetual/non-stop ping from VM1 to VM2
- Create a Network Security Group in Azure to deny the perpetual/non-stop ping
- Observe SSH, DHCP, DNS, RDP, and ICMP traffic in Wireshark
- Log into VM2 using SSH
- Run Linux commands on VM2 over the SSH session
- Exit VM1
- Delete the Resource Group in Azure (this removes both VMs and their network resources)
To create the resource group, log into your Azure portal and click "Resource group" labeled box (1) in the image above. You can also click the search bar to search for "resource group".
Click the "Create" tab at the top left.
In the "Resource group" page, select your Microsoft Azure subscription as shown in box (1). Name your resource group "RG-LAB-02" as shown in box (2). For the region, select "(US) West US 3" as shown in box (3). Now, click the "Review + create" tab in the lower left labeled box (4).
You will see a "Validation passed" message. Click the "Create" tab at the lower left, labeled box (2), to create the resource group.
The "Resource group created" notification indicates that the resource group was created successfully. You will also see "RG-LAB-02" listed as an available resource group, as shown in the box labeled (2).
To create virtual machines, click the search bar and search for "virtual machines". Select "Virtual machines" labeled box (2)
Click "Create" tab, and then click "Azure virtual machines".
Select your Azure subscription, select the resource group "RG-LAB-02" we created, and name your virtual machine "VM1". For the region, select "(US) West US 3" and select "No infrastructure redundancy required" as the Availability option. For the Image, select "Windows 10 Pro, version 22H2 - x64 Gen2 (free services eligible)". For the Size, select "Standard_E2s_v3 - 2 vcpus, 16 GiB memory". We will use "labuser" as the VM1 username; set a password you will remember, since you will need it for RDP. Check the Licensing box, and click the "Networking" tab at the top.
In the networking section, the virtual network, subnet, and public IP will be automatically created for you. So make sure they all say "(new)". Then click "Review + create" tab at the lower left.
"Deployment is in progess" means that the virtual machine is being created.
"Your deployment is complete" means that the virtual machine has been created.
To create the Linux virtual machine, click the search bar and click "Virtual machines".
Click "Create", and then click "Azure virtual machine".
Select your Azure subscription and select "RG-LAB-02" for the Resource group
NOTE: We want to make sure that both virtual machines are in the same Resource group.
Name your virtual machine "VM2", for the virtual machine Region, select "(US) West US 3". For Availability options, select "No infrastructure redundancy required". For Image, select "Ubuntu server 20.04 LTS x64 Gen2 (free services eligible)". For Size, select "Standard_E2s_v3 - 2vcpus, 16 GiB memory". For the Authentication type, select "Password", and use "labuser" as your Username. Choose a unique password you can remember, and click the "Networking" tab at the top
Make sure your VM2 is on the same virtual network as VM1, which is "VM1-vnet". The Subnet and Public IP will be generated automatically, then click "Review + create" tab at the lower left.
You will see a "Validation passed" message. Click the "Create" tab at the lower left.
"Your deployment is complete" message means that VM2 has been created. Click the search bar and search for "virtual machines".
Click "Virtual machines".
We will now connect to VM1 using RDP (Remote Desktop Protocol). VM2 is reached later from inside VM1 over SSH.
Click "VM1".
Copy the Public IP of VM1
On your local computer, click the search bar, search for "remote desktop", and click "open" to open RDP.
Paste the VM1 public IP, and click Connect.
Click "More choices" > "Use a different account", type in VM1 username and password, and click the "Ok" button.
We are now connected to VM1, you can choose "No" for all the options as shown in the above image. Click the "Accept" button at the lower right to proceed.
Click the "Yes" button.
On your VM1 desktop, click the "Microsoft Edge" application to open it
Select "Start without your data" > "Confirm and continue" > "Continue without this data" > "Confirm and start browsing".
In the search bar, search for "wireshark download", and click Enter.
Click on the first link on the web page.
Click "Windows x64 Installer". When the download finishes, click the three dots (...) at the top right of the browser and click the downloaded Wireshark installer to proceed with installation.
Click "Next" > "Noted" > "Next" > "Next" > "Next" > "Next" > "Install" > "I Agree" > "Install" > "Next" > "Finish" > "Next" > "Finish".
You've now successfully installed Wireshark on your Windows 10 Pro VM.
In VM1, search for "Wireshark" on the search bar and click "Open".
Select "Ethernet" and click the blue wireshark icon at the top left to start capturing packets.
You can see the live traffic that is happening on our virtual machine.
Let's filter the traffic so that the packet list stops scrolling with everything on the wire.
Type "icmp" in the display filter bar below the toolbar, select "icmp" from the list of suggestions, and press "Enter" on your keyboard.
NOTE: ICMP (Internet Control Message Protocol) is a network-layer protocol that hosts and routers use to report errors and exchange control messages. The ping command uses two ICMP message types, echo request (type 8) and echo reply (type 0), to test connectivity to another host.
In this case, we will use it to test connectivity to VM2 by pinging VM2's private IP address.
Go back to your Azure portal and click VM2. Take note of VM2's private IP address.
Go back to VM1 remote desktop connection, search for "powershell" in the search bar, and click open.
In PowerShell, ping VM2's private IP address by typing "ping 10.0.0.5" (substitute VM2's private IP if yours differs) and pressing Enter.
The image above shows that our ping was successful, as indicated by the 4 replies we got from VM2 (10.0.0.5).
The ping statistics show 4 packets sent, 4 received, and 0 lost (0% loss).
You can also confirm this in Wireshark, which shows the source and destination IP addresses (VM1 and VM2) and the protocol used (ICMP). It also shows that four echo requests were sent and four echo replies were received.
Let's ping www.comptia.org (ping www.comptia.org -4). The -4 flag forces ping to resolve and use the IPv4 address of www.comptia.org instead of IPv6.
As you can see from the image above, we got 4 replies: 4 packets were sent, 4 received, and 0 lost.
In the Wireshark app, you can see the source and destination IP addresses of VM1 (10.0.0.4) and www.comptia.org (104.18.16.29).
We will now initiate a non-stop ping from VM1 to VM2.
Let's clear the current ICMP traffic by clicking the green symbol and selecting "Continue without Saving."
In PowerShell, initiate a non-stop ping to VM2 by typing "ping 10.0.0.5 -t". The -t flag keeps pinging until you stop it with Ctrl + C.
Non-stop pinging is now initiated.
Let's use VM2's Network Security Group (NSG) to block ICMP traffic. An NSG is enforced by the Azure network fabric at VM2's network interface, so it drops the packets before they ever reach VM2's operating system; it is not the guest firewall inside VM2.
Go back to your Azure portal and search for "network security group" in the search bar. Click "Network security groups".
From the above image, you can see both VMs have separate network security groups. Click "VM2-nsg" to open VM2's network security group.
In the "VM2-nsg" page, click "Inbound security rules".
NOTE: The "Inbound security rules" page allows us to deny inbound ICMP traffic so that it blocks the pings coming from VM1. We will create a new security rule that denies ICMP traffic.
Click the "Add" tab at the top of the page, leave "Source", "Source port ranges", "Destination", "Services" as default. For the Protocol, select "ICMP", you will notice the "Destination port ranges" changes to asterisk (*). For Action, select "Deny", and for Priority, type "200".
NOTE: Priority (100 to 4096 for custom rules) determines the order in which rules are evaluated. Rules are evaluated in ascending numeric order, and the first rule that matches the traffic decides the outcome; later rules are not consulted. So the lower the number, the higher the priority. Our Deny rule at 200 therefore wins over the default "AllowVnetInBound" rule at priority 65000, which is what allowed VM1's pings through until now.
Name the rule "DENY_ICMP_PING_FROM_ANYWHERE", and click the "Add" button. Go back to VM1 and observe the ping request and traffic.
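The first-match evaluation described in the priority note above, as an added Python model (this is example code written for this page, not the lab's own steps and not Azure's implementation). It carries the three inbound rules every NSG has by default (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) plus the DENY_ICMP_PING_FROM_ANYWHERE rule from the lab, and evaluates a flow by walking the rules in ascending priority and stopping at the first match. Assumptions: the VNet created by the wizard is 10.0.0.0/16, ICMP is treated as port-less so it only matches rules with a "*" port range, and the rules' destination and source-port fields are omitted because every rule in this lab uses "*" for both.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumption: the VNet the wizard created for VM1/VM2 is 10.0.0.0/16
# (VM1 is 10.0.0.4 and VM2 is 10.0.0.5 in the lab).
VNET = ipaddress.ip_network("10.0.0.0/16")
# Azure's well-known load balancer / health-probe source address.
AZURE_LB = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100-4096; Azure default rules: 65000 and above
    access: str        # "Allow" or "Deny"
    protocol: str      # "*", "Tcp", "Udp" or "Icmp"
    source: str        # "*", a service tag, or a CIDR
    dest_ports: str    # "*", "22", "1000-2000", "22,3389"


def is_valid_custom_priority(priority: int) -> bool:
    """Azure accepts custom NSG rule priorities in the range 100-4096."""
    return 100 <= priority <= 4096


# The three inbound rules every NSG carries by default.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# The rule added in the lab through the portal.
DENY_ICMP = Rule("DENY_ICMP_PING_FROM_ANYWHERE", 200, "Deny", "Icmp", "*", "*")


def _source_matches(rule_source: str, src: ipaddress.IPv4Address) -> bool:
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src in VNET
    if rule_source == "AzureLoadBalancer":
        return src == AZURE_LB
    if rule_source == "Internet":          # simplification: anything outside the VNet
        return src not in VNET
    return src in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_ports: str, port: int) -> bool:
    if rule_ports == "*":
        return True
    for part in rule_ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Rule], src_ip: str, protocol: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule that matches the flow.

    Rules are walked in ascending priority (lowest number first); the first
    match decides and nothing after it is consulted. ICMP has no ports, so
    (modelling assumption) it can only match rules whose port range is "*".
    """
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _source_matches(rule.source, src):
            continue
        if protocol.lower() == "icmp":
            if rule.dest_ports != "*":
                continue
        elif not _port_matches(rule.dest_ports, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule matched>"   # unreachable while DenyAllInBound exists


def lab_scenarios() -> dict:
    """The ICMP and SSH flows from the lab: before, during and after the Deny rule."""
    vm1 = "10.0.0.4"
    with_deny = DEFAULT_INBOUND + [DENY_ICMP]
    # The lab later edits the same rule to Allow; its name is unchanged.
    with_allow = DEFAULT_INBOUND + [replace(DENY_ICMP, access="Allow")]
    return {
        "ping_before_rule": evaluate(DEFAULT_INBOUND, vm1, "icmp"),
        "ping_with_deny": evaluate(with_deny, vm1, "icmp"),
        "ping_after_allow": evaluate(with_allow, vm1, "icmp"),
        "ssh_with_deny": evaluate(with_deny, vm1, "tcp", 22),   # the ICMP rule never touches SSH
        "ping_from_internet": evaluate(DEFAULT_INBOUND, "203.0.113.7", "icmp"),
    }


if __name__ == "__main__":
    for flow, (access, rule) in lab_scenarios().items():
        print(f"{flow:20s} -> {access:5s} by {rule}")
```

Two things the model makes visible that the portal does not: pings from the Internet were already dropped by DenyAllInBound before we added anything, so "FROM_ANYWHERE" really only changes the outcome for traffic inside the VNet, and the Deny rule has no effect on the SSH session that follows because its protocol field is Icmp.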
You can see the ping requests have started timing out in PowerShell: the NSG rule drops them at VM2's network interface, before they reach VM2.
Observe the traffic in Wireshark. You will see echo requests leaving VM1 but no echo replies coming back.
Go back to Azure portal and allow ICMP traffic
Click the new rule we added earlier "DENY_ICMP_PING_FROM_ANYWHERE".
Select "Allow" for Action, and click the "Save" button.
The "Action" column now says allow. Go back to VM1 and observe Powershell ping requests and Wireshark traffic.
By observing PowerShell and Wireshark, you will notice we're now getting replies from VM2.
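What Wireshark and the ping statistics line are counting, as an added Python example (written for this page; not the lab's own code): it builds ICMP echo requests and replies byte for byte, verifies the RFC 1071 checksum, and pairs replies with requests by identifier and sequence number to produce the same "Sent / Received / Lost" summary ping prints. The two captures it works on are constructed samples, one for the case where VM2 answers and one for the Deny-rule case above where the requests leave VM1 but nothing returns; the addresses 10.0.0.4 and 10.0.0.5 and the 32-byte payload are the values the Windows ping in this lab uses.

```python
import struct
from typing import List, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
# The 32-byte payload the Windows ping command sends (visible in Wireshark's Data field).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of the 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or reply (type 0): type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; a valid packet sums to zero with its checksum field included."""
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


# A capture row the way Wireshark lists it: source IP, destination IP, ICMP bytes.
Row = Tuple[str, str, bytes]


def constructed_capture(replies_arrive: bool, count: int = 4) -> List[Row]:
    """Constructed sample capture of VM1 (10.0.0.4) pinging VM2 (10.0.0.5).

    replies_arrive=False models the NSG Deny rule: the requests still leave
    VM1 (so Wireshark on VM1 records them) but nothing comes back.
    """
    rows = []
    for seq in range(1, count + 1):
        rows.append(("10.0.0.4", "10.0.0.5", build_echo(ECHO_REQUEST, 1, seq, WINDOWS_PING_PAYLOAD)))
        if replies_arrive:
            rows.append(("10.0.0.5", "10.0.0.4", build_echo(ECHO_REPLY, 1, seq, WINDOWS_PING_PAYLOAD)))
    return rows


def ping_statistics(rows: List[Row]) -> dict:
    """Pair echo replies with requests by (pinger, identifier, sequence), like ping's summary line."""
    requests, replies, corrupt = set(), set(), 0
    for src, dst, packet in rows:
        icmp = parse_icmp(packet)
        if not icmp["checksum_ok"]:
            corrupt += 1
            continue
        if icmp["type"] == ECHO_REQUEST:
            requests.add((src, icmp["id"], icmp["seq"]))
        elif icmp["type"] == ECHO_REPLY:
            replies.add((dst, icmp["id"], icmp["seq"]))   # the reply travels back to the pinger
    sent = len(requests)
    received = len(requests & replies)
    lost = sent - received
    return {"sent": sent, "received": received, "lost": lost,
            "loss_pct": round(100 * lost / sent) if sent else 0, "corrupt": corrupt}


def format_statistics(stats: dict) -> str:
    """Same shape as the line Windows ping prints."""
    return (f"Packets: Sent = {stats['sent']}, Received = {stats['received']}, "
            f"Lost = {stats['lost']} ({stats['loss_pct']}% loss)")


if __name__ == "__main__":
    print("NSG allows ICMP :", format_statistics(ping_statistics(constructed_capture(True))))
    print("NSG denies ICMP :", format_statistics(ping_statistics(constructed_capture(False))))
```

Pairing on identifier and sequence is also what lets you tell, in a real capture, whether a reply belongs to the ping you are watching or to some other process on the host that happens to be pinging at the same time.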
Click PowerShell and press "Ctrl + C" on your keyboard to stop the non-stop pings.
Now, let's observe SSH traffic on Wireshark.
NOTE: SSH (Secure Shell) is a network protocol that provides a secure way to access a remote computer. We will connect to VM2 from VM1 through SSH.
In Wireshark, click the green Wireshark symbol at the top and click "Continue without Saving".
Type "ssh" in the search bar and press the Enter button on your keyboard to filter for ssh traffic only.
In VM1, we will now ssh into VM2 by typing "ssh labuser@10.0.0.5" in PowerShell and press Enter.
NOTE: "labuser" is VM2's username, and "10.0.0.5" is VM2's private IP address.
Notice the ssh traffic on Wireshark.
Type "yes" when asked "Are you sure you want to continue connecting". This is SSH showing you VM2's host key fingerprint for the first time; accepting it stores the key in VM1's known_hosts file, and SSH will warn you if VM2's key ever changes.
Type in your VM2 password (this is the password we used when we creating Linux virtual machine).
NOTE: The password won't be visible when you are typing it in PowerShell.
We have now successfully connected to VM2 through SSH.
Let's run some Linux commands.
Type "id" and press Enter to print the user ID, group ID and group memberships of the account we logged in as on VM2.
Type "uname -a" and press Enter to print all of the system information about VM2 (including the kernel name, hostname, kernel version, operating system, machine hardware name, and processor architecture).
Type "pwd" and press Enter to print the current working directory.
Type "ls -lasth" and press Enter to list the contents of the current directory in long format (all files, sorted by time, with human-readable sizes).
Type "touch hi.txt" and press Enter to create an empty text file.
Type "ls -lasth" and press Enter again; hi.txt now appears in the listing.
Type "exit" and press Enter to close SSH connection to VM2.
Notice that every keystroke and command in the SSH session travels over the network, so Wireshark fills up with SSH packets. Their contents are encrypted, so Wireshark shows them only as "Encrypted packet" rather than the commands we typed.
After "exit" we are back in PowerShell on VM1.
Type "ipconfig" and press Enter. This displays the private IP of VM1, which is 10.0.0.4.
Let's filter DHCP traffic on WireShark.
NOTE: DHCP (Dynamic Host Configuration Protocol) is a network management protocol that automatically assigns IP addresses and other network configuration parameters to devices on a network.
In Wireshark, filter for DHCP traffic by typing "dhcp" in the display filter bar and pressing Enter.
In PowerShell, type "ipconfig /renew". This asks the DHCP server to renew the lease on VM1's private IP; in Azure the lease comes from the platform and the VM gets its same address (10.0.0.4) back.
Observe the DHCP traffic in WireShark.
Let's filter DNS traffic on WireShark.
NOTE: DNS (Domain Name System) translates domain names meaningful to humans into numerical IP addresses.
In Wireshark, type "dns" in the display filter bar and press Enter. You will notice a steady stream of DNS traffic in Wireshark, since Windows and its services resolve names in the background.
Click the green WireShark icon at the top, and click "Continue without Saving". This will clear current DNS traffic.
In PowerShell, type "nslookup www.comptia.org". This sends a DNS query for www.comptia.org to the DNS server configured on VM1 and prints the records it returns.
Observe the DNS traffic in Wireshark: the source and destination IP addresses (VM1 and the DNS server) for the query and the response.
Let's lookup www.google.com IP address.
In Wireshark, instead of typing "dns" in the display filter bar, we can also filter DNS traffic by typing "udp.port == 53" (DNS uses port 53). Press Enter on your keyboard. Note the difference: "dns" matches the protocol however it is carried, including DNS over TCP, while "udp.port == 53" matches only the UDP transport.
Click the green Wireshark icon at the top, and click "Continue without Saving".
In PowerShell, type "nslookup www.google.com" and press Enter. Observe Google's IP addresses, and in Wireshark, observe our source and destination IP addresses. Also observe the protocol used (DNS).
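What is inside those port-53 packets, as an added Python example (written for this page; not the lab's own code and not what nslookup itself runs): it builds an RFC 1035 A-record query for www.comptia.org exactly as it would appear in the UDP payload, parses a response including the 0xC00C name-compression pointers real servers use, and only accepts an answer whose transaction ID and question match the query it sent. The response is a constructed sample carrying the address 104.18.16.29 that the lab observed for www.comptia.org; the transaction IDs and the forged-response address 203.0.113.66 are made up for the example.

```python
import struct
from typing import List, Tuple

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """www.comptia.org -> b'\\x03www\\x07comptia\\x03org\\x00' (RFC 1035 labels)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Header (ID, flags with RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following 0xC0xx compression pointers; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                     # bounded walk so a pointer loop cannot hang the parser
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer: two bytes, low 14 bits are the target offset
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels), end if end is not None else offset


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def build_response(query: bytes, addresses: List[str], ttl: int = 300) -> bytes:
    """Constructed reply: same ID, QR/RD/RA set, question copied, one A record per address
    whose owner name is a pointer (0xC00C) back to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addresses), 0, 0)
    records = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                       + bytes(int(o) for o in addr.split(".")) for addr in addresses)
    return header + query[12:] + records


def answers_for(query: bytes, response: bytes) -> List[str]:
    """Accept the response only if it answers *this* query: same ID, same question, RCODE 0.
    A resolver that skips this check can be fed forged answers (spoofed responses / cache poisoning)."""
    q, r = parse_message(query), parse_message(response)
    if not r["is_response"] or r["id"] != q["id"] or r["questions"] != q["questions"] or r["rcode"] != 0:
        return []
    return [value for name, rtype, ttl, value in r["answers"] if rtype == QTYPE_A]


if __name__ == "__main__":
    query = build_query("www.comptia.org", txid=0x1A2B)
    # Constructed response carrying the address the lab observed for www.comptia.org.
    response = build_response(query, ["104.18.16.29"])
    print(answers_for(query, response))
    # A response to a different transaction ID is discarded even though its question matches.
    forged = build_response(build_query("www.comptia.org", txid=0x0001), ["203.0.113.66"])
    print(answers_for(query, forged))
```

The ID check is the same one a real stub resolver performs, and it is why the transaction ID (and the client's source port) are randomised: an attacker who cannot see the query has to guess both before the genuine server answers.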
Let's filter for RDP traffic.
NOTE: RDP (Remote Desktop Protocol) provides users with a graphical interface to connect (remote access) to another computer over a network connection.
Since RDP uses TCP port 3389, type "tcp.port == 3389" in the Wireshark display filter bar and press Enter. You will see traffic flowing non-stop. The RDP session between your local computer and VM1 is continuously sending screen updates in one direction and keyboard and mouse input in the other, and Wireshark redrawing its own window generates more updates, so packets never stop. On Windows 10 this traffic is TLS-encrypted, so Wireshark shows the packets but not the screen contents.
Let's exit from our Virtual machine by clicking the "X" button and clicking "Ok".
Let's delete our resource group so we won't get charged.
In your Azure portal, click the search bar and select "Resource groups".
Click "RG-LAB-02".
Click "Delete resource group" at the top, type in the name of your resource group "RG-LAB-02", click the "Delete" button, and click "Delete".
Let's confirm the deletion by clicking the notification tab at the top, you can see our resource group has been deleted.