This demonstration goes over how to observe various network traffic to and from Azure Virtual Machines with Wireshark as well as experiment with Network Security Groups.
NOTE: This demonstration uses materials created in the previous demonstration, "Configuring On-premises Active Directory within Azure VMs".
- Microsoft Azure (Virtual Machines/Compute)
- Remote Desktop
- Various Command-Line Tools
- Various Network Protocols (SSH, RDP, DNS, HTTP/S, ICMP)
- Wireshark (Protocol Analyzer)
- Windows 10 (21H2)
- Ubuntu Server 20.04
- Setup 2 Virtual Machines within Azure:
- Virtual Machine #1 (Windows 10)
- Virtual Machine #2 (Linux Ubuntu) -- using same Resource Group and Vnet as VM1
- Use Remote Desktop (RDP) to VM1 and install Wireshark.
- Use Wireshark and PowerShell to Observe Network Protocols (SSH, RDP, DNS, HTTP/S, ICMP)
- Add new Inbound Rules to Deny/Allow ICMP protocol.
- Bonus: How to Display and Flush DNS.
- In the Search Box at the top header, type and select "Virtual machines".
- If "Virtual machines" is already listed on the front page, then you can simply click on it, rather than manually searching.
- Click "Create", then select "Azure virtual machine".
- Name your Virtual Machine any way you want (this example uses VM1).
- Resource Group is automatically given a name when naming the Virtual Machine, but you can change it if you wish (this example uses VM1_group).
- Change the Region to the one that best suits your location (this example uses (US) West US 3).
- Change the Image to a Windows OS (this example uses Windows 10 Pro, version 22H2 - x64 Gen2).
- Make sure the Size is adequate to run this server (this example uses Standard_E2s_v3 - 2 vcpus, 16 GiB memory).
- Create a username and password of your choice (this example uses winuser).
- Skip everything else and click "Review + create".
- IF there is a Licensing Checkbox at the end, make sure that is CHECKED!
- If Validation passed, click "Create".
Essentially repeat the same steps used to create the first virtual machine, but with Ubuntu (Linux):
- Set the Resource Group to the same as VM1 (this example uses VM1_group).
- Name your Virtual Machine any way you want (this example uses VM2).
- Change the Image to Ubuntu Linux (this example uses Ubuntu Server 20.04 LTS - x64 Gen2).
- Keep the size the same as the Windows VM (this example uses Standard_E2s_v3 - 2 vcpus, 16 GiB memory).
- Change the Authentication type to "Password", and create any username (this example uses the username linuser).
- Once done, press "Next" until you reach "Networking" (or simply click the "Networking" tab).
- Make sure that the Virtual Network is set as the same as Windows VM (this example uses VM1-vnet).
- Set the Public IP to whatever it has automatically assigned to (you might have to confirm the selection).
- Then press "Review + create".
- If Validation passed, click "Create".
- From Azure Portal, go to VM1's Overview page and copy the Public IP address.
- Press the Windows Key/Button, then type in "Remote Desktop Connection" (RDP).
- Input the IP into RDP and click "Connect" (this example uses 20.171.65.41).
- Enter the login credentials for VM1, then click "OK" (this example uses winuser).
- When the Certificate Error prompt appears, just click "Yes".
- As it boots up, you can disable all privacy settings when prompted, then hit "Accept".
- On VM1, open Microsoft Edge (or any internet browser), then go to the Wireshark download page.
- You can simply Google Search it, or copy the link shown.
- Click on "Windows Intel Installer" to start downloading the executable.
- Once downloaded, click "Open file" to run the .exe file (you can also find it inside your Downloads folder within Windows Explorer).
- The installation prompt will appear, hit "Next".
- When the installation prompt appears, leave everything by default and keep pressing "Next" until you start Installing.
- If any agreement prompts appear during installation, just agree to them and click install (without checkmarking anything).
- After all installations are complete, click "Finish".
- While in the virtual machine, run Wireshark.
- Click the first button at the top (blue shark fin) to start capturing activity on the VM.
- You can see there is activity constantly going in the background of the VM, despite you not doing anything.
- Click in the display filter bar (the search box above the packet list), type in "ICMP", then press ENTER to apply it.
- You should then see all boxes blank (this is due to having no activity under the ICMP protocol).
Note: The 'ping' tool within Command Prompt (cmd) / PowerShell uses protocol ICMPv4.
- Minimize the virtual machine to the Azure Portal.
- Go to VM2's Overview page and copy the PRIVATE IP address (this example uses 10.0.0.5).
- Return to VM1, press the Windows Key/Button and search for "CMD" or "PowerShell".
- Type in `ping -t <Private IP address>`, then ENTER (this example would use the command `ping -t 10.0.0.5`).
- On Wireshark, you should be able to see the results of packets being perpetually sent and received.
While that is infinitely pinging, we'll try to deny those packets and observe what happens next:
- Minimize the virtual machine to the Azure Portal.
- In the Search Box at the top header, type and select "Network Security Groups".
- Click on "VM2-nsg".
- Go to "Inbound security rules".
- Click "Add"
- Change the protocol to "ICMP".
- Change the Action to "Deny" (we are trying to stop any packet requests from VM1).
- Change the Priority to a lower number than the lowest one already set (this example uses 200).
- A lower number means a higher priority: the rule is evaluated before any rule with a higher number, so this Deny wins over the existing Allow rules.
- You can change the Name if you desire, but not needed (this example uses DENY_ICMP_PING_FROM_ANYWHERE).
- Click "Add".
- Wait a bit for the rule to take effect, then return to VM1 and observe the requests timing out.
Now that we've observed the denial of packets, let's allow it again; instead of deleting the added rule, we can simply edit its Action to "Allow".
- Once done, you can press Control+C to stop the pinging in PowerShell.
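The same inbound ICMP rule can be created, and then flipped from Deny back to Allow in place, with the Az PowerShell module instead of the portal. This is an added example, not part of the original demonstration; it assumes the Az.Network module is installed, that you have already signed in with Connect-AzAccount, and reuses the resource group, NSG and rule names from this page.

```powershell
# Added example (not from the original demonstration). Requires the Az.Network
# module and an existing session (Connect-AzAccount). Names come from this page:
# resource group VM1_group, NSG VM2-nsg, rule DENY_ICMP_PING_FROM_ANYWHERE.
$ResourceGroup = 'VM1_group'
$NsgName       = 'VM2-nsg'
$RuleName      = 'DENY_ICMP_PING_FROM_ANYWHERE'

function Set-IcmpInboundRule {
    param(
        [ValidateSet('Allow', 'Deny')] [string] $Access,
        [int] $Priority = 200   # lower number = evaluated before higher-numbered rules
    )
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

    $common = @{
        NetworkSecurityGroup     = $nsg
        Name                     = $RuleName
        Access                   = $Access
        Protocol                 = 'Icmp'
        Direction                = 'Inbound'
        Priority                 = $Priority
        SourceAddressPrefix      = '*'     # "from anywhere", as in the rule name
        SourcePortRange          = '*'
        DestinationAddressPrefix = '*'
        DestinationPortRange     = '*'
    }

    # Add the rule the first time; afterwards edit it in place (the page's
    # "edit the Action to Allow" step) rather than deleting and re-creating it.
    if ($nsg.SecurityRules | Where-Object Name -eq $RuleName) {
        $nsg = Set-AzNetworkSecurityRuleConfig @common
    } else {
        $nsg = Add-AzNetworkSecurityRuleConfig @common
    }
    # Nothing takes effect until the NSG is written back to Azure.
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

    # Return the rule as Azure now sees it, for a quick check.
    (Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup).SecurityRules |
        Where-Object Name -eq $RuleName |
        Select-Object Name, Priority, Protocol, Direction, Access
}

# Deny first (the ping -t on VM1 starts timing out), then restore with the same priority.
Set-IcmpInboundRule -Access Deny
Set-IcmpInboundRule -Access Allow
```

Propagation is not instant, so keep the `ping -t` running on VM1 and watch for the replies to stop and then resume after each call.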
- From Wireshark, type "SSH" in the search bar and press ENTER (there should be no activity).
- A more direct way is typing "tcp.port == 22".
- Once you are connected to VM2 over SSH from PowerShell (using VM2's private IP and the linuser account from above), type "id", then ENTER.
- This will print the identity (user and group) information for VM2's user.
- Observe the new traffic on Wireshark.
- Type in "exit" to close the SSH session and return to VM1's prompt.
- From Wireshark, search for "dhcp", then ENTER (there should be no activity).
- From PowerShell, type `ipconfig /renew`, then ENTER.
- The virtual machine will briefly lose connection, but will return shortly.
- Observe the new activity in Wireshark.
Next, to observe DNS traffic activity:
- From Wireshark, search for "dns", then ENTER (there should be a lot of traffic).
- A more direct way is typing "udp.port == 53".
- Clear the boxes by pressing the "Restart current capture" button (green shark fin).
- From PowerShell, type `nslookup www.google.com`, then ENTER, and observe the new activity in Wireshark.
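The ICMP, SSH, DHCP and DNS captures above can also be reproduced from PowerShell with tshark, the command-line capture tool that ships with Wireshark, which is handy when you want a saved .pcapng rather than a live window. This is an added example, not part of the original demonstration; the tshark path and the interface name "Ethernet" are assumptions (check `tshark -D` on VM1), and the capture-filter equivalents of the page's display filters are given in the table inside the script.

```powershell
# Added example (not from the original demonstration). Runs tshark on VM1 while a
# traffic generator executes, then reads the file back with the page's display
# filter. Path and interface name are assumptions; see "tshark -D".
$Tshark    = 'C:\Program Files\Wireshark\tshark.exe'
$Interface = 'Ethernet'

# Display filters used on this page -> capture (BPF) filters tshark needs
# when writing packets to a file.
$Filters = @{
    'icmp'             = 'icmp'
    'tcp.port == 22'   = 'tcp port 22'
    'udp.port == 53'   = 'udp port 53'
    'tcp.port == 3389' = 'tcp port 3389'
    'dhcp'             = 'udp port 67 or udp port 68'
}

function Capture-While {
    param([string] $DisplayFilter, [scriptblock] $Generator, [int] $Seconds = 10)
    $pcap = Join-Path $env:TEMP ('cap_{0}.pcapng' -f (Get-Date -Format 'HHmmss'))

    # Start the capture in the background, limited to the protocol of interest
    # and to a fixed duration so it always terminates.
    $capture = Start-Process -FilePath $Tshark -PassThru -WindowStyle Hidden -ArgumentList @(
        '-i', $Interface,
        '-f', ('"{0}"' -f $Filters[$DisplayFilter]),
        '-a', "duration:$Seconds",
        '-w', $pcap)
    Start-Sleep -Seconds 2            # give tshark time to open the interface
    & $Generator | Out-Null           # ping, nslookup, ipconfig /renew, ...
    $capture.WaitForExit()

    # Read the file back with the same display filter you would type in Wireshark
    # and print one line per packet: time, source, destination, Info column.
    & $Tshark -r $pcap -Y $DisplayFilter -T fields `
        -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Info
}

# ICMP, as on this page: a few pings to VM2's private IP (10.0.0.5 in the demonstration).
Capture-While -DisplayFilter 'icmp' -Generator { ping -n 4 10.0.0.5 }

# DNS, as on this page: the nslookup request and its response on udp/53.
Capture-While -DisplayFilter 'udp.port == 53' -Generator { nslookup www.google.com }
```

If the Deny ICMP rule from the NSG section is still active, the ICMP capture will show only echo requests leaving VM1 and no replies, which is the same picture Wireshark gave when the pings timed out.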
Finally, to observe RDP traffic activity:
- From Wireshark, search for "rdp", then ENTER (there should be a lot of traffic, non-stop).
- A more direct way is typing "tcp.port == 3389". Because we are currently using RDP to run the virtual machine, anything and everything done while in the VM is captured into Wireshark.
- From PowerShell, type `ipconfig /displaydns`, then ENTER.
- You should see many domain names of other websites with information below them.
- The cached data lets your system reuse the resolved address of a website it has already visited, so it can reach that site again without making a new DNS request for the information.
- Type `ipconfig /flushdns`, then ENTER.
- This will essentially delete all entries within the cache, so your system has to request the information again as if it were visiting the site for the first time; the answer is then saved in the cache once more.
- Type `ipconfig /displaydns` to see that everything has been cleared out and there is nothing to display.