WIRESHARK: TRAFFIC ANALYSIS
NMAP SCANS
Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. What is the total number of the "TCP Connect" scans?
root@dco:~$ wireshark
Wireshark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
Wireshark
Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
Wireshark > status bar
* Packets: 6544 Displayed: 1000 (15.3%)

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. Which scan type is used to scan the TCP port 80?
root@dco:~$ wireshark
Wireshark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
Wireshark
Filter: tcp.port==80
SYN, SYN/ACK, ACK (complete three-way handshake)
* sort the packet list window by "time" in ascending order

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. How many "UDP close port" messages are there?
root@dco:~$ wireshark
Wireshark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
Wireshark
Filter: icmp.type==3 and icmp.code==3
Wireshark > status bar
* Packets: 6544 Displayed: 1083 (16.5%)

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. Which UDP port in the 55-70 port range is open?
root@dco:~$ wireshark
Wireshark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
Wireshark
Filter: (udp.dstport >= 55 && udp.dstport <= 70) && !(icmp.code == 3)
Output: 67 Destination Unreachable/Port Unreachable
Output: 69 Destination Unreachable/Port Unreachable
Output: 68
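The Nmap display filters used in this section, re-implemented as an added Python example (not from the room or the original notes) over constructed packet summaries, so the same rules can be applied outside Wireshark; the Pkt class, the sample packets and the function names are assumptions.

```python
# Added example: the Wireshark filters above as Python predicates over packet summaries.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port; for ICMP errors, the embedded UDP dstport
    syn: bool = False               # tcp.flags.syn
    ack: bool = False               # tcp.flags.ack
    window: int = 0                 # tcp.window_size
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def is_tcp_connect_probe(p: Pkt) -> bool:
    # tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
    return p.proto == "tcp" and p.syn and not p.ack and p.window > 1024

def is_tcp_syn_scan_probe(p: Pkt) -> bool:
    # same SYN-only condition, but tcp.window_size <= 1024 (raw SYN-scan probes)
    return p.proto == "tcp" and p.syn and not p.ack and p.window <= 1024

def is_udp_closed_port(p: Pkt) -> bool:
    # icmp.type==3 and icmp.code==3 (Destination Unreachable / Port Unreachable)
    return p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3

def open_udp_ports(pkts, lo: int, hi: int) -> list:
    # udp.dstport >= lo && udp.dstport <= hi also matches the ICMP errors, because the
    # error carries the embedded UDP header; a probed port with no Port Unreachable is open|filtered.
    probed = {p.dport for p in pkts if p.proto == "udp" and p.dport and lo <= p.dport <= hi}
    closed = {p.dport for p in pkts if is_udp_closed_port(p) and p.dport and lo <= p.dport <= hi}
    return sorted(probed - closed)

# Constructed sample traffic (not taken from Exercise.pcapng)
SAMPLE = [
    Pkt("tcp", 80, syn=True, window=64240),            # full connect() SYN
    Pkt("tcp", 80, syn=True, ack=True, window=65535),  # SYN/ACK reply, not a probe
    Pkt("tcp", 22, syn=True, window=1024),             # raw SYN-scan probe
    Pkt("udp", 67), Pkt("udp", 68), Pkt("udp", 69),    # UDP probes in the 55-70 range
    Pkt("icmp", 67, icmp_type=3, icmp_code=3),         # port 67 closed
    Pkt("icmp", 69, icmp_type=3, icmp_code=3),         # port 69 closed
]

if __name__ == "__main__":
    print(sum(map(is_tcp_connect_probe, SAMPLE)), sum(map(is_udp_closed_port, SAMPLE)),
          open_udp_ports(SAMPLE, 55, 70))
```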
- must sort the "Info" column in order to see that ports 67 & 69 were unreachable

ARP POISONING & MITM
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of ARP requests crafted by the attacker?
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of HTTP packets received by the attacker?
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of sniffed username&password entries?
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the comment provided by the "Client354"?
IDENTIFYING HOSTS | DHCP, NETBIOS & KERBEROS
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. What is the MAC address of the host "Galaxy A30"?
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. How many NetBIOS registration requests does the "LIVALJM" workstation have?
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. Which host requested the IP address "172.16.13.85"?
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file. What is the IP address of the user "u5"? (Enter the address in defanged format.)
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file. What is the hostname of the available host in the Kerberos packets?
TUNNELING TRAFFIC: DNS & ICMP
Use the "Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap" file. Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?
Use the "Desktop/exercise-pcaps/dns-icmp/dns.pcap" file. Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)
CLEARTEXT PROTOCOL ANALYSIS: FTP
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. What is the size of the file accessed by the "ftp" account?
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. The adversary uploaded a document to the FTP server. What is the filename?
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?
CLEARTEXT PROTOCOL ANALYSIS: HTTP
Use the "Desktop/exercise-pcaps/http/user-agent.cap" file. Investigate the user agents. What is the number of anomalous "user-agent" types?
Use the "Desktop/exercise-pcaps/http/user-agent.cap" file. What is the packet number with a subtle spelling difference in the user agent field?
Use the "Desktop/exercise-pcaps/http/http.pcapng" file. Locate the "Log4j" attack starting phase. What is the packet number?
Use the "Desktop/exercise-pcaps/http/http.pcapng" file. Locate the "Log4j" attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude "{}".)
ENCRYPTED PROTOCOL ANALYSIS: DECRYPTING HTTPS
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. What is the frame number of the "Client Hello" message sent to "accounts.google.com"?
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Investigate the decrypted packets and find the flag! What is the flag?
BONUS: HUNTING CLEARTEXT CREDENTIALS
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. What is the packet number of the credentials using "HTTP Basic Auth"?
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. What is the packet number where "empty password" was submitted?
BONUS: ACTIONABLE RESULTS!