TSHARK CHALLENGE I: TEAMWORK
SCENARIO: An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation." The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling. The available tools are: TShark, .
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
teamwork.pcap
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
search: dns
https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
search: qry
dns.qry.name Name Character string 1.0.0 to 4.4.5
root@thm:~$ tshark -r teamwork.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
19 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
6 toolbarqueries.google.com
4 wittyserver.hsd1.md.comcast.net
4 wittyserver
* "awk NF" in the pipeline prints only lines with at least one field, i.e. it removes the empty lines tshark emits for packets that carry no dns.qry.name.
root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/url
search: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
1/94 security vendor flagged this domain as malicious
root@thm:~$ BROWSER > cyberchef.io
input: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
recipe: Defang URL
output: www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com
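As an added example (not part of the original walkthrough), the same tally as the awk/sort/uniq pipeline above, done in Python over a constructed sample of the `-T fields -e dns.qry.name` output, plus a simple brand-lookalike check that flags the domain found here and the CyberChef-style defang. The WATCHED_BRANDS list and the two-label "registered domain" rule are assumptions for illustration.

```python
from collections import Counter

# Constructed sample of `tshark -r teamwork.pcap -T fields -e dns.qry.name`
# output: one line per packet, empty for packets with no DNS query name.
TSHARK_FIELDS_OUTPUT = """\

www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com

toolbarqueries.google.com
www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
wittyserver

wittyserver.hsd1.md.comcast.net
"""

# Brand strings the lookalike check watches for (assumed list).
WATCHED_BRANDS = ("paypal",)


def tally_query_names(fields_output: str) -> list[tuple[str, int]]:
    """Equivalent of `awk NF | sort | uniq -c | sort -r`: drop empty lines,
    count each query name, most frequent first."""
    names = [ln.strip() for ln in fields_output.splitlines() if ln.strip()]
    return Counter(names).most_common()


def registered_domain(name: str) -> str:
    """Last two labels, e.g. 'timeseaways.com'. Simplification (assumed):
    ignores multi-label public suffixes such as co.uk."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def is_brand_lookalike(name: str) -> bool:
    """True when a watched brand appears left of the registered domain but
    the registered domain itself is something else, as in
    www.paypal.com4uswebapps...timeseaways.com."""
    reg = registered_domain(name)
    prefix = name[: -len(reg)] if name.endswith(reg) else ""
    return any(b in prefix.lower() and b not in reg.lower() for b in WATCHED_BRANDS)


def defang_domain(name: str) -> str:
    """CyberChef 'Defang URL' style: every dot becomes [.]."""
    return name.replace(".", "[.]")


def suspicious_artefacts(fields_output: str) -> list[str]:
    """Defanged lookalike names, ready for a ticket or blocklist."""
    return [defang_domain(n) for n, _ in tally_query_names(fields_output)
            if is_brand_lookalike(n)]
```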
VirusTotal > Details > History
First Submission: 2017-04-17 22:52:53 UTC
Last Submission: 2025-03-21 22:38:49 UTC
Last Analysis: 2025-03-21 22:38:49 UTC
VirusTotal > Details > Final URL
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
search: qry
dns.qry.type Type Unsigned integer (16 bits) 1.0.0 to 4.4.5
root@thm:~$ tshark -r teamwork.pcap -Y 'dns.qry.type == 1' --color
29 3.877040 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
38 8.876570 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
39 8.965505 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
437 108.586825 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
438 108.586828 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x32f6 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
443 108.673854 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
445 108.675070 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x32f6 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
716 192.616682 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x6aef A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
719 192.616911 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x38b9 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
722 192.635487 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x6aef A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
724 192.640405 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x38b9 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
738 236.083617 192.168.1.100 → 75.75.75.75 DNS 85 Standard query 0x4e6a A toolbarqueries.google.com
740 236.084019 192.168.1.100 → 75.75.75.75 DNS 85 Standard query 0x202d A toolbarqueries.google.com
741 236.100171 75.75.75.75 → 192.168.1.100 DNS 132 Standard query response 0x4e6a A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 172.217.7.228
742 236.106015 75.75.75.75 → 192.168.1.100 DNS 132 Standard query response 0x202d A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 216.58.217.100
* ALT: VirusTotal
- root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/url
search: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
- VirusTotal > Relations > Passive DNS Replication (1)
Date resolved Detections Resolver IP
2017-04-17 0/94 VirusTotal 184.154.127.226
root@thm:~$ BROWSER > cyberchef.io
input: 184.154.127.226
recipe: Defang IP Addresses
output: 184[.]154[.]127[.]226
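Added example, not from the original walkthrough: pulling the name-to-IP resolutions out of the `-Y 'dns.qry.type == 1'` one-line summaries above (constructed sample below, values copied from those lines) and defanging the answer IPs the way the CyberChef step does. The regexes assume tshark's default summary wording "Standard query response 0x.... A <name> ... A <ip>".

```python
import re
from collections import defaultdict

# Constructed sample of `tshark -r teamwork.pcap -Y 'dns.qry.type == 1'`
# summaries; only the responses carry answers.
TSHARK_DNS_LINES = """\
29 3.877040 192.168.1.100 → 75.75.75.75 DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
39 8.965505 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
443 108.673854 75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
741 236.100171 75.75.75.75 → 192.168.1.100 DNS 132 Standard query response 0x4e6a A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 172.217.7.228
742 236.106015 75.75.75.75 → 192.168.1.100 DNS 132 Standard query response 0x202d A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 216.58.217.100
"""

# Queried name, then the remainder of the line holding the answer RRs.
RESPONSE_RE = re.compile(r"Standard query response 0x[0-9a-f]{4} A (\S+)(.*)$")
# Each "A <ipv4>" answer; \b keeps "CNAME" from matching.
A_RECORD_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")


def resolutions(lines: str) -> dict[str, list[str]]:
    """Map each queried name to the distinct A-record IPs seen in responses."""
    seen = defaultdict(list)
    for line in lines.splitlines():
        m = RESPONSE_RE.search(line)
        if not m:
            continue  # plain queries carry no answer section
        name, answers = m.group(1), m.group(2)
        for ip in A_RECORD_RE.findall(answers):
            if ip not in seen[name]:
                seen[name].append(ip)
    return dict(seen)


def defang_ip(ip: str) -> str:
    """CyberChef 'Defang IP Addresses' style: 184[.]154[.]127[.]226."""
    return ip.replace(".", "[.]")


def defanged_resolutions(lines: str) -> dict[str, list[str]]:
    """Report-safe view: both names and IPs defanged."""
    return {name.replace(".", "[.]"): [defang_ip(ip) for ip in ips]
            for name, ips in resolutions(lines).items()}
```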
root@thm:~$ tshark -r teamwork.pcap -z io,phs -q
* get an overview of the protocol hierarchy in the pcap
- since there are no SMTP packets, focus on HTTP
- the idea is that there may have been a login form where an email address was entered
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
search: http
https://www.wireshark.org/docs/dfref/h/http.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
search: uri
http.request.uri Request URI Character string 1.0.0 to 4.4.5
root@thm:~$ tshark -r teamwork.pcap -V -T fields -e http.request.full_uri | awk NF
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/js/script.js?_=1492480834538
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/inc/visit.php
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/inc/login.php
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/suspecious.php
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/shield.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/update.php
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/icon_checked.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/icon_uncheck.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/feedback.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/logo.svg
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/font/PayPalSansSmall-Medium.woff2
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/setting.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/js/jquery.creditCardValidator.min.js?_=1492480834539
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/arrow.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/profile.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/js/cc.js?_=1492480834540
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/csc_standard.png
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/logo_ccVisa.gif
http://toolbarqueries.google.com/tbr?client=navclient-auto&ch=63514382238&features=Rank&q=info%3Ahttp%3A%2F%2Fwww.paypal.com4uswebappsresetaccountrecovery.timeseaways.com%2F%23
root@thm:~$ tshark -r teamwork.pcap -z follow,http,ascii,1 -q -Y 'http contains paypal.com4 && http contains login.php' -V
[Full request URI: http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/inc/login.php]
[HTTP request 1/1]
File Data: 285 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "user" = "johnny5alive@gmail.com"
Key: user
Value: johnny5alive@gmail.com
Form item: "pass" = "johnny5alive"
Key: pass
Value: johnny5alive
Form item: "xBrowser" = "Mozilla FireFox v43"
Key: xBrowser
Value: Mozilla FireFox v43
Form item: "xOperatingSystem" = "Linux"
Key: xOperatingSystem
Value: Linux
Form item: "xPlatForm" = "Desktop Platform"
Key: xPlatForm
Value: Desktop Platform
Form item: "xTimeZone" = "Mon Apr 17 2017 22:00:35 GMT-0400 (EDT)"
Key: xTimeZone
Value: Mon Apr 17 2017 22:00:35 GMT-0400 (EDT)
Form item: "xResoLution" = "Computer: 1920x1080; Browser inner: 1920x762; Browser outer: 1920x1027"
Key: xResoLution
Value: Computer: 1920x1080; Browser inner: 1920x762; Browser outer: 1920x1027
Form item: "xLang" = "en-US"
Key: xLang
Value: en-US
===================================================================
Follow: http,ascii
Filter: tcp.stream eq 1
Node 0: :0
Node 1: :0
===================================================================
root@thm:~$ BROWSER > cyberchef.io
input: johnny5alive@gmail.com
recipe: Defang URL
output: johnny5alive[at]gmail[.]com
- "@" is replaced with "at" enclosed in brackets, and each "." becomes "[.]"
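Added example (not the original author's code): turning the login.php form body tshark decoded above into a report-safe artefact, with the harvested address defanged like the CyberChef step and the password field redacted. The body below is constructed from the form items shown; the SECRET_FIELDS set is an assumption.

```python
from urllib.parse import parse_qs

# Constructed application/x-www-form-urlencoded body mirroring the form
# items tshark printed for the POST to /inc/login.php.
LOGIN_POST_BODY = (
    "user=johnny5alive%40gmail.com&pass=johnny5alive"
    "&xBrowser=Mozilla+FireFox+v43&xOperatingSystem=Linux"
    "&xPlatForm=Desktop+Platform&xLang=en-US"
)

# Field names whose values must never be copied into a ticket or IoC list
# (assumed list; extend to match the kits seen in your environment).
SECRET_FIELDS = {"pass", "password", "pin", "cvv"}


def defang_email(addr: str) -> str:
    """CyberChef 'Defang URL' on an address: @ -> [at], . -> [.]."""
    local, _, domain = addr.partition("@")
    return f"{local}[at]{domain.replace('.', '[.]')}"


def form_artefacts(body: str) -> dict[str, str]:
    """Flatten the posted form into a report-safe dict: secrets redacted,
    the harvested address defanged, fingerprint fields kept as context."""
    fields = parse_qs(body, keep_blank_values=True)
    report = {}
    for key, values in fields.items():
        value = values[0]  # first occurrence of a repeated key
        if key.lower() in SECRET_FIELDS:
            report[key] = "<redacted>"
        elif "@" in value:
            report[key] = defang_email(value)
        else:
            report[key] = value
    return report
```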