TSHARK CHALLENGE I: TEAMWORK

SCENARIO: An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation." The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling. The available tools are: TShark, VirusTotal.

Investigate the contacted domains. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the full URL of the malicious/suspicious domain address? Enter your answer in defanged format.
root@thm:~$ cd Desktop/exercise-files/
root@thm:~$ ls
 teamwork.pcap

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dns
  https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
 search: qry
  dns.qry.name	Name	Character string	1.0.0 to 4.4.5

root@thm:~$ tshark -r teamwork.pcap -T fields -e dns.qry.name | awk NF | sort -r | uniq -c | sort -r
 19 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
  6 toolbarqueries.google.com
  4 wittyserver.hsd1.md.comcast.net
  4 wittyserver

 * the "awk NF" in the pipeline will remove empty lines.
 
root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/url
 search: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
  1/94 security vendor flagged this domain as malicious 

root@thm:~$ BROWSER > cyberchef.io
 input: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 recipe: Defang URL
 output: www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com
Investigate the contacted domains. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?
VirusTotal > Details > History
 First Submission: 2017-04-17 22:52:53 UTC
 Last Submission: 2025-03-21 22:38:49 UTC
 Last Analysis: 2025-03-21 22:38:49 UTC
Investigate the contacted domains. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. Which known service was the domain trying to impersonate?
VirusTotal > Details > Final URL
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
Investigate the contacted domains. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the IP address of the malicious domain? Enter your answer in defanged format.
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: dns
  https://www.wireshark.org/docs/dfref/d/dns.html
root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/d/dns.html > CTRL+F
 search: qry
  dns.qry.type	Type	Unsigned integer (16 bits)	1.0.0 to 4.4.5

root@thm:~$ tshark -r teamwork.pcap -Y 'dns.qry.type == 1' --color
  29   3.877040 192.168.1.100 → 75.75.75.75  DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
  38   8.876570 192.168.1.100 → 75.75.75.75  DNS 120 Standard query 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
  39   8.965505  75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x6926 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 437 108.586825 192.168.1.100 → 75.75.75.75  DNS 120 Standard query 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 438 108.586828 192.168.1.100 → 75.75.75.75  DNS 120 Standard query 0x32f6 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 443 108.673854  75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x60ea A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 445 108.675070  75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x32f6 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 716 192.616682 192.168.1.100 → 75.75.75.75  DNS 120 Standard query 0x6aef A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 719 192.616911 192.168.1.100 → 75.75.75.75  DNS 120 Standard query 0x38b9 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
 722 192.635487  75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x6aef A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 724 192.640405  75.75.75.75 → 192.168.1.100 DNS 136 Standard query response 0x38b9 A www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com A 184.154.127.226
 738 236.083617 192.168.1.100 → 75.75.75.75  DNS 85 Standard query 0x4e6a A toolbarqueries.google.com
 740 236.084019 192.168.1.100 → 75.75.75.75  DNS 85 Standard query 0x202d A toolbarqueries.google.com
 741 236.100171  75.75.75.75 → 192.168.1.100 DNS 132 Standard query response 0x4e6a A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 172.217.7.228
 742 236.106015  75.75.75.75 → 192.168.1.100 DNS 132 Standard query response 0x202d A toolbarqueries.google.com CNAME toolbarqueries.l.google.com A 216.58.217.100
 
 * ALT: VirusTotal
    - root@thm:~$ BROWSER > https://www.virustotal.com/gui/home/url
       search: www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
    - VirusTotal > Relations > Passive DNS Replication (1)
       Date resolved     Detections     Resolver     IP
       2017-04-17        0/94           VirusTotal   184.154.127.226

root@thm:~$ BROWSER > cyberchef.io
 input: 184.154.127.226
 recipe: Defang IP Addresses
 output: 184[.]154[.]127[.]226
Investigate the contacted domains. Investigate the domains by using VirusTotal. According to VirusTotal, there is a domain marked as malicious/suspicious. What is the email address that was used? Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)
root@thm:~$ tshark -r teamwork.pcap -z io,phs -q

 * get an overview of the protocols in the pcap
    - since there are no SMTP packets, focus on the HTTP traffic
       - the idea is that there may have been a login form where an email address was entered

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref > CTRL+F
 search: http
  https://www.wireshark.org/docs/dfref/h/http.html

root@thm:~$ BROWSER > https://www.wireshark.org/docs/dfref/h/http.html > CTRL+F
 search: uri
  http.request.uri	Request URI	Character string	1.0.0 to 4.4.5

root@thm:~$ tshark -r teamwork.pcap -V -T fields -e http.request.full_uri | awk NF
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/js/script.js?_=1492480834538
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/inc/visit.php
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/inc/login.php
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/suspecious.php
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/shield.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/update.php
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/icon_checked.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/icon_uncheck.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/feedback.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/logo.svg
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/font/PayPalSansSmall-Medium.woff2
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/setting.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/js/jquery.creditCardValidator.min.js?_=1492480834539
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/arrow.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/profile.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/js/cc.js?_=1492480834540
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/csc_standard.png
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/
 http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/img/logo_ccVisa.gif
 http://toolbarqueries.google.com/tbr?client=navclient-auto&ch=63514382238&features=Rank&q=info%3Ahttp%3A%2F%2Fwww.paypal.com4uswebappsresetaccountrecovery.timeseaways.com%2F%23

root@thm:~$ tshark -r teamwork.pcap -z follow,http,ascii,1 -q -Y 'http contains paypal.com4 && http contains login.php' -V
 [Full request URI: http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/inc/login.php]
    [HTTP request 1/1]
    File Data: 285 bytes
 HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "user" = "johnny5alive@gmail.com"
        Key: user
        Value: johnny5alive@gmail.com
    Form item: "pass" = "johnny5alive"
        Key: pass
        Value: johnny5alive
    Form item: "xBrowser" = "Mozilla FireFox v43"
        Key: xBrowser
        Value: Mozilla FireFox v43
    Form item: "xOperatingSystem" = "Linux"
        Key: xOperatingSystem
        Value: Linux
    Form item: "xPlatForm" = "Desktop Platform"
        Key: xPlatForm
        Value: Desktop Platform
    Form item: "xTimeZone" = "Mon Apr 17 2017 22:00:35 GMT-0400 (EDT)"
        Key: xTimeZone
        Value: Mon Apr 17 2017 22:00:35 GMT-0400 (EDT)
    Form item: "xResoLution" = "Computer: 1920x1080; Browser inner: 1920x762; Browser outer: 1920x1027"
        Key: xResoLution
        Value: Computer: 1920x1080; Browser inner: 1920x762; Browser outer: 1920x1027
    Form item: "xLang" = "en-US"
        Key: xLang
        Value: en-US

===================================================================
Follow: http,ascii
Filter: tcp.stream eq 1
Node 0: :0
Node 1: :0
===================================================================
 
root@thm:~$ BROWSER > cyberchef.io
 input: johnny5alive@gmail.com
 recipe: Defang URL
 output: johnny5alive[at]gmail[.]com
  - replaces @ with "[at]" and each . with "[.]"
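The whole investigation collapsed into one script, as an added example that is not part of the original walkthrough: it reads TShark "-T fields" output (a constructed sample stands in for the live pcap here), flags brand lookalike hostnames with a small heuristic of my own ("brand_check", not a TShark or VirusTotal feature), and defangs the recovered domain, IP and email address the way the CyberChef steps above do.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: turn TShark field
# output into defanged artefacts for detection tooling. The sample DNS
# lines below are constructed; live data comes from
#   tshark -r teamwork.pcap -T fields -e dns.qry.name | summarize_dns

# Defang helpers, matching the CyberChef output shown in the walkthrough:
# "." -> "[.]", "@" -> "[at]", "http://" -> "hxxp[://]".
defang_host()  { printf '%s\n' "$1" | sed 's/\./[.]/g'; }
defang_email() { printf '%s\n' "$1" | sed 's/@/[at]/; s/\./[.]/g'; }
defang_url()   { printf '%s\n' "$1" | sed 's#^http://#hxxp[://]#; s#^https://#hxxps[://]#; s/\./[.]/g'; }

# Heuristic (my own, hypothetical): flag a hostname that contains a brand
# name but is not registered under that brand's apex, e.g. "paypal.com"
# buried in a label of timeseaways.com.
# Usage: brand_check HOST BRAND  -> prints LOOKALIKE or ok.
brand_check() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    apex=$(printf '%s' "$host" | awk -F. 'NF>1 {print $(NF-1)"."$NF}')
    case "$host" in
        *"$2"*) [ "$apex" = "$2.com" ] && echo ok || echo LOOKALIKE ;;
        *)      echo ok ;;
    esac
}

# Count dns.qry.name values read on stdin (the page's "awk NF | sort | uniq -c"
# step), most-queried name first.
summarize_dns() { awk NF | sort | uniq -c | sort -rn; }

# Constructed sample of "-T fields -e dns.qry.name" output, blank line included.
SAMPLE_DNS='www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
toolbarqueries.google.com

www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
wittyserver'

# Artefacts recovered in the walkthrough above.
PHISH_HOST=www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
PHISH_IP=184.154.127.226
VICTIM_EMAIL=johnny5alive@gmail.com

printf '%s\n' "$SAMPLE_DNS" | summarize_dns
echo "$PHISH_HOST -> $(brand_check "$PHISH_HOST" paypal)"
echo "domain: $(defang_host "$PHISH_HOST")"
echo "ip:     $(defang_host "$PHISH_IP")"
echo "email:  $(defang_email "$VICTIM_EMAIL")"
echo "url:    $(defang_url "http://$PHISH_HOST/inc/login.php")"
```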
