TryHackMe: Cyber Defense Learning Path P1D3
05 May, 2021
We could say that, network traffic and Wireshark are getting along as much as crêpes with chocolate and strawberries ( I will accept no argument on that). Often in forensic challenges you
will have to analyze a .pcap file. Wireshark is the tool you need. It will present you a nice overview of packets transmitted, categorized by protocol, time, source and destination
address and that’s not all. Wireshark provides, as well, a number of filters you may use in order to preview the results of a capture in your own, customized way. Are you ready to dive
deeper?
Today, I’m gonna skip to Task 7. The previous tasks have a bunch of usefull informations about the tool, giving us the heads-up we need. For the rest tasks, we will have to download the
pcap files and examine them further.
Wireshark 101
Task 7
Our first stop is on ARP traffic. Address Resolution Protocol is the protocol that acts as a bridge between MAC and IP addresses.-
What is the Opcode for Packet 6?
After clicking on packet 6 you have to check the Address Resolution Protocol (request) tab from it's description. The Opcode is request (1) -
What is the source MAC Address of Packet 19?
You need the MAC address, not the IP. Once more, click on packet 19. The answer is 80:fb:06:f0:45:d7 -
What 4 packets are Reply packets?
Have you thought of applying a filter? Try arp.opcode == 2. The packes are 76,400,459,520. -
What IP Address is at 80:fb:06:f0:45:d7?
The same MAC from the second question. Go back to packet 19. 10.251.23.1 is your address.
Task 8
Moving on with OSI's layers, ICMP is the protocol that works with the famous ping tool (remember from the Introductory Networking room). Tip time: I recently learned from a ctf challenge that, among all the exfiltration attack types there is also the ICMP exfiltration attack. Keep that in mind and learn how to examine ICMP traffic.-
What is the type for packet 4?
It's an Echo (ping) request of type 8. -
What is the type for packet 5?
You can also google of the different ping types. A reply ping is of type 0. -
What is the timestamp for packet 12, only including month day and year?
Click on the packet. The answer is May 30, 2013. -
What is the full data string for packet 18?
Just copy and paste 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
Task 10
The already called (by me) Savior, DNS can make it's own traffic trail. I referenced before the ICMP exfiltration attack but, a way more "popular" one is the DNS exfiltration attack.-
What is being queried in packet 1?
You have to check the field Queries after the Domain Name System tab. The answer is 8.8.8.8.in-addr.arpa -
What site is being queried in packet 26?
The last column, named Info, is giving us the answer. www.wireshark.org -
What is the Transaction ID for packet 26?
Look at the Domain Name System tab. The first thing you'll see is the Transaction ID: 0x2c58.
Task 11
A familiar protocol, isn't it? Hypertext Transfer Protocol is the layer's 7 protocol that transforms data to a human readable form.-
What percent of packets originate from Domain Name System?
Look at the top of the wireshark's window and select Statistics > Protocol Hierarchy. That's a good start for analysing pcaps from forensics challenges. For this question, the answer is 4.7. -
What endpoint ends in .237?
Once more, go to Statistics and then Endpoints. Now think. A .237 looks a lot like the last 8 bits of an IPv4 address. The full is 145.254.160.237. -
Looking at the data stream what is the full request URI from packet 18?
Pretty long so copy it, it's https://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 -
What domain name was requested from packet 38?
You need just the domain, meaning www.ethereal.com. -
Looking at the data stream what is the full request URI from packet 38?
And now the full request, http://www.ethereal.com/download.html.
Task 12
Same with HTTP but Secure, HTTPS protects your data by encrypting them. Note: If you can't find the SSL protocol you have to select the TLS > RSA keys list > Edit. Google why.-
Looking at the data stream what is the full request URI for packet 31?
With the data now decrypted we can get that, the full request is https://localhost/icons/apache_pb.png. -
Looking at the data stream what is the full request URI for packet 50?
https://localhost/icons/back.gif -
What is the User-Agent listed in packet 50?
Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n