Advent of Cyber Task 12

H8handles
5 min read · Dec 11, 2020

This task was created by https://tryhackme.com/p/cmnatic and was put together really well. It marks the start of a new topic, as the previous tasks were about web exploits; this one gives you an understanding of network traffic and how to analyze that traffic with Wireshark.

The first question requires us to look at a pcap file called pcap1.pcap. A pcap is a recording of the packets seen on the network over a period of time, created by a Wireshark packet capture. Normally you would start a capture yourself with the button in the top left of Wireshark (the one with the shark fin); here the capture has been provided for us as a pcap file.

Wireshark has a lot of versatility once you learn how to use the green filter bar. Learning to utilize this feature is the quickest route to becoming a Wireshark power user.

The task provides an amazing, detailed guide to basic networking concepts and protocols. This article assumes you have at least read it before seeking a walk-through. The hacker mindset means plugging away until something works; that comes with time and practice.

Question One

This question asks us for the IP address that sent the ICMP request. ICMP echo request packets are what the ping command sends, so seeing them is indicative of a ping.

Inspecting the pcap1 file, we apply the ICMP filter and notice the IP 10.11.3.2 (not sure if the file is the same for everyone, but probably).

Question Two

Wireshark filters can be used to isolate HTTP traffic as well. A quick Google search turns up https://www.comparitech.com/net-admin/wireshark-cheat-sheet/, which (along with the task's reading) shows us a few filters so we know how to tackle question two.

They ask us what filter would allow us to see only HTTP GET requests in the pcap1 file. Wireshark has a handy auto-complete function when typing in the filter bar that helps us deduce the correct filter: http.requests.method == get

Wireshark's filter bar turns red if the filter contains a syntax error.

Question Three

This question gets us a little deeper into Wireshark. They ask what the attacker accessed from IP address 10.10.67.199. This builds on the answer from the question above. Much like CLI commands, Wireshark allows multiple filters to be combined with the && operator, so we can narrow the traffic down to HTTP GET requests from the source IP 10.10.67.199 by using the two together: http.requests.method (without get, because I did not get any packets with the get appended).

Scrolling through the capture, we notice something holiday-related under /posts/ that he accessed. Count the letters if you are really stuck; it is not always code we are after, we are hackers after all. (:

You can even see the bytes in hex, as well as the start of the GET request as the browser would send it. We start to see the power Wireshark offers from a network blue-team perspective.

Question Four

Here the actual analysis happens, with pcap2. We shift our view from the top pane of Wireshark down to the bottom pane: that is the nuts and bolts of Wireshark, where the actual packet data lives. They want to know what password was used to access the FTP server. FTP, as we know, is unencrypted, so we can read whatever passes through it. The suggestion here is to use the filters we learned about; this one is more straightforward than the others, since applying the ftp filter in the bar is enough.

We notice the mention of PASS and plaintext_password_…, and when we look at the bottom pane we can see what is actually happening.

Not only do we have the answer to our question: if you expand the Frame and protocol tabs, a plethora of information is provided at a deep networking level. Cool for any nerd to analyze (:
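To show what the Wireshark filters from Questions One to Four are doing under the hood, here is an added example (not part of the original post or of the TryHackMe task) that parses a libpcap file with only the Python standard library and pulls out the ICMP echo senders, the HTTP GET paths per source address and any cleartext FTP PASS command. The capture it reads is constructed inline; the addresses reuse the post's 10.11.3.2 and 10.10.67.199, and the request path and password are placeholders.

```python
import struct

ETH_IPV4, PROTO_ICMP, PROTO_TCP = 0x0800, 1, 6

def pcap_records(data):
    """Yield each packet's bytes from a classic libpcap (not pcapng) capture."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                         # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode(frame):
    """Return (src, dst, proto, payload) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    body = frame[14 + (frame[14] & 0x0F) * 4:]       # past the variable-length IPv4 header
    if frame[23] == PROTO_TCP:                       # strip the TCP header to reach app data
        body = body[(body[12] >> 4) * 4:]
    return src, dst, frame[23], body

def analyze(pcap):
    """The walkthrough's checks: ICMP echo senders, HTTP GETs by source, FTP PASS."""
    found = {"icmp_sources": set(), "http_get": [], "ftp_pass": []}
    for src, dst, proto, payload in filter(None, map(decode, pcap_records(pcap))):
        if proto == PROTO_ICMP and payload[:1] == b"\x08":          # ICMP type 8 = echo request
            found["icmp_sources"].add(src)
        elif proto == PROTO_TCP and payload.startswith(b"GET "):
            found["http_get"].append((src, payload.split(b" ")[1].decode()))
        elif proto == PROTO_TCP and payload.startswith(b"PASS "):
            found["ftp_pass"].append((src, dst))   # credential is readable; record the fact, not the secret
    return found

def build_frame(src, dst, proto, payload, dport=80):
    """Constructed Ethernet/IPv4(/TCP) frame for the demo; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 1234, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) if proto == PROTO_TCP else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp + payload
def build_pcap(frames):
    """Little-endian libpcap global header (link type 1 = Ethernet) plus one record per frame."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
SAMPLE_PCAP = build_pcap([  # constructed stand-in for pcap1/pcap2, not the task's real captures
    build_frame("10.11.3.2", "10.10.67.199", PROTO_ICMP, b"\x08\x00\x00\x00"),
    build_frame("10.10.67.199", "10.11.3.2", PROTO_TCP, b"GET /posts/holiday-post-placeholder HTTP/1.1\r\n"),
    build_frame("10.11.3.2", "10.10.67.199", PROTO_TCP, b"PASS plaintext_password_placeholder\r\n", dport=21),
])
```

Calling `analyze(SAMPLE_PCAP)` gives the same three answers the filters icmp, http GET plus source IP, and ftp would surface in the GUI; the FTP finding deliberately records only who sent a cleartext password to whom, which is what a detection would alert on.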

Question Five

This question is right in our face when we open the pcap file. The protocol is SSH, which stands for Secure Shell; it encrypts traffic over the network. Read more about it here: https://www.ssh.com/ssh/

Question Six

For this question we need a feature located under the File menu in the top left corner of Wireshark.

The Export Objects feature lets us save all the files we can recover from the requests.

Using this we get a .zip file called Christmas. Unzip it and inspect the contents for a wishlist; you will see Elf McSkiddy might not have a job for much longer. (: Merry Christmas and happy hacking!

H8handles

Security lover. Just a techie trying to break into the cybersec world. I stream hacking on twitch over at https://twitch.tv/h8handles.