Wireshark Traffic Analysis

In this TryHackMe room, we use basic and advanced Wireshark traffic-analysis techniques to detect suspicious activity in packet captures.


Nmap

Nmap, short for Network Mapper, is the industry-standard tool for mapping networks. A security analyst needs to be able to recognise and analyse the traffic patterns its scans leave in a capture.

Lab Questions:

What is the total number of the “TCP Connect” scans?

Which scan type is used to scan the TCP port 80?

How many “UDP close port” messages are there?

Which UDP port in the 55-70 port range is open?


What is the total number of the “TCP Connect” scans?

To answer this question, we need to figure out what a TCP Connect scan is.

With Nmap, a TCP Connect scan is run with the “nmap -sT” command. The scan completes the full TCP three-way handshake to identify hosts/services. It does not require root privileges, and its SYN packets carry a window size larger than 1024 bytes (a SYN “stealth” scan, nmap -sS, sends SYNs with a window size of 1024 bytes or less and never completes the handshake).

The handshake differs depending on whether the TCP port is open or closed:

  • Open port:

    SYN —>

    <— SYN, ACK

    ACK —>

    (RST, ACK —>)

  • Closed port:

    SYN —>

    <— RST, ACK

Using Wireshark, we will have to create a display filter to figure out how many TCP Connects scans were conducted.

Whether the port is open or closed, the scanner's first packet is a SYN with the ACK flag clear. We do not need to check whether the server answered with a SYN/ACK, because the question asks what the server received. Adding the window-size condition separates Connect scan SYNs from SYN scan SYNs. Our filter is therefore:

tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size > 1024

The filter worked! We are now able to investigate TCP packets that were sent using TCP Connect scans!

In the lower right corner of the image, Wireshark shows 1000 packets found in the search.

The answer must be:

1000


Which scan type is used to scan the TCP port 80?

To answer this question, we need to figure out what packets were sent to our server via port 80. We can verify this using this filter command:

tcp.port == 80

The filter shows us 6 different TCP packets that contain port 80 in their source and/or destination port.

After looking at the initial packet, we can identify the following steps:

  1. A SYN packet was sent from source port 42026 to destination port 80.

  2. Port 80 then sent a SYN/ACK packet back to port 42026.

  3. Afterwards, port 42026 sent an ACK packet back to port 80.

  4. An additional RST/ACK packet was then sent by port 42026 to port 80 to tear the connection down.

This is a textbook completed three-way handshake followed by a teardown, which is exactly what a Connect scan does (a SYN scan would answer the SYN/ACK with a bare RST instead of an ACK). Therefore it has to be a TCP Connect scan.


How many “UDP close port” messages are there?

To answer this question, we need to understand how a UDP scan works. It is run with “nmap -sU”.

UDP has no handshake, so Nmap infers the port state from the reply: a closed UDP port answers with an ICMP type 3 (Destination Unreachable), code 3 (Port Unreachable) message, while an open port usually sends nothing (or, for some services, a UDP reply).

We can count the UDP closed-port messages with this filter:

icmp.type == 3

Since the question is about closed ports specifically, adding icmp.code == 3 (Port Unreachable) avoids counting other Destination Unreachable messages, such as host or network unreachable.

Using the filter, we display the packets that carry an ICMP type 3 message.

In the bottom right of the screenshot, Wireshark shows 1083 displayed packets.

Therefore the answer has to be:

1083


Which UDP port in the 55-70 port range is open?

To answer this question, we need a filter that only shows the ports between 55 and 70. To be more specific, we only want UDP packets, not TCP, and only the probes sent to our host, i.e. the destination port.

Therefore, the filter will be:

udp.dstport > 55 && udp.dstport < 70

(Note that > and < exclude 55 and 70 themselves; use >= and <= if the range is meant to be inclusive.)

From the screenshot, we can see that 12 packets matched the filter. However, only one of those ports is open. Our choices are 67, 68, or 69. Because a closed UDP port answers with an ICMP Port Unreachable, the reliable check is to see which probed port in this range has no matching ICMP type 3/code 3 reply (the ICMP message quotes the original UDP header, so its destination port is visible in the packet details).

After analyzing the data, I found that multiple different ports made connections to port 68. In addition, there were more connections made to that specific port than to 67 or 69.

Therefore, it has to be 68.
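The following Python script is an added example (mine, not part of the TryHackMe room or this write-up). It reproduces the scan-signature checks from this section over a small constructed frame list, so you can see the logic behind each display filter. The frame list, addresses and port numbers are made up, and the dictionary keys are my own names for the packet fields the filters reference.

```python
# Added example: Nmap scan signatures over constructed frames.
# Each dict stands for one frame; only the fields used by the Wireshark
# filters in this section are modelled. Addresses and ports are made up.
FRAMES = [
    # TCP Connect scan (nmap -sT) of open port 80: SYN, SYN/ACK, ACK, RST/ACK
    dict(proto="tcp", src="10.0.0.5", dst="10.0.0.9", sport=42026, dport=80, syn=1, ack=0, rst=0, win=29200),
    dict(proto="tcp", src="10.0.0.9", dst="10.0.0.5", sport=80, dport=42026, syn=1, ack=1, rst=0, win=64240),
    dict(proto="tcp", src="10.0.0.5", dst="10.0.0.9", sport=42026, dport=80, syn=0, ack=1, rst=0, win=29200),
    dict(proto="tcp", src="10.0.0.5", dst="10.0.0.9", sport=42026, dport=80, syn=0, ack=1, rst=1, win=29200),
    # TCP Connect scan of closed port 21: SYN answered by RST/ACK
    dict(proto="tcp", src="10.0.0.5", dst="10.0.0.9", sport=42027, dport=21, syn=1, ack=0, rst=0, win=29200),
    dict(proto="tcp", src="10.0.0.9", dst="10.0.0.5", sport=21, dport=42027, syn=0, ack=1, rst=1, win=0),
    # TCP SYN scan (nmap -sS) of open port 443: window 1024, SYN/ACK answered by a bare RST
    dict(proto="tcp", src="10.0.0.5", dst="10.0.0.9", sport=51001, dport=443, syn=1, ack=0, rst=0, win=1024),
    dict(proto="tcp", src="10.0.0.9", dst="10.0.0.5", sport=443, dport=51001, syn=1, ack=1, rst=0, win=64240),
    dict(proto="tcp", src="10.0.0.5", dst="10.0.0.9", sport=51001, dport=443, syn=0, ack=0, rst=1, win=0),
    # UDP scan (nmap -sU) of ports 53, 67, 68, 69: closed ports answer with ICMP type 3
    # code 3, which quotes the original destination port; port 68 stays silent
    dict(proto="udp", src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=53),
    dict(proto="icmp", src="10.0.0.9", dst="10.0.0.5", icmp_type=3, icmp_code=3, orig_dport=53),
    dict(proto="udp", src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=67),
    dict(proto="icmp", src="10.0.0.9", dst="10.0.0.5", icmp_type=3, icmp_code=3, orig_dport=67),
    dict(proto="udp", src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=68),
    dict(proto="udp", src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=69),
    dict(proto="icmp", src="10.0.0.9", dst="10.0.0.5", icmp_type=3, icmp_code=3, orig_dport=69),
]


def tcp_connect_probes(frames, window_threshold=1024):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size > 1024"""
    return [f for f in frames if f["proto"] == "tcp"
            and f["syn"] == 1 and f["ack"] == 0 and f["win"] > window_threshold]


def tcp_syn_scan_probes(frames, window_threshold=1024):
    """Same, but the small-window SYNs that nmap -sS sends."""
    return [f for f in frames if f["proto"] == "tcp"
            and f["syn"] == 1 and f["ack"] == 0 and f["win"] <= window_threshold]


def classify_tcp_conversation(frames, scanner, target, dport):
    """Look at the whole exchange for one port, not just the first SYN.

    Returns (port_state, scan_type). A Connect scan completes the handshake
    (a plain ACK from the scanner) before tearing down; a SYN scan answers
    the SYN/ACK with a bare RST. For closed/filtered ports no handshake is
    available, so fall back to the window-size heuristic.
    """
    conv = [f for f in frames if f["proto"] == "tcp"
            and {f["src"], f["dst"]} == {scanner, target}
            and dport in (f["sport"], f["dport"])]
    syn = next((f for f in conv if f["src"] == scanner and f["syn"] and not f["ack"]), None)
    if syn is None:
        return ("not-probed", None)
    got_synack = any(f["src"] == target and f["syn"] and f["ack"] for f in conv)
    target_rst = any(f["src"] == target and f["rst"] for f in conv)
    scanner_acked = any(f["src"] == scanner and f["ack"] and not f["syn"] and not f["rst"] for f in conv)
    by_window = "connect" if syn["win"] > 1024 else "syn"
    if got_synack:
        return ("open", "connect" if scanner_acked else "syn")
    if target_rst:
        return ("closed", by_window)
    return ("filtered", by_window)


def udp_port_unreachable(frames):
    """icmp.type == 3 && icmp.code == 3: the 'UDP close port' messages."""
    return [f for f in frames if f["proto"] == "icmp"
            and f["icmp_type"] == 3 and f["icmp_code"] == 3]


def open_or_filtered_udp_ports(frames, lo, hi):
    """Probed UDP ports in [lo, hi] that never drew an ICMP Port Unreachable."""
    probed = {f["dport"] for f in frames if f["proto"] == "udp" and lo <= f["dport"] <= hi}
    closed = {f["orig_dport"] for f in udp_port_unreachable(frames)}
    return sorted(probed - closed)


if __name__ == "__main__":
    print("Connect-scan SYNs:", len(tcp_connect_probes(FRAMES)))
    print("SYN-scan SYNs:   ", len(tcp_syn_scan_probes(FRAMES)))
    for port in (80, 443, 21):
        print(f"port {port}:", classify_tcp_conversation(FRAMES, "10.0.0.5", "10.0.0.9", port))
    print("UDP closed-port messages:", len(udp_port_unreachable(FRAMES)))
    print("UDP open|filtered in 55-70:", open_or_filtered_udp_ports(FRAMES, 55, 70))
```

The window-size rule is only a heuristic: Nmap's defaults can change and a custom scanner can set any window it likes, which is why classify_tcp_conversation prefers the shape of the handshake whenever the port answered. The UDP check keys on the destination port quoted inside the ICMP error rather than on packet counts, so it gives the same answer whether a port was probed once or many times.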


 

ARP Poisoning

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. ARP Poisoning (also called ARP spoofing, a man-in-the-middle attack) manipulates the network by sending forged ARP replies to the victim hosts, typically the target and the default gateway. The goal is to poison their ARP caches so that traffic for the target host flows through the attacker, who can then sniff it.

ARP uses an opcode field to distinguish a request from a reply:

  • Opcode 1: ARP Request

  • Opcode 2: ARP Reply (response)

Lab Questions:

What is the number of ARP requests crafted by the attacker?

What is the number of HTTP packets received by the attacker?

What is the number of sniffed username&password entries?

What is the password of the "Client986"?

What is the comment provided by the "Client354"?


What is the number of ARP requests crafted by the attacker?

To answer this question, we first need to identify the MAC address the attacker used. Wireshark raises a “duplicate IP address detected” warning when one IP address is announced by more than one MAC address, so we filter on that:

arp.duplicate-address-detected

After applying the filter we are presented with 138 ARP packets flagged for a duplicate address.

The MAC address claiming the duplicated IP is 00:0c:29:e2:18:b4. Now we can proceed with the next step.

Next we filter on that MAC address. Because the question asks about packets crafted by the attacker, we match on the sender (source) hardware address, not the target. Therefore the filter will be:

(arp.opcode == 1) && (arp.src.hw_mac == 00:0c:29:e2:18:b4)

We added (arp.opcode == 1) because we only want requests, not replies.

The final answer is 284
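As an added example (my code, not the room's), the following Python reproduces the two checks above, duplicate-address detection and counting requests from one sender MAC, by parsing raw ARP frames. The frames are built by a small helper inside the script and are constructed test data: the attacker MAC is the one identified above, the other MAC and IP addresses are made up, and the duplicate-address logic is a simplification of what Wireshark does.

```python
import struct
from collections import defaultdict


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame builder, used only to construct sample data."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    eth_dst = tmac if opcode == 2 else b"\xff" * 6          # replies unicast, requests broadcast
    eth = eth_dst + smac + b"\x08\x06"                       # EtherType 0x0806 = ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # Ethernet/IPv4, hlen 6, plen 4
           + smac + bytes(int(o) for o in sender_ip.split("."))
           + tmac + bytes(int(o) for o in target_ip.split(".")))
    return eth + arp


def parse_arp(frame):
    """Extract the fields Wireshark shows as arp.opcode, arp.src.hw_mac,
    arp.src.proto_ipv4, arp.dst.hw_mac and arp.dst.proto_ipv4."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _htype, _ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    off, fields = 22, {"opcode": opcode}
    for name, size, is_mac in (("src_hw", hlen, True), ("src_proto", plen, False),
                               ("dst_hw", hlen, True), ("dst_proto", plen, False)):
        raw = frame[off:off + size]
        off += size
        fields[name] = (":".join(f"{b:02x}" for b in raw) if is_mac
                        else ".".join(str(b) for b in raw))
    return fields


def duplicate_addresses(arps):
    """Approximation of arp.duplicate-address-detected: an IP announced by
    more than one sender MAC. Returns {ip: {mac, ...}}."""
    claims = defaultdict(set)
    for a in arps:
        if a["src_proto"] != "0.0.0.0":          # skip address-conflict probes
            claims[a["src_proto"]].add(a["src_hw"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def likely_spoofer(dups):
    """The MAC involved in the most duplicate claims is the prime suspect:
    a poisoner impersonates both the gateway and the victim."""
    counts = defaultdict(int)
    for macs in dups.values():
        for mac in macs:
            counts[mac] += 1
    return max(counts, key=counts.get) if counts else None


def requests_from(arps, mac):
    """(arp.opcode == 1) && (arp.src.hw_mac == mac)"""
    return sum(1 for a in arps if a["opcode"] == 1 and a["src_hw"] == mac)


ATTACKER_MAC = "00:0c:29:e2:18:b4"   # the MAC found in the write-up above
GATEWAY_MAC = "00:50:56:aa:bb:01"    # constructed
VICTIM_MAC = "00:0c:29:11:22:33"     # constructed
ZERO_MAC = "00:00:00:00:00:00"

# Constructed traffic: one honest resolution, an attacker sweep, then two poison replies.
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, "192.168.1.25", ZERO_MAC, "192.168.1.1"),       # victim: who has the gateway?
    build_arp(2, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.25"),    # genuine gateway reply
    build_arp(1, ATTACKER_MAC, "192.168.1.66", ZERO_MAC, "192.168.1.25"),    # attacker sweeping the LAN
    build_arp(1, ATTACKER_MAC, "192.168.1.66", ZERO_MAC, "192.168.1.1"),
    build_arp(1, ATTACKER_MAC, "192.168.1.66", ZERO_MAC, "192.168.1.30"),
    build_arp(2, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.25"),   # poison: "I am the gateway"
    build_arp(2, ATTACKER_MAC, "192.168.1.25", GATEWAY_MAC, "192.168.1.1"),  # poison: "I am the victim"
]
SAMPLE_ARPS = [p for p in map(parse_arp, SAMPLE_FRAMES) if p]

if __name__ == "__main__":
    dups = duplicate_addresses(SAMPLE_ARPS)
    print("duplicated IPs:", dups)
    print("likely spoofer:", likely_spoofer(dups))
    print("requests from spoofer:", requests_from(SAMPLE_ARPS, likely_spoofer(dups)))
```

Real captures need one refinement the sample does not: a host that legitimately changes its NIC, or a gratuitous ARP after a failover, also produces two MACs for one IP, so in practice you would weight the claims by time and by whether the second MAC also impersonates another address, which is what likely_spoofer approximates.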


What is the number of HTTP packets received by the attacker?

We know the attacker's MAC address is 00:0c:29:e2:18:b4. Therefore, we filter to frames whose destination MAC is the attacker's and that carry HTTP. The filter is:

eth.dst == 00:0c:29:e2:18:b4 && http

The filter worked! The displayed-packet count in the bottom right is the number of HTTP packets received by the attacker.


What is the number of sniffed username&password entries?

To answer this, we need to find credentials submitted in cleartext HTTP POST requests. Scrolling right in the Info column shows several.

To count the username and password entries, we filter on the login form's POST target:

http.request.full_uri == "http://testphp.vulnweb.com/userinfo.php"

8 packets are shown, 2 of which do not carry a username/password form, leaving 6 credential entries. (A tighter filter is http.request.method == "POST" && http.request.uri contains "userinfo.php", which restricts the view to the POST submissions.) So, the answer is

6.


What is the password of the "Client986"?

Inside one of those packets, the answer is in the Packet Details pane under “HTML Form URL Encoded”.

The answer is clientnothere!


What is the comment provided by the "Client354"

Clear the display filter, then press Ctrl+F to open the Find tool. Search for the string “Client354” and read the comment in the Packet Details pane under “HTML Form URL Encoded”.

The answer is Nice work!


 

DHCP, NetBIOS, and Kerberos

  • DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses and other communication parameters to devices joining a network.

    Useful DHCP options:

    Option 53 = DHCP message type (the dhcp.option.dhcp filter field): 3 = Request, 5 = ACK, 6 = NAK

    Option 12 = Hostname

    Option 15 = Domain name

    Option 50 = Requested IP address

    Option 51 = IP address lease time

    Option 56 = Message (rejection details/reason)

    Option 61 = Client identifier (usually the client's MAC address)

  • NetBIOS (Network Basic Input/Output System) allows applications on separate computers to communicate over a LAN.

  • Kerberos is the default authentication protocol in Windows domains. It authenticates service requests between two or more computers over an untrusted network. It works on the basis of tickets, which let nodes communicating over a non-secure network prove their identity to one another without sending passwords across it.

    pvno = Protocol version.

    realm = Domain name for the generated ticket.

    sname = Service and domain name for the generated ticket.

    addresses = Client IP address and NetBIOS name.

Lab Questions:

What is the MAC address of the host "Galaxy A30"?

How many NetBIOS registration requests does the "LIVALJM" workstation have?

Which host requested the IP address "172.16.13.85"?

What is the IP address of the user "u5"? (Enter the address in defanged format.)

What is the hostname of the available host in the Kerberos packets?


What is the MAC address of the host "Galaxy A30"?

To find this, first type dhcp.option.dhcp == 3 into the filter to show DHCP Request messages, which carry the client's hostname in Option 12. Then use the Find tool (Ctrl+F, searching packet details for a string) to locate the packet containing “Galaxy-A30”; the MAC address is in the Client MAC address field of the DHCP header (and in Option 61).


How many NetBIOS registration requests does the "LIVALJM" workstation have?

To find this, first type nbns.name contains "LIVALJM" into the filter.

It displays 40 packets, but that includes queries and other message types, not just registrations.

We only want registration requests (NBNS opcode 5) for the name “LIVALJM”. Therefore, our next filter will be:

nbns.flags.opcode == 5 && nbns.name contains "LIVALJM"

Now our Packet List is full of packets that have an Opcode of 5!

Check the amount of displayed packets there are and there’s our answer!

16


Which host requested the IP address "172.16.13.85"?

To find this, filter for DHCP Request messages by typing dhcp.option.dhcp == 3. Now open the Find tool and search for the IP address (172.16.13.85); it appears in Option 50 (Requested IP Address) of the request.

Wireshark will then highlight the packet that contains the host that requested the IP address. Scroll down and you’ll find it under “Option: (12) Host Name”.

Galaxy-A12
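As an added example (mine, not the room's), here is a Python parser for the DHCP fields used in the two questions above. It reads the client hardware address from the BOOTP header and walks the option list to pull out the message type (Option 53), hostname (Option 12) and requested address (Option 50), then answers “which host requested IP X” and “what is the MAC of host Y” over packets the script constructs itself. The hostnames and the requested IP are the ones from the questions; the MAC addresses, transaction ID and server address are made up.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}


def build_dhcp(msg_type, chaddr, options):
    """Minimal BOOTP/DHCP packet builder, used only to construct sample data."""
    hw = bytes.fromhex(chaddr.replace(":", ""))
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2        # BOOTREQUEST from clients, BOOTREPLY from servers
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, len(hw), 0,               # op, htype=Ethernet, hlen, hops
                         0x3903F326, 0, 0x8000,           # xid (made up), secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr yiaddr siaddr giaddr
                         hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    body = bytes([53, 1, msg_type])                       # Option 53 first, as clients usually send it
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"         # Option 255 = end


def parse_dhcp(packet):
    """Return the client MAC (chaddr) and a {option_code: raw_value} dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    chaddr = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad: single byte, no length
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(packet):
            break                # truncated option: stop instead of reading past the end
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": chaddr, "options": options}


def message_type(p):
    v = p["options"].get(53)
    return MESSAGE_TYPES.get(v[0]) if v else None


def hostname(p):
    v = p["options"].get(12)
    return v.decode("ascii", "replace") if v else None


def requested_ip(p):
    v = p["options"].get(50)
    return ".".join(str(b) for b in v) if v and len(v) == 4 else None


def hosts_requesting(packets, ip):
    """dhcp.option.dhcp == 3, then match Option 50 and read Option 12."""
    return [(hostname(p), p["chaddr"]) for p in packets
            if message_type(p) == "Request" and requested_ip(p) == ip]


def mac_of_host(packets, name):
    """The client MAC behind a hostname announced in Option 12."""
    return next((p["chaddr"] for p in packets if hostname(p) == name), None)


# Constructed sample: two client Requests and one server ACK (MACs are made up).
SAMPLE_PACKETS = [parse_dhcp(pkt) for pkt in (
    build_dhcp(3, "02:00:00:aa:30:30", [(50, bytes([172, 16, 13, 80])), (12, b"Galaxy-A30"),
                                         (61, b"\x01" + bytes.fromhex("020000aa3030"))]),
    build_dhcp(3, "02:00:00:aa:12:12", [(50, bytes([172, 16, 13, 85])), (12, b"Galaxy-A12"),
                                         (61, b"\x01" + bytes.fromhex("020000aa1212"))]),
    build_dhcp(5, "02:00:00:aa:12:12", [(54, bytes([172, 16, 13, 1])), (51, struct.pack("!I", 86400))]),
)]

if __name__ == "__main__":
    print("requested 172.16.13.85:", hosts_requesting(SAMPLE_PACKETS, "172.16.13.85"))
    print("MAC of Galaxy-A30:", mac_of_host(SAMPLE_PACKETS, "Galaxy-A30"))
```

Matching on Option 50 inside Request messages, rather than searching the whole packet for the address string, avoids false hits from Offers and ACKs that mention the same address in yiaddr or in Option 54 (server identifier).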


What is the IP address of the user "u5"? (Enter the address in defanged format.)

We are trying to find the IP address of a user named “u5”. This user authenticated via Kerberos, so we filter on the Kerberos client name field: kerberos.CNameString == "u5"

There will be 9 packets displayed, all with a CName of u5. In the Packet Details pane, the client's address is the source IP of the AS-REQ/TGS-REQ packets (and the destination IP of the replies).

After defanging the IP address in CyberChef, the answer is: 10[.]1[.]12[.]2


What is the hostname of the available host in the Kerberos packets?

This one was a little confusing. To list the hostnames, do a global search by typing kerberos into the filter. Since we are looking for a hostname, we look at the CNames: in Active Directory, computer accounts authenticate with a name ending in $, which distinguishes them from user accounts. There are two ways to do this. We can look through each packet or put CNameString into its own column.

The column choice seems much easier.

In the Packet Details pane, expand Kerberos -> as-req -> req-body -> cname -> cname-string

You will then see “CNameString:”. Right click on it and click “Apply as Column”.

A column titled “cname” will then appear inside of the Packet List. Look through the column to find an outlier.

The answer is xp1$ (the trailing $ marks it as a machine account).


 

ICMP and DNS

  • ICMP is designed for diagnosing and reporting network communication issues. It is used for error reporting and testing, and it is also abused for denial-of-service attacks. Attackers use ICMP for data exfiltration and C2 tunnelling.

  • DNS translates domain names to IP addresses. It is the “phonebook” of the internet. Attackers commonly abuse it for data exfiltration and C2 activity.

ICMP and DNS tunnelling typically appear after malware execution or vulnerability exploitation.

Lab Questions:

Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)


Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

An ordinary ICMP echo packet carries a small payload; the room uses 64 bytes as the baseline. Bigger ICMP packets can indicate ICMP tunnelling. To find unusual packets, use the filter: data.len > 64 && icmp

This presents us with a list of packets whose data length is greater than 64. Based on the information captured in the screenshot, we can clearly observe the event taking place. Some packets are even 1000+ bytes long! The payload of those packets is visible in the Packet Bytes pane; a readable protocol banner there identifies what is being tunnelled.

Obviously there is something other than an ICMP flood attack occurring. My guess would be an SSH attempt.


Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

In order to scope out suspicious domain names, we first want to see which IP addresses are talking the most. To do this go to Statistics —> Conversations —> IPv4.

There is a worrisome amount of traffic between 8.8.8.8 to 192.168.94.132 and 192.168.94.131 to 192.168.94.132. We should investigate this.

In the filter box, type in ip.dst == 192.168.94.132 && dns

After analysing, we can see that the DNS queries from 192.168.94.131 to 192.168.94.132 ask for names like BA7C01B0DE682B2B4554B6000101E88144.dataexfil.com. The long hexadecimal subdomain is a classic sign of data encoded into DNS labels, and a name like “dataexfil” is itself a strong hint that the domain is malicious.

Upon putting the domain “dataexfil.com” into a defanger, the answer came out to dataexfil[.]com
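As an added example serving both questions in this section (my code, not the room's), the Python below applies the two heuristics just described over constructed data. It picks out oversized ICMP frames and checks whether their payload starts with a readable protocol banner, and it groups DNS query names by registrable domain to flag domains that receive many long, high-entropy subdomain labels. The ICMP payload is made up (a plaintext banner followed by binary filler) so the check has something to find; the DNS names are modelled on the one quoted above plus two ordinary Google names. The registrable-domain split is a deliberate simplification (last two labels) that a real tool would replace with a public-suffix list.

```python
import math
import string
from collections import defaultdict

PRINTABLE = set(string.printable.encode("ascii"))


def oversized_icmp(frames, threshold=64):
    """data.len > 64 && icmp"""
    return [f for f in frames if f["proto"] == "icmp" and len(f["data"]) > threshold]


def text_banner(payload, max_len=32):
    """Return the first line of the payload if it is readable ASCII, else None.
    Tunnelled plaintext protocols announce themselves this way; a normal ping
    payload (timestamp + 0x10..0x37 filler) is not printable."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")[:max_len]
    if len(first) < 4 or any(b not in PRINTABLE for b in first):
        return None
    return first.decode("ascii")


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Crude: last two labels. Good enough for .com; use a public-suffix list in real code."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_dns_domains(queries, min_unique=3, min_label_len=20):
    """Flag domains that receive many distinct, long, high-entropy subdomains:
    the shape of data being smuggled out one label at a time."""
    by_domain = defaultdict(set)
    for q in queries:
        by_domain[registrable_domain(q)].add(q.lower())
    flagged = {}
    for domain, names in by_domain.items():
        first_labels = [n.split(".")[0] for n in names]
        longest = max(len(l) for l in first_labels)
        if len(names) >= min_unique and longest >= min_label_len:
            flagged[domain] = {
                "unique_subdomains": len(names),
                "longest_label": longest,
                "max_entropy": round(max(shannon_entropy(l) for l in first_labels), 2),
            }
    return flagged


def defang(domain):
    return domain.replace(".", "[.]")


# Constructed frames: a normal 48-byte ping payload and a tunnel-sized one.
ICMP_FRAMES = [
    dict(proto="icmp", src="192.168.94.131", dst="8.8.8.8", data=bytes(range(0x10, 0x40))),
    dict(proto="icmp", src="192.168.94.131", dst="192.168.94.132",
         data=b"SSH-2.0-OpenSSH_8.9\r\n" + b"\x00\x01\x02\x03" * 300),
]

# Constructed query names: two ordinary ones and three exfil-style ones.
DNS_QUERIES = [
    "www.google.com",
    "accounts.google.com",
    "BA7C01B0DE682B2B4554B6000101E88144.dataexfil.com",
    "0FC9D2B1C3A4E5F60718293A4B5C6D7E8F.dataexfil.com",
    "DEADBEEF00112233445566778899AABBCC.dataexfil.com",
]

if __name__ == "__main__":
    for f in oversized_icmp(ICMP_FRAMES):
        print(f"{f['src']} -> {f['dst']}: {len(f['data'])} bytes, banner={text_banner(f['data'])!r}")
    for domain, info in suspicious_dns_domains(DNS_QUERIES).items():
        print(defang(domain), info)
```

Both checks are deliberately cheap: they run over the packet list in one pass and can be turned into Wireshark filters (data.len, dns.qry.name.len, dns.qry.name contains) once you know what shape the anomaly has. Entropy is reported rather than thresholded because base32/base64-looking labels and hex labels score differently, and a fixed cut-off produces false positives on CDN hostnames.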


 

HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is HTTP run over TLS (Transport Layer Security). It protects against spoofing, sniffing and interception: TLS encrypts the application data, so the traffic cannot be decrypted without the session keys (in practice, a key log file exported by the client, or the server's private key when RSA key exchange was used).

TLS has its own handshake process, similar in spirit to the TCP one. The first two steps are the Client Hello (sent by the client) and the Server Hello (the server's response).

TLS handshake types:

  • Type 1: Client Hello

  • Type 2: Server Hello

Lab Questions:

What is the frame number of the "Client Hello" message sent to "accounts.google.com"?

Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?

Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

Investigate the decrypted packets and find the flag! What is the flag?


What is the frame number of the "Client Hello" message sent to "accounts.google.com"?

The question asks for the “Client Hello”, the message the client sends to the server to open the TLS session. Therefore, the handshake type in our filter should be 1.

tls.handshake.type==1

After searching, there should be 20 displayed packets. One of these carries the server name “accounts.google.com” in its SNI extension. To speed up the search, use the Find tool, or narrow the filter to tls.handshake.type == 1 && tls.handshake.extensions_server_name == "accounts.google.com".

After using the find tool, packet number 16 was highlighted. Therefore our answer is 16
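To make that filter concrete, here is an added Python example (mine, not the room's) that parses TLS handshake records and extracts the handshake type and the Server Name Indication, which is what tls.handshake.type and tls.handshake.extensions_server_name expose in Wireshark. The ClientHello and ServerHello records and the frame numbers are constructed by the script itself; the parser handles one complete handshake message per record and does not reassemble records split across TCP segments.

```python
import struct


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record (sample data only)."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(name)) + name           # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                            # client_version, random
            + b"\x00"                                             # session_id length 0
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"          # two cipher suites
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello():
    """Construct a minimal ServerHello record (sample data only)."""
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\x13\x01" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body     # type 2 = server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _client_hello_sni(body):
    """Walk a ClientHello body to the server_name extension and return the host name."""
    off = 2 + 32                                            # version + random
    off += 1 + body[off]                                    # session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher suites
    off += 1 + body[off]                                    # compression methods
    if off + 2 > len(body):
        return None                                         # no extensions block
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if etype == 0:
            p = off + 2                                     # skip server_name_list length
            while p + 3 <= off + elen:
                ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                if ntype == 0:
                    return body[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        off += elen
    return None


def parse_tls_handshake(record):
    """Return (handshake_type, server_name) for a TLS handshake record, or
    None if the record is not a handshake (e.g. application data)."""
    if len(record) < 5 or record[0] != 0x16:               # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        return None
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs_type != 1:
        return (hs_type, None)                              # only ClientHello carries SNI
    return (hs_type, _client_hello_sni(body))


def client_hello_frames(frames, server_name):
    """tls.handshake.type == 1 && tls.handshake.extensions_server_name == server_name"""
    hits = []
    for frame_no, record in sorted(frames.items()):
        parsed = parse_tls_handshake(record)
        if parsed and parsed[0] == 1 and parsed[1] == server_name:
            hits.append(frame_no)
    return hits


# Constructed "capture": frame number -> TLS record bytes.
SAMPLE_FRAMES = {
    12: build_client_hello("www.google.com"),
    14: build_server_hello(),
    16: build_client_hello("accounts.google.com"),
    18: b"\x17\x03\x03\x00\x05hello",                        # application data, not a handshake
}

if __name__ == "__main__":
    for no, rec in sorted(SAMPLE_FRAMES.items()):
        print(no, parse_tls_handshake(rec))
    print("Client Hello for accounts.google.com in frame(s):",
          client_hello_frames(SAMPLE_FRAMES, "accounts.google.com"))
```

The SNI is the one piece of the destination that stays in cleartext in a TLS 1.2 handshake (and in TLS 1.3 unless Encrypted Client Hello is in use), which is why the Client Hello, not the Server Hello, is the message to search for a hostname.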


Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?

To decrypt the traffic, we need to configure Wireshark to read the KeysLogFile.

To do this, open Preferences by pressing Ctrl+ Shift + P. Click on Protocols —> TLS —> Pre-Master-Secret log filename (Browse)

Select the KeysLogFile.txt file and then click “OK”.

All of the TLS sessions covered by the key log should now be decrypted. We now need to figure out the number of HTTP2 packets. To do this, apply the filter http2:

After applying it, the number of packets displayed is 115.


Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

To find this answer, locate Frame 322 (Go —> Go to Packet, or Ctrl+G). Inside Packet Details, expand HyperText Transfer Protocol 2 —> Stream —> Header and you'll find the :authority header.

Plug it into a defanger and then the final answer is: safebrowsing[.]googleapis[.]com


Investigate the decrypted packets and find the flag! What is the flag?

Because the question asks specifically about the decrypted packets, we know the flag has to be in the HTTP traffic. Therefore, we type http2 into the filter. Afterwards, 115 packets are displayed. On closer inspection, packet 1576 stands out.

The request method is GET, which signifies the retrieval of a file. In the Info column it also displays path: /f6l4ta5w6gidsga3/flag.txt. This is almost certainly the flag.

To recover the file, export it as an object by going to File —> Export Objects —> HTTP. Make sure that packet 1576 is highlighted or else this won't work. Click Save and then pick a location to save it to.

After opening the file you’ll be greeted by an alien with the flag.

FLAG{THM-PACKETMASTER}
