We covered the second part of Wireshark tutorials where we went over traffic analysis using advanced filters. We analyzed network traffic with different protocols such as HTTP and DNS. We also covered analyzing NMAP scans, ARP Poisoning attacks and SSH tunneling. Additionally, we explained how to extract clear-text credentials passed over insecure protocols such as HTTP & FTP. This was part of TryHackMe Wireshark Traffic Analysis  SOC Level 1.

Get Network Traffic Analysis Study Notes

The Complete Practical Metasploit Framework Course

Video Highlights

Room Answers

Use the “Desktop/exercise-pcaps/nmap/Exercise.pcapng” file.
What is the total number of the “TCP Connect” scans?

Which scan type is used to scan the TCP port 80?

How many “UDP close port” messages are there?

Which UDP port in the 55-70 port range is open?

Use the “Desktop/exercise-pcaps/arp/Exercise.pcapng” file.
What is the number of ARP requests crafted by the attacker?

What is the number of HTTP packets received by the attacker?

What is the number of sniffed username&password entries?

What is the password of the “Client986”?

What is the comment provided by the “Client354”?

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap” file.
What is the MAC address of the host “Galaxy A30”?

How many NetBIOS registration requests does the “LIVALJM” workstation have?

Which host requested the IP address “172.16.13.85”?

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap” file.
What is the IP address of the user “u5”? (Enter the address in defanged format.)

What is the hostname of the available host in the Kerberos packets?
Use the “Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap” file.
Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

Use the “Desktop/exercise-pcaps/dns-icmp/dns.pcap” file.
Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

Use the “Desktop/exercise-pcaps/ftp/ftp.pcap” file.
How many incorrect login attempts are there?

What is the size of the file accessed by the “ftp” account?

The adversary uploaded a document to the FTP server. What is the filename?

The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?

Use the “Desktop/exercise-pcaps/http/user-agent.cap” file.

Investigate the user agents. What is the number of anomalous  “user-agent” types?

What is the packet number with a subtle spelling difference in the user agent field?

Use the “Desktop/exercise-pcaps/http/http.pcapng” file.
Locate the “Log4j” attack starting phase. What is the packet number?

Locate the “Log4j” attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude “{}”.)

Use the “Desktop/exercise-pcaps/https/Exercise.pcap” file.

What is the frame number of the “Client Hello” message sent to “accounts.google.com”?

Decrypt the traffic with the “KeysLogFile.txt” file. What is the number of HTTP2 packets?

Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

Investigate the decrypted packets and find the flag! What is the flag?

Use the “Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap” file.
What is the packet number of the credentials using “HTTP Basic Auth”?

What is the packet number where “empty password” was submitted?

Use the “Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap” file.
Select packet number 99. Create a rule for “IPFirewall (ipfw)”. What is the rule for “denying source IPv4 address”?

Select packet number 231. Create “IPFirewall” rules. What is the rule for “allowing destination MAC address”?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles