Network forensics is an essential branch of cybersecurity that focuses on monitoring, analyzing, and investigating network traffic to detect and respond to malicious activities. This article delves into a forensic investigation conducted through a TryHackMe challenge, utilizing tools like Wireshark and Python to analyze suspicious network traffic.

The TryHackMe Extracted challenge simulates a real-world forensic investigation in which participants must identify and analyze suspicious traffic within a packet capture (PCAP) file. The primary objective is to uncover the method and extent of data exfiltration from a compromised machine.

Acquiring and Analyzing Packet Captures

The investigation begins by:

  • Downloading PCAP files from the challenge platform.
  • Utilizing Wireshark to open the files and examine network activity.
  • Navigating to the Statistics and Conversations sections to identify unusual connections.

Key Insights:

  • TCP traffic was dominant.
  • Primary communication occurred between IP addresses 192.168.0.95 and 10.10.94.106.

Identifying Malicious Traffic

A suspicious GET request was detected, fetching a partial script. Upon closer inspection, this script:

  • Downloaded a tool named process dump to capture the system’s memory.
  • Targeted files linked to KeePass password databases.
  • Initiated encrypted and encoded data exfiltration.

Investigating the Malicious PowerShell Script

The downloaded script performed the following malicious actions:

  • Memory Dump Creation:
    • Extracted memory from running processes.
    • Searched for KeePass-related files.
  • Data Encryption:
    • Applied XOR encryption with a hardcoded key.
    • Encoded data using Base64.
  • Data Exfiltration:
    • Split data into 1,224-byte chunks.
    • Transferred it to a Command & Control (C2) server via ports 1337 (memory dump) and 1338 (KeePass database).

Reconstructing the Data with Python

To retrieve the stolen data:

  1. Extract Packets: Used tshark to filter traffic based on destination IP and port.
  2. Reconstruct Data: Employed a Python script to decode and decrypt the exfiltrated information.
  3. Analyze Dump: Examined the memory dump for sensitive information.
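As an added example (not the challenge's own script), the decoding side of the pipeline described above in Python: it pulls the TCP payloads for one C2 port out of the PCAP with tshark, joins the 1,224-byte chunks in capture order, Base64-decodes the stream and XORs it with the hardcoded key. The key value, the sample bytes and the `tcp.payload` field extraction are assumptions; the real key is read from the captured PowerShell script.

```python
import base64
import subprocess

# Constructed placeholder: the challenge's hardcoded XOR key is not given on this page.
KEY = b"PLACEHOLDER_KEY"
CHUNK_SIZE = 1224  # chunk length the page says the script used


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_exfil(plaintext: bytes, key: bytes = KEY) -> list[bytes]:
    """Model the script's pipeline (XOR, then Base64, then 1,224-byte chunks)
    so the decoder can be validated against known input."""
    stream = base64.b64encode(xor_bytes(plaintext, key))
    return [stream[i:i + CHUNK_SIZE] for i in range(0, len(stream), CHUNK_SIZE)]


def decode_exfil(chunks: list[bytes], key: bytes = KEY) -> bytes:
    """Reverse the pipeline: join chunks in capture order, Base64-decode, XOR."""
    return xor_bytes(base64.b64decode(b"".join(chunks)), key)


def tshark_payloads(pcap: str, dst_ip: str, dst_port: int) -> list[bytes]:
    """Pull the TCP payloads sent toward one C2 port out of a PCAP with tshark.
    Needs tshark on PATH; retransmitted segments are dropped so a duplicated
    chunk does not corrupt the Base64 stream."""
    display_filter = (f"ip.dst == {dst_ip} && tcp.dstport == {dst_port} "
                      "&& tcp.len > 0 && !tcp.analysis.retransmission")
    out = subprocess.run(["tshark", "-r", pcap, "-Y", display_filter,
                          "-T", "fields", "-e", "tcp.payload"],
                         capture_output=True, text=True, check=True).stdout
    # tshark prints the payload as hex, colon-separated on older releases.
    return [bytes.fromhex(ln.replace(":", "")) for ln in out.splitlines() if ln.strip()]


def recover_file(pcap: str, dst_ip: str, dst_port: int, out_path: str) -> int:
    """Rebuild one exfiltrated file (port 1337: memory dump, 1338: KeePass DB)."""
    data = decode_exfil(tshark_payloads(pcap, dst_ip, dst_port))
    with open(out_path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Constructed sample blob round-tripped through the pipeline as a self-check.
    sample = b"KDBX constructed sample bytes " * 100
    print(decode_exfil(encode_exfil(sample)) == sample)
```

Running `recover_file("capture.pcap", "10.10.94.106", 1338, "keepass.kdbx")` against the real capture would write the reconstructed database once the correct key is substituted.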

Cracking the KeePass Password with Hashcat

The next phase involved recovering the KeePass master password:

  • Utilized KeePass Dump Master Key to extract password candidates.
  • Applied Hashcat in brute-force mode to determine the correct password.
  • Unlocked the database to reveal the final flag of the challenge.

Defensive Recommendations / SafeLine WAF

To prevent such attacks, organizations should implement:

  • Firewall Protection: Use tools like SafeLine Web Application Firewall to block malicious requests.
  • Network Monitoring: Regularly monitor traffic for unusual patterns.
  • Strong Access Controls: Employ robust authentication methods.
  • Data Encryption: Encrypt sensitive data both in transit and at rest.

What is SafeLine WAF?

SafeLine WAF (Web Application Firewall) is a security solution designed to protect web applications from various online threats, including SQL injection, cross-site scripting (XSS), and other web-based attacks. It serves as a protective barrier between the web application and external traffic, inspecting incoming requests and blocking malicious activities.

Key Features of SafeLine WAF:

Application Layer Protection (Layer 7)

Detects and mitigates attacks targeting web applications, including SQL injection, XSS, and remote file inclusion.

Real-Time Traffic Analysis

Monitors and analyzes web traffic in real-time to identify suspicious patterns and potential threats.

Zero-Day Exploit Protection

Uses a patented semantic analysis engine combined with machine learning to identify and block exploitation of zero-day vulnerabilities without predefined signatures.

Customizable Security Rules

Allows users to create custom rules to adapt to specific application needs or address unique security concerns.

DDoS Mitigation

Protects against HTTP flood DDoS attacks with features such as a waiting room and rate limiting.

How SafeLine WAF Works:

  1. Traffic Inspection: All incoming traffic passes through SafeLine WAF before reaching the web application.
  2. Semantic Analysis Detection: Detects threats with a robust Semantic Analysis Algorithm rather than traditional signature-based detection.
  3. Anomaly Detection: Uses behavioral analysis to identify traffic anomalies that could indicate new or evolving threats.
  4. Response and Reporting: Blocks malicious traffic and provides detailed logs for analysis and incident response.

TryHackMe Investigating Windows | Room Answers

What’s the initial part of the password?
NoWaYIcanF0rGetThis123

What’s the flag?

THM{B3tt3r_Upd4t3_Y0ur_K33p455}

Technical Insights

  • TCP Protocol → Primary communication method between attacker and victim.
  • Ports 1337 & 1338 → Used for exfiltrating memory dump and KeePass database.
  • XOR Encryption → Applied using hardcoded keys to obfuscate exfiltrated data.
  • Base64 Encoding → Used to convert binary data into a readable format for transmission.

Conclusion

This forensic investigation highlights the techniques attackers use to exfiltrate data and demonstrates the importance of thorough network monitoring. By understanding and practicing forensic analysis through challenges like TryHackMe, cybersecurity professionals can better prepare to defend against real-world network attacks.

Summary

🔍 Introduction to TryHackMe Challenge

  • The video explores a TryHackMe challenge focused on network forensics.
  • The goal is to investigate suspicious traffic using Wireshark and Python.

📥 Downloading and Analyzing Packet Captures

  • Task files contain packet captures that need forensic analysis.
  • Using Wireshark, statistics and conversations tabs help identify traffic patterns.

🔗 Identifying Suspicious Traffic

  • The investigation focuses on a GET request that downloads a partial script.
  • The script, upon execution, initiates data exfiltration from the system.

🕵️ Analyzing the Malicious Script

  • The script downloads process dump tools to extract memory dumps.
  • It searches for KeePass database files and attempts to dump them.

🔓 Extracting and Decrypting the Stolen Data

  • The script encrypts data using XOR encryption and encodes it in Base64.
  • It sends exfiltrated data to an attacker-controlled C2 server over port 1338.

🛠️ Reconstructing the Data for Investigation

  • Extracting packets using tshark to retrieve stolen data.
  • Decrypting memory dumps with Python scripts and reconstructing exfiltrated files.

🔑 Recovering the Password from the Memory Dump

  • Using tools like KeePass Dump Master Key and Hashcat for brute force.
  • The video explains how to extract and crack the missing character of the password.

🎯 Finding the Final Flag

  • The decrypted KeePass database is opened using the recovered password.
  • The flag is obtained, completing the forensic challenge.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
