In this post we cover basic packet analysis with Wireshark, using display filters to work through a capture. It is part of TryHackMe Advent of Cyber 3, Day 9.
Packet analysis is the capture and inspection of network traffic passing through a computer's network interfaces. The tools that do it go by several names: packet sniffer, packet analyzer, protocol analyzer, or network analyzer. For anyone working in cybersecurity, packet analysis is a core skill for network troubleshooting and for understanding how communication protocols behave on the wire. A network analyzer such as Wireshark captures packets in real time and displays them in a human-readable format, and it supports both live capture and offline analysis of saved captures. This task walks through packet analysis in Wireshark using unencrypted protocols, HTTP, DNS and FTP, whose contents (including credentials) are readable directly from the capture.
Required Skills and Knowledge
We assume the reader has the basic theoretical and practical background needed for this task: networking fundamentals, the TCP/IP stack, the OSI model, and the TCP three-way handshake. This applies not only to packet analysis but to most other topics in cybersecurity.
Packet Analysis Tools
There are many tools for network traffic analysis and sniffing, and each captures or dissects traffic in its own way: some copy and capture traffic directly from an interface, others read and ingest existing captures through different interfaces. In this room we will use Wireshark. Keep in mind that live capture from a network interface normally requires administrator (root) privileges.
HTTP Shenanigans
My first stop is the HTTP traffic. I want to see which web pages were visited.
- GET requests: I start by filtering for HTTP GET requests. The request lines immediately show that a `/login` directory was accessed on the web server.
- POST requests: Next I switch the filter to HTTP POST requests, which carry submitted data such as login forms. In the second packet the form body holds exactly what I am looking for: the username `maxqd` and the password `christmas2021!`. Because the login went over plain HTTP, both are readable directly from the packet bytes. The same request's headers also carry the User-Agent string, which identifies the browser and operating system used.
DNS and FTP Clues
With the web traffic analyzed, I move on to the other protocols.
- DNS queries: I filter for DNS traffic. The challenge is to find a flag hidden in a TXT DNS query. To narrow it down, I filter on query type 16, which is the TXT record type, and there it is: the flag sits in plain sight in the TXT data of the matching packet.
- FTP login: Now for the FTP traffic. With the `ftp` filter applied, the login credentials are readable straight from the Info column, since FTP sends USER and PASS in clear text: username `tryhackftp` and password `tryhackm3`.
- FTP upload: Following the rest of the FTP conversation, I see the `STOR` command being used to upload a secret file.
- Secret file contents: To read that file I switch to the `ftp-data` filter, which shows the payload carried on the FTP data channel rather than the control commands. Right there is the final flag: the content of the secret file.
And that’s how I use Wireshark to follow the breadcrumbs and uncover all the secrets hidden in the network traffic!
Wireshark Filters
Here are the Wireshark display filters I used to solve this challenge (the field that holds the DNS question type is dns.qry.type):
http.request.method == "GET"
http.request.method == "POST"
dns
udp.port == 53
dns.qry.type == 16
ftp
ftp-data
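As an added example (not part of the room or of this write-up), the Python below re-implements what each of those filters actually tests, over a handful of Ethernet/IPv4 frames built inline with nothing but the standard library. The hosts, credentials and flag in the sample frames are made up for the example; the `ftp-data` equivalent assumes an active-mode data channel on tcp/20, whereas Wireshark derives the data port from the PORT/PASV exchange. Dissecting by hand shows why these protocols give up secrets so easily: the interesting fields are plain ASCII sitting in the TCP or UDP payload.

```python
"""Constructed re-implementation of the page's display filters over raw frames.
Ethernet -> IPv4 -> TCP/UDP is dissected with struct only; every frame in FRAMES is
built here for the example and is NOT from the TryHackMe capture."""
import struct

SRC, DST = bytes([10, 10, 10, 5]), bytes([10, 10, 10, 1])  # hypothetical hosts

def _ipv4(proto: int, payload: bytes) -> bytes:
    # ver/IHL, DSCP, total length, id, flags/frag, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, SRC, DST) + payload

def _tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # seq, ack, data offset 5 words (0x50), flags PSH|ACK, window, checksum (0), urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _eth(ip_packet: bytes) -> bytes:
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip_packet  # dst MAC, src MAC, EtherType IPv4

def _dns_query(name: str, qtype: int) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

FRAMES = [  # constructed sample traffic; credentials and flag are invented
    _eth(_ipv4(6, _tcp(51000, 80, b"GET /login HTTP/1.1\r\nHost: shop.test\r\n"
                                  b"User-Agent: ExampleUA/1.0\r\n\r\n"))),
    _eth(_ipv4(6, _tcp(51000, 80, b"POST /login HTTP/1.1\r\nHost: shop.test\r\n"
                                  b"User-Agent: ExampleUA/1.0\r\n"
                                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                                  b"Content-Length: 32\r\n\r\n"
                                  b"username=alice&password=n0t-r3al"))),
    _eth(_ipv4(17, _udp(40000, 53, _dns_query("www.shop.test", 1)))),    # A query
    _eth(_ipv4(17, _udp(40001, 53, _dns_query("flag.shop.test", 16)))),  # TXT query
    _eth(_ipv4(6, _tcp(51001, 21, b"USER bob\r\n"))),
    _eth(_ipv4(6, _tcp(51001, 21, b"PASS n0t-r3al-either\r\n"))),
    _eth(_ipv4(6, _tcp(51001, 21, b"STOR secret.txt\r\n"))),
    _eth(_ipv4(6, _tcp(51002, 20, b"THM{constructed_example_flag}\n"))),  # data channel
]

def decode(frame: bytes) -> dict:
    """Minimal dissector: transport, ports and L4 payload, or {} if not IPv4 TCP/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[14 + 9] not in (6, 17):
        return {}
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # respect the IP total length
    sport, dport = struct.unpack("!HH", l4[:4])
    hlen = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset vs fixed UDP header
    return {"proto": "tcp" if proto == 6 else "udp", "sport": sport, "dport": dport,
            "payload": l4[hlen:]}

def http_requests(frames, method: str) -> list:
    """http.request.method == "<method>": tcp/80 payloads whose request line starts with it."""
    hits = []
    for p in map(decode, frames):
        pl = p.get("payload", b"")
        if p.get("proto") == "tcp" and p["dport"] == 80 and pl.startswith(method.encode() + b" "):
            head, _, body = pl.partition(b"\r\n\r\n")
            lines = head.decode("ascii", "replace").split("\r\n")
            hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
            hits.append({"path": lines[0].split(" ")[1], "user_agent": hdrs.get("User-Agent"),
                         "form": dict(kv.split("=", 1) for kv in body.decode().split("&") if "=" in kv)})
    return hits

def dns_queries(frames, qtype: int) -> list:
    """dns.qry.type == <qtype>: QNAME of the first question when its QTYPE matches (16 = TXT).
    Only the question section is walked, so label compression pointers are not handled."""
    names = []
    for p in map(decode, frames):
        if p.get("proto") != "udp" or 53 not in (p["sport"], p["dport"]):
            continue
        d, pos, labels = p["payload"], 12, []
        if struct.unpack("!H", d[4:6])[0] == 0:  # QDCOUNT
            continue
        while d[pos]:
            labels.append(d[pos + 1:pos + 1 + d[pos]].decode("ascii", "replace"))
            pos += 1 + d[pos]
        if struct.unpack("!H", d[pos + 1:pos + 3])[0] == qtype:
            names.append(".".join(labels))
    return names

def ftp_commands(frames) -> list:
    """ftp: control-channel lines on tcp/21, i.e. what Wireshark's Info column shows."""
    return [line for p in map(decode, frames)
            if p.get("proto") == "tcp" and 21 in (p["sport"], p["dport"])
            for line in p["payload"].decode("ascii", "replace").splitlines()]

def ftp_credentials(frames) -> tuple:
    """USER and PASS travel in clear text, so the login is recoverable from the commands."""
    creds = {verb: arg for verb, _, arg in (c.partition(" ") for c in ftp_commands(frames))
             if verb in ("USER", "PASS")}
    return creds.get("USER"), creds.get("PASS")

def ftp_data(frames) -> bytes:
    """ftp-data: Wireshark learns the data port from PORT/PASV; this example assumes tcp/20."""
    return b"".join(p["payload"] for p in map(decode, frames)
                    if p.get("proto") == "tcp" and 20 in (p["sport"], p["dport"]))
```

Run `http_requests(FRAMES, "POST")`, `dns_queries(FRAMES, 16)`, `ftp_credentials(FRAMES)` and `ftp_data(FRAMES)` to reproduce the four steps of the walkthrough on the constructed frames. The dissector deliberately stops at what the filters need; on a real capture, TCP reassembly and the PORT/PASV tracking that Wireshark does for `ftp-data` are what make the same filters work across segmented or passive-mode transfers.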
TryHackMe Advent of Cyber Challenge Answers
In the HTTP #1 – GET requests section, which directory is found on the web server?
login
What is the username and password used in the login page in the HTTP #2 – POST section?
maxqd:christmas2021!
What is the User-Agent’s name that has been sent in HTTP #2 – POST section?
In the DNS section, there is a TXT DNS query. What is the flag in the message of that DNS query?
THM{dd63a80bf9fdd21aabbf70af7438c257}
Video Walk-Through