In this post, we solve the TryHackMe room named TShark Challenge I: Teamwork.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Case Brief as Put in TryHackMe

An alert has been triggered: “The threat research team discovered a suspicious domain that could be a potential threat to the organisation.”
The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.
Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is TShark?
TShark is an open-source command-line network traffic analyser. It is created by the Wireshark developers and has most of the features of Wireshark. It is commonly used as a command-line version of Wireshark, but it can also be used like tcpdump, which makes it well suited to comprehensive packet assessments.
TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come from the nature of CLI tools: the produced/processed data can be piped into additional tools.
Extracting Statistics with Tshark
Protocol hierarchy helps analysts see the protocols used, frame numbers, and packet sizes in a tree view based on packet numbers. As it provides a summary of the capture, it can help analysts decide the focus point for an event of interest. Use the -z io,phs -q parameters to view the protocol hierarchy.
tshark -r demo.pcapng -z io,phs -q
After viewing the entire packet tree, you can focus on a specific protocol as shown below. Add the udp keyword to the filter to focus on the UDP protocol.
tshark -r demo.pcapng -z io,phs,udp -q
The packet lengths tree view gives analysts an overview of the general distribution of packets by size. It lets analysts spot anomalously large and small packets at a glance. Use the -z plen,tree -q parameters to view the packet lengths tree.
tshark -r demo.pcapng -z plen,tree -q
Exporting Objects & Extracting Credentials with Tshark
The --export-objects option helps analysts extract files carried over DICOM, HTTP, IMF, SMB and TFTP. The query structure is shown in the command below.
tshark -r demo.pcapng --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q
You can filter the packets and find cleartext credentials using the parameters below.
tshark -r credentials.pcap -z credentials -q
Display Filters vs Capture Filters
There are two dimensions of packet filtering in TShark: live (capture) filtering and post-capture (display) filtering. They use two different syntaxes: Wireshark's predefined display filter syntax and Berkeley Packet Filter (BPF) syntax. TShark supports both, so you can use Wireshark display filters and BPF to filter traffic. As mentioned earlier, TShark is a command-line version of Wireshark, so we need to use different filters for capturing packets and for filtering captured packets.
TryHackMe Room answers | TShark Challenge I: Teamwork
Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is the full URL of the malicious/suspicious domain address?
Enter your answer in defanged format.
hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/
When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?
2017-04-17 22:52:53 UTC
Which known service was the domain trying to impersonate?
PayPal
What is the IP address of the malicious domain?
Enter your answer in defanged format.
184[.]154[.]127[.]226
What is the email address that was used?
Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)
johnny5alive[at]gmail[.]com
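To turn the contacted domains into the defanged detection artefacts the case asks for, the HTTP hosts can be pulled out of the capture with tshark -T fields and post-processed. The script below is an added example written for this walkthrough, not part of the room or of TShark itself; the sample field output is constructed (the hypothetical frame numbers and the 203.0.113.10 address are placeholders), with the malicious host and IP being the ones reported in the answers above.

```python
from collections import OrderedDict

# Constructed sample of the output of:
#   tshark -r teamwork.pcap -Y http.request -T fields \
#     -e frame.number -e ip.dst -e http.host -e http.request.uri
# These lines are hypothetical, not taken from the room's pcap.
SAMPLE_FIELDS = """\
12\t184.154.127.226\twww.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t/
15\t184.154.127.226\twww.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t/login.php
31\t203.0.113.10\tupdates.example.net\t/index.html
"""


def parse_tshark_fields(text):
    """Parse tab-separated `tshark -T fields` output into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, dst, host, uri = line.split("\t")
        rows.append({"frame": int(frame), "ip.dst": dst, "host": host, "uri": uri})
    return rows


def contacted_hosts(rows):
    """Map each unique HTTP host to the first destination IP it resolved to."""
    hosts = OrderedDict()
    for r in rows:
        hosts.setdefault(r["host"], r["ip.dst"])
    return hosts


def defang_ip(ip):
    return ip.replace(".", "[.]")


def defang_url(host, uri="/", scheme="http"):
    # http -> hxxp, https -> hxxps; dots in the host are bracketed
    return f"{scheme.replace('http', 'hxxp')}[://]{host.replace('.', '[.]')}{uri}"


def defang_email(addr):
    local, domain = addr.split("@", 1)
    return f"{local}[at]{domain.replace('.', '[.]')}"


def build_artefacts(text):
    """One defanged record per contacted host, ready for a detection feed."""
    hosts = contacted_hosts(parse_tshark_fields(text))
    return [{"host": h, "ip": defang_ip(ip), "url": defang_url(h)} for h, ip in hosts.items()]
```

The de-duplicated host list is what you would submit to VirusTotal, one lookup per host rather than per request.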