In this post, we solve the TryHackMe room TShark Challenge I: Teamwork.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Case Brief as Put in TryHackMe

An alert has been triggered: “The threat research team discovered a suspicious domain that could be a potential threat to the organisation.”

The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.

Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.

What is Tshark?

TShark is an open-source command-line network traffic analyser created by the Wireshark developers, and it has most of the features of Wireshark. It is commonly used as the command-line version of Wireshark, but it can also capture traffic like tcpdump; because it combines live capture with Wireshark's protocol dissectors, it is well suited to comprehensive packet assessments.

TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come from the nature of CLI tools: the produced/processed data can be piped to additional tools (grep, awk, sort and so on).

Extracting Statistics with Tshark

The protocol hierarchy shows the protocols present in the capture, with the number of frames and bytes carried by each, as a tree. Because it summarises the whole capture, it helps analysts decide where to focus for an event of interest. Use the -z io,phs -q parameters to view the protocol hierarchy (-q suppresses the per-packet output so only the statistics are printed).

tshark -r demo.pcapng -z io,phs -q

After viewing the entire packet tree, you can focus on a specific protocol as shown below. The third argument to io,phs is a display filter; adding udp restricts the tree to UDP traffic.

tshark -r demo.pcapng -z io,phs,udp -q

The packet lengths tree view shows the distribution of packets by size, so unusually large or small packets stand out at a glance. Use the -z plen,tree -q parameters to view the packet lengths tree.

tshark -r demo.pcapng -z plen,tree -q

Exporting Objects & Extracting Credentials with Tshark

The --export-objects option extracts files transferred over DICOM, HTTP, IMF, SMB and TFTP. It takes the protocol and a destination directory, separated by a comma, as shown in the command below.

tshark -r demo.pcapng --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q

The credentials statistic collects cleartext credentials from the protocols TShark can decode for this purpose (for example FTP, HTTP Basic authentication and IMAP) and prints a table of what it finds together with the packet numbers the credentials appear in. Use the parameters below to find them.

tshark -r credentials.pcap -z credentials -q

Display Filters vs Capture Filters

There are two dimensions of packet filtering in TShark: live (capture) filtering and post-capture (display) filtering, and each uses its own syntax. Capture filters use Berkeley Packet Filter (BPF) syntax, the same as tcpdump, and are applied during a live capture with -f. Display filters use Wireshark's display-filter syntax and are applied to captured or read packets with -Y. Because TShark is the command-line version of Wireshark, you can use the same Wireshark display filters you already know, but you need to remember which of the two syntaxes each option expects.

TryHackMe Room answers | TShark Challenge I: Teamwork

Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.

What is the full URL of the malicious/suspicious domain address?

Enter your answer in defanged format.

hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/

When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?

2017-04-17 22:52:53 UTC

Which known service was the domain trying to impersonate?

PayPal

What is the IP address of the malicious domain?

Enter your answer in defanged format.

184[.]154[.]127[.]226

What is the email address that was used?

Enter your answer in defanged format. (format: aaa[at]bbb[.]ccc)

johnny5alive[at]gmail[.]com
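As an added example that is not part of the TryHackMe room or this post's own material, the shell functions below show how the artefacts asked for above (contacted domains, the impersonating host and URL, the IP it was contacted on, the sender address) can be pulled out of tshark field output and defanged for a report. The tshark producer commands appear in comments; because the pcap is not included here, their output is replaced by constructed sample data that reuses the hostname and e-mail address from the answers above, while the IP addresses are RFC 5737 documentation placeholders rather than the address in the capture. The brand-impersonation check treats the last two labels as the registrable domain, an assumption that would need a public-suffix list for domains such as co.uk.

```bash
#!/usr/bin/env bash
# Added example: not from the TryHackMe room or the post's author.
#
# Producer commands you would run against the capture (not executed here):
#   tshark -r teamwork.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name
#   tshark -r teamwork.pcap -Y 'http.request' -T fields -e ip.dst -e http.host -e http.request.uri
#   tshark -r teamwork.pcap -Y 'smtp.req.command == "MAIL"' -T fields -e smtp.req.parameter
# Their output is stood in for by the CONSTRUCTED samples below so this runs offline.

# Constructed stand-in for the dns.qry.name output (one queried name per line, with repeats).
DNS_SAMPLE='www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
ocsp.digicert.com
www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
ocsp.digicert.com
time.windows.com'

# Constructed stand-in for the HTTP output: ip.dst<TAB>http.host<TAB>http.request.uri.
# 198.51.100.7 and 203.0.113.9 are RFC 5737 placeholders, NOT the address from the pcap.
HTTP_SAMPLE=$(printf '%s\t%s\t%s\n' \
  198.51.100.7 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com / \
  198.51.100.7 www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com /login.php \
  203.0.113.9  ocsp.digicert.com /)

# Constructed stand-in for the smtp.req.parameter output of a MAIL command.
SMTP_SAMPLE='FROM:<johnny5alive@gmail.com> SIZE=2048'

# Unique contacted domains: drop CRs and blank lines, then sort -u (stdin -> stdout).
contacted_domains() {
  tr -d '\r' | awk 'NF' | sort -u
}

# Flag names that contain a brand keyword ($1) but whose registrable domain
# (approximated as the last two labels) is not the brand's real domain ($2).
# Assumption: two-label suffix; co.uk-style suffixes need a public-suffix list.
flag_impersonation() {
  kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v kw="$kw" -v legit="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
      name = tolower($0)
      n = split(name, lab, ".")
      if (n < 2) next
      reg = lab[n-1] "." lab[n]
      if (index(name, kw) > 0 && reg != legit) print $0
    }'
}

# Rebuild the requested URLs from the HTTP field output.
http_urls() {
  awk -F'\t' 'NF >= 3 { print "http://" $2 $3 }' | sort -u
}

# Destination IP(s) on which a given host ($1) was contacted, from the HTTP field output.
host_to_ips() {
  awk -F'\t' -v h="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" 'tolower($2) == h { print $1 }' | sort -u
}

# Extract the address from an SMTP "MAIL FROM:<addr>" parameter.
mail_from_address() {
  sed -nE 's/^[Ff][Rr][Oo][Mm]:<([^>]+)>.*/\1/p'
}

# Defang a URL, hostname, IP or e-mail address for a report:
# http:// -> hxxp[://], @ -> [at], every dot -> [.]
defang() {
  printf '%s\n' "$1" | sed -E 's#^http(s?)://#hxxp\1[://]#; s/@/[at]/; s/\./[.]/g'
}

# Tie it together: report the impersonating host(s), their IPs and URLs, and the sender.
report() {
  printf '%s\n' "$DNS_SAMPLE" | contacted_domains | flag_impersonation "$1" "$2" |
  while IFS= read -r host; do
    printf 'suspicious host : %s\n' "$(defang "$host")"
    printf '%s\n' "$HTTP_SAMPLE" | host_to_ips "$host" | while IFS= read -r ip; do
      printf 'contacted at    : %s\n' "$(defang "$ip")"
    done
    printf '%s\n' "$HTTP_SAMPLE" | http_urls | grep -F "$host" | while IFS= read -r url; do
      printf 'url             : %s\n' "$(defang "$url")"
    done
  done
  printf 'mail from       : %s\n' "$(defang "$(printf '%s\n' "$SMTP_SAMPLE" | mail_from_address)")"
}

report paypal paypal.com
```

To use this against the real capture, replace the three constructed samples with the output of the tshark commands in the comments (for example DNS_SAMPLE=$(tshark -r teamwork.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name)); the processing functions stay the same. The impersonation check is deliberately loose: it catches a brand name anywhere in the hostname, which is exactly the trick the timeseaways.com host uses, and it can be run once per brand you care about.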

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.