In this post, we solve the TryHackMe room TShark Challenge II: Directory.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Case Brief as Put in TryHackMe
An alert has been triggered: “A user came across a poor file index, and their curiosity led to problems”.
The case was assigned to you. Inspect the provided directory-curiosity.pcap located in ~/Desktop/exercise-files and retrieve the artefacts to confirm that this alert is a true positive.
Investigate the contacted domains.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is Tshark?
TShark is an open-source command-line network traffic analyser created by the Wireshark developers. It has most of Wireshark's features and is commonly used as the command-line version of Wireshark, but it can also capture live traffic like tcpdump, which makes it a good fit for comprehensive packet assessments.
TShark is a text-based tool, and it is suitable for data carving, in-depth packet analysis, and automation with scripts. This strength and flexibility come from the nature of CLI tools: the produced or processed data can be piped into additional tools.
Extracting Statistics with Tshark
The protocol hierarchy helps analysts see the protocols used, frame counts, and byte counts in a tree view. As it provides a summary of the capture, it can help analysts decide on the focus point for an event of interest. Use the -z io,phs -q parameters to view the protocol hierarchy.
tshark -r demo.pcapng -z io,phs -q
After viewing the entire packet tree, you can focus on a specific protocol as shown below. Add the udp keyword to the filter to focus on the UDP protocol.
tshark -r demo.pcapng -z io,phs,udp -q
The packet lengths tree view helps analysts overview the general distribution of packets by size. It allows analysts to detect anomalously big and small packets at a glance! Use the -z plen,tree -q parameters to view the packet lengths tree.
tshark -r demo.pcapng -z plen,tree -q
Exporting Objects & Extracting Credentials with Tshark
The --export-objects option extracts files carried over DICOM, HTTP, IMF, SMB and TFTP. The argument is the protocol name followed by the destination directory, separated by a comma, as in the command below.
tshark -r demo.pcapng --export-objects http,/home/ubuntu/Desktop/extracted-by-tshark -q
You can filter the packets and find the cleartext credentials using the parameters below.
tshark -r credentials.pcap -z credentials -q
Display Filters vs Capture Filters
There are two dimensions of packet filtering in TShark: live (capture) filtering and post-capture (display) filtering, and each uses its own syntax. Capture filters use Berkeley Packet Filter (BPF) syntax, the same as tcpdump, and are set with -f; display filters use Wireshark's display filter syntax and are set with -Y, which also applies when reading a saved file with -r. TShark supports both, so you can use Wireshark filters and BPF, but you need to pick the right syntax for the stage you are filtering at.
Room Answers | TryHackMe TShark Challenge II: Directory
Investigate the DNS queries.
Investigate the domains by using VirusTotal.
According to VirusTotal, there is a domain marked as malicious/suspicious.
What is the name of the malicious/suspicious domain?
Enter your answer in a defanged format.
jx2-bavuong[.]com
What is the total number of HTTP requests sent to the malicious domain?
14
What is the IP address associated with the malicious domain?
Enter your answer in a defanged format.
141[.]164[.]41[.]174
What is the server info of the suspicious domain?
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
Follow the “first TCP stream” in “ASCII”.
Investigate the output carefully.
What is the number of listed files?
3
What is the filename of the first file?
Enter your answer in a defanged format.
123[.]php
Export all HTTP traffic objects.
What is the name of the downloaded executable file?
Enter your answer in a defanged format.
vlauto[.]exe
What is the SHA256 value of the malicious file?
b4851333efaf399889456f78eac0fd532e9d8791b23a86a19402c1164aed20de
Search the SHA256 value of the file on VirusTotal.
What is the “PEiD packer” value?
.NET executable
Search the SHA256 value of the file on VirusTotal.
What does the “Lastline Sandbox” flag this as?
MALWARE TROJAN
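The questions above (requests to the domain, the IP it resolved to, the Server header, the listed files, the hash of the exported executable) are all answered by pulling fields out of the capture and then post-processing them. The script below is an added example, not code from the room or the original post: it assumes you have already run the tshark -T fields commands shown in its comments and pasted the tab-separated output into the three strings, and it then counts requests per host, maps DNS answers, picks out the Server banner, checks that an exported ".exe" really is a PE file, and defangs the indicators for the report. The sample lines are constructed to match tshark's output format; they are not the real contents of directory-curiosity.pcap (the request count, the second host and its banner are placeholders, and the real stream is best viewed with -z follow,tcp,ascii,0).

```python
"""Triage helpers for the HTTP/DNS questions in this walkthrough.

Added example: not code from the TryHackMe room or the original post.
The tab-separated samples below are CONSTRUCTED to match tshark's
-T fields format; they are not the real output from directory-curiosity.pcap.
"""
import hashlib
from collections import Counter

# Constructed sample of:
#   tshark -r directory-curiosity.pcap -Y "dns.flags.response == 1 && dns.a" \
#       -T fields -e dns.qry.name -e dns.a
# tshark joins several A records from one answer with commas.
DNS_ANSWERS = (
    "jx2-bavuong.com\t141.164.41.174\n"
    "cdn.example.net\t203.0.113.10,203.0.113.11\n"
)

# Constructed sample of:
#   tshark -r directory-curiosity.pcap -Y "http.request" \
#       -T fields -e ip.dst -e http.host -e http.request.method -e http.request.uri
HTTP_REQUESTS = (
    "141.164.41.174\tjx2-bavuong.com\tGET\t/\n"
    "141.164.41.174\tjx2-bavuong.com\tGET\t/123.php\n"
    "141.164.41.174\tjx2-bavuong.com\tGET\t/vlauto.exe\n"
    "203.0.113.10\tcdn.example.net\tGET\t/style.css\n"
)

# Constructed sample of:
#   tshark -r directory-curiosity.pcap -Y "http.response" \
#       -T fields -e ip.src -e http.server
HTTP_RESPONSES = (
    "141.164.41.174\tApache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9\n"
    "203.0.113.10\tnginx/1.18.0\n"
)


def parse_fields(text):
    """Split -T fields output into rows: one packet per line, one column per -e."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def dns_resolutions(text):
    """Map every queried name to the set of A records the capture answered with."""
    resolved = {}
    for name, addrs in parse_fields(text):
        resolved.setdefault(name, set()).update(a for a in addrs.split(",") if a)
    return resolved


def requests_per_host(text):
    """Count HTTP requests by Host header (how many requests went to the domain)."""
    return Counter(row[1] for row in parse_fields(text))


def requested_paths(text, host):
    """URIs requested from one host, in capture order (first listed file, downloads)."""
    return [row[3] for row in parse_fields(text) if row[1] == host]


def server_banner(text, ip):
    """First non-empty Server header a source IP sent, or None if it never set one."""
    for src, server in parse_fields(text):
        if src == ip and server:
            return server
    return None


def defang(indicator):
    """Make a domain or IP unclickable for reports: a.b.c -> a[.]b[.]c."""
    return indicator.replace(".", "[.]")


def refang(indicator):
    """Inverse of defang, for feeding an indicator back into a display filter."""
    return indicator.replace("[.]", ".")


def looks_like_pe(data):
    """An exported '.exe' should start with the MZ DOS header; anything else is suspect."""
    return data[:2] == b"MZ"


def sha256_of(data):
    """Hash to search on VirusTotal: hash the exported object, not the pcap."""
    return hashlib.sha256(data).hexdigest()


def triage(host_defanged):
    """Collect the indicators for one suspicious host from the three exports."""
    host = refang(host_defanged)
    ips = sorted(dns_resolutions(DNS_ANSWERS).get(host, set()))
    banners = (server_banner(HTTP_RESPONSES, ip) for ip in ips)
    return {
        "domain": defang(host),
        "ips": [defang(ip) for ip in ips],
        "http_requests": requests_per_host(HTTP_REQUESTS)[host],
        "paths": requested_paths(HTTP_REQUESTS, host),
        "server": next((b for b in banners if b), None),
    }


if __name__ == "__main__":
    print(triage("jx2-bavuong[.]com"))
```

Feed each function the real tshark output from the capture and the returned numbers replace the placeholders; hashing the exported object with sha256_of (or sha256sum on disk) gives the value to search on VirusTotal, and looks_like_pe is a quick sanity check before you trust a file extension in a directory listing.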
Full Video Course