For this task we are given a pcap file and will need to analyze it in Wireshark. Wireshark is a very powerful tool, capable of reading network captures as well as capturing network traffic. This is great for learning about the machines on a network and possibly capturing some juicy data. Defenders use it a lot to see what strange things are going on in the network, to try and stop security incidents before the attacker steals important data or causes other damage.
Let’s open up Wireshark and then open pcap1.pcap. We can see a lot of traffic and it can be overwhelming, but let’s focus on the questions we need to answer.
So first we need to know who initiated the ICMP/Ping packets. We can see that under source it was 10.11.3.2, the answer to our 1st question.
Since we only want to see HTTP GET requests for the next question, the filter will be http.request.method == GET. This filter is the answer to our 2nd question. Let’s apply that filter to our pcap and see what we can see. We need to know the article that the IP address 10.10.67.199 visited. We can see below that it is reindeer-of-the-week, the answer to our 3rd question.
Now we need to switch to the pcap2 file and add a filter to view the FTP traffic. We can do this using tcp.port == 21, because we know that ftp runs on port 21.
Now we need to find the password used to log in. Lucky for us, FTP transmits everything, credentials included, in cleartext, so we can recover the password straight from the pcap file; that is the answer to the 4th question.
Now clear out the filter and look for Encrypted packet in the info section. We find it is coming from the SSHv2 protocol, but for the answer we can be generic with ssh.
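To make the contrast between cleartext and encrypted protocols concrete, here is an added example (my own code, not part of the original task) that re-implements the two filters used above, HTTP GET request lines and FTP USER/PASS commands, as a small libpcap parser in plain Python. It runs over a constructed capture, not the challenge pcaps; the addresses, ports and payloads are made up, and the SSH record is there only to show that neither filter matches it.

```python
import struct

def tcp_frame(src, dst, sport, dport, payload):
    # Constructed Ethernet/IPv4/TCP frame; checksums stay zero, which is fine for offline parsing
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    # Classic libpcap layout: 24-byte global header, then a 16-byte record header before each frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

def tcp_payloads(pcap):
    """Yield (src, dst, dport, payload) for every IPv4/TCP record in a libpcap file."""
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep only IPv4 over Ethernet carrying TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), dport, payload

def find_cleartext(pcap):
    """The two Wireshark filters from the walkthrough, as code: HTTP GET lines and FTP USER/PASS."""
    gets, ftp = [], []
    for src, dst, dport, payload in tcp_payloads(pcap):
        if dport == 80 and payload.startswith(b"GET "):
            gets.append((src, dst, payload.split(b"\r\n")[0].decode()))
        elif dport == 21 and payload[:5] in (b"USER ", b"PASS "):
            ftp.append((src, dst, payload.rstrip(b"\r\n").decode()))
    return gets, ftp

# Constructed sample capture (not the challenge pcap): one HTTP GET, one FTP login, one SSH record
SAMPLE = build_pcap([
    tcp_frame("10.10.67.199", "10.10.1.5", 40000, 80, b"GET /articles/example HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    tcp_frame("10.10.67.199", "10.10.1.9", 40001, 21, b"USER elf\r\n"),
    tcp_frame("10.10.67.199", "10.10.1.9", 40001, 21, b"PASS example-password\r\n"),
    tcp_frame("10.10.67.199", "10.10.1.9", 40002, 22, b"SSH-2.0-example\r\n" + bytes(range(32))),
])
```

Calling find_cleartext(SAMPLE) returns the GET line and both FTP commands with their source and destination addresses, while the SSH record contributes nothing, which is exactly why the FTP password was recoverable and the SSH session was not.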
Finally open pcap3.pcap and let’s save Christmas!
We are looking for Elf McSkidy’s wishlist.
Scrolling through I noticed that there was a christmas.zip file in an HTTP GET request, so maybe we can export that out of Wireshark. Being able to export objects out of pcap files is a really useful feature. It is really cool to use when you are analyzing pcap files that contain malicious traffic. Sometimes you can export pictures that let you get a look at what websites and images the malware visited.
Click File > Export Objects > HTTP.
We are able to export the Christmas.zip file, and when we unzip it we find elf_mcskidy_wishlist.txt. We can see Elf McSkidy wants a rubber ducky to replace Elf McEager.
Thanks for joining me on the road of analyzing pcap files. These files can be used to detect attacks against a network, or to watch what malware does once it lands on a machine.