THM - Advent of Cyber [Day 9]
Today’s task is all about packet analysis. Being able to diagnose network issues via packet analyzation is an invaluable skill for IT professionals. For attackers, if there is any data traveling over a network via insecure protocols (ie HHTP instead of HTTPS), that could be caught by a packet sniffer like Wireshark, and credentials could be leaked.
Wireshark
Wireshark uses Berkeley Packet Filter syntax to filter packets. Below are some examples of the filters we can use and what they do.
| Filter | Explanation |
|---|---|
| ip.addr == 10.10.10.10 | returns only packets from address 10.10.10.10 |
| http contains google.com | returns only http packets from google.com |
| tcp.port == 3389 | returns all tcp packets from port 3389 (which is RDPs port) |
| not [filter] | will negate the filter |
| http.request.method == GET | returns all http Get requests |
| udp.port == 53 or dns | returns all DNS packets |
| repsonse QUERY_ID A example.com | returns response to the DNS query. You can find the QUERY_ID by investigating the packet and finding the Transaction ID |
| tcp.port == 21 or ftp | returns all ftp packets. |
More Information
You can double click on any packet to get more information on a given packet. You can follow the http stream by right clicking the http request, selecting follow and then http steam. This can give a good look at what the user was doing and if there was an telnet session or ftp session it will list all the commands that they typed in plain text. There really isn’t much to this room, you can get the answers by typing in the right filter and looking around a little bit. Still good information and practice with an invaluable IT skill though.
