Advent Of Cyber 2022 | Day 13 | TryHackMe

Welcome back to yet another blog, guys. Can you believe we are already on Day 13? The tasks they are uploading each day are amazing; thanks to TryHackMe from my side. Let's move on to today's task without any further delay.

Simply having a wonderful pcap time

This room focuses on packet analysis. First of all, you must be wondering: what is a packet? Packets are the most basic unit of data transferred over a network. When a message is sent from one host to another, it is transmitted in small chunks, each called a packet.

Now, what is packet analysis? It is the process of extracting, assessing and identifying network patterns such as connections, shares, commands and other network activities, like logins and system failures, from prerecorded traffic files.

The tool we are going to use is Wireshark. Wireshark is an industry-standard tool for network protocol analysis and is essential in any traffic and packet investigation. You can view, save and break down network traffic with it.

Now, let's move on to today's task. I will give all the remaining details within the questions themselves.

Question1

Open your AttackBox and start Wireshark.

You will see an interface like this.

Can you see the Statistics tab in Wireshark?

Click on Statistics and then click on Protocol Hierarchy.

Look at the Percent Packets column for HTTP.

Got the answer?

Question2

For this, again go to the Statistics tab and click on Conversations.

Now go to the TCP tab.

You can see that port 3389 has received more than 1000 packets.

Question3

To identify the service, search for this port number on the internet.

It's RDP.

Question4

Type dns into the display filter.

Right-click on a packet, choose Follow, and then click UDP Stream.

Copy this domain and paste it into CyberChef. Remember this tool? We used it in previous tasks too. In the same way, copy the other domain as well.

These are the two domains we got from the dns filter. Search for the Defang URL operation and see the output.

Question5

Just like the previous question, filter on http.

Right-click on a packet, choose Follow, and then click TCP Stream.

Copy the requested file name and paste it into CyberChef. In the same way, copy the other requested file name and paste it into CyberChef too.

Question6

They are asking about the .exe file, and the only .exe file is mysterygift.exe.

Copy the IP address and paste it into CyberChef. Search for the Defang IP Address operation and see the result.

Question7

Let's follow the same steps: right-click on a packet, choose Follow, and then click TCP Stream.

As you can see, the host is cdn.bandityeti.thm. Paste it into CyberChef and you have your answer.

Question8

"Non-executable file" means they are talking about favicon.io. Follow the same steps again.

You can see your answer in the User-Agent header.

Question9

For this, click on the File menu, then Export Objects, and then HTTP. Save the file to a location of your choice.

I saved the file in the evidence folder.

Now run the command sha256sum 'your location/mysterygift.exe', replacing the path with wherever you saved the file.

I hope you got your answer.

Question10

Copy this hash value and paste it into VirusTotal.

Under the Relations tab, you can see three IP addresses.

Paste all three IP addresses into CyberChef, defang them as before, and you have the answer.
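Questions 4, 6, 7, 9 and 10 all come down to the same two chores: defanging the domains, URLs and IPs you pull out of the pcap so they can go into a write-up without being clickable, and hashing the exported file the way sha256sum does. The script below is an added example of doing both in Python; it is not part of the TryHackMe room or this blog. It assumes CyberChef-style defaults (dots to [.], http to hxxp, :// to [://]), and every indicator in it except cdn.bandityeti.thm and mysterygift.exe is constructed.

```python
import hashlib
import ipaddress
import re

# Defanging rules assumed to match CyberChef's "Defang URL" and
# "Defang IP Address" operations with default options (assumption).
def defang_url(value: str) -> str:
    """Defang a URL or bare hostname so it cannot be clicked by accident."""
    value = re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE)
    value = value.replace("://", "[://]")
    return value.replace(".", "[.]")

def defang_ip(value: str) -> str:
    """Defang an IPv4/IPv6 address; raises ValueError for anything that is not an IP."""
    addr = ipaddress.ip_address(value)
    text = str(addr)
    return text.replace(".", "[.]") if addr.version == 4 else text.replace(":", "[:]")

def refang(value: str) -> str:
    """Undo the defang, so a report can be checked to round-trip cleanly."""
    return (value.replace("[://]", "://").replace("[.]", ".")
                 .replace("[:]", ":").replace("hxxp", "http"))

def sha256_hex(data: bytes) -> str:
    """The same digest that 'sha256sum <file>' prints, computed over bytes in memory."""
    return hashlib.sha256(data).hexdigest()

def build_report(domains, urls, ips, sample: bytes) -> dict:
    """Collect the defanged indicators plus the file hash, ready for a write-up."""
    return {
        "domains": [defang_url(d) for d in domains],
        "urls": [defang_url(u) for u in urls],
        "ips": [defang_ip(i) for i in ips],
        "sha256": sha256_hex(sample),
    }

if __name__ == "__main__":
    # Constructed sample indicators; the IPs and file bytes are placeholders,
    # not values taken from the room's pcap.
    report = build_report(
        domains=["cdn.bandityeti.thm"],
        urls=["http://cdn.bandityeti.thm/mysterygift.exe"],
        ips=["10.10.10.10", "2001:db8::1"],
        sample=b"constructed stand-in for the exported mysterygift.exe",
    )
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run the exported file through sha256_hex (or sha256sum) before uploading the hash to VirusTotal so you are searching on the digest of exactly the bytes you extracted.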

They recommend completing the Network Security and Traffic Analysis module.

Congratulations!! We completed this task. A new task will be added tomorrow. Until then, you can follow me here for upcoming blogs on Advent of Cyber 2022. At the end, you will get a certificate from TryHackMe for completing this challenge.

Keep learning and keep spreading knowledge.
