Advent of Cyber 2022 [Day 13]-Packet Analysis | Simply having a wonderful pcap time — Simple Write up

Advent of Cyber 2022 [Day 13] Packet Analysis | Simply having a wonderful pcap time | Task 18 Answers Write-up and Walkthrough By Karthikeyan Nagaraj

Karthikeyan Nagaraj
InfoSec Write-ups


Why Does Packet Analysis Still Matter?

  • Network traffic is a pure and rich data source: a Packet Capture (PCAP) of network events records the raw exchanges themselves, which makes it a rich source for analysis.
  • Capturing live data can be focused on traffic flow, which only provides statistics on the network traffic. On the other hand, identifying and investigating network patterns in-depth is done at the packet level.
  • Consequently, threat detection and real-time performance troubleshooting cannot be done without packet analysis.

Tools and websites used for this task:

  1. Wireshark — for packet capture and analysis
  2. CyberChef (online version) — for defanging domains and IP addresses
  3. VirusTotal.com — to look up the file hash

Start your machine and connect to it.

Task 18 [Day 13] Packet Analysis | Simply having a wonderful pcap time

1. What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?

View the “Protocol Hierarchy” menu.

Drag and drop the pcap file into Wireshark and navigate to Statistics → Protocol Hierarchy.

Check the Percent Packets value for HTTP.
Ans: 0.3

2. Which port number has received more than 1000 packets?

As we know, TCP is the protocol that received more than 1000 packets, so we look at the TCP conversations.

View the “Conversations”

Navigate to Statistics → Conversations and Choose TCP

Ans: 3389

3. What is the service name of the used protocol that received more than 1000 packets?

Ans: RDP

4. What are the domain names?
Enter the domains in alphabetical order and defanged format. (format: domain[.]zzz,domain[.]zzz)

Filter the DNS packets.

Apply the dns filter and note the queried name in each DNS packet; repeat for the remaining DNS packets until every domain has been collected.

The defanged domains below were produced with CyberChef.

Ans: bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

5. What are the names of the requested files?
Enter the names in alphabetical order and in defanged format. (format: file.xyz,file.xyz)

Filter the HTTP packets.

Apply the http filter

Filenames in alphabetical order and defanged format (via CyberChef):

Ans: favicon[.]ico,mysterygift[.]exe

6. Which IP address downloaded the executable file?
Enter your answer in defanged format.

The source address of the GET request is the host that downloaded the file in this case.

The IP address below is in defanged format.

Ans: 10[.]10[.]29[.]186

7. Which domain address hosts the malicious file?
Enter your answer in defanged format.

Right-click on the packet containing the GET request for mysterygift.exe and choose Follow → HTTP Stream; the Host header shows the serving domain.

Ans: cdn[.]bandityeti[.]thm

8. What is the “user-agent” value used to download the non-executable file?

Right-click on the packet requesting the non-executable file and follow its HTTP stream; the User-Agent header is in the request.

Ans: Nim httpclient/1.6.8

9. What is the sha256 hash value of the executable file?

Export objects from the PCAP file.
Calculate the file hashes.

Click File → Export Objects → HTTP and save the file as it is.

Now open a terminal and run the command below (navigate to the directory containing the file if needed):

sha256sum mysterygift.exe
Ans: 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

10. What are the connected IP addresses?
Enter the IP addressed defanged and in numerical order. (format: IPADDR,IPADDR)

Search the hash value of the executable file on Virustotal.
Navigate to the “Behaviour” section.
There are multiple IP addresses associated with this file.

Open the VirusTotal website and search for the hash.

Click the Behaviour tab and scroll down to find the contacted IP addresses.

Enter the IPs defanged, in order and without spaces; 8.8.8.8 (Google’s DNS server) is not needed.

The challenge has been updated, so one more IP was added to the answer.

Ans: 20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76
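The bookkeeping behind questions 4, 5, 9 and 10 (defanging, ordering and hashing) as an added Python example that is not part of the original write-up; the DNS names, request URIs and VirusTotal IP list are constructed from the values reported above, and the hash check uses a known test vector rather than the challenge binary.

```python
import hashlib
import ipaddress
from typing import Iterable

# CLI equivalents of the Wireshark filters used above (tshark ships with Wireshark):
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
#   tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri
# The lists below are constructed from the values reported in the write-up.
DNS_QUERIES = ["cdn.bandityeti.thm", "bestfestivalcompany.thm", "cdn.bandityeti.thm"]
HTTP_URIS = ["/favicon.ico", "/mysterygift.exe"]
VT_CONTACTED_IPS = ["23.216.147.76", "8.8.8.8", "20.99.184.37", "23.216.147.64", "20.99.133.109"]


def defang(value: str) -> str:
    """Replace each '.' with '[.]' (CyberChef 'Defang' style) so the value is not clickable."""
    return value.replace(".", "[.]")


def answer_domains(names: Iterable[str]) -> str:
    """Unique domains, alphabetical, defanged, comma-joined with no spaces."""
    return ",".join(defang(n) for n in sorted(set(names)))


def answer_files(uris: Iterable[str]) -> str:
    """Take the last path segment of each request URI (query string dropped)
    and format it the same way as answer_domains()."""
    names = {uri.split("?", 1)[0].rsplit("/", 1)[-1] for uri in uris}
    return ",".join(defang(n) for n in sorted(names))


def answer_ips(ips: Iterable[str], exclude: Iterable[str] = ("8.8.8.8",)) -> str:
    """'Numerical order' means octet by octet: compare IPv4Address objects, not
    strings, otherwise 10.0.0.10 would sort before 10.0.0.9. Addresses listed
    in `exclude` (the Google resolver by default) are dropped."""
    skip = set(exclude)
    unique = {ipaddress.IPv4Address(ip) for ip in ips if ip not in skip}
    return ",".join(defang(str(ip)) for ip in sorted(unique))


def sha256_of(data: bytes) -> str:
    """The same digest `sha256sum` prints for a file's contents."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("Q4 ", answer_domains(DNS_QUERIES))
    print("Q5 ", answer_files(HTTP_URIS))
    print("Q10", answer_ips(VT_CONTACTED_IPS))
    # Empty-input digest as a sanity check; hash the exported object for the real answer.
    print("Q9 ", sha256_of(b""))
```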

Thank you for Reading!!

Happy Hacking ~

Author : Karthikeyan Nagaraj ~ Cyberw1ng
