I recently started my journey in the cybersecurity world, aiming to build a career in this field. After completing Google's Cybersecurity course on Coursera, I embarked on the Blue Team Junior Analyst Pathway Bundle by Security Blue Team (SBT). This article is part of a series detailing my solutions to various activities covered on the platform. Please note that the Blue Team Junior Analyst Pathway Bundle is entirely self-paced and free.
In this instalment, I'll tackle the first activity, which involves analyzing network traffic with Wireshark.
Table of Contents
- Setup
- Challenge Questions
- Key Concepts
-
Solutions
- Which protocol was used over port 3942?
- What is the IP address of the host that was pinged twice?
- How many DNS query response packets were captured?
- What is the IP address of the host which sent the most number of bytes?
- What is the WebAdmin password?
- What is the version number of the attacker’s FTP server?
- Which port was used to gain access to the victim Windows host?
- What is the name of a confidential file on the Windows host?
- What is the name of the log file that was created at 4:51 AM on the Windows host?
- Conclusion
Setup
If you're using Ubuntu like me, here's a guide on downloading Wireshark on your system. For other platforms, you can find installation instructions here.
Challenge Questions
The activity consists of analyzing two PCAP files and answering the following questions:
PCAP 1
- Which protocol was used over port 3942?
- What is the IP address of the host that was pinged twice?
- How many DNS query response packets were captured?
- What is the IP address of the host which sent the most number of bytes?
PCAP 2
- What is the WebAdmin password?
- What is the version number of the attacker's FTP server?
- Which port was used to gain access to the victim Windows host?
- What is the name of a confidential file on the Windows host?
- What is the name of the log file that was created at 4:51 AM on the Windows host?
Key Concepts
Before we dive into the solutions, let's briefly explain some key networking concepts that will be encountered in this challenge:
- Simple Service Discovery Protocol (SSDP) - This is a network protocol that allows network devices to advertise their services to others on the network. It's commonly used in home networks for devices like printers or media servers to make themselves discoverable.
- Internet Control Message Protocol (ICMP) - This is a network layer protocol used by network devices to diagnose network communication issues. The most common example is the "ping" command, which uses ICMP echo request and reply messages.
- Domain Name System (DNS) - Often called the "phonebook of the Internet," DNS translates human-readable domain names (like www.example.com) into IP addresses that computers use to identify each other on the network.
- Hypertext Transfer Protocol (HTTP) - The foundation of data communication on the World Wide Web. It defines how messages are formatted and transmitted between web browsers and servers.
- File Transfer Protocol (FTP) - A standard network protocol used for transferring files between a client and server on a computer network.
Now, let's proceed with the solutions.
Solutions
Which protocol was used over port 3942?
To find the protocol used over port 3942, we use the filter:
tcp.port == 3942 or udp.port == 3942
This filter shows all TCP or UDP traffic using port 3942. In the protocol column for the filtered packets, we see SSDP, which stands for Simple Service Discovery Protocol.
Therefore, the answer to the first question is SSDP.
What is the IP address of the host that was pinged twice?
To find the IP address of the host that was pinged twice, we apply the display filter:
icmp.type == 8
This filter shows ICMP echo request packets (pings). We look for the destination IP address that appears twice, which is 8.8.4.4. Note that 192.168.1.7 is a private IP address, while 8.8.4.4 is a public IP address.
The answer is 8.8.4.4.
How many DNS query response packets were captured?
To count DNS query response packets, we apply the display filter:
dns.flags.response == 1
This filter shows all DNS response packets. The number of packets can be found at the bottom right of the Wireshark window, which shows 90.
Therefore, the answer is 90
What is the IP address of the host which sent the most number of bytes?
To find the IP address of the host which sent the most bytes:
- Go to Statistics > Endpoints
- In the IPv4 tab, sort by the Tx Bytes column (click on the column header)
The IP address at the top of the list is 192.168.1.7, but the answer recognized by Security Blue Team is 115.178.9.18. This discrepancy might be due to an outdated answer key or a difference in interpretation.
What is the WebAdmin password?
To find the WebAdmin password:
- Apply the filter http to show all HTTP traffic
- Find the response to the GET request (frame 4121), which is frame 4123
- Right-click on frame 4123 and select "Follow > HTTP Stream"
The password is visible in the stream: sbt123
What is the version number of the attacker’s FTP server?
To find the version number of the attacker's FTP server, check the first frame (4243). In the info column, the response is:
pyftpdlib 1.5.5 ready
This indicates that the version number is 1.5.5.
Which port was used to gain access to the victim Windows host?
To find the port used to access the victim's Windows host, use the filter:
ip.src == 192.168.56.1 and ip.dst == 192.168.56.103 and tcp.flags.ack == 1
This filter shows all packets from the attacker to the victim with an ACK flag set.
The port used is 8081.
What is the name of a confidential file on the Windows host?
To find the name of the confidential file:
- Right-click on the first frame (4130) from the previous step
- Select "Follow > TCP Stream"
The confidential file name is visible in the stream as Employee_Information_CONFIDENTIAL.txt
What is the name of the log file that was created at 4:51 AM on the Windows host?
In the same TCP stream as the previous question, you can find the log file created at 4:51 AM.
The answer is LogFile.log
Conclusion
This Wireshark challenge activity provides an excellent opportunity to practice network traffic analysis skills. By working through these questions, you'll gain hands-on experience with filtering packets, analyzing protocols, and extracting valuable information from network captures.
Top comments (0)