Walkthrough / Solution to SBT's Wireshark Challenge Activity

Emmanuel Kariithi - Oct 2 - Dev Community

I recently started my journey in the cybersecurity world, aiming to build a career in this field. After completing Google's Cybersecurity course on Coursera, I embarked on the Blue Team Junior Analyst Pathway Bundle by Security Blue Team (SBT). This article is part of a series detailing my solutions to various activities covered on the platform. Please note that the Blue Team Junior Analyst Pathway Bundle is entirely self-paced and free.

In this instalment, I'll tackle the first activity, which involves analyzing network traffic with Wireshark.

Setup

If you're using Ubuntu like me, here's a guide on downloading Wireshark on your system. For other platforms, you can find installation instructions here.

Challenge Questions

The activity consists of analyzing two PCAP files and answering the following questions:

PCAP 1

  1. Which protocol was used over port 3942?
  2. What is the IP address of the host that was pinged twice?
  3. How many DNS query response packets were captured?
  4. What is the IP address of the host which sent the most number of bytes?

PCAP 2

  1. What is the WebAdmin password?
  2. What is the version number of the attacker's FTP server?
  3. Which port was used to gain access to the victim Windows host?
  4. What is the name of a confidential file on the Windows host?
  5. What is the name of the log file that was created at 4:51 AM on the Windows host?

Key Concepts

Before we dive into the solutions, let's briefly explain some key networking concepts that will be encountered in this challenge:

  1. Simple Service Discovery Protocol (SSDP) - This is a network protocol that allows network devices to advertise their services to others on the network. It's commonly used in home networks for devices like printers or media servers to make themselves discoverable.
  2. Internet Control Message Protocol (ICMP) - This is a network layer protocol used by network devices to diagnose network communication issues. The most common example is the "ping" command, which uses ICMP echo request and reply messages.
  3. Domain Name System (DNS) - Often called the "phonebook of the Internet," DNS translates human-readable domain names (like www.example.com) into IP addresses that computers use to identify each other on the network.
  4. Hypertext Transfer Protocol (HTTP) - The foundation of data communication on the World Wide Web. It defines how messages are formatted and transmitted between web browsers and servers.
  5. File Transfer Protocol (FTP) - A standard network protocol used for transferring files between a client and server on a computer network.

Now, let's proceed with the solutions.

Solutions

Which protocol was used over port 3942?

To find the protocol used over port 3942, we use the filter:

tcp.port == 3942 or udp.port == 3942

This filter shows all TCP or UDP traffic using port 3942. In the protocol column for the filtered packets, we see SSDP, which stands for Simple Service Discovery Protocol.

Therefore, the answer to the first question is SSDP.

What is the IP address of the host that was pinged twice?

To find the IP address of the host that was pinged twice, we apply the display filter:

icmp.type == 8

This filter shows ICMP echo request packets (pings). We look for the destination IP address that appears twice, which is 8.8.4.4. Note that 192.168.1.7 is a private IP address, while 8.8.4.4 is a public IP address.

The answer is 8.8.4.4.

How many DNS query response packets were captured?

To count DNS query response packets, we apply the display filter:

dns.flags.response == 1

This filter shows all DNS response packets. The count of displayed packets is shown in the status bar at the bottom right of the Wireshark window, which reads 90.

Therefore, the answer is 90.

What is the IP address of the host which sent the most number of bytes?

To find the IP address of the host which sent the most bytes:

  1. Go to Statistics > Endpoints
  2. In the IPv4 tab, sort by the Tx Bytes column (click on the column header)

The IP address at the top of the list is 192.168.1.7, but the answer recognized by Security Blue Team is 115.178.9.18. This discrepancy might be due to an outdated answer key or a difference in interpretation.
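The three PCAP 1 checks above (echo requests per destination for icmp.type == 8, the dns.flags.response == 1 count, and the Endpoints Tx Bytes ranking) re-implemented as an added, stdlib-only Python example over constructed packets; this is not code from the original post or from SBT. It assumes raw IPv4 packets with no link-layer header, so the Tx byte totals are IP-layer bytes and will be slightly smaller than Wireshark's frame-level figures.

```python
import struct
from collections import Counter

def ipv4(src, dst, proto, payload):
    """Raw IPv4 header (no options, checksum left 0) followed by the payload."""
    ip = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip(src), ip(dst)) + payload

def icmp_echo(seq):
    # ICMP type 8 (echo request), code 0, checksum 0, id 1, sequence number, 32 bytes of data
    return struct.pack("!BBHHH", 8, 0, 0, 1, seq) + b"x" * 32

def dns_udp(sport, dport, response):
    # UDP header + 12-byte DNS header; flags 0x8180 = standard response, 0x0100 = query
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180 if response else 0x0100, 1, int(response), 0, 0)
    return struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns

def parse(pkt):
    """Return (protocol, src, dst, layer-4 payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda b: ".".join(map(str, b))
    return pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[ihl:]

def icmp_echo_requests_by_dst(packets):
    """Equivalent of `icmp.type == 8`: echo requests counted per destination address."""
    return Counter(dst for proto, _, dst, l4 in map(parse, packets) if proto == 1 and l4[0] == 8)

def dns_response_count(packets):
    """Equivalent of `dns.flags.response == 1`: UDP/53 payloads whose QR bit is set."""
    n = 0
    for proto, _, _, l4 in map(parse, packets):
        if proto == 17 and 53 in struct.unpack("!HH", l4[:4]):
            n += struct.unpack("!H", l4[10:12])[0] >> 15  # QR is the top bit of the flags word
    return n

def tx_bytes_by_src(packets):
    """Equivalent of Statistics > Endpoints > IPv4 'Tx Bytes' (IP-layer bytes here)."""
    c = Counter()
    for pkt in packets:
        c[parse(pkt)[1]] += len(pkt)
    return c

# Constructed sample capture: two pings to 8.8.4.4, one to 192.168.1.1, one DNS query, two DNS responses.
SAMPLE = [ipv4("192.168.1.7", "8.8.4.4", 1, icmp_echo(s)) for s in (1, 2)] + [
    ipv4("192.168.1.7", "192.168.1.1", 1, icmp_echo(3)),
    ipv4("192.168.1.7", "8.8.8.8", 17, dns_udp(50000, 53, False)),
] + [ipv4("8.8.8.8", "192.168.1.7", 17, dns_udp(53, 50000, True)) for _ in (1, 2)]
```

Run against the constructed SAMPLE, the host pinged twice is 8.8.4.4, two DNS responses are counted, and 192.168.1.7 tops the Tx Bytes ranking.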

What is the WebAdmin password?

To find the WebAdmin password:

  1. Apply the filter http to show all HTTP traffic
  2. Find the response to the GET request (frame 4121), which is frame 4123
  3. Right-click on frame 4123 and select "Follow > HTTP Stream"

The password is visible in the stream: sbt123.

What is the version number of the attacker's FTP server?

To find the version number of the attacker's FTP server, check the first FTP frame (4243). In the Info column, the server's greeting banner reads:

pyftpdlib 1.5.5 ready

This indicates that the version number is 1.5.5.

Which port was used to gain access to the victim Windows host?

To find the port used to access the victim's Windows host, use the filter:

ip.src == 192.168.56.1 and ip.dst == 192.168.56.103 and tcp.flags.ack == 1

This filter shows all packets from the attacker (192.168.56.1) to the victim (192.168.56.103) that have the ACK flag set; the destination port of these packets is the one the attacker connected to.

The port used is 8081.

What is the name of a confidential file on the Windows host?

To find the name of the confidential file:

  1. Right-click on the first frame (4130) from the previous step
  2. Select "Follow > TCP Stream"

The confidential file name is visible in the stream as Employee_Information_CONFIDENTIAL.txt.

What is the name of the log file that was created at 4:51 AM on the Windows host?

In the same TCP stream as the previous question, you can find the log file created at 4:51 AM.

The answer is LogFile.log.
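The last three PCAP 2 steps (the attacker-to-victim ACK filter, Follow > TCP Stream, and reading file names out of the reassembled stream) as an added Python example over constructed, already-decoded TCP segments; this is not code from the original post or from SBT. The frame numbers, sequence numbers, timestamps and directory-listing text in SAMPLE are made up, and the reassembly is a simplification of Wireshark's (it orders by sequence number and drops retransmissions but does not handle sequence wraparound).

```python
from collections import namedtuple

# Constructed, already-decoded TCP segments (the fields Wireshark shows per frame).
Seg = namedtuple("Seg", "frame src sport dst dport flags seq payload")
ATTACKER, VICTIM = "192.168.56.1", "192.168.56.103"

def ack_filter(segs, src, dst):
    """Equivalent of `ip.src == src and ip.dst == dst and tcp.flags.ack == 1`."""
    return [s for s in segs if s.src == src and s.dst == dst and "A" in s.flags]

def stream_key(s):
    """Same key for both directions of a conversation, like Wireshark's tcp.stream."""
    return tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))

def follow_tcp_stream(segs, first):
    """Equivalent of Follow > TCP Stream on `first`: payload of each direction in
    sequence order, de-duplicated by (sender, seq) so retransmissions count once."""
    key = stream_key(first)
    out, seen = {}, set()
    for s in segs:
        if stream_key(s) == key and s.payload and (s.src, s.seq) not in seen:
            seen.add((s.src, s.seq))
            out.setdefault(s.src, []).append((s.seq, s.payload))
    return {src: b"".join(p for _, p in sorted(chunks)) for src, chunks in out.items()}

def find_names(stream_bytes, suffixes=(b".txt", b".log")):
    """Pull file names with the given suffixes out of reassembled stream bytes."""
    words = stream_bytes.replace(b"\r\n", b" ").replace(b"\n", b" ").split(b" ")
    return sorted({w.decode() for w in words if w.endswith(suffixes)})

# Constructed sample: attacker connects to victim port 8081, lists a directory; one unrelated SYN to port 80.
SAMPLE = [
    Seg(4128, ATTACKER, 50111, VICTIM, 8081, "S", 100, b""),
    Seg(4129, VICTIM, 8081, ATTACKER, 50111, "SA", 500, b""),
    Seg(4130, ATTACKER, 50111, VICTIM, 8081, "A", 101, b""),
    Seg(4131, ATTACKER, 50111, VICTIM, 8081, "PA", 101, b"dir C:\\Users\\Public\r\n"),
    Seg(4132, VICTIM, 8081, ATTACKER, 50111, "PA", 501,
        b"01/01/2024  04:51 AM        1024 LogFile.log\r\n"),
    Seg(4133, VICTIM, 8081, ATTACKER, 50111, "PA", 547,
        b"01/01/2024  04:53 AM        2048 Employee_Information_CONFIDENTIAL.txt\r\n"),
    Seg(4134, VICTIM, 8081, ATTACKER, 50111, "PA", 547,  # retransmission of frame 4133
        b"01/01/2024  04:53 AM        2048 Employee_Information_CONFIDENTIAL.txt\r\n"),
    Seg(4140, ATTACKER, 50222, VICTIM, 80, "S", 7, b""),
]
```

On the constructed SAMPLE the first filtered frame is 4130 with destination port 8081, and following its stream yields both file names from the victim's side once each despite the retransmitted segment.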

Conclusion

This Wireshark challenge activity provides an excellent opportunity to practice network traffic analysis skills. By working through these questions, you'll gain hands-on experience with filtering packets, analyzing protocols, and extracting valuable information from network captures.
