TryHackMe | Wireshark 101 Writeup

Carson Shaffer
10 min read · Jul 16, 2022


Recently, I’ve completed the two newest Wireshark rooms released by TryHackMe, so I figured I should go back and redo one of the earlier Wireshark rooms and make a writeup for that one. This room includes collection methods, basic filtering, packet dissection, and analyzing various different types of traffic.

Task 1: Introduction

1. Read the above and move on to Installation.
Read the information above and click “Completed”.

Task 1 Question 1

Task 2: Installation

1. Read the above, and ensure you have Wireshark installed.
To download Wireshark, first head to the download page here. I’m using a 64-bit Windows machine so I’ll download that installer.

Wireshark download page

After downloading and running the installer, you should be greeted with the setup wizard.

Wireshark setup wizard

Clicking next brings up the license agreement, and clicking “Noted” leads to the component selection. I chose to only download Wireshark and Tools.

Component selection window

The next screen asks about creating shortcuts and associating file extensions with Wireshark; I just clicked Next. I then chose my installation location, clicked Next, and clicked Next again to install Npcap. This brings us to the final screen, where we can choose to install USBPcap (which I chose not to), and then I clicked Install.

Wireshark Installation

After Wireshark finished installing, we can click next and finish to close the wizard, and we should be good to move on to the next task. We can click “Completed”.

Task 2 Question 1

Task 3: Wireshark Overview

1. Read the above and play around with Wireshark.
This task wants us to familiarize ourselves with the various menus and tools in Wireshark. Since I’ve already used Wireshark before and in my other writeups, I’ll just click “Completed” and move on to the next task.

Task 3 Question 1

Task 4: Collection Methods

1. Read the above and practice collecting captures, as well as understand the various capture techniques available.
To start a packet capture with Wireshark, we can click the “Capture” menu at the top of the window and then “Options”. This will show us the different interfaces that we can capture from. Pick whichever one you use to connect to the internet and click Start. This should show a bunch of packets being captured. After that we can stop the capture and click “Completed”.

Task 4 Question 1

Task 5: Filtering Captures

1. Read the above and understand the basics of packet filtering.
Read how to filter packet captures. I have some practice in this and I wrote about it in my Wireshark: Packet Operations writeup, which is another room that TryHackMe has which goes over different ways to filter packets. After familiarizing ourselves with it, we can click “Completed” and move on to packet dissection.

Task 5 Question 1

Task 6: Packet Dissection

1. Read the above and move on to analyzing application protocols.
This task wants us to be familiar with the OSI Model and what packets are composed of. If you are unfamiliar with what the OSI Model is, here’s a great introduction to it by RealPars. After reading the information on packet details, we can click “Completed” and finally move on to actually looking at packets.

Task 6 Question 1

Task 7: ARP Traffic

1. What is the Opcode for Packet 6?
When we download and open this packet capture, we should see a long list of different colored packets along with which number they are in the capture. Let’s click on number 6 and then use the dropdown tab for “Address Resolution Protocol” which will let us see the opcode type.

Task 7 Question 1

2. What is the source MAC Address of Packet 19?
Scrolling to packet 19 and dropping down the “Address Resolution Protocol” section shows us the sender MAC address right under the opcode. We can copy the value of the MAC address by right-clicking the sender MAC address and clicking Copy>Value.

Task 7 Question 2

3. What 4 packets are Reply packets?
We can apply a display filter to find any reply packets. We know that the packet’s ARP opcode tells us whether it is a request or a reply packet, so we can use “arp.opcode == reply” to see the four packets.

Task 7 Question 3

4. What IP Address is at 80:fb:06:f0:45:d7?
This one stumped me for a bit, and I still don’t know if I solved it the correct way. I first looked at the “arp.src.proto_ipv4” filter but it brought up a bunch of different IP addresses so I didn’t know for sure which one was correct, and I didn’t want to guess and check.

I then tried using the “eth.addr” filter and looked for the MAC address but again it displayed a ton of IP addresses. I then looked back at the last question and noticed that under the “info” column it said one IP was at the MAC address, so I searched the source ethernet address and the reply opcode. All it did was display the exact same results as the filter in the last question. I downloaded another example packet capture with multiple IP assignments and it seemed to work correctly so I think this is the correct way to solve it.

Task 7 Question 4
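The filter the last two questions rely on, reply opcode plus source MAC, can also be checked outside Wireshark. The following is an added example, not code from the room or from this writeup: it builds a few raw Ethernet/ARP frames in memory (all MACs and IPs are constructed and hypothetical), parses the fields Wireshark names eth.src, arp.opcode and arp.src.proto_ipv4, and applies the same selection as the display filter to recover which IP a given MAC answers for.

```python
# Added example, not part of the TryHackMe room or the author's writeup: construct
# Ethernet/ARP frames in memory and answer "which IP is at MAC X?" the way the
# writeup does in Wireshark, i.e. keep only ARP replies (opcode 2) from that MAC.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by a 28-byte IPv4-over-Ethernet ARP payload."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (eth.src, arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    opcode = struct.unpack("!H", frame[20:22])[0]
    return fmt(frame[6:12]), opcode, fmt(frame[22:28]), ".".join(str(x) for x in frame[28:32])

def ip_at_mac(frames, mac):
    """Same selection as the display filter 'arp.opcode == 2 && eth.src == <mac>'."""
    found = set()
    for f in frames:
        p = parse_arp(f)
        if p is not None and p[1] == ARP_REPLY and p[0] == mac:
            found.add(p[3])  # sender IP of the reply is the address this MAC claims
    return sorted(found)

# Constructed sample capture (hypothetical MACs and IPs): A asks who has .20, B replies,
# then C asks the same question and B replies again. Only B's replies carry B's IP.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLE = [
    build_arp(A, BCAST, ARP_REQUEST, A, "192.168.1.10", ZERO, "192.168.1.20"),
    build_arp(B, A, ARP_REPLY, B, "192.168.1.20", A, "192.168.1.10"),
    build_arp(C, BCAST, ARP_REQUEST, C, "192.168.1.30", ZERO, "192.168.1.20"),
    build_arp(B, C, ARP_REPLY, B, "192.168.1.20", C, "192.168.1.30"),
]
```

Running `ip_at_mac(SAMPLE, B)` returns `['192.168.1.20']`, while A and C, which only send requests, yield an empty list, which is why filtering on eth.src alone (as the writeup first tried) shows every host's traffic and is not enough on its own.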

Task 8: ICMP Traffic

1. What is the type for packet 4?
Looking in the Internet Control Message Protocol dropdown immediately reveals the type that we are looking for.

Task 8 Question 1

2. What is the type for packet 5?
The exact same procedure that was used for the last question can be used here.

Task 8 Question 2

3. What is the timestamp for packet 12, only including month day and year?
In the Internet Control Message Protocol dropdown for packet 12, near the bottom is the “Timestamp from icmp data” which lists the date, year, and time of the capture.

Task 8 Question 3

4. What is the full data string for packet 18?
Right under the ICMP timestamp in packet 18 there is a dropdown called “Data” which includes the string. We can copy it by right-clicking the string and clicking Copy>Value.

Task 8 Question 4

Task 9: TCP Overview

1. Read the above and move into Task 10.
Read the information on TCP and click “Completed”.

Task 9 Question 1

Task 10: DNS Traffic

1. What is being queried in packet 1?
Looking at the first packet, there is a dropdown titled “Domain Name System (query)”. Inside it is another dropdown titled “Queries”, which in turn contains a dropdown with a “Name” label. The value after this label is what is being queried.

Task 10 Question 1

2. What site is being queried in packet 26?
The same method from the last question can be used to find what website is being queried in this question.

Task 10 Question 2

3. What is the Transaction ID for packet 26?
Scrolling up slightly allows us to see a label titled “Transaction ID:” right under the Domain Name System dropdown.

Task 10 Question 3

Task 11: HTTP Traffic

1. What percent of packets originate from Domain Name System?
We can open this capture and apply “dns” as a filter. The percent of packets will be listed after the number in the “Displayed:” label.

Task 11 Question 1

2. What endpoint ends in .237?
To see the endpoints, we can navigate to Statistics>Endpoints. In that menu, we can click the “IPv4” tab and see the endpoint that ends in .237.

Task 11 Question 2

3. What is the user-agent listed in packet 4?
If we look at packet 4 and look under the “Hypertext Transfer Protocol” dropdown, there is a label titled “User-Agent” which is what we’re looking for.

Task 11 Question 3

4. Looking at the data stream what is the full request URI from packet 18?
To find the request URI, we can go to packet 18, click the “Hypertext Transfer Protocol” dropdown and look at the label called “Full request URI [truncated]”, that value is the URI we are looking for.

Task 11 Question 4

5. What domain name was requested from packet 38?
One way to look at the requested domain name would be to follow the HTTP stream. We can right-click packet 38 and select Follow>HTTP Stream. Near the top of the window, we can see a GET request; under that is a label called “Host”. The value there is the domain name that is being requested.

Task 11 Question 5

6. Looking at the data stream what is the full request URI from packet 38?
We can use the same method that we used for question 4 to find the URI for this question. The only difference is that the label is slightly different, this time saying “Request URI”.

Task 11 Question 6

Task 12: HTTPS Traffic

1. Looking at the data stream what is the full request URI for packet 31?
Like in the last task, we can see the full request in the “Hypertext Transfer Protocol” dropdown.

Task 12 Question 1

2. Looking at the data stream what is the full request URI for packet 50?
We can use the same method as the last question to find this URI.

Task 12 Question 2

3. What is the User-Agent listed in packet 50?
Like in the last task, we can find the user agent by scrolling up a little in the “Hypertext Transfer Protocol” dropdown to the “User-Agent” label.

Task 12 Question 3

Task 13: Analyzing Exploit PCAPs

1. Read the above and analyze the PCAP yourself to piece together the events that occurred.
Follow the steps above to see how to analyze the packet capture. If you want to see the ZeroLogon exploit being done, here’s a great video by The Cyber Mentor. After we understand what was done, we can click “Completed”.

Task 13 Question 1

Task 14: Conclusion

1. Check out the provided links and keep learning!
Take a look at the links above and click “Completed”.

Task 14 Question 1

This concludes TryHackMe’s Wireshark 101 room. I hope this writeup could be helpful in completing the room! If you are still struggling please leave a comment or message me on Twitter and I will try my best to assist!

Lessons Learned:

  • Different protocols have different information available
  • Wireshark is important when analyzing exploits
  • Wireshark has a wide variety of different installation options

What I would do differently a second time:

I struggled with the ARP question with the MAC address. I had to do a lot of Googling to find out how to solve it. I think it made it difficult because the capture did not have multiple IP assignments with the MAC addresses. I had to go to another source to find out if my filter was correct, and I’m still not sure if I was 100% correct.

Final Thoughts:

This room is pretty good at refreshing Wireshark knowledge. I wish the questions would have been slightly more in-depth as I felt that most of the tasks were just repeats with different information.
