CyberDefenders — PacketMaze
Scenario: As an analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer’s employee whose network activity has been monitored for a while (possible insider).
Tools required: Wireshark or NetworkMiner
Challenge link: https://cyberdefenders.org/labs/68
Q.1) What is the FTP password?
We apply the “ftp” display filter and look for the PASS command, since FTP sends credentials in cleartext on the control channel.
The image above shows that the FTP password is “AfricaCTF2021”.
Q.2) What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)
We apply the “dns” filter, which returns a number of packets, and note the source MAC address of a packet whose source IP is 192.168.1.26.
Then we open Statistics -> Conversations, switch to the Ethernet tab and look for the MAC address we noted in the image above.
After finding it, we right-click the entry and choose Find -> A<->B.
This shows us all the packets involving that MAC address.
The image above shows that the IPv6 address of the DNS server used by 192.168.1.26 is “fe80::c80b:adff:feaa:1db7”.
Q.3) What domain is the user looking up in packet 15174?
We apply the “dns” filter again and jump to packet 15174 (Go -> Go to Packet).
The queried name is visible in the Info column and also in the Queries field under the Domain Name System section. The image above shows that the domain the user looked up in packet 15174 is “www.7-zip.org”.
Q.4) How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?
For this we open Statistics -> Conversations.
Then we switch to the UDP tab and look for the conversation between the two given IP addresses.
The image above shows that 10 UDP packets were sent from 192.168.1.26 to 24.39.217.246.
Q.5) What is the MAC address of the system being monitored?
We already found this in Q.2 while looking at the DNS traffic from 192.168.1.26.
The image above shows that the MAC address of the system being monitored is “c8:09:a8:57:47:93”.
Q.6) What was the camera model name used to take picture 20210429_152157.jpg?
To locate the image, we search for the frames that contain its file name with the filter “frame contains 20210429_152157.jpg”.
Then we follow the TCP stream of the second matching packet, which is the FTP data transfer of the file itself.
We save that stream in Raw format to recover the JPEG.
To view its Exif data we upload the image to http://exif.regex.info/exif.cgi.
The result shows that the camera model name is “LM-Q725K”.
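Uploading evidence to a third-party site is not always acceptable, so here is an added example (not from the write-up) that reads the Model tag straight from the JPEG's Exif APP1 segment in pure Python. It assumes a baseline JPEG whose IFD0 holds Make/Model as ASCII tags; the sample bytes are constructed by the block itself and only reuse the model name from the answer above.

```python
import struct

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110           # TIFF/Exif ASCII tags held in IFD0
TAG_NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model"}

def exif_tags(jpeg: bytes) -> dict:
    """Walk the JPEG segments to the Exif APP1 block and return Make/Model from IFD0."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_ifd0(jpeg[pos + 10:pos + 2 + length])   # TIFF data follows "Exif\0\0"
        if marker in (0xFFDA, 0xFFD9):                             # scan data or EOI: no Exif ahead
            break
        pos += 2 + length                                          # length covers itself, not the marker
    return {}

def _parse_ifd0(tiff: bytes) -> dict:
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]                         # byte order from the TIFF header
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    out = {}
    for i in range(count):
        at = ifd0 + 2 + 12 * i
        tag, typ, n, off = struct.unpack(e + "HHII", tiff[at:at + 12])
        if typ == 2 and tag in TAG_NAMES:                          # type 2 = NUL-terminated ASCII
            raw = tiff[at + 8:at + 12] if n <= 4 else tiff[off:off + n]   # values <= 4 bytes sit inline
            out[TAG_NAMES[tag]] = raw.split(b"\x00")[0].decode("ascii", "replace")
    return out

def build_sample_jpeg(model: str) -> bytes:
    """Constructed minimal JPEG: SOI, APP1 (Exif, little-endian TIFF, IFD0 with Model only), EOI."""
    val = model.encode("ascii") + b"\x00"
    assert len(val) > 4, "builder always stores the value out of line, so it needs > 4 bytes"
    data_at = 8 + 2 + 12 + 4                                       # IFD0 at 8: count + 1 entry + next-IFD
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", TAG_MODEL, 2, len(val), data_at) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + val
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE_JPEG = build_sample_jpeg("LM-Q725K")    # the model name from the write-up, in constructed bytes
```

Run `exif_tags(open("20210429_152157.jpg", "rb").read())` on the file saved from the FTP-DATA stream to get the same answer offline.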
Q.7) What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?
We use the “tls.handshake.type==2” filter to list all Server Hello messages, then look for the given session ID among them. (To make this easier, we select the first packet and apply the Session ID field as a column, as shown in the image below.)
Once we have the matching packet, we expand the server's Certificate message and read the public key from the certificate.
The key value is “04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d”. The leading 04 and the 97-byte length mark it as an uncompressed EC point (two 48-byte coordinates), consistent with a P-384 key.
Q.8) What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?
We use the “ssl.handshake.extensions_server_name” filter (newer Wireshark versions name the field tls.handshake.extensions_server_name) to display all Client Hellos that carry a server name. We click the first packet, locate the Server Name field and apply it as a column so that protonmail.com is easy to spot.
After finding protonmail.com we read the Random field of that Client Hello (the Supported Versions extension is where TLS 1.3 is offered, since the legacy version field still says TLS 1.2).
The image above shows that the first TLS 1.3 client random used to establish a connection with protonmail.com is “24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70”.
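The same lookup done over the raw bytes, as an added example rather than the write-up's own steps: a small ClientHello parser that pulls the Random, the SNI and the supported_versions list, then returns the first random offered to a host with TLS 1.3. The records it runs on are constructed inside the block (the builder, the decoy record and the single cipher suite are assumptions); only the random value comes from the answer above.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello -> {random, sni, versions}."""
    hs = record[5:5 + struct.unpack(">BHH", record[:5])[2]]
    if record[0] != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"random": body[2:34].hex(), "sni": None,
            "versions": [struct.unpack(">H", body[:2])[0]]}   # legacy_version: 0x0303 even for TLS 1.3
    p = 34 + 1 + body[34]                                      # skip legacy_session_id
    p += 2 + struct.unpack(">H", body[p:p + 2])[0]             # skip cipher_suites
    p += 1 + body[p]                                           # skip compression_methods
    if p + 2 > len(body):
        return info                                            # hello without an extensions block
    p, end = p + 2, p + 2 + struct.unpack(">H", body[p:p + 2])[0]
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", body[p:p + 4])
        ext, p = body[p + 4:p + 4 + elen], p + 4 + elen
        if etype == 0:     # server_name: list_len(2) name_type(1) name_len(2) name
            info["sni"] = ext[5:5 + struct.unpack(">H", ext[3:5])[0]].decode("ascii")
        elif etype == 43:  # supported_versions: TLS 1.3 (0x0304) is only ever offered here
            info["versions"] = [struct.unpack(">H", ext[1 + i:3 + i])[0] for i in range(0, ext[0], 2)]
    return info

def first_tls13_client_random(records, host: str):
    """Q.8 as code: random of the first ClientHello whose SNI is `host` and which offers TLS 1.3."""
    for rec in records:
        try:
            h = parse_client_hello(rec)
        except (ValueError, IndexError, struct.error):
            continue               # not a ClientHello, or truncated: skip it
        if h["sni"] == host and 0x0304 in h["versions"]:
            return h["random"]
    return None

def build_client_hello(rnd: bytes, sni: str, versions=(0x0304, 0x0303)) -> bytes:
    """Constructed ClientHello: one cipher suite, null compression, SNI + supported_versions."""
    name = sni.encode("ascii")
    sni_ext = struct.pack(">HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    vers = b"".join(struct.pack(">H", v) for v in versions)
    exts = sni_ext + struct.pack(">HHB", 43, len(vers) + 1, len(vers)) + vers
    body = struct.pack(">H", 0x0303) + rnd + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", 22, 0x0301, len(hs)) + hs

# The client random quoted in the write-up, placed in a constructed hello to protonmail.com, plus a decoy.
SAMPLE_RANDOM = bytes.fromhex("24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70")
SAMPLE_RECORDS = [build_client_hello(b"\x22" * 32, "protonmail.com", versions=(0x0303,)),  # TLS 1.2 only
                  build_client_hello(SAMPLE_RANDOM, "protonmail.com")]
```

The TLS 1.2-only decoy is skipped even though its SNI matches, which is exactly why the Supported Versions extension, not the record or legacy version field, decides what counts as a TLS 1.3 hello.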
Q.9) What country is the MAC address of the FTP server registered in? (two words, one space in between)
We apply the “ftp” filter, click the first packet and read the FTP server's MAC address from the Ethernet header.
We then run an OUI (vendor) lookup on that MAC address to find the country it is registered in.
The image above shows that the country name is “United States”.
Q.10) What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)
Again we apply the “ftp” filter and follow the TCP stream to read the directory listing and its timestamps.
The image above shows that the non-standard folder on the FTP server was created on the 20th of April at “17:53”.
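For Q.1 and Q.10 together, an added example (not the write-up's code) that pulls the USER/PASS pair out of the control channel and the folder timestamps out of a Unix-style LIST reply. The streams, the banner, the username and the folder names are constructed; the password and the 17:53 entry reuse the answers above, and the set of "standard" home folders is an assumption.

```python
import re

# Folders a stock Linux home directory carries; anything else counts as non-standard.
STANDARD_DIRS = {"Desktop", "Documents", "Downloads", "Music", "Pictures", "Public", "Templates", "Videos"}

# Constructed sample of the control channel (port 21), as "Follow TCP Stream" would show it.
# The password is the one from the write-up; the banner and username are made up.
CONTROL_STREAM = """220 (vsFTPd 3.0.3)
USER user1
331 Please specify the password.
PASS AfricaCTF2021
230 Login successful.
LIST
150 Here comes the directory listing.
226 Directory send OK.
"""

# Constructed sample of the data channel reply to LIST (Unix-style long listing).
# LIST reports modification time, which is what the write-up reads as the creation time.
LIST_OUTPUT = """drwxr-xr-x    2 ftp      ftp          4096 Apr 15 09:01 Desktop
drwxr-xr-x    2 ftp      ftp          4096 Apr 15 09:01 Documents
drwxr-xr-x    2 ftp      ftp          4096 Apr 20 17:53 Projects
-rw-r--r--    1 ftp      ftp        182340 Apr 29 15:22 20210429_152157.jpg
"""

# perms, links, owner, group, size, month, day, time-or-year, name
LIST_RE = re.compile(r"^([d-])[rwxst-]{9}\s+\d+\s+\S+\s+\S+\s+(\d+)\s+(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}|\d{4})\s+(.+)$")

def ftp_credentials(control: str):
    """Return (user, password) from the cleartext USER/PASS commands, or None if absent."""
    user = re.search(r"^USER (\S+)", control, re.M)
    pwd = re.search(r"^PASS (\S+)", control, re.M)
    return (user.group(1), pwd.group(1)) if user and pwd else None

def parse_list(listing: str):
    """Parse Unix-style LIST lines into dicts; lines that do not match are skipped."""
    out = []
    for line in listing.splitlines():
        m = LIST_RE.match(line)
        if m:
            kind, size, mon, day, clock, name = m.groups()
            out.append({"dir": kind == "d", "size": int(size), "month": mon,
                        "day": int(day), "time": clock, "name": name})
    return out

def nonstandard_dirs_on(listing: str, month: str, day: int):
    """Directories dated month/day that are not stock home folders -> [(name, hh:mm)]."""
    return [(e["name"], e["time"]) for e in parse_list(listing)
            if e["dir"] and e["month"] == month and e["day"] == day and e["name"] not in STANDARD_DIRS]
```

Entries older than about six months carry a year instead of hh:mm in the time column, which the regex accepts but which no longer answers a "what time" question.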
Q.11) What domain was the user connected to in packet 27300?
We go to packet 27300 and look for a domain name, but the packet itself does not carry one, so we note the destination IP address instead.
Then we open Statistics -> Resolved Addresses and look up the name that corresponds to that destination address.
The image above shows that the domain name is “dfir.science”.
Thanks for reading 😊.