TryHackMe — Tshark(Walkthrough)
Task -1: Pre-Reqs
tshark is pre-installed in the latest version of Kali Linux. If you have an older version, install it with apt-get:
sudo apt-get install tshark
Task -2: Reading PCAP Files
Read the instructions carefully and download the task file.
In mine it is named "cap".
To read the file you can just use: tshark -r cap
To identify the number of packets in the capture: tshark -r cap | wc -l
We can also apply display filters (-Y). To display only packets of a particular type, for example A-record queries (dns.qry.type == 1):
tshark -r cap -Y "dns.qry.type == 1"
We can also extract specific fields directly from the pcap, so that only the fields we need are printed. To do that we use "-T fields -e <fieldname>", for example:
tshark -r cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
NOTE: An easy way to identify field names in Wireshark is to navigate to the Packet Details in the capture, highlight the interesting field, then view the bottom left corner.
How many packets are in the dns.cap file?
Ans : 38
How many A records are in the capture? (Including responses)
Ans : 6
Which A record was present the most?
Ans: GRIMM.utelsystems.local
Task — 3: DNS Exfil
How many packets are in this capture?
Ans: 125
How many DNS queries are in this pcap? (Not responses!)
Ans: 56
(To search for queries only, use the “dns.flags.response == 0” display filter)
What is the DNS transaction ID of the suspicious queries (in hex)?
ANS: 0xbeef
What is the string extracted from the DNS queries?
Hmmm…. Now this seems a little bit tricky and tedious.
First let's filter the DNS queries and then extract the query name (dns.qry.name).
The first letter of each query name is what matters here, so let's use some power of the terminal:
first separate the first label of every name with cut, then join all the rows into a single row with tr.
The complete pipeline is what we need:
Command: tshark -r pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | cut -d "." -f1 | tr -d "\n"
ANS: MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5
What is the flag?
Now, this gibberish string we got here might have something in it. The character set (A-Z and 2-7) is typical of base32.
So, let's try base32 decoding on this site: https://emn178.github.io/online-tools/base32_decode.html
ANS : flag{th1s_is_t0ugh_with0u7_tsh4rk!}
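The steps above can be done in Python as well, which is useful when a capture has more queries than you want to eyeball, or when the base32 string needs padding that a DNS label cannot carry. The following is an added example and not part of the original walkthrough or the TryHackMe room: it works on the text that "tshark -T fields -e dns.qry.name" prints (one name per packet), which is constructed inline here; the domain names "utelsystems.local" counts and "exfil.example" are made up for the example, and the exfil query names are generated from the payload string shown above. It reproduces the "most common A record" count from Task 2, the cut/tr reassembly and base32 decode from Task 3, and adds a simple defender-side check for the pattern of many short first labels under one parent domain.

```python
import base64
from collections import Counter, defaultdict

# Constructed sample of `tshark -r cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name`
# output (one name per packet). The counts are made up for this example.
A_RECORD_NAMES = [
    "GRIMM.utelsystems.local",
    "GRIMM.utelsystems.local",
    "ftp.utelsystems.local",
    "GRIMM.utelsystems.local",
    "mail.utelsystems.local",
    "ftp.utelsystems.local",
]

# Constructed stand-in for the exfil capture: each query carries one character of
# the payload in its first label, followed by a made-up attacker domain.
EXFIL_PAYLOAD = "MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5"
EXFIL_QUERY_NAMES = [f"{c}.exfil.example" for c in EXFIL_PAYLOAD]


def most_common_name(names):
    """Equivalent of `sort | uniq -c | sort -rn | head -1` on the field output."""
    counts = Counter(n for n in names if n)
    name, count = counts.most_common(1)[0]
    return name, count


def first_labels(names):
    """Equivalent of `cut -d "." -f1` on every line followed by `tr -d "\\n"`."""
    return "".join(n.split(".", 1)[0] for n in names if n)


def decode_base32(text):
    """Decode base32, restoring the '=' padding that cannot appear in a DNS label.

    base32 groups 5 bytes into 8 characters, so the input must be padded to a
    multiple of 8 before the standard library will accept it.
    """
    text = text.upper()
    pad = (-len(text)) % 8
    return base64.b32decode(text + "=" * pad).decode("utf-8", errors="replace")


def recover_exfil_string(names):
    """Reassemble the first labels of the queries and decode them as base32."""
    return decode_base32(first_labels(names))


def suspicious_parent_domains(names, min_queries=20, max_label_len=8):
    """Defender-side check: parent domains that received many queries whose first
    label is short (a typical shape for data smuggled out one chunk at a time).
    Returns {parent_domain: query_count} for parents over the threshold.
    """
    per_parent = defaultdict(int)
    for n in names:
        if "." not in n:
            continue
        label, parent = n.split(".", 1)
        if len(label) <= max_label_len:
            per_parent[parent] += 1
    return {p: c for p, c in per_parent.items() if c >= min_queries}


if __name__ == "__main__":
    print(most_common_name(A_RECORD_NAMES))
    print(first_labels(EXFIL_QUERY_NAMES))
    print(recover_exfil_string(EXFIL_QUERY_NAMES))
    print(suspicious_parent_domains(EXFIL_QUERY_NAMES + A_RECORD_NAMES))
```

To use it on a real capture, pipe the tshark field output into the script (for example read `sys.stdin.read().splitlines()` in place of the constructed lists); the threshold in suspicious_parent_domains is a starting point to tune against normal traffic, not a fixed indicator.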
Congratulations !!!