TryHackMe

Advent of Cyber 2022 [Day 13] - Packet Analysis: Simply having a wonderful pcap time

Ali AK, published in System Weakness, Dec 23, 2022 (3 min read)

Scenario: After receiving the phishing email on Day 6 and investigating malware on Day 12, it seemed everything was ready to go back to normal. However, monitoring systems started to show suspicious traffic patterns just before closing the case. Now Santa’s SOC team needs help in analysing these suspicious network patterns.

Day 13 Learning Objectives: Packet Analysis

  • Learn what traffic analysis is and why it still matters.
  • Learn the fundamentals of traffic analysis.
  • Learn the essential Wireshark features used in case investigation.
  • Learn how to assess the patterns and identify anomalies on the network.
  • Learn to use additional tools to identify malicious addresses and conduct further analysis.
  • Help the Elf team investigate suspicious traffic patterns.

Packets and Packet Analysis?

Packets are the most basic unit of data transferred over a network. When a message is sent from one host to another, it is transmitted in small chunks, each called a packet. Packet analysis is the process of extracting, assessing and identifying network patterns (connections, shares, commands and other activity such as logins and system failures) from prerecorded traffic files.

Why Does Packet Analysis Still Matter?

Network traffic is a raw and rich data source, and a Packet Capture (PCAP) of network events preserves it for analysis. Live capture can be limited to traffic flow, which yields only statistics about the traffic; identifying and investigating network patterns in depth has to be done at the packet level. Consequently, threat detection and real-time performance troubleshooting cannot be done without packet analysis.

What is Wireshark?

Wireshark is an industry-standard tool for network protocol analysis and is essential in any traffic and packet investigation. You can view, save and break down the network traffic with it.

Answers to the Questions

What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?

0.3

Which port number has received more than 1000 packets?

3389

What is the service name of the used protocol that received more than 1000 packets?

RDP

What are the domain names?

bestfestivalcompany[.]thm,cdn[.]bandityeti[.]thm

What are the names of the requested files?

favicon[.]ico,mysterygift[.]exe

Which IP address downloaded the executable file?

10[.]10[.]29[.]186

Which domain address hosts the malicious file?

cdn[.]bandityeti[.]thm

What is the “user-agent” value used to download the non-executable file?

Nim httpclient/1.6.8

What is the sha256 hash value of the executable file?

0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f

What are the connected IP addresses?

20[.]99[.]133[.]109,20[.]99[.]184[.]37,23[.]216[.]147[.]64,23[.]216[.]147[.]76
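To show how those answers map onto the raw packets, here is an added Python example (not from the room or this post) that builds a small constructed pcap reusing the room's client IP, host names, file names and user-agent, then extracts the same facts Wireshark gives through Statistics, the http.request fields and Export Objects. The server IPs and the executable's contents are placeholders, so the hash it produces is not the room's hash.

```python
import struct, hashlib
from collections import Counter

# Constructed sample: a minimal pcap (Ethernet/IPv4/TCP) built in memory. Hosts,
# file names, user-agent and client IP come from the room; the server IPs and
# the executable's bytes are placeholders, so its hash is not the room's hash.
def _frame(src, dst, sport, dport, payload):
    ip4 = lambda a: bytes(map(int, a.split('.')))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, ip4(src), ip4(dst))
    data = b'\x00' * 12 + b'\x08\x00' + ip + tcp + payload
    return struct.pack('<IIII', 0, 0, len(data), len(data)) + data

def _get(host, path):
    return f'GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Nim httpclient/1.6.8\r\n\r\n'.encode()

EXE_BODY = b'MZ' + b'\x90' * 30   # placeholder body, not the real mysterygift.exe
SAMPLE_PCAP = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b''.join([
    _frame('10.10.29.186', '10.10.29.1', 50001, 3389, b'\x03\x00\x00\x13'),
    _frame('10.10.29.186', '10.10.29.1', 50002, 3389, b'\x03\x00\x00\x13'),
    _frame('10.10.29.186', '192.0.2.10', 50003, 80, _get('bestfestivalcompany.thm', '/favicon.ico')),
    _frame('10.10.29.186', '192.0.2.10', 50004, 80, _get('cdn.bandityeti.thm', '/mysterygift.exe')),
    _frame('192.0.2.10', '10.10.29.186', 80, 50004, b'HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\n' + EXE_BODY),
])

def tcp_packets(pcap):   # yields (src, dst, sport, dport, payload) per IPv4/TCP frame
    off = 24             # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from('<I', pcap, off + 8)[0]
        f, off = pcap[off + 16: off + 16 + incl], off + 16 + incl
        if f[12:14] != b'\x08\x00' or f[23] != 6:
            continue     # not IPv4 or not TCP
        tcp = f[14 + (f[14] & 0x0f) * 4: 14 + struct.unpack_from('!H', f, 16)[0]]
        yield ('.'.join(map(str, f[26:30])), '.'.join(map(str, f[30:34])),
               *struct.unpack_from('!HH', tcp), tcp[(tcp[12] >> 4) * 4:])

def packets_per_dst_port(pcap):   # the "which port received more than 1000 packets" check
    return Counter(p[3] for p in tcp_packets(pcap))

def http_requests(pcap):   # (client, host, uri, user-agent), like Wireshark's http.request fields
    rows = []
    for src, _, _, _, payload in tcp_packets(pcap):
        if payload.startswith(b'GET '):
            lines = payload.split(b'\r\n\r\n', 1)[0].decode().split('\r\n')
            hdr = dict(l.split(': ', 1) for l in lines[1:])
            rows.append((src, hdr.get('Host'), lines[0].split(' ')[1], hdr.get('User-Agent')))
    return rows

def sha256_of_first_response(pcap, server_port=80):   # Export Objects followed by sha256sum, in code
    for _, _, sport, _, payload in tcp_packets(pcap):
        if sport == server_port and payload.startswith(b'HTTP/'):
            return hashlib.sha256(payload.split(b'\r\n\r\n', 1)[1]).hexdigest()
```

On a real capture, read the file bytes into `tcp_packets` instead of `SAMPLE_PCAP`; the same three helpers then answer the port, request and hash questions, while reassembly of multi-segment responses is left to Wireshark.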


WHOAMI > Security Researcher | Red Teamer | Competitive CTF Player. Learning new things every day & Helping aspiring hackers. twitter.com/LE0_Hak