H 420: Wireshark (110 pts)

What You Need for This Project

Installing Wireshark

If your computer doesn't already have it, go to

https://www.wireshark.org/

Download and install the latest version.

I wrote these instructions using Wireshark 2.6.1 for the Mac on 6-28-18.

Examining Layers 1-4

Download this file and double-click it to open it in Wireshark:

FTPlogin.pcapng

Find these features, as shown below:

Finding an FTP Password

FTP is a very unsafe protocol, because it sends passwords over the network without encryption. To demonstrate that, we'll steal a password.

In Wireshark, at the top, in the "Apply a display filter" box, type ftp and press the Enter key.

Wireshark filters the packets, showing only the packets using File Transfer Protocol. On the right side, you can see the login process for a user named "john".

H 420.1: John's Password (5 pts)

Find John's password, which is covered by a green rectangle in the image below. That's the flag.

H 420.2 Finding an HTTP Password

HTTP also sends passwords over the network without encryption. To demonstrate that, we'll steal a password.

Download this file and double-click it to open it in Wireshark:

httplogin.pcapng

In Wireshark, at the top, in the "Apply a display filter" box, type http and press the Enter key.

Wireshark filters the packets, showing only the packets using HTTP. In the Packet List, in the "Info" column, find the first POST request, as shown below, and click it.

In the Packet Details, expand the "Hypertext Transfer Protocol" container. The username of "Isaac" and password of "Flapper" are visible, as outlined in red in the image below.

Following a TCP Stream

In the Packet List, in the "Info" column, right-click the first POST request, click Follow, and click "TCP Stream", as shown below.

The conversation is shown, with the client's transmission in red, and the server's response in blue, as shown below.

The TCP Stream is often very helpful, but not in this case, because the reply is zipped.

Restoring the Packet Filter to "http"

Close the "Follow TCP Stream" box.

In Wireshark, at the top, in the "Apply a display filter" box, on the right side, click the X to clear the filter.

In the "Apply a display filter" box, type http and press the Enter key.

All the "http" packets appear, as shown below.

Viewing the HTTP Reply

In the Packet List, in the "Info" column, click the packet following the first POST request, which is labelled "HTTP/1.1 200 OK", as shown below.

In the Packet Details, expand the "Line-based text data" container. The server's reply is now readable, saying "Login Denied!", as outlined in red in the image below.

H 420.2: Isaac's Password (10 pts)

Isaac made several attempts to log in before finally entering the correct password.

Find the password that worked. That's the flag.

H 420.3: HTTP Basic Authentication (15 pts)

HTTP Basic authentication obfuscates passwords with Base64 encoding before transmitting them, which is not much better than sending them in cleartext, because Wireshark automatically decodes them.

Download this file and double-click it to open it in Wireshark:

BasicLogin.pcapng

A user named WALDO logged in. Find Waldo's password. That's the flag.
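The three captures above all show the same weakness: the credential is recoverable from the raw bytes of the TCP stream, which is exactly what Wireshark's Packet Details and "Follow TCP Stream" display. The script below is an added example, not part of this project and not using its capture files. It scans constructed stand-in stream text (names and passwords are made up) for the three patterns from 420.1 to 420.3: FTP USER/PASS commands, form fields in an HTTP POST paired with the server's reply so the attempt that was not denied can be picked out, and an HTTP Basic Authorization header decoded from Base64. The same logic, run over reassembled streams, is how a monitoring tool would flag cleartext logins on a network.

```python
import base64
import re
from urllib.parse import parse_qsl

# Constructed sample payloads standing in for what Wireshark's "Follow TCP Stream"
# shows for the three captures above. Nothing here comes from FTPlogin.pcapng,
# httplogin.pcapng or BasicLogin.pcapng; every password is made up.
FTP_STREAM = (
    "220 (vsFTPd 3.0.3)\r\n"
    "USER john\r\n"
    "331 Please specify the password.\r\n"
    "PASS wrong-guess\r\n"
    "530 Login incorrect.\r\n"
    "USER john\r\n"
    "331 Please specify the password.\r\n"
    "PASS example-ftp-pass\r\n"
    "230 Login successful.\r\n"
)


def http_post(fields, reply):
    """Build one constructed POST request immediately followed by its server reply,
    byte-for-byte the way a reassembled stream looks (no separator between them)."""
    body = "&".join(f"{k}={v}" for k, v in fields)
    return (
        "POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
        "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
        f"Content-Length: {len(reply)}\r\n\r\n{reply}"
    )


# Two login attempts: the first is denied, the second succeeds.
HTTP_FORM_STREAM = (
    http_post([("username", "Isaac"), ("password", "guess1")], "Login Denied!")
    + http_post([("username", "Isaac"), ("password", "example123")], "Welcome, Isaac!")
)

# HTTP Basic: user:password, Base64-encoded, sent in the Authorization header.
BASIC_TOKEN = base64.b64encode(b"WALDO:example-basic-pass").decode()
HTTP_BASIC_STREAM = (
    "GET /secret/ HTTP/1.1\r\nHost: example.test\r\n"
    f"Authorization: Basic {BASIC_TOKEN}\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
)


def ftp_credentials(stream):
    """Return (user, password) pairs in the order the PASS commands appear."""
    user, found = None, []
    for line in stream.split("\r\n"):
        if line.upper().startswith("USER "):
            user = line[5:]
        elif line.upper().startswith("PASS "):
            found.append((user, line[5:]))
    return found


def http_form_credentials(stream):
    """For every POST in the stream, return its decoded form fields and the
    body of the server reply that follows it (Content-Length is honoured)."""
    results = []
    for m in re.finditer(r"POST [^\r\n]+\r\n(.*?)\r\n\r\n", stream, re.S):
        length = re.search(r"Content-Length:\s*(\d+)", m.group(1), re.I)
        if not length:
            continue
        body_end = m.end() + int(length.group(1))
        fields = dict(parse_qsl(stream[m.end():body_end]))
        reply = re.search(r"HTTP/1\.\d \d{3}[^\r\n]*\r\n(.*?)\r\n\r\n", stream[body_end:], re.S)
        reply_text = ""
        if reply:
            rlen = re.search(r"Content-Length:\s*(\d+)", reply.group(1), re.I)
            start = body_end + reply.end()
            reply_text = stream[start:start + int(rlen.group(1))] if rlen else stream[start:]
        results.append({"fields": fields, "reply": reply_text})
    return results


def successful_http_login(stream, denied_marker="Login Denied!"):
    """Return the fields of the first POST whose reply is not the denial text."""
    for attempt in http_form_credentials(stream):
        if denied_marker not in attempt["reply"]:
            return attempt["fields"]
    return None


def http_basic_credentials(stream):
    """Decode every 'Authorization: Basic' header into (user, password)."""
    found = []
    for m in re.finditer(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", stream, re.I):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed Base64
            continue
        user, _, password = decoded.partition(":")
        found.append((user, password))
    return found


if __name__ == "__main__":
    print("FTP:", ftp_credentials(FTP_STREAM))
    print("HTTP form attempts:", http_form_credentials(HTTP_FORM_STREAM))
    print("HTTP password that worked:", successful_http_login(HTTP_FORM_STREAM))
    print("HTTP Basic:", http_basic_credentials(HTTP_BASIC_STREAM))
```

The Basic decoder is the whole of what Wireshark does for you in 420.3: Base64 is an encoding, not encryption, so anything that can read the stream can read the password. The fix in all three cases is transport encryption (FTPS or SFTP, HTTPS), not a different encoding.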

APT Capture

Download this file:

apt-capture.pcap

This file contains some APT attacker traffic, which I got in the Red Team CTF on May 16, 2020.

Analyze it and answer the following questions:

H 420.4: Encrypted Transmission (10 pts)

There is only one protocol used for encrypted communication, with more than 3 packets sent.

Find the port number of the server side of the encrypted transmissions. That's the flag.

HINT: Use Statistics, "Protocol Hierarchy". Right-click a protocol to filter for it.

H 420.5: Tool (10 pts)

What tool is being used to perform encrypted communications? That's the flag.

HINT: Use a filter like:

frame contains "80"

This finds frames containing a command line that uses the port number you found in the previous flag.

Don't forget the quotation marks!

H 420.6: Hash of Tool (10 pts)

Provide the sha1sum of the tool used to perform encrypted communications. That's the flag.

HINT: Use "frame contains" to find frames containing text including the tool name you found in the previous flag. Find the TCP stream that downloaded the tool.

H 420.7: Decrypt (15 pts)

Find the private key used for encrypted communications. Decrypt the encrypted communications and find the flag inside.

HINTS: TLS Decryption
Search for text found in the PEM File Format
Find the sequence of commands used to create the encrypted traffic
Find the keyfile name (includes .key)
Filter for the port number used to send the key
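Both 420.6 and the 420.7 hints come down to the same two operations: pull the body of a file transfer out of a reassembled HTTP stream, and recognise PEM text when it goes past in cleartext. The script below is an added example, not part of this project; the "tool" and the PEM block are made-up stand-ins, not content from apt-capture.pcap. It carves the response body using Content-Length, hashes it with SHA-1 (what sha1sum prints), and lists any PEM blocks found in a stream, which is the programmatic form of the `frame contains` search the hints describe.

```python
import hashlib
import re

# Constructed reassembled streams (client request, then server reply), standing
# in for what "Follow TCP Stream" shows. Nothing here is from apt-capture.pcap.
TOOL_BYTES = b"#!/bin/sh\n# constructed stand-in for the downloaded tool\necho hello\n"
TOOL_STREAM = (
    b"GET /tool.sh HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(TOOL_BYTES)).encode() + b"\r\n\r\n" + TOOL_BYTES
)

# A made-up PEM block: the markers are real PEM syntax, the Base64 body is filler.
FAKE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Y29uc3RydWN0ZWQgZmlsbGVyIG9ubHksIG5vdCBhIGtleQ==\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
KEY_STREAM = (
    b"GET /server.key HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: " + str(len(FAKE_PEM)).encode()
    + b"\r\n\r\n" + FAKE_PEM
)

# PEM: "-----BEGIN <label>-----" ... "-----END <same label>-----"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def carve_http_body(stream: bytes) -> bytes:
    """Return the body of the first HTTP response in a reassembled stream.
    The status line is matched at line start so the request line's 'HTTP/1.1'
    is skipped; Content-Length is honoured, otherwise the rest is taken."""
    status = re.search(rb"^HTTP/1\.[01] \d{3}", stream, re.M)
    if not status:
        raise ValueError("no HTTP response in stream")
    header_end = stream.find(b"\r\n\r\n", status.start())
    if header_end < 0:
        raise ValueError("truncated response headers")
    headers = stream[status.start():header_end]
    body_start = header_end + 4
    m = re.search(rb"Content-Length:\s*(\d+)", headers, re.I)
    if m:
        return stream[body_start:body_start + int(m.group(1))]
    return stream[body_start:]


def sha1_hex(data: bytes) -> str:
    """Same digest that `sha1sum` prints for the file."""
    return hashlib.sha1(data).hexdigest()


def find_pem_blocks(data: bytes):
    """Return the label of every PEM block in data, e.g. 'RSA PRIVATE KEY'."""
    return [m.group(1).decode() for m in PEM_RE.finditer(data)]


if __name__ == "__main__":
    body = carve_http_body(TOOL_STREAM)
    print("tool size:", len(body), "sha1:", sha1_hex(body))
    print("PEM blocks in key stream:", find_pem_blocks(KEY_STREAM))
```

In the Wireshark GUI the carve step is File > Export Objects > HTTP, followed by sha1sum on the saved file. Once a PEM private key has been recovered, it goes into the RSA keys list under the TLS protocol preferences (SSL in Wireshark 2.x). One caveat: a server's RSA private key only decrypts sessions that used RSA key exchange; sessions negotiated with (EC)DHE cipher suites have forward secrecy and cannot be decrypted that way, which is why whether such a key leak matters depends on the cipher suite in the capture.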

H 420.8: Port Knocking (15 pts)

There appears to be some port knocking on the network. What ports are being knocked? The flag is the answer in the form "port,port,port", in the order the knocks are sent.

HINT: Examine the SYN packets. Look for an obvious pattern of knocks to the same server.
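The hint's "obvious pattern" can be found by eye in a small capture; in a large one it is easier to let a script do the grouping. The example below is added here and is not part of this project. It reads constructed SYN records in the shape that `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport` would print (the addresses and ports are made up, not from apt-capture.pcap), groups them by client/server pair, and reports the run of distinct ports that is sent back to back, within a short window, more often than any other. The length and window are assumptions set as parameters; the real connection that follows the knocks arrives later and so falls outside the window.

```python
from collections import Counter, defaultdict

# Constructed SYN records (tab-separated: time, src, dst, dstport), the shape
# tshark's -T fields output takes. Two knock bursts to 10.0.0.20 from 10.0.0.5,
# each followed by the real connection to port 22, plus one unrelated SYN.
SAMPLE_SYNS = """\
0.000000\t10.0.0.5\t10.0.0.20\t7000
0.100000\t10.0.0.5\t10.0.0.20\t8000
0.200000\t10.0.0.5\t10.0.0.20\t9000
1.500000\t10.0.0.5\t10.0.0.20\t22
15.000000\t10.0.0.7\t10.0.0.20\t80
30.000000\t10.0.0.5\t10.0.0.20\t7000
30.100000\t10.0.0.5\t10.0.0.20\t8000
30.200000\t10.0.0.5\t10.0.0.20\t9000
31.500000\t10.0.0.5\t10.0.0.20\t22
"""


def parse_syn_lines(text):
    """Turn tshark-style field lines into (time, src, dst, dstport) tuples."""
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, port = line.split("\t")
        rows.append((float(t), src, dst, int(port)))
    return rows


def find_knock_sequences(rows, length=3, window=1.0):
    """Count every run of `length` SYNs from one client to one server that hits
    `length` distinct ports within `window` seconds. Returns a Counter keyed by
    (src, dst, ports)."""
    by_pair = defaultdict(list)
    for t, src, dst, port in rows:
        by_pair[(src, dst)].append((t, port))
    seqs = Counter()
    for (src, dst), syns in by_pair.items():
        syns.sort()  # order by time; knocks must be sent in sequence
        for i in range(len(syns) - length + 1):
            run = syns[i:i + length]
            ports = tuple(p for _, p in run)
            if len(set(ports)) == length and run[-1][0] - run[0][0] <= window:
                seqs[(src, dst, ports)] += 1
    return seqs


def most_likely_knock(rows, length=3, window=1.0):
    """Return the most frequently repeated candidate run in flag format, or None."""
    seqs = find_knock_sequences(rows, length, window)
    if not seqs:
        return None
    (src, dst, ports), count = seqs.most_common(1)[0]
    return {"client": src, "server": dst,
            "ports": ",".join(str(p) for p in ports), "count": count}


if __name__ == "__main__":
    print(most_likely_knock(parse_syn_lines(SAMPLE_SYNS)))
```

Repetition is the useful signal here: a scan also sends SYNs to many ports, but the same short sequence recurring before each new connection to the server is what distinguishes a knock. On the detection side, a port-knock daemon still has to be treated as obscurity rather than authentication, since the sequence is visible to anyone who can see the SYNs.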

H 420.9: Exploitation (20 pts)

On several occasions, after three knocks, the attacker got a shell on a target machine.

Find the shell session with the largest number of bytes transferred. The attacker executed over 40 shell commands.

The flag is the last command executed in that session.

Revised to new flag system 5-17-2020
420.5 hint improved 6-14-2020
420.7 hints added 7-25-2020
420.5 hint improved more 7-26-2020
420.7 hint added 8-1-2020