TryHackMe Walkthrough // Wireshark Basics Room - SOC Analyst 1

Video Statistics and Information

Captions
What's up, packet people. So today we're going to talk about a TryHackMe room. I'm excited to do another walkthrough with you, and this is going to be the Wireshark intro room, or Wireshark: The Basics. Now I'm really excited about this room, and also all of this content from TryHackMe, so that's why I want to do some walkthroughs with it and show you how I would approach a room like this. Now it's not just this room, but it's also really cool, the learning path that this is a part of. So if you go to TryHackMe and if you come down to the SOC Level 1 module, that whole learning path, and if you come down to Network Security and Traffic Analysis, you're going to see that there's a lot of different rooms. You got Snort, you got NetworkMiner, Zeek, Brim. So I'm going to do a walkthrough of several of these different rooms, and I'm going to start actually kind of out of turn here because, you know, I'm a Wireshark guy, come on. I'm going to start with the Wireshark: The Basics room and get started there. So let's go ahead and do this one.

Now I went ahead and started the virtual machine and I'm in the system here. You can see my IP, and just to do a little bit on the introduction here, so just read through this. It's going to ask these questions: which file is used to simulate the screenshots? So I'm just going to come here, just do a little cut and paste, submit. So it's http1.pcapng, and the exercise.pcapng is going to be that other file to answer the questions. Now I can see that I have both of those pcaps for me on the virtual machine that I can interact with here on TryHackMe. All right, so now let's go ahead and dig in. Now it's going to give me an overview of Wireshark as a tool, which is pretty cool, so we can read through this if we're new to Wireshark. Gives you a bit of a lay of the land, shows you the toolbar, display filters, recent files, all stuff that you've seen here on the channel as well, but it's just showing you that, just to give this a good overview of the tool. Coming down here, coloring packets, you've seen that on the channel as well, traffic sniffing, merging.

So now it's asking me, okay, so use the exercise.pcapng file to answer those questions. Let's go ahead and come over here to our virtual machine. I'm going to pop this open, and it might take you a little bit to get that pcap to open. You can see here it's taking some time here. Again, this is the exercise.pcapng file, and you'll know you got it right if you have 58,620 packets in this pcap, unless that's been changed since I did this recording, which is possible.

All right, so the first thing: read the capture file comments, what's the flag? Let's go to Statistics, Capture File Properties, and that's going to bring up our capture file properties. If I come down here you can take a look at your file comments. Okay, so the flag is TryHackMe Wireshark Demo, so let me just come over here, I'm just going to copy that, and the way that that works is I come into my clipboard and now I can just take and I can paste that in and I can just submit that. What's the total number of packets? We saw that already, 58,620. Okay, so there we go. And what's the SHA256 hash value of the capture? So let me show you where to find that. I'm just going to clear this out, put that clipboard away, and if I come into Statistics, and actually let me remove my head so I'm out of the way there, if I go to Capture File Properties and the hash SHA256 value, okay, so I can just take and I can just copy this one. Definitely don't want to have to type that one all the way out. All right, so here we go, there's that value. Let's go ahead and pop this in, answer format, let's submit that, and whoop whoop, answer is correct. Cool. So we went ahead and got through that second task, so let's go ahead and button this one up. Let's come down to that third task there.

So now this is just going to show me just a little bit deeper into Wireshark about packet dissection, the details. You can see the different addressing information that it's showing. So let's go ahead and answer these questions over here. So let's go ahead and take a look at packet number 38. Which markup language is used under the HTTP protocol? All right, so let me get this out of the way, I'm going to get my big old head out of the way for you too. Okay, so packet 38, okay, so I can just scroll down to it. Also as a trick, something I want to show you, this is something just as a good-to-know: if you ever come up here, you can actually, you see a little arrows here that are a little almost kind of grayed out. One of these arrows, Go to the specified packet, this will bring down a packet little drop-down there, and you can actually, if you want to, you can type in 38 and it'll jump to that packet. Now when you're just looking at a packet that's at the beginning of a pcap where you don't have a ton of things to comb through, that's not going to save you a ton of time, but let's just say I sent you a pcap and it had millions of packets in there and you had to jump to the 500,000th one. It's a little faster to do it that way instead of scroll, scroll, scroll, scroll, scroll, scroll, scroll to find that packet number. Again, that's going to be just up on top, you can hover over it, Go to the specified packet.

All right, so let's go ahead and keep going. So here we are on packet 38, and if I take a look at the markup language, okay, eXtensible Markup Language, so really that's the answer there. So let's go ahead and just type that in, so we're just going to do eXtensible Markup Language, submit. Okay, cool. So let's go ahead and move forward. What's the arrival date of the packet? Answer format is month/day/year. So to find that, if I come up here to the frame information, let me expand this, this is going to show me the month, day and year that it arrived into the analyzer that actually captured it. All right, so month is first, so if I come over here, arrival time May 13, 2004, a little bit ago. All right, so that's going to be 05 for May, it's going to be 13, and if I slash it, it's going to be 2004. I think they wanted the full year there. Yep, okay.

What's the time to live value? Okay, let's collapse our frame 38 and I'm going to expand IP, going to come down to our time to live, is 47. Now you know how to use that if you can watch my channel. So 47, that gives me a bit of a context on how far away this packet came from. Typically that number starts at 64, 128 or 255 and decrements with every router on its route back to me, so right away I can glance at that and get an idea of how far away that station is that likely sent this, unless something in the middle adjusted that number. Okay, okay, so what's the payload size? Now by payload, typically that means anything that's encapsulated within TCP, so I'm going to expand TCP, come down here to the segment length, and I'm going to try this number, 424, and let's submit, and sure enough that answer is correct. So that's my actual payload of the packet, so the actual application, then I have the TCP header, IP, and so on down to the Ethernet. All right, what's the ETag value? All right, so that's going to be an HTTP thing, so we can come down to the HTTP header, go ahead and double-click that or expand that caret, and if you come down to ETag here we can see we've got this value here. So what I'm going to do is I'm just going to actually right-click and I'm going to say Copy, Value, and I'm going to come over here to my clipboard, and here I'm just going to take that actual string itself, okay, and let's just do a copy. I'm going to come over here, ETag, and paste that in, and there we go. All right, so this shows us with exercise.pcapng just a few other ways that we can get into this data within a packet: so how to jump to a packet, looking at the frame information, and how to remove little values doing a right-click, Copy, Value. Okay, so that was task number three. Let's go ahead and move forward to task number four.

Okay, so now this is showing us a few other things: more navigation, packet numbers, how to jump to a packet, find packets, mark them, packet comments, exporting packets and objects. So this is going to be fun. All right, so you feel free to go ahead and read through this. I'm just jumping down to the answers here. Search for the r4w string in packet details, what's the name of artist 1? Okay, now keep in mind for this, a little bit tricky, if you're used to setting display filters maybe the temptation is to come up here and just say, oh, frame matches r4w, but that's not really what this exercise is asking. So this is just saying, hey, where does r4w exist at any packet, anywhere in this pcap? All right, so that's not really what I'm looking for. Instead, what I want to do, I'm going to just remove this. It says in packet details, not in the packet hex, so I want to look at the r4w string in the packet details. So how do we do that? Well, if I come up here I can go to my search, see, there's that little magnifying glass, it's a little grayed out there, and this is where I can go into Packet details, not list or bytes, and I'm going to be looking for a string. Okay, so not a filter, hex value, regular expression, I want a string, and that string in my red here is going to be r4w. All right, so find that, and we're digging through, so it found it here, and this is where we can see down here, it spotted it down here at the bottom, so artists.php and it says artist 1. So the question is, what is the name of artist 1? Okay, so over here I can just kind of count up the numbers or count up the amount of characters I'm looking for: one, two, three, four, five, six, seven. Okay, so if I come over here I can see that I've got the artists/images/logo.gif. I just want to make sure that I'm on the right packet here, yep I am, 200. Okay, and we found it down here, so artist and r4w8173, that definitely matches the string I'm looking for. So let's go ahead and try that, r4w, r4w and 8173, okay, submit. Correct answer. So that was it, so that r4w was the beginning of that artist name. Okay, so that's what I was looking for.

Go to packet 12, read the comments, what's the answer? Let me remove my filter, and anytime I'm further down in the pcap like this, I've got 37 packets up ahead of me so I'm going to go ahead and, and by the way, a second ago, I'm sorry if my head was in the way. You can see that I have that artist PHP here, and I was able to find that name over here on the right, so you should be able to do the same. All right, bringing my head back in. All right, so let's go ahead and jump back up to the top here, and if I go back to the beginning, this is my jump back to the beginning button, go back to the first packet, going to right-click, or I'm sorry, not right-click, just scroll, I'm going to come down to packet number 12. And right here, packet comments, if I actually right-click packet 12 I can come in and go to Packet Comments and it's going to show me the full comment here. At first it says it's not a flag, or this is not a flag. If I scroll down though, it's giving me further instructions. It's saying go to packet number 39765, go to the packet details pane, right-click on the JPEG section, Export Packet Bytes, alternative way of extracting data from a capture file. Okay, so 39765. Okay, so I'm going to go ahead and just jump to a packet, 39765, go. Okay, so I come down here to my JPEG File Interchange Format and I can see the number of bytes that are there. I'm going to go ahead and just right-click this and I'm going to Export Packet Bytes, and let's just name that 2.jpg, okay, and that's going to be kicked out to the desktop. I'm just going to do a quick little peek here and just show you a little something. Okay, this is going to set a filter on that, and if I can take a look up here, let's actually, this is the, okay, this is the GET response for the GET just up here, and if I expand HTTP this is where I can say, okay, this is where we're getting, you see we're getting /pictures/2.jpg. So I had actually just seen this before, so that's why I named it 2.jpg, so you might have been wondering where I got that name from. But there we go, so 2.jpg, and then the response came, and that's why I exported it and named it 2.jpg.

Okay, so now what? So let's go ahead and go to the rest of our instructions here. So here I've got this file. Now there's a bunch of different ways we can get the MD5 hash from this file. I just popped open a terminal just now, just navigated to my desktop, just going to take a look at that 2.jpg. So let's do md5sum and I'm going to do 2.jpg, boom. All right, so this is the actual MD5 hash, so let me come in here, just going to right-click that one or copy it and come into my clipboard, and let me just do this again, copy and boom, submit, and that's our right answer. So way to go if you followed that. Now typically for me and my analysis workflow, I'm not going to approach a file, or exporting that file, the way that TryHackMe is asking you to do it. Typically what I'm going to do is go up to the File menu and then go to Export Objects, come over here to HTTP, because that was actually an object that was transferred over HTTP. From down here, text filter, I can just do jpg for JPEG, and then I can see that packet number associated with that file that I want to export, and it even gives me the file name, 2.jpg. I can just hit Save and then I can export that to my desktop and then I can go ahead and look up that MD5 that way. I just wanted to show you that I typically would do it that way. Now this can also help me with the next question that we have in this section. It's asking for a text file, so instead of JPEG let's just come in here, just do txt, and here I've just got one text file in this pcap, note.txt. Let's save it, and I'm going to just save it out to the desktop, hit Save, and then going to come in here and just going to, let's just open it up, and when I pop that open with Pluma I can see note.txt and there's actually a picture of an alien here, and packet master, it looks like that's the name. So let's go ahead and just type that in, packet master, submit. Good. Okay, so that's that flag.

Just going to close this down and I'm going to jump over back into my packets and reset things, and now it says look at the Expert Info section, what's the number of warnings? So there's two ways that you can get to the Expert Info section. You can either come down here to this little, basically the little circle there that's red. If you select that it's going to bring up the Expert Information, and it said what's the number of warnings. Okay, so if I come here, if I just expand this out just a little bit, I can come over here to the right and I can see 1636 is the number of warning-level events. Okay, so that's not error-level events or notes or chats, but just the warning-level events. If you expand this out you can actually see what some of those detailed warnings are, and if you select this you can actually jump back into the packets. And so the Wireshark Expert, honestly I don't use it a whole lot, but it's a good way to just head-check to see if you have any low-hanging fruit, if you have anything that jumps out to Wireshark as a problem in the pcap. Okay, so that's the end of task number four.

So let's go ahead and go down here to, all right, packet filtering. So right now we're in exercise.pcapng. It's always good to come in here and take a read through here, how to colorize, how to add columns. I've got more of that kind of content on my channel so I won't go through that with you right now, but what we're going to do is go to packet four, right-click on Hypertext Transfer Protocol, apply it as a filter. Okay, look at the filter pane, what's the filter query? Okay, so let's go ahead and say close, and I'm going to jump back up to the top and I'm going to come down to packet number four. All right, so it's coming down to HTTP and it says right-click and Apply as Filter, Selected. So our filter that we've actually applied there is http, so any packets that match that filter will be displayed for us. So I'm just going to come over here and just say http, that's our filter query. What's the number of displayed packets? I've got 1089 that match that filter.

Okay, so on the next question we're asked to go to packet number 33790, follow the stream, and then get what's the total number of artists. So after tinkering with this just a little bit, I did find that I wasn't able to find the answer to this question from actually within this Follow Stream. I'd remember that before you could do a find and do artists and this would give you, okay, artist.php, and then you have another artist example down there, and then you're basically bouncing between those two instances. Remember before we used to be able to do artist equals one and we would get a hit for that, but we're not in this one. I think maybe something might have changed with this pcap, but not all is lost. Let's go ahead and, I just want to show you another way to do this, okay, and you might find other ways. So I'm just going to show you how I would actually do this. Let me just do close. Okay, so I'm not going to do this through the Follow TCP Stream the way that TryHackMe is asking me. Instead, what I'm going to do is I'm just going to do File, Export Objects, HTTP, and I'm interested in artist. Okay, so the first one, artist.php, what I'm going to do is I'm just going to save this, save that to my local desktop, and let's just hit Save. And then I'm going to come out here, so now that I have this on my desktop here, I'm going to, let me get myself out of the way, all right, I'm going to go ahead and right-click this one and just do an Open With Pluma, and that'll open up that PHP script, and I can take a look through it and get an answer to the question. So the question was, how many artists are there? So we already know that we have artist 1, we've seen that before, and here's our name of that artist, and then I have artist 2 and artist 3. So it looks like artist 2 is blad3, Blade with a three, and lyzae is the artist number 3. So that tells me I've got three artists, and the name of the second artist is b-l-a-d-3.

Okay, so instead of actually doing that through Follow TCP Stream, I did get it to work by extracting that PHP script and then opening it up there locally, and I was able to see what was going on. Okay, so that was task number five. Let's go ahead and keep going here, down with the conclusion: congratulations, you just finished the Wireshark: The Basics room. In this room we covered Wireshark. So if you'd like to go and continue on with the next room, I'm going to be doing a write-up on that as well. You might have noticed that there's lots of tips and tricks that I shared with you on this video, things that I bring from my real packet analysis work that I do, and how I would apply that to a CTF or a TryHackMe room like this. So congratulations, everybody, thanks for sticking with me, and I will see you again on another TryHackMe room walkthrough. Take care, everybody.
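The walkthrough reads four things off a single packet by hand: the IP time to live (and the hop estimate drawn from the common 64/128/255 starting values), the TCP segment length that the room calls the payload size, the HTTP ETag header, and finally the MD5 of an exported object. The following Python script is an added example, not code from the video or from TryHackMe, that does the same dissection programmatically on a hand-built Ethernet/IPv4/TCP/HTTP frame. The frame, the addresses, the ETag string and the HTML body are all constructed for this example and are not taken from exercise.pcapng; the function names are mine. It also makes the usual caveat explicit in code: the hop estimate assumes the sender used one of the three common initial TTLs and that nothing on the path rewrote the field.

```python
import hashlib
import struct

# Constructed sample object and HTTP response (not from exercise.pcapng).
HTTP_BODY = b"<html><body>hello</body></html>"
HTTP_RESPONSE = b"".join([
    b"HTTP/1.1 200 OK\r\n",
    b"Content-Type: text/html\r\n",
    b'ETag: "9a8b7c6d"\r\n',
    b"Content-Length: " + str(len(HTTP_BODY)).encode() + b"\r\n",
    b"\r\n",
    HTTP_BODY,
])


def build_frame(ttl: int, payload: bytes) -> bytes:
    """Build a raw Ethernet II / IPv4 / TCP frame carrying `payload` (constructed)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_total_len = 20 + 20 + len(payload)  # IPv4 header + TCP header + segment data
    # IPv4: ver/IHL, DSCP, total length, id, flags/frag, TTL, proto 6 (TCP),
    # checksum (left as 0 here), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0x4000, ttl, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    # TCP: sport 80, dport, seq, ack, data offset 5 words, flags PSH|ACK,
    # window, checksum (left as 0), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 80, 51234, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def estimate_hops(ttl: int) -> tuple:
    """Return (assumed initial TTL, routers crossed). Heuristic only: it assumes
    the sender started at 64, 128 or 255 and that no middlebox rewrote the TTL."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range")


def parse_http_headers(payload: bytes) -> dict:
    """Split an HTTP message into its header fields (names lower-cased)."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status/request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def hash_object(data: bytes) -> dict:
    """Same digests you would get from md5sum / sha256sum on an exported object."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP -> HTTP and pull out the fields the room asks for."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    ttl = frame[ip + 8]
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    seg_len = total_len - ihl - data_off  # Wireshark's TCP segment length
    payload = frame[tcp + data_off:tcp + data_off + seg_len]
    body = payload.partition(b"\r\n\r\n")[2]  # the object a GET response carries
    return {
        "ttl": ttl,
        "hops": estimate_hops(ttl),
        "segment_length": seg_len,
        "etag": parse_http_headers(payload).get("etag"),
        "object_hashes": hash_object(body),
    }


if __name__ == "__main__":
    for key, value in dissect(build_frame(47, HTTP_RESPONSE)).items():
        print(f"{key}: {value}")
```

Run it as-is and it reports TTL 47 as 17 hops from an assumed initial 64, the segment length equal to the whole HTTP response, the ETag value with its quotes (the same string Copy, Value gives you in Wireshark), and the digests of the body that an Export Objects save plus md5sum would produce.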
Info
Channel: Chris Greer
Views: 13,547
Keywords: tryhackme, wireshark, wireshark 2023, wireshark filters, wireshark training, wireshark basics, wireshark tutorial
Id: yG7qx1y4v90
Length: 20min 23sec (1223 seconds)
Published: Thu Dec 15 2022