BTJA Wireshark Challenge - PCAP 2 Walkthrough

Summary:

My walkthrough of analyzing PCAP 2 of the Wireshark Challenge from Security Blue Team’s Blue Team Junior Analyst Pathway

1. What is the WebAdmin password?

• Edit > Find Packet.

• Apply these Find Packet parameters at the top: Packet Details, String, ”WebAdmin”, Find.
• In the packet details pane, notice a message in this highlighted line of HTML code that includes the text “webadmin”.

• Let’s find the password.txt file and find the webadmin password.
• In the Find Packet options, change the first option to Packet list, and type in the string “password.txt” ,then click Find.
• An HTTP GET request is highlighted in the packet list which contains the string “password.txt”.

• Right-click the packet and Follow the HTTP stream to see the contents of the password.txt file.

• The WebAdmin password is “sbt123”

2. What is the version number of the attacker’s FTP server?

• Right-click the source IP address in the GET request packet and apply it as a selected filter.
• Add and ftp to the current display filter to find all ftp traffic from the IP address in question.

• In the packet details pane, the FTP info shows version 1.5.5.

3. Which port was used to gain access to the victim Windows host?

• Change the display filter so it only shows packets where 192.168.56.1 is the source IP.
• A series of ACKs indicates an established connection; looks like this starts at the same time we see port 8081 as the destination port.

4. What is the name of a confidential file on the Windows host?

• I followed the TCP stream of TCP Retransmission packet 4258 which dropped me in at stream 2079.

• I used the arrows at the bottom right of the TCP stream window to move between streams.
• I eventually found stream 2075 which shows commands being used to list the contents of the desktop. The confidential file is listed below.

5. What is the name of the log file that was created at 4:51 AM on the Windows host?

• In stream 2075 the desktop contents also show a LogFile.log file created at 4:51 AM.

Conclusion:

• The Find Packet feature was helpful.
• Following and examining TCP streams was helpful.