I recently started my cybersecurity journey and completed Google's Cybersecurity course on Coursera. I then embarked on the Blue Team Junior Analyst Pathway Bundle by Security Blue Team, which is entirely self-paced and free. This article is part of a series detailing my solutions to various activities covered on the platform. In this instalment, I will tackle the first activity, which involves analyzing network traffic with Wireshark.
To find the protocol used over port 3942, I applied the filter `tcp.port == 3942 or udp.port == 3942` and found that the protocol used is SSDP (Simple Service Discovery Protocol).

To find the IP address of the host that was pinged twice, I applied the filter `icmp.type == 8` (ICMP echo requests) and found the IP address to be 8.8.4.4.

To count DNS query response packets, I applied the filter `dns.flags.response == 1` and found that 90 packets were captured.

To find the IP address of the host that sent the most bytes, I went to Statistics > Endpoints, sorted by the Tx Bytes column, and found the IP address to be 115.178.9.18.
To find the WebAdmin password, I applied the filter `http` to show all HTTP traffic, located the response (frame 4123) to the GET request in frame 4121, and right-clicked on frame 4123 to select "Follow > HTTP Stream". The password is visible in the stream as "sbt123".

To find the version number of the attacker's FTP server, I checked the first frame (4243) and found the response to be "pyftpdlib 1.5.5 ready", indicating the version number is 1.5.5.

To find the port used to gain access to the victim Windows host, I applied the filter `ip.src == 192.168.56.1 and ip.dst == 192.168.56.103 and tcp.flags.ack == 1` and found the port used is 8081.

To find the name of a confidential file on the Windows host, I right-clicked on the first frame (4130) from the previous step and selected "Follow > TCP Stream". The confidential file name is visible in the stream as "Employee_Information_CONFIDENTIAL.txt".

To find the name of the log file that was created at 4:51 AM on the Windows host, I looked at the same TCP stream as in the previous question and found that the log file created at 4:51 AM is named "LogFile.log".
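Wireshark display filters are just tests on header fields, so it helps to see what `icmp.type == 8`, `dns.flags.response == 1`, `tcp.flags.ack == 1` and the Endpoints "Tx Bytes" column actually inspect. The script below is an added example of mine, not part of the original activity or the Security Blue Team materials: it builds a small constructed pcap in memory (Ethernet/IPv4 frames with made-up hosts and MAC addresses), then walks it and reproduces those four checks by reading the same bytes Wireshark does. The frames and addresses are constructed for illustration only.

```python
"""Reproduce four Wireshark checks over a constructed pcap (added example).

icmp.type == 8        -> ICMP type byte equals 8 (echo request)
dns.flags.response==1 -> QR bit (0x8000) set in the DNS header flags
tcp.flags.ack == 1    -> ACK bit (0x10) set in the TCP flags byte
Statistics > Endpoints, Tx Bytes -> frame length summed per source IP
"""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, flags):
    """20-byte TCP header; data offset 5, flags byte carries SYN/ACK bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp(kind):
    return struct.pack("!BBHHH", kind, 0, 0, 1, 1)  # type, code, csum, id, seq


def dns(flags):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)  # 12-byte header


def frame(payload):
    """Ethernet II header with constructed MAC addresses."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ETH_IPV4) + payload)


def build_pcap(frames):
    """Classic pcap: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, layer4_bytes, frame_len) for IPv4 frames."""
    off = 24
    while off < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl]
        off += incl
        if struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, dst, ip[9], ip[ihl:], len(pkt)


def echo_request_targets(pcap):
    """icmp.type == 8: which hosts were pinged, and how many times."""
    return Counter(dst for _, dst, proto, l4, _ in parse_pcap(pcap)
                   if proto == PROTO_ICMP and l4[0] == 8)


def dns_response_count(pcap):
    """dns.flags.response == 1: UDP/53 packets whose DNS QR bit is set."""
    count = 0
    for _, _, proto, l4, _ in parse_pcap(pcap):
        if proto != PROTO_UDP or 53 not in struct.unpack_from("!HH", l4, 0):
            continue
        if struct.unpack_from("!H", l4, 8 + 2)[0] & 0x8000:
            count += 1
    return count


def acked_ports(pcap, src, dst):
    """ip.src == src and ip.dst == dst and tcp.flags.ack == 1 -> dst ports."""
    return {struct.unpack_from("!HH", l4, 0)[1]
            for s, d, proto, l4, _ in parse_pcap(pcap)
            if s == src and d == dst and proto == PROTO_TCP and l4[13] & 0x10}


def tx_bytes_by_host(pcap):
    """Statistics > Endpoints, Tx Bytes: frame bytes summed per source IP."""
    totals = Counter()
    for src, _, _, _, flen in parse_pcap(pcap):
        totals[src] += flen
    return totals


# Constructed sample capture: two pings, one DNS query with two responses,
# and a SYN then ACK from 192.168.56.1 to port 8081 on 192.168.56.103.
SAMPLE = build_pcap([
    frame(ipv4("192.168.56.103", "8.8.4.4", PROTO_ICMP, icmp(8))),
    frame(ipv4("8.8.4.4", "192.168.56.103", PROTO_ICMP, icmp(0))),
    frame(ipv4("192.168.56.103", "8.8.4.4", PROTO_ICMP, icmp(8))),
    frame(ipv4("8.8.4.4", "192.168.56.103", PROTO_ICMP, icmp(0))),
    frame(ipv4("192.168.56.103", "192.168.56.1", PROTO_UDP, udp(5353, 53, dns(0x0100)))),
    frame(ipv4("192.168.56.1", "192.168.56.103", PROTO_UDP, udp(53, 5353, dns(0x8180)))),
    frame(ipv4("192.168.56.1", "192.168.56.103", PROTO_UDP, udp(53, 5353, dns(0x8180)))),
    frame(ipv4("192.168.56.1", "192.168.56.103", PROTO_TCP, tcp(40000, 8081, 0x02))),
    frame(ipv4("192.168.56.1", "192.168.56.103", PROTO_TCP, tcp(40000, 8081, 0x10))),
])

if __name__ == "__main__":
    print("pinged:", dict(echo_request_targets(SAMPLE)))
    print("dns responses:", dns_response_count(SAMPLE))
    print("acked ports:", acked_ports(SAMPLE, "192.168.56.1", "192.168.56.103"))
    print("top talker:", tx_bytes_by_host(SAMPLE).most_common(1))
```

The same functions run unchanged on a real capture: replace `SAMPLE` with `open("capture.pcap", "rb").read()` (classic pcap with Ethernet link type, not pcapng). Note that `tx_bytes_by_host` matches the Endpoints view only when IPv4 frames dominate the capture, since non-IPv4 frames are skipped here.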