By CSC
- Wireshark
  - Network packet analyzer
  - Can also be used to capture packets
  - Packet capture files have a .pcap extension
  - Online network packet analyzer: https://appliance.cloudshark.org/
- MAC Address = Media Access Control Address
  - Unique identifier assigned to a network interface (48 bits, written as six hex bytes)
  - Ex. 00-50-56-C0-00-01
- Promiscuous mode
  - The interface passes up every frame it sees, not only frames addressed to its own MAC
  - All packets on the segment are captured
  - Requires sudo or an account in the wireshark group
  - Not supported by all network cards (many wireless adapters in particular)
- PNRP = Peer Name Resolution Protocol
  - Peer-to-peer name resolution protocol designed by Microsoft
- ARP = Address Resolution Protocol
  - Maps an IPv4 address on the local network to a MAC address
- Display filters
  - Filter by IP address (matches source or destination)
    - ip.addr == 192.168.1.1
  - Filter by source or destination IP only
    - ip.dst == 192.168.1.1
    - ip.src == 192.168.1.1
  - Filter by source and destination
    - ip.src == 192.168.1.1 && ip.dst == 192.168.1.2
  - Multiple IP addresses
    - ip.addr == 192.168.1.1 || ip.addr == 192.168.1.2
  - Show everything except one address
    - !(ip.addr == 192.168.1.1)
    - Note: ip.addr != 192.168.1.1 does not do this. It matches any packet where at least one of ip.src or ip.dst differs from the address, which is almost every packet. Negate the whole comparison instead.
  - Filter by protocol
    - http
    - http || arp
    - http && ip.src == 192.168.1.1
  - Filter by port
    - tcp.port eq 80
  - Display all HTTP requests (any method)
    - http.request
  - Display only HTTP GET requests
    - http.request.method == "GET"
  - Display only HTTP POST requests
    - http.request.method == "POST"
  - Display all HTTP and DNS traffic
    - http or dns
  - Filter out ARP, DNS, and ICMP packets
    - !(arp or icmp or dns)
- Follow TCP Stream
  - Reassembles both directions of one connection into a single readable conversation
  - Useful for viewing requests and logins in plaintext protocols
    - HTTP
    - Telnet
  - Encrypted connections show only ciphertext, since the session keys are not in the capture
    - HTTPS
    - SSH
- Wireshark cannot edit or modify packets; it is a passive analyzer
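As an added illustration (not part of these notes or of any of the CTF files), the Python script below builds a small constructed capture in memory, parses it as a classic .pcap, and applies the display filters above as Python predicates (ip.addr, ip.src/ip.dst, tcp.port, http.request.method, &&, ||, !) before following the telnet stream to recover the typed password, which is what the telnet challenge further down asks for against a real capture. The addresses, ports, login prompt, and password are assumptions chosen for the example; the frames carry zero IP/TCP checksums because the parser never checks them, and only little-endian classic pcap with the Ethernet link type is handled (not pcapng).

```python
"""Added example: a tiny pcap reader with Wireshark-style display filters and
"Follow TCP Stream", run over a constructed telnet + HTTP capture."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4            # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
MAC_A, MAC_B = bytes.fromhex("005056c00001"), bytes.fromhex("005056c00002")


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame. Checksums are left zero: this parser never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return MAC_B + MAC_A + struct.pack("!H", ETH_IPV4) + ip + tcp


def build_arp_frame():
    """Broadcast frame with the ARP ethertype; the ARP body itself is not decoded here."""
    return b"\xff" * 6 + MAC_A + struct.pack("!H", ETH_ARP) + b"\x00" * 28


def build_pcap(frames):
    """Wrap frames in a .pcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Decode each record's Ethernet -> IPv4 -> TCP/UDP headers into a flat dict."""
    magic, = struct.unpack("<I", data[:4])
    linktype, = struct.unpack("<I", data[20:24])
    assert magic == PCAP_MAGIC and linktype == LINKTYPE_ETHERNET, "unsupported pcap"
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"no": len(packets) + 1, "time": ts_sec + ts_usec / 1e6, "proto": None,
               "src": None, "dst": None, "sport": None, "dport": None, "payload": b""}
        ethertype, = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_ARP:
            pkt["proto"] = "arp"
        elif ethertype == ETH_IPV4:
            total_len, = struct.unpack("!H", frame[16:18])   # ignore any Ethernet padding
            ip = frame[14:14 + total_len]
            ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
            pkt.update(src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]),
                       proto=PROTO_NAMES.get(proto, str(proto)))
            l4 = ip[ihl:]
            if proto in (6, 17):
                pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
                hdr = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset / UDP header
                pkt["payload"] = l4[hdr:]
        packets.append(pkt)
    return packets


# Display-filter building blocks, named after the Wireshark expressions they mirror.
def ip_addr(a): return lambda p: a in (p["src"], p["dst"])            # ip.addr == a
def ip_src(a): return lambda p: p["src"] == a                          # ip.src == a
def ip_dst(a): return lambda p: p["dst"] == a                          # ip.dst == a
def proto(name): return lambda p: p["proto"] == name                   # tcp / udp / arp / icmp
def tcp_port(n): return lambda p: p["proto"] == "tcp" and n in (p["sport"], p["dport"])
def http_request_method(m): return lambda p: p["payload"].startswith(m.encode() + b" ")
def all_of(*fs): return lambda p: all(f(p) for f in fs)                # &&
def any_of(*fs): return lambda p: any(f(p) for f in fs)                # ||
def not_(f): return lambda p: not f(p)                                  # !


def apply_filter(packets, f):
    return [p for p in packets if f(p)]


def follow_tcp_stream(packets, ip_a, port_a, ip_b, port_b):
    """Concatenate both directions' TCP payload in capture order (Follow TCP Stream)."""
    ends = {(ip_a, port_a), (ip_b, port_b)}
    return b"".join(p["payload"] for p in packets if p["proto"] == "tcp"
                    and {(p["src"], p["sport"]), (p["dst"], p["dport"])} == ends)


# Constructed sample capture (not a real CTF file): one ARP frame, a telnet login, two HTTP requests.
CLIENT, SERVER, WEB = "192.168.1.1", "192.168.1.2", "10.0.0.5"
SAMPLE_PCAP = build_pcap([
    build_arp_frame(),
    build_tcp_frame(SERVER, CLIENT, 23, 40000, b"login: "),
    build_tcp_frame(CLIENT, SERVER, 40000, 23, b"admin\r\n"),
    build_tcp_frame(SERVER, CLIENT, 23, 40000, b"Password: "),
    build_tcp_frame(CLIENT, SERVER, 40000, 23, b"hunter2\r\n"),
    build_tcp_frame(CLIENT, WEB, 40001, 80, b"GET / HTTP/1.1\r\nHost: web\r\n\r\n"),
    build_tcp_frame(CLIENT, WEB, 40002, 80, b"POST /login HTTP/1.1\r\nHost: web\r\n\r\n"),
])


def telnet_password(pcap_bytes):
    """Filter to tcp.port eq 23, follow the stream, and read what was typed after the prompt."""
    pkts = apply_filter(parse_pcap(pcap_bytes), tcp_port(23))
    stream = follow_tcp_stream(pkts, CLIENT, 40000, SERVER, 23)
    return stream.split(b"Password: ", 1)[1].split(b"\r\n", 1)[0].decode()


if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(len(apply_filter(pkts, not_(any_of(proto("arp"), proto("icmp"))))), "non-ARP/ICMP packets")
    print(len(apply_filter(pkts, all_of(tcp_port(80), http_request_method("POST")))), "HTTP POST")
    print("telnet password:", telnet_password(SAMPLE_PCAP))
```

The predicates compose the same way Wireshark's operators do, so `all_of(ip_src(CLIENT), ip_dst(SERVER))` is `ip.src == 192.168.1.1 && ip.dst == 192.168.1.2`, and `not_(ip_addr(x))` is the correct `!(ip.addr == x)` form rather than the misleading `ip.addr != x`. On a real telnet capture the same approach works after replacing the constructed SAMPLE_PCAP with `open("session.pcap", "rb").read()` and the assumed endpoints with the ones the filter reveals; if the file is pcapng or big-endian pcap, the magic check will refuse it rather than silently misparse.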
“You notice that the indicator light near the robot’s antenna begins to blink. Perhaps the robot is connecting to a network? Using a wireless card and the network protocol analyzer Wireshark, you are able to create a PCAP file containing the packets sent over the network. You suspect that the robot is communicating with the crashed ship. Your goal is to find the location of the ship by inspecting the network traffic. You can perform the analysis online on Cloudshark or you can download the PCAP file.”
Cloudshark URL: http://www.cloudshark.org/captures/bc1c0a7fae2c
PCAP File: https://2013.picoctf.com/problems/first_contact.pcap
Provided below is a pcap of a telnet session. Your task is to find the telnet password used to log in to the server.
URL: https://drive.google.com/open?id=0B5DvBrjbHOdPZzQ2NGE3a280LTg
“Some dude I know is planning a party at some bar in New York! I really want to go but he’s really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don’t know what else to do. Do you think there’s any way you can find out the secret password to get into the party for me?”
URL: https://drive.google.com/open?id=0B5DvBrjbHOdPOXhLUHY2NkZQMUE
Hint: The file is pretty big (65 MB). Maybe you should use some filters?
URL: https://drive.google.com/open?id=0B5DvBrjbHOdPTUNhWlJqTTVXYnc
Hint: The pcap file is a capture of a USB device. Try to find out what type of USB device it is!