@tcyrus
Last active August 29, 2015 14:16

Understudy Program Lectures

Systems Lab Architecture

Introduction to Networking

By CSC

What is Wireshark?

  • Network Packet Analyzer
  • Can also be used to capture packets
  • Packet capture files have a .pcap extension

Online Network Packet Analyzer https://appliance.cloudshark.org/

MAC Addresses

  • Media Access Control Address
  • Unique Identifier assigned to network interfaces
  • Ex. 00-50-56-C0-00-01

Promiscuous Mode

  • Disables the network card's address filtering, so frames not addressed to this host are passed up as well
  • All packets seen on the wire are captured
  • Requires sudo or account in wireshark group
  • Not supported by all network cards

Notes

  • PNRP = Peer Name Resolution Protocol
    • Peer to Peer Protocol designed by Microsoft
  • ARP = Address Resolution Protocol

Filtering

  • Filter by IP Address
    • ip.addr == 192.168.1.1
  • Filter by Source or Destination IP
    • ip.dst == 192.168.1.1
    • ip.src == 192.168.1.1
  • Filter by Source and Destination
    • ip.src == 192.168.1.1 && ip.dst == 192.168.1.2
  • Multiple IP Addresses
    • ip.addr == 192.168.1.1 || ip.addr == 192.168.1.2
  • Show all but address
    • ip.addr != 192.168.1.1
  • Filter by Protocol
    • http
    • http || arp
    • http && ip.src == 192.168.1.1
  • Filter by Port
    • tcp.port eq 80
  • Display all HTTP requests (GET, POST, and the rest)
    • http.request
  • Display only HTTP POST requests
    • http.request.method == "POST"
  • Display all HTTP and DNS traffic
    • http or dns
  • Filter out ARP, DNS, and ICMP packets
    • !(arp or icmp or dns)

Follow TCP Stream

  • View Data from TCP Stream
  • Useful for viewing requests
    • HTTP
    • Telnet
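The filters above and "Follow TCP Stream" can be reproduced by hand on a raw pcap file. The following is an added example (not part of the lecture notes): it builds a small, constructed capture in memory, parses the pcap record headers and the Ethernet/IPv4/TCP layers into Wireshark-style field names, and implements `ip.addr`, `tcp.port` and stream-following over those records. All addresses, ports and payloads are made up.

```python
import socket
import struct

# Constructed Ethernet/IPv4/TCP frame with fixed MACs and zero checksums; sample input only.
def build_frame(src_ip, dst_ip, sport, dport, payload):
    eth = bytes.fromhex("005056c00002") + bytes.fromhex("005056c00001") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

# Classic little-endian pcap: 24-byte global header (linktype 1 = Ethernet), then per-packet records.
def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Walk the records and decode Ethernet/IPv4/TCP into Wireshark-style field names.
def parse_pcap(data):
    records, off = [], 24
    while off < len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # skip anything but IPv4/TCP
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        records.append({
            "eth.src": frame[6:12].hex("-").upper(), "eth.dst": frame[0:6].hex("-").upper(),
            "ip.src": socket.inet_ntoa(frame[26:30]), "ip.dst": socket.inet_ntoa(frame[30:34]),
            "tcp.srcport": int.from_bytes(tcp[0:2], "big"), "tcp.dstport": int.from_bytes(tcp[2:4], "big"),
            "data": tcp[(tcp[12] >> 4) * 4:],
        })
    return records

def ip_addr(r, a): return a in (r["ip.src"], r["ip.dst"])               # ip.addr == a
def tcp_port(r, p): return p in (r["tcp.srcport"], r["tcp.dstport"])    # tcp.port eq p

# Follow TCP Stream: payloads of both directions of one connection, in capture order.
def follow_tcp_stream(records, ip_a, port_a, ip_b, port_b):
    ends = {(ip_a, port_a), (ip_b, port_b)}
    return b"".join(r["data"] for r in records
                    if {(r["ip.src"], r["tcp.srcport"]), (r["ip.dst"], r["tcp.dstport"])} == ends)

# Constructed capture: one HTTP exchange on port 80 plus an unrelated packet to port 22.
SAMPLE = build_pcap([
    build_frame("192.168.1.1", "192.168.1.2", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("192.168.1.2", "192.168.1.1", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame("192.168.1.3", "192.168.1.2", 40002, 22, b"SSH-2.0-noise"),
])
```

`[r for r in parse_pcap(SAMPLE) if ip_addr(r, "192.168.1.1") and tcp_port(r, 80)]` is the hand-rolled equivalent of the display filter `ip.addr == 192.168.1.1 && tcp.port eq 80`.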

Limitations

  • Encrypted Connections
    • HTTPS
    • SSH
  • Cannot edit packets

PicoCTF 2013 Problem

“You notice that the indicator light near the robot’s antenna begins to blink. Perhaps the robot is connecting to a network? Using a wireless card and the network protocol analyzer Wireshark, you are able to create a PCAP file containing the packets sent over the network. You suspect that the robot is communicating with the crashed ship. Your goal is to find the location of the ship by inspecting the network traffic. You can perform the analysis online on Cloudshark or you can download the PCAP file.”

Cloudshark URL: http://www.cloudshark.org/captures/bc1c0a7fae2c

PCAP File: https://2013.picoctf.com/problems/first_contact.pcap

CSAW 2012 CTF Problems

Provided below is a pcap of a telnet session. Your task is to find the telnet password used to log in to the server.

URL: https://drive.google.com/open?id=0B5DvBrjbHOdPZzQ2NGE3a280LTg

“Some dude I know is planning a party at some bar in New York! I really want to go but he’s really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don’t know what else to do. Do you think there’s any way you can find out the secret password to get into the party for me?”

URL: https://drive.google.com/open?id=0B5DvBrjbHOdPOXhLUHY2NkZQMUE

Hint: The file is pretty big (65 MB). Maybe you should use some filters?

Difficult CSAW 2012 CTF Problem

URL: https://drive.google.com/open?id=0B5DvBrjbHOdPTUNhWlJqTTVXYnc

Hint: The pcap file is a capture of a USB device. Try to find out what type of USB device it is!

Networked Storage Technologies
