Wire Shark Analysis
Wireshark
Penetration Testing Document Title
September 18, 2015
Wireshark Basics
Using Wireshark it is possible to capture traffic on the network and analyze it at a later time. Wireshark can also exclude traffic such as ARP and DNS using capture filters, which simply ignore that traffic as it appears on the network.
In this case (shown below) a TCP packet was captured on the network and its TCP stream was followed.
As shown above, an HTTP connection was made to www.frozenbox.org. Following the TCP stream revealed information such as timestamps, browser information and domain information.
If a user captures all traffic, a filter can be applied afterwards to exclude certain traffic. As shown below, a filter was created to exclude TCP traffic on port 80; this is helpful when all traffic on a network needs to be captured but only certain traffic needs to be viewed.
Pcapr
Pcapr.net is an online database of pcaps for anyone looking to analyze network traffic. In this case a malware capture called Regin was selected. This malware is essentially a Trojan that does not store files on a system. Its major components communicate using ICMP and send commands using various protocols.
As shown here, multiple HTTP GET requests are made to various web pages. The HTTP requests can be logged by the malware, which also has the capability to remotely control a system. The main purpose of this malware is simply data collection.
Anne's Exploit
Anne has created and used an exploit on a company. The following information was
gathered using Wireshark.
1. What was the full URI of Vick Timmes' original web request? (Please include the port in your
URI.)
a. http://10.10.10.10:8080/index.php
2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this
code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their
data element with a string. What was the value of this string?
a. vEI
3. Vick's computer made a second HTTP request for an object.
a. What was the filename of the object that was requested?
/index/phpmfKSxSANkeTeNrah.gif
4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second, i.e. 49.5 seconds.)
a. It opened 1.3 seconds into the capture
5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second, i.e. 49.5 seconds.)
a. It stayed open for 87.6 seconds
6. In packet 17, the malicious server sent a file to the client.
a. What type of file was it? Choose one:
Windows executable
GIF image
PHP script
Zip file
Encrypted data
7. Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after
the original connection on port 4444 was closed. With respect to these repeated failed connection
attempts:
a. How often does the TCP initial sequence number (ISN) change? (Choose one.)
Every packet
Every 60 seconds
Every packet
Every 60 seconds
Every packet
Every 60 seconds
8. Eventually, the malicious server responded and opened a new connection. When was the TCP
connection on port 4445 first successfully completed? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second, i.e. 49.5 seconds.)
a. 124 seconds since first packet
9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was
the MD5 sum of this executable file?
a. Exact same as before
10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second, i.e. 49.5 seconds.)
a. 198.4 seconds since first packet
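The following Python script is an added example and is not part of the original writeup or of Anne's capture. It does by hand what the Wireshark Basics section and the Anne's Exploit questions do in the Wireshark GUI: it parses a libpcap file directly, skips non-TCP frames the way a capture filter would, applies the equivalent of the "exclude TCP port 80" display filter, reports when a TCP session on a given port opened and closed relative to the first packet (the form questions 4, 5, 8 and 10 ask for), lists the ISN of every connection attempt toward a port (question 7), and reassembles one side of a stream in sequence order to hash it (question 9). The capture it analyses is constructed inside the script: the hosts 10.10.10.70 and 10.10.10.10, the ports, the timestamps and the "MZ"/"PE" payload are all invented for the example, MAC addresses and checksums are zeroed, and the Packet/parse_pcap/session_times names are this example's own.

```python
import hashlib
import struct
from typing import List, NamedTuple, Optional, Tuple

SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10

Packet = NamedTuple("Packet", [("ts", float), ("src", str), ("dst", str), ("sport", int),
                               ("dport", int), ("seq", int), ("flags", int), ("payload", bytes)])

# ---- constructed sample capture: hypothetical hosts, zeroed MACs and checksums ----
def tcp_frame(src, dst, sport, dport, seq, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with no options; checksums left at 0 (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zero MACs, EtherType IPv4

def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file, LINKTYPE_ETHERNET."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)

C, S = "10.10.10.70", "10.10.10.10"  # hypothetical victim workstation and malicious server
ARP = b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28  # an ARP frame the TCP-only parser must skip
SAMPLE_PCAP = build_pcap([
    (0.00, tcp_frame(C, S, 1032, 80, 1000, SYN)),
    (0.01, ARP),
    (0.02, tcp_frame(C, S, 1032, 80, 1001, PSH | ACK, b"GET /index.php HTTP/1.1\r\n\r\n")),
    (1.30, tcp_frame(C, S, 1033, 4444, 5000, SYN)),                                # session opens
    (1.32, tcp_frame(S, C, 4444, 1033, 9000, SYN | ACK)),
    (2.00, tcp_frame(S, C, 4444, 1033, 9001, PSH | ACK, b"MZ" + b"\x90" * 6)),  # fake "executable"
    (2.05, tcp_frame(S, C, 4444, 1033, 9009, PSH | ACK, b"PE\x00\x00")),
    (88.90, tcp_frame(C, S, 1033, 4444, 5001, FIN | ACK)),                         # session closes
    (100.0, tcp_frame(C, S, 1034, 4445, 7000, SYN)),                               # retry toward 4445
    (103.0, tcp_frame(C, S, 1034, 4445, 7000, SYN)),                               # retransmission: same ISN
    (163.0, tcp_frame(C, S, 1035, 4445, 8100, SYN)),                               # fresh attempt: new ISN
])

# ---- the parser: the part Wireshark normally does for you ----
def parse_pcap(data: bytes) -> List[Packet]:
    """Walk a little-endian libpcap file and return every IPv4/TCP packet in it."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    pkts, off = [], 24  # 24-byte global header, then 16-byte record headers
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = parse_frame(sec + usec / 1e6, data[off:off + incl])
        off += incl
        if pkt:
            pkts.append(pkt)
    return pkts

def parse_frame(ts: float, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP; anything else (ARP, UDP, truncated) yields None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total]
    sport, dport, seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", tcp, 0)
    return Packet(ts, src, dst, sport, dport, seq, flags, tcp[(doff >> 4) * 4:])

# ---- the analysis: display filter, session timing, ISN tracking, stream hash ----
def exclude_tcp_port(pkts: List[Packet], port: int) -> List[Packet]:
    """Equivalent of the display filter `!(tcp.port == 80)`: keep everything but that port."""
    return [p for p in pkts if port not in (p.sport, p.dport)]

def session_times(pkts: List[Packet], port: int) -> Tuple[float, Optional[float]]:
    """Seconds (rounded to tenths) from the first packet to the first SYN on `port` and to the
    last FIN/RST on it; None if the session never closed inside the capture."""
    t0 = pkts[0].ts  # in a real file use frame 1's time, even if it is not TCP (frame.time_relative)
    on_port = [p for p in pkts if port in (p.sport, p.dport)]
    syn = next(p for p in on_port if p.flags & SYN and not p.flags & ACK)
    closes = [p for p in on_port if p.flags & (FIN | RST)]
    return round(syn.ts - t0, 1), (round(closes[-1].ts - t0, 1) if closes else None)

def syn_isns(pkts: List[Packet], port: int) -> List[Tuple[float, int]]:
    """(relative seconds, ISN) for every pure SYN sent to `port`: shows when the ISN changes."""
    t0 = pkts[0].ts
    return [(round(p.ts - t0, 1), p.seq) for p in pkts if p.dport == port and p.flags & SYN and not p.flags & ACK]

def stream_md5(pkts: List[Packet], src: str, sport: int) -> str:
    """MD5 of the bytes one side sent on a stream, reassembled in sequence order."""
    segs = sorted((p.seq, p.payload) for p in pkts if p.src == src and p.sport == sport and p.payload)
    return hashlib.md5(b"".join(pl for _, pl in segs)).hexdigest()

if __name__ == "__main__":
    pk = parse_pcap(SAMPLE_PCAP)
    print(len(pk), "TCP packets;", len(exclude_tcp_port(pk, 80)), "left after dropping port 80")
    print("port 4444 opened/closed at", session_times(pk, 4444))
    print("SYNs to 4445 (rel_s, ISN):", syn_isns(pk, 4445))
    print("MD5 of server->client bytes on 4444:", stream_md5(pk, S, 4444))
```

Two details matter when you repeat this on a real capture. Relative times are measured from the first frame of the file, not from the first TCP packet, so keep the ARP and DNS frames in the file if the questions are phrased as "seconds since the beginning of the capture". And the MD5 of a transferred executable must be taken over the reassembled stream in sequence order (which is what Wireshark's Follow TCP Stream and Export Objects do), not over the packets in capture order; hashing retransmitted or out-of-order segments as they arrive gives a different, meaningless value.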