As long as we are in position to capture network traffic, Wireshark can sniff the passwords going through. As we know the flag format we have a good starting point, instructing grep to output progressively more characters until the full flag is revealed. Well, the answer is definitely yes Wireshark can capture not only passwords, but any kind of information passing through the network usernames, email addresses, personal information, pictures, videos, anything. Wireshark has identified the TradeSecrets.txt file referenced in Question 2, allowing us to extract it from the PCAP now to find the hidden flag, we can use grep. Wireshark allows us to easily export SMB Objects using a graphical interface. There is a nice simple flag in the file that was accessed. flag 04 – According to all known laws of aviation (100 points) Packet 76 shows the corresponding LOGIN FAILURE, with the hex status code 0xc000006d. We can see the user SAMBA\jtomato attempt to login in Packet 75. What is the hex status code when the user SAMBA\jtomato logs in?Īgain, consulting the Wireshark wiki we find that the Session Setup operations are signified by Opcode 0x01 filtered as below: smb2.cmd = 1 What is the path of the file that is opened?Ĭonsulting the list of SMB2 Opcodes, we find that file Read requests are signified by Opcode 0x08, and apply the following filter: smb2.cmd = 8Įxamining the first packet to contain a Read request (Packet 342), we see that the requested file path is HelloWorld\TradeSecrets.txt flag 03 – Uh uh uh (75 points) We can isolate the Tree Connect request packets using the following filter to specify Opcode 0x03: smb2.cmd = 3Īlthough there is a Tree Connect request to the IPC$ share in packet 124, the share that ends up being browsed is \ public. The Wireshark wiki contains a good overview of the SMB2 protocol, including a very helpful list of Opcodes. This write-up covers the questions relating to the smb PCAP file. As the questions were split over multiple PCAP files ( shell, smb, dhcp, network, dns, and https), I have decided to split my write-ups by PCAP for ease of reading. This series of write-ups covers the network forensics section. In May 2020 the Champlain College Digital Forensics Association, in collaboration with the Champlain Cyber Security Club, released their Spring 2020 DFIR CTF including Windows, MacOS, and Apple iOS images, as well as network traffic analysis, OSINT, and reversing challenges.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |