Cyberdefenders PacketMaze Walkthrough

PacketMaze

Hello! In this article I’m gonna analyz an insider activity from PacketMaze challenge which is published on cyberdefenders.org.

Challenge details : As an analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer’s employee whose network activity has been monitored for a while -possible insider.

Tools that can be used : WireShark, NetworkMiner

Q1 : What is the FTP password?

View ftp traffic through filter pane, then follow tcp stream and password can be seen in the popup pane.

A1 : AfricaCTF2021

Q2 : What is the IPv6 address of the DNS server used by 192.168.1.26? (####::####:####:####:####)

To find DNS’ IPv6, let’s grab DNS server mac address. Filter by DNS parameter and ip that mentioned in the question. The query will be like;

ip.addr == 192.168.1.26 and dns

After that we can grab MAC address of DNS server which is “ca:0b:ad:ad:20:ba”. The last step is to look at the dns conversation. Follow Statistics -> Conversation after applying dns filter and look for MAC address we’ve already found. So IPv6 address can be seen by comparing IPv6 and Eth panes.

A2 : fe80::c80b:adff:feaa:1db7

Q3 : What domain is the user looking up in packet 15174?

Let’s grab the packet by filtering number.

frame.number == 15174

Follow UDP stream and got the answer.

A3 : www.7-zip.org

Q4 : How many UDP packets were sent from 192.168.1.26 to 24.39.217.246?

ip.addr == 192.168.1.26 and ip.addr == 24.39.217.246 and udp

A4 : 10

“The result was short, so I counted them one by one. There could be alternative for the long results..”

Q5 : What is the MAC address of the system being investigated in the PCAP?

We already know what IP is, so the filter is :

ip.addr == 192.168.1.26

A5 : c8:09:a8:57:47:93

Q6 : What was the camera model name used to take picture 20210429_152157.jpg ?

First, I tried to export FTP objects but I couldn’t succeed. Then, filter ftp data via filter pane. The query is ftp-data.

FTP Data

Follow TCP stream, convert data into raw and save it. The result should look like;

Image file contents

The model of the machine can be obtained with any exif tool.

A6 : LM-Q725K

Q7 : What is the server certificate public key that was used in TLS session: da4a0000342e4b73459d7360b4bea971cc303ac18d29b99067e46d16cc07f4ff?

By filtering the TLS protocol, we get all the packets. By searching TLS session value, the public key can be seen in the details pane.

Public Key

A7 :04edcc123af7b13e90ce101a31c2f996f471a7c8f48a1b81d765085f548059a550f3f4f62ca1f0e8f74d727053074a37bceb2cbdc7ce2a8994dcd76dd6834eefc5438c3b6da929321f3a1366bd14c877cc83e5d0731b7f80a6b80916efd4a23a4d

Q8 : What is the first TLS 1.3 client random that was used to establish a connection with protonmail.com?

All Server Names

We display all server names by filtering with

ssl.handshake.extensions_server_name

and Apply as Column feature.

A8 :24e92513b97a0348f733d16996929a79be21b0b1400cd7e2862a732ce7775b70

Q9 : What country is the MAC address of the FTP server registered in? (two words, one space in between)

We already found out what FTP server’s IP is. Let’s grab it again and find out what is the location. FTP server IP address is “192.168.1.20” and MAC address is “08:00:27:a6:1f:86”. https://macaddress.io/ can be used for MAC look up.

A9 : United States

Q10 : What time was a non-standard folder created on the FTP server on the 20th of April? (hh:mm)

One more time filtering ftp protocol, we can follow tcp stream and see that there is only one file is created on the 20th of April.

Listing FTP

A10 : 17:53

Q11 : What domain was the user connected to in packet 27300?

To see that, we need to grab frame first.

frame.number == 27300 // after follow tcp stream

Connected Domain

By following Statistics -> Resolved Addresses, we can filter domain name by IP address.

A11 : dfir.science

Computer Engineering student / Cyber Security Enthusiast

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Stop scratching the surface, and hack the dependencies

We’re going to the RiskMoon!

A Minute with #EPNS #43

2017 Verizon Data Breach Investigations Report from the Perspective of Exterior Security Perimeter

Android Pentesting Lab — Android Studio

Business Choice Awards 2019: VPN Services for Work, Remote Access

Can Your Hospital Room Be Hacked?

Keplerswap has a weekly report from August 30th-September 12th a technological planning of V2…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
arslanblcn

arslanblcn

Computer Engineering student / Cyber Security Enthusiast

More from Medium

FalconFriday — Code execution through Microsoft SQL Server and Oracle Database — 0xFF19

[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator

Malware Analysis —Banking Trojan: Dyre

CyberDefenders Write-up: Injector