
THM Advent of Cyber - Day 13

The next step in our adventure revolves around packet analysis, so I reckon we’re about to fire up Wireshark and do some digging into a PCAP file, something that I find rather enjoyable to do.

Day 13

What is the “Percent Packets” value of the “Hypertext Transfer Protocol”?

We can find the AoC'22-Day13.pcapng file directly on the desktop, and after opening it we just need to select Statistics, Protocol Hierarchy to get a simple representation of the packets in the capture divided into protocols. The answer to this question is found under Hypertext Transfer Protocol.

Which port number has received more than 1000 packets?

This time we’ll use the Endpoints selection instead, and in the default TCP tab look at the number of packets. There are two possible options, but since we’re looking for a port with only four digits we can easily find the correct one. Do you remember what service this port belongs to? You should.

What is the service name of the used protocol that received more than 1000 packets?

And now you know why you should. It’s one of the most common ports, but in reality you can always look them up if you happen to forget.

What are the domain names?

Moving to the main Wireshark window we can simply filter the packets with dns, and by expanding the Domain Name System (query/response, depending on the packet) section, then Queries, we can find two domains. Defang them and put them in alphabetical order and you have your answer.

What are the names of the requested files?

To look for files, or more specifically the HTTP GET requests which are used to retrieve files from the web server, we can use the http.request.method == "GET" filter. Usually we’d get a lot more hits, but this time we’re lucky and only get the two we’re being asked for, so after a quick defanging we have the answer.

Which IP address downloaded the executable file?

Here we can filter with http to be able to find the relevant HTTP traffic which was used to get the file, and we can find the correct IP easily since there aren’t that many options.

Which domain address hosts the malicious file?

We can select the packet with the executable and look under the Hypertext Transfer Protocol dropdown to find Full request URI:. Defang the domain and the subdomain to get the correct answer.

What is the “user-agent” value used to download the non-executable file?

Switching to the packet of the other file we found earlier, we can find the answer to this question under the user-agent: row. No need to enter anything after the version number.

What is the sha256 hash value of the executable file?

To get the hash of the file we first need to extract the file from the capture. Select File, Export Objects, HTTP, the correct filename and click on Save. Then just use sha256sum in the terminal to get the correct answer.

What are the connected IP addresses?

Next we’ll have to look up the hash on VirusTotal, and since we’re being asked for contacted IP addresses we need to navigate to the Relations tab to find these. We can disregard 192.168.0.18 and 8.8.8.8 since they’re internal and Google DNS respectively, but the four other IPs are the ones we need to focus on. While they’re already in numerical order we still need to defang them, and CyberChef makes this task a breeze.
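Wireshark and CyberChef cover the GUI side of the steps above; as an added example (not part of the original post or the room), the script below reproduces the tidy-up work in plain Python: pulling the file name, host and user-agent out of a raw HTTP request, sorting and defanging domains and IPs, and hashing an exported file. The request lines and file bytes are constructed sample data, not values from the AoC'22-Day13 capture.

```python
"""Post-process indicators taken from a packet capture (stdlib only)."""
import hashlib
import ipaddress

# Constructed sample requests, as they appear in Wireshark's "Follow TCP stream".
SAMPLE_REQUESTS = [
    "GET /docs/report.pdf HTTP/1.1\r\nHost: docs.example-invalid.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n",
    "GET /bin/update.exe HTTP/1.1\r\nHost: cdn.example-invalid.test\r\n"
    "User-Agent: curl/7.68.0\r\n\r\n",
]

def parse_get_request(raw):
    """Return method, path, requested file name, host and user-agent of one request."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path,
        "file": path.rsplit("/", 1)[-1],
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "is_executable": path.lower().endswith(".exe"),
    }

def is_ip(value):
    """True for a valid IPv4/IPv6 literal, False for a domain name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def defang(indicator):
    """Make a domain, URL or IP safe to paste: 'http' -> 'hxxp', '.' -> '[.]'."""
    for scheme in ("https://", "http://"):
        if indicator.startswith(scheme):
            indicator = "hxxp" + indicator[4:]
    return indicator.replace(".", "[.]")

def defanged_sorted(indicators):
    """IPs first in numerical order, then domains alphabetically, all defanged."""
    ips = sorted((i for i in indicators if is_ip(i)), key=ipaddress.ip_address)
    names = sorted(i for i in indicators if not is_ip(i))
    return [defang(i) for i in ips + names]

def sha256_of(data):
    """Hex SHA-256 of exported file bytes, the same value sha256sum prints."""
    return hashlib.sha256(data).hexdigest()
```

Sorting with `ipaddress.ip_address` as the key orders 10.0.0.3 before 10.0.0.20, which a plain string sort would get wrong.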

This post is licensed under CC BY 4.0 by the author.