Wireshark 101 — TryHackMe Walkthrough
TryhackMe is an amazing platform that teaches cybersecurity through specific rooms and hands-on exercises. Interesting courses for pen testing, blue teaming, and cybersecurity beginners are available on the platform. Some rooms are completely free, others require membership, which costs about 10 euros per month and allows you to use their VPN and VM.
Wireshark is a network protocol analyzer which is used for network troubleshooting and protocol development.
The first protocol we will going to look is ARP (Address Resolution Protocol).This protocol is used to know the MAC address, once the destination IP address is known. We can use the VM machine or download the file that tryhackme provide to us in order to analyze the protocol.
This is an overview on how Whireshark looks like when it is open:
Since we are going to work on ARP protocol we need to use the filter function:
The questions that we have to solve are as follows:
The opcode is the portion of a machine language instruction that specifies the operation to be performed. The answer can be found under Address Resolution Protocol (request) where we can find other interesting info as the sender MAC and IP address and the target one.
The resolution of this question is pretty easy, we search the no. 19 and then look under Address Resolution Protocol (request)and read the source/sender MAC address.
In the next question we need to find the reply packets.
In order to solve this question we can use different methods, the first one is carefully reading the info.
In fact we can read that the packet 74 is looking for the IP 10.251.23.1, this info is shared all over to the network and the reply is from exactly the same IP and ignored from the rest. The packet 76 in fact states that the IP 10.251.23.1 can be found at the following MAC address 80:fb:06:45:d7.
So if we repete this logic going through all the packts we can find all reply packets answer.
A quicker way is to select packet 76 select Opcode: reply (2) and then apply as filter — > selected. And we can see now are showed only the reply packets.
Easiest way to find the packtes reply is to insert in the filter bar arp.opcode==2 .The equality operator ( == ) checks whether its two operands are equal, returning a Boolean result.
The last question to this protocol is to find the IP address having the MAC address
The answer can be found in the previous explanation.
The next set of questions is about ICMP(Internet Control Message protocol). This protocol iss used to analyze various nodes on a network. This is most commonly used with utilities like ping and traceroute.
In the packet details for a ping request packet, there is some important information: a type equal to 8 means it is a request packet, while if it is equal to 0 it is a reply packet. When these codes are altered or do not look correct, it is usually a sign of suspicious activity.
Now that we have this knowledge we can easily answer the first questions.
In fact if we look for packet 4 under ICMP we can see the type 8 which means request packet.
The type for packet 5 instead is 0 which means reply packet.
The timestamp can be found under ICMP, scrolling a bit down.
The last question related to this protocol is as follows.
To find the full data string we have to search under ICMP and then under data.
The next protocol we have the opportunity to analyze is DNS (Domain Name Service) protocol. This protocol is used to translate Domain Name into IP address.
The first question require to analyze packet 1.
The answer to the first question can be found under task queries. DNS servers translate name requests into IP addresses by checking which server you connect to when you type a particular domain name into your browser. These requests are called queries.
In this case we have a Reverse DNS which is used to resolve a domain name to an IP address. The answer of the question 8.8.8.8.in-addr.arpa is known as a Reverse Pointer or PTR record.The ‘A’ record, which gives the IP address connected to a domain name, is the exact opposite of a DNS PTR record.
PTR records are usually used for validation, safety or investigation.
The answer to this question can be found as well under Queries.
The last question related to this protocol is the following.
The Transaction ID is a random number generated by the nameserver initiating the query.
The next set of questions are about HTTP (Hypertext Transfer Protocol) which is an application-layer protocol for transmitting hypermedia documents, such as HTML.
To answer the first question, we can use one of the Wireshark features .Select Statistics then > Protocol Hierarchy. We can find the percent of packets originate from Domain Name System as 4.7.
Also for this question we need to use one of Wireshark’s features.Select Statistics then > Endpoint
The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.
A Uniform Resource Identifier (URI) is a unique sequence of characters that identifies a logical or physical resource used by web technologies. A URI identifies the resource by name at the specified location or URL. It can ben found under Request URI bar.
To answer these two questions we need to read the URI. The Domain name system will correspond to www.ethereal.com while the full URI will be the full string : http://www.ethereal.com/download.html
The last set of questions we need to answer to end this room on Wireshark are those related to HTTPS (Hypertext Transfer Protocol Secure). HTTPS is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase security of data transfer.
Before starting to answer, we need to add the private key on Wireshark. Select Edit and then Preferences > Protocols
After selecting Protocols depending on the version of Wireshark we have to select TLS, if it is an older version SSL.
Then select RSA key list Edit and insert the he following preferences:
IP Address: 127.0.0.1
Port: start_tls
Protocol: http
Keyfile: RSA key location
It should look like this picture:
The key file is the location of the RSA key, so we will need to first extract it from the folder and then select where it is located to complete this step.
The rationale for answering the next questions is similar to that used for HTTP.
Now that we have that entered the key in fact the file is decrypted and we can search for the required information by scrolling through the bar as in the previous questions.
