Home

Day 07 - The Grinch Really Did Steal Christmas

Date: 07, December, 2020

Author: Dhilip Sanjay S

Fundamentals

  • Introduction to IP

  • TCP/IP and UDP/IP

    • Three way handshake

  • Wireshark Basics

Solutions

Open "pcap1.pcap" in Wireshark. What is the IP address that initiates an ICMP/ping?

  • Answer: 10.11.3.2

  • Steps to reproduce:

    • Filter icmp.

If we only wanted to see HTTP GET requests in our "pcap1.pcap" file, what filter would we use?

  • Answer: http.request.method eq get

Now apply this filter to "pcap1.pcap" in Wireshark, what is the name of the article that the IP address "10.10.67.199" visited?

  • Answer: reindeer-of-the-week

  • Steps to reproduce:

    • Filter http.

    • You can find post/reindeer-of-the-week by scrolling through.

Look at the captured FTP traffic; what password was leaked during the login process?

  • Answer: plaintext_password_fiasco

  • Steps to reproduce:

    • Filter ftp.

    • Look for Login failed and PASS.

Continuing with our analysis of "pcap2.pcap", what is the name of the protocol that is encrypted?

  • Answer: SSH

Analyse "pcap3.pcap" and recover Christmas! What is on Elf McSkidy's wishlist that will be used to replace Elf McEager?

  • Answer: Rubber ducky

  • Steps to reproduce:

    • Export HTTP

    • Select Christmas.zip

    • After extracting, you check out the file elf_mcskidy_wishlist.txt

PreviousDay 06 - Be careful with what you wish on a Christmas nightNextDay 08 - What's Under the Christmas Tree?

Last updated