Wireshark 101
# Task 7 ARP Traffic
- What is the Opcode for Packet 6?
Request (1)
- What is the source MAC Address of Packet 19?
80:fb:06:f0:45:d7
- What 4 packets are Reply packets?
76,400,459,520
- What IP Address is at 80:fb:06:f0:45:d7?
hint: 80:fb:06:f0:45:d7 is the source MAC address of packet 19.
Right-click packet 19 --> apply it as a filter
answer: 10.251.23.1
# Task 8 ICMP Traffic
- What is the type for packet 4?
8
- What is the type for packet 5?
0
- What is the timestamp for packet 12, only including month day and year?
note: Wireshark displays times in your device's time zone; if your answer is wrong, try one day more or less.
hint: the displayed timestamp May 31, 2013 05:45:20.253336000 +07 is not accepted (it is shown in the local time zone); take one day less.
Answer: May 30, 2013
- What is the full data string for packet 18?
08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
# Task 10 DNS Traffic
- What is being queried in packet 1?
8.8.8.8.in-addr.arpa
- What site is being queried in packet 26?
www.wireshark.org
- What is the Transaction ID for packet 26?
0x2c58
# Task 11 HTTP Traffic
- What percent of packets originate from Domain Name System?
hint: Navigate to Statistics > Protocol Hierarchy.
4.7
- What endpoint ends in .237?
145.254.160.237
- What is the user-agent listed in packet 4?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
- Looking at the data stream what is the full request URI from packet 18?
http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633
- What domain name was requested from packet 38?
www.ethereal.com
- Looking at the data stream what is the full request URI from packet 38?
http://www.ethereal.com/download.html
# Task 12 HTTPS Traffic
We can confirm from the packet details that the Application Data is encrypted. You can load the server's RSA private key into Wireshark in order to view the data decrypted. To load an RSA key, navigate to Edit > Preferences > Protocols > TLS > [+]. If you are using an older version of Wireshark, this protocol entry is named SSL instead of TLS. You will need to fill in the sections of the menu with the following preferences:
IP Address: 127.0.0.1
Port: start_tls
Protocol: http
Keyfile: RSA key location
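As an added example (not part of the original writeup), the script below parses a constructed TLS ServerHello record and reports whether the RSA-key method from this task can decrypt the session: the server's private key only recovers the pre-master secret when the negotiated cipher suite uses plain RSA key exchange, not (EC)DHE or TLS 1.3. The record bytes and the small suite tables are constructed for the demo.

```python
import struct

# Suites whose key exchange is plain RSA: the client encrypts the pre-master
# secret to the server's public key, so the server's private key recovers it.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# Forward-secret suites: the RSA key only signs, it never encrypts the secret,
# so a key file alone cannot decrypt these captures (a key log would be needed).
EPHEMERAL_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256 (TLS 1.3)",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello; return version and suite."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    version = struct.unpack("!H", sh[:2])[0]
    sid_len = sh[34]                 # 2-byte version + 32-byte random precede it
    off = 35 + sid_len               # cipher_suite follows the session id
    suite = struct.unpack("!H", sh[off:off + 2])[0]
    return {"version": version, "cipher_suite": suite}

def rsa_key_decryptable(suite: int) -> bool:
    """True if loading the server's RSA key (as in this task) can decrypt it."""
    return suite in RSA_KX_SUITES

def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample data, not a capture)."""
    sh = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(sh).to_bytes(3, "big") + sh
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        info = parse_server_hello(build_server_hello(suite))
        name = RSA_KX_SUITES.get(suite) or EPHEMERAL_SUITES.get(suite, "unknown")
        print(f"{name}: RSA key file decrypts? {rsa_key_decryptable(info['cipher_suite'])}")
```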
- Looking at the data stream what is the full request URI for packet 31?
https://localhost/icons/apache_pb.png
- Looking at the data stream what is the full request URI for packet 50?
https://localhost/icons/back.gif
- What is the User-Agent listed in packet 50?
Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
https://tryhackme.com/room/wireshark
https://www.youtube.com/watch?v=CG9QxkWU8hA
https://scriptkiddiehub.com/2021/03/06/tryhackme-wireshark-101-writeup/