Welcome back to the continuation of the NCL Preseason Posts! Today we will be covering Part 1 of the Network Traffic Analysis portion of the NCL Preseason game. If you don’t know what the NCL is, or what these posts are about, then I suggest you go back and read my Introduction Post which can be found here!

Also, if you missed my previous write-ups for the preseason, you can find the Cryptography portion here and the Log Analysis portion here!

Just a fair warning that this post will be fairly long and will be broken down into 2 parts - so let’s strap in, and get to it!

FTP

For this challenge we are provided the following file: NCL-2016-Pre-FTP.pcap

1. What was the first username/password combination attempt made to log in to the server? e.g. ‘user/password’

When we open up our pcap in Wireshark, the first thing we want to do is follow the TCP stream of the first packet in the capture. Once we do, we are provided with the following stream information and the corresponding username/password.

Answer: user1/cyberskyline

2. What software is the FTP server running? (Include name and version)

Since we are already in the TCP stream view, we can see that the first line is the server’s banner, which gives us the server software and its version.

Answer: FileZilla 0.9.53

3. What is the first username/password combination that allows for successful authentication?

In our TCP stream view, we can go up to the next stream and we will be presented with another login attempt.

Answer: user1/metropolis

4. What is the first command the user executes on the ftp server?

Looking at the stream, and knowing our FTP commands, we can rule out PORT: the client sends it to set up the data connection, so it is not a command the user chose to execute. That leaves us with LIST.

Answer: LIST

5. What file is deleted from the ftp server?

The DELE command is being used, which deletes a specified file on the server. That file is our answer.

Answer: bank.cap

6. What file is uploaded to the ftp server?

The STOR command allows you to upload files to an FTP server. The file name after the command is our answer.

Answer: compcodes.zip

7. What is the MD5 sum of the uploaded file?

To do this we have to step through the TCP streams until we find the FTP-DATA of the file being uploaded. We find the data in stream 6. To get the MD5 sum of the file, we have to change “Show data as” to Raw, as shown below. Once done, go ahead and save that file to the root directory.

Once the file is saved, we will use the md5sum command in Linux to give us the file’s MD5 Hash.

root@kali:~# ls
Desktop    download   hashcat  node-v0.4.4  Public     Videos
Documents  Downloads  Music    Pictures     Templates
root@kali:~# md5sum download
3303628e25d43be4e11cc8878c5c5878  download

Answer: 3303628e25d43be4e11cc8878c5c5878

8. What file does the anonymous user download?

Once again, back in the TCP stream view, at stream 4 - we see that someone is logging in as anonymous. The file name that we need for our answer is used with the RETR command.

Answer: compcodes.zip
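
The manual walk through the FTP control stream above can be scripted. The following is an added example, not part of the original write-up: the dialogue is constructed rather than taken from the challenge capture, and the names summarize, PLUMBING and FILE_OPS are made up for illustration.

```python
# Constructed FTP control-channel dialogue (not taken from the challenge capture).
# "C" = client command, "S" = server reply.
SAMPLE = [
    ("S", "220 ExampleFTPd 1.0 ready"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS guess1"), ("S", "530 Login incorrect"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS s3cret"), ("S", "230 Logged on"),
    ("C", "PORT 192,168,1,5,200,10"), ("S", "200 Port command successful"),
    ("C", "LIST"), ("S", "150 Opening data channel"), ("S", "226 Transfer OK"),
    ("C", "DELE old.cap"), ("S", "250 File deleted"),
    ("C", "PORT 192,168,1,5,200,11"), ("S", "200 Port command successful"),
    ("C", "STOR codes.zip"), ("S", "150 Opening data channel"), ("S", "226 Transfer OK"),
]

# Commands FTP clients typically send on their own for login or data-channel setup.
PLUMBING = {"USER", "PASS", "PORT", "PASV", "EPRT", "EPSV", "TYPE", "SYST", "FEAT", "OPTS"}
FILE_OPS = {"DELE": "delete", "STOR": "upload", "RETR": "download"}

def summarize(dialogue):
    """Walk one control connection and collect logins, commands and file requests."""
    out = {"banner": None, "logins": [], "first_user_cmd": None, "file_requests": []}
    user = pending = None                  # pending = (user, password) awaiting a reply
    for side, line in dialogue:
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                pending = (user, arg)
            elif verb not in PLUMBING and out["first_user_cmd"] is None:
                out["first_user_cmd"] = verb
            if verb in FILE_OPS:           # requested; the reply code says if it worked
                out["file_requests"].append((FILE_OPS[verb], arg))
        else:
            code = line[:3]
            if code == "220" and out["banner"] is None:
                out["banner"] = line[4:]
            elif pending and code in ("230", "530"):
                out["logins"].append((*pending, code == "230"))
                pending = None
    return out
```

Reply code 530 marks a rejected login and 230 an accepted one, which is how the first attempt and the first successful attempt are told apart.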

DNS

For this challenge we are provided the following file: NCL-2016-Pre-DNS.cap

1. What is the type of the DNS record requested?

Simply type in dns in the Wireshark filter to leave us only with the DNS packets. The first query will be our answer.

Answer: AXFR

2. What domain was requested?

Looking at the AXFR query we see the domain name as well.

Answer: etas.com

3. How many items were in the response?

Click on the 2nd dns packet which will be our response, and dig into the Answers section.

Answer: 4

4. What is the TTL for all of the records?

Dig into one of the answers, and look for the Time to live.

Answer: 3600

5. What is the IP address for the “welcome” subdomain?

Looking back at the answers for welcome.etas.com it gives us the IP address.

Answer: 1.1.1.1
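
The fields read out of Wireshark in this section (query type, domain, answer count, TTL, A record) can also be pulled from the raw DNS message. The following is an added example, not part of the original write-up: the message bytes are constructed and simplified (a real zone transfer begins and ends with the zone's SOA record), and the names name_at, parse, enc and rr_a are made up for illustration.

```python
import socket, struct

def name_at(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, end = [], None
    for _ in range(128):                          # bound hops on malformed input
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1: off + 1 + n].decode())
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def parse(msg):
    """Parse one DNS message (for DNS over TCP, strip the 2-byte length prefix first)."""
    _id, _flags, _qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    qname, off = name_at(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    answers = []
    for _ in range(an):
        owner, off = name_at(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off: off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((owner, rtype, ttl, value))
    return {"qname": qname, "axfr": qtype == 252, "answers": answers}   # 252 = AXFR

# --- constructed sample: AXFR question for example.test with two A records ---
def enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def rr_a(owner, ttl, ip):
    return owner + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)

SAMPLE = (struct.pack("!6H", 0x1234, 0x8400, 1, 2, 0, 0)
          + enc("example.test") + struct.pack("!2H", 252, 1)
          + rr_a(b"\x03www\xc0\x0c", 3600, "192.0.2.10")        # compressed owner name
          + rr_a(enc("mail.example.test"), 3600, "192.0.2.25"))
```

On a monitored network, an AXFR question from a host that is not a configured secondary name server is worth alerting on, since a successful transfer hands over every record in the zone.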

HTTP 1

For this challenge we are provided the following file: NCL-2016-Pre-HTTP 1.cap

1. What Linux tool was used to execute a file download?

As we have done before, follow the TCP stream of the first packet and you should see the User-Agent, which is what initiated the request. We see that the Linux tool wget was used.

Answer: wget

2. What is the name of the web server software that handled the request?

Just look for the Server line for the answer.

Answer: Nginx

3. From what IP address did the request originate?

Going back to our packets, let’s find the GET command and look at Source.

Answer: 192.168.1.140

4. What is the IP address of the server?

Same packet, just look at Destination.

Answer: 174.143.213.184

5. What is the md5sum of the file downloaded?

For this one, we have to go to File > Export Objects > HTTP and you will see a pop up like below.

Go ahead and save that image to the root directory. Then we can run the md5sum command in our CLI against the image - this will return the image’s MD5 hash.

root@kali:~# ls
Desktop    download   hashcat   Music        Pictures  Templates
Documents  Downloads  logo.png  node-v0.4.4  Public    Videos
root@kali:~# md5sum logo.png 
966007c476e0c200fba8b28b250a6379  logo.png

Answer: 966007c476e0c200fba8b28b250a6379

HTTP 2

For this challenge we are provided the following file: NCL-2016-Pre-HTTP 2.pcap

1. What was the compromised website that was used to infect users with malware?

Looking through the streams, we come across a Referer header in stream 4. This shows us that someone is requesting another webpage, and the Referer URL gives us the compromised website name.

Answer: php.net

2. What version of the php was the website using?

Let’s go back to the first stream to see the HTTP Request for php.net, and that will provide us the info we need.

Answer: 5.4.16

3. What version of Apache was the website using?

Same as above, just look for PHP.

Answer: 2.2.21

4. In what year was the capture made?

We can use the current TCP stream and just look for Date.

Answer: 2013

5. What domain serves up the malicious file?

We can see that in stream 7 there is a GET request for a .SWF file, which is a Shockwave Flash file and is possibly malicious. (Question 7 basically gives it away…)

Answer: zivvgmyrwy.3razbave.info

6. What is the IP address of the malicious domain?

Just exit out of the TCP stream, and the first packet there should provide us the source IP.

Answer: 192.168.40.10

7. At what packet number is the first request for a malicious .SWF made?

Just as above, the packet where we got the IP also will be the packet # for the .SWF request.

Answer: 173

8. What packet number requests the first successfully delivered payload?

Working in IT Security, I know when a payload is successfully run since you see “This program cannot be run in DOS mode.” in the packet captures… so if we go through the streams, we will see packet 213 is the first one to initiate the payload.

Answer: 213
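
The object export and hashing from HTTP 1 and the payload spotting from HTTP 2 can be done on the raw bytes of a followed stream. The following is an added example, not part of the original write-up: the response is constructed (a PE-shaped body served as image/png), and the names split_response, sniff, inspect and fake_pe are made up for illustration.

```python
import hashlib
import struct

def split_response(raw):
    """Split one HTTP/1.x response into (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if "content-length" in headers:                   # drop bytes past the declared body
        body = body[: int(headers["content-length"])]
    return headers, body

def sniff(body):
    """Classify a body by magic bytes, ignoring the declared Content-Type."""
    if body[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if body[:3] in (b"FWS", b"CWS", b"ZWS"):          # plain or compressed Flash
        return "swf"
    if body[:2] == b"MZ" and len(body) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", body, 0x3C)   # e_lfanew field
        if body[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def inspect(raw):
    headers, body = split_response(raw)
    kind = sniff(body)
    return {
        "server": headers.get("server"),
        "declared": headers.get("content-type"),
        "actual": kind,
        "md5": hashlib.md5(body).hexdigest(),         # same value md5sum prints for the export
        "flag": kind in ("pe", "swf"),                # executable or Flash content to review
    }

def fake_pe():
    """Constructed 132-byte stand-in with a valid MZ/PE layout; not a real program."""
    stub = b"This program cannot be run in DOS mode."
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80) + stub
    return dos.ljust(0x80, b"\x00") + b"PE\x00\x00"

# Constructed response: declared as an image, body is PE-shaped.
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: image/png\r\n"
          b"Content-Length: 132\r\n\r\n" + fake_pe())
```

The DOS stub string sits inside every Windows executable, so seeing it in a response body means a PE file was delivered to the client; comparing the declared Content-Type with the sniffed type catches payloads served under a harmless-looking type.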

Alright, that’s enough for Part 1 - you can read Part 2 here!

Thanks for reading - and as always, stay tuned for more!
