Analysing Network Packet Captures
the best category :)
A network packet capture (or pcap for short) is a list of captured packets over a network. This is usually used from a blue team perspective, to find a flag in a "Capture The Flag" competition. However, in a penetration test, a pen tester may capture packets to grab important pieces of information, such as passwords.
When searching for software to analyse packet captures, you may be overwhelmed with the choice. The software that we'll be using in this explanation will be wireshark. Wireshark is open source and free, which is why it makes it my software of choice. A simple search for your system will give you a guide on installation.
When analysing a packet capture, the first thing I recommend doing is organising the packets by protocol.
Click on where it says "protocol" once.
Out of all these packets, the 3 GET requests in the HTTP protocol section look the most interesting. I will highlight them to help them stand out.
To do this, select a packet and press CTRL+M. Did you make a mistake? No worries, just press CTRL+M again.
However, there is no text data here, as seen by the 304 errors. Let's try again.
Awesome! 200 status codes!
Now, let's give these a read.
Double clicking on the packet brings you to this:
This gives us some really useful info of:
ssssh! they arent supposed to see this, keep quiet and read the next file. xoxo - [redacted]
This tells us to read 2.txt.
This file states:
ok, this should be really hard for the defenders to see. I'm gonna encode the important data with a secure method that the attackers wont get :)
66 6f 72 65 6e 73 69 63 73 20 69 73 20 6d 79 20 70 61 73 73 69 6f 6e 20 3a 29
If you aren't in the know, maybe we should read the last highlighted packet, 3.txt.
This file states:
Did you really forget the encoding method? oh my, i guess i'll have to tell you: base16
now i really hope the defenders dont see this
Bingo! We now have the encoded text and the encoding method.
I hope you enjoyed this, and took something away from it :)