Analysing Network Packet Captures

the best category :)

Part 1: What is a Network Packet Capture?

A network packet capture (or pcap for short) is a list of captured packets over a network. This is usually used from a blue team perspective, to find a flag in a "Capture The Flag" competition. However, in a penetration test, a pen tester may capture packets to grab important pieces of information, such as passwords.

Part 2: What software can be used to analyse Packet Captures?

When searching for software to analyse packet captures, you may be overwhelmed with the choice. The software that we'll be using in this explanation will be wireshark. Wireshark is open source and free, which is why it makes it my software of choice. A simple search for your system will give you a guide on installation.

Part 3: Analysing The Packet Capture

When analysing a packet capture, the first thing I recommend doing is organising the packets by protocol.

Click on where it says "protocol" once.

Out of all these packets, the 3 GET requests in the HTTP protocol section look the most interesting. I will highlight them to help them stand out.

To do this, select a packet and press CTRL+M. Did you make a mistake? No worries, just press CTRL+M again.

However, there is no text data here, as seen by the 304 errors. Let's try again.

Awesome! 200 status codes!

Now, let's give these a read.

Double clicking on the packet brings you to this:

This gives us some really useful info of:

ssssh! they arent supposed to see this, keep quiet and read the next file. xoxo - [redacted]

This tells us to read 2.txt.

This file states:

ok, this should be really hard for the defenders to see. I'm gonna encode the important data with a secure method that the attackers wont get :)

66 6f 72 65 6e 73 69 63 73 20 69 73 20 6d 79 20 70 61 73 73 69 6f 6e 20 3a 29

enjoy! :)

If you aren't in the know, maybe we should read the last highlighted packet, 3.txt.

This file states:

Did you really forget the encoding method? oh my, i guess i'll have to tell you: base16

now i really hope the defenders dont see this

Bingo! We now have the encoded text and the encoding method.

Now, we can decode this using cyberchef, and we get the message of forensics is my passion :).

I hope you enjoyed this, and took something away from it :)