Analysing Network Packet Captures

the best category :)


Last updated 4 years ago


Part 1: What is a Network Packet Capture?

A network packet capture (or pcap for short) is a recording of the packets that crossed a network. In a "Capture The Flag" competition you usually approach one from a blue team perspective, reading the capture to find the flag. In a penetration test, however, a pen tester may capture packets to grab important pieces of information, such as passwords sent over the wire.

Part 2: What software can be used to analyse Packet Captures?

When searching for software to analyse packet captures, you may be overwhelmed by the choice. The software we'll be using in this explanation is Wireshark. Wireshark is open source and free, which is why it is my software of choice. A simple search for your operating system will give you an installation guide.

Part 3: Analysing The Packet Capture

When analysing a packet capture, the first thing I recommend doing is organising the packets by protocol. Click on the column header where it says "Protocol" once.

Out of all these packets, the 3 GET requests in the HTTP protocol section look the most interesting. I will highlight them to help them stand out. To do this, select a packet and press CTRL+M. Did you make a mistake? No worries, just press CTRL+M again.

However, there is no text data here, as the 304 Not Modified responses show: the server sent no body, because the client already had the files cached. Let's try again.

Awesome! 200 status codes!

Now, let's give these a read.

Double clicking on the packet brings you to this:

This gives us some really useful info:

ssssh! they arent supposed to see this, keep quiet and read the next file. xoxo - [redacted]

This tells us to read 2.txt.

This file states:

ok, this should be really hard for the defenders to see. I'm gonna encode the important data with a secure method that the attackers wont get :)

66 6f 72 65 6e 73 69 63 73 20 69 73 20 6d 79 20 70 61 73 73 69 6f 6e 20 3a 29

enjoy! :)

If you don't recognise that encoding, maybe we should read the last highlighted packet, 3.txt.

This file states:

Did you really forget the encoding method? oh my, i guess i'll have to tell you: base16

now i really hope the defenders dont see this

Bingo! We now have the encoded text and the encoding method.

Now, we can decode this using CyberChef (the "From Hex" operation), and we get the message: forensics is my passion :)

I hope you enjoyed this, and took something away from it :)
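The same triage done in code, as an added Python example that is not part of this page: it takes raw HTTP responses of the kind you see with Wireshark's "Follow TCP Stream", skips the body-less 304s, and decodes any base16 run found in the 200 bodies. The response strings are constructed samples that mirror the files above; the function names are mine.

```python
import re

# Constructed sample of raw HTTP responses as they appear in a TCP stream.
# The first mirrors the cached 304 case; the others mirror 1.txt and 2.txt.
SAMPLE_RESPONSES = [
    "HTTP/1.1 304 Not Modified\r\nServer: example\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "ssssh! they arent supposed to see this, keep quiet and read the next file.",
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "ok, encoding the important data:\n"
    "66 6f 72 65 6e 73 69 63 73 20 69 73 20 6d 79 20 70 61 73 73 69 6f 6e 20 3a 29\n"
    "enjoy! :)",
]

# A run of at least four hex byte pairs, either spaced ("66 6f 72 65")
# or packed ("666f7265"), not glued to other hex digits on either side.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2} ?){4,}(?![0-9A-Fa-f])")


def split_response(raw: str) -> tuple[int, str]:
    """Return (status_code, body) for one raw HTTP/1.x response."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    return status, body


def decode_base16_runs(text: str) -> list[str]:
    """Decode every base16 run in text, keeping only printable ASCII results."""
    found = []
    for match in HEX_RUN.finditer(text):
        decoded = bytes.fromhex(match.group(0).replace(" ", ""))
        # Random hex-looking words in prose decode to garbage; drop those.
        if all(32 <= b < 127 or b in b"\n\t" for b in decoded):
            found.append(decoded.decode("ascii"))
    return found


def triage(responses: list[str]) -> list[str]:
    """Decoded messages from 200 bodies only; 304 responses carry no body."""
    results = []
    for raw in responses:
        status, body = split_response(raw)
        if status == 200:
            results.extend(decode_base16_runs(body))
    return results


if __name__ == "__main__":
    for message in triage(SAMPLE_RESPONSES):
        print(message)  # prints "forensics is my passion :)"
```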