The platform develops virtual
classrooms that not only allow users to deploy training environments with the
click of a button, but also reinforce learning by adding a question-answer
approach. It's a comfortable experience to learn using pre-designed courses which include virtual machines (VMs) hosted in the cloud.
TryHackMe Advent of Cyber 2 Day 7 Walkthrough
While using a question-answer model
does make learning easier, TryHackMe allows users to create their own virtual
classrooms to teach particular topics enabling them to become teachers. This
not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
Room :-
https://tryhackme.com/room/adventofcyber2
Advent of Cyber 2
Get started with Cyber Security in 25 Days - Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas.
Task 12 [Day 7] Networking The Grinch Really Did Steal Christmas
Story
It's 6 AM and Elf McSkidy is clocking-in to The Best Festival Company's SOC
headquarters to begin his watch over TBFC's infrastructure. After logging in,
Elf McEager proceeds to read through emails left by Elf McSkidy during the
nightshift.
More automatic scanning alerts, oh look, another APT group. It feels
like it's going to be a long, but easy start to the week for Elf McEager.
Whilst
clearing the backlog of emails, Elf McEager reads the following: "URGENT: Data
exfiltration detected on TBFC-WEB-01". "Uh oh" goes Elf McEager. "TBFC-WEB-01?
That's Santa's webserver! Who has the motive to steal data from there?!". It's
time for the ever-vigilant Elf McEager to prove his salt and find out exactly
what happened.
Unknowingly to Elf McEager, Elf McSkidy made this
all up! Fortunately, this isn't a real attack - but a training exercise
created ahead of Elf McEager's performance review.
Learning Objectives
What are IP Addresses & how are they assigned.
Understanding TCP/IP and UDP
3-way handshake
Wireshark Crash Course (where is it used and why)
Basic Filtering and operators
Analysing our first few PCAPS
HTTP
SMB
Challenge
Made with ❤ by CMNatic
What is an IP Address?
You'll hear talk of the term "IP address" frequently throughout the
information technology field - not just TryHackMe. Short for an Internet
Protocol address, I like to explain this fundamental of networking by comparing
it to the way a postal/mail system works in real life.
When sending
a letter, you must provide the address for where the letter should go, and it
is best practice to include your address as the return address in case the
letter is lost (or you wish to let the recipient know how to reply). An IP
address serves the same purpose but for devices connected to a network!
Devices connected to the internet will have two of these addresses - a public
and a private address. Think of a private address as the name of the recipient
at a business i.e. Joe Smith, and the public address being the location of
this business i.e. 160 Kemp Road, London.
Let's say you are
accessing the Internet through your computer. Your computer will be a part of
two networks, and in turn, will use both public and private IP address:
A private IP address to identify itself amongst other devices (such as
smartphones, TV's and other computers) within the network of your house. In
the screenshot below, the two devices have the following private IP
address:
TryHackMe similarly uses these private addresses. For you to access
other TryHackMe devices such as the instances that you deploy in this room,
you will need to be on the same private network as these instances are not
connected to the internet. This is why you must use a client such as OpenVPN
to connect to the network.
MuirlandOracle explains how these
private IP addresses work in his Intro to Networking room.
A public IP address is given to you by your Internet Service Provider (ISP)
and identifies your house on the Internet (the Internet is just many, many
networks connected together). Using our example from above, the two devices will share
a public IP address to identify themselves on the Internet:
This is achieved through NATting (Network Address Translation); however, detailing exactly how this works is a bit beyond the scope of today.
Protocols 101
With the internet predicted to have 50 billion devices connected by the
end of 2020
(https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf),
chaos quickly ensues if there are no ground-rules in how devices should
communicate with each other.
If this is a bit confusing
- I don't blame you, just bear with me here. Think of it this way: You use
protocols in everyday life! When talking to someone, you will both use the
same set of protocols...otherwise, no one will understand each other. At the
very least, all parties wishing to converse will use the same language - this
is a protocol! Other protocols may also include the context or topic of the
conversation. If anyone strays from these protocols - they risk not being
understood! This is the same for network-connected devices.
Back to the technical stuff...
Enter protocols such as the TCP/IP
& UDP/IP models. With TCP/IP being the most common-place today, we'll
discuss this further. TCP/IP is a protocol that ensures that any data sent is
processed in the same order. Going back to our postal system, your letter will
go to many places - even when sending domestically. Your computer traffic does
the same, going from device to device in a process called routing. One device
could deliver data quicker (and, as a result, in a different order) than another,
causing a headache in situations where accuracy is important, such as the
following:
- Downloading files
- Visiting a website in your browser
- Sending emails
This is unlike the UDP protocol where having all packets is not quite as
important (making the protocol a lot quicker than TCP/IP) which is why
applications like video streaming make use of UDP (i.e. Skype). We don't
really care if a few packets are lost as we can still see a majority of the
picture.
How does TCP/IP send data? The Three-Way Handshake:
The three-way handshake is the method that makes TCP reliable.
Any data that is sent is given a random starting sequence number, and the data is reconstructed
using this sequence number and incrementing by 1. Both computers must agree on
the same number sequence for data to be sent in the correct order. This order
is agreed upon during three steps.
In the diagram below, "Client"
has the initial sequence number (ISN) of "0" where the "Server" has "5,000".
Any data sent from "Client" and received on "Server" will be initial sequence
+ 1. If this is the first packet from "Client" this would be "0 + 1". I've
shown three packets being sent from "Client" in the table below to help
demonstrate this:
- SYN - Client: Here's my initial number sequence (ISN) to SYNchronise with (0)
- SYN/ACK - Server: Here's my Initial Sequence Number (ISN) to SYNchronise with (5,000) and I ACKnowledge your initial sequence number (0)
- ACK - Client: I ACKnowledge your Initial Number Sequence (ISN) of (5,000) here is some data that is my ISN+1
When the data is received, it is reassembled by the receiver. Let's show
the conditions of which reassembly is required:
Examples of TCP reassembling data:
No reassembly required:
If the "Server" were to receive data that was received in the exact
order it was sent from "Client":
- Sent 1st - Received 1st
- Sent 2nd - Received 2nd
- Sent 3rd - Received 3rd
Then no reassembly is needed as the data is received in the exact order
it was sent.
Reassembly required:
For example, if the "Server" was to receive all the data, but in a
different order than what was sent, reassembly is required:
- Sent 1st - Received 1st
- Sent 2nd - Received 3rd
- Sent 3rd - Received 2nd
Because all data is received, just in a different order, it can be
reassembled using the agreed sequence numbers that would have been exchanged
during the three-way-handshake.
The connection is dropped:
If the "Client" was to send three packets, but the "Server" only
receives two out of three packets, they are disconnected from each other as
the data sent is corrupt:
- Sent 1st - Received 1st
- Sent 2nd - Not received
- Sent 3rd - Received 2nd
The data will not be processed by "Server" as the packet that was sent
2nd by the "Client" was never received by the "Server", meaning there was a
loss of data along the way.
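The three cases above, as an added example that is not part of the room: a toy model in which each packet gets one sequence number (real TCP numbers bytes, and a receiver would ask for a retransmission before giving up), so that you can see how the numbers agreed in the handshake let the server put segments back in order and notice when one never arrived. The ISNs of 0 and 5,000 are the room's; the message text is made up.

```python
# Toy model of TCP sequence numbers: one number per packet rather than per byte,
# and a missing segment is treated as the room describes (data cannot be processed).

def handshake(client_isn, server_isn):
    """Return the three handshake packets and the seq each side uses for its next data."""
    syn = {"seq": client_isn}                                  # Client -> Server
    syn_ack = {"seq": server_isn, "ack": client_isn + 1}       # Server -> Client
    ack = {"seq": client_isn + 1, "ack": server_isn + 1}       # Client -> Server
    # The client's first data segment carries ISN + 1, as in the room's table.
    nxt = {"client_next": client_isn + 1, "server_next": server_isn + 1}
    return syn, syn_ack, ack, nxt

def client_segments(first_seq, chunks):
    """Number the client's data chunks consecutively from the agreed first seq."""
    return [(first_seq + i, chunk) for i, chunk in enumerate(chunks)]

def reassemble(received, first_seq):
    """Rebuild the stream in sequence order. Returns (status, data)."""
    arrival = [seq for seq, _ in received]                # order the segments came in
    by_seq = dict(received)                               # arrival order no longer matters
    expected, chunks = first_seq, []
    while expected in by_seq:                             # walk the contiguous run
        chunks.append(by_seq.pop(expected))
        expected += 1
    if by_seq:                                            # something arrived beyond a gap
        return "dropped", None                            # the room: 2nd packet never received
    status = "in order" if arrival == sorted(arrival) else "reordered"
    return status, "".join(chunks)
```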
Crash Course in Monitoring Network Traffic:
Being able to capture exactly what is travelling across a network and
understanding this is an important skill in information technology. From
diagnosing to capturing credentials, positions in IT ranging from system
administrators to digital forensics and us pentesters all use network traffic
in their own ways. For example, since data sent via HTTP or FTP is
unencrypted, a pentester might be able to capture usernames and passwords
being entered into a website.
Introducing Wireshark:
Wireshark is capable of recording a log of all the packets sent and
received on a computer's network adapter. For example, we can see how a
computer (highlighted in red) connected to a computer (highlighted in black)
that was running a web server via HTTP, in this case, it was the web
page:
web_server/download.HTML, which we can export and view for ourselves:
Networks are, however, rather noisy...Wireshark captured 2,648 packets after a
single minute on my machine. This makes analysing very hard. Thankfully, we
can use filters to narrow down the results. We can filter by many things, but
we'll only cover a couple of important ones in the table below. Note that all
the examples below use the == operator to see if the filter exactly matches
the value we give it.
Combining Filters With Operators
Exporting data from Wireshark:
As previously shown, Wireshark is capable of exporting data from
protocols such as HTTP by navigating to "File → Export Objects" and selecting
the protocol available. In the screenshots below, we are listing objects that
can be exported from the file-sharing SMB protocol.
We'll export the "test.txt" file onto our device.
As highlighted below:
Challenge
Download the ZIP file "aocpcaps.zip" that is attached to this task, use
a combination of the filters and features of Wireshark we've covered to answer
the questions below:
1) Open "pcap1.pcap" in Wireshark. What is the IP address that initiates an
ICMP/ping?
HINT :- Filter - ICMP
2) If we only wanted to see HTTP GET requests in our "pcap1.pcap" file, what filter would we use?
Ans :- http.request.method == GET / POST
3) Now apply this filter to "pcap1.pcap" in Wireshark, what is the name of
the article that the IP address "10.10.67.199" visited?
HINT :- Filter - http.request.method == GET
or anything else...
Ans :- reindeer-of-the-week
4) Let's begin analysing "pcap2.pcap". Look at the captured FTP traffic;
what password was leaked during the login process?
There's a lot
of irrelevant data here - Using a filter here would be useful!
HINT :- As FTP uses the TCP protocol and runs on port 21, we'd use the "tcp.port" filter and "==" operator to only show data that is TCP and uses port 21. The filter we would use is "tcp.port == 21"
Ans :- PASS plaintext_password_fiasco
5) Continuing with our analysis of "pcap2.pcap", what is the name of the
protocol that is encrypted?
Ans :- ssh
6) Analyse "pcap3.pcap" and recover Christmas!
What is on Elf
McSkidy's wishlist that will be used to replace Elf McEager?
HINT :- There's a lot of data! Only a tiny part of it is useful - use
filters! How would you export files?
Ans :- Rubber Ducky
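The display filters and operators described in the Wireshark crash course, and the ones used in the challenge above, as an added example that is not part of the room or of Wireshark itself: a small evaluator for filters of the form `field == value`, bare protocol names, and `and`/`or`/`not` combinations (with Wireshark's precedence), run over constructed packet summaries that stand in for a capture. The packet records are made up for this example; nothing here comes from aocpcaps.zip.

```python
# Constructed packet summaries standing in for a capture (not from aocpcaps.zip).
PACKETS = [
    {"no": 1, "proto": "icmp", "ip.src": "10.10.67.199", "ip.dst": "10.10.10.1"},
    {"no": 2, "proto": "icmp", "ip.src": "10.10.10.1", "ip.dst": "10.10.67.199"},
    {"no": 3, "proto": "http", "ip.src": "10.10.67.199", "ip.dst": "10.10.10.2",
     "tcp.port": {80, 41002}, "http.request.method": "GET", "http.request.uri": "/example"},
    {"no": 4, "proto": "ftp", "ip.src": "10.10.67.199", "ip.dst": "10.10.10.3",
     "tcp.port": {21, 41003}, "ftp.request.command": "USER", "ftp.request.arg": "elf"},
    {"no": 5, "proto": "ftp", "ip.src": "10.10.67.199", "ip.dst": "10.10.10.3",
     "tcp.port": {21, 41003}, "ftp.request.command": "PASS", "ftp.request.arg": "example-only"},
    {"no": 6, "proto": "ssh", "ip.src": "10.10.67.199", "ip.dst": "10.10.10.4", "tcp.port": {22, 41004}},
]

def matches(pkt, field, value=None):
    if value is None:                 # bare protocol name, e.g. "icmp" or "ftp"
        return pkt["proto"] == field or any(k.startswith(field + ".") for k in pkt)
    if field == "ip.addr":            # ip.addr matches source or destination
        return value in (pkt.get("ip.src"), pkt.get("ip.dst"))
    actual = pkt.get(field)
    if isinstance(actual, set):       # tcp.port matches either end of the connection
        return value in {str(p) for p in actual}
    return actual is not None and str(actual) == value

def evaluate(filter_text, pkt):
    for sym in ("(", ")", "==", "!"):                 # make symbols their own tokens
        filter_text = filter_text.replace(sym, f" {sym} ")
    tokens = filter_text.split()
    def expr():                                       # "or"/"||" binds loosest
        result = conj()
        while tokens and tokens[0] in ("or", "||"):
            tokens.pop(0); rhs = conj(); result = result or rhs
        return result
    def conj():                                       # "and"/"&&" binds tighter than "or"
        result = unary()
        while tokens and tokens[0] in ("and", "&&"):
            tokens.pop(0); rhs = unary(); result = result and rhs
        return result
    def unary():                                      # "not"/"!", parentheses, one comparison
        tok = tokens.pop(0)
        if tok in ("not", "!"):
            return not unary()
        if tok == "(":
            inner = expr(); tokens.pop(0); return inner   # pop the closing ")"
        if tokens and tokens[0] == "==":
            tokens.pop(0); return matches(pkt, tok, tokens.pop(0))
        return matches(pkt, tok)
    return expr()

def apply_filter(filter_text, packets=PACKETS):       # packet numbers that pass the filter
    return [p["no"] for p in packets if evaluate(filter_text, p)]
```

The same filter that answers question 4 (`tcp.port == 21`) is what a defender would use to find plaintext FTP logins in their own captures and move that service to an encrypted alternative.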
Disclaimer
This was written for educational purposes and pentesting only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!
All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.
All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.
I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)