Analysing Network Packet Captures
forensics is my passion :)
Last updated
A network packet capture (or pcap for short) is a recording of the packets seen on a network interface, saved frame by frame with a timestamp. In a "Capture The Flag" competition you usually work with one from the blue team perspective: you are handed the capture and have to find the flag in it. In a penetration test the roles flip, and a tester may capture traffic to pull out information that is sent in the clear, such as passwords carried over HTTP, FTP or Telnet.
When searching for software to analyse packet captures, you may be overwhelmed by the choice. The software we'll be using in this explanation is Wireshark. Wireshark is free and open source, which is why it is my software of choice. A quick search for your operating system will turn up an installation guide.
When analysing a packet capture, the first thing I recommend doing is organising the packets by protocol: click the Protocol column header to sort by it, or type a display filter such as http into the filter bar so only that protocol is shown.
Out of all these packets, the 3 GET requests in the HTTP protocol section look the most interesting. I will highlight them to help them stand out.
However, there is no text data here: the responses are 304 Not Modified, which means the server told the client its cached copy was still current and sent no body. We need the requests where the files were actually served, so let's try again.
Now, let's give these a read.
Double clicking on the packet brings you to this:
This shows the body of the response, which is the contents of 1.txt:
ssssh! they arent supposed to see this, keep quiet and read the next file. xoxo - [redacted]
This tells us to read 2.txt.
This file states:
ok, this should be really hard for the defenders to see. I'm gonna encode the important data with a secure method that the attackers wont get :)
66 6f 72 65 6e 73 69 63 73 20 69 73 20 6d 79 20 70 61 73 73 69 6f 6e 20 3a 29
enjoy! :)
If the encoding isn't obvious to you, read the last highlighted packet, 3.txt.
This file states:
Did you really forget the encoding method? oh my, i guess i'll have to tell you: base16
now i really hope the defenders dont see this
Bingo! We now have the encoded text and the encoding method. Base16 is just hexadecimal: two hex characters per byte. It is an encoding, not encryption, so anyone holding the capture can reverse it without a key, which is why the "secure method" in 2.txt gives the defenders exactly what they need.
Now we can decode it in CyberChef with the "From Hex" operation, and we get the message forensics is my passion :).
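The same walk, done in code rather than by clicking through Wireshark. This is an added example written for this page, not part of the original writeup: it reads a classic pcap with only the Python standard library, lists each HTTP GET with the status code of its reply (so the 304s with no body stand out from the 200s), and decodes any run of space-separated hex bytes it finds in a response body. The capture is constructed in memory to mirror the traffic described above, so the host name, ports and IP addresses are made up and no file is read from disk.

```python
"""Pull HTTP GETs out of a pcap and decode base16 text in the replies.

Added example, not the original writeup's code. The pcap is built in memory
from constructed frames; the host, ports and addresses are invented.
"""
import re
import struct

CLIENT_IP = bytes([10, 0, 0, 1])   # constructed sample addresses
SERVER_IP = bytes([10, 0, 0, 2])


def build_frame(sport, dport, payload):
    """Ethernet + IPv4 + TCP (no options, PSH|ACK) around `payload`. Checksums are left 0."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    src, dst = (CLIENT_IP, SERVER_IP) if dport == 80 else (SERVER_IP, CLIENT_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET = 1), then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (sport, dport, payload) for every TCP segment carrying data. No stream reassembly."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"             # byte order is given by the magic
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 with protocol 6 (TCP) only
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]                 # skip the TCP header (data offset)
        if payload:
            yield sport, dport, payload


def http_requests(pcap):
    """Pair each GET with the reply seen on the same (client port, server port). Returns (path, status, body)."""
    reqs, resps = {}, {}
    for sport, dport, payload in iter_tcp_payloads(pcap):
        text = payload.decode("latin-1")
        line = text.split("\r\n", 1)[0]
        if line.startswith("GET "):
            reqs[(sport, dport)] = line.split(" ")[1].lstrip("/")
        elif line.startswith("HTTP/"):
            _, _, body = text.partition("\r\n\r\n")
            resps[(dport, sport)] = (int(line.split(" ")[1]), body)
    return [(path,) + resps.get(key, (None, "")) for key, path in reqs.items()]


HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}[ \t]+){2,}[0-9a-fA-F]{2}\b")


def decode_base16_runs(body):
    """Decode every run of space-separated hex byte pairs that yields printable ASCII."""
    found = []
    for m in HEX_RUN.finditer(body):
        raw = bytes.fromhex(m.group(0))
        if all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found


def sample_pcap():
    """Constructed capture mirroring the writeup: 1.txt answered 304 then 200, 2.txt and 3.txt 200."""
    bodies = {
        "1.txt": "ssssh! they arent supposed to see this, keep quiet and read the next file. xoxo - [redacted]\n",
        "2.txt": "ok, this should be really hard for the defenders to see. I'm gonna encode the important "
                 "data with a secure method that the attackers wont get :)\n"
                 "66 6f 72 65 6e 73 69 63 73 20 69 73 20 6d 79 20 70 61 73 73 69 6f 6e 20 3a 29\n"
                 "enjoy! :)\n",
        "3.txt": "Did you really forget the encoding method? oh my, i guess i'll have to tell you: base16\n"
                 "now i really hope the defenders dont see this\n",
    }
    frames, port = [], 50000
    for path, status in [("1.txt", 304), ("1.txt", 200), ("2.txt", 200), ("3.txt", 200)]:
        port += 1                                          # one client port per exchange
        body = bodies[path] if status == 200 else ""
        req = f"GET /{path} HTTP/1.1\r\nHost: ctf.test\r\n\r\n".encode()
        reason = "OK" if status == 200 else "Not Modified"
        resp = f"HTTP/1.1 {status} {reason}\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode()
        frames += [build_frame(port, 80, req), build_frame(80, port, resp)]
    return build_pcap(frames)


def solve(pcap):
    """Every decoded base16 string found in a 200 response body."""
    return [s for _, status, body in http_requests(pcap) if status == 200
            for s in decode_base16_runs(body)]


if __name__ == "__main__":
    cap = sample_pcap()
    for path, status, body in http_requests(cap):
        print(f"GET /{path} -> {status} ({len(body)} body bytes)")
    print(solve(cap))
```

To use it on a real file, replace sample_pcap() with open("capture.pcap", "rb").read(); the parser only understands the classic pcap format, not pcapng, and it does not reassemble TCP streams, so a response split over several segments would need Wireshark's "Follow TCP Stream" or a reassembly step first.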
I hope you enjoyed this, and took something away from it :)