🕴️ CTF Website : https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Some questions refer to files contained within this ZIP file : 🔗 Spring 2019 Cyber Quest Resources. Let’s start the fun.
The following questions are based on 🔗 attack.pcap :
2️⃣2️⃣ Analyze the 🔗 attack.pcap file.
What is most likely occurring?
- An SMB brute force attack
- An SSH brute force attack
- An SSH Man-in-the-Middle attack
- An SMB Replay attack
- Let’s begin by understanding each attack:
In general a brute force attack is an attempt to crack a password or username or find a hidden web page, or find the key used to encrypt a message, using a trial and error approach and hoping, eventually, to guess correctly.
An SMB brute force attack
Server Message Block (SMB) is the Internet standard protocol Windows uses to share files, printers, and serial ports. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what’s described as a client server, request-response protocol.
An SSH brute force attack
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
An SSH Man-in-the-Middle attack
A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.
An SMB Relay attack is a type of attack which relies on NTLM Version 2 authentication. It is a Man-in-the-Middle attack in which a malicious user on the local network poisons network traffic to trick the target machine/user into thinking that it is the authentication server.
- Look over the sequence of packet transfers between source and destination captured through Wireshark.
10.1.1.165 does port scanning against the victim (10.1.1.133).
- Closed ports: the source sends a SYN packet to the specific port; if the port is closed, the destination replies by sending an RST packet. This is how the scan identifies closed ports.
- Open ports:
- Source sent SYN packets to the destination
- Destination sent SYN/ACK packets to the source (a SYN/ACK indicates the port is listening (open))
- Source sent RST packets to the destination
The attacker found that port 445 is open.
According to Microsoft, port 445 is the microsoft-ds (NetBIOS helper) port and is also used for SMB Fax Service, SMB Print Spooler, SMB Server, SMB Remote Procedure Call Locator, SMB Distributed File System and SMB Net Logon.
- Using the filter smb2, we can see that brute-force attempts have been performed by the hacker:
The attacker has tried the user KgHZQMzV but gets a logon failure (STATUS_LOGON_FAILURE).
After that we can see that the user larry has been attempted, but a logon failure has occurred as well.
But he continues the brute-force attempts until he gets in, and then tries different locations on the same domain:
Tree: \\10.1.1.133\IPC$ but failed
Then he tries a different domain, until he gets access at
Attack type: An SMB brute force attack
2️⃣3️⃣ Whose account is being targeted in the aforementioned attack?
From the previous answer we know the account targeted is Larry.
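As an added example, not part of the original writeup, the pattern described in Q22 and Q23 can be turned into a small detection routine: count SMB2 Session Setup responses with STATUS_LOGON_FAILURE per client/server pair, record the accounts, domains and trees tried, and flag any pair over a threshold. The events below are constructed from the walkthrough's values (the users KgHZQMzV and larry, the IPC$ tree on 10.1.1.133, the scanner 10.1.1.165); the domain names WORKGROUP and CORP, the share name SHARE, the benign client 10.1.1.50 and the threshold of 5 are assumptions. In practice the events would be exported from the capture with tshark rather than typed inline.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# NT status values as Wireshark labels them in SMB2 responses.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_LOGON_FAILURE = 0xC000006D


@dataclass
class Smb2Event:
    """One SMB2 response, reduced to what a logon-failure rule needs."""
    src: str            # client address
    dst: str            # server address
    command: str        # "SESSION_SETUP" or "TREE_CONNECT"
    status: int         # NT status returned by the server
    user: str = ""      # account from the session setup (empty for tree connects)
    domain: str = ""
    tree: str = ""      # UNC path for tree connects


def brute_force_report(events, max_failures=5):
    """Per (client, server) pair: count failed logons, record the accounts,
    domains and trees tried, and flag pairs at or above `max_failures`."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "domains": set(),
                                 "success_user": None,
                                 "trees_failed": set(), "trees_ok": set()})
    for e in events:
        s = stats[(e.src, e.dst)]
        if e.command == "SESSION_SETUP":
            if e.status == STATUS_LOGON_FAILURE:
                s["failures"] += 1
                s["users"].add(e.user)
                s["domains"].add(e.domain)
            elif e.status == STATUS_SUCCESS:
                s["success_user"] = (e.domain, e.user)
        elif e.command == "TREE_CONNECT":
            bucket = "trees_ok" if e.status == STATUS_SUCCESS else "trees_failed"
            s[bucket].add(e.tree)
    report = {}
    for pair, s in stats.items():
        if s["failures"] >= max_failures:
            verdict = ("brute force, later logon succeeded" if s["success_user"]
                       else "brute force, ongoing")
            report[pair] = {**s, "verdict": verdict}
    return report


def most_targeted_account(events):
    """Account with the most failed logons across all clients (Q23)."""
    failed = Counter(e.user for e in events
                     if e.command == "SESSION_SETUP" and e.status == STATUS_LOGON_FAILURE)
    return failed.most_common(1)[0][0] if failed else None


# Constructed sample events (domains, SHARE and 10.1.1.50 are assumptions).
A, V = "10.1.1.165", "10.1.1.133"
SAMPLE_EVENTS = [
    Smb2Event(A, V, "SESSION_SETUP", STATUS_LOGON_FAILURE, user="KgHZQMzV", domain="WORKGROUP"),
    *[Smb2Event(A, V, "SESSION_SETUP", STATUS_LOGON_FAILURE, user="larry", domain="WORKGROUP")
      for _ in range(4)],
    Smb2Event(A, V, "TREE_CONNECT", STATUS_ACCESS_DENIED, tree=r"\\10.1.1.133\IPC$"),
    *[Smb2Event(A, V, "SESSION_SETUP", STATUS_LOGON_FAILURE, user="larry", domain="CORP")
      for _ in range(2)],
    Smb2Event(A, V, "SESSION_SETUP", STATUS_SUCCESS, user="larry", domain="CORP"),
    Smb2Event(A, V, "TREE_CONNECT", STATUS_SUCCESS, tree=r"\\10.1.1.133\SHARE"),
    # a legitimate user who mistypes the password once: must not be flagged
    Smb2Event("10.1.1.50", V, "SESSION_SETUP", STATUS_LOGON_FAILURE, user="alice", domain="WORKGROUP"),
    Smb2Event("10.1.1.50", V, "SESSION_SETUP", STATUS_SUCCESS, user="alice", domain="WORKGROUP"),
]

if __name__ == "__main__":
    for pair, r in brute_force_report(SAMPLE_EVENTS).items():
        print(pair, r["verdict"], "failures:", r["failures"],
              "users:", sorted(r["users"]), "domains:", sorted(r["domains"]))
    print("most targeted account:", most_targeted_account(SAMPLE_EVENTS))
```

The threshold is per client/server pair rather than per account, so a password spray that rotates accounts (one guess each) is still counted; splitting by account alone would miss it.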
2️⃣4️⃣ According to the traffic in 🔗 attack.pcap,
which ports are open on 10.1.1.133?
- 135, 139, 443, 2103, 5360
- 21, 22, 53, 139, 2103
- 135, 139, 445, 2103, 5357
- 21, 22, 53, 80, 445
As we learned in Q22, the destination sends SYN/ACK packets to the source, which indicates the port is listening.
We need to filter our packets based on this concept; we will use the following filter in Wireshark:
(tcp.flags==0x12) and not tcp.analysis.initial_rtt and ip.src==10.1.1.133
tcp.flags==0x12 looks for SYN/ACK packets (you could also use
The trick is using not tcp.analysis.initial_rtt, because that checks whether Wireshark calculated the initial round trip time for the conversation, and that is something it only does if the handshake is complete. So if the field is missing and the SYN/ACK was seen, you have a half-open connection (assuming the SYN is there).
ip.src==10.1.1.133 restricts the results to packets whose source is this host.
For a better view you can go to the upper menu and select a view, then tick Limit to display filter so that only the packets matching the filter we applied are counted.
So the open ports, from the options above, on host 10.1.1.133 are 135, 139, 445, 2103, 5357
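As an added example, not part of the original writeup, here is the scan logic from Q22 and the Q24 Wireshark filter expressed in Python: it replays the SYN, SYN/ACK, RST exchange over constructed packet records and classifies each port on 10.1.1.133 as open, closed, or half-open (the SYN/ACKs that not tcp.analysis.initial_rtt keeps). The packet list, the source ports, the ports 22, 80 and 139 and the stray host 10.1.1.200 are constructed for the demonstration; with a real capture the records would be filled from a pcap parser, which this example deliberately does not depend on.

```python
from dataclasses import dataclass

# TCP flag bits, numbered as in Wireshark's tcp.flags field (0x12 == SYN|ACK).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    """One TCP segment reduced to the fields the scan analysis needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def classify_ports(packets, target):
    """Infer port state on `target` from how it answered each SYN.

    open      : target replied SYN/ACK (tcp.flags == 0x12)
    closed    : target replied RST (with ACK)
    half_open : the SYN/ACK was never completed by an ACK from the client
                (a SYN scan tears it down with RST instead); these are the
                SYN/ACKs that `not tcp.analysis.initial_rtt` keeps.
    """
    syn_seen, synack, acked, closed = set(), set(), set(), set()
    for p in packets:
        if p.dst == target and p.flags == SYN:
            syn_seen.add((p.src, p.sport, p.dport))
        elif p.src == target:
            key = (p.dst, p.dport, p.sport)      # the flow this reply belongs to
            if key not in syn_seen:
                continue                         # reply to a SYN we never saw: ignore
            if p.flags == SYN | ACK:
                synack.add(key)
            elif p.flags & RST:
                closed.add(p.sport)
        elif p.dst == target and p.flags == ACK:
            key = (p.src, p.sport, p.dport)
            if key in synack:
                acked.add(key)                   # third step of the handshake
    return {
        "open": {k[2] for k in synack},
        "closed": closed,
        "half_open": {k[2] for k in synack - acked},
    }


def probed_ports(packets, scanner, target):
    """Distinct ports `scanner` sent a bare SYN to on `target`; many distinct
    ports from one source in a short window is the simplest scan indicator."""
    return {p.dport for p in packets
            if p.src == scanner and p.dst == target and p.flags == SYN}


# Constructed sample traffic (source ports, ports 22/80/139 and 10.1.1.200 are assumptions).
SCANNER, TARGET = "10.1.1.165", "10.1.1.133"
SAMPLE = [
    Pkt(SCANNER, 40001, TARGET, 445, SYN),          # half-open probe of 445
    Pkt(TARGET, 445, SCANNER, 40001, SYN | ACK),
    Pkt(SCANNER, 40001, TARGET, 445, RST),
    Pkt(SCANNER, 40002, TARGET, 80, SYN),           # closed port answers RST/ACK
    Pkt(TARGET, 80, SCANNER, 40002, RST | ACK),
    Pkt(SCANNER, 40003, TARGET, 135, SYN),          # half-open probe of 135
    Pkt(TARGET, 135, SCANNER, 40003, SYN | ACK),
    Pkt(SCANNER, 40003, TARGET, 135, RST),
    Pkt(SCANNER, 40004, TARGET, 22, SYN),
    Pkt(TARGET, 22, SCANNER, 40004, RST | ACK),
    Pkt(SCANNER, 40005, TARGET, 139, SYN),          # full handshake: open, not half-open
    Pkt(TARGET, 139, SCANNER, 40005, SYN | ACK),
    Pkt(SCANNER, 40005, TARGET, 139, ACK),
    Pkt(SCANNER, 40010, TARGET, 445, SYN),          # later real SMB connection to 445
    Pkt(TARGET, 445, SCANNER, 40010, SYN | ACK),
    Pkt(SCANNER, 40010, TARGET, 445, ACK),
    Pkt(TARGET, 5357, "10.1.1.200", 50000, SYN | ACK),  # no SYN seen: ignored
]

if __name__ == "__main__":
    print(classify_ports(SAMPLE, TARGET))
    print("ports probed by", SCANNER, "->", sorted(probed_ports(SAMPLE, SCANNER, TARGET)))
```

Port 445 ends up in both the open and the half-open sets: the first probe was torn down with RST, the later connection completed the handshake. That is exactly why the writeup's filter looks at the SYN/ACK packets rather than at the port, a packet from a completed handshake has initial_rtt and is dropped while the probe's SYN/ACK is kept.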
2️⃣5️⃣ Continue to analyze 🔗 attack.pcap.
Who is the author of the exfiltrated file?
If you examine the packets you will find the hacker downloaded this file.
To extract the file:
- Select this packet by clicking on it.
- Go to the upper menu and select
- Select the file then click
Nice photo :)
Now let’s open the file with exiftool to examine the metadata:
Note: ExifTool does not need to be installed to run. Just download and extract either the full Perl distribution on Mac/Linux, or the Windows EXE version on Windows, and run it directly.
Open a terminal and run the following command, after changing /path/to/file.jpg to where you saved the file:
exiftool /path/to/file.jpg > data.txt
data.txt is where the file metadata will be saved; you can also run the command without redirecting the output to a file.
ExifTool Version Number : 11.30
File Name : file.jpg
Directory : .
File Size : 41 kB
File Modification Date/Time : 2019:06:22 21:31:01+03:00
File Access Date/Time : 2019:06:22 21:43:43+03:00
File Inode Change Date/Time : 2019:06:22 21:41:54+03:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
DCT Encode Version : 100
APP14 Flags 0 : (none)
APP14 Flags 1 : (none)
Color Transform : YCbCr
Exif Byte Order : Big-endian (Motorola, MM)
Artist : Sarah
Date/Time Original : 2018:05:29 10:46:42
Create Date : 2018:05:29 10:46:42
Sub Sec Time Original : 46
Sub Sec Time Digitized : 46
XP Title : New York City skyline
XP Author : Sarah
Padding : (Binary data 2108 bytes, use -b option to extract)
Quality : 60%
About : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Creator : Sarah
Rating : 5
Warning : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Rating Percent : 99
Title : New York City skyline
Description : New York City skyline
Image Width : 580
Image Height : 387
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 580x387
Megapixels : 0.224
Create Date : 2018:05:29 10:46:42.46
Date/Time Original : 2018:05:29 10:46:42.46
The file author is Sarah
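As an added example, not part of the original writeup, the exiftool output above can be parsed instead of read by eye, which matters once you have more than one exfiltrated file to attribute. The parser keeps every value for a repeated tag (Create Date and Date/Time Original appear twice, once from EXIF and once with sub-seconds from XMP) and then checks whether the different author and title stores agree, since a disagreement between EXIF Artist, XP Author and XMP Creator would be a finding of its own. The sample text is constructed from the values printed above; the lists of author and title tag names are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in exiftool's default "Tag Name : value" layout; the
# values are the ones the walkthrough printed for file.jpg.
SAMPLE_EXIFTOOL_OUTPUT = """\
ExifTool Version Number         : 11.30
File Name                       : file.jpg
File Type                       : JPEG
MIME Type                       : image/jpeg
Artist                          : Sarah
Date/Time Original              : 2018:05:29 10:46:42
Create Date                     : 2018:05:29 10:46:42
XP Title                        : New York City skyline
XP Author                       : Sarah
Padding                         : (Binary data 2108 bytes, use -b option to extract)
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Creator                         : Sarah
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Title                           : New York City skyline
Description                     : New York City skyline
Image Size                      : 580x387
Create Date                     : 2018:05:29 10:46:42.46
Date/Time Original              : 2018:05:29 10:46:42.46
"""

# Tag names never contain a colon, values (dates, uuids) often do, so split
# on the first " : " separator only.
LINE_RE = re.compile(r"^(?P<tag>[^:]+?)\s*:\s(?P<value>.*)$")

# Assumed tag names that carry authorship / title claims in JPEG metadata.
AUTHOR_TAGS = ("Artist", "XP Author", "Creator", "Author")
TITLE_TAGS = ("Title", "XP Title", "Object Name")


def parse_exiftool(text):
    """Parse exiftool's human-readable output into {tag: [values, ...]}.
    The same logical field can be stored in EXIF, XMP and IPTC at once,
    so repeated tags are kept in order instead of silently overwritten."""
    tags = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # blank or non-tag line
        tags[m["tag"].strip()].append(m["value"].strip())
    return dict(tags)


def attribution(tags):
    """Collect every author and title claim and say whether the stores agree."""
    authors = {v for t in AUTHOR_TAGS for v in tags.get(t, [])}
    titles = {v for t in TITLE_TAGS for v in tags.get(t, [])}
    return {
        "authors": sorted(authors),
        "titles": sorted(titles),
        "consistent": len(authors) == 1 and len(titles) == 1,
        "warnings": tags.get("Warning", []),
    }


if __name__ == "__main__":
    parsed = parse_exiftool(SAMPLE_EXIFTOOL_OUTPUT)
    print("Create Date values:", parsed["Create Date"])
    print(attribution(parsed))
```

On a real case feed the parser with the contents of data.txt; the exiftool -j flag would give JSON directly, but the text parser is what you need when all you were handed is someone else's saved output.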
2️⃣6️⃣ What is the title of the exfiltrated file?
- San Francisco Golden Gate Bridge
- New York City skyline
- Chicago Cloud Gate
- Boston Fenway Park
From the extracted metadata, the file title is New York City skyline.