
Tcpdump Challenge | SOC 101 | TCM Security

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Now it's time to put your tcpdump and command-line analysis skills to the test!

The SOC received an alert that an endpoint was exhibiting abnormal behavior as it triggered several detections, pointing to a potential info-stealer malware variant. As a SOC Analyst at Astley Financial, review the tcpdump_challenge.pcap packet capture and analyze its contents to complete the report below.

Challenge File:

  • 02_Network_Security/01_tcpdump/Challenges/tcpdump_challenge.pcap

  1. How many total packets are in the tcpdump_challenge.pcap packet capture?

Answer: 1344

  2. How many ICMP packets are in the challenge.pcap packet capture?

Ans: 132

  3. What is the ASN of the destination IP address that the endpoint was pinging?

Ans: 1335

Source IP 10.0.2.10 is pinging 172.67.72.15.

Hint: do an IP lookup (whois/ASN) on the destination IP.

  4. How many HTTP POST requests were made in the packet capture?

Ans:

💡 Observe the URLs/domains the HTTP requests are trying to reach. Look for anything suspicious or unusual.

  • Do OSINT research for further understanding, e.g. use VirusTotal or a whois lookup on the domain.

  • Reminder: POST is the HTTP method used to send data to a server.

One strange HTTP request stands out: a request to the IP 149.154.167.99, which is related to another question below.

  5. Look for any credentials within the payloads of any HTTP packets, what is the password you uncover?
  6. Aside from HTTP on port 80, what is the other well-known TCP port in the capture?

First sort by source IP. When using cut -d ".", -f 1-4 gives the IP and -f 5 gives the port.

  • I used -t to remove timestamps and -nn to prevent DNS resolution (remove them if you want the names).

Without -nn (DNS resolves host names, and ports are shown as service names):
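The port tally described above, written out as an added example (this is my script, not part of the original walkthrough or the TCM course material). It assumes the input is the plain text that `tcpdump -nn -t -r tcpdump_challenge.pcap` prints (no timestamps, no name resolution), and it takes the fifth dot-separated field of the destination token as the port, exactly as the cut trick above does. The sample lines are constructed, not taken from the challenge capture:

```shell
#!/bin/sh
# Added example: tally destination ports from tcpdump text output.
# Expected input format (from `tcpdump -nn -t -r file.pcap`):
#   IP src.sport > dst.dport: Flags [...], ...

# Constructed sample of tcpdump -nn -t output (not from the challenge pcap).
SAMPLE_LINES=$(cat <<'EOF'
IP 10.0.2.10.49152 > 172.67.72.15.80: Flags [S], seq 1000, win 64240, length 0
IP 172.67.72.15.80 > 10.0.2.10.49152: Flags [S.], seq 2000, ack 1001, win 65535, length 0
IP 10.0.2.10.49153 > 10.0.2.20.21: Flags [S], seq 3000, win 64240, length 0
IP 10.0.2.20.21 > 10.0.2.10.49153: Flags [S.], seq 4000, ack 3001, win 65535, length 0
IP 10.0.2.10.49153 > 10.0.2.20.21: Flags [P.], seq 1:11, ack 1, win 512, length 10: FTP: USER demo
IP 10.0.2.10 > 172.67.72.15: ICMP echo request, id 1, seq 1, length 64
EOF
)

# Print "port:count" for every TCP/UDP destination port, most frequent first.
# $4 is the "dst.dport:" token; its 5th dot-separated field is the port.
# ICMP lines carry no port, so their 5th field is empty and the digit
# check drops them instead of miscounting them.
dst_ports() {
    awk '$1 == "IP" && $3 == ">" { print $4 }' \
        | cut -d '.' -f 5 | cut -d ':' -f 1 \
        | grep -E '^[0-9]+$' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2 ":" $1 }'
}

# Only the well-known (0-1023) destination ports, one per line, ascending.
# Ephemeral client ports (49152 and up) are noise for this question.
well_known_dst_ports() {
    dst_ports | cut -d ':' -f 1 | awk '$1 < 1024' | sort -n
}

# Stand-alone run on the sample. On the real capture, replace the printf with:
#   tcpdump -nn -t -r tcpdump_challenge.pcap | dst_ports
printf '%s\n' "$SAMPLE_LINES" | dst_ports
printf '%s\n' "$SAMPLE_LINES" | well_known_dst_ports
```

On the sample this reports port 21 twice and 80 once, and the well-known filter leaves just 21 and 80, which is the shape of answer question 6 needs; ICMP echo lines are ignored rather than counted as a port.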

  7. What set of valid credentials did the endpoint use to access the file sharing server? (Format username:password)

Ans: demo:password

Filter by port 21 (the default port for FTP).

  8. What is the name of the file that was retrieved from the file sharing server?

Ans: readme.txt

I looked up ftp traffic analysis filters /commands

The RETR (Retrieve) command is used to download or copy a file from the server to the client.

tcpdump -r tcpdump_challenge.pcap port 21

or, to go straight to the retrieve command:

tcpdump -r tcpdump_challenge.pcap port 21 | grep -i "RETR"
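An added example covering both question 7 and question 8 (my own script, not from the walkthrough or the course): it parses the FTP control channel as dumped by `tcpdump -nn -t -A -r tcpdump_challenge.pcap port 21`, reports only the USER/PASS pair that the server accepted with a 230 reply (so a failed attempt does not get mistaken for the valid credentials), and lists the files named in RETR commands. The session below is constructed; it reuses the answers the walkthrough already gives but is not the challenge capture:

```shell
#!/bin/sh
# Added example: extract the accepted FTP login and the retrieved file name
# from a tcpdump -A dump of port 21. Lines starting with "IP" are packet
# headers; everything else is the ASCII payload.

# Constructed FTP session (not the challenge capture): one failed login,
# one successful login, one download.
FTP_SAMPLE=$(cat <<'EOF'
IP 10.0.2.10.49153 > 10.0.2.20.21: Flags [P.], seq 1:12, ack 1, win 512, length 11: FTP: USER demo
E..3..@.@...
USER demo
IP 10.0.2.20.21 > 10.0.2.10.49153: Flags [P.], seq 1:34, ack 12, win 510, length 33: FTP: 331 Please specify the password.
331 Please specify the password.
IP 10.0.2.10.49153 > 10.0.2.20.21: Flags [P.], seq 12:25, ack 34, win 512, length 13: FTP: PASS letmein
PASS letmein
530 Login incorrect.
USER demo
331 Please specify the password.
PASS password
230 Login successful.
RETR readme.txt
150 Opening BINARY mode data connection for readme.txt (12 bytes).
226 Transfer complete.
QUIT
EOF
)

# Print "user:pass" only for logins the server accepted (230 reply).
# A 530 reply clears the password so the next attempt starts clean.
# match() is used instead of anchoring at line start because tcpdump -A
# sometimes prints header bytes in front of the first payload line.
ftp_valid_creds() {
    tr -d '\r' | awk '
        /^IP / { next }                                   # skip packet header lines
        match($0, /USER [^ ]+/) { user = substr($0, RSTART + 5, RLENGTH - 5) }
        match($0, /PASS [^ ]+/) { pass = substr($0, RSTART + 5, RLENGTH - 5) }
        /(^|[^0-9])230[ -]/ && user != "" && pass != "" {  # 230 = login accepted
            print user ":" pass; user = ""; pass = ""
        }
        /(^|[^0-9])530[ -]/ { pass = "" }                 # 530 = login rejected
    '
}

# Print each file requested with RETR, once.
ftp_retrieved_files() {
    tr -d '\r' | awk '
        /^IP / { next }
        match($0, /RETR [^ ]+/) {
            f = substr($0, RSTART + 5, RLENGTH - 5)
            if (!seen[f]++) print f
        }
    '
}

# Stand-alone run on the sample. On the real capture, replace the printf with:
#   tcpdump -nn -t -A -r tcpdump_challenge.pcap port 21 | ftp_valid_creds
printf '%s\n' "$FTP_SAMPLE" | ftp_valid_creds
printf '%s\n' "$FTP_SAMPLE" | ftp_retrieved_files
```

Keying on the 230 reply is the point of the example: a plain grep for PASS would also show the rejected attempt, and the question asks for the credentials that actually worked.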

  9. Based on the unique User-Agent string found within the HTTP requests, what is the name of the related malware the endpoint might be infected with?

Ans: Lumma

HINT: This is a more involved task that requires printing the individual HTTP packets (-A). From this, search for the relevant HTTP header name and print the unique results. Perform OSINT on the abnormal looking string (Google).

https://www.darktrace.com/blog/the-rise-of-the-lumma-info-stealer

10. In defanged format, what was the full URL that the endpoint tried to connect to using the user agent identified above?

Let’s find what is making this request with TeslaBrowser as the User-Agent, and between which IPs it is happening.

Use grep -B5 (5 lines before) and -A5 (5 lines after) around the matched string to see more of the packet.
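The User-Agent inventory and URL reconstruction for questions 9 and 10, as an added example (my script, not from the walkthrough or the course). It assumes the text output of `tcpdump -nn -t -A -r tcpdump_challenge.pcap port 80`, pairs each request line with the Host header of the same packet, and defangs the result for the report. The hosts, IPs and paths in the sample are constructed placeholders; only the TeslaBrowser string comes from the walkthrough:

```shell
#!/bin/sh
# Added example: list unique User-Agent values with counts, rebuild the full
# URL requested with a given User-Agent, and defang it for reporting.

# Constructed HTTP requests (placeholder hosts/IPs, not the challenge capture).
# Each packet starts with a header line beginning "IP"; headers end at a blank line.
HTTP_SAMPLE=$(cat <<'EOF'
IP 10.0.2.10.49160 > 203.0.113.5.80: Flags [P.], seq 1:120, ack 1, win 512, length 119: HTTP: GET /index.html HTTP/1.1
E....@.@....
GET /index.html HTTP/1.1
Host: www.news-site.example
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: */*

IP 10.0.2.10.49161 > 203.0.113.9.80: Flags [P.], seq 1:140, ack 1, win 512, length 139: HTTP: POST /api HTTP/1.1
POST /api HTTP/1.1
Host: stealer-c2.example
User-Agent: TeslaBrowser
Content-Length: 42

IP 10.0.2.10.49162 > 203.0.113.5.80: Flags [P.], seq 120:240, ack 1, win 512, length 120: HTTP: GET /logo.png HTTP/1.1
GET /logo.png HTTP/1.1
Host: www.news-site.example
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

EOF
)

# "count<TAB>user-agent", most common first. The odd one out is usually
# the one worth an OSINT search.
unique_user_agents() {
    tr -d '\r' | grep -i '^user-agent: ' | cut -d ' ' -f 2- \
        | sort | uniq -c | sort -rn \
        | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Full http://host/path for every request whose User-Agent contains $1.
# State resets on each "IP" header line; the URL is emitted at the blank
# line that ends the headers (or at end of input if that line is missing).
urls_for_user_agent() {
    tr -d '\r' | awk -v ua="$1" '
        /^IP / { path = ""; host = ""; hit = 0; next }
        match($0, /(GET|POST|HEAD|PUT) \/[^ ]* HTTP\/1\.[01]/) {
            split(substr($0, RSTART, RLENGTH), parts, " "); path = parts[2]
        }
        tolower($0) ~ /^host: / { host = substr($0, 7) }
        tolower($0) ~ /^user-agent: / && index($0, ua) > 0 { hit = 1 }
        /^$/ && hit && host != "" && path != "" {
            print "http://" host path; path = ""; host = ""; hit = 0
        }
        END { if (hit && host != "" && path != "") print "http://" host path }
    '
}

# Defang for the report: http -> hxxp and every dot wrapped in brackets,
# so the URL cannot be clicked by accident.
defang_url() {
    printf '%s\n' "$1" | sed -e 's/^http/hxxp/' -e 's/\./[.]/g'
}

# Stand-alone run on the sample. On the real capture, replace the printf with:
#   tcpdump -nn -t -A -r tcpdump_challenge.pcap port 80 | unique_user_agents
printf '%s\n' "$HTTP_SAMPLE" | unique_user_agents
defang_url "$(printf '%s\n' "$HTTP_SAMPLE" | urls_for_user_agent TeslaBrowser)"
```

Matching the request line with match() rather than a line-start anchor matters with tcpdump -A, because the first payload line of a packet is often preceded by the printable bytes of the TCP header.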

11. [Bonus] - What is the full title of the YouTube video that the user requested?

Hint: Remember the Location HTTP header

grep either for the word "Location" (which can appear in an HTTP request or response), or for the word "youtube", or for both; all three are shown below.

We find the requests by searching only for "youtube" and using -A to print the full ASCII payload.

Both words (here Location and youtube) on one line:

tcpdump -r tcpdump_challenge.pcap -A | awk '/Location/ && /youtube/'

Open the link to see the video and note the full title.

This course taught me practical methods for identifying suspicious activity, analysing IPs and ports, and applying an investigation methodology.

Many thanks to TCM Security for the excellent training.