14 TryHackMe Lab: Wireshark: The Basics
Reposted from: Wiresharkthebasics - TryHackMe Writeups
Introduction
Which file is used to simulate the screenshots?
http1.pcapng
Which file is used to answer the questions?
Exercise.pcapng
Tool Overview
Use the "Exercise.pcapng" file to answer the questions.
For these questions we must look at the Capture File Properties.
Read the "capture file comments". What is the flag?
TryHackMe_Wireshark_Demo
What is the total number of packets?
58620
What is the SHA256 hash value of the capture file?
f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb
Packet Dissection
Use the "Exercise.pcapng" file to answer the questions.
View packet number 38. Which markup language is used under the HTTP protocol?
After selecting the corresponding packet, the used markup language is displayed at the bottom of the details pane.
eXtensible Markup Language
What is the arrival date of the packet? (Answer format: Month/Day/Year)
This can be found under the Frame layer.
05/13/2004
What is the TTL value?
This can be found under the Internet Protocol (IP) layer.
47
What is the TCP payload size?
This can be found under the TCP layer.
424
What is the e-tag value?
This can be found under the HTTP layer.
The E-Tag is an HTTP header field (defined for HTTP/1.1 in RFC 7232) used mainly for:
- Unique resource identification: the server generates a unique string for each resource (such as a web page or image), e.g. "5d83a-1e6-5f0b8b4a".
- Cache control: the client sends the E-Tag back in the If-None-Match request header; the server compares it and decides whether to return 304 Not Modified (unchanged) or the new content.
Although the E-Tag is part of HTTP, attackers may use it for tracking (similar to a tracking pixel):
- Cross-site tracking: identifying a user through a unique E-Tag.
- Resource enumeration: checking whether the server returns 304 to confirm that a file exists.
Example:
GET /file.html HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
ETag: "5d83a-1e6-5f0b8b4a"
9a01a-4696-7e354b00
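The ETag / If-None-Match exchange described above, as an added Python example (not code from the original writeup or from TryHackMe): a server-side handler that issues a content-derived tag and answers 304 Not Modified when the client's tag still matches. Because the tag is a hash of the response bytes, every client receives the same value, which is the mitigation for the tracking use mentioned above. The sample body and the function names are constructed for illustration.

```python
import hashlib


def content_etag(body: bytes) -> str:
    """Content-derived ETag: a hash of the response bytes, quoted as RFC 7232 requires.
    Every client fetching the same bytes gets the same tag, so the tag carries no
    per-user identity and cannot double as a tracking identifier."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def _strip_weak(tag: str) -> str:
    # Weak comparison (RFC 7232 section 2.3.2): ignore a leading W/ marker.
    return tag[2:] if tag.startswith("W/") else tag


def handle_conditional_get(request_headers: dict, body: bytes):
    """Serve a GET and return (status, response_headers, response_body).
    Returns 304 Not Modified, with no body, when the client's If-None-Match
    already names the current representation; otherwise 200 with the content."""
    etag = content_etag(body)
    if_none_match = request_headers.get("If-None-Match")
    if if_none_match is not None:
        # If-None-Match may be "*" or a comma-separated list of tags.
        candidates = {_strip_weak(t.strip()) for t in if_none_match.split(",")}
        if "*" in candidates or _strip_weak(etag) in candidates:
            return 304, {"ETag": etag}, b""
    return 200, {"ETag": etag, "Content-Length": str(len(body))}, body


# Constructed sample: a first fetch, a revalidation of unchanged content,
# and a revalidation after the content changed.
SAMPLE_BODY = b"<html><body>artist list</body></html>"


def demo():
    first = handle_conditional_get({}, SAMPLE_BODY)
    tag = first[1]["ETag"]
    unchanged = handle_conditional_get({"If-None-Match": tag}, SAMPLE_BODY)
    changed = handle_conditional_get({"If-None-Match": tag}, SAMPLE_BODY + b"!")
    return first[0], unchanged[0], changed[0]


if __name__ == "__main__":
    print(demo())  # (200, 304, 200)
```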
Packet Navigation
Use the "Exercise.pcapng" file to answer the questions.
Search the "r4w" string in packet details. What is the name of artist 1?
Searching for "r4w" in the packets details pane, we get a hit for packet 43362.
r4w8173
Go to packet 12 and read the comments. What is the answer?
Packet 12 contains the following comment.
Go to packet number 39765
Look at the "packet details pane". Right-click on the JPEG section and "Export packet bytes". This is an alternative way of extracting data from a capture file. What is the MD5 hash value of the extracted image?
A Packet Comment is metadata added to a packet by a person, used to mark, classify or record additional information.
After navigating to packet 39765 and exporting the object, we can obtain its hash using md5sum.
911cd574a42865a956ccde2d04495ebf
There is a ".txt" file inside the capture file. Find the file and read it; what is the alien's name?
To get this file, we navigate to the 'export http objects' menu. Here we filter on text/plain files. This gives us one hit. From here we can preview it to find the name.
Packetmaster
Look at the expert info section. What is the number of warnings?
"Analyze" > "Expert Information"
The Warning row has a column showing the count of warnings.
1636
Packet Filtering
Use the "Exercise.pcapng" file to answer the questions.
Go to packet number 4. Right-click on the "Hypertext Transfer Protocol" and apply it as a filter. Now, look at the filter pane. What is the filter query?
After applying the filter, we see the query in the display filter box.
http
What is the number of displayed packets?
At the bottom of the window we get the number of displayed packets.
1089
Go to packet number 33790 and follow the stream. What is the total number of artists?
After navigating to packet 33790 and following the HTTP stream, we can see the entire communication. We can get the number of artists by reading the stream or by exporting the relevant HTML file.
3
What is the name of the second artist?
Blad3