Zhongke Panyun - data analysis and forensics packet flag

Data analysis and forensics

Need to be private

1. Use Wireshark View and analyze virtual machines windows 7 Under the desktop attack.pcapng Package file , through Analyzed packets attack.pcapng Find the hacker's IP Address , And put the hacker's IP Address as FLAG（ form ：[IP Address ]） Submit ：

tcp.connection.syn

By analyzing the port , Because hackers scan common ports

Flag:[172.16.1.102]

2. Continue to view the package file attack.pacapng, Analyze which ports the hacker scanned , And make all ports by FLAG（ form ：[ Port name 1, Port name 2, Port name 3…, Port name n]） From low to high ：

tcp.connection.syn and ip.src==172.16.1.102

Flag:[21,23,80,445,3389,5007]

3. Continue to view the package file attack.pacapng Analyze what the hacker finally gets the user name , And users Name as FLAG（ form ：[ user name ]） Submit ：

http.request.method==POST

Flag:[Lancelot]

4. Continue to view the package file attack.pacapng Analyze what the hacker finally got the password , And make the password by FLAG（ form ：[ password ]） Submit ：

http.request.method==POST

flag:[12369874]

5. Continue to view the package file attack.pacapng Analyze what the password of the hacker connecting the Trojan horse is , And will In a word, the password is used as FLAG（ form ：[ In a word, the password ]） Submit ：

Ctrl+f

Flag:[alpha]

6. Continue to view the package file attack.pacapng Analyze what files the hacker downloaded , And put the file name and suffix As FLAG（ form ：[ file name . Suffix name ]） Submit ：

http.request.method==POST

flag:[flag.zip]

7. Continue to view the package file attack.pacapng Extract the files downloaded by hackers , And the contents in the document are FLAG（ form ：[ The contents of the document ]） Submit ：

binwalk -eM attack.pcapng

flag:[ flag{Manners maketh man}]