https://tryhackme.com/room/wiresharktrafficanalysis
For the exercises, go to TryHackMe (or message me privately and I can send them to you).
I suggest that anyone with some basic knowledge go straight to the questions. That is how TryHackMe works: it looks fairly hard, but if you follow the room's introduction step by step it is actually not difficult... especially since you can make a blind guess from the number of characters in the answer...
Task 1: Nmap scan
nmap/Exercise.pcapng
Question 1: What is the total number of the "TCP Connect" scans?
Question 2: Which scan type is used to scan the TCP port 80?
Question 3: How many "UDP close port" messages are there?
Question 4: Which UDP port in the 55-70 port range is open?
Task 2: ARP poisoning and man-in-the-middle
arp/Exercise
Question 1: What is the number of ARP requests crafted by the attacker?
Question 2: What is the number of HTTP packets received by the attacker?
Question 3: What is the number of sniffed username&password entries?
Question 4: What is the password of the "Client986"?
Question 5: What is the comment provided by the "Client354"?
Task 3: DHCP, NetBIOS, Kerberos
dhcp-netbios-kerberos/dhcp-netbios.pcap (questions 1-3)
dhcp-netbios-kerberos/kerberos.pcap (questions 4-5)
Question 1: What is the MAC address of the host "Galaxy A30"?
Question 2: How many NetBIOS registration requests does the "LIVALJM" workstation have?
Question 3: Which host requested the IP address "172.16.13.85"?
Question 4: What is the IP address of the user "u5"? (Enter the address in defanged format.)
Question 5: What is the hostname of the available host in the Kerberos packets?
Task 4: DNS and ICMP
Question 1: Use the "Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap" file. Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?
Question 2: Use the "Desktop/exercise-pcaps/dns-icmp/dns.pcap" file. Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)
Task 5: FTP
exercise-pcaps/ftp/ftp.pcap
Question 1: How many incorrect login attempts are there?
Question 2: What is the size of the file accessed by the "ftp" account?
Question 3: The adversary uploaded a document to the FTP server. What is the filename?
Question 4: The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?
Task 6: HTTP
http/user-agent.pcap (questions 1-2)
http/http.pcapng (questions 3-4)
Question 1: Investigate the user agents. What is the number of anomalous "user-agent" types?
Question 2: What is the packet number with a subtle spelling difference in the user agent field?
Question 3: Locate the "Log4j" attack starting phase. What is the packet number?
Question 4: Locate the "Log4j" attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude "{}".)
Task 7: HTTPS
https/Exercise.pcap
Question 1: Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?
Question 2: Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)
Question 3: Investigate the decrypted packets and find the flag! What is the flag?
Task 8: Bonus: hunting cleartext credentials
Question 1: Use the "bonus/Bonus-exercise.pcap" file. What is the packet number of the credentials using "HTTP Basic Auth"?
Question 2: What is the packet number where "empty password" was submitted?
Task 9: Bonus 2: actionable results
Question 1: Use the "bonus/Bonus-exercise.pcap" file. Select packet number 99. Create a rule for "IPFirewall (ipfw)". What is the rule for "denying source IPv4 address"?
Question 2: Select packet number 231. Create "IPFirewall" rules. What is the rule for "allowing destination MAC address"?
That's all.