TShark
Reading PCAP Files
How many packets are in the dns.cap file?
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dns.cap | wc -l
38
How many A records are in the capture? (Including responses)
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dns.cap -Y "dns.qry.type == 1" | wc -l
6
Which A record was present the most?
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
www.netbsd.org
www.netbsd.org
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
GRIMM.utelsystems.local
DNS Exfil
How many packets are in this capture?
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dnsexfil.pcap | wc -l
125
How many DNS queries are in this pcap? (Not responses!)
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dnsexfil.pcap -Y "dns.flags.response == 0" | wc -l
56
What is the DNS transaction ID of the suspicious queries (in hex)?
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dnsexfil.pcap -Y "dns.id"
0xbeef
What is the string extracted from the DNS queries?
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ tshark -r dnsexfil.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | cut -d'.' -f1 | tr -d '\n'
MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5
What is the flag?
╭─hnl@hnl ~/Desktop/ctf/tryhackme/tshark
╰─➤ echo 'MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5' | base32 -d
flag{th1s_is_t0ugh_with0u7_tsh4rk!}
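The whole procedure above, from counting queries and A records to reassembling and decoding the base32 labels, as one added Python example that is not part of the original write-up. It runs on a constructed sample modelled on the output of `tshark -T fields -e dns.id -e dns.flags.response -e dns.qry.type -e dns.qry.name`: the transaction ids other than 0xbeef, the packet order and the `exfil.example` domain are invented, while the base32 labels are the chunks the write-up concatenates. It also spells out the detection heuristic the write-up applies by eye when it picks out the suspicious queries: a client that reuses one dns.id across many different query names. All function names are this example's own.

```python
import base64
from collections import Counter, defaultdict

# Constructed sample modelled on tab-separated output of
#   tshark -r dnsexfil.pcap -T fields -e dns.id -e dns.flags.response -e dns.qry.type -e dns.qry.name
# Transaction ids other than 0xbeef, the ordering and the exfil.example domain
# are made up; the base32 labels are the chunks from the write-up above.
SAMPLE_FIELDS = """\
0x1a2b\t0\t1\twww.netbsd.org
0x1a2b\t1\t1\twww.netbsd.org
0x7c3d\t0\t1\tGRIMM.utelsystems.local
0x7c3d\t1\t1\tGRIMM.utelsystems.local
0x7c3e\t0\t1\tGRIMM.utelsystems.local
0x7c3e\t1\t1\tGRIMM.utelsystems.local
0x51e0\t0\t28\twww.netbsd.org
0xbeef\t0\t1\tMZWGCZ33.exfil.example
0xbeef\t1\t1\tMZWGCZ33.exfil.example
0xbeef\t0\t1\tORUDC427.exfil.example
0xbeef\t1\t1\tORUDC427.exfil.example
0xbeef\t0\t1\tNFZV65BQ.exfil.example
0xbeef\t0\t1\tOVTWQX3X.exfil.example
0xbeef\t0\t1\tNF2GQMDV.exfil.example
0xbeef\t0\t1\tG5PXI43I.exfil.example
0xbeef\t0\t1\tGRZGWIL5.exfil.example
"""


def parse_fields(text):
    """Turn tab-separated tshark field output into a list of dicts.

    dns.flags.response is printed as 0/1 by older tshark builds and as
    False/True by newer ones, so both spellings are accepted.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        txid, response, qtype, name = line.split("\t")
        records.append({
            "id": txid.lower(),
            "response": response in ("1", "True"),
            "qtype": int(qtype),
            "name": name,
        })
    return records


def queries(records):
    """Client-to-server queries only, i.e. dns.flags.response == 0."""
    return [r for r in records if not r["response"]]


def a_record_packets(records):
    """Packets carrying an A question (dns.qry.type == 1), queries and responses alike."""
    return [r for r in records if r["qtype"] == 1]


def most_common_a_record(records):
    """(name, count) of the most frequent query name among A-record packets."""
    return Counter(r["name"] for r in a_record_packets(records)).most_common(1)[0]


def reused_transaction_ids(records, min_distinct_names=3):
    """Transaction ids reused across many different query names.

    A well-behaved resolver randomises dns.id per query, so a single id that
    carries several distinct names points at a scripted sender.
    """
    names_by_id = defaultdict(set)
    for r in queries(records):
        names_by_id[r["id"]].add(r["name"])
    return sorted(i for i, n in names_by_id.items() if len(n) >= min_distinct_names)


def reassemble_payload(records, txid):
    """Concatenate the first label of every query with this id, in capture order
    (what `cut -d'.' -f1 | tr -d '\\n'` does in the write-up)."""
    return "".join(r["name"].split(".")[0] for r in queries(records) if r["id"] == txid)


def decode_base32(payload):
    """Decode a base32 payload, restoring the '=' padding a DNS label cannot carry.

    Returns None when the string is not valid base32."""
    payload = payload.upper()
    payload += "=" * (-len(payload) % 8)
    try:
        return base64.b32decode(payload).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    recs = parse_fields(SAMPLE_FIELDS)
    print("packets:", len(recs), "queries:", len(queries(recs)),
          "A records:", len(a_record_packets(recs)))
    print("most common A record:", most_common_a_record(recs))
    for txid in reused_transaction_ids(recs):
        payload = reassemble_payload(recs, txid)
        print(txid, payload, "->", decode_base32(payload))
```

On a real capture the sample string is replaced by the output of the tshark command in the comment; filtering on the reused transaction id before reassembling is what keeps ordinary lookups (www.netbsd.org, GRIMM.utelsystems.local) out of the payload, which a bare `dns.flags.response == 0` filter would not do on its own.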