TShark - Teamwork

Inspect suspicious egress traffic to the malicious domain with TShark

By Ren Sie

Refer to Teamwork for the challenge room on TryHackMe

Scenario

An alert has been triggered: "The threat research team discovered a suspicious domain that could pose a potential threat to the organization."

Task

Review the teamwork.pcap file located in ~/Desktop/exercise-files and create artifacts for detection tools. According to VirusTotal, there is a domain marked as malicious/suspicious.

  • Investigate the contacted domains.
  • Investigate the domains by using VirusTotal.

What is the full URL of the malicious/suspicious domain address?

Investigate the HTTP request and response records to identify the domain names present in this capture.

$ tshark -r teamwork.pcap -z http_seq,tree -q

We know this is a malicious/suspicious domain address because of:

  • Weird domain: it is pretending to be PayPal but uses a suspicious subdomain.
  • Strange path: the URL path /suspecious.php, which is unusual.

When was the URL of the suspicious domain address first submitted to VirusTotal?

By pasting the FQDN of the malicious or suspicious domain into VirusTotal, we can find out the first submission date.

Which known service was the domain trying to impersonate?

It is obvious that the suspicious domain was pretending to be PayPal, and it has a suspicious subdomain.

What is the IP address of the malicious domain?

Since we already know the domain name and the question is asking for the IP address, we will use dns.a and dns.qry.name to retrieve the information.

Note:
  • -e dns.a: extracts IPv4 addresses returned in DNS responses.
  • -e dns.qry.name: extracts domain names that were queried in DNS requests.

$ tshark -r teamwork.pcap -T fields -e dns.a -e dns.qry.name | awk NF | sort | uniq | grep -i 'paypal'
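The walkthrough leaves the domain-to-IP mapping as something to read off the terminal; the task also asks for artifacts that detection tools can consume. The following added example (not part of the original write-up) parses the tab-separated output of that `-T fields -e dns.a -e dns.qry.name` command, flags names that mention a brand without being registered under its legitimate domain, and emits domain/IP pairs for a blocklist. The sample output, the domain names and the IP addresses are constructed; the registrable-domain check is a last-two-labels approximation.

```python
"""Turn tshark DNS field output into detection artifacts (added example)."""
from collections import defaultdict

# Constructed sample of `tshark -T fields -e dns.a -e dns.qry.name` output:
# one line per DNS packet, tab-separated; queries leave dns.a empty, and a
# response carrying several A records has them joined with commas.
SAMPLE_TSHARK_OUTPUT = (
    "\tpaypal.com.secure-login.example-phish.test\n"
    "203.0.113.10,203.0.113.11\tpaypal.com.secure-login.example-phish.test\n"
    "\twww.paypal.com\n"
    "192.0.2.25\twww.paypal.com\n"
    "\tupdates.example.test\n"
    "198.51.100.7\tupdates.example.test\n"
)


def parse_dns_fields(text):
    """Map each queried name to the set of IPv4 addresses it resolved to."""
    resolutions = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():          # same job as `awk NF` in the pipeline above
            continue
        answers, _, name = line.partition("\t")
        name = name.strip().lower().rstrip(".")
        resolutions[name]             # keep queries that never received an answer
        for ip in answers.split(","):
            if ip.strip():
                resolutions[name].add(ip.strip())
    return dict(resolutions)


def registrable_domain(name):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-2:])


def flag_impersonation(resolutions, brand, legitimate):
    """Names that mention the brand but are not registered under a legitimate domain."""
    return sorted(n for n in resolutions
                  if brand in n and registrable_domain(n) not in legitimate)


def ioc_records(resolutions, flagged):
    """(domain, ip) pairs ready for a blocklist or SIEM watchlist."""
    return sorted((n, ip) for n in flagged for ip in resolutions[n])


if __name__ == "__main__":
    res = parse_dns_fields(SAMPLE_TSHARK_OUTPUT)
    bad = flag_impersonation(res, "paypal", {"paypal.com"})
    for domain, ip in ioc_records(res, bad):
        print(f"{domain},{ip}")
```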

What is the email address that was used?

First, find the HTTP traffic that contains the keyword "mail".

$ tshark -r teamwork.pcap -Y 'http contains "mail"'

From the output, we know that the email can be found in one of the POST request packets, so we need to investigate all the POST request packets.

$ tshark -r teamwork.pcap -Y 'http.request.method == POST' -T fields -e http.file_data
