TShark Challenge II: Directory

The aim of the room is to answer a set of questions about a packet capture (directory-curiosity.pcap). Use the TShark techniques from the earlier rooms: filter with -Y, pull out single fields with -T fields -e, and pipe into the usual shell tools so you know what you are looking for before you look.

Tools

  • TShark

  • VirusTotal

First Question: What is the name of the malicious domain?

tshark -r directory-curiosity.pcap -Y 'dns.qry.name matches "\[.\]|(\.|)\."' -T fields -e frame.number -e dns.qry.name

#The regex matches any query name that contains a dot (or a bracketed character), so this lists effectively every DNS lookup in the capture. Look for the name that does not belong on a normal workstation; piping the output through "sort | uniq -c" makes the one-off lookups stand out.

Second Question: What is the total number of HTTP requests sent to the malicious domain?

tshark -r directory-curiosity.pcap -Y 'http.host == "jx2-bavuong.com"' -T fields -e frame.number | wc -l

#http.host is only set on requests, so every line is one request and wc -l gives the count.

Third Question: What is the IP Address Associated with the malicious domain?

tshark -r directory-curiosity.pcap -Y 'http.host == "jx2-bavuong.com"' -T fields -e ip.dst | sort -u

Fourth Question: What is the server info of the suspicious domain?

tshark -r directory-curiosity.pcap -Y "http contains \"jx2-bavuong.com\"" -T fields -e http.server

#The Server header is sent in responses, not requests, so this only works because the response bodies also mention the domain. If it prints nothing, filter on responses from the IP found in the third question (http.response && ip.src == <that IP>) instead of on the domain string.

Fifth Question and Sixth Question

tshark -r directory-curiosity.pcap -Y "http contains \"jx2-bavuong.com\"" -T fields -e http.file_data

#Note this command answers the sixth question as well: take the first HTML document it prints, save it as a .html file on your AttackBox and open it in a browser. It is a directory listing, so the items and the name of the .exe are visible as links. Treat it as attacker-controlled content: open it only on the isolated lab machine and do not follow its links.

HTML version
The saved listing, opened in a browser, shows the items in question and the name of the .exe.

What is the SHA256 value of the malicious file?

#Dump every object served over HTTP in the capture. This creates a new directory called extracted_files.
tshark -r directory-curiosity.pcap --export-objects "http,./extracted_files"
#Go inside it and hash the executable named in the directory listing; this gives you the SHA256.
sha256sum vlauto.exe
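The steps above, collected into one script so the whole triage can be re-run on any capture. This is an added example, not part of the original walkthrough: it assumes tshark and sha256sum (or shasum) are on PATH, and PCAP, DOMAIN and OUT default to the walkthrough's values but can be overridden from the environment. The pure-text helpers (rank_names, links_in_html, sha256_of) work on any input; only the tshark wrappers need the capture.

```bash
#!/usr/bin/env bash
# Added example (not from the original walkthrough). Assumes tshark is on PATH.
# PCAP, DOMAIN and OUT default to the walkthrough's values; override via env.
set -euo pipefail

PCAP="${PCAP:-directory-curiosity.pcap}"
DOMAIN="${DOMAIN:-jx2-bavuong.com}"
OUT="${OUT:-./extracted_files}"

# Rank names by frequency. Input: one name per line (e.g. the dns.qry.name
# column from tshark -T fields). Output: "count<TAB>name", most frequent
# first and ties by name, so one-off lookups of an odd domain end up last.
rank_names() {
  awk 'NF {c[$1]++} END {for (n in c) printf "%d\t%s\n", c[n], n}' | sort -k1,1nr -k2,2
}

# Step 1: every DNS query name in the capture, ranked.
dns_candidates() {
  tshark -r "$PCAP" -Y 'dns.flags.response == 0' -T fields -e dns.qry.name | rank_names
}

# Step 2: http.host only exists on requests, so one line per request.
http_request_count() {
  tshark -r "$PCAP" -Y "http.host == \"$DOMAIN\"" -T fields -e frame.number | wc -l | tr -d ' '
}

# Step 3: destination IP(s) of those requests.
domain_ips() {
  tshark -r "$PCAP" -Y "http.host == \"$DOMAIN\"" -T fields -e ip.dst | sort -u
}

# Step 4: the Server header lives in responses; match them by source IP
# rather than grepping the body for the domain name.
server_header() {
  local ip
  for ip in $(domain_ips); do
    tshark -r "$PCAP" -Y "http.response && ip.src == $ip" -T fields -e http.server | sort -u
  done
}

# Steps 5-6: list what the directory listing links to, from the response
# bodies, instead of opening untrusted HTML in a browser. Input: HTML on stdin.
links_in_html() {
  grep -oiE 'href="[^"]+"' | sed -E 's/^[Hh][Rr][Ee][Ff]="//; s/"$//' | sort -u
}
listing_links() {
  local ip
  for ip in $(domain_ips); do
    tshark -r "$PCAP" -Y "http.response && ip.src == $ip" -T fields -e http.file_data
  done | links_in_html
}

# Hash one file; prints only the digest, ready to paste into VirusTotal.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$1"; else shasum -a 256 -- "$1"; fi |
    awk '{print $1}'
}

# Step 7: dump every HTTP object (-q keeps tshark from printing packets) and hash them.
export_and_hash() {
  mkdir -p "$OUT"
  tshark -r "$PCAP" -q --export-objects "http,$OUT"
  find "$OUT" -type f | while read -r f; do printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done
}

main() {
  echo "== DNS names (count name), rarest last"; dns_candidates
  echo "== HTTP requests to $DOMAIN: $(http_request_count)"
  echo "== IP(s) for $DOMAIN:"; domain_ips
  echo "== Server header(s):"; server_header
  echo "== Links in the served listing:"; listing_links
  echo "== Exported objects and SHA256:"; export_and_hash
}

# Only touch the capture when asked, so the helpers can be sourced on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `bash triage.sh --run` from the directory holding the pcap. Filtering responses by ip.src is deliberate: `http contains "domain"` silently depends on the body mentioning the hostname, while the IP from step 3 is always present.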

Search the SHA256 value of the file on VirusTotal. The last two answers are read from the file's VirusTotal report.

What is the "PEiD packer" value?

What does the "Lastline Sandbox" flag this as?

Thank you for following the guide.
