🕴️ Website : https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Some questions refer to files contained within this ZIP file: 🔗 Spring 2019 Cyber Quest Resources.
01) Let's begin with an understanding of each attack:
In general, a brute-force attack is an attempt to crack a password or username, find a hidden web page, or find the key used to encrypt a message by trial and error: trying candidate after candidate and hoping, eventually, to guess correctly.
03) Look over the sequence of packets exchanged between source and destination as captured in Wireshark.
10.1.1.165 is port-scanning the victim, 10.1.1.133. This is a SYN (half-open) scan: the scanner sends a SYN packet to a specific port and reads the port state from the reply.
If the port is closed, the destination replies with an RST packet; that is how the scan finds closed ports.
If the port is open (listening), the destination replies with SYN/ACK; the scanner then sends an RST back instead of completing the handshake, so no full connection is ever established.
In the capture we therefore see SYN packets to the destination, SYN/ACK packets to the source (a SYN/ACK indicates the port is listening, i.e. open), and RST packets to the destination.
Port 445 is open.
According to Microsoft, port 445 is microsoft-ds (SMB carried directly over TCP, without NetBIOS) and is also used by the SMB Fax Service, SMB Print Spooler, SMB Server, SMB Remote Procedure Call Locator, SMB Distributed File System and SMB Net Logon.
04) Using the filter smb2, we can see that brute-force attempts have been performed by the hacker:
The attacker first tried the user KgHZQMzV but was refused with a logon failure (STATUS_LOGON_FAILURE).
After that we can see that the user larry was attempted, and a logon failure occurred as well.
But he continued the brute-force attempts until he got in, and then tried different locations in the same domain:
Tree: \\10.1.1.133\IPC$, which failed.
Then he tried a different domain,
until he got access at
Attack type >
From previous answer we know the account targeted is >
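The pattern above (a run of STATUS_LOGON_FAILURE responses from one client, then a success, then tree-connect attempts) is easy to pull out of a capture programmatically. The following is an added example, not part of the original write-up: it runs over a constructed, tab-separated summary of SMB2 Session Setup and Tree Connect exchanges (each line pairs a request's NTLMSSP user and domain with the NT status of its response; the host 10.1.1.50, the user jdoe and the domain names are invented, while KgHZQMzV and larry are the names the write-up mentions). The command codes and status values are the ones Wireshark shows in smb2.cmd and smb2.nt_status. It counts failures per client, lists the accounts and domains tried, and records which logon finally succeeded and which trees were then denied or granted.

```python
from collections import defaultdict

# SMB2 command codes and NT status values as Wireshark shows them (smb2.cmd, smb2.nt_status).
SESSION_SETUP = 1
TREE_CONNECT = 3
STATUS_SUCCESS = "0x00000000"
STATUS_LOGON_FAILURE = "0xc000006d"
STATUS_ACCESS_DENIED = "0xc0000022"

# Constructed sample, NOT the challenge capture. Columns (tab separated):
# time, client IP, smb2.cmd, NTLMSSP user, NTLMSSP domain, tree path (tree connect only),
# NT status of the server's response. 10.1.1.50, jdoe, LAB and WORKGROUP are invented.
SAMPLE = """\
1.00\t10.1.1.50\t1\tadmin\tLAB\t\t0x00000000
1.10\t10.1.1.50\t3\t\t\t\\\\10.1.1.133\\IPC$\t0x00000000
2.00\t10.1.1.165\t1\tKgHZQMzV\tWORKGROUP\t\t0xc000006d
2.05\t10.1.1.165\t1\tlarry\tWORKGROUP\t\t0xc000006d
2.10\t10.1.1.165\t1\tlarry\tLAB\t\t0xc000006d
2.15\t10.1.1.165\t1\tjdoe\tWORKGROUP\t\t0xc000006d
2.20\t10.1.1.165\t1\tjdoe\tWORKGROUP\t\t0x00000000
2.25\t10.1.1.165\t3\t\t\t\\\\10.1.1.133\\IPC$\t0xc0000022
2.30\t10.1.1.165\t1\tjdoe\tLAB\t\t0x00000000
2.35\t10.1.1.165\t3\t\t\t\\\\10.1.1.133\\IPC$\t0x00000000
"""


def analyze_smb2(lines, threshold=3):
    """Per client IP: count Session Setup failures, collect the users/domains tried,
    record every successful logon that follows at least `threshold` failures, and
    keep the Tree Connect outcomes. Returns {client_ip: stats dict}."""
    clients = defaultdict(lambda: {"failures": 0, "users": set(), "domains": set(),
                                   "logons": [], "trees_denied": [], "trees_ok": []})
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, cmd, user, domain, tree, status = line.split("\t")
        c = clients[src]
        if int(cmd) == SESSION_SETUP:
            if status == STATUS_LOGON_FAILURE:
                c["failures"] += 1
                c["users"].add(user)
                c["domains"].add(domain)
            elif status == STATUS_SUCCESS and c["failures"] >= threshold:
                c["logons"].append(f"{domain}\\{user}")   # the guess that finally worked
        elif int(cmd) == TREE_CONNECT:
            bucket = c["trees_ok"] if status == STATUS_SUCCESS else c["trees_denied"]
            bucket.append(tree)
    return clients


def verdicts(lines, threshold=3):
    """Reduce the per-client stats to a one-line verdict per client IP."""
    out = {}
    for src, c in analyze_smb2(lines, threshold).items():
        if c["failures"] < threshold:
            out[src] = "normal"
        elif c["logons"]:
            out[src] = "brute force succeeded as " + ", ".join(c["logons"])
        else:
            out[src] = "brute force in progress"
    return out


if __name__ == "__main__":
    for src, stats in analyze_smb2(SAMPLE).items():
        print(src, "failures:", stats["failures"], "users tried:", sorted(stats["users"]),
              "logons:", stats["logons"], "trees denied:", stats["trees_denied"])
    print(verdicts(SAMPLE))
```

The threshold of three failures is an assumption chosen for the sample; on a real network a mistyped password also produces STATUS_LOGON_FAILURE, so the signal that matters is many failures from one client across several accounts or domains, followed by a success. In Wireshark the equivalent first pass is the display filter smb2.cmd == 1 && smb2.nt_status == 0xc000006d, then looking for the first Session Setup response with status 0 from the same client.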
02) As we learned from Q22, the destination sends a SYN/ACK packet to the source when the port is listening,
so we need to filter the packets based on this concept. We will use the following display filter in Wireshark:
(tcp.flags==0x12) and not tcp.analysis.initial_rtt and ip.src==10.1.1.133
tcp.flags==0x12 looks for SYN/ACK packets (you could also use
The trick is using not tcp.analysis.initial_rtt, because that checks whether Wireshark calculated the initial round-trip time for the conversation, and that is something it only does once the handshake is complete. So if the field is missing and the SYN/ACK was seen, you have a half-open connection (assuming the SYN is there).
And of course ip.src==10.1.1.133 restricts the match to packets sent by this host.
For a better view, go to Statistics > Conversations in the top menu and tick "Limit to display filter" so that only the packets matched by the filter above are counted.
So the open ports, from the options given, on host 10.1.1.133 are >
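To make the half-open idea behind the filter concrete without Wireshark, here is an added example (it is not part of the original write-up): a small Python replay of a constructed packet list for the scanner 10.1.1.165 and the victim 10.1.1.133. The packets, the probed ports and their results are invented and not taken from the challenge pcap. The script records, per TCP conversation, which handshake steps were seen, then reports the ports that answered SYN/ACK in a conversation the client never completed, which is what (tcp.flags==0x12) and not tcp.analysis.initial_rtt and ip.src==10.1.1.133 selects. It goes slightly beyond the question by also classifying closed (RST) and unanswered probes, as the scan in Q3 would.

```python
from collections import defaultdict

# Constructed packet summaries (src, sport, dst, dport, TCP flags) in the shape of a
# Wireshark packet list. NOT from the challenge capture: the two hosts are the scanner
# and victim named in the write-up, the ports and outcomes are invented.
PACKETS = [
    ("10.1.1.165", 40001, "10.1.1.133", 445, "S"),    # probe
    ("10.1.1.133", 445, "10.1.1.165", 40001, "SA"),   # port listening
    ("10.1.1.165", 40001, "10.1.1.133", 445, "R"),    # scanner aborts: half-open
    ("10.1.1.165", 40002, "10.1.1.133", 139, "S"),
    ("10.1.1.133", 139, "10.1.1.165", 40002, "SA"),
    ("10.1.1.165", 40002, "10.1.1.133", 139, "R"),
    ("10.1.1.165", 40003, "10.1.1.133", 80, "S"),
    ("10.1.1.133", 80, "10.1.1.165", 40003, "RA"),    # closed port answers RST/ACK
    ("10.1.1.165", 40004, "10.1.1.133", 22, "S"),     # no answer at all
    ("10.1.1.165", 50000, "10.1.1.133", 445, "S"),    # later: a real connection to SMB
    ("10.1.1.133", 445, "10.1.1.165", 50000, "SA"),
    ("10.1.1.165", 50000, "10.1.1.133", 445, "A"),    # third packet completes the handshake
    ("10.1.1.165", 50000, "10.1.1.133", 445, "PA"),
]

STATE_RANK = {"open": 2, "closed": 1, "no-response": 0}


def track_conversations(packets):
    """Replay packets and record, per TCP conversation, which handshake steps were seen.

    The key is (client, client_port, server, server_port); the client is whichever side
    sent the first packet of the conversation (normally the SYN).
    """
    conv = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "rst_srv": False})
    for src, sport, dst, dport, flags in packets:
        f = set(flags)
        reverse = (dst, dport, src, sport)
        if reverse in conv:                      # reply from the server side
            st = conv[reverse]
            if "S" in f and "A" in f:
                st["synack"] = True
            elif "R" in f:
                st["rst_srv"] = True
        else:                                    # packet from the client side
            st = conv[(src, sport, dst, dport)]
            if "S" in f:
                st["syn"] = True
            elif "A" in f and "R" not in f and st["synack"]:
                st["ack"] = True                 # handshake done: Wireshark would now set initial_rtt
    return conv


def half_open_probe_ports(packets, host):
    """Ports on `host` that sent SYN/ACK in a conversation the client never completed.

    Mirrors the display filter: SYN/ACK from the host (tcp.flags==0x12, ip.src==host)
    and no completed handshake (not tcp.analysis.initial_rtt).
    """
    conv = track_conversations(packets)
    ports = {server_port for (client, cport, server, server_port), st in conv.items()
             if server == host and st["synack"] and not st["ack"]}
    return sorted(ports)


def port_states(packets, host):
    """What the scanner learned about each probed port on `host`: open, closed or no-response.
    If a port was probed more than once, the most informative state wins."""
    conv = track_conversations(packets)
    states = {}
    for (client, cport, server, server_port), st in conv.items():
        if server != host or not st["syn"]:
            continue
        if st["synack"]:
            state = "open"
        elif st["rst_srv"]:
            state = "closed"
        else:
            state = "no-response"
        if STATE_RANK[state] >= STATE_RANK.get(states.get(server_port), -1):
            states[server_port] = state
    return states


if __name__ == "__main__":
    print("half-open probes answered by 10.1.1.133:", half_open_probe_ports(PACKETS, "10.1.1.133"))
    for port, state in sorted(port_states(PACKETS, "10.1.1.133").items()):
        print(f"  port {port}: {state}")
```

Note that the later, completed connection to port 445 is not reported by half_open_probe_ports, exactly as the Wireshark filter would drop that SYN/ACK once initial_rtt has been computed; the port still shows as open in port_states because an earlier probe got a SYN/ACK. Both the filter and this replay are heuristics: they need the SYN and its reply to be present in the capture, and a conversation cut off by a capture stop or packet loss can look half-open without any scan.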
If you examine the packets, you will find that the hacker downloaded this file:
To extract the file:
Nice photo :)
Now let's open the file with exiftool to examine its metadata.
Open a terminal and run the following command, after changing /path/to/file.jpg to wherever you saved the file:
exiftool /path/to/file.jpg > data.txt
data.txt is where the metadata will be saved; you can also run the command without redirecting the output to a file.
ExifTool Version Number : 11.30
File Name : file.jpg
Directory : .
File Size : 41 kB
File Modification Date/Time : 2019:06:22 21:31:01+03:00
File Access Date/Time : 2019:06:22 21:43:43+03:00
File Inode Change Date/Time : 2019:06:22 21:41:54+03:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
DCT Encode Version : 100
APP14 Flags 0 : (none)
APP14 Flags 1 : (none)
Color Transform : YCbCr
Exif Byte Order : Big-endian (Motorola, MM)
Artist : Sarah
Date/Time Original : 2018:05:29 10:46:42
Create Date : 2018:05:29 10:46:42
Sub Sec Time Original : 46
Sub Sec Time Digitized : 46
XP Title : New York City skyline
XP Author : Sarah
Padding : (Binary data 2108 bytes, use -b option to extract)
Quality : 60%
About : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Creator : Sarah
Rating : 5
Warning : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Rating Percent : 99
Title : New York City skyline
Description : New York City skyline
Image Width : 580
Image Height : 387
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 580x387
Megapixels : 0.224
Create Date : 2018:05:29 10:46:42.46
Date/Time Original : 2018:05:29 10:46:42.46
The file author is >
From the extracted metadata, the file title is >
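exiftool reads the Artist, XP Author and Date/Time Original values above out of the JPEG's APP1 "Exif" segment, which is a TIFF structure: IFD0 holds Artist (tag 0x013B) and the Windows XP* tags (0x9C9B title, 0x9C9D author, stored as UTF-16LE bytes whatever the TIFF byte order), and an entry 0x8769 points at the Exif sub-IFD that holds DateTimeOriginal (0x9003). The following is an added example, not from the write-up or from exiftool itself: a standalone parser for exactly that structure, plus a builder that constructs a minimal JPEG (SOI, APP1 Exif, EOI) carrying the same author and title values so the parser can be run offline. The sample file is constructed; it is not the photo from the challenge.

```python
import struct

TAG_NAMES = {0x0132: "ModifyDate", 0x013B: "Artist", 0x9003: "DateTimeOriginal",
             0x9C9B: "XPTitle", 0x9C9D: "XPAuthor"}
EXIF_IFD_POINTER = 0x8769                           # IFD0 entry pointing at the Exif sub-IFD
XP_TAGS = {0x9C9B, 0x9C9C, 0x9C9D, 0x9C9E, 0x9C9F}  # Windows "XP" tags: UTF-16LE bytes
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 7: 1}         # BYTE, ASCII, SHORT, LONG, UNDEFINED


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to the start of scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                   # EOI or SOS: no more metadata segments
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7: # standalone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_tiff(tiff):
    """Walk IFD0 (and the Exif sub-IFD) of a TIFF blob and return {tag name: value}."""
    order = {b"MM": ">", b"II": "<"}[tiff[:2]]
    if struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF magic")
    tags = {}

    def read_ifd(off):
        n = struct.unpack(order + "H", tiff[off:off + 2])[0]
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            if size <= 4:                            # value fits inside the entry
                raw = tiff[e + 8:e + 8 + size]
            else:                                    # otherwise the entry holds an offset
                ptr = struct.unpack(order + "I", tiff[e + 8:e + 12])[0]
                raw = tiff[ptr:ptr + size]
            name = TAG_NAMES.get(tag, hex(tag))
            if tag == EXIF_IFD_POINTER:
                read_ifd(struct.unpack(order + "I", raw)[0])
            elif tag in XP_TAGS:                     # UTF-16LE regardless of byte order
                tags[name] = raw.decode("utf-16-le").rstrip("\x00")
            elif typ == 2:                           # NUL-terminated ASCII
                tags[name] = raw.decode("ascii", "replace").rstrip("\x00")
            else:
                tags[name] = raw

    read_ifd(struct.unpack(order + "I", tiff[4:8])[0])
    return tags


def exif_metadata(jpeg_bytes):
    """Find the APP1 'Exif' segment of a JPEG and parse its TIFF payload."""
    for marker, payload in jpeg_segments(jpeg_bytes):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_tiff(payload[6:])
    return {}


def _encode_ifd(entries, base):
    """Serialise [(tag, type, raw_bytes)] as a big-endian IFD placed at TIFF offset `base`."""
    entries = sorted(entries)                        # TIFF requires ascending tag order
    data_start = base + 2 + 12 * len(entries) + 4
    body, blob = b"", b""
    for tag, typ, raw in entries:
        count = len(raw) // TYPE_SIZE[typ]
        if len(raw) <= 4:
            value = raw.ljust(4, b"\x00")
        else:
            value = struct.pack(">I", data_start + len(blob))
            blob += raw
        body += struct.pack(">HHI", tag, typ, count) + value
    return struct.pack(">H", len(entries)) + body + struct.pack(">I", 0) + blob


def build_sample_jpeg():
    """Constructed minimal JPEG with Artist/XP tags copied from the exiftool output above."""
    exif_ifd = [(0x9003, 2, b"2018:05:29 10:46:42\x00")]
    ifd0 = [(0x013B, 2, b"Sarah\x00"),
            (0x0132, 2, b"2018:05:29 10:46:42\x00"),
            (0x9C9B, 1, "New York City skyline".encode("utf-16-le") + b"\x00\x00"),
            (0x9C9D, 1, "Sarah".encode("utf-16-le") + b"\x00\x00")]
    # IFD0's size does not depend on the sub-IFD offset, so measure it with a placeholder.
    probe = _encode_ifd(ifd0 + [(EXIF_IFD_POINTER, 4, b"\x00" * 4)], 8)
    sub_off = 8 + len(probe)
    ifd0_bytes = _encode_ifd(ifd0 + [(EXIF_IFD_POINTER, 4, struct.pack(">I", sub_off))], 8)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0_bytes + _encode_ifd(exif_ifd, sub_off)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for name, value in sorted(exif_metadata(build_sample_jpeg()).items()):
        print(f"{name}: {value}")
```

Run exif_metadata() on the bytes of a real JPEG to get the same Artist and XPAuthor values exiftool reports; the Creator, Title and Rating lines in the output above come from the XMP packet (a separate APP1 segment starting with a namespace URI rather than "Exif"), which this parser deliberately leaves alone.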