
# TShark Challenge I: Teamwork - THM

***

## Tags

[Network Security and Traffic Analysis](/writeups/tags/network-security-and-traffic-analysis.md)

## Tools

[TShark](https://tshark.dev/setup/install/), [VirusTotal](https://www.virustotal.com/gui/)

## Scenario

An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation."

The case was assigned to you. Inspect the provided teamwork.pcap located in `~/Desktop/exercise-files` and create artefacts for detection tooling.

***

## Tasks

<mark style="color:yellow;">**`1. What is the full URL of the malicious/suspicious domain address?`**</mark>

To identify the full URL of the malicious or suspicious domain, we first change into `~/Desktop/exercise-files`, where the `teamwork.pcap` capture is located.

Next, we run the following command in the terminal:

```bash
tshark -r teamwork.pcap -T fields -e http.host | sort -r | uniq
```

This command uses TShark, the command-line counterpart of Wireshark, to read the `teamwork.pcap` file.

The `-T fields` option tells TShark to print only the fields named with `-e`, here the HTTP `Host` header (`http.host`). Fields mode prints one line per packet, so packets without a `Host` header produce empty lines; adding a display filter such as `-Y http.request` would keep only HTTP requests. `sort -r | uniq` sorts the lines in reverse order and then collapses duplicates (`uniq` only removes adjacent duplicates, which is why the sort comes first), leaving a unique list of the hosts contacted in the capture.

<figure><img src="/files/nlKvc93zCAj7WPz6S83L" alt=""><figcaption></figcaption></figure>

In the output shown above we find the host `www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com`. Note that `http.host` carries only the value of the `Host` header, with no scheme. The header is readable here precisely because the request went over plain, unencrypted HTTP, so the scheme is `http://` and the full URL is `http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/`. Extracting `-e http.request.full_uri` instead of `http.host` prints that URL directly.

The URL is built to look like a PayPal address, but `paypal.com` is only the start of one subdomain label; the registered domain that actually owns the name is `timeseaways.com`, a classic phishing pattern. Written in defanged form, this URL is the answer.

{% hint style="success" %}
hxxp\[://]www\[.]paypal\[.]com4uswebappsresetaccountrecovery\[.]timeseaways\[.]com/
{% endhint %}

***

<mark style="color:yellow;">**`2. When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?`**</mark>

We start by navigating to VirusTotal and entering the suspicious URL we previously identified.

<figure><img src="/files/flJGNGYqMoSi6eF52Um5" alt="" width="563"><figcaption></figcaption></figure>

Once the search results load, we proceed to the details section.

<figure><img src="/files/wt0m3DUqJlzx8UYtBKdS" alt=""><figcaption></figcaption></figure>

Here, we find the information we need: the URL of the malicious domain was first submitted to VirusTotal on April 17, 2017, at 22:52:53 UTC.

{% hint style="success" %}
2017-04-17 22:52:53 UTC
{% endhint %}

***

<mark style="color:yellow;">**`3. Which known service was the domain trying to impersonate?`**</mark>

From the URL, it is clear that the domain is impersonating PayPal.

The string `paypal.com` appears at the beginning of a subdomain label (`www.paypal.com4uswebappsresetaccountrecovery`), while the registered domain is `timeseaways.com`. Users who only glance at the start of the address are meant to believe they are on a legitimate PayPal page.

{% hint style="success" %}
PayPal
{% endhint %}

***

<mark style="color:yellow;">**`4. What is the IP address of the malicious domain?`**</mark>

To determine the IP address of the malicious domain, we start by executing the command:

```bash
tshark -r teamwork.pcap -T fields -e dns.qry.name -e dns.a | sort -u
```

This command reads `teamwork.pcap` and prints, for each DNS packet, the queried name (`dns.qry.name`) and any A-record answers (`dns.a`). The `dns.a` field is only present in responses, so query packets appear with an empty second column; adding `-Y 'dns.flags.response == 1'` would restrict the output to responses. `sort -u` sorts the lines and drops duplicates.

<figure><img src="/files/mFx0qIJhQyuqmRLcXdnc" alt=""><figcaption></figcaption></figure>

Reviewing the output, the A record returned for the malicious domain is `184.154.127.226`.

{% hint style="success" %}
184\[.]154\[.]127\[.]226
{% endhint %}

***

<mark style="color:yellow;">**`5. What is the email address that was used?`**</mark>

To find the email address used in the capture, we run:

```bash
tshark -r teamwork.pcap -V | grep -Eo '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
```

`-r` names the capture file and `-V` prints the full decoded packet detail for every packet, every protocol layer included. Piping that into `grep -Eo` with a regular expression for email addresses prints only the matching addresses, regardless of which protocol or field carried them. On a large capture `-V` is slow, so this is the fallback when you do not yet know which field to extract; appending `| sort -u` removes repeated hits.

<figure><img src="/files/OupGJt3TLG6mSsEB6DMJ" alt=""><figcaption></figcaption></figure>

From the output, we identify the email address `johnny5alive@gmail.com`.

{% hint style="success" %}
johnny5alive\[at]gmail\[.]com
{% endhint %}
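The scenario asks for artefacts for detection tooling, and tasks 1, 3, 4 and 5 each end with a defanged value. The script below is an added example written for this write-up, not code from the original page, from TryHackMe or from TShark: it wraps the tshark field extractions used above in a function, defangs every value the way the answers above are written, and flags hosts where a brand name such as `paypal.com` appears under a different registered domain. The brand list, the embedded sample field dump (constructed from the findings above) and the two-label registered-domain heuristic are all assumptions of the example; `extract_fields` needs TShark and a capture and is therefore not run at the top level.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of TShark: turn the
# field dumps produced by the tshark commands above into defanged IOCs for
# detection tooling, and flag hosts that embed a well-known brand under a
# different registered domain (the trick the challenge's phishing URL uses).
# Assumptions (constructed for this example): the BRANDS list, the sample
# field output below, and the "registered domain = last two labels"
# heuristic, which ignores multi-label public suffixes such as co.uk.

BRANDS='paypal.com google.com microsoft.com'

# Field extraction as tshark would be driven on a real capture. Not called at
# the top level so the rest of the script runs without tshark installed.
extract_fields() {
  pcap=$1
  # host + full request URI for every HTTP request (plaintext HTTP only)
  tshark -r "$pcap" -Y 'http.request' -T fields -e http.host -e http.request.full_uri
  # query name + answered A records, restricted to DNS responses
  tshark -r "$pcap" -Y 'dns.flags.response == 1' -T fields -e dns.qry.name -e dns.a
}

# Defang one IOC per input line so the artefacts cannot be clicked or resolved
# by accident: http -> hxxp, :// -> [://], . -> [.], @ -> [at].
defang() {
  sed -e 's/http\(s*\):/hxxp\1:/g' \
      -e 's#://#[://]#g' \
      -e 's/\./[.]/g' \
      -e 's/@/[at]/g'
}

# Registered domain under the two-label heuristic: a.b.c.example.com -> example.com
registered_domain() {
  host=$1
  case "$host" in
    *.*.*) rest=${host%.*.*}; printf '%s\n' "${host#"$rest".}" ;;
    *)     printf '%s\n' "$host" ;;
  esac
}

# Print "LOOKALIKE <brand> <host>" when a brand domain appears anywhere in the
# host name but the host does not actually belong to that brand.
lookalike_check() {
  host=$1
  reg=$(registered_domain "$host")
  for brand in $BRANDS; do
    case "$host" in
      *"$brand"*)
        if [ "$reg" != "$brand" ]; then
          printf 'LOOKALIKE %s %s\n' "$brand" "$host"
        fi
        ;;
    esac
  done
  return 0
}

# Constructed stand-in for `extract_fields teamwork.pcap` output: tab-separated
# name/value pairs taken from the findings above, plus one benign line for contrast.
SAMPLE_FIELDS=$(printf '%s\t%s\n' \
  'www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com' \
  'http://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/' \
  'www.example.org' 'http://www.example.org/index.html' \
  'www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com' '184.154.127.226')

# Walk the dump: defang every value and report lookalike hosts.
build_artefacts() {
  printf '%s\n' "$SAMPLE_FIELDS" | while IFS="$(printf '\t')" read -r name value; do
    printf '%s\t%s\n' "$(printf '%s' "$name" | defang)" "$(printf '%s' "$value" | defang)"
    lookalike_check "$name"
  done
}

build_artefacts
printf '%s\n' 'johnny5alive@gmail.com' | defang
```

Run it as `sh artefacts.sh`; to process a real capture, replace `SAMPLE_FIELDS` with the output of `extract_fields teamwork.pcap`. The substring match deliberately catches `paypal.com` glued to other characters, as in `paypal.com4us...`, which a label-by-label comparison would miss. The two-label heuristic misclassifies hosts under multi-label suffixes such as `co.uk`; a public suffix list is the fix for production use.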

