# TShark Challenge I: Teamwork - THM

***

## Tags

[Network Security and Traffic Analysis](https://writeupsifelix.gitbook.io/writeups/tags/network-security-and-traffic-analysis)

## Tools

[TShark](https://tshark.dev/setup/install/), [VirusTotal](https://www.virustotal.com/gui/)

## Scenario

An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation."

The case was assigned to you. Inspect the provided teamwork.pcap located in `~/Desktop/exercise-files` and create artefacts for detection tooling.

***

## Tasks

<mark style="color:yellow;">**`1. What is the full URL of the malicious/suspicious domain address?`**</mark>

To identify the full URL of the malicious or suspicious domain address, we first navigate to the `~/Desktop/exercise-files` directory, where the `.pcap` file is located. This file contains the captured network traffic that we need to analyze.

Next, we execute this command in the terminal:

```bash
tshark -r teamwork.pcap -T fields -e http.host | sort -r | uniq
```

This command uses TShark, a network protocol analyzer, to read the `teamwork.pcap` file.

The `-T fields` option specifies that we want to extract specific fields from the packet data, and `-e http.host` indicates that we are interested in the HTTP host field. The `sort -r | uniq` part of the command sorts the output in reverse order and removes duplicate entries, providing us with a unique list of HTTP hosts found in the capture file.

<figure><img src="https://1608344315-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuQAhC0bSSjPd5WFAfdYq%2Fuploads%2FECSiqs4hnI6yhUAeb209%2Fimage.png?alt=media&#x26;token=9f9e4df2-8592-4ea0-a50d-d1c091ba880b" alt=""><figcaption></figcaption></figure>

Upon executing the command, we observe from the image above that the output includes the host `https://www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com/`. This URL is identified as the suspicious domain address we were looking for.

It is crucial to note that this URL mimics a legitimate PayPal address but includes additional, suspicious elements that indicate it is likely used for phishing or other malicious activities. Therefore, this URL is the answer to our query.

{% hint style="success" %}
hxxp\[://]www\[.]paypal\[.]com4uswebappsresetaccountrecovery\[.]timeseaways\[.]com/
{% endhint %}

***

<mark style="color:yellow;">**`2. When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?`**</mark>

We start by navigating to VirusTotal and entering the suspicious URL we previously identified.

<figure><img src="https://1608344315-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuQAhC0bSSjPd5WFAfdYq%2Fuploads%2FlAraMQc7XOf2ZCEJqPTP%2Fimage.png?alt=media&#x26;token=8555bb8c-a466-4c46-8f5f-d52048d4ab58" alt="" width="563"><figcaption></figcaption></figure>

Once the search results load, we proceed to the details section.

<figure><img src="https://1608344315-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuQAhC0bSSjPd5WFAfdYq%2Fuploads%2FCRC5MlguP2WK0pZFm4rX%2Fimage.png?alt=media&#x26;token=6f6c7204-7478-4d71-b565-53cf2202e8c5" alt=""><figcaption></figcaption></figure>

Here, we find the information we need: the URL of the malicious domain was first submitted to VirusTotal on April 17, 2017, at 22:52:53 UTC.

{% hint style="success" %}
2017-04-17 22:52:53 UTC
{% endhint %}

***

<mark style="color:yellow;">**`3. Which known service was the domain trying to impersonate?`**</mark>

From the URL, it is clear that the domain is attempting to impersonate PayPal.

The structure of the URL, particularly the use of “paypal.com” within the subdomain, is designed to deceive users into believing they are accessing a legitimate PayPal service.

{% hint style="success" %}
PayPal
{% endhint %}

***

<mark style="color:yellow;">**`4. What is the IP address of the malicious domain?`**</mark>

To determine the IP address of the malicious domain, we start by executing the command:

```bash
tshark -r teamwork.pcap -T fields -e dns.qry.name -e dns.a | sort -u
```

This command reads the packet capture file `teamwork.pcap` and extracts DNS query names (`dns.qry.name`) together with the A-record addresses returned for them (`dns.a`). The `sort -u` option sorts the output and keeps only unique lines, eliminating duplicate entries.

<figure><img src="https://1608344315-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuQAhC0bSSjPd5WFAfdYq%2Fuploads%2FarrdCLL4XT0nR0bd3FKp%2Fimage.png?alt=media&#x26;token=89592348-5f6d-4865-8f51-bb99451cc170" alt=""><figcaption></figcaption></figure>

Upon reviewing the output, we identify the IP address associated with the malicious domain as `184.154.127.226`.

{% hint style="success" %}
184\[.]154\[.]127\[.]226
{% endhint %}

***

<mark style="color:yellow;">**`5. What is the email address that was used?`**</mark>

To determine the email address used in the packet capture file, we execute the command:

```bash
tshark -r teamwork.pcap -V | grep -Eo '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
```

This command reads the packet capture file `teamwork.pcap` and displays detailed information about each packet. The `-r` option specifies the file to read from, and the `-V` option provides a verbose output, showing all the details of each packet. We then pipe this output to `grep`, which uses a regular expression to search for and extract email addresses from the detailed packet information.

<figure><img src="https://1608344315-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuQAhC0bSSjPd5WFAfdYq%2Fuploads%2Fdh9DE3mgbQyGggGQlELI%2Fimage.png?alt=media&#x26;token=573a527b-3286-4bb2-a91b-cf3e7ebda5f6" alt=""><figcaption></figcaption></figure>

From the output, we identify the email address `johnny5alive@gmail.com`.

{% hint style="success" %}
johnny5alive\[at]gmail\[.]com
{% endhint %}
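The scenario asks for artefacts for detection tooling. The following is an added example, not code from the original writeup or from TShark: a POSIX shell script that post-processes a host list of the kind the `http.host` pipeline in Task 1 prints, flags hosts where a brand name appears outside the brand's own registrable domain (the "paypal.com inside a subdomain" pattern from Task 3), and defangs URL, IP and e-mail indicators in the `hxxp[://]`, `[.]` and `[at]` style used for the answers above. The sample host list is constructed; the pcap itself is not read.

```shell
#!/bin/sh
# Added example (not from the original writeup). Post-processes a host list of
# the kind `tshark -r teamwork.pcap -T fields -e http.host | sort -u` prints,
# flags brand lookalikes and defangs indicators for detection artefacts.

# Constructed sample standing in for the tshark output (the pcap is not read here).
SAMPLE_HOSTS='www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com
www.paypal.com
example.org'

# Registrable domain = last two labels. Adequate for .com/.org, not for
# two-level public suffixes such as co.uk.
registrable_domain() {
    printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Echo 1 when the brand string appears in the host but the host is not under
# the brand's own registrable domain (e.g. "paypal.com" inside a subdomain), else 0.
is_lookalike() {
    host=$1; brand=$2; brand_domain=$3
    case "$host" in
        *"$brand"*)
            if [ "$(registrable_domain "$host")" = "$brand_domain" ]; then echo 0; else echo 1; fi ;;
        *) echo 0 ;;
    esac
}

# Defang one indicator: http(s):// -> hxxp(s)[://], '.' -> '[.]', '@' -> '[at]'.
defang() {
    printf '%s\n' "$1" | sed -e 's#^http\(s*\)://#hxxp\1[://]#' \
                             -e 's/\./[.]/g' -e 's/@/[at]/'
}

# Emit a defanged URL for every lookalike host in the sample list.
flag_lookalikes() {
    printf '%s\n' "$SAMPLE_HOSTS" | while IFS= read -r h; do
        if [ "$(is_lookalike "$h" paypal paypal.com)" = 1 ]; then
            defang "http://$h/"
        fi
    done
}

flag_lookalikes
```

Replace `SAMPLE_HOSTS` with the real TShark output to run it against the capture; `defang` also accepts the IP and e-mail values from Tasks 4 and 5.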
