Hello everyone, I am very new to Wireshark and have close to no idea of what I'm doing. On a practice Wireshark round (don't worry, it's over now), they wanted me to "find the email address of a machine." The only problem is, there are like 10000 packets. How am I supposed to find the answers? Thanks!

URL for capture file: https://drive.google.com/drive/folders/0B9mXYmkPhvROYV9TNjJHWmg3bFU

Wireshark Scenario: Several complaints are coming into the IT Department that the company, All-Time Favorites Arcade's, network is running slower than normal. Due to the amount of complaints, you as the network administrator run Wireshark to capture and analyze the company's network traffic to see where the bottleneck may be occurring within the company network. During your analysis of the PCAP file you notice a specific IP address is beaconing out to the Internet every two (2) hours. While the beaconing IP address has nothing to do with the bottleneck you originally were working to resolve, the beaconing activity is suspicious. Once your analysis of the PCAP file is complete you present the information to your Security Manager concerning the beaconing IP address. The Security Manager has determined to err on the side of caution as the machine may possibly be infected with malicious software that is calling back every two (2) hours.
asked 31 Jan '16, 16:06 DanielChen
One Answer:
This takes a bit of understanding of how the HTTP protocol (and thus HTML) works, and how you can find it in Wireshark. In Wireshark, you are able to search for strings with "Edit->Find Packet...". I would search for strings such as "email", "mail", etc. Chances are, someone has to submit an email via a form. So in the "input" tag of the HTML form, you should see references to values that would accept an email address, coming from the server to the client. Once you find that, at some point in the trace thereafter, the user will have provided the email address going to the server. So look for an email address being sent from the client source to the server destination in Wireshark. Hope that helps.

answered 01 Feb '16, 13:35 jeantunis
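The method in the answer above, replayed offline as an added example (this is not code from the thread, from the capture linked in the question, or from Wireshark): step 1 is the string search that "Edit->Find Packet..." does over packet payloads, step 2 pulls the field name out of the HTML `<input>` tag the server sent, and step 3 looks in later client-to-server POSTs for the value submitted under that field name. Because the question's scenario is about a host beaconing every two hours, the same packet list is also run through a simple fixed-interval check. Every IP address, timestamp and HTTP payload in `PACKETS` is constructed for illustration and is not taken from the real capture.

```python
"""Added worked example, not from the original thread or from Wireshark itself.

It replays the answer's two-step method over a small constructed packet list:
(1) search packet payloads for a string such as "mail" (what Edit->Find Packet
does), (2) pull the field name out of the HTML <input> the server sent, then
(3) look in later client->server requests for that field's submitted value.
It also checks the question's scenario: which (src, dst) pair talks at a fixed
interval. Every address, timestamp and payload below is made up for illustration.
"""
import re
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qs

# Constructed stand-in for a capture: (seconds since start, src IP, dst IP, TCP payload).
PACKETS = [
    (0.0, "10.0.0.5", "93.184.216.34",
     b"GET /signup HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (0.2, "93.184.216.34", "10.0.0.5",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     b'<form method="post" action="/signup">'
     b'<input type="text" name="user_email"><input type="password" name="pw"></form>'),
    (5.0, "10.0.0.9", "203.0.113.7",
     b"GET /ping HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"),
    (12.5, "10.0.0.5", "93.184.216.34",
     b"POST /signup HTTP/1.1\r\nHost: example.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 41\r\n\r\n"
     b"user_email=alice%40example.com&pw=hunter2"),
    (40.0, "10.0.0.5", "93.184.216.34",
     b"GET /home HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (7205.0, "10.0.0.9", "203.0.113.7",
     b"GET /ping HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"),
    (14405.0, "10.0.0.9", "203.0.113.7",
     b"GET /ping HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"),
    (21605.0, "10.0.0.9", "203.0.113.7",
     b"GET /ping HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"),
    (30000.0, "10.0.0.5", "93.184.216.34",
     b"GET /news HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

INPUT_TAG = re.compile(rb"<input\b[^>]*>", re.IGNORECASE)
NAME_ATTR = re.compile(rb'name\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_packets_containing(packets, needle):
    """Step 1: the Edit->Find Packet string search, case-insensitive, over payloads."""
    needle = needle.lower().encode()
    return [i for i, (_, _, _, payload) in enumerate(packets) if needle in payload.lower()]


def find_email_form_fields(packets):
    """Step 2: <input> tags whose name mentions 'mail', in server->client responses.
    Returns (packet index, server, client, field name)."""
    hits = []
    for i, (_, src, dst, payload) in enumerate(packets):
        if not payload.startswith(b"HTTP/"):  # only responses carry the form
            continue
        for tag in INPUT_TAG.finditer(payload):
            m = NAME_ATTR.search(tag.group(0))
            if m and b"mail" in m.group(1).lower():
                hits.append((i, src, dst, m.group(1).decode()))
    return hits


def find_submitted_email(packets):
    """Step 3: for each form field found, look at later POSTs from that client back
    to that server and decode the value submitted under the field name."""
    found = []
    for form_idx, server, client, field in find_email_form_fields(packets):
        for j in range(form_idx + 1, len(packets)):
            _, src, dst, payload = packets[j]
            if (src, dst) != (client, server) or not payload.startswith(b"POST "):
                continue
            _, _, body = payload.partition(b"\r\n\r\n")
            params = parse_qs(body.decode(errors="replace"))  # undoes %40 -> @
            if field in params:
                found.append((j, client, field, params[field][0]))
    return found


def beacon_candidates(packets, min_packets=3, tolerance=0.05):
    """Scenario check: (src, dst) pairs whose inter-packet gaps are all within
    `tolerance` of the median gap. Returns (src, dst, interval in seconds, count)."""
    times = defaultdict(list)
    for t, src, dst, _ in packets:
        times[(src, dst)].append(t)
    out = []
    for (src, dst), ts in times.items():
        if len(ts) < min_packets:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            out.append((src, dst, mid, len(ts)))
    return out


if __name__ == "__main__":
    print("packets containing 'email':", find_packets_containing(PACKETS, "email"))
    print("email fields offered by a server:", find_email_form_fields(PACKETS))
    print("email submitted by a client:", find_submitted_email(PACKETS))
    print("periodic talkers:", beacon_candidates(PACKETS))
```

In Wireshark itself the same two steps map onto display filters rather than a script: `frame contains "mail"` narrows 10000 packets to the handful whose bytes mention mail, and `http.request.method == "POST"` isolates the client's form submissions so the value sent back to the server can be read in the packet details. The periodicity check is the part that needs scripting or a tshark export, since a fixed two-hour gap is only visible when you compare timestamps per (source, destination) pair.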