The Core Addendum: CTF Walkthrough
On the debut of my new show The Core on Tuesday, I got to share a few, but not all, of the Wireshark exercises I had planned. In honor of Cybersecurity Awareness Month, I thought it appropriate to frame the activity in a capture the flag (CTF) format, as is often done at security conferences and increasingly through online learning platforms. All the exercises, my approach to solving them, and the answers are below. I worked from two packet captures taken on my local test BIG-IP system.
Task 1.A - How many ARP requests for 10.0.3.100?
My approach to most tasks is to start with a wide net and work toward the narrow. So for this first one, I apply the generic protocol filter, arp, which shows every ARP frame in the capture, requests and replies alike.
I could count from there (the first match is in packet 477), but instead I narrow the filter to the ARP target protocol address, the IP the task asks about: arp.dst.proto_ipv4 == 10.0.3.100. A strict filter for requests also adds arp.opcode == 1, because the target protocol address field is present in replies too (a reply sent back to 10.0.3.100 carries its IP there), so the opcode is what separates "who has" from "is at".
And with that, the final answer for this task is 5.
Task 1.B - How many ping requests?
For this task, reading the question carefully matters: it asks for ping requests, not all ping traffic.
A capture could carry many other ICMP message types (destination unreachable, time exceeded, and so on), but this one only has the echo request and echo reply types. The task wants requests only, which are ICMP type 8 (echo reply is type 0), so the filter is icmp.type == 8 rather than a bare icmp. For IPv6 hosts the equivalent is icmpv6.type == 128.
Final answer: 7
Task 1.C - How many multicast DNS queries for an "Elgato Key Light Air"?
Wrapping up the first task group, this can be done one of two ways: the generic mdns protocol filter (DNS carried on UDP port 5353) and a look through the query names, or the field filter dns.qry.name contains "Elgato Key Light Air", which does the string matching for you. Two things to keep in mind with the second form: the contains operator is case-sensitive (use matches for a case-insensitive regular expression), and both filters also show mDNS responses, so dns.flags.response == 0 is the addition that keeps queries only.
Both results are the same, and the final answer here is 13.
Task 2 - What’s the MAC address for the IP host 10.0.4.20?
This one is pretty straightforward as well. I just need to find the IP with the ip.addr filter and read the MAC address from the Ethernet header of a matching frame (eth.src when 10.0.4.20 is the source, eth.dst when it is the destination). The filter can be refined to ip.src or ip.dst so I only need to consider one direction; I use ip.dst == 10.0.4.20 here, so the MAC I want is eth.dst. One check worth doing: eth.dst is only the next hop on the segment where the capture was taken, so if 10.0.4.20 sat behind a router that MAC would be the router's, not the host's. An ARP reply from the host itself (arp.src.proto_ipv4 == 10.0.4.20, MAC in arp.src.hw_mac) is the authoritative source when one is in the capture.
Final answer: the MAC address is 00:0c:29:b4:5c:90. The 00:0c:29 prefix is a VMware OUI, which is consistent with a virtual test BIG-IP.
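The same four questions answered programmatically, as an added example that is not part of the original post: a minimal pure-Python dissector for Ethernet, ARP, IPv4, ICMP, UDP and DNS that exposes the same field names the Wireshark display filters use (arp.opcode, arp.dst.proto_ipv4, icmp.type, udp.dstport, dns.flags.response, dns.qry.name, eth.dst), plus one counting function per task. The capture it runs on is constructed inline, with made-up MAC and IP addresses and zeroed checksums, so the counts it produces are for that sample, not the author's captures. It deliberately includes the cases the filters above have to exclude: an ARP reply addressed to 10.0.3.100, an ICMP destination unreachable, and an mDNS response that mentions the light.

```python
"""Added example (not the author's code). Answer the four CTF tasks over a constructed
Ethernet capture with a small pure-Python dissector that uses Wireshark field names."""
import socket
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806

def mac(b): return ":".join(f"{x:02x}" for x in b)
def _m(s): return bytes.fromhex(s.replace(":", ""))
def _i(s): return socket.inet_aton(s)

def qname(d, off):
    """Decode an uncompressed DNS name, as found in a question section."""
    labels = []
    while d[off] and not d[off] & 0xC0:
        labels.append(d[off + 1:off + 1 + d[off]].decode("utf-8", "replace"))
        off += 1 + d[off]
    return ".".join(labels)

def dissect(frame):
    """Return {wireshark-style field: value} for eth / arp / ip / icmp / udp / dns."""
    f = {}
    dst, src, etype = struct.unpack_from("!6s6sH", frame)
    f["eth.dst"], f["eth.src"] = mac(dst), mac(src)
    p = frame[14:]
    if etype == ETH_ARP:                       # opcode follows htype/ptype/hlen/plen (6 bytes)
        op, sha, spa, tha, tpa = struct.unpack_from("!H6s4s6s4s", p, 6)
        f.update({"arp.opcode": op, "arp.src.hw_mac": mac(sha),
                  "arp.src.proto_ipv4": socket.inet_ntoa(spa), "arp.dst.proto_ipv4": socket.inet_ntoa(tpa)})
    elif etype == ETH_IP:
        ihl, proto = (p[0] & 0x0F) * 4, p[9]
        f["ip.src"], f["ip.dst"] = socket.inet_ntoa(p[12:16]), socket.inet_ntoa(p[16:20])
        l4 = p[ihl:]
        if proto == 1:                         # ICMP: type is the first byte
            f["icmp.type"] = l4[0]
        elif proto == 17:                      # UDP; DNS/mDNS on 53/5353
            f["udp.srcport"], f["udp.dstport"] = struct.unpack_from("!HH", l4)
            if {f["udp.srcport"], f["udp.dstport"]} & {53, 5353}:
                d = l4[8:]
                flags, qd = struct.unpack_from("!HH", d, 2)
                f["dns.flags.response"] = flags >> 15
                if qd:
                    f["dns.qry.name"] = qname(d, 12)
    return f

# Task 1.A. arp.dst.proto_ipv4 == target alone also matches ARP *replies* sent to that host
# (its IP is the target protocol address there); arp.opcode == 1 keeps only requests.
def arp_requests_for(frames, target, requests_only=True):
    return sum(1 for f in frames if f.get("arp.dst.proto_ipv4") == target
               and (not requests_only or f.get("arp.opcode") == 1))

# Task 1.B. icmp.type == 8 is echo request; replies (0) and errors (3, 11, ...) are not pings.
def ping_requests(frames):
    return sum(1 for f in frames if f.get("icmp.type") == 8)

# Task 1.C. mDNS is DNS on UDP/5353; dns.flags.response == 0 drops the answers.
# The substring test is case-sensitive, like Wireshark's "contains".
def mdns_queries_containing(frames, needle):
    return sum(1 for f in frames if f.get("udp.dstport") == 5353
               and f.get("dns.flags.response") == 0 and needle in f.get("dns.qry.name", ""))

# Task 2. An ARP reply from the host is authoritative; eth.dst of a frame sent to it is only
# the next hop on the captured segment (a router's MAC if the host is on another subnet).
def mac_for_ip(frames, ip):
    for f in frames:
        if f.get("arp.opcode") == 2 and f.get("arp.src.proto_ipv4") == ip:
            return f["arp.src.hw_mac"]
    return next((f["eth.dst"] for f in frames if f.get("ip.dst") == ip), None)

# --- constructed sample capture: made-up addresses, checksums left zero ---
def arp_frame(op, sha, spa, tha, tpa):
    dst = "ff:ff:ff:ff:ff:ff" if op == 1 else tha
    return (_m(dst) + _m(sha) + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, op, _m(sha), _i(spa), _m(tha), _i(tpa)))
def ip_frame(dmac, smac, src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, _i(src), _i(dst))
    return _m(dmac) + _m(smac) + struct.pack("!H", ETH_IP) + hdr + payload
def icmp(kind): return struct.pack("!BBHHH", kind, 0, 0, 1, 1)
def mdns(name, response):
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0" + struct.pack("!HH", 12, 1)
    d = struct.pack("!HHHHHH", 0, 0x8000 if response else 0, 1, 0, 0, 0) + q
    return struct.pack("!HHHH", 5353, 5353, 8 + len(d), 0) + d

H1, H2, BIGIP, LAMP = "00:0c:29:11:22:33", "b8:27:eb:44:55:66", "00:50:56:77:88:99", "3c:6a:9d:aa:bb:cc"
MCAST, LIGHT = "01:00:5e:00:00:fb", "Elgato Key Light Air 1234._hap._tcp.local"
SAMPLE = [
    arp_frame(1, H2, "10.0.3.1", "00:00:00:00:00:00", "10.0.3.100"),            # who-has 10.0.3.100
    arp_frame(1, H2, "10.0.3.1", "00:00:00:00:00:00", "10.0.3.100"),
    arp_frame(1, BIGIP, "10.0.3.100", "00:00:00:00:00:00", "10.0.3.1"),         # .100 asks for .1
    arp_frame(2, H2, "10.0.3.1", BIGIP, "10.0.3.100"),                          # reply *to* .100
    arp_frame(2, H1, "10.0.4.20", H2, "10.0.4.1"),                              # 10.0.4.20 answers
    *[ip_frame(BIGIP, H2, "10.0.3.1", "10.0.3.100", 1, icmp(8)) for _ in range(3)],  # echo request
    *[ip_frame(H2, BIGIP, "10.0.3.100", "10.0.3.1", 1, icmp(0)) for _ in range(3)],  # echo reply
    ip_frame(H2, BIGIP, "10.0.3.100", "10.0.3.1", 1, icmp(3)),                  # dest unreachable
    ip_frame(H1, H2, "10.0.4.1", "10.0.4.20", 1, icmp(8)),                      # ping to 10.0.4.20
    *[ip_frame(MCAST, H2, "10.0.3.1", "224.0.0.251", 17, mdns(LIGHT, False)) for _ in range(2)],
    ip_frame(MCAST, LAMP, "10.0.3.7", "224.0.0.251", 17, mdns(LIGHT, True)),    # the light answers
    ip_frame(MCAST, H2, "10.0.3.1", "224.0.0.251", 17, mdns("_http._tcp.local", False)),
]

def answers(frames=SAMPLE):
    d = [dissect(f) for f in frames]
    return {"1.A": arp_requests_for(d, "10.0.3.100"),
            "1.A without opcode": arp_requests_for(d, "10.0.3.100", requests_only=False),
            "1.B": ping_requests(d),
            "1.C": mdns_queries_containing(d, "Elgato Key Light Air"),
            "2": mac_for_ip(d, "10.0.4.20")}

if __name__ == "__main__":
    print(answers())
```

On the constructed capture the strict ARP count is 2 while the address-only filter returns 3, because the reply sent to 10.0.3.100 carries its IP as the target protocol address; that difference is the reason to add arp.opcode == 1 in Wireshark as well. Pointing the dissector at a real file only needs a pcap reader in front of it (the frame bytes are standard Ethernet), and the field names line up with the display filters so the two approaches can be cross-checked against each other.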