The Core Addendum: CTF Walkthrough
On the debut of my new show The Core on Tuesday, I got to share a few, but not all of the Wireshark exercises I had planned. In honor of Cybersecurity Awareness Month, I thought it appropriate to frame the activity in a capture the flag (CTF) format as is often offered at security conferences and increasingly as well through online learning platforms. All the exercises, my approach to solving them, and the answers are below. I worked from two packet captures from my local test BIG-IP system.
Task 1.A - How many arp requests for 10.0.3.100?
My approach to most tasks is to start with a wide net and work toward the narrow. So for this first one, I apply a generic arp filter.
I could count from there, as you can see that there is at least one matching in packet 477, but instead, I can narrow the filter to the arp destination of the IP asked for.
And with that, I have a final answer for this task of 5.
Task 1.B - How many ping requests?
For this task, following directions is necessary, as the request is for ping requests, not all pings.
There could be even more icmp traffic at any given time, but this capture only has the request/response types. Our task is request only, which has an icmp type of 8.
Final answer: 7
Task 1.C - How many multicast DNS queries for an "Elgato Key Light Air"?
Wrapping up the first task focus, this can be accomplished one of two ways, with a generic mdns protocol filter or the dns.qry.name filter and then the contains operator for that string.
Both results are the same, and the final answer here is 13.
Task 2 - What’s the MAC address for the IP host 10.0.4.20?
This one is pretty straight forward as well. I just need to find the IP address with the ip.addr filter and match the IP as source or destination to the MAC address, but this can be refined to ip.dst or ip.src so I only need to consider one. I use ip.dst in this case.
Final answer: the mac address is 00:0c:29:b4:5c:90.
Task 3 - What are the resolved names for the 00:0c:29:21:ad:4d and ff:ff:ff:ff:ff:ff MAC addresses?
If you look at the images above in Task 1A, you'll notice that the MAC addresses in the Source/Destination columns are raw. To enable name resolution, I need to change the preferences in Wireshark.Task 4.A - What percentage of packets in the capture are handled by TMM0?
This task is our first look at using the f5ethtrailer filter list, incorporating the f5ethtrailer.tmm filter. Note that in Wireshark versions of yesteryear you had to compile this into a custom Wireshark build yourself. But from v2.6+, it's included and at least in my latest version, also enabled by default.Task 4.B - What number of packets are handled by TMM1?
This task only needs an adjustment of the tmm number. I included it just for the purpose of being attentive to what's asked. When you're in a competition, sometimes you only get one attempt to answer, so make sure you don't fall into the trap of providing the information in the wrong format.Task 5 - For a traffic flow to ip 10.0.4.20 on port 8081, what’s the request verb and the value of the X-Server-Disabled header in the response?
This one I combine two filters, ip.addr and tcp.port 8081 to find the flow or flows for this address/port pair and then look at the TCP stream of the first flow and hope for the best.Task 6 - What’s the BIG-IP version and tcpdump command that was run to generate this packet capture
This has an easy cheat in that you just need to look at the first packet in the capture, but the goal is to identify the filter f5fileinfo.cmdline.Task 7 - Limit the capture to only tcp ports 80, 443, 8080, 8081 OR tcp resets?
This task is an easy grab from the same filter as in task 6, but I wanted to make mention of the difference of capture filters and display filters. Capture filters reduce the number of packets that a) the system has to log, reducing the impact to system performance during capture and b) the analyst has to comb through and process. These are both net positives with the assumption that you are not restricting the capture past the point where you lose the necessary data to properly capture the problem you're trying to find and solve. Display filters are only limiting what you are looking at after the capture is already taken. The data set itself is not changed.Task 8 - How many GET requests can you see against tcp port 443
This is another multi-filter combination, using http and tcp.port.Task 9 - How do we decrypt the HTTPS traffic and once done, repeat task 8?
In task 7 I noted the --f5 ssl flag on the tcpdump. When you enable the database key tcpdump.sslprovider and use that flag when taking a capture, the key material will be included in your capture (WARNING!! Do not share/store this file without understanding the repercussions!) so you can decrypt the traffic for analysis. On the Wireshark side since I did include this in this second capture, I use the f5ethtrailer.keylog filter to find all the keylog entries, which need to be copied out of the capture to a file and then referenced back in the Wireshark settings. I show one below, but note that all should be done to make the whole capture decrypted. This can be done auto-magically with tshark as shown at the bottom of this lab document on Clouddocs.Task 10 - What are the virtual server names for the destinations 10.0.3.50:80 and 10.0.3.50:443, respectively?
For this final task in this CTF walkthrough, I'll need the f5ethtrailer.vip filter to narrow down the packets I need to reference, and then a combination as well of ip.dst and tcp.port filters. First, port 80.Conclusion
And there we have it! A successful journey through a variety of tasks analyzing a couple BIG-IP packet captures. As I mentioned during the show, I had a teacher in a packet analysis 20 years ago who encouraged 15 minutes a day looking at captures to keep those skills sharp. I didn't, and he was right. Use it or lose, people!- JRahmAdmin
I hope you enjoyed this as much as I enjoyed putting it together! If you have any questions or comments, let me know!
Its good to know the filters, but as a tip - if one stumbles upon how to put a filter, one can simply use the status bar of wireshark.
Select your packet, goto packet detail and click on the parameter you want to focus on. Automatically the status bar will show you the filter name.