BTJA Intro to Network Analysis Wireshark Activity PCAP 2 Walkthrough!

My walkthrough of analyzing PCAP 2 of the Wireshark Challenge from Security Blue Team’s Blue Team Junior Analyst Pathway.

After analyzing the pcap 2 given we will answer the following questions.

What is the WebAdmin password?

To get the WebAdmin password we will first checked Statistics > Protocol hierarchy.

Then after analyzing the protocols, I have decided to check passwords in unencrypted http protocol first so filter http in display filter.

As shown in figure above packet no. 4121 is requesting for password file so we will dig deeper into this packet by following his http stream to get the password.

Answer: sbt123

HTTP traffic does not have encryption so data can be seen in plain text.

2. What is the version number of the attacker’s FTP server?

As we know that the request to passwords.txt file was made by attacker (192.168.56.1) so we can get the server version number by applying the filter by selecting source IP as follows below.

and now adding ftp into display filter I have get the version number of server in the frame display section and brief google search on pyftpdlib shows that it is a python FTP server library.

Answer: 1.1.5

3. Which port was used to gain access to the victim Windows host?

To look about port we will search for attacker IP as source IP in display filter where it gets the acknowledgement (ACK) response from victim host and then will analyze which port the victim window was compromised.