This task comes with a PCAP file that is used to get the answers for this room.
ARP Overview
ARP, or Address Resolution Protocol, is a Layer 2 protocol used to map IP addresses to MAC addresses. Its traffic consists of REQUEST messages and REPLY messages. To identify which is which, the message header carries one of two operation codes:
Request (1)
Reply (2)
Below you can see a packet capture of multiple ARP requests and replies.
It is useful to note that most devices will identify themselves, or Wireshark will identify them for you (for example as Intel_78, derived from the vendor portion of the MAC address); an example of suspicious traffic would be many requests from an unrecognized source. For Wireshark to resolve physical addresses this way you need to enable a setting: navigate to View > Name Resolution and ensure that Resolve Physical Addresses is checked.
Looking at the screenshot below, we can see that a Cisco device is sending ARP requests, which suggests that we should be able to trust this device; however, you should always err on the side of caution when analyzing packets.
ARP Traffic Overview
ARP Request Packets:
We can begin analyzing packets by looking at the first ARP Request packet and looking at the packet details.
Looking at the packet details above, the most important details of the packet are outlined in red. The Opcode is short for operation code and tells you whether the packet is an ARP Request or Reply. The second outlined detail is where the packet is being sent; in this case, the request is broadcast to all hosts.
ARP Reply Packets:
Looking at the packet details above, we can see from the Opcode that this is an ARP Reply packet. We can also get other useful information, like the MAC and IP address sent along with the reply; since this is a reply packet, we know that this is the information the responding host sent back in the message.
ARP is one of the simpler protocols to analyze: all you need to remember is to identify whether a packet is a request or a reply and who sent it.
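As an added illustration (example code written for this walkthrough, not part of the TryHackMe room or of Wireshark), the parser below pulls out of a raw Ethernet II/ARP frame the same fields Wireshark shows in its ARP subtree: the Opcode (1 request, 2 reply), the sender and target MAC and IP, and the broadcast destination of a request, and reproduces the arp.opcode == 2 filter over a list of frames. The sample frames are constructed test data; the MAC 80:fb:06:f0:45:d7 and IP 10.251.23.1 are the values from the exercise, while the other addresses are made up.

```python
import struct
ETHERTYPE_ARP = 0x0806
OPCODES = {1: "Request", 2: "Reply"}   # the two opcodes an ARP header can carry
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)   # lowercase colon-hex, as Wireshark shows it

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed Ethernet II + ARP frame; requests are broadcast, replies unicast."""
    eth_dst = BROADCAST if opcode == 1 else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    # hw type 1 (Ethernet), proto 0x0800 (IPv4), hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Return the fields Wireshark shows in the Ethernet II and ARP subtrees."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "opcode": opcode, "opcode_name": OPCODES.get(opcode, "Unknown"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def reply_frames(frames: list) -> list:
    """1-based frame numbers (Wireshark's numbering) matching the filter arp.opcode == 2."""
    return [n for n, f in enumerate(frames, 1) if parse_arp(f)["opcode"] == 2]

# Constructed sample capture: a broadcast request for 10.251.23.1 and the unicast reply
SAMPLE = [build_arp(1, "00:11:22:33:44:55", "10.251.23.50", "00:00:00:00:00:00", "10.251.23.1"),
          build_arp(2, "80:fb:06:f0:45:d7", "10.251.23.1", "00:11:22:33:44:55", "10.251.23.50")]
```

Calling parse_arp on each SAMPLE frame gives the same Opcode, Sender MAC and Sender IP values you would read off Wireshark's ARP subtree for a request and a reply.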
Practical ARP Packet Analysis
Now that you know what ARP packets and normal ARP traffic look like, let's dive into an exercise.
Start the AttackBox, go to the folder /root/Rooms/Wireshark101 and double-click the task7.pcap file to open it in Wireshark; you can also download the PCAP provided in the task.
This capture has multiple protocols, so you may need to use your knowledge of filtering from the previous tasks; once you're ready, begin analysis of the capture.
Answer the questions below
What is the Opcode for Packet 6?
How to: Once you have the PCAP open, type arp into the display filter at the top. This filters the view down to the ARP packets. Packet 6 should now be at the top of the list; click on it and its details will be loaded in the pane at the bottom of Wireshark. Click on the Address Resolution Protocol (ARP) section in that pane to expand the ARP portion of the packet, and look for the Opcode; the answer is in that section.
Answer: Request (1)
What is the source MAC Address of Packet 19?
How to: Keeping the same filter in place, go back up to the packet list and look for packet number 19. Click on it, then go back down to the details pane for packet 19. Click on the second layer, labeled Ethernet II; the subtree expands to show you the destination and source MAC addresses. You can either type this in, or click and hold on the source MAC address and drag it up to the filter bar, choosing how to add it. Once it is added, you can copy the MAC address and paste it into the TryHackMe answer.
Answer: 80:fb:06:f0:45:d7
What 4 packets are Reply packets?
How to: To find the answer to this question you will need to work those filtering skills. On the far right of the filter bar you will see an X; click it to clear the filter bar. Once the filter bar is cleared, enter the filter arp.opcode == 2, which hides every packet except the replies. From there you just need to write the packet numbers in descending order for the answer, with no spaces after the commas.
Answer: 76,400,459,520
What IP Address is at 80:fb:06:f0:45:d7?
How to: To get this answer, click on any one of the reply packets. Click on Address Resolution Protocol (ARP), then scroll down until you see Sender IP address. This is the answer to this question.
Answer: 10.251.23.1
From <https://tryhackme.com/room/wireshark>