ICMP Overview
ICMP, the Internet Control Message Protocol, carries diagnostic and error messages between nodes on an IP network; it is what utilities such as ping and traceroute are built on. You should already be familiar with how ICMP works; if you need a refresher, read the IETF specification (RFC 792).
Below is a sample of what a ping looks like in a capture: an ICMP echo request from the client to the server, followed by an echo reply from the server.
ICMP Traffic Overview
ICMP request:
Below we see the packet details for a ping request. The first things to note are the type and code fields. A type of 8 is an echo request and a type of 0 is an echo reply; for both of these the code is 0. Type and code values that have been altered, or that do not fit the conversation they appear in, are typically a sign of suspicious activity, so it is worth checking that they match what the traffic should contain.
Two other fields in the packet are worth analysing: the timestamp and the data. The timestamp that Wireshark shows under the ICMP layer ("Timestamp from icmp data") is read from the first bytes of the echo payload, where the sending ping program stores the time the request was sent; it tells you when the ping was issued and can in some cases point to suspicious activity. The data string that follows is normally a fixed filler pattern chosen by the ping implementation (the Linux ping payload simply counts up byte by byte), so a payload containing anything else, such as readable text or an unusual length, deserves a closer look.
ICMP Reply:
Below you can see that the reply packet is very similar to the request. What distinguishes a reply is the type field: here it is 0 (the code is 0 for both requests and replies), confirming that this is an echo reply.
The same analysis techniques that apply to request packets apply here as well; the main difference is the packet type.
Practical ICMP Packet Analysis
Now that you understand how an ICMP packet is formed and what it contains, we can begin hands-on analysis of ICMP packets. Go to the folder /root/Rooms/Wireshark101 on the AttackBox and double-click task8.pcap to open it in Wireshark; you can also download the pcap from this task.
This capture contains only two protocols, so applying the icmp display filter is optional.
Answer the questions below
What is the type for packet 4?
How to: Once the PCAP is loaded into Wireshark, click on packet 4. The Info column of the packet list tells you whether it is an echo request or an echo reply, and the Internet Control Message Protocol layer in the packet details pane shows the numeric type. The question wants that number, not the words "request" or "reply".
Answer: 8
What is the type for packet 5?
How to: As in the question above, click on packet 5 and read the type either from the Info column or from the ICMP layer in the packet details pane.
Answer: 0
What is the timestamp for packet 12, only including month day and year?
Note: Wireshark displays the timestamp in your device's time zone, so if your answer is marked wrong, try one day earlier or later.
How to: Scroll down the packet list to packet 12 and click it. In the packet details pane, expand the Internet Control Message Protocol section; near the bottom you will see "Timestamp from icmp data". Enter the date shown there into TryHackMe.
Answer: May 30, 2013
What is the full data string for packet 18?
How to: Click on packet 18. In the packet details pane, expand the Internet Control Message Protocol section and scroll to the Data field at the bottom. Expand it, right-click the data string, hover over Copy in the context menu, and choose "...as a Hex Stream". The hex string is now on your clipboard and can be pasted into TryHackMe.
Answer: 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
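The fields the questions above read off Wireshark (type, code, the timestamp carried in the echo payload, and the data string) can be parsed straight from the packet bytes. The script below is an added example written for this page, not code from the TryHackMe room or from Wireshark. It assumes the payload layout that the task's data string implies (an 8-byte little-endian timeval, as ping writes it on x86 hosts, followed by the Linux ping filler bytes 0x08 to 0x37) and works on a few constructed packets rather than on task8.pcap. Beyond restating the questions, it applies the checks suggested in the overview: a non-zero code on an echo packet, a bad checksum, and a payload that departs from the expected filler, such as readable text, which is what ICMP tunnelling looks like in a capture.

```python
"""Parse ICMP echo packets the way the walkthrough reads them in Wireshark and
flag values that do not look like ordinary ping traffic. Stdlib only."""
import struct
from datetime import datetime, timezone

ECHO_REPLY, ECHO_REQUEST = 0, 8
TYPE_NAMES = {ECHO_REPLY: "Echo (ping) reply", ECHO_REQUEST: "Echo (ping) request"}
# Assumed payload layout, chosen to match the task's data string (08..37): an
# 8-byte timeval (32-bit seconds, 32-bit microseconds, little-endian as ping
# writes it on x86 hosts) followed by the Linux ping filler bytes 0x08..0x37.
DEFAULT_PATTERN = bytes(range(0x08, 0x38))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, ts_sec, ts_usec,
               payload=DEFAULT_PATTERN, code=0) -> bytes:
    """Build an ICMP echo packet (8-byte header + timeval + payload)."""
    body = struct.pack("<II", ts_sec, ts_usec) + payload
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + body


def parse_echo(packet: bytes) -> dict:
    """Decode the fields Wireshark shows in the ICMP subtree for one packet."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    timestamp, data = None, packet[8:]
    if len(data) >= 8:  # ping stores its send time in front of the filler bytes
        ts_sec, ts_usec = struct.unpack("<II", data[:8])
        timestamp = datetime.fromtimestamp(ts_sec + ts_usec / 1e6, timezone.utc)
        data = data[8:]
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "type_name": TYPE_NAMES.get(icmp_type, "other"),
            # a correct packet sums to zero when the checksum field is included
            "checksum_ok": icmp_checksum(packet) == 0,
            "timestamp": timestamp, "data": data, "data_hex": data.hex()}


def printable_run(data: bytes, min_len: int = 6) -> str:
    """Longest run of printable ASCII in data, or "" if shorter than min_len."""
    best = run = ""
    for b in data:
        run = run + chr(b) if 0x20 <= b < 0x7F else ""
        best = max(best, run, key=len)
    return best if len(best) >= min_len else ""


def flag_anomalies(info: dict) -> list:
    """Checks worth running over every echo packet in a capture."""
    flags = []
    if info["type"] in TYPE_NAMES and info["code"] != 0:
        flags.append("echo packet with code %d (should be 0)" % info["code"])
    if not info["checksum_ok"]:
        flags.append("bad ICMP checksum")
    if info["data"] != DEFAULT_PATTERN:
        flags.append("%d-byte payload is not the default Linux ping filler" % len(info["data"]))
        text = printable_run(info["data"])
        if text:  # readable text riding in an echo payload suggests tunnelling
            flags.append("printable text in payload: %r" % text)
    return flags


# Constructed sample packets (not from the task pcap); 2013-05-30 12:00:00 UTC
TS_SEC, TS_USEC = 1369915200, 123456
SAMPLES = {
    "normal request": build_echo(ECHO_REQUEST, 0x1234, 1, TS_SEC, TS_USEC),
    "normal reply": build_echo(ECHO_REPLY, 0x1234, 1, TS_SEC, TS_USEC),
    "tunnel-like request": build_echo(ECHO_REQUEST, 0x1234, 2, TS_SEC, TS_USEC,
                                      payload=b"cat /etc/shadow".ljust(48, b"\x00")),
    "crafted code": build_echo(ECHO_REQUEST, 0x1234, 3, TS_SEC, TS_USEC, code=5),
}


def main():
    for label, packet in SAMPLES.items():
        info = parse_echo(packet)
        print("%-20s type=%d code=%d %s id=0x%04x seq=%d ts=%s" % (
            label, info["type"], info["code"], info["type_name"], info["ident"],
            info["seq"], info["timestamp"].strftime("%b %d, %Y %H:%M:%S UTC")))
        for flag in flag_anomalies(info):
            print("    ! " + flag)


if __name__ == "__main__":
    main()
```

Run it with python3 and it prints one line per constructed packet in the style of Wireshark's Info column, followed by any flags. To apply the same checks to task8.pcap you would feed it the ICMP layer bytes of each frame (after the Ethernet and IP headers). Other ping implementations use different filler patterns (Windows ping sends a repeating alphabet), so a deviation from the Linux default is a prompt to look closer, not proof of tunnelling on its own.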
From <https://tryhackme.com/room/wireshark>