Tuesday, June 7, 2022

TryHackMe Wireshark 101: Task 9 TCP Traffic

TCP Overview

TCP, or Transmission Control Protocol, handles the delivery of packets, including sequencing and error handling. You should already have an understanding of how TCP works; if you need a refresher, check out the IETF TCP documentation.

 

Below you can see a sample of an Nmap scan of ports 80 and 443. We can tell that the ports are closed because of the RST, ACK packets highlighted in red.

 

[Screenshot: Wireshark packet list for the Nmap scan. Packets 53 to 58 between 192.168.227.128 and 192.168.227.131: SYN packets to ports 80 and 443 (Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 WS=128), each answered by a RST, ACK packet (Seq=1 Ack=1 Win=0 Len=0).]

 

When analyzing TCP packets, Wireshark can be very helpful: it color-codes the packets in order of danger level. If you can't remember the color codes, go back to Task 3 and refresh on how Wireshark uses colors to match packets.

 

TCP can give useful insight into a network when analyzing traffic; however, it can also be hard to analyze due to the sheer number of packets it sends. This is where you may need other tools, such as RSA NetWitness and NetworkMiner, to filter and further analyze the captures.

 

TCP Traffic Overview

A common thing that you will see when analyzing TCP packets is the TCP handshake, which you should already be familiar with. It consists of a series of packets, SYN, SYN/ACK and ACK, that allows two devices to establish a connection.

 

[Screenshot: Wireshark packet list of a TCP three-way handshake between 192.168.1.104 (port 49859) and 216.18.166.136 (port 80): packet 1 SYN (Seq=3588415412 Win=8192 Len=0 MSS=1460 SACK_PERM=1), packet 2 SYN, ACK (Ack=3588415413 Win=5792 WS=512), packet 3 ACK (Seq=3588415413 Win=17136 Len=0).]

 

Typically, when this handshake is out of order, or when it includes other packets such as an RST packet, something suspicious or wrong is happening in the network. The Nmap scan in the section above is a perfect example of this.

 

TCP Packet Analysis

When analyzing TCP packets we will not go into every individual detail of the packet; instead, we will look at a few of the behaviors and structures that the packets have.

 

Below we see the packet details for a SYN packet. The main things to look for when looking at a TCP packet are the sequence number and the acknowledgment number.

 

[Screenshot: Packet details for frame 53 (74 bytes on wire, 192.168.227.128 to 192.168.227.131, destination port 80, stream index 1): Sequence number 0 (relative; raw 238988457), Next sequence number 1 (relative), Acknowledgment number 0, Header Length 40 bytes, Window size value 64240, Checksum unverified, Options (20 bytes): Maximum segment size, SACK permitted, Timestamps, No-operation (NOP), Window scale.]

 

In this case, we see that the port was not open because the acknowledgment number is 0. 

 

Within Wireshark, we can also see the original (raw) sequence number by navigating to Edit > Preferences > Protocols > TCP and unchecking "Relative sequence numbers".

 

[Screenshot: Wireshark Preferences > Protocols > Transmission Control Protocol, showing the TCP options including "Analyze TCP sequence numbers" and "Relative sequence numbers (Requires "Analyze TCP sequence numbers")".]

 

[Screenshot: The same packet details for frame 53 with relative sequence numbers disabled: Sequence number 238988457, Next sequence number 238988458, Header Length 40 bytes, Window size value 64240, Options (20 bytes): Maximum segment size, SACK permitted, Timestamps, No-operation (NOP), Window scale.]

 

Typically, TCP packets need to be looked at as a whole, so that they tell a story, rather than one by one at the level of their individual details.
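As an added example (not part of the room or this write-up), the following Python script groups constructed packet records into streams the way Wireshark's stream index does, computes relative sequence and acknowledgment numbers from raw ones as the preference above does, and flags streams where a SYN is answered by RST,ACK, the closed-port pattern from the Nmap capture. All addresses, ports and sequence numbers are constructed, loosely modelled on the two captures above.

```python
from collections import defaultdict

# Constructed packet records (src, sport, dst, dport, flags, raw_seq, raw_ack).
# First three: a three-way handshake. Last two: a SYN probe of a closed port.
PACKETS = [
    ("192.168.1.104", 49859, "216.18.166.136", 80, "SYN", 3588415412, 0),
    ("216.18.166.136", 80, "192.168.1.104", 49859, "SYN,ACK", 697411256, 3588415413),
    ("192.168.1.104", 49859, "216.18.166.136", 80, "ACK", 3588415413, 697411257),
    ("192.168.227.128", 47800, "192.168.227.131", 443, "SYN", 238988457, 0),
    ("192.168.227.131", 443, "192.168.227.128", 47800, "RST,ACK", 0, 238988458),
]

def stream_key(pkt):
    """Both directions of a conversation map to one key, like Wireshark's stream index."""
    a, b = (pkt[0], pkt[1]), (pkt[2], pkt[3])
    return (a, b) if a < b else (b, a)

def group_streams(packets):
    streams = defaultdict(list)
    for pkt in packets:
        streams[stream_key(pkt)].append(pkt)
    return streams

def relative_numbers(stream):
    """Mimic the 'Relative sequence numbers' view: subtract each side's ISN."""
    isn = {}  # sender endpoint -> initial sequence number taken from its SYN
    out = []
    for src, sport, dst, dport, flags, seq, ack in stream:
        if "SYN" in flags:
            isn[(src, sport)] = seq
        rel_seq = seq - isn.get((src, sport), seq)
        # The ack refers to the peer's sequence space; a plain SYN carries ack 0.
        peer_known = "ACK" in flags and (dst, dport) in isn
        rel_ack = ack - isn[(dst, dport)] if peer_known else 0
        out.append((flags, rel_seq, rel_ack))
    return out

def classify_stream(stream):
    """Complete handshake, a SYN answered by RST/ACK (closed port), or neither."""
    flags = [p[4] for p in stream]
    if flags[:3] == ["SYN", "SYN,ACK", "ACK"]:
        return "handshake"
    if flags[:2] == ["SYN", "RST,ACK"]:
        return "closed-port"
    return "incomplete"

def scan_report(packets):
    return {key: classify_stream(s) for key, s in group_streams(packets).items()}

if __name__ == "__main__":
    for key, stream in group_streams(PACKETS).items():
        print(key, classify_stream(stream), relative_numbers(stream))
```

The handshake stream comes out as Seq=0, Seq=0/Ack=1, Seq=1/Ack=1, the same relative values Wireshark shows in its packet list.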

 

Answer the questions below

 

Read the above and move into Task 10.

How to: No Answer Needed

Answer:  No Answer Needed

 

From <https://tryhackme.com/room/wireshark>

