---
title: 'HawkEye Walkthrough'
disqus: hackmd
---

Cyber Defenders: HawkEye Walkthrough
===

Difficulty Level: Very Easy

Challenge link: [HawkEye](https://cyberdefenders.org/blueteam-ctf-challenges/91)

## Table of Contents

[TOC]

## Scenario:

An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

Tools:

* Wireshark
* BrimSecurity
* Apackets
* MaxMind Geo IP
* VirusTotal

Background
---

Network security is a significant subdomain of cybersecurity. It involves protecting an organization's network infrastructure from access, misuse, or theft by unauthorized persons or systems. It also ensures that network accessibility, integrity, continuity, and reliability are maintained.

Traffic analysis is an important element of network security. It involves intercepting, recording/monitoring, and analyzing network data and communication patterns. The aim is to detect and respond to system health issues, network anomalies, and threats. Some of the elements of network security that rely on effective traffic analysis include:

* Network Sniffing and Packet Analysis
* Network Monitoring
* Intrusion Detection and Prevention
* Network Forensics
* Threat Hunting

In this walkthrough, we will focus on Wireshark as a network sniffing and packet analysis tool. You can further explore the tools and techniques used for network security at:

1. TryHackMe SOC Level 1 path
2. Free Cisco networking courses on Cisco Skills for All

Walkthrough
---

The challenge contains a single .pcap file. We can already tell from the file extension that this is a network traffic capture. Confirm that the file is not corrupted by comparing its sha1sum hash with the one provided by the publisher.

1. **How many packets does the capture have?**

   Navigate to Statistics -> Capture File Properties -> Measurements -> Packets.

   ![](https://i.imgur.com/sdbL7Hq.png)

2. **At what time was the first packet captured?**

   First set the time display to UTC: in the menu, click View -> Time Display Format -> UTC Date and Time of Day.

   ![](https://i.imgur.com/imSmk2i.png)

   Then navigate to Statistics -> Capture File Properties -> Time.

3. **What is the duration of the capture?**

   You will find the answer in the Time section under Capture File Properties.

   ![](https://i.imgur.com/JG7S8ON.png)

4. **What is the most active computer at the link level?**

   In the OSI model, the data link layer establishes and terminates a connection between two physically connected nodes in a network. It contains the Logical Link Control (LLC) and Media Access Control (MAC) sublayers (read more here: [OSI Model](https://www.imperva.com/learn/application-security/osi-model/)). In this case, we are interested in Media Access Control, which uses MAC addresses to connect devices and define data transmission permissions. Thus, we are looking for the MAC address of the most active computer.

   Navigate to Statistics -> Endpoints -> Ethernet. You will see the devices listed from the most active to the least active.

   ![](https://i.imgur.com/95QyFAL.png)

5. **Manufacturer of the NIC of the most active system at the link level?**

   In Wireshark, where you found the endpoints, select the most active device in the Ethernet section, then right click to see more options and select Apply as Filter -> Selected. You will then see all the packets related to that device on the main Wireshark page. At the bottom, you can see more details about each packet, which is where you will find HewlettP_1c next to the MAC address we found in Q4. Wireshark resolves this name from the first three bytes of the MAC address (the OUI) using its bundled manufacturer database; the OUI identifies the NIC vendor, not necessarily the maker of the whole system, and locally administered or randomized MAC addresses have no registered vendor at all.

   This is the manufacturer of the device and its hardware components, in this case the Network Interface Card ([NIC](https://www.sciencedirect.com/topics/computer-science/network-interface-card#:~:text=An%20NIC%20is%20the%20core,printers%2C%20telephones%2C%20and%20scanners)). You can find the full name of the company on the internet if you didn't already know it.

   ![](https://i.imgur.com/0QsgQbh.png)
   ![](https://i.imgur.com/Qjtf4Y6.png)

6. **Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?**

   You can find this information from Google, don't be lazy 😁

7. **The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?**

   If you recall your networking basics, good for you. If you don't, this is information you can easily find. I recommend taking a break and refreshing your knowledge of the classes of IP addresses as well as how to calculate an IP address range. The image below is an excerpt from Cisco's IP Addressing Guide, which can be found [here](https://www.cisco.com/c/dam/global/en_ca/solutions/strategy/docs/sbaBN_IPv4addrG.pdf).

   ![](https://i.imgur.com/qSJnx3V.png)

   In Wireshark, navigate to Statistics -> Endpoints -> IPv4. You will find a list of all the IPv4 addresses that were active in the network during the traffic capture. Count only the addresses that fall inside the organization's private /24, and remember 10.0.0.255 is the broadcast IP, not a computer.

   ![](https://i.imgur.com/6bpPGH0.png)

8. **What is the name of the most active computer at the network level?**

   From the list of IP addresses in Q7 you can see that IP 10.4.10.132 has the highest number of captured packets, making it the most active.

   ![](https://i.imgur.com/fCrg2xD.png)

   We can filter these packets on the main Wireshark page using:

   ```gherkin
   ip.addr==10.4.10.132
   ```

   This will show us all the packets related to that IP. We are particularly interested in packets with the DHCP protocol. [DHCP](https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-top) automatically provides a host with an IP address and other configuration information. We can add an additional filter in the Wireshark menu: navigate to Edit -> Find Packet, then enter dhcp as the keyword to find. Select the DHCP packet with source IP 10.4.10.132. At the very bottom, where there is additional information about the packet, you will see the DHCP details, including the host name the client announced (Option 12, Host Name).

   Note: This approach could also have been used to answer Q4 & Q5.

   ![](https://i.imgur.com/HqImile.png)

###### tags: `PCAP` `Wireshark` `Network` `BRIM`
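Added example, not part of the original walkthrough and not a CyberDefenders tool: the statistics the Wireshark steps above produce (packet count, first packet time in UTC, capture duration, busiest Ethernet endpoint and its OUI vendor, computers inside the /24, busiest IPv4 endpoint and its DHCP host name) computed from a libpcap file with only the Python standard library, run on a constructed five-packet capture built inline. The OUI table, the MAC and IP addresses, the timestamps and the host name are constructed placeholders, not values from the HawkEye capture; for the real challenge file, pass its bytes to summarize_pcap() and replace the one-entry OUI table with the IEEE OUI list or Wireshark's manuf file.

```python
"""Reproduce the walkthrough's Wireshark statistics (Q1-Q8) with the Python standard library. Added
example, not code from the writeup or CyberDefenders; every MAC, IP, time and host name here is constructed."""
import ipaddress
import struct
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for the IEEE OUI registry (Wireshark ships it as its "manuf" file).
OUI_TABLE = {"02:00:00": "ExampleVendor (constructed entry)"}
DHCP_COOKIE = b"\x63\x82\x53\x63"
# libpcap magic -> (byte order, timestamp fraction divisor). pcapng files are not handled.
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6), 0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def dhcp_hostname(payload):  # client Host Name (DHCP option 12), or None if absent
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                               # 0 = Pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 12:
            return payload[i + 2:i + 2 + length].decode("ascii", errors="replace")
        i += 2 + length
    return None

def iter_packets(data):  # yield (timestamp_seconds, frame_bytes) per libpcap record
    endian, divisor = PCAP_MAGICS[struct.unpack("<I", data[:4])[0]]   # KeyError: not libpcap
    off = 24                                                          # 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_frac / divisor, data[off:off + incl_len]
        off += incl_len

def summarize_pcap(data, subnet):  # packet count, first time, duration, busiest MAC/IP, LAN hosts
    net = ipaddress.ip_network(subnet)
    times, macs, ips, names = [], Counter(), Counter(), {}
    for ts, frame in iter_packets(data):
        times.append(ts)
        macs.update((fmt_mac(frame[0:6]), fmt_mac(frame[6:12])))  # both endpoints count, as in Wireshark
        if frame[12:14] != b"\x08\x00":    # only IPv4 frames
            continue
        ip = frame[14:]
        src, dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
        ips.update((src, dst))
        if ip[9] == 17:                    # UDP: look for DHCP on ports 67/68
            udp = ip[(ip[0] & 0x0F) * 4:]
            if {67, 68} & set(struct.unpack("!HH", udp[:4])):
                if name := dhcp_hostname(udp[8:]):
                    names[src] = name
    top_mac, top_ip = macs.most_common(1)[0][0], ips.most_common(1)[0][0]
    lan = [a for a in ips if ipaddress.ip_address(a) in net   # inside the /24, minus its
           and ipaddress.ip_address(a) not in (net.network_address, net.broadcast_address)]
    return {
        "packets": len(times),
        "first_packet_utc": datetime.fromtimestamp(min(times), timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "duration_seconds": round(max(times) - min(times), 6),
        "top_mac": top_mac,
        "top_mac_vendor": OUI_TABLE.get(top_mac[:8], "unknown OUI"),
        "lan_hosts": sorted(lan, key=ipaddress.ip_address),
        "top_ip": top_ip,
        "top_ip_hostname": names.get(top_ip),
    }

def _udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + udp

def _dhcp_payload(op, client_mac, hostname=None):
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"", b"", b"", b"", mac_bytes(client_mac), b"", b"")
    opts = b"\x35\x01" + (b"\x03" if op == 1 else b"\x05")    # option 53: Request or ACK
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname.encode("ascii")
    return fixed + DHCP_COOKIE + opts + b"\xff"

def build_sample_pcap():  # constructed capture: DHCP renewal, a broadcast and a DNS-like exchange
    ws, gw, bcast = "02:00:00:aa:bb:01", "02:00:00:aa:bb:02", "ff:ff:ff:ff:ff:ff"
    frames = [
        (1700000000, 0, _udp_frame(ws, bcast, "10.4.10.132", "255.255.255.255", 68, 67,
                                   _dhcp_payload(1, ws, "WS-CONSTRUCTED-01"))),
        (1700000000, 250000, _udp_frame(gw, ws, "10.4.10.4", "10.4.10.132", 67, 68, _dhcp_payload(2, ws))),
        (1700000001, 0, _udp_frame(ws, bcast, "10.4.10.132", "10.4.10.255", 137, 137, b"name-query")),
        (1700000001, 500000, _udp_frame(ws, gw, "10.4.10.132", "203.0.113.10", 51000, 53, b"dns-query")),
        (1700000002, 0, _udp_frame(gw, ws, "203.0.113.10", "10.4.10.132", 53, 51000, b"dns-reply")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # link type 1 = Ethernet
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

Calling `summarize_pcap(build_sample_pcap(), "10.4.10.0/24")` returns a dictionary whose keys map one-to-one onto Q1, Q2, Q3, Q4, Q5, Q7 and Q8 of the walkthrough. Two details the GUI steps hide are visible in the code: the Endpoints tab counts a packet once for its source and once for its destination, so a broadcast address can rank near the top in a chatty LAN, and the vendor name comes only from the OUI prefix, so a locally administered address such as the constructed 02:… MACs resolves to nothing in the real registry. The reader is a libpcap parser; Wireshark's default pcapng format needs a different reader.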