Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents an easy-level challenge focused on analyzing HTTP Auth in a PCAP.
Challenge Overview #
Role Targeted: Security Analyst
Skill Level: Easy
Scenario #
We received a log indicating a possible attack; can you gather information from the .pcap file?
Log file: /root/Desktop/ChallengeFile/webserver.em0.pcap
Note: the pcap file was found in public resources.
PCAP Analysis #
Tools Used #
Question-Based Analysis #
- How many HTTP GET requests are in pcap?
  - Using a Wireshark filter of `http.request.method == GET`, we get a return of 5 packets.
- What is the server operating system?
  - Right-click -> Follow -> HTTP Stream abstracts away a lot of the network details and gives us the HTTP protocol details, including the response header from the server: `Server: Apache/2.2.15 (FreeBSD) DAV/2 mod_ssl/2.2.15 OpenSSL/0.9.8n`, which points out the server is running FreeBSD.
- What is the name and version of the web server software?
  - As we found from the `Server:` header in the last question, the web server is running Apache/2.2.15.
- What is the version of OpenSSL running on the server?
  - As we found from the `Server:` header in the last question, the web server is running OpenSSL/0.9.8n.
- What is the client’s user-agent information?
  - The HTTP Stream also includes the client’s HTTP headers, including: `User-Agent: Lynx/2.8.7rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8n`
- What is the username used for Basic Authentication?
  - If we close out of the HTTP stream and instead Right-click -> Follow -> TCP Stream, we can swap between the different TCP streams using the up and down buttons on the “Stream” ID in the bottom right of the window. In TCP stream 1 we find the client sending the header: `Authorization: Basic d2ViYWRtaW46VzNiNERtMW4=`
  - Throwing the base64 part of that header into CyberChef gives us `webadmin:W3b4Dm1n`. Basic authorization goes in the order of Username:Password, so the answer is webadmin.
  - Side note: we could’ve also thrown this into `base64 -d` in the terminal, but I already had CyberChef open.
- What is the user password used for Basic Authentication?
  - We found this out in the last question: W3b4Dm1n
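As an added example (not part of the original writeup or the challenge files), the same header extraction and Basic-auth decoding done in Python over a constructed HTTP stream that mirrors the headers quoted above; the stream, the `/admin/` path and the function names are assumptions for illustration, and the sample holds one GET rather than the five in the real pcap.

```python
import base64
import re

# Constructed sample of the exchange, modelled on the headers quoted in this
# writeup; it is not the challenge PCAP and contains no captured packet data.
SAMPLE_STREAM = (
    "GET /admin/ HTTP/1.1\r\n"
    "User-Agent: Lynx/2.8.7rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8n\r\n"
    "Authorization: Basic d2ViYWRtaW46VzNiNERtMW4=\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (FreeBSD) DAV/2 mod_ssl/2.2.15 OpenSSL/0.9.8n\r\n"
    "\r\n"
)

def decode_basic_auth(header_value):
    """Decode 'Basic <base64>' into (username, password); the credential is
    username:password, so split on the first colon only."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or not text
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def analyze_stream(stream):
    """Extract the facts the writeup reads off Wireshark's Follow -> HTTP Stream."""
    result = dict(get_requests=0, server=None, server_os=None, user_agent=None, credentials=None)
    for message in stream.split("\r\n\r\n"):  # blank line ends each header block
        lines = message.split("\r\n")
        if not lines[0]:
            continue  # empty remainder after the last message
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        if lines[0].startswith("HTTP/"):  # response: status line first
            result["server"] = headers.get("server", result["server"])
            os_match = re.search(r"\(([^)]+)\)", result["server"] or "")
            result["server_os"] = os_match.group(1) if os_match else None
        else:  # request: method first
            if lines[0].startswith("GET "):
                result["get_requests"] += 1
            result["user_agent"] = headers.get("user-agent", result["user_agent"])
            if "authorization" in headers:
                result["credentials"] = decode_basic_auth(headers["authorization"])
    return result
```

The same loop run over every reassembled stream of a capture flags any cleartext Basic credential a client sent, which is the detection value of this exercise.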
Summary #
| Questions | Answers |
|---|---|
| How many HTTP GET requests are in pcap? | 5 |
| What is the server operating system? | freebsd |
| What is the name and version of the web server software? | apache/2.2.15 |
| What is the version of OpenSSL running on the server? | openssl/0.9.8n |
| What is the client’s user-agent information? | lynx/2.8.7rel.1 libwww-fm/2.14 ssl-mm/1.4.1 openssl/0.9.8n |
| What is the username used for Basic Authentication? | webadmin |
| What is the user password used for Basic Authentication? | w3b4dm1n |
Key Takeaways #
“Wireshark basics are always good to reinforce.”