1 Tunneled Data
Tags
Wireshark
Solved
DESCRIPTION
The IT department analysed this file and identified that some traffic was tunneled out of the network. They could not identify what it was. Can you help them with the packet capture analysis?
QUESTION
Can you identify the tunneling protocol and decode the data?
SOLUTION
First guess was HTTP, but that is not it: the tunnel is ICMP. The echo requests (icmp.type == 8) carry the exfiltrated data in the ICMP data field, as base64 text behind a run of zero bytes, so the payload has to be pulled out of the hex dump of that field and base64-decoded.
Decapsulate file contents:
At the agreed time, start the packet capture on 198.51.100.222 and save it to a file, e.g. capture.pcapng.
Then filter the traffic, remove the unnecessary characters from the dump, convert the hex to ASCII and base64-decode it.
We shouldn't be detected by using this method. ICMP is often allowed on firewalls, and intrusion detection systems should not alert.
```bash
# Echo requests only; print the ICMP data field as hex; drop everything up to the last
# run of seven zeros (the zero padding in front of the payload); hex -> bytes -> base64 decode.
tshark -r capture.pcapng -Y "icmp.type == 8" -T fields -e data | sed -n 's/^.*0000000//p' | xxd -r -p | base64 -d
```
Command results:
```bash
$ tshark -r school-noc-dump.pcapng -Y "icmp.type == 8" -T fields -e data | sed -n 's/^.*0000000//p' | xxd -r -p | base64 -d
Running as user "root" and group "root". This could be dangerous.
School job is finished. There was small issue accessing the database server, but we can continue at the local hospital where subject K is treated. As planned will create some havoc, so we can get some eyes off from our main mission. The flag is: c95412dc-1fce-4a69-c420
base64: invalid input
```
The "Running as user root" line is tshark's usual warning and has nothing to do with the capture. The trailing `base64: invalid input` means the bytes after the last payload chunk were not valid base64; the message, including the flag, had already been decoded in full by then.
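The same decapsulation done without tshark, as an added example that is not part of the original write-up: a small libpcap parser pulls the data field out of every ICMP echo request (checking the ICMP checksum on the way), then applies the same three steps as the shell pipeline above (keep only packets whose hex contains `0000000`, cut through the last such run, hex-decode and base64-decode). The capture it reads is constructed inline, so it runs offline; the message, the 8-byte zero prefix, the chunk size, the addresses and the decoy ping are all assumptions of the example, not the challenge's real traffic.

```python
import base64
import re
import struct

# Constructed sample message and framing; not the challenge's real data.
SECRET = b"Job finished. Moving to the next target. flag{constructed-example}"
CHUNK = 24      # base64 bytes carried per echo request (assumption)
MARKER = "0000000"   # same marker the sed expression keys on


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def icmp_frame(icmp_type: int, seq: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/ICMP frame carrying `payload` in the ICMP data field."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([198, 51, 100, 222]))  # constructed addresses
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET) + one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def build_sample_capture() -> bytes:
    """Constructed capture: one ordinary ping, then the secret in zero-padded base64 chunks."""
    b64 = base64.b64encode(SECRET)
    frames = [icmp_frame(8, 0, b"abcdefghijklmnopqrstuvwxyz")]  # decoy: no zero run, must be ignored
    for n, i in enumerate(range(0, len(b64), CHUNK), start=1):
        chunk = b"\x00" * 8 + b64[i:i + CHUNK]   # assumed framing: 8 zero bytes, then base64 text
        frames.append(icmp_frame(8, n, chunk))    # echo request carrying the data
        frames.append(icmp_frame(0, n, chunk))    # echo reply; filtered out by type
    return build_pcap(frames)


def icmp_echo_request_data(pcap: bytes):
    """Yield the ICMP data field of every echo request (type 8) with a valid ICMP checksum."""
    magic, = struct.unpack("<I", pcap[:4])
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # swapped magic = big-endian record headers
    linktype = struct.unpack(end + "IHHiIII", pcap[:24])[6]
    if linktype != 1:
        raise ValueError("example handles Ethernet (LINKTYPE_ETHERNET) captures only")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 1:                           # not ICMP
            continue
        icmp = ip[ihl:total]
        if len(icmp) < 8 or icmp[0] != 8 or checksum(icmp) != 0:
            continue
        yield icmp[8:]


def decode_tunnel(pcap: bytes) -> bytes:
    """Equivalent of: tshark -e data | sed -n 's/^.*0000000//p' | xxd -r -p | base64 -d."""
    hexdata = []
    for data in icmp_echo_request_data(pcap):
        h = data.hex()
        if MARKER not in h:                      # sed -n '...p' prints only matching lines
            continue
        hexdata.append(h[h.rindex(MARKER) + len(MARKER):])  # greedy .* = cut at last run
    raw = bytes.fromhex("".join(hexdata))        # xxd -r -p
    # GNU base64 -d stops with "invalid input" on stray bytes; here we keep only
    # alphabet characters and repair the padding so trailing junk cannot hide the message.
    clean = re.sub(rb"[^A-Za-z0-9+/=]", b"", raw).rstrip(b"=")
    clean += b"=" * (-len(clean) % 4)
    return base64.b64decode(clean)


if __name__ == "__main__":
    print(decode_tunnel(build_sample_capture()).decode())
```

The filter on the marker is what makes this work on a real capture: ordinary pings (a timestamp plus an ascending byte pattern) rarely contain seven consecutive zero hex digits, so they fall out, while the tunnel's padded chunks survive. The same property cuts the other way for a defender: echo requests whose payload is zero padding followed by printable base64 text, at sizes and rates unlike a normal ping, are exactly the anomaly an ICMP payload-inspection rule should flag, so "IDS should not alert" holds only against rules that look at headers alone.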