1. Lab Information<\/h3>\n\n- Lab Title<\/strong>: HawkEye\u00a0Lab<\/li>\n
- Course<\/strong>: Network Forensics<\/li>\n
- This Write-up Make it by\u00a0BnHany.<\/strong><\/li>\n<\/ul>\n
2. Objective<\/h3>\nThe objective of this lab is to analyze a network capture (PCAP) file to investigate potential malicious activity.<\/em><\/p><\/blockquote>\nSpecifically, the goal is\u00a0to:<\/em><\/p><\/blockquote>\n1. Identify the victim machine and suspicious traffic.<\/p><\/blockquote>\n
2.Extract Indicators of Compromise (IoCs) such as malicious files, IPs, or credentials.<\/p><\/blockquote>\n
3.Use analysis tools (Wireshark, CyberChef, VirusTotal) to understand the nature of the\u00a0threat.<\/p><\/blockquote>\n
4.Simulate a real-world incident response by applying forensics and OSINT techniques.<\/p><\/blockquote>\n
3. Tools\u00a0Used<\/h3>\n
List all tools and platforms used in the\u00a0lab.<\/p>\n
\n- Wireshark<\/li>\n
- Brim<\/li>\n
- Apackets<\/li>\n
- VirusTotal<\/li>\n
- MaxMind Geo\u00a0IP<\/li>\n
- macvendors<\/li>\n
- abuseipdb<\/li>\n
- CyberChef<\/li>\n<\/ul>\n
4. Lab Setup\/Environment<\/h3>\n
Briefly describe the environment.<\/p>\n
\n- Any OS<\/li>\n
- Any tools that can show details for Pcap\u00a0file<\/li>\n
- Any browser to\u00a0search<\/li>\n<\/ul>\n
5. Methodology\/Steps Taken<\/h3>\n\n- Initial Inspection<\/strong><\/li>\n<\/ol>\n
\n- Opened the PCAP file using Wireshark.<\/li>\n
- Scanned through packets for any obvious anomalies or suspicious protocols (e.g., HTTP, SMTP,\u00a0DNS).<\/li>\n<\/ul>\n
\n- Filtering Key Protocols<\/strong><\/li>\n<\/ol>\n
\n- Applied filters such as http, smtp, dns, and dhcp to isolate relevant\u00a0traffic.<\/li>\n
- Identified victim\u2019s IP address using dhcp or ipv4\u00a0traffic.<\/li>\n<\/ul>\n
\n- HTTP Traffic\u00a0Analysis<\/strong><\/li>\n<\/ol>\n
\n- Inspected http.request packets to extract User-Agent strings (OS\u00a0info).<\/li>\n
- Used File > Export Objects > HTTP<\/strong> to retrieve downloadable files (e.g.,\u00a0.exe).<\/li>\n
- Uploaded suspicious files to VirusTotal for malware analysis.<\/li>\n<\/ul>\n
\n- SMTP Traffic\u00a0Analysis<\/strong><\/li>\n<\/ol>\n
\n- Located and analyzed email-related packets.<\/li>\n
- Extracted Base64-encoded credentials and decoded them using CyberChef.<\/li>\n<\/ul>\n
\n- IoC Extraction and\u00a0OSINT<\/strong><\/li>\n<\/ol>\n
\n- Collected IP addresses, MAC addresses, and\u00a0hashes.<\/li>\n
- Performed lookups using online tools (e.g., MAC vendor lookup, IP geolocation).<\/li>\n<\/ul>\n
\n- Data Correlation and Threat Assessment<\/strong><\/li>\n<\/ol>\n
\n- Cross-referenced artifacts (e.g., IPs, files, credentials) to confirm attack indicators.<\/li>\n
- Documented findings and linked activities to possible threat behavior.<\/li>\n<\/ul>\n
Lab Questions &\u00a0Answers<\/h3>\n
Q1: How many packets does the capture\u00a0have?<\/p>\n
Answer: Open the PCAP file and scroll down to the end. You will find the last packet listed in the \u2018No.\u2019\u00a0column.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*6IQQmZAUEcjudvusNgzpLw.png\")
<\/figure>\nQ2: At what time was the first packet captured?<\/p>\n
Answer: To view detailed timing information in a PCAP file, go to \u2018Statistics\u2019 \u2192 \u2018Capture File Properties\u2019 or press Ctrl + Alt + Shift + C. Be careful\u200a\u2014\u200athe displayed time is in\u00a0UTC.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*NESrATh0QSeQvF55Ltid-w.png\")
<\/figure>\nQ3\u00a0: What is the duration of the\u00a0capture?<\/p>\n
Answer: You can use the same steps in Q2 or calculate the time difference between the first and last\u00a0packet.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*4OqP82tNBVQplx3I1VFGkQ.png\")
<\/figure>\nQ4\u00a0: What is the most active computer at the link\u00a0level?<\/p>\n
answer\u00a0: Go to \u2018Statistics\u2019 \u2192 \u2018Endpoints\u2019 and check which device has the most packets. The answer will be its\u00a0address.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*CroeZXLONzG8kOrT5vNoAA.png\")
<\/figure>\nQ5\u00a0: Manufacturer of the NIC of the most active system at the link\u00a0level?<\/p>\n
answer\u00a0: Just take the MAC address with the highest number of packets and use any website or tool to find the vendor of the\u00a0device.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*WgCj3rPo3VRSxomeoH0sRg.png\")
<\/figure>\nQ6: Where is the headquarters of the company that manufactured the NIC of the most active computer at the link\u00a0level?<\/p>\n
Answer: Search for the vendor associated with the MAC address by looking up its prefix (OUI), which often includes the company\u2019s headquarters information.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*6c7BRxaN7LApKwy66taMHQ.png\")
<\/figure>\nQ7: The organization works with private addressing and netmask \/24. How many computers in the organization are involved in the\u00a0capture?<\/p>\n
Answer: Open the IPv4 section and identify the first IP address\u00a0listed.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*BF4EDt3sfbwfE0HC2EJPQA.png\")
<\/figure>\nQ8: What is the name of the most active computer at the network\u00a0level?<\/p>\n
Answer: First, search for \u2018dhcp\u2019 in the filter bar, then check which packet contains the hostname.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*1SkTYmBRh6siJYeEsHSqCw.png\")
<\/figure>\nQ9: What is the IP of the organization\u2019s DNS\u00a0server?<\/p>\n
Answer\u00a0: after upload our file in\u00a0Apackets<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*HuHVArobLfGlULdYg9uYUA.png\")
<\/figure>\nQ10: What domain is the victim asking about in packet\u00a0204?<\/p>\n
Answer: Go to packet number 204, or press Ctrl + G and enter \u2018204\u2019 to jump directly to\u00a0it.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*1CKQPvmpBELjpPCMpsSgBQ.png\")
<\/figure>\nQ11: What is the IP of the domain in the previous question?<\/p>\n
Answer: You will see the IP address in the Request\u00a0packet.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*cxb67iA653a_yo05HEmHqA.png\")
<\/figure>\nQ12: Indicate the country to which the IP in the previous section\u00a0belongs?<\/p>\n
Answer: Take the IP address and search for information about it.
in abuselIPDB<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/850\/1*iC7UlSRlP4P-r0GT8Xeuzw.png\")
<\/figure>\nQ13: What operating system does the victim\u2019s computer\u00a0run?<\/p>\n
Answer: We have identified the victim\u2019s IP address, so we need to filter all HTTP traffic related to it in order to find the operating system in the User-Agent string. To do this, enter the following filter in the\u00a0search<\/p>\n
bar:ip.src == 10.4.10.132 && http.request<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*4QcQLGreom-1Gtkj2uTgMA.png\")
<\/figure>\nQ14: What is the name of the malicious file downloaded by the accountant?<\/p>\n
Answer: In the same packet, we can also find the file the user attempted to download from the\u00a0browser.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*73WYoZIpz8TMsNVmxgn3Rg.png\")
<\/figure>\nQ15: What is the MD5 hash of the downloaded file?<\/p>\n
Answer: Just download the file by going to File > Export Objects > HTTP, then choose the file.exe and download it. After that, open VirusTotal, upload the file, and go to the ‘Details’ tab\u2014you\u2019ll see everything you need\u00a0there.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*pYmebu3BWfT0xdYhDonJDg.png\")
<\/figure>\nQ16: What software runs the web server that hosts the\u00a0malware?<\/p>\n
Answer: Select the packet that shows the file.exe, then press Ctrl + Alt + Shift + H to view the server\u00a0details.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*8u2qgoDZ6AJQaUn6sW2zNA.png\")
<\/figure>\nQ17: What is the public IP of the victim\u2019s computer?<\/p>\n
answer\u00a0: go to the packet 3166 and go to line\u00a0text<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*7-jLA8ql8361-lhdpXMd4g.png\")
<\/figure>\nQ18: In which country is the email server to which the stolen information is\u00a0sent?<\/p>\n
Answer: Take the IP address and enter it into any IP location finder to determine its geographical location.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/315\/1*FLbpTLuUjaA2p1abGbBfvA.png\")
<\/figure>\nQ19: Analyzing the first extraction of information. What software runs the email server to which the stolen data is\u00a0sent?<\/p>\n
Answer: Just find the SMTP packet, select it, and analyze its contents.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*qV7MdZnMNdcnPHPKfn3uiA.png\")
<\/figure>\nQ20: To which email account is the stolen information sent?<\/p>\n
answer\u00a0: go to the TCP stream to see the\u00a0email<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*1WXaSSVcoZ179t7cRjBhmA.png\")
<\/figure>\nQ21: What is the password used by the malware to send the\u00a0email?<\/p>\n
Answer: You will see the entire stream, so we\u2019ll extract the password hash and paste it into CyberChef for analysis.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/944\/1*N-eeRoGbBnsr6a1WHHv98g.png\")
<\/figure>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*6jNs8Bu2kWNDQ6jcrEkdIw.png\")
<\/figure>\nQ22: Which malware variant exfiltrated the\u00a0data?<\/p>\n
Answer: Take the message content from the email and paste it into CyberChef for further analysis.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*7AO-Dd0diBIeqGSiAyEsGQ.png\")
<\/figure>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*iR-Ha_U9r87LN3QzRMWCDA.png\")
<\/figure>\nQ23: What are the Bank of America access credentials? (username:password)<\/p>\n
Answer: Take the message content from the email and paste it into CyberChef for further analysis\u00a0too.<\/p>\n![\"\"](\"https:\/\/cdn-images-1.medium.com\/max\/1024\/1*YhJShO4YErjZnhvKS3XGkw.png\")
<\/figure>\nQ24: Every how many minutes does the collected data get exfiltrated?<\/p>\n
Answer\u00a0:\u00a010<\/p>\n
6. Findings \/\u00a0Analysis<\/h3>\nDuring packet analysis, we identified several Indicators of Compromise (IoCs):<\/em><\/p><\/blockquote>\n\n- A suspicious file.exe downloaded via HTTP, indicating potential malware delivery.<\/li>\n
- A User-Agent string revealing the OS of the victim (Windows 10), which helps profile the\u00a0target.<\/li>\n
- SMTP traffic containing Base64-encoded credentials, showing possible credential theft.<\/li>\n
- An outbound connection to a known malicious IP (based on VirusTotal lookup).<\/li>\n<\/ul>\n
The most suspicious activity was the HTTP transfer of an executable file and the encoded email credentials. These behaviors are consistent with data exfiltration and initial compromise stages of an\u00a0attack.<\/em><\/p><\/blockquote>\nCyberChef was used to decode captured data, confirming the presence of plaintext usernames and hashed passwords. This indicates lack of encryption and possible insider threat or weak mail server configuration.<\/em><\/p><\/blockquote>\n7. Conclusion<\/h3>\n
The objective was achieved: we successfully identified the victim, extracted malicious artifacts, and analyzed key attack components.<\/p>\n
Key learnings:<\/p>\n
\n- How to extract meaningful data from PCAP files (HTTP objects, user agents, SMTP credentials).<\/li>\n
- Using CyberChef and VirusTotal to decode and analyze potential threats.<\/li>\n
- Recognizing attacker tactics such as Base64 obfuscation and unencrypted data transfer.<\/li>\n<\/ul>\n
In a real-world scenario:<\/p>\n
\n- Immediate containment actions would include blocking the malicious IP and quarantining the affected\u00a0system.<\/li>\n
- Notify the user about credential compromise and enforce password\u00a0reset.<\/li>\n
- Perform deeper forensic analysis on the downloaded executable.<\/li>\n
- Improve email server security (enforce TLS, limit Base64 in headers).<\/li>\n<\/ul>\n
9. Recommendations\/Improvements<\/h3>\nBased on the findings and analysis, the following recommendations and improvements are suggested to enhance detection and response capabilities:<\/em><\/p><\/blockquote>\n1. Detection Improvements:<\/h3>\n
1. Enhanced Packet Inspection:<\/strong><\/p>\n\n- Implement deep packet inspection (DPI) for detecting malicious payloads in HTTP and SMTP\u00a0traffic.<\/li>\n
- Use signature-based detection to identify specific attack patterns such as Base64-encoded credentials or unusual executable downloads.<\/li>\n<\/ul>\n
2. Anomaly-Based Detection:<\/strong><\/p>\n\n- Utilize machine learning algorithms to detect abnormal traffic patterns (e.g., large data exfiltration, unusual connection attempts).<\/li>\n
- Integrate traffic baselining to flag deviations that could indicate an\u00a0attack.<\/li>\n<\/ul>\n
2. Rule\/Alert Recommendations:<\/h3>\n
1. Custom Wireshark Filters:<\/strong><\/p>\n\n- Create Wireshark display filters to isolate suspicious traffic patterns:<\/li>\n
- http.request && ip.src == <victim_IP><\/li>\n
- smtp &&\u00a0base64<\/li>\n<\/ul>\n
2. Network Monitoring Alerts:<\/strong><\/p>\n\n- Configure alerts for unusual HTTP file downloads, especially\u00a0.exe or other executable files.<\/li>\n
- Set up alerts for SMTP traffic containing suspicious Base64-encoded strings or unencrypted credentials.<\/li>\n<\/ul>\n
3. Hash-based Detection:<\/strong><\/p>\n\n- Deploy hash matching for known malicious files (e.g., from VirusTotal reports) to trigger alerts when these files are observed on the\u00a0network.<\/li>\n<\/ul>\n
3. System\/Process Improvements:<\/h3>\n
1. Email Encryption:<\/strong><\/p>\n\n- Enforce the use of TLS for email communications to prevent plain-text credential leaks.<\/li>\n<\/ul>\n
2. Network Segmentation:<\/strong><\/p>\n\n- Isolate sensitive systems (e.g., email servers, internal servers) in separate network segments to limit exposure to\u00a0threats.<\/li>\n<\/ul>\n
3. User Education & Awareness:<\/strong><\/p>\n\n- Provide training on recognizing phishing attempts, especially in relation to email attachments and\u00a0links.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/medium.com\/_\/stat?event=post.clientViewed&referrerSource=full_rss&postId=698eb306f68c\")
<\/p>\n
\nHawkEye Lab Write-Up | By BnHany<\/a> was originally published in OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"Cyber Defense Lab\u00a0Write-Up https:\/\/cyberdefenders.org\/blueteam-ctf-challenges\/hawkeye\/ 1. Lab Information Lab Title: HawkEye\u00a0Lab Course: Network Forensics This Write-up Make it by\u00a0BnHany. 2. Objective The objective of this lab is to analyze a network capture (PCAP) file to investigate potential malicious activity. Specifically, the goal is\u00a0to: 1. Identify the victim machine and suspicious traffic. 2.Extract Indicators of Compromise (IoCs) … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=306"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/307"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
2. Objective<\/h3>\nThe objective of this lab is to analyze a network capture (PCAP) file to investigate potential malicious activity.<\/em><\/p><\/blockquote>\nSpecifically, the goal is\u00a0to:<\/em><\/p><\/blockquote>\n1. Identify the victim machine and suspicious traffic.<\/p><\/blockquote>\n
2.Extract Indicators of Compromise (IoCs) such as malicious files, IPs, or credentials.<\/p><\/blockquote>\n
3.Use analysis tools (Wireshark, CyberChef, VirusTotal) to understand the nature of the\u00a0threat.<\/p><\/blockquote>\n
4.Simulate a real-world incident response by applying forensics and OSINT techniques.<\/p><\/blockquote>\n
3. Tools\u00a0Used<\/h3>\n
List all tools and platforms used in the\u00a0lab.<\/p>\n
\n- Wireshark<\/li>\n
- Brim<\/li>\n
- Apackets<\/li>\n
- VirusTotal<\/li>\n
- MaxMind Geo\u00a0IP<\/li>\n
- macvendors<\/li>\n
- abuseipdb<\/li>\n
- CyberChef<\/li>\n<\/ul>\n
4. Lab Setup\/Environment<\/h3>\n
Briefly describe the environment.<\/p>\n
\n- Any OS<\/li>\n
- Any tools that can show details for Pcap\u00a0file<\/li>\n
- Any browser to\u00a0search<\/li>\n<\/ul>\n
5. Methodology\/Steps Taken<\/h3>\n\n- Initial Inspection<\/strong><\/li>\n<\/ol>\n
\n- Opened the PCAP file using Wireshark.<\/li>\n
- Scanned through packets for any obvious anomalies or suspicious protocols (e.g., HTTP, SMTP,\u00a0DNS).<\/li>\n<\/ul>\n
\n- Filtering Key Protocols<\/strong><\/li>\n<\/ol>\n
\n- Applied filters such as http, smtp, dns, and dhcp to isolate relevant\u00a0traffic.<\/li>\n
- Identified victim\u2019s IP address using dhcp or ipv4\u00a0traffic.<\/li>\n<\/ul>\n
\n- HTTP Traffic\u00a0Analysis<\/strong><\/li>\n<\/ol>\n
\n- Inspected http.request packets to extract User-Agent strings (OS\u00a0info).<\/li>\n
- Used File > Export Objects > HTTP<\/strong> to retrieve downloadable files (e.g.,\u00a0.exe).<\/li>\n
- Uploaded suspicious files to VirusTotal for malware analysis.<\/li>\n<\/ul>\n
\n- SMTP Traffic\u00a0Analysis<\/strong><\/li>\n<\/ol>\n
\n- Located and analyzed email-related packets.<\/li>\n
- Extracted Base64-encoded credentials and decoded them using CyberChef.<\/li>\n<\/ul>\n
\n- IoC Extraction and\u00a0OSINT<\/strong><\/li>\n<\/ol>\n
\n- Collected IP addresses, MAC addresses, and\u00a0hashes.<\/li>\n
- Performed lookups using online tools (e.g., MAC vendor lookup, IP geolocation).<\/li>\n<\/ul>\n
\n- Data Correlation and Threat Assessment<\/strong><\/li>\n<\/ol>\n
\n- Cross-referenced artifacts (e.g., IPs, files, credentials) to confirm attack indicators.<\/li>\n
- Documented findings and linked activities to possible threat behavior.<\/li>\n<\/ul>\n
Lab Questions &\u00a0Answers<\/h3>\n
Q1: How many packets does the capture\u00a0have?<\/p>\n
Answer: Open the PCAP file and scroll down to the end. You will find the last packet listed in the \u2018No.\u2019\u00a0column.<\/p>\n<\/figure>\nQ2: At what time was the first packet captured?<\/p>\n
Answer: To view detailed timing information in a PCAP file, go to \u2018Statistics\u2019 \u2192 \u2018Capture File Properties\u2019 or press Ctrl + Alt + Shift + C. Be careful\u200a\u2014\u200athe displayed time is in\u00a0UTC.<\/p>\n<\/figure>\nQ3\u00a0: What is the duration of the\u00a0capture?<\/p>\n
Answer: You can use the same steps in Q2 or calculate the time difference between the first and last\u00a0packet.<\/p>\n<\/figure>\nQ4\u00a0: What is the most active computer at the link\u00a0level?<\/p>\n
answer\u00a0: Go to \u2018Statistics\u2019 \u2192 \u2018Endpoints\u2019 and check which device has the most packets. The answer will be its\u00a0address.<\/p>\n<\/figure>\nQ5\u00a0: Manufacturer of the NIC of the most active system at the link\u00a0level?<\/p>\n
answer\u00a0: Just take the MAC address with the highest number of packets and use any website or tool to find the vendor of the\u00a0device.<\/p>\n<\/figure>\nQ6: Where is the headquarters of the company that manufactured the NIC of the most active computer at the link\u00a0level?<\/p>\n
Answer: Search for the vendor associated with the MAC address by looking up its prefix (OUI), which often includes the company\u2019s headquarters information.<\/p>\n<\/figure>\nQ7: The organization works with private addressing and netmask \/24. How many computers in the organization are involved in the\u00a0capture?<\/p>\n
Answer: Open the IPv4 section and identify the first IP address\u00a0listed.<\/p>\n<\/figure>\nQ8: What is the name of the most active computer at the network\u00a0level?<\/p>\n
Answer: First, search for \u2018dhcp\u2019 in the filter bar, then check which packet contains the hostname.<\/p>\n<\/figure>\nQ9: What is the IP of the organization\u2019s DNS\u00a0server?<\/p>\n
Answer\u00a0: after upload our file in\u00a0Apackets<\/p>\n<\/figure>\nQ10: What domain is the victim asking about in packet\u00a0204?<\/p>\n
Answer: Go to packet number 204, or press Ctrl + G and enter \u2018204\u2019 to jump directly to\u00a0it.<\/p>\n<\/figure>\nQ11: What is the IP of the domain in the previous question?<\/p>\n
Answer: You will see the IP address in the Request\u00a0packet.<\/p>\n<\/figure>\nQ12: Indicate the country to which the IP in the previous section\u00a0belongs?<\/p>\n
Answer: Take the IP address and search for information about it.
in abuselIPDB<\/p>\n<\/figure>\nQ13: What operating system does the victim\u2019s computer\u00a0run?<\/p>\n
Answer: We have identified the victim\u2019s IP address, so we need to filter all HTTP traffic related to it in order to find the operating system in the User-Agent string. To do this, enter the following filter in the\u00a0search<\/p>\n
bar:ip.src == 10.4.10.132 && http.request<\/p>\n<\/figure>\nQ14: What is the name of the malicious file downloaded by the accountant?<\/p>\n
Answer: In the same packet, we can also find the file the user attempted to download from the\u00a0browser.<\/p>\n<\/figure>\nQ15: What is the MD5 hash of the downloaded file?<\/p>\n
Answer: Just download the file by going to File > Export Objects > HTTP, then choose the file.exe and download it. After that, open VirusTotal, upload the file, and go to the ‘Details’ tab\u2014you\u2019ll see everything you need\u00a0there.<\/p>\n<\/figure>\nQ16: What software runs the web server that hosts the\u00a0malware?<\/p>\n
Answer: Select the packet that shows the file.exe, then press Ctrl + Alt + Shift + H to view the server\u00a0details.<\/p>\n<\/figure>\nQ17: What is the public IP of the victim\u2019s computer?<\/p>\n
answer\u00a0: go to the packet 3166 and go to line\u00a0text<\/p>\n<\/figure>\nQ18: In which country is the email server to which the stolen information is\u00a0sent?<\/p>\n
Answer: Take the IP address and enter it into any IP location finder to determine its geographical location.<\/p>\n<\/figure>\nQ19: Analyzing the first extraction of information. What software runs the email server to which the stolen data is\u00a0sent?<\/p>\n
Answer: Just find the SMTP packet, select it, and analyze its contents.<\/p>\n<\/figure>\nQ20: To which email account is the stolen information sent?<\/p>\n
answer\u00a0: go to the TCP stream to see the\u00a0email<\/p>\n<\/figure>\nQ21: What is the password used by the malware to send the\u00a0email?<\/p>\n
Answer: You will see the entire stream, so we\u2019ll extract the password hash and paste it into CyberChef for analysis.<\/p>\n<\/figure>\n<\/figure>\nQ22: Which malware variant exfiltrated the\u00a0data?<\/p>\n
Answer: Take the message content from the email and paste it into CyberChef for further analysis.<\/p>\n<\/figure>\n<\/figure>\nQ23: What are the Bank of America access credentials? (username:password)<\/p>\n
Answer: Take the message content from the email and paste it into CyberChef for further analysis\u00a0too.<\/p>\n<\/figure>\nQ24: Every how many minutes does the collected data get exfiltrated?<\/p>\n
Answer\u00a0:\u00a010<\/p>\n
6. Findings \/\u00a0Analysis<\/h3>\nDuring packet analysis, we identified several Indicators of Compromise (IoCs):<\/em><\/p><\/blockquote>\n\n- A suspicious file.exe downloaded via HTTP, indicating potential malware delivery.<\/li>\n
- A User-Agent string revealing the OS of the victim (Windows 10), which helps profile the\u00a0target.<\/li>\n
- SMTP traffic containing Base64-encoded credentials, showing possible credential theft.<\/li>\n
- An outbound connection to a known malicious IP (based on VirusTotal lookup).<\/li>\n<\/ul>\n
The most suspicious activity was the HTTP transfer of an executable file and the encoded email credentials. These behaviors are consistent with data exfiltration and initial compromise stages of an\u00a0attack.<\/em><\/p><\/blockquote>\nCyberChef was used to decode captured data, confirming the presence of plaintext usernames and hashed passwords. This indicates lack of encryption and possible insider threat or weak mail server configuration.<\/em><\/p><\/blockquote>\n7. Conclusion<\/h3>\n
The objective was achieved: we successfully identified the victim, extracted malicious artifacts, and analyzed key attack components.<\/p>\n
Key learnings:<\/p>\n
\n- How to extract meaningful data from PCAP files (HTTP objects, user agents, SMTP credentials).<\/li>\n
- Using CyberChef and VirusTotal to decode and analyze potential threats.<\/li>\n
- Recognizing attacker tactics such as Base64 obfuscation and unencrypted data transfer.<\/li>\n<\/ul>\n
In a real-world scenario:<\/p>\n
\n- Immediate containment actions would include blocking the malicious IP and quarantining the affected\u00a0system.<\/li>\n
- Notify the user about credential compromise and enforce password\u00a0reset.<\/li>\n
- Perform deeper forensic analysis on the downloaded executable.<\/li>\n
- Improve email server security (enforce TLS, limit Base64 in headers).<\/li>\n<\/ul>\n
9. Recommendations\/Improvements<\/h3>\nBased on the findings and analysis, the following recommendations and improvements are suggested to enhance detection and response capabilities:<\/em><\/p><\/blockquote>\n1. Detection Improvements:<\/h3>\n
1. Enhanced Packet Inspection:<\/strong><\/p>\n\n- Implement deep packet inspection (DPI) for detecting malicious payloads in HTTP and SMTP\u00a0traffic.<\/li>\n
- Use signature-based detection to identify specific attack patterns such as Base64-encoded credentials or unusual executable downloads.<\/li>\n<\/ul>\n
2. Anomaly-Based Detection:<\/strong><\/p>\n\n- Utilize machine learning algorithms to detect abnormal traffic patterns (e.g., large data exfiltration, unusual connection attempts).<\/li>\n
- Integrate traffic baselining to flag deviations that could indicate an\u00a0attack.<\/li>\n<\/ul>\n
2. Rule\/Alert Recommendations:<\/h3>\n
1. Custom Wireshark Filters:<\/strong><\/p>\n\n- Create Wireshark display filters to isolate suspicious traffic patterns:<\/li>\n
- http.request && ip.src == <victim_IP><\/li>\n
- smtp &&\u00a0base64<\/li>\n<\/ul>\n
2. Network Monitoring Alerts:<\/strong><\/p>\n\n- Configure alerts for unusual HTTP file downloads, especially\u00a0.exe or other executable files.<\/li>\n
- Set up alerts for SMTP traffic containing suspicious Base64-encoded strings or unencrypted credentials.<\/li>\n<\/ul>\n
3. Hash-based Detection:<\/strong><\/p>\n\n- Deploy hash matching for known malicious files (e.g., from VirusTotal reports) to trigger alerts when these files are observed on the\u00a0network.<\/li>\n<\/ul>\n
3. System\/Process Improvements:<\/h3>\n
1. Email Encryption:<\/strong><\/p>\n\n- Enforce the use of TLS for email communications to prevent plain-text credential leaks.<\/li>\n<\/ul>\n
2. Network Segmentation:<\/strong><\/p>\n\n- Isolate sensitive systems (e.g., email servers, internal servers) in separate network segments to limit exposure to\u00a0threats.<\/li>\n<\/ul>\n
3. User Education & Awareness:<\/strong><\/p>\n\n- Provide training on recognizing phishing attempts, especially in relation to email attachments and\u00a0links.<\/li>\n<\/ul>\n
<\/p>\n
\nHawkEye Lab Write-Up | By BnHany<\/a> was originally published in OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"Cyber Defense Lab\u00a0Write-Up https:\/\/cyberdefenders.org\/blueteam-ctf-challenges\/hawkeye\/ 1. Lab Information Lab Title: HawkEye\u00a0Lab Course: Network Forensics This Write-up Make it by\u00a0BnHany. 2. Objective The objective of this lab is to analyze a network capture (PCAP) file to investigate potential malicious activity. Specifically, the goal is\u00a0to: 1. Identify the victim machine and suspicious traffic. 2.Extract Indicators of Compromise (IoCs) … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=306"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/307"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
The objective of this lab is to analyze a network capture (PCAP) file to investigate potential malicious activity.<\/em><\/p><\/blockquote>\n Specifically, the goal is\u00a0to:<\/em><\/p><\/blockquote>\n 1. Identify the victim machine and suspicious traffic.<\/p><\/blockquote>\n 2.Extract Indicators of Compromise (IoCs) such as malicious files, IPs, or credentials.<\/p><\/blockquote>\n 3.Use analysis tools (Wireshark, CyberChef, VirusTotal) to understand the nature of the\u00a0threat.<\/p><\/blockquote>\n 4.Simulate a real-world incident response by applying forensics and OSINT techniques.<\/p><\/blockquote>\n List all tools and platforms used in the\u00a0lab.<\/p>\n Briefly describe the environment.<\/p>\n Q1: How many packets does the capture\u00a0have?<\/p>\n Answer: Open the PCAP file and scroll down to the end. You will find the last packet listed in the \u2018No.\u2019\u00a0column.<\/p>\n Q2: At what time was the first packet captured?<\/p>\n Answer: To view detailed timing information in a PCAP file, go to \u2018Statistics\u2019 \u2192 \u2018Capture File Properties\u2019 or press Ctrl + Alt + Shift + C. Be careful\u200a\u2014\u200athe displayed time is in\u00a0UTC.<\/p>\n Q3\u00a0: What is the duration of the\u00a0capture?<\/p>\n Answer: You can use the same steps in Q2 or calculate the time difference between the first and last\u00a0packet.<\/p>\n Q4\u00a0: What is the most active computer at the link\u00a0level?<\/p>\n answer\u00a0: Go to \u2018Statistics\u2019 \u2192 \u2018Endpoints\u2019 and check which device has the most packets. The answer will be its\u00a0address.<\/p>\n Q5\u00a0: Manufacturer of the NIC of the most active system at the link\u00a0level?<\/p>\n answer\u00a0: Just take the MAC address with the highest number of packets and use any website or tool to find the vendor of the\u00a0device.<\/p>\n Q6: Where is the headquarters of the company that manufactured the NIC of the most active computer at the link\u00a0level?<\/p>\n Answer: Search for the vendor associated with the MAC address by looking up its prefix (OUI), which often includes the company\u2019s headquarters information.<\/p>\n Q7: The organization works with private addressing and netmask \/24. How many computers in the organization are involved in the\u00a0capture?<\/p>\n Answer: Open the IPv4 section and identify the first IP address\u00a0listed.<\/p>\n Q8: What is the name of the most active computer at the network\u00a0level?<\/p>\n Answer: First, search for \u2018dhcp\u2019 in the filter bar, then check which packet contains the hostname.<\/p>\n Q9: What is the IP of the organization\u2019s DNS\u00a0server?<\/p>\n Answer\u00a0: after upload our file in\u00a0Apackets<\/p>\n Q10: What domain is the victim asking about in packet\u00a0204?<\/p>\n Answer: Go to packet number 204, or press Ctrl + G and enter \u2018204\u2019 to jump directly to\u00a0it.<\/p>\n Q11: What is the IP of the domain in the previous question?<\/p>\n Answer: You will see the IP address in the Request\u00a0packet.<\/p>\n Q12: Indicate the country to which the IP in the previous section\u00a0belongs?<\/p>\n Answer: Take the IP address and search for information about it. Q13: What operating system does the victim\u2019s computer\u00a0run?<\/p>\n Answer: We have identified the victim\u2019s IP address, so we need to filter all HTTP traffic related to it in order to find the operating system in the User-Agent string. To do this, enter the following filter in the\u00a0search<\/p>\n bar:ip.src == 10.4.10.132 && http.request<\/p>\n Q14: What is the name of the malicious file downloaded by the accountant?<\/p>\n Answer: In the same packet, we can also find the file the user attempted to download from the\u00a0browser.<\/p>\n Q15: What is the MD5 hash of the downloaded file?<\/p>\n Answer: Just download the file by going to File > Export Objects > HTTP, then choose the file.exe and download it. After that, open VirusTotal, upload the file, and go to the ‘Details’ tab\u2014you\u2019ll see everything you need\u00a0there.<\/p>\n Q16: What software runs the web server that hosts the\u00a0malware?<\/p>\n Answer: Select the packet that shows the file.exe, then press Ctrl + Alt + Shift + H to view the server\u00a0details.<\/p>\n Q17: What is the public IP of the victim\u2019s computer?<\/p>\n answer\u00a0: go to the packet 3166 and go to line\u00a0text<\/p>\n Q18: In which country is the email server to which the stolen information is\u00a0sent?<\/p>\n Answer: Take the IP address and enter it into any IP location finder to determine its geographical location.<\/p>\n Q19: Analyzing the first extraction of information. What software runs the email server to which the stolen data is\u00a0sent?<\/p>\n Answer: Just find the SMTP packet, select it, and analyze its contents.<\/p>\n Q20: To which email account is the stolen information sent?<\/p>\n answer\u00a0: go to the TCP stream to see the\u00a0email<\/p>\n Q21: What is the password used by the malware to send the\u00a0email?<\/p>\n Answer: You will see the entire stream, so we\u2019ll extract the password hash and paste it into CyberChef for analysis.<\/p>\n Q22: Which malware variant exfiltrated the\u00a0data?<\/p>\n Answer: Take the message content from the email and paste it into CyberChef for further analysis.<\/p>\n Q23: What are the Bank of America access credentials? (username:password)<\/p>\n Answer: Take the message content from the email and paste it into CyberChef for further analysis\u00a0too.<\/p>\n Q24: Every how many minutes does the collected data get exfiltrated?<\/p>\n Answer\u00a0:\u00a010<\/p>\n During packet analysis, we identified several Indicators of Compromise (IoCs):<\/em><\/p><\/blockquote>\n The most suspicious activity was the HTTP transfer of an executable file and the encoded email credentials. These behaviors are consistent with data exfiltration and initial compromise stages of an\u00a0attack.<\/em><\/p><\/blockquote>\n CyberChef was used to decode captured data, confirming the presence of plaintext usernames and hashed passwords. This indicates lack of encryption and possible insider threat or weak mail server configuration.<\/em><\/p><\/blockquote>\n The objective was achieved: we successfully identified the victim, extracted malicious artifacts, and analyzed key attack components.<\/p>\n Key learnings:<\/p>\n In a real-world scenario:<\/p>\n Based on the findings and analysis, the following recommendations and improvements are suggested to enhance detection and response capabilities:<\/em><\/p><\/blockquote>\n 1. Enhanced Packet Inspection:<\/strong><\/p>\n 2. Anomaly-Based Detection:<\/strong><\/p>\n 1. Custom Wireshark Filters:<\/strong><\/p>\n 2. Network Monitoring Alerts:<\/strong><\/p>\n 3. Hash-based Detection:<\/strong><\/p>\n 1. Email Encryption:<\/strong><\/p>\n 2. Network Segmentation:<\/strong><\/p>\n 3. User Education & Awareness:<\/strong><\/p>\n HawkEye Lab Write-Up | By BnHany<\/a> was originally published in OSINT Team<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":" Cyber Defense Lab\u00a0Write-Up https:\/\/cyberdefenders.org\/blueteam-ctf-challenges\/hawkeye\/ 1. Lab Information Lab Title: HawkEye\u00a0Lab Course: Network Forensics This Write-up Make it by\u00a0BnHany. 2. Objective The objective of this lab is to analyze a network capture (PCAP) file to investigate potential malicious activity. Specifically, the goal is\u00a0to: 1. Identify the victim machine and suspicious traffic. 2.Extract Indicators of Compromise (IoCs) … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/comments?post=306"}],"version-history":[{"count":0,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/posts\/306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media\/307"}],"wp:attachment":[{"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/media?parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/categories?post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quantusintel.group\/osint\/wp-json\/wp\/v2\/tags?post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}3. Tools\u00a0Used<\/h3>\n
\n
4. Lab Setup\/Environment<\/h3>\n
\n
5. Methodology\/Steps Taken<\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Lab Questions &\u00a0Answers<\/h3>\n
<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n
in abuselIPDB<\/p>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n<\/figure>\n6. Findings \/\u00a0Analysis<\/h3>\n
\n
7. Conclusion<\/h3>\n
\n
\n
9. Recommendations\/Improvements<\/h3>\n
1. Detection Improvements:<\/h3>\n
\n
\n
2. Rule\/Alert Recommendations:<\/h3>\n
\n
\n
\n
3. System\/Process Improvements:<\/h3>\n
\n
\n
\n
<\/p>\n
\n