Day 9: Wireshark - Inspecting Suspicious HTTP Traffic

Objective: Practice HTTP protocol inspection to identify malicious or anomalous web requests. The goal is to learn how to filter and analyze HTTP GET requests in Wireshark and recognize hidden indicators or embedded data.

Challenge Description: In this realistic SOC scenario, an internal host has made an unusual HTTP GET request to an external server. The attacker is using cleverly crafted URLs in HTTP GET requests to exfiltrate data. Your task is to inspect the HTTP traffic in the PCAP and find the hidden flag (TSEC format) embedded in a suspicious GET request.

Tools: Wireshark.

Steps to Solve:

  • Filter the captured traffic by HTTP protocol (e.g., http or tcp.port==80) to isolate web traffic.
  • Identify all HTTP GET requests by filtering http.request.method == "GET".
  • Look for requests with unusual or suspicious URLs (long paths, odd parameters).
  • Follow the TCP stream of any suspicious GET request to view the full URL and headers.
  • Examine each GET request's headers and URL for hidden data, such as flags or encoded content.
  • Decode any URL-encoded or base64-encoded content in the GET request.

Solution Lab:

pcap file download

1. Open the PCAP in Wireshark and apply the display filter http.request.method == "GET". You should see several HTTP GET requests listed.

2. Sort or review the GET requests by destination or URL path. Notice one request to http://talosec.lab/ where the id parameter is unusually long and contains random characters.

3. Right-click the suspicious GET packet and select Follow TCP Stream. This opens the full HTTP conversation. In the TCP stream view, you see the GET request line:

4. Identify the suspicious part of the GET request. The id parameter ends with "=", which looks like base64. Copy this value and decode it.

5. Check for multi-part encoding. It appears the attacker split the data across multiple requests. Return to the filtered list and see if there are other GET requests to talosec.lab with different id values.

6. Find another similar GET request. You find a second request: GET
Following the TCP stream shows:

GET / HTTP/1.1
Host: talosec.lab

7. Recognize the flag format. Thinking of the TSEC{...} pattern, you might try inserting the pieces into that format.

8. Check the TCP stream for more clues. Scroll down in the TCP stream to see the HTTP response from the server. The response body contains HTML, and within a comment you see:

This hidden comment reveals the flag.

9. Record the flag. The hidden flag discovered by analyzing the HTTP GET request is TSEC{....}.
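The manual steps above (filter GETs, pull out the id parameter, spot base64, join the fragments, then check the response body for an HTML comment) can be scripted once the streams are exported. The following is an added example written for this page, not part of the original lab: the HTTP streams, the id values and the flag are constructed placeholders, and the script operates on the exported stream text rather than on the PCAP itself.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample streams, written the way Follow TCP Stream shows them.
# The host matches the lab; the id values and the flag are placeholders made
# for this example, not the lab's real data.
STREAMS = [
    "GET /index.html?id=42 HTTP/1.1\r\nHost: talosec.lab\r\n\r\n",
    "GET /?id=VFNFQ3tjb25zdHI%3D HTTP/1.1\r\nHost: talosec.lab\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>ok</body></html>",
    "GET /?id=dWN0ZWRfZmxhZ30= HTTP/1.1\r\nHost: talosec.lab\r\n\r\n"
    "HTTP/1.1 200 OK\r\n\r\n<html><!-- TSEC{constructed_flag} --></html>",
]

REQUEST_LINE = re.compile(r"^GET (\S+) HTTP/1\.[01]\r?$", re.M)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # short ids like 42 are ignored
COMMENT = re.compile(r"<!--(.*?)-->", re.S)

def decode_b64(value):
    """Return the decoded text if value is well-formed base64 text, else None."""
    if not B64_SHAPE.match(value) or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def suspicious_ids(streams):
    """Collect id= values that decode as base64, in capture order (step 4-6)."""
    found = []
    for stream in streams:
        for match in REQUEST_LINE.finditer(stream):
            # parse_qs also undoes URL encoding, so %3D becomes the '=' padding
            params = parse_qs(urlsplit(match.group(1)).query)
            for value in params.get("id", []):
                decoded = decode_b64(value)
                if decoded is not None:
                    found.append((value, decoded))
    return found

def html_comments(streams):
    """Pull the text hidden inside HTML comments of server responses (step 8)."""
    return [c.strip() for s in streams for c in COMMENT.findall(s)]

def find_flags(streams):
    """Join the decoded fragments, then look for TSEC{...} in them and in comments."""
    joined = "".join(decoded for _, decoded in suspicious_ids(streams))
    candidates = [joined] + html_comments(streams)
    return sorted({f for c in candidates for f in re.findall(r"TSEC\{[^}]*\}", c)})
```

Running find_flags(STREAMS) on the constructed sample yields the same flag from both sources, the reassembled id fragments and the HTML comment, which is the cross-check steps 7 and 8 describe.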

Wireshark Display Filters:

http                          # All HTTP traffic
http.request.method == "POST" # Only POST requests
http.request.method == "GET"  # Only GET requests
http.user_agent               # Filter by User-Agent

Through this exercise, you’ve learned how to filter HTTP GET requests in Wireshark, follow TCP streams to reconstruct HTTP conversations, and extract hidden information from URLs and responses.
