Network Forensics Tutorial
Every cybersecurity incident starts with a motivated attacker trying to achieve a goal
by attacking a target. The motive can be money, power, fame, or even a desire for
revenge. The target can be a person, a company, an organization, or even a country.
In today’s world, where almost every electronic device is connected to the Internet,
the network has become one of the most common ways of carrying out an attack.
Infecting a computer with malware, which usually happens over the network, and
taking control of that computer is not the goal of the attack but a phase on the way to
the final goal.
Moreover, the attacker will usually want to extract information from the infected
computer. How can they extract it? Through the same network they used to attack
the computer.
Therefore, the network plays a significant role in cyber-attacks, and with network
forensics one can learn how the attack started, what information was leaked out, and
what the attacker’s motive was.
In this lesson we will meet some network concepts, protocols, and tools that will help
us with our investigation. We will also look at a demonstration of a network attack and
show how we can investigate it using existing tools.
This document is protected by copyright laws and contains material proprietary to Red Alpha Cybersecurity Pre. Ltd. It or any components may not be reproduced, republished, distributed,
transmitted, displayed, broadcast or otherwise exploited in any manner without the express prior written permission of Red Alpha Cybersecurity. The receipt or possession of this document
does not convey any rights to reproduce, disclose, or distribute its contents, or to manufacture, use, or sell anything that it may describe, in whole or in part.
Network Packets and Protocols
The data sent over the network can convey different information but is sent in the
same way. This is similar to letter mail: a letter from the bank and a Happy Birthday
greeting card convey different information but are sent the same way, as text inside
envelopes.
The envelopes of the network world are called network packets, and the type of
information they convey is called the application protocol.
Just as every letter sent through the Post Office needs a recipient’s name and address,
every protocol sent over a computer network needs some addressing in order to reach
the correct recipient.
In computer networks these addresses are the IP address and the MAC address.
There are special IP addresses that signify that a message is intended for more than
one recipient. For example:
- The broadcast IP address is the last address of a subnet. For a network such as
10.0.0.0/24 it is 10.0.0.255: every device with an IP address 10.0.0.X (where X
is any number from 1 to 254) will treat this message as if it was sent to it and
will not ignore it. Note that the address only ends in 255 for a /24 network; a /16
such as 10.0.0.0/16 has the broadcast address 10.0.255.255, and 255.255.255.255
is the “limited broadcast” address that reaches every host on the local link
regardless of subnet.
- A multicast IP address is any address in the range 224.0.0.0 to 239.255.255.255
(224.0.0.0/4), e.g. 224.0.0.22. A device with the IP 10.0.0.5 can subscribe to a
multicast group and accept every message addressed to that group. Addresses in
224.0.0.0/24 are link-local groups used by protocols such as IGMP (224.0.0.22)
and mDNS (224.0.0.251) and are never routed beyond the local network.
Both broadcast and multicast addresses are logical addresses and do not represent
real machines.
Lastly, as the number of available IPv4 addresses is limited to about 4 billion, and
today far more devices are connected to the Internet, we cannot assign a unique public
IP address to each device. To solve this, some ranges are reserved as private IPs:
they are allowed not to be unique and are reused in many different networks. These
ranges are:
- 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
- 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
- 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
Every IP address that is not in these ranges is a public IP address and must be uniquely
assigned. Any device that wants to be reachable from the Internet must have a public
IP address; devices with private addresses reach the Internet through a router that
performs Network Address Translation (NAT), which is why, in a capture taken on a
home LAN, all Internet traffic appears to pass through the router. If Google’s web
server had a private IP address, it would not be accessible via the Internet.
MAC Address - the address of a network card. It is assigned by the manufacturer and
stored (“burnt in”) in the card’s hardware, but it is not unchangeable: the operating
system can override it in software, so a MAC address seen in a capture is a strong hint
about the device, not proof of its identity. These addresses are written as six groups
of two hexadecimal digits, XX-XX-XX-XX-XX-XX (Wireshark uses colons,
xx:xx:xx:xx:xx:xx), where X is a digit from 0 to 9 or a letter from A to F.
00-1A-A0-52-76-9F is an example of a valid MAC address.
The first 3 groups of the MAC address identify the manufacturer of the network device
and are called the OUI (Organizationally Unique Identifier). For example, D0-37-45 is
one of the OUIs assigned to TP-LINK, so a card whose address starts with D0-37-45
was made by TP-LINK (a large vendor owns many OUIs). This information can be found
online by searching for “TP-LINK MAC address OUI”, and Wireshark resolves the
vendor name automatically in the packet list.
Similar to IP, MAC addresses also have special addresses for broadcast and multicast:
FF-FF-FF-FF-FF-FF is the broadcast address that every card on the LAN accepts, and
any address whose first byte has its lowest bit set is a multicast address. The ones you
will see most often are 01-00-5E-xx-xx-xx (IPv4 multicast) and 33-33-xx-xx-xx-xx
(IPv6 multicast).
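The following is an added example, not part of the original tutorial, that turns the address rules above into code an analyst can run over the addresses copied out of a capture: it classifies an IPv4 address as private, public, multicast or broadcast (the subnet broadcast depends on the network mask, so the LAN is passed in), and it decodes a MAC address into its OUI, its kind (unicast, broadcast, IPv4/IPv6 multicast) and its “locally administered” bit, which flags an address that was set by software rather than burnt in. The two-entry OUI table and the 10.0.0.0/24 LAN are assumptions for the example; a real analysis uses the IEEE registry that Wireshark ships as its manuf file.

```python
import ipaddress

# Constructed lookup data: a two-entry OUI table (the full list is the IEEE registry that
# Wireshark ships as its "manuf" file) and the /24 LAN used in this lesson's examples.
OUI_TABLE = {"00-0C-29": "VMware", "D0-37-45": "TP-LINK"}
LAN = ipaddress.ip_network("10.0.0.0/24")


def classify_ip(addr: str, lan: ipaddress.IPv4Network = LAN) -> str:
    """Triage an IPv4 address the way an analyst does with the Endpoints list."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"      # reaches every host on the link, whatever the subnet
    if ip == lan.broadcast_address:
        return "subnet-broadcast"       # 10.0.0.255 for a /24, 10.0.255.255 for a /16
    if ip.is_multicast:
        return "multicast"              # 224.0.0.0/4
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"                # 10/8, 172.16/12, 192.168/16 (and other reserved blocks)
    return "public"


def classify_mac(mac: str) -> dict:
    """Accept XX-XX-XX-XX-XX-XX or xx:xx:xx:xx:xx:xx and explain what the address is."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    oui = "-".join(f"{b:02X}" for b in raw[:3])
    if raw == b"\xff" * 6:
        kind = "broadcast"
    elif raw[:3] == b"\x01\x00\x5e":
        kind = "ipv4-multicast"         # 01-00-5E + low 23 bits of the group address
    elif raw[:2] == b"\x33\x33":
        kind = "ipv6-multicast"         # 33-33 + low 32 bits of the group address
    elif raw[0] & 0x01:
        kind = "multicast"              # I/G bit set: some other group address
    else:
        kind = "unicast"
    # U/L bit (0x02 in the first byte): 1 means the address was set by software rather than
    # burnt in by the vendor, so the OUI lookup says nothing about the real hardware.
    return {"oui": oui, "vendor": OUI_TABLE.get(oui, "unknown"), "kind": kind,
            "locally_administered": kind == "unicast" and bool(raw[0] & 0x02)}


if __name__ == "__main__":
    for a in ("10.0.0.2", "10.0.0.255", "224.0.0.22", "172.32.0.1"):
        print(a, classify_ip(a))
    for m in ("00:0c:29:b9:45:b2", "ff:ff:ff:ff:ff:ff", "33:33:00:00:00:01", "02:00:5e:00:00:16"):
        print(m, classify_mac(m))
```

Because 172.32.0.1 falls just outside 172.16.0.0/12 it is classified as public; this is the kind of boundary that is easy to get wrong when reading a list by eye.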
But with these two addresses, IP and MAC, a network packet might be able to reach
my computer, but my computer still won’t know which of all the running applications
the packet is for.
To solve this, we need another kind of address called a port number.
Port number - a number between 0 and 65,535 (0 is reserved and not used for normal
traffic) that identifies a specific running application that listens for incoming network
packets. Port numbers belong to the transport protocol, TCP or UDP, and each of
these has its own independent set of ports.
All of the network packets you will capture, although they convey different kinds of
information and belong to different application protocols, will contain a source and
destination MAC address and, for IP traffic, a source and destination IP address;
packets carried over TCP or UDP also contain source and destination port numbers.
Together these tell us the addresses of the sender and the recipient. Some packets,
such as ARP and ICMP, have no port numbers at all because they are not carried by
TCP or UDP.
The two application protocols we will meet most often in this lesson are:
- HTTP (Hypertext Transfer Protocol)
● HTTP servers are addressable at port 80, or at port 443 for the secured
version of HTTP called HTTPS, where the client request and the server
response are both encrypted (using TLS) and can be decrypted only by the
two parties
- DNS (Domain Name System)
● As it is hard for humans to remember IP addresses, DNS is used to translate
a human-readable name into the IP address the computer actually connects
to, for example 72.17.11.228
● DNS is always used behind the scenes when you browse the Internet or
play online games, where your game client tries to access the game
server
We will dive more in-depth into these two protocols later on.
Network Analyzing
Wireshark
Wireshark is like the guard at the entrance of a condominium. As the guard logs in a
logbook every person who enters or leaves the condo, Wireshark logs every incoming
data that reaches a computer’s network card, or outgoing data that leaves it. This will
include any malicious network activity. It allows us not only to monitor network traffic
but also to analyze it. The process of monitoring the network is called sniffing.
Wireshark can be used to sniff the traffic and analyze it in real-time, or load an existing
sniff file, called a Packet Capture (.PCAP) file, and analyze it offline.
This tool is extremely useful for learning hands-on networking and understanding how
everything works. Want to know how your browser communicates with google? Or
how does your torrent client download gigabytes of movies from thousands of peers?
Open Wireshark and start analyzing!
Start with downloading Wireshark here. Once the download is finished, install it.
Open up Wireshark. Go to Capture | Start or click the fin icon to start a new capture.
Open up your browser and go to your favorite search engine, bing. You will notice
Wireshark is recording a lot of traffic. Do not worry, by the end of this tutorial, you will
understand almost all of it.
Wireshark is smart and can give us hints on what kind of data we are dealing with. It
does so by dissecting the frames and making an educated guess of the protocols it
includes. It does a great job, but remember that in the end everything is just raw data
and it can mean different things according to the context.
There are 3 different panes open in Wireshark:
1. The first pane (packet list) shows all the captured frames. By default they are
sorted by time, but we can sort them however we like. We can click on a frame
and see more information in the other 2 panes.
2. The second pane (packet details) shows a breakdown of the frame into protocols.
We can see the frame consists of multiple protocols, each encapsulating the
ones below it - Ethernet (Data Link), IPv4 (Network), TCP (Transport), and HTTP
(Application).
3. The third pane (packet bytes) is a dump of the raw data. On the left we see the
hex view of the raw frame bytes, and on the right a textual representation of the
same bytes. Hex is a shorter way to write binary data, where each group of 4 bits
becomes a single character from 0 to F, so one byte is two hex characters.
We can filter the displayed frames using the display filter bar. Since Wireshark
understands protocols and identifies them automatically, we can use this to our
advantage. Let’s filter by destination IP address, using the destination IP of the frame
above.
Using a filter like ip.dst == 192.168.1.3, Wireshark now only shows frames with that
destination IP. We can combine filters using the logical operators and/or (also written
&& and ||), for example ip.dst == 192.168.1.3 and tcp.port == 80.
We can also show only frames that contain the IP protocol by giving the protocol name,
ip, as the whole filter. Note that a display filter only hides frames from view; everything
that was captured is still in the file.
As an analysis tool, another thing we get from Wireshark is statistical data. Protocol
Hierarchy (Statistics | Protocol Hierarchy) is an example of it. We can see visually how
much traffic was sent or received per protocol and identify the most common
protocols in our capture.
Usually, application data is sent in multiple TCP segments. What we are interested in
is the application data itself, not the individual TCP segments with their headers.
“Follow TCP Stream” (right-click a packet, then Follow | TCP Stream) is a very useful
feature of Wireshark that collects all the TCP segments of the connection we choose,
puts them in order, and shows us only the application data transmitted in each
direction as a single stream.
Conversations and Endpoints are two more kinds of statistical data. “Conversations”
shows the packet exchange between two entities in the network, while “Endpoints”
shows a summary of all communication sent to or from a single entity.
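To make the three ideas above concrete (the Ethernet/IPv4/TCP layering shown in the packet details pane, display filters, Follow TCP Stream, and the Endpoints and Conversations statistics), here is an added example that is not part of the original tutorial: a minimal pcap reader written with the Python standard library that dissects each frame into the same field names Wireshark uses, filters on them, reassembles one TCP connection by sequence number, and counts endpoints and conversations. The capture it reads is constructed in the code (a browser at 10.0.0.2 fetching a file through the router from a web server at 203.0.113.10, with one request deliberately split into two out-of-order segments); the MAC addresses reuse the VMware ones from the guided example later in this lesson, and 203.0.113.0/24 is a documentation range. It handles the classic libpcap format only, not pcapng, and does not verify checksums or IP options beyond the header length.

```python
import struct
from collections import Counter


def parse_frame(raw: bytes) -> dict:
    """Dissect Ethernet -> IPv4 -> TCP/UDP, the layering the packet-details pane shows."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    pkt = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":"), "eth.type": ethertype}
    if ethertype != 0x0800:                      # not IPv4 (e.g. ARP 0x0806): stop at layer 2
        return pkt
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes (options make it > 20)
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    pkt.update({"ip.src": ".".join(map(str, ip[12:16])),
                "ip.dst": ".".join(map(str, ip[16:20])), "ip.proto": proto})
    l4 = ip[ihl:total_len]                       # cuts off any Ethernet padding after the datagram
    if proto == 6:                               # TCP
        sport, dport, seq, _ack, off = struct.unpack("!HHIIB", l4[:13])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                    "tcp.payload": l4[(off >> 4) * 4:]})
    elif proto == 17:                            # UDP: 8-byte header, then the datagram
        sport, dport = struct.unpack("!HH", l4[:4])
        pkt.update({"udp.srcport": sport, "udp.dstport": dport, "udp.payload": l4[8:]})
    return pkt


def read_pcap(data: bytes):
    """Yield (timestamp, frame) from a classic libpcap file held in memory (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    scale = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6   # nanosecond vs microsecond variant
    off = 24                                     # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_frac / scale, data[off:off + incl_len]
        off += incl_len


def build_frame(src_mac, dst_mac, src, dst, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame for the demo; src/dst are (ip, port), checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip4 = lambda s: bytes(map(int, s.split(".")))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src[0]), ip4(dst[0]))
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + iph + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


def display_filter(pkts, conds: dict):
    """Minimal stand-in for a display filter such as ip.dst == 10.0.0.2 && tcp.dstport == 80."""
    return [p for p in pkts if all(p.get(k) == v for k, v in conds.items())]


def endpoints(pkts, layer="ip"):
    """Statistics > Endpoints: packets seen per address, at the eth or ip layer."""
    c = Counter()
    for p in pkts:
        for fld in (layer + ".src", layer + ".dst"):
            if fld in p:
                c[p[fld]] += 1
    return c


def conversations(pkts):
    """Statistics > Conversations: packets per unordered IPv4 pair."""
    return Counter(tuple(sorted((p["ip.src"], p["ip.dst"]))) for p in pkts if "ip.src" in p)


def follow_tcp_stream(pkts, client, server):
    """Follow TCP Stream: reassemble both directions of one connection by sequence number.
    client/server are (ip, port); exact retransmissions (same seq) collapse into one copy."""
    segs = {"client": {}, "server": {}}
    for p in pkts:
        if p.get("ip.proto") != 6 or not p["tcp.payload"]:
            continue
        src, dst = (p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])
        if (src, dst) == (client, server):
            segs["client"][p["tcp.seq"]] = p["tcp.payload"]
        elif (src, dst) == (server, client):
            segs["server"][p["tcp.seq"]] = p["tcp.payload"]
    return {d: b"".join(s[k] for k in sorted(s)) for d, s in segs.items()}


# Constructed traffic: 10.0.0.2 fetches a file from 203.0.113.10 via the router's MAC.
CLIENT, SERVER = ("10.0.0.2", 49152), ("203.0.113.10", 80)
C_MAC, GW_MAC = "00:0c:29:b9:45:b2", "00:0c:29:4c:0f:cd"
REQ1 = b"GET /kittens.jpg HTTP/1.1\r\nHost: www.example.test\r\n"
REQ2 = b"User-Agent: Mozilla/5.0\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_PCAP = build_pcap([
    build_frame(C_MAC, GW_MAC, CLIENT, SERVER, 1000 + len(REQ1), REQ2),   # second half arrives first
    build_frame(C_MAC, GW_MAC, CLIENT, SERVER, 1000, REQ1),
    build_frame(GW_MAC, C_MAC, SERVER, CLIENT, 5000, RESP),
])
PACKETS = [parse_frame(frame) for _ts, frame in read_pcap(SAMPLE_PCAP)]

if __name__ == "__main__":
    print(display_filter(PACKETS, {"ip.dst": "10.0.0.2"}))
    print(endpoints(PACKETS), endpoints(PACKETS, "eth"), conversations(PACKETS), sep="\n")
    print(follow_tcp_stream(PACKETS, CLIENT, SERVER))
```

Reassembling by sequence number is what makes the out-of-order segments read back as one well-formed request; a gap in the sequence numbers (a segment the sniffer missed) shows up as a hole in the stream, which is why a file exported from a lossy capture can be corrupt even though Wireshark shows a complete-looking response.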
Flow graph provides time-based statistics about the flow of communication. It helps
us see the chronological order of the communication. We would expect to see a DNS
query before an HTTP request to a specific web server; an HTTP connection to a server
whose name was never resolved through DNS deserves a second look, because
malware frequently carries the address of its server hard-coded.
Many times malware enters a system by being downloaded from a malicious web
server using the HTTP protocol. Export HTTP Objects (File | Export Objects | HTTP)
allows us to save resources that were downloaded over HTTP to disk and research
them in a sandbox environment. Treat the exported files as live malware: never open
them on the analysis machine, and hash them first so they can be looked up in threat
intelligence sources.
HTTP
HTTP is a generic protocol that can be used for many purposes, which is what made it
so popular and widely used.
It is a client/server protocol, which means that there is always a client sending an HTTP
request to a server, which in return sends an HTTP response.
Imagine one computer in a network wants to download a file from another computer
in the network: you can run an HTTP server on the second one and, on the first one,
use your web browser as the HTTP client that sends an HTTP request asking for the
desired file. The server then sends an HTTP response containing the file.
Another example is a smart light bulb that acts as an HTTP server: using your web
browser or a mobile app, you can turn the lights on and off via HTTP requests.
HTTP Request
HTTP requests contain information that specifies the type of the request and the
desired resource or command we are asking the server for. An HTTP request is plain
text: a request line (method, path, protocol version), then the headers, then an empty
line, and optionally a body.
URI
A uniform resource identifier (URI) identifies a resource. URIs are generic and may be
used for various purposes, like pointing to files.
The HTTP URI consists of 5 main parts:
● scheme - the protocol used, either http or https
● host - the host running the web server
● port - the port of the web server. If not specified, the default port for the
protocol is used (80 for http, 443 for https)
● path - the path to the resource on the server
● query - appears at the end of the path after the question mark. This is optional
and allows passing parameters to the web server. Parameters are given as
key=value pairs and are separated by the ampersand (&) sign. Because the query
travels in the request line, the parameters are visible to anyone sniffing
unencrypted HTTP, which is how search terms are recovered from a capture.
For example, Google uses the q parameter for its query string. Try this:
https://www.google.com/search?q=singapore
HTTP Methods
GET and POST are the most common methods. They are implemented by all servers
and are used by your web browser directly:
● GET - when you browse Google, your browser uses GET requests to retrieve
the content of the page
● POST - when you submit a form, such as a signup form, the browser sends the
form parameters in the HTTP body using the same syntax as a query. This is
useful because the URI has a limited length, and it is also used for sending large
parameters like files. For an investigator, POST bodies are where credentials
and uploaded data are usually found in a capture.
HTTP Headers
Lastly, an HTTP request allows the client to pass additional information using
headers, which are key and value pairs, like words and their respective translations in
a dictionary.
We use headers whenever we want to add information that is not part of the data itself
but is needed for the communication.
Let’s take the “User-Agent” header as an example. The User-Agent is a string that
conveys information about the requesting client, such as the browser name and
version, the operating system and its version, and whether the device is a desktop or
a mobile phone.
This header allows the server to respond with different content (or style) for different
clients. For example, if a client is accessing the server from a mobile phone, the server
can respond with a mobile-friendly version of the web page, which is different from
the response that a client surfing from a desktop computer will receive.
Luckily, some online tools can parse a User-Agent string and explain it in plain words.
This information can be very valuable when analyzing HTTP network traffic, as we can
learn about the actual devices in the communication, including their OS version and
whether they are desktop or mobile devices. Keep in mind that the value is chosen by
the client: it can be forged, and malware often copies a browser’s User-Agent to blend
in, so corroborate it with other evidence (for example DHCP hostnames or the mix of
protocols the host speaks) before drawing conclusions.
HTTP Response
The HTTP response contains information that specifies whether the request was
handled successfully, the type and size of the response content, and the requested
resource itself. It has the same shape as the request: a status line (protocol version,
status code such as 200 or 404, and a reason phrase), headers such as Content-Type
and Content-Length, an empty line, and then the body carrying the resource.
HTTP in Wireshark
Most HTTP traffic today is carried inside HTTPS, whose contents Wireshark cannot
read without the session keys (you can usually still see the server name in the TLS
handshake, and always the volume and timing of the traffic).
However, there are still some large websites that use plain HTTP.
Let’s examine the traffic generated when browsing baidu.com and searching for
kittens. Filtering on http, we can see the request methods, User-Agent, and parameters
in the packet list and packet details panes.
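As an added example (not code from the original tutorial), the following Python pulls the HTTP pieces discussed in this section together: it splits a URI into its five parts, parses a reassembled request or response into start line, headers and body, and carves the body out of a response the way Export Objects does, fingerprinting it with SHA-256 and identifying its real file type from the leading bytes rather than trusting the Content-Type header. The request and response bytes are constructed for the example and are not taken from the baidu.com capture; the code assumes HTTP/1.x that has already been reassembled (as by Follow TCP Stream) and does not handle chunked or compressed bodies.

```python
import hashlib
from urllib.parse import urlsplit, parse_qs


def split_uri(uri: str) -> dict:
    """The five parts of an HTTP URI, with the default port filled in from the scheme."""
    u = urlsplit(uri)
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    return {"scheme": u.scheme, "host": u.hostname, "port": port,
            "path": u.path or "/", "query": parse_qs(u.query)}


def parse_http_message(raw: bytes) -> dict:
    """Split one request or response into start line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    first = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    if first[0].startswith("HTTP/"):            # status line: version code reason
        msg.update(kind="response", status=int(first[1]),
                   reason=first[2] if len(first) > 2 else "")
    else:                                       # request line: method target version
        msg.update(kind="request", method=first[0], target=first[1],
                   params=parse_qs(urlsplit(first[1]).query))
    return msg


# Leading bytes of common file types; the server's Content-Type and the URL's extension
# are under the attacker's control, the first bytes of the body are not.
MAGIC = {b"MZ": "Windows PE executable", b"%PDF": "PDF document", b"\x89PNG": "PNG image",
         b"PK\x03\x04": "ZIP archive (also docx/xlsx/jar)", b"\x7fELF": "ELF executable"}


def file_type_from_magic(data: bytes) -> str:
    return next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")


def export_http_object(response: bytes) -> dict:
    """Carve the body like File > Export Objects > HTTP and fingerprint it for sandbox lookup."""
    msg = parse_http_message(response)
    declared = int(msg["headers"].get("content-length", len(msg["body"])))
    body = msg["body"][:declared]
    if len(body) < declared:
        raise ValueError(f"truncated object: {len(body)} of {declared} bytes "
                         "(segments missing from the capture?)")
    return {"content_type": msg["headers"].get("content-type", ""), "size": len(body),
            "magic": file_type_from_magic(body),
            "sha256": hashlib.sha256(body).hexdigest(), "data": body}


# Constructed sample traffic for the example (not from a real capture).
REQUEST = (b"GET /search?q=kittens&lang=en HTTP/1.1\r\nHost: www.example.test\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) "
           b"Gecko/20100101 Firefox/61.0\r\nAccept: text/html\r\n\r\n")
PAYLOAD = b"MZ" + b"\x90" * 30                   # just the DOS-header magic of a Windows executable
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"   # lying Content-Type, as droppers do
            b"Content-Length: " + str(len(PAYLOAD)).encode() + b"\r\n\r\n" + PAYLOAD)

if __name__ == "__main__":
    print(split_uri("https://www.google.com/search?q=singapore"))
    req = parse_http_message(REQUEST)
    print(req["method"], req["target"], req["params"], req["headers"]["user-agent"])
    obj = export_http_object(RESPONSE)
    print(obj["content_type"], obj["magic"], obj["size"], obj["sha256"])
```

The mismatch between the declared image/jpeg and the MZ magic is exactly the kind of thing to look for when triaging exported objects, and the SHA-256 is what you search for in a sandbox or threat intelligence service before ever executing the file.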
DNS
DNS is always used behind the scenes when you browse the Internet or play online
games, where your game client tries to access the game server.
Similar to HTTP, DNS is also client/server based. A DNS client, usually the resolver
built into your computer, sends a DNS query, normally over UDP port 53, to a DNS
server, asking “What is the IP address of the domain called www.google.com?” The
DNS server responds with a DNS reply containing the IP address.
DNS Query
The query carries a transaction ID chosen by the client and a question section with
the name being asked about and the record type (A for an IPv4 address).
DNS Reply
The reply repeats the transaction ID and the question and appends to it the relevant
answer with the IP address. Wireshark matches queries to replies by the transaction
ID, so filtering on dns lets us list every name a host looked up, which is usually the
first step when hunting for a malicious server.
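The exchange described above, as an added example that is not part of the original tutorial: the code builds a DNS query for www.google.com with the Python standard library, constructs the reply a server would send (same transaction ID, the question echoed, one A record whose name is a compression pointer back into the question), and parses both. It also shows the check a forensic parser needs that Wireshark does for you: a hop limit on compression pointers, because a crafted reply whose pointers loop would otherwise hang a naive parser. The answer address 203.0.113.5 is a constructed value from a documentation range, and the looping reply is constructed hostile input.

```python
import struct


def encode_name(name: str) -> bytes:
    """www.google.com -> b'\\x03www\\x06google\\x03com\\x00'"""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Query = 12-byte header (ID, flags with RD set, QDCOUNT=1) + question (QNAME, QTYPE, QCLASS=IN)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def decode_name(msg: bytes, off: int, max_hops: int = 16):
    """Read a (possibly compressed) name starting at off; return (name, offset just past it).
    The hop limit stops a crafted reply whose pointers form a loop from hanging the parser."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 11xxxxxx: pointer to a name earlier in the message
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                   # the name in this section ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a query or reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:            # A record: four bytes of IPv4 address
            answers.append((name, "A", ".".join(map(str, rdata)), ttl))
        elif rtype == 5:                         # CNAME: rdata is itself a compressed name
            answers.append((name, "CNAME", decode_name(msg, off)[0], ttl))
        else:
            answers.append((name, rtype, rdata, ttl))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def build_reply(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed server reply: same ID, the question echoed back, then one A record whose
    name is a pointer (0xC00C) to the name at offset 12 in the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1, RD=1, RA=1, NOERROR
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return header + query[12:] + answer


def is_malformed(msg: bytes) -> bool:
    """True if the message cannot be parsed safely (truncated, or a pointer loop)."""
    try:
        parse_message(msg)
        return False
    except (ValueError, IndexError, struct.error):
        return True


# Constructed exchange for the example.
QUERY = build_query("www.google.com", 0x1234)
REPLY = build_reply(QUERY, "203.0.113.5")
# Constructed hostile reply: the question name is a compression pointer to itself.
LOOPING_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
                 + b"\xc0\x0c" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print(QUERY.hex())
    print(parse_message(QUERY))
    print(parse_message(REPLY))
    print("looping reply malformed:", is_malformed(LOOPING_REPLY))
```

When reading a capture, the transaction ID is what ties a reply to its query; a reply whose ID matches no outstanding query, or several replies with different answers for the same ID, is the pattern left behind by DNS spoofing attempts.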
Guided example
John came home one night and started browsing the web. He was not doing much
when suddenly his computer shut down. Luckily, his son Mike had a sniffer running
on John’s computer. Investigate the resulting pcap file (sniff1.pcap) and answer the
following questions.
Task
1. Describe John’s network
1. IP Addresses (in the LAN or WAN)
2. MAC Addresses (in the LAN or WAN)
2. Describe John’s computer:
1. How do you know it is John’s computer?
2. Operating System
3. Web browser
Let’s load the given pcap file into Wireshark and provide the information needed for
this question using the analysis tools built into Wireshark.
1. Using the Wireshark Endpoints statistics (Statistics | Endpoints, IPv4 tab) we can
easily get a list of all the IP addresses in the capture file, and the Ethernet tab
gives the MAC addresses.
By clicking the “Copy” button we can copy the information in CSV format, and in
a text editor we can go over the list and analyze it.
We can see that some of the IPs are internal private IPs, which are IPs in John’s
LAN. Others are public Internet (WAN) IPs.
We can also see that some of the IPs are not addresses of real hosts:
10.0.0.255 - the IP used for broadcasting a message to the entire network subnet
224.0.0.22, 224.0.0.252 - multicast IPs used to send data to a group of hosts in a
computer network (224.0.0.22 is used by IGMP and 224.0.0.252 by LLMNR, the
local name resolution protocol of Windows)
After removing these 3 IPs, we are left with a list of 47 IPs containing LAN and
WAN IP addresses.
2. For the list of MAC addresses we can again use the Endpoints statistics, this
time looking at the Ethernet tab.
We can now analyze the MAC addresses as we did with the IP addresses.
We first divide them into groups with the same first 3 bytes of the MAC address,
which represent the OUI (Organizationally Unique Identifier) of the network device.
Then we go over the list and try to see which MAC addresses represent real
devices and which are special addresses for broadcasting or multicasting.
The same applies to the 33:33:00 group: any MAC address starting with 33:33 is
an IPv6 multicast address, not a device.
Finally, we are left with the 00:0c:29 group. Looking at the traffic coming from or
going to these MAC addresses, we can see that they are the addresses of actual
devices in the network; specifically, in this case, virtual machines created with
VMware virtualization software (00:0c:29 is a VMware OUI).
So to answer this part of the question, the MAC addresses in John’s network are:
00:0c:29:31:f9:66
00:0c:29:4c:0f:cd
00:0c:29:b9:45:b2
For part two of this exercise we need to focus on John’s computer, so we first have
to work out which computer is John’s. We have seen 3 IP addresses in the LAN. We
know one of them, 10.0.0.1, is the router’s IP, so John’s computer is either 10.0.0.2
or 10.0.0.3.
Filtering for the HTTP requests sent by 10.0.0.2 (http && ip.src == 10.0.0.2) shows
the User-Agent header its browser sends. We can take this User-Agent value to one
of the websites that parse User-Agents for us.
From this we learn that it is Firefox version 61 running on a Windows 7 machine.
Let’s see what information we can get about the other IP address (10.0.0.3).
We can find different HTTP requests with different User-Agents such as MSDW,
MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT and Microsoft-CryptoAPI/10.0.
None of these look like the activity of a real user; instead they are HTTP requests sent
by Microsoft background components running on this computer.
We can therefore assume that 10.0.0.2, which shows the activity of a person browsing
the Internet, is John’s computer.
So to conclude:
The computer with MAC address 00:0c:29:b9:45:b2 and IP 10.0.0.2 is John’s computer.
It is running Windows 7 with the Firefox web browser.
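The reasoning just applied by hand, identifying the interactive workstation and its OS and browser from User-Agent strings and separating them from background system clients, is automated in the following added example (not part of the original tutorial). The request log it works on is constructed: the User-Agent strings are the ones named above plus a typical Firefox 61 on Windows 7 string, not the real contents of sniff1.pcap, and the list of known non-interactive Microsoft clients and the Windows NT version table are assumptions that a real tool would keep far more complete.

```python
import re
from collections import defaultdict

# Constructed request log of (source IP, User-Agent) pairs, modelled on the capture
# described above; these are example strings, not data extracted from sniff1.pcap.
REQUESTS = [
    ("10.0.0.2", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"),
    ("10.0.0.2", "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"),
    ("10.0.0.3", "Microsoft-CryptoAPI/10.0"),
    ("10.0.0.3", "MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"),
    ("10.0.0.3", "MSDW"),
]

# Windows reports its kernel version, not its marketing name, in the User-Agent.
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
              "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}
# Order matters: Edge contains "Chrome/", Chrome contains "Safari/".
BROWSERS = [("Firefox", r"Firefox/(\d+)"), ("Edge", r"Edg/(\d+)"),
            ("Chrome", r"Chrome/(\d+)"), ("Safari", r"Version/(\d+).*Safari/")]
# Background Windows components seen in captures; extend from your own baseline.
NON_INTERACTIVE = ("Microsoft-CryptoAPI", "MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT",
                   "MSDW", "Microsoft NCSI")


def parse_user_agent(ua: str) -> dict:
    """Extract OS, browser and version; interactive=False for non-browser clients."""
    info = {"os": None, "browser": None, "version": None, "interactive": False,
            "mobile": "Mobile" in ua or "Android" in ua}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        info["os"] = WINDOWS_NT.get(m.group(1), f"Windows NT {m.group(1)}")
    elif "Android" in ua:                       # before Linux: Android UAs also say Linux
        info["os"] = "Android"
    elif "iPhone" in ua or "iPad" in ua:
        info["os"] = "iOS"
    elif "Mac OS X" in ua:
        info["os"] = "macOS"
    elif "Linux" in ua:
        info["os"] = "Linux"
    elif ua.startswith(NON_INTERACTIVE):
        info["os"] = "Windows (system component)"
    for name, pattern in BROWSERS:
        m = re.search(pattern, ua)
        if m:
            info.update(browser=name, version=int(m.group(1)), interactive=True)
            break
    return info


def profile_hosts(requests) -> dict:
    """Group requests per source IP (like http && ip.src == X for each host) and summarise."""
    hosts = defaultdict(lambda: {"user_agents": set(), "interactive": False,
                                 "os": None, "browser": None})
    for ip, ua in requests:
        host = hosts[ip]
        host["user_agents"].add(ua)
        parsed = parse_user_agent(ua)
        if parsed["interactive"]:               # a browser UA wins over background clients
            host.update(interactive=True, os=parsed["os"],
                        browser=f'{parsed["browser"]} {parsed["version"]}')
        elif host["os"] is None:
            host["os"] = parsed["os"]
    return dict(hosts)


def likely_user_workstations(requests) -> list:
    """IPs that show a person browsing, as opposed to only automated system traffic."""
    return sorted(ip for ip, h in profile_hosts(requests).items() if h["interactive"])


if __name__ == "__main__":
    for ip, host in profile_hosts(REQUESTS).items():
        print(ip, host["interactive"], host["os"], host["browser"])
    print("user workstation(s):", likely_user_workstations(REQUESTS))
```

The heuristic is only as good as the attacker lets it be: a User-Agent is a string the client chooses, so treat the result as the starting hypothesis and confirm it with evidence the client cannot fake as easily, such as the DHCP hostname and vendor class, the SMB or NetBIOS names on the wire, or the TCP/IP fingerprint of the host.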
Exercise
Use the knowledge you have acquired in this tutorial to extract from the file
red_alpha.pcap a PDF file which contains the password to complete this challenge.