Task 23 [Day 17] Traffic analysis I Tawt I Taw A C2 Tat!


Learning Objectives

  • Gain knowledge of the network traffic data format
  • Understand the differences between full packet captures and network flows
  • Learn how to process network flow data
  • Discover the SiLK tool suite
  • Gain hands-on experience in network flow analysis with SiLK

QUESTIONS:

  1. Which version of SiLK is installed on the VM?

Command:

rwfileinfo suspicious-flows.silk

ANSWER

3.19.1
  2. What is the size of the flows in the count records?

Command:

rwfileinfo suspicious-flows.silk

ANSWER

11774
  3. What is the start time (sTime) of the sixth record in the file?

Command:

rwcut suspicious-flows.silk --fields=sTime --num-recs=6

ANSWER

2023/12/05T09:33:07.755
  4. What is the destination port of the sixth UDP record?

Command:

rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6

ANSWER

49950
  5. What is the record value (%) of the dport 53?

Command:

rwstats suspicious-flows.silk --fields=dPort --values=records --count=5

ANSWER

35.332088
  6. What is the number of bytes transmitted by the top talker on the network?

Command:

rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top

ANSWER

735229
  7. What is the sTime value of the first DNS record going to port 53?

Command:

rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwcut --fields=sTime,sIP,dIP --num-recs=1

ANSWER

2023/12/08T04:28:44.825
  8. What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )

Command:

rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwstats --fields=sIP,dIP --values=records,bytes,packets --count=10

ANSWER

We have to write the answer in defanged format:

175[.]175[.]173[.]221
  9. Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )

Command:

rwfilter suspicious-flows.silk --aport=80 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10

ANSWER

175[.]215[.]236[.]223
  10. What is the sent SYN packet's number of records?

Command:

rwstats suspicious-flows.silk --fields=sIP,dIP --values=records,packets --count=10

ANSWER

1658
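The rwstats and rwfilter commands used for questions 5, 6, 8, 9 and 10 all do the same kind of work: group flow records by one or more fields, sum records, bytes or packets per group, rank the groups, and report each group's share of the total. The script below is an added example, not part of this write-up and not SiLK's own code: it re-implements that aggregation in Python over a constructed table in the layout that `rwcut` prints, so it runs without SiLK or the suspicious-flows.silk file. The column set, the sample addresses, ports and flag strings are assumptions for illustration; the percentages it computes correspond to the %Records / %Bytes columns rwstats prints, and the SYN-only filter mirrors the idea behind the SYN-flood question.

```python
"""Re-implementation of rwstats-style flow aggregation over rwcut-style text.

This is NOT SiLK; it exists so the aggregation the commands perform can be
followed step by step without the tool or the capture file.
"""
from collections import defaultdict

# Constructed sample in the layout of
#   rwcut --fields=sIP,sPort,dIP,dPort,protocol,flags,packets,bytes
# Addresses, ports and flag strings are made up for illustration.
SAMPLE_RWCUT = """\
            sIP|sPort|            dIP|dPort|pro|   flags|packets|   bytes|
       10.0.0.5|55123|     192.0.2.53|   53| 17|        |      1|      74|
       10.0.0.5|55124|     192.0.2.53|   53| 17|        |      1|      80|
   198.51.100.9|44000|      10.0.0.80|   80|  6|S       |      1|      60|
   198.51.100.9|44001|      10.0.0.80|   80|  6|S       |      1|      60|
   198.51.100.9|44002|      10.0.0.80|   80|  6|S       |      1|      60|
       10.0.0.7|40000|    203.0.113.4|  443|  6|S PA    |     12|    9000|
"""


def parse_rwcut(text):
    """Parse the pipe-delimited table rwcut prints.

    The first line names the columns; every row ends with a trailing '|',
    so the last element of each split is an empty string and is dropped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")][:-1]
    records = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")][:-1]
        rec = dict(zip(header, cells))
        for numeric in ("sPort", "dPort", "pro", "packets", "bytes"):
            rec[numeric] = int(rec[numeric])
        records.append(rec)
    return records


def rwstats(records, fields, value="records", count=5):
    """Group by `fields`, sum `value` (records, bytes or packets) per group,
    rank descending and report each group's share of the column total in
    percent, which is what rwstats --values shows as %Records / %Bytes.

    Returns a list of (key_tuple, summed_value, percent_of_total).
    """
    totals = defaultdict(int)
    for rec in records:
        key = tuple(rec[f] for f in fields)
        totals[key] += 1 if value == "records" else rec[value]
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:count]
    return [(key, val, 100.0 * val / grand) for key, val in ranked]


def syn_only(records):
    """TCP flows whose flag set is exactly SYN: half-open attempts that pile
    up from one source during a SYN flood (rwcut pads the flags column)."""
    return [r for r in records if r["pro"] == 6 and r["flags"] == "S"]


def defang(ip):
    """Write an address so it cannot be clicked or resolved by accident."""
    return ip.replace(".", "[.]")


if __name__ == "__main__":
    recs = parse_rwcut(SAMPLE_RWCUT)
    # Equivalent of: rwstats --fields=dPort --values=records --count=5
    for key, val, pct in rwstats(recs, ("dPort",), "records"):
        print(f"dPort {key[0]:>5}: {val} records ({pct:.6f}%)")
    # Equivalent of: rwstats --fields=sIP --values=bytes --count=1 --top
    top_key, top_bytes, _ = rwstats(recs, ("sIP",), "bytes", count=1)[0]
    print("top talker:", defang(top_key[0]), top_bytes, "bytes")
    print("SYN-only flows:", len(syn_only(recs)))
```

Feed it the real `rwcut` output (with the same `--fields` order) instead of the constructed sample and the numbers will match what rwstats reports, which is a useful way to sanity-check an answer before submitting it.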