Networking challenges involve analysing recorded network traffic (packet captures), sniffing live traffic, or exploiting well-known network protocols. In CTF challenges, competitors are often presented with scenarios in which anomalies or specific flags within network traffic signify potential exploitation points. Identifying irregularities, such as unexpected traffic patterns or suspicious activity, can lead to the discovery of hidden flags. A working knowledge of both the protocols and the tools commonly used to decode them is a prerequisite for success.
Common Network Protocols/Services
- SMTP – Simple Mail Transfer Protocol (Port 25; 587 for authenticated submission): the protocol used to send email, both from a client to a server and between servers. A complete email service pairs SMTP for sending with POP or IMAP for retrieval.
- POP – Post Office Protocol (Port 110; POP3 is the version in use): used to fetch email from a mail server, typically downloading messages to a single client and removing them from the server.
- IMAP – Internet Message Access Protocol (Port 143; 993 for IMAP over TLS): provides access to email that stays stored on the server, so the same mailbox can be read and kept in sync from several devices, unlike POP, which is designed to download messages to one client.
- SMB – Server Message Block (Port 445; 139 when carried over NetBIOS): a client-server protocol for sharing files, printers and named pipes over a network. Samba is the open-source implementation of SMB for Unix-like systems, not another name for the protocol.
- Telnet – Teletype Network (Port 23): a protocol that opens an interactive session to a host running a Telnet server so commands can be executed on it. Telnet is considered insecure mainly because it does not encrypt its traffic, so credentials and commands are visible to anyone capturing packets; it has been replaced by SSH.
- SSH – Secure Shell (Port 22): a network protocol that uses encryption and authentication to provide secure remote shell access, file transfer (SCP/SFTP) and port forwarding.
- FTP – File Transfer Protocol (Port 21 for control; 20 for data in active mode): uses a client-server model to transfer files over two separate connections, a control connection carrying commands and their replies, and a data connection carrying file contents and directory listings. Like Telnet, FTP sends credentials in cleartext, so usernames and passwords can be read straight out of a capture.
- HTTP – Hypertext Transfer Protocol (Port 80; HTTPS, which is HTTP over TLS, on 443): used to request and deliver web pages and other resources. Plain HTTP is readable in a capture; HTTPS payloads are encrypted unless the session keys are available.
- DNS – Domain Name System (Port 53, UDP and TCP): resolves human-readable domain names to IP addresses and other records, so devices can be reached without remembering numeric addresses.
- ICMP – Internet Control Message Protocol: carries error and diagnostic messages for IP (destination unreachable, time exceeded, echo request/reply). It is what the ping command uses, so a failing ping usually means ICMP is blocked or the host is unreachable, not that IP itself is down.
- ARP – Address Resolution Protocol: maps an IPv4 address to a MAC (hardware) address on the local network segment; a host broadcasts a request for an address and the owner replies.
- DHCP – Dynamic Host Configuration Protocol: is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
- IP – Internet Protocol: the network-layer protocol whose job is to address and route packets between hosts across networks, without guaranteeing delivery or ordering (that is left to TCP).
Network Traffic Analysis Using Wireshark
Wireshark is a network protocol analyzer that is often used in CTF challenges to examine recorded network traffic. Captures are stored in the PCAP (packet capture) format or its newer successor PCAPNG, both of which Wireshark reads and writes. PCAP files are often distributed in CTF challenges to provide recorded traffic history.
Opening a PCAP file in Wireshark can be overwhelming because of the sheer number of packets captured. The first step should always be to make sense of the traffic by applying the following techniques:
- Filter and Search: filter packets by protocol, source IP address, destination IP address, length, etc. To apply a filter, enter the constraint in the display filter bar, for example ‘http’. Filters can be chained with ‘&&’ (or ‘||’ for alternatives) and negated with ‘!’. When filtering by IP, use a double equals sign, e.g. ‘ip.addr == 10.0.0.5’ (‘ip.src’ and ‘ip.dst’ restrict the match to one direction).
- View Statistics: Navigate to “Statistics > Protocol Hierarchy” in Wireshark to see a tree of all the protocols in the capture. Note that the protocols are listed in a hierarchical fashion as the name implies, following the TCP/IP stack, which makes it relatively easy to drill down to the items of interest.
- Follow TCP Stream: right-click a packet of interest and select Follow->TCP Stream to view the reassembled conversation in both directions (Follow->UDP Stream and Follow->HTTP Stream exist for other protocols).
- The most pertinent parts of a packet are its data payload and its protocol headers.
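The three techniques above can be reproduced without Wireshark, which is useful for scripting large captures or for understanding what the GUI does. The following is an added example written for this page, not code from Wireshark or from any of the linked write-ups. It uses only the Python standard library, builds a small classic-PCAP capture inline (the addresses, ports and payloads are constructed test data), labels packets by the well-known ports from the protocol list above, tallies a protocol hierarchy, applies the equivalent of a display filter, and reassembles both directions of a TCP conversation by sequence number, as Follow->TCP Stream does:

```python
"""Pure-stdlib PCAP triage: parse, filter, tally protocols, follow a TCP stream.

Added example for this page (not code from Wireshark or any linked write-up).
The capture is constructed inline so it runs offline; addresses are made up.
"""
import re
import struct
from collections import Counter

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header
TCP = struct.Struct("!HHIIBBHHH")        # fixed 20-byte TCP header
UDP = struct.Struct("!HHHH")
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def ip2b(a): return bytes(int(o) for o in a.split("."))
def b2ip(b): return ".".join(map(str, b))


def frame(src, dst, sport, dport, payload, proto="tcp", seq=0):
    """Ethernet/IPv4/{TCP,UDP} frame. Checksums stay zero: Wireshark will flag
    them as bad, but nothing here depends on them."""
    if proto == "tcp":
        l4 = TCP.pack(sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = UDP.pack(sport, dport, 8 + len(payload), 0) + payload
    ip = IPV4.pack(0x45, 0, 20 + len(l4), 1, 0x4000, 64, 6 if proto == "tcp" else 17,
                   0, ip2b(src), ip2b(dst))
    return ETH.pack(b"\x00" * 6, b"\x00" * 6, 0x0800) + ip + l4


def build_pcap(frames, linktype=1):
    """Classic libpcap file (not pcapng): 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """One dict per packet: protocol layers plus the fields display filters key on."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        raise ValueError("not a classic pcap; pcapng needs a different reader")
    e = "<" if magic == PCAP_MAGIC_LE else ">"
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(e + "IIII", data[pos:pos + 16])
        raw = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        p = {"ts": ts, "layers": ["eth"], "payload": raw}
        pkts.append(p)
        if ETH.unpack_from(raw)[2] != 0x0800:   # ARP, IPv6, ...: left at "eth"
            continue
        ip = raw[14:]
        vihl, _, tot, _, _, _, pnum, _, s, d = IPV4.unpack_from(ip)
        l4 = ip[(vihl & 0x0F) * 4:tot]
        p["layers"].append("ip")
        p.update(src=b2ip(s), dst=b2ip(d))
        if pnum == 6:
            sp, dp, seq, _, off, flags, _, _, _ = TCP.unpack_from(l4)
            p.update(sport=sp, dport=dp, seq=seq, flags=flags, payload=l4[(off >> 4) * 4:])
            p["layers"] += ["tcp"] + (["http"] if 80 in (sp, dp) else [])   # by well-known port
        elif pnum == 17:
            sp, dp, ln, _ = UDP.unpack_from(l4)
            p.update(sport=sp, dport=dp, payload=l4[8:ln])
            p["layers"] += ["udp"] + (["dns"] if 53 in (sp, dp) else [])
    return pkts


def protocol_hierarchy(pkts):
    """Counts per layer path, like Statistics > Protocol Hierarchy."""
    return Counter("/".join(p["layers"]) for p in pkts)


def display_filter(pkts, proto=None, addr=None):
    """Equivalent of e.g. `http && ip.addr == 10.0.0.5` in the filter bar."""
    return [p for p in pkts
            if (proto is None or proto in p["layers"])
            and (addr is None or addr in (p.get("src"), p.get("dst")))]


def follow_tcp_stream(pkts, pkt):
    """Both directions of pkt's TCP conversation, segments ordered by sequence
    number, as Follow > TCP Stream shows (retransmissions are not de-duplicated)."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    dirs = {a: [], b: []}
    for p in pkts:
        if "tcp" in p["layers"] and p["payload"] and \
                {(p["src"], p["sport"]), (p["dst"], p["dport"])} == {a, b}:
            dirs[(p["src"], p["sport"])].append((p["seq"], p["payload"]))
    return {k: b"".join(seg for _, seg in sorted(v)) for k, v in dirs.items()}


def find_flags(streams, pattern=rb"flag\{[^}]*\}"):
    return sorted({m.decode() for s in streams.values() for m in re.findall(pattern, s)})


# Constructed capture: one HTTP exchange whose request is split across two segments
# that arrive out of order, one DNS query, and one ARP frame (a non-IP entry).
C, S = "10.0.0.5", "203.0.113.10"
REQ = b"GET /secret.txt HTTP/1.1\r\nHost: ctf.example\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 22\r\n\r\nflag{follow_the_bytes}"
ARP_FRAME = ETH.pack(b"\xff" * 6, b"\x00" * 6, 0x0806) + b"\x00" * 28
CAPTURE = build_pcap([
    frame(C, S, 40000, 80, REQ[20:], seq=1 + 20),   # second half captured first
    frame(C, S, 40000, 80, REQ[:20], seq=1),
    frame(S, C, 80, 40000, RESP, seq=1),
    frame(C, "10.0.0.1", 5353, 53, b"\x12\x34\x01\x00", proto="udp"),
    ARP_FRAME,
])

if __name__ == "__main__":
    pkts = parse_pcap(CAPTURE)
    print(dict(protocol_hierarchy(pkts)))
    http = display_filter(pkts, proto="http", addr=C)
    streams = follow_tcp_stream(pkts, http[0])
    print(streams[(C, 40000)].decode())
    print(find_flags(streams))
```

Two points worth noticing: the out-of-order request only reads correctly after sorting by sequence number, which is exactly why "Follow TCP Stream" is preferable to reading packets one by one, and the HTTP/DNS labels are guesses from port numbers, which is also all Wireshark does by default, so a service on a non-standard port needs Decode As or an explicit filter on the port.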
Write-ups
Write-ups of Networking CTF Challenges:
- https://www.petermstewart.net/otterctf-2018-network-challenges-birdmans-data-write-up/
- https://andrewroderos.com/how-to-solve-my-pcap-ctf-challenges/
- https://infosecwriteups.com/escaperoom-pcap-analysis-with-wireshark-ea7abcc68a18
- https://infosecwriteups.com/wireshark-twoo-forensics-picoctf-write-up-100-points-bb3dbc9e14ec
Practice
The following TryHackMe rooms offer practical exercises to grasp the topics discussed above.
- What is Networking?
- Introductory Networking
- TShark
- h4cked – put your PCAP skills to the test…
- Carnage – put your PCAP skills to the test…
- Wifi Hacking 101