TShark TryHackMe Writeup

Learn how to use TShark to accelerate your pcap analysis!

Hey Guys, it's been a long time. Sorry for the delay; I actually took a break from writing writeups. Welcome to the new write-up of the room TShark.

Room Link: https://tryhackme.com/room/tshark

Let’s Begin,

TASK 1: Pre-Reqs

Why TShark?
Bored with trying to extract packets by hand? Need to get info from a pcap file that doesn’t extract easily from Wireshark? Are GUIs for losers but now you realized you can’t open Wireshark? Well, my friend, TShark is the solution to all your problems.

Installation

Before beginning, we need to make sure we have tshark installed on our host. If you are using the AttackBox you can skip this, as it already has tshark installed.

Generally, tshark is installed together with Wireshark, but let's verify that it is installed anyway. Run the command below to determine whether it is installed or not.

apt list tshark

In my output above, we can see that it is installed. If it’s not installed, sudo apt install tshark will do the trick.

The tshark program is also available in a Windows installation as tshark.exe in the Wireshark install directory.

Try running tshark -h to get the help output to make sure we can access the program properly.

#1 Mark Complete once installed/verified

Answer: No answer Needed

TASK 2: Reading PCAP Files

This task uses the dns.cap capture file on the Wireshark SampleCaptures wiki page.

To read a file with TShark, we will use the -r switch. This will display a summary line of each packet similar to tcpdump output and is useful to identify high-level information about the capture.

tshark -r dns.cap

When paired with wc -l, we can quickly identify how many packets are in a capture.

tshark -r dns.cap | wc -l

We can utilize Wireshark display filters (which are DIFFERENT from BPF capture-filter syntax) to narrow down which packets are displayed. If we're interested in DNS A records only, we can use the dns.qry.type == 1 display filter to narrow down our packets. Display filters are added using the -Y switch. Our command below will show all of the A records in our capture, including responses.

tshark -r dns.cap -Y "dns.qry.type == 1"

The power of TShark comes with combining traditional Wireshark filters with extraction. We can extract specific field values directly from the pcap, allowing us to have only the interesting fields returned. One way to extract data is using the -T fields and -e [fieldname] switches. To extract the A records in the pcap, we would use -T fields -e dns.qry.name at the end of our previous tshark command. This makes our command the one below:

tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

NOTE: An easy way to identify field names in Wireshark is to navigate to the Packet Details in the capture, highlight the interesting field, then view the bottom left corner.

#1 How many packets are in the dns.cap file?

command: tshark -r filename.cap

Answer: 38

#2 How many A records are in the capture? (including responses)

command: tshark -r filename.cap -Y "dns.qry.type == 1"

Answer: 6

#3 Which A record was present the most?

command: tshark -r filename.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

Answer: GRIM.utelsystems.local

TASK 3: DNS Exfil

We’ve been alerted that a host in our network has been exfiltrating data over DNS, can you find it?

Use the attached file to analyze in Wireshark and TShark to find the exfiltrated data. As you identify suspicious items in Wireshark, pivot to TShark to extract relevant information.

Remember, we can filter out irrelevant packets with the -Y switch using display filters.

#1 How many packets are in this capture?

Command: tshark -r filename.pcap

Answer: 125

#2 How many DNS queries are in this pcap? (Not responses!)

Command: tshark -r filename.pcap -Y "dns.flags.response == 0"

The total is 56. You can apply the same display filter in Wireshark as well; here is the Wireshark result.

See the footer: it says 56 packets displayed.

Answer: 56

#3 What is the DNS transaction ID of the suspicious queries (in hex)?

Go to Wireshark and click on packet 98, the ICMP protocol packet. It stands out as suspicious if you have even basic knowledge of Wireshark. Inside the packet, expand Domain Name System (query); there you'll see the Transaction ID. That is your answer.

Answer: 0xbeef

#4 What is the string extracted from the DNS queries?

command: tshark -r dns.cap

If you look carefully, there is one thing that is common to every DNS query and yet different each time: the first letter of each distinct query name. Combine those first letters in order and you'll get your answer.

Answer: MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5

Remember: don't go with the command tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name here, otherwise the output will be the following and, trust me, it is very confusing and gets complicated. It took me a hell of a lot of time to understand it.

Note: It can also be seen in Wireshark, but it gets complicated.

#5 What is the flag?

The string we found earlier is Base32-encoded. Just go to this website and decode it from Base32. You'll get the flag.

Answer: flag{th1s_is_t0ugh_with0u7_tsh4rk!}
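As an added example (not from the TryHackMe room or this writeup), here is how the Task 2 "most frequent A record" count and the Task 3 first-letter extraction can be done by piping tshark -T fields output into standard Unix tools. It goes one step beyond the walkthrough: instead of eyeballing the queries, it keeps only the packets whose transaction ID (the dns.id field) matches the suspicious value, takes the first character of each query name, and decodes the result with coreutils base32. The tshark invocations appear as comments; the field output is constructed so the script runs without a capture, and exfil.pcap, the query names and the 0x1a2b transaction ID are assumptions. The sample payload decodes to flag{demo}, not the room's flag.

```shell
#!/bin/sh
# Added example, not part of the TryHackMe room or the original writeup:
# post-processing "tshark -T fields" output with standard Unix tools.
# Real invocations (exfil.pcap is an assumed file name; tshark is not run here):
#   tshark -r dns.cap -Y 'dns.qry.type == 1' -T fields -e dns.qry.name | most_common
#   tshark -r exfil.pcap -Y 'dns.flags.response == 0' -T fields -e dns.id -e dns.qry.name \
#       | exfil_string 0xbeef | decode_base32

# Task 2 #3: most frequent value in a one-column tshark field listing read from stdin.
most_common() {
    sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Task 3 #4: keep only queries whose dns.id equals $1, then concatenate the first
# character of each query name. Input lines look like "<dns.id> <dns.qry.name>";
# tshark separates fields with a tab, and awk splits on tabs and spaces alike.
exfil_string() {
    awk -v id="$1" '$1 == id { printf "%s", substr($2, 1, 1) }'
}

# Task 3 #5: the reassembled string is Base32; decode it with coreutils base32.
decode_base32() {
    base32 -d
}

# Constructed sample of "-e dns.qry.name" output (not real capture data).
A_RECORDS='GRIM.utelsystems.local
www.example.test
GRIM.utelsystems.local
mail.example.test
GRIM.utelsystems.local'

# Constructed sample of "-e dns.id -e dns.qry.name" output. The 0xbeef queries
# spell MZWGCZ33MRSW2335 (Base32 of "flag{demo}") in their first letters; the
# 0x1a2b lines are ordinary lookups that must be ignored.
EXFIL_QUERIES='0xbeef Mq1.exfil.test
0x1a2b www.example.test
0xbeef Zr2.exfil.test
0xbeef Wk3.exfil.test
0xbeef Gx4.exfil.test
0x1a2b mail.example.test
0xbeef Cp5.exfil.test
0xbeef Zt6.exfil.test
0xbeef 3a7.exfil.test
0xbeef 3b8.exfil.test
0xbeef Mc9.exfil.test
0xbeef Rd0.exfil.test
0x1a2b ntp.example.test
0xbeef Se1.exfil.test
0xbeef Wf2.exfil.test
0xbeef 2g3.exfil.test
0xbeef 3h4.exfil.test
0xbeef 3i5.exfil.test
0xbeef 5j6.exfil.test'

# Wrappers that feed the constructed samples through the pipelines above.
demo_most_common() { printf '%s\n' "$A_RECORDS" | most_common; }
demo_exfil_string() { printf '%s\n' "$EXFIL_QUERIES" | exfil_string 0xbeef; }
demo_flag() { demo_exfil_string | decode_base32; }

echo "most common A record: $(demo_most_common)"
echo "exfil string: $(demo_exfil_string)"
echo "decoded: $(demo_flag)"
```

Filtering on dns.id is what makes this robust: the benign lookups interleaved with the exfil queries drop out automatically, and the same pipeline works whether the beacon sends 16 queries or several hundred. If a capture's payload length is not a multiple of 8 Base32 characters, coreutils base32 -d expects the trailing "=" padding to be present before it will decode.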

Congratulations lab is solved. Happy Hacking !!
