Challenge 2 - Exfiltration Investigation

After your previous success getting familiar with your subnet, you've been promoted to network admin for the Linux department. After a few months, your boss has suspicion that Tim Wallowitz is exfiltrating data. Look into this matter by answering these questions.
What is the IP address of the computer that sent the data out?
Since the evidence provided was a .pcapng and since I don't own NetworkMiner Pro, I had to convert the file to a .pcap using Wireshark. All you have to do is open it and then save as the old format.
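Wireshark's Save As dialog (or its bundled editcap tool with `-F pcap`) does this conversion, but it is useful to see what the conversion actually involves, because NetworkMiner's free edition and many older carving tools only read the classic format. The script below is an added example, not part of this write-up or of either tool: it walks the pcapng Section Header, Interface Description and Enhanced Packet blocks, honours the byte-order magic, and writes a classic little-endian pcap. It assumes the default microsecond timestamp resolution and a single link type; the sample capture it converts is constructed inline.

```python
import struct

# pcapng block type codes (from the pcapng specification)
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006


def iter_blocks(data):
    """Yield (block_type, body, endian) for each block; endianness comes from the SHB byte-order magic."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        btype, = struct.unpack_from("<I", data, off)   # the SHB type code reads the same in either byte order
        if btype == SHB:
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("corrupt or truncated pcapng block at offset %d" % off)
        yield btype, data[off + 8:off + blen - 4], endian
        off += blen


def pcapng_to_pcap(pcapng):
    """Convert a single-link-type pcapng byte string to classic little-endian pcap bytes."""
    interfaces, packets = [], []
    for btype, body, e in iter_blocks(pcapng):
        if btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from(e + "HHI", body, 0)
            interfaces.append((linktype, snaplen))
        elif btype == EPB:
            iface, ts_hi, ts_lo, caplen, origlen = struct.unpack_from(e + "IIIII", body, 0)
            # Assumes the default if_tsresol (microseconds); an IDB option can override this in real captures
            ts = (ts_hi << 32) | ts_lo
            packets.append((iface, ts // 1_000_000, ts % 1_000_000, caplen, origlen, body[20:20 + caplen]))
    if not interfaces:
        raise ValueError("no Interface Description Block found")
    if len({lt for lt, _ in interfaces}) != 1:
        raise ValueError("mixed link types cannot be written to one classic pcap file")
    linktype, snaplen = interfaces[0]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for _iface, sec, usec, caplen, origlen, frame in packets:
        out += struct.pack("<IIII", sec, usec, caplen, origlen) + frame
    return bytes(out)


def build_block(btype, body, endian="<"):
    """Frame a body as a pcapng block: type, total length, body padded to 4 bytes, total length again."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


SAMPLE_FRAME = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x45"   # constructed 15-byte frame stub (odd length tests padding)
SAMPLE_TS = 1_600_000_000 * 1_000_000 + 123_456                   # constructed timestamp in microseconds


def sample_pcapng():
    """Constructed three-block pcapng: SHB, one Ethernet IDB, one EPB carrying SAMPLE_FRAME."""
    shb = build_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = build_block(IDB, struct.pack("<HHI", 1, 0, 65535))      # linktype 1 = Ethernet
    epb = build_block(EPB, struct.pack("<IIIII", 0, SAMPLE_TS >> 32, SAMPLE_TS & 0xFFFFFFFF,
                                       len(SAMPLE_FRAME), len(SAMPLE_FRAME)) + SAMPLE_FRAME)
    return shb + idb + epb


if __name__ == "__main__":
    pcap = pcapng_to_pcap(sample_pcapng())
    print("pcap bytes:", len(pcap), "magic:", pcap[:4].hex())
```

Because the converter rejects captures with more than one link type, it fails loudly on the one case where a silent conversion would hide frames from the tool you load it into.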
After opening the .pcap in NetworkMiner, we can switch over to the Sessions tab and see that every frame shows the Client host as "192.168.56.6".
What IP Address was the file placed on?
As seen in Figure 1, the data was being placed on the server host, "192.168.56.1".
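NetworkMiner's Sessions tab labels one side of each TCP flow "Client" and the other "Server"; the usual basis for that label is which host sent the initial SYN, which is why questions 1 and 2 both fall out of that tab. The script below is an added example, not the write-up's or NetworkMiner's code: it reads a classic pcap, groups IPv4/TCP packets into flows, picks the client from the pure SYN (falling back to the higher-port heuristic when no handshake was captured), and totals bytes in each direction, which is what points at an outbound transfer. The capture it parses is constructed inline with the two addresses from the answers above and an arbitrary constructed server port (8080); no protocol is implied.

```python
import socket
import struct


def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a classic pcap file (Ethernet link type only)."""
    magic, = struct.unpack_from("<I", data, 0)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # magic read little-endian reveals the writer's byte order
    if e is None:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    linktype = struct.unpack_from(e + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _orig = struct.unpack_from(e + "IIII", data, off)
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    flags = frame[tcp + 13]
    payload_len = max(0, 14 + total_len - (tcp + data_off))
    return (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport, flags, payload_len)


def sessions(pcap_bytes):
    """Group TCP packets into flows and label client/server, mirroring a Sessions-tab view."""
    flows = {}
    for frame in iter_pcap_frames(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, sport, dst, dport, flags, plen = p
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)
        f = flows.setdefault(key, {"syn_from": None, "bytes": {a: 0, b: 0}})
        if flags & 0x02 and not flags & 0x10:   # SYN without ACK: the sender opened the connection
            f["syn_from"] = a
        f["bytes"][a] += plen
    result = []
    for (a, b), f in flows.items():
        # No SYN captured: assume the higher (ephemeral) port belongs to the client
        client = f["syn_from"] or max(a, b, key=lambda ep: ep[1])
        server = b if client == a else a
        result.append({
            "client": client[0], "client_port": client[1],
            "server": server[0], "server_port": server[1],
            "bytes_client_to_server": f["bytes"][client],
            "bytes_server_to_client": f["bytes"][server],
        })
    return result


def tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero because the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def sample_pcap():
    """Constructed capture: handshake from 192.168.56.6, then 1000 bytes pushed to 192.168.56.1."""
    c, s = "192.168.56.6", "192.168.56.1"
    frames = [
        tcp_frame(c, 51000, s, 8080, 0x02),                 # SYN
        tcp_frame(s, 8080, c, 51000, 0x12),                 # SYN/ACK
        tcp_frame(c, 51000, s, 8080, 0x10),                 # ACK
        tcp_frame(c, 51000, s, 8080, 0x18, b"A" * 1000),    # PSH/ACK carrying data outbound
        tcp_frame(s, 8080, c, 51000, 0x10),                 # ACK
    ]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000, i, len(fr), len(fr)) + fr
    return bytes(out)


if __name__ == "__main__":
    for s in sessions(sample_pcap()):
        print(s)
```

The direction counters are what make a transfer stand out: a workstation that pushes far more bytes to a peer than it receives is the pattern to look for when the question is which host "sent the data out".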
What type of server was the data sent to? (Not just the name of the protocol)
What is the trade secret for? (to produce)
The Files tab in NetworkMiner shows two files:
What was the file name of the trade secret document?
What is the file name of the 2nd file that was exfiltrated?
We already found this one in Question 4 as well: the second file was called "hotpix.zip", more on this coming right up.
Questions 7-10 relate to the contents of the hotpix.zip file. It was password protected, so I scoured the .pcap to see if I could find any messages or references, which ultimately ended in failure. So I decided on another measure: brute force it open. Luckily, Passware made quick work of it. Other similar tools such as John the Ripper or Hashcat may have had just as quick success for free.
What city was here?
What is the person exfiltrating data an expert in?
The image ghidra.png reveals the person was an expert in "Ghidra", the reverse engineering tool.
What can't chickens handle?
The image chicken.jpg shows that chickens can't handle "bandwidth".
Whose credit card was sent?