What is the path of the file that is opened?Ĭonsulting the list of SMB2 Opcodes, we find that file Read requests are signified by Opcode 0x08, and apply the following filter: smb2.cmd = 8Įxamining the first packet to contain a Read request (Packet 342), we see that the requested file path is HelloWorld\TradeSecrets.txt flag 03 – Uh uh uh (75 points) We can isolate the Tree Connect request packets using the following filter to specify Opcode 0x03: smb2.cmd = 3Īlthough there is a Tree Connect request to the IPC$ share in packet 124, the share that ends up being browsed is \ public. ![]() The Wireshark wiki contains a good overview of the SMB2 protocol, including a very helpful list of Opcodes. This write-up covers the questions relating to the smb PCAP file. As the questions were split over multiple PCAP files ( shell, smb, dhcp, network, dns, and https), I have decided to split my write-ups by PCAP for ease of reading. This series of write-ups covers the network forensics section. ![]() In May 2020 the Champlain College Digital Forensics Association, in collaboration with the Champlain Cyber Security Club, released their Spring 2020 DFIR CTF including Windows, MacOS, and Apple iOS images, as well as network traffic analysis, OSINT, and reversing challenges.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |