Network Traffic Basics Writeup

Date: 16-10-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

This room covers the basics of Network Traffic Analysis: inspecting captured traffic, analysing common protocols (HTTP, DNS, SMB, TCP, TLS), and recognising the detection and evasion techniques an analyst encounters.

Task 1: Getting Started

What is the name of the technique used to smuggle C2 commands via DNS?

Answer: DNS tunneling

Task 2: Traffic Investigation

2.1 Look at the HTTP example in the task and answer the following question: What is the size of the ZIP attachment included in the HTTP response?

Answer: 10485760 bytes

2.2 Which attack do attackers use to try to evade an IDS?

Answer: Fragmentation

2.3 What field in the TCP header can we use to detect session hijacking?

Answer: Sequence Number

Task 3: Network Protocol Analysis

3.1 Which category of devices generates the most traffic in a network?

Answer: Endpoint Devices

3.2 Before an SMB session can be established, which service needs to be contacted first for authentication?

Answer: Kerberos

3.3 What does TLS stand for?

Answer: Transport Layer Security

Task 4: Packet Analysis Challenges

4.1 What is the flag found in the HTTP traffic in scenario 1?

Answer: THM{FoundTheMalware}

4.2 What is the flag found in the DNS traffic in scenario 2?

Answer: THM{C2CommandFound}

Lessons Learned