Lab 1: Starter PCAP Analysis

Overview

In this lab you will practice using Wireshark by applying what you learned in the walkthrough. You will be given a few PCAPs to look at, and you need to analyze each of them in order to answer the questions. The files come from Marcelle Lee’s Packet Analysis workshop content used at Sarkfest 2025. She also has some really helpful cheat sheets:

Goals:

  • Practice using Wireshark

Estimated Time: 45 Minutes

Instructions

PCAP 1

This packet capture is a simplified example of a credential stealing web page where attackers redirect you to a site masquerading as a legitimate one.

Question
What IP address is hosting the credential harvesting pages?

Try to figure out which organization was being targeted by looking at the HTML code.

PCAP 2

Review the examples for SQL injection from the following OWASP article:

Then analyze the PCAP to answer the questions.

Question
What string was used to trigger the SQL injection?

HINT: The unquote() method from the urllib.parse Python module might come in handy.

Question
Who does the attacker login as using this technique?
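The hint only names urllib.parse; as an added example (not part of the lab materials or Marcelle Lee’s workshop content), the script below decodes URL-encoded query parameters the way you would after following the HTTP stream in Wireshark, and flags values whose decoded form contains SQL syntax. The request lines, parameter names and the detection pattern are constructed assumptions, not data from the lab PCAP; note the difference between unquote(), which leaves `+` alone, and unquote_plus(), which turns it into the space that HTML forms actually sent.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed request lines, as they would appear in a followed HTTP stream
# (not taken from the lab PCAP): one ordinary login and one injection attempt.
CAPTURED_REQUEST_LINES = [
    "GET /login.php?username=alice&password=Winter2025 HTTP/1.1",
    "GET /login.php?username=admin%27+OR+%271%27%3D%271&password=x HTTP/1.1",
]

# Fragments that rarely occur in legitimate form values but are typical of
# injected SQL: a stray quote, comment markers, or an OR/UNION tautology.
SQLI_PATTERN = re.compile(r"(?i)'|--|/\*|\bor\b\s+\S+\s*=|\bunion\b\s+select\b")


def decode_both(encoded):
    """Show the difference the hint glosses over: unquote() leaves '+' alone,
    unquote_plus() turns it into a space, which is what HTML forms send."""
    return unquote(encoded), unquote_plus(encoded)


def decode_query(query):
    """Decode a raw query string (or form-encoded POST body) into (name, value) pairs."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def find_sqli(request_lines):
    """Return (parameter, decoded value) for every parameter that looks injected."""
    hits = []
    for line in request_lines:
        _method, target, _version = line.split(" ", 2)
        for name, value in decode_query(urlsplit(target).query):
            if SQLI_PATTERN.search(value):
                hits.append((name, value))
    return hits


if __name__ == "__main__":
    for hit in find_sqli(CAPTURED_REQUEST_LINES):
        print("suspicious parameter:", hit)
```

Login forms are usually submitted with POST, so in the real capture the interesting string may sit in the form-encoded request body rather than the URL; `decode_query()` works on either, since both use the same `name=value&name=value` encoding.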

PCAP 3

This next PCAP is some web shell traffic. Typically, once an attacker gets into a system, they set up a way to communicate with the machine in case their first connection breaks. A reverse shell is a common example because it gives the attacker a way to remotely run shell commands on the victim's system.

Question
What is the first command the attacker tried? Was it successful?

What was the message in secret.txt?

PCAP 4

The final PCAP for this lab is traffic from a RAT (remote access toolkit) that used a unique way to communicate with its command-and-control server. Analyze the file to answer the following questions.

Question
What was the most commonly used application-level protocol in this PCAP file?

What is the top-level domain (TLD) of the site that the malware is trying to communicate with?
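Wireshark's Statistics menu answers the protocol and endpoint questions directly, but it helps to see what such a count is made of. The following is an added example (not code from the lab or from Marcelle Lee's workshop) that serves both the PCAP 1 question (which server IP is being contacted and over what) and the PCAP 4 question (the most common application protocol): it parses the classic libpcap file format by hand, walks Ethernet/IPv4/TCP/UDP headers, and tallies packets by a port-based protocol label. The port table and the sample capture are constructed assumptions; pcapng files and non-Ethernet link types are not handled, and the labelling is a heuristic, not Wireshark's dissector-based classification.

```python
import struct
from collections import Counter

# Port-based labelling of application-layer protocols (assumption: a simple
# heuristic, not the dissector-based classification Wireshark performs).
PORT_PROTOCOLS = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "TLS/HTTPS"}


def parse_pcap(data):
    """Yield (src_ip, dst_ip, ip_proto, src_port, dst_port) for every IPv4
    TCP/UDP frame in a classic (libpcap) capture with Ethernet link type."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:        # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {link_type}")
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue          # not IPv4 over Ethernet (e.g. ARP): skip it
        ihl = (frame[14] & 0x0F) * 4
        ip_proto = frame[23]
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if ip_proto in (6, 17) and len(l4) >= 4:      # TCP or UDP
            src_port, dst_port = struct.unpack("!HH", l4[:4])
            yield src_ip, dst_ip, ip_proto, src_port, dst_port


def label_app_protocol(ip_proto, src_port, dst_port):
    """Name the application protocol from whichever side uses a well-known port."""
    for port in (dst_port, src_port):
        if port in PORT_PROTOCOLS:
            return PORT_PROTOCOLS[port]
    return ("tcp" if ip_proto == 6 else "udp") + f"/{dst_port}"


def summarize(data):
    """Count packets per application protocol and per (server IP, protocol)."""
    protocols, servers = Counter(), Counter()
    for src_ip, dst_ip, ip_proto, sport, dport in parse_pcap(data):
        protocols[label_app_protocol(ip_proto, sport, dport)] += 1
        if dport in PORT_PROTOCOLS:       # client -> server direction only
            servers[(dst_ip, PORT_PROTOCOLS[dport])] += 1
    return protocols, servers


# --- Constructed sample capture (not a lab file) -------------------------------
def build_frame(src_ip, dst_ip, ip_proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame; checksums are left zero."""
    if ip_proto == 6:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload   # 20-byte TCP header
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap global header and record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.5", "10.0.0.2", 17, 51000 + i, 53) for i in range(4)]        # 4 DNS queries
    + [build_frame("10.0.0.5", "203.0.113.10", 6, 40000 + i, 80) for i in range(2)]  # 2 HTTP requests
    + [build_frame("203.0.113.10", "10.0.0.5", 6, 80, 40000)]                        # 1 HTTP response
    + [b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28]                      # ARP, ignored
)

if __name__ == "__main__":
    protocols, servers = summarize(SAMPLE_PCAP)
    print("most common protocol:", protocols.most_common(1)[0])
    print("servers contacted:", dict(servers))
```

To run it against a real file, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; if Wireshark saved the capture as pcapng (its default), export it as classic pcap first, or the magic-number check will reject it. Compare the result with Statistics → Protocol Hierarchy and Statistics → Conversations in Wireshark, which will also reveal protocols the port heuristic mislabels, such as malware that talks on a well-known port without speaking that protocol.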

Solutions

PCAP 1

PCAP 2

PCAP 3

PCAP 4

Submission

Submit a markdown file with any code you wrote and the answers to questions to ELMS.