TTTCCCPPP - Network - AirTech 2024

Description:

captured some reliable network traffic.

Hint: why would someone send data in the first part of the TCP handshake

Solution

Opening the file in Wireshark showed a lot of TCP traffic, and the challenge hint points at the first step of the handshake, so the natural move is to isolate the initial SYN packets. This can be done with filter expressions in tools like Wireshark or tshark (display filters), or with the equivalent BPF filter in tcpdump.

One such filter expression is:

tcp.flags.syn==1 && tcp.flags.ack ==0

This filter identifies the packets that make up the first step of a TCP three-way handshake. Let's break down the components:

  • tcp.flags.syn==1: This segment ensures that the TCP SYN flag is set to 1. In TCP communication, the SYN (synchronize) flag is employed by the initiating party to establish a connection with the receiving party.

  • &&: The logical AND operator connects the two conditions. Both conditions must be satisfied for the filter to match.

  • tcp.flags.ack == 0: This portion verifies that the TCP ACK (acknowledgment) flag is clear. The ACK flag is set on every segment after the initial SYN, including the server's SYN-ACK, so requiring ACK == 0 keeps only the very first segment of each handshake: the client's SYN.

Running the filter with tshark and dumping the raw packet bytes (-x) gives the following output:

└─$ tshark -r tttcccppp.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -x 
0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 fa 10 00 00 fd 03 41 00   ....`. .......A.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 e7 10 00 00 fd 03 54 00   ....`. .......T.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 09 11 00 00 fd 03 32 00   ....`. .......2.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 07 11 00 00 fd 03 34 00   ....`. .......4.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 c0 10 00 00 fd 03 7b 00   ....`. .......{.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 e7 10 00 00 fd 03 54 00   ....`. .......T.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 e7 10 00 00 fd 03 54 00   ....`. .......T.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 e7 10 00 00 fd 03 54 00   ....`. .......T.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 f8 10 00 00 fd 03 43 00   ....`. .......C.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 f8 10 00 00 fd 03 43 00   ....`. .......C.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 f8 10 00 00 fd 03 43 00   ....`. .......C.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 eb 10 00 00 fd 03 50 00   ....`. .......P.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 eb 10 00 00 fd 03 50 00   ....`. .......P.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 eb 10 00 00 fd 03 50 00   ....`. .......P.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 dc 10 00 00 fd 03 5f 00   ....`. ......._.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 0a 11 00 00 fd 03 31 00   ....`. .......1.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 06 11 00 00 fd 03 35 00   ....`. .......5.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 dc 10 00 00 fd 03 5f 00   ....`. ......._.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 e9 10 00 00 fd 03 52 00   ....`. .......R.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 08 11 00 00 fd 03 33 00   ....`. .......3.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 cf 10 00 00 fd 03 6c 00   ....`. .......l.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 d2 10 00 00 fd 03 69 00   ....`. .......i.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 da 10 00 00 fd 03 61 00   ....`. .......a.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 d9 10 00 00 fd 03 62 00   ....`. .......b.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 cf 10 00 00 fd 03 6c 00   ....`. .......l.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 d6 10 00 00 fd 03 65 00   ....`. .......e.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 be 10 00 00 fd 03 7d 00   ....`. .......}.

Here we can see that the flag is being sent one character per SYN packet, as the second-last byte of the 0020 line of each dump. We could write the characters down by hand, or let tshark and awk extract them in a one-liner:

└─$ tshark -r tttcccppp.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -x | awk '/^0020/ {printf substr($0, length($0)-1, 1)}' | tr -d '\n'; echo

AT24{TTTCCCPPP_15_R3liable}
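The awk one-liner works because every dump row has the same layout, but it never says where the byte actually lives. Walking the headers shows that it is not TCP payload at all: after the 4-byte NULL/loopback link header and the 20-byte IPv4 header, the TCP header has data offset 6 (24 bytes), so the trailing `fd 03 41 00` is a TCP option of kind 0xfd (253, an experimental option kind) carrying one byte, followed by end-of-options padding. Data smuggled this way never appears in a "Follow TCP Stream" view, since there is no stream payload, which is why SYN-only filtering plus a byte dump was needed. The following parser is an added example, not code from the original write-up: it reads a tshark `-x` dump, parses the link, IP and TCP headers, and collects the option data from every bare SYN. SAMPLE_DUMP is a constructed excerpt containing the first five packets from the output above.

```python
"""Extract per-SYN option bytes from a tshark ``-x`` hex dump by parsing
headers instead of trusting column positions.

Added example, not part of the original write-up. SAMPLE_DUMP is a
constructed excerpt: the first five SYN packets of the write-up's tshark
output (link type NULL/loopback, IPv4, TCP between 127.0.0.1 ports)."""
import re
import struct

SAMPLE_DUMP = """\
0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 fa 10 00 00 fd 03 41 00   ....`. .......A.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 e7 10 00 00 fd 03 54 00   ....`. .......T.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 09 11 00 00 fd 03 32 00   ....`. .......2.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 07 11 00 00 fd 03 34 00   ....`. .......4.

0000  02 00 00 00 45 00 00 2c 00 01 00 00 40 06 7c c9   ....E..,....@.|.
0010  7f 00 00 01 7f 00 00 01 22 b8 27 0f 00 00 00 00   ........".'.....
0020  00 00 00 00 60 02 20 00 c0 10 00 00 fd 03 7b 00   ....`. .......{.
"""

# One dump row: 4-hex-digit offset, then up to 16 "xx " byte columns. The
# ASCII column is separated by several spaces, so the greedy run of
# single-space-separated pairs cannot spill into it.
ROW = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})")

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_hexdump(text):
    """Split a tshark/Wireshark -x dump into raw frames (bytes).
    A new frame starts whenever the offset column resets to 0000."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        if int(m.group(1), 16) == 0 and cur:
            frames.append(bytes(cur))
            cur = bytearray()
        cur += bytes.fromhex(m.group(2).replace(" ", ""))
    if cur:
        frames.append(bytes(cur))
    return frames


def tcp_fields(frame, link_header_len=4):
    """Return (src_port, dst_port, flags, options) for an IPv4/TCP frame,
    or None otherwise. link_header_len=4 is the NULL/loopback link type in
    the dump: the leading 02 00 00 00 is AF_INET, not an Ethernet header."""
    ip = frame[link_header_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:  # 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4  # TCP header length incl. options
    return sport, dport, tcp[13], tcp[20:data_offset]


def walk_options(opts):
    """Yield (kind, data) for each TCP option; stop at EOL or on malformed
    length rather than reading past the header."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            return
        if kind == 1:          # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return
        yield kind, bytes(opts[i + 2:i + length])
        i += length


def syn_option_payload(text, option_kind=0xFD):
    """Concatenate the data of TCP option `option_kind` across every bare
    SYN (SYN set, ACK clear) in the dump, in capture order."""
    out = bytearray()
    for frame in parse_hexdump(text):
        parsed = tcp_fields(frame)
        if parsed is None:
            continue
        _, _, flags, opts = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:
            out += b"".join(d for k, d in walk_options(opts) if k == option_kind)
    return out.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(syn_option_payload(SAMPLE_DUMP))  # AT24{
```

To run it on the full capture, feed the output of the same tshark command (`-Y "tcp.flags.syn==1 && tcp.flags.ack==0" -x`) into `syn_option_payload` via stdin instead of SAMPLE_DUMP. From a monitoring standpoint the useful signal here is structural rather than content-based: bare SYNs that carry experimental option kinds (253 or 254), or option data that changes from SYN to SYN while every other field stays identical, are worth an alert regardless of what the bytes spell.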