Besides the Forensics challenge, BloomCon 0x05 also had a Networks CTF challenge. We were given two packet capture files, each with its own list of questions. Let's dive into part 1 and see what I was able to find.
Who Am I? - Challenge 1
It's your first day at your new job for big consulting inc. You've been placed in charge of a small, isolated subnet of two developers. Each developer has one Windows machine, and both are connected to a single router. Make yourself familiar with your new subnet with these tasks.
Question 1
What class of subnet is this?
Loading the .pcap file into NetworkMiner, we can see a few hosts, all with addresses in 192.168.x.x.
A quick Google search for a subnet class chart shows that these are Class C addresses: under the old classful scheme, any address whose first octet is 192 to 223 is Class C. Classful addressing was replaced by CIDR a long time ago, and 192.168.0.0/16 is also RFC 1918 private space, but "Class C" is the answer the question is after.
Question 2
What is the workgroup name?
Expanding either host IP and going into the Host Details shows the workgroup name "BIGCONSULT" under the Queried NetBIOS names field.
Question 3
What is the host name of the Windows machine with the lowest IP address? (Give the IP address.)
As seen in Figure 1, the lowest IP address, 192.168.2.2, had the host name "SKYGUY".
Question 4
What is the host name of the Windows machine with the highest IP address? (Give the IP address.)
As seen in Figure 2, the highest IP address, 192.168.2.3, had the host name "PURPLE-HP".
Question 5
The service used in the above questions is what service and what port number does it use?
I wasn't completely sure what exactly they were looking for, so I poked around and ended up on the Parameters tab in NetworkMiner. Each entry shows a NetBIOS name query over port 137, which ended up being the answer: the NetBIOS Name Service (NBNS), which runs over UDP port 137.
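To see what NetworkMiner is summarising for Questions 2 through 5, here is an added example, written for this write-up and not code from the challenge author or from NetworkMiner, that builds and parses NetBIOS Name Service packets, the UDP/137 traffic that carries the host and workgroup names. The packets it feeds itself are constructed to match the answers above (SKYGUY, PURPLE-HP, BIGCONSULT); they are not bytes from the challenge capture, and the builder, parser and `inventory` helper names are my own.

```python
import struct

NBNS_PORT = 137                       # NetBIOS Name Service, UDP
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}

def encode_nb_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): 15 space-padded chars plus the
    suffix byte; each nibble of each byte becomes one letter in 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw).encode("ascii")

def decode_nb_name(label):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_registration(trn_id, name, suffix, group, ip):
    """Broadcast NAME REGISTRATION REQUEST (RFC 1002 4.2.2): flags 0x2910 = opcode 5
    with RD and B set; the additional NB record carries the owner's IP."""
    header = struct.pack(">HHHHHH", trn_id, 0x2910, 1, 0, 0, 1)
    question = b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x20, 1)
    nb_flags = 0x8000 if group else 0x0000      # G bit set = group name; ONT=00 (B-node)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 0x20, 1, 300000, 6)  # 0xC00C points at the question name
    return header + question + rr + struct.pack(">H", nb_flags) + bytes(int(o) for o in ip.split("."))

def build_query(trn_id, name, suffix):
    """Broadcast NAME QUERY REQUEST: flags 0x0110 = opcode 0 with RD and B set."""
    header = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return header + b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x20, 1)

def _read_name(buf, off):
    """Read a name field at off, following a DNS-style compression pointer if present."""
    if (buf[off] & 0xC0) == 0xC0:
        return _read_name(buf, ((buf[off] & 0x3F) << 8) | buf[off + 1])[0], off + 2
    length = buf[off]
    label, off = buf[off + 1:off + 1 + length], off + 1 + length
    while buf[off] != 0:                        # skip scope labels, if any
        off += 1 + buf[off]
    return decode_nb_name(label), off + 1

def parse_nbns(payload):
    """Return opcode, response flag, questioned names and NB records as
    (name, suffix, is_group, ip) tuples."""
    trn_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        (name, suffix), off = _read_name(payload, off)
        off += 4                                # QUESTION_TYPE, QUESTION_CLASS
        questions.append((name, suffix))
    for _ in range(an + ns + ar):
        (name, suffix), off = _read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
        rdata, off = payload[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 0x20 and rdlen >= 6:        # NB record: NB_FLAGS + NB_ADDRESS
            nb_flags = struct.unpack(">H", rdata[:2])[0]
            records.append((name, suffix, bool(nb_flags & 0x8000), ".".join(str(b) for b in rdata[2:6])))
    return {"trn_id": trn_id, "opcode": OPCODES.get((flags >> 11) & 0x0F, "unknown"),
            "response": bool(flags & 0x8000), "questions": questions, "records": records}

def inventory(packets):
    """packets: (src_ip, udp_dst_port, payload) tuples. Returns ({ip: hostname}, {workgroups}).
    A unique <00> name is the workstation service (the host name); a group name is the workgroup."""
    hosts, groups = {}, set()
    for _src, dport, payload in packets:
        if dport != NBNS_PORT:
            continue
        msg = parse_nbns(payload)
        if msg["response"] or msg["opcode"] not in ("registration", "refresh"):
            continue
        for name, suffix, is_group, ip in msg["records"]:
            if is_group:
                groups.add(name)
            elif suffix == 0x00:
                hosts[ip] = name
    return hosts, groups

# Constructed traffic matching the answers above; not bytes from the challenge capture.
SAMPLE = [
    ("192.168.2.2", 137, build_registration(0x8000, "SKYGUY", 0x00, False, "192.168.2.2")),
    ("192.168.2.2", 137, build_registration(0x8001, "BIGCONSULT", 0x00, True, "192.168.2.2")),
    ("192.168.2.3", 137, build_registration(0x8002, "PURPLE-HP", 0x00, False, "192.168.2.3")),
    ("192.168.2.3", 137, build_registration(0x8003, "BIGCONSULT", 0x1E, True, "192.168.2.3")),
    ("192.168.2.3", 137, build_query(0x8004, "SKYGUY", 0x20)),
]

if __name__ == "__main__":
    hosts, groups = inventory(SAMPLE)
    for ip in sorted(hosts, key=lambda a: tuple(map(int, a.split(".")))):
        print(ip, hosts[ip])
    print("workgroup(s):", ", ".join(sorted(groups)))
```

The thing to notice is how the two answers are told apart on the wire: the host name is registered as a unique name with suffix <00> (the workstation service), while the workgroup is registered as a group name (the G bit in NB_FLAGS), usually under <00> and <1E>. Point `inventory` at the UDP/137 payloads pulled out of a real capture and you get the same list NetworkMiner shows under Host Details.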
Conclusion
NetworkMiner made answering these questions ridiculously easy. I'm sure that if you know your way around Wireshark it's just as simple there (the display filter nbns, or udp.port == 137, shows the same name traffic). Challenge 2 coming soon.
Tool Listing
NetworkMiner v2.6 - https://www.netresec.com/?page=Networkminer