[SOLVED] Cs6035 man in the middle 2025


 Flag 1 (5 points)


Your first task is to figure out where the hackers are spending their time and gather some evidence for the Attorney General. This will also give you a good overview of Wireshark filters.

The Attorney General needs some evidence of The Necrocryptors’ associates and where the group meets.
For this, you need to gather the following information:

 Task 1.1

  • Based on the provided packet capture (pcap) file, identify the server address used by the hackers to communicate.
    • Example: irc.someplace.net
    • Points: 1

 Task 1.2

  • Based on the provided packet capture (pcap) file, identify the nicknames of the malicious actors involved in the conversation. List the nicknames in the order they appear in the conversation following the format below:
    • Example: firstactor,secondactor,thirdactor
    • Points: 1

 Task 1.3

  • Based on the provided packet capture (pcap) file, identify the channel the malicious actors use to communicate. Remember, channel names always start with #, so include # in your answer.
    • Example: #WOW
    • Points: 1

 Task 1.4

  • Based on the provided packet capture (pcap) file, identify the hash used by the malicious actor to validate its identity.
    • Example: a12342342bcde393202013434
    • Points: 1

 Task 1.5

  • Based on the pcap file provided, analyze the network traffic to determine the likely origin country of the last identified malicious actor. Consider the IP addresses and any geolocation data. Provide the name of the country.
    • Example: Atlantis
    • Points: 1

 Flag 2 (27 points)


Your second task will require you to recover a payload from the conversation. There are multiple ways to do this. You can use Wireshark, pyshark or any other library available.

As part of the evidence gathering, the Attorney General needs concrete evidence of malicious intent. For Task 2, you will need to review the conversation between members of TNC and gather incriminating data from this conversation.

 Task 2.1

  • Based on the provided pcap file, identify which malicious actor initiated a private chat during the conversation.
    • Example: maliciousactor
    • Points: 2

 Task 2.2

  • Based on the provided pcap file, identify the name of the file transferred by one hacker to another via IRC DCC. (Including extension)
    • Example: somefile.extension
    • Points: 5

 Task 2.3

  • Based on the provided pcap file, determine the encryption method or algorithm used to encrypt the file transferred between the hackers. (Just the 3-letter name)
    • Example: something
    • Points: 4

 Task 2.4

  • If you decrypt and run the file, you’ll get a unique hash based on your GTID. What is the hash generated?
    • Example: a123242342342342342934234
    • Points: 16
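As an added example (not part of the assignment handout, and not a solution for the course's own capture), the following standard-library Python walks an IRC conversation once and pulls out what Flag 1 and Flag 2 ask for: the server prefix, the nicknames in order of first appearance, the channel, a NickServ IDENTIFY credential, the first private PRIVMSG, and any CTCP DCC SEND offer. The IP inside a DCC SEND is a decimal unsigned 32-bit integer; converting it back to dotted form gives the address and port to filter on in Wireshark (ip.addr and tcp.port) so the transferred file can be carved with Follow TCP Stream. It assumes the IRC lines were already extracted from the pcap (for instance with `tshark -r capture.pcap -Y irc -T fields -e irc.request -e irc.response`). Every server name, nickname, hash, IP and filename in SAMPLE_IRC is constructed.

```python
"""IRC triage for Flag 1 and Flag 2: server, nicks, channel, identity hash, DCC offer.

Added example, not part of the assignment handout and not a solution for its
capture. Assumes the IRC lines were already pulled out of the pcap, e.g.
    tshark -r capture.pcap -Y irc -T fields -e irc.request -e irc.response
Every name, hash, address and filename in SAMPLE_IRC is constructed.
"""
import re
import socket
import struct

SAMPLE_IRC = """\
NICK ghoul
:irc.example.invalid 001 ghoul :Welcome to the network ghoul!ghoul@10.0.0.5
JOIN #crypt
:ghoul!ghoul@10.0.0.5 JOIN :#crypt
:irc.example.invalid 353 ghoul = #crypt :ghoul wraith lich
PRIVMSG NickServ :IDENTIFY 5f4dcc3b5aa765d61d8327deb882cf99
:wraith!w@10.0.0.7 PRIVMSG #crypt :payload is ready
:lich!l@10.0.0.9 PRIVMSG ghoul :sending now
:lich!l@10.0.0.9 PRIVMSG ghoul :\x01DCC SEND loot.enc 167772169 4567 2048\x01
"""

# CTCP: \x01DCC SEND <file> <ip as uint32> <port> [size]\x01 ; quoted names may hold spaces
DCC_RE = re.compile(r"\x01DCC SEND (?:\"(.+?)\"|(\S+)) (\d+) (\d+)(?: (\d+))?\x01")


def parse_line(line):
    """Split an RFC 1459 line into (prefix, COMMAND, params); the ':' trailing param stays whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def nick_of(prefix):
    """'nick!user@host' -> 'nick'; None for a server prefix or no prefix at all."""
    return prefix.split("!", 1)[0] if prefix and "!" in prefix else None


def parse_dcc_send(text):
    """Decode a DCC SEND offer to (filename, dotted_ip, port, size_or_None)."""
    m = DCC_RE.search(text)
    if not m:
        return None
    ip = socket.inet_ntoa(struct.pack("!I", int(m.group(3))))   # uint32 -> A.B.C.D
    size = int(m.group(5)) if m.group(5) else None
    return (m.group(1) or m.group(2)), ip, int(m.group(4)), size


def summarize(irc_text):
    """One pass over the conversation collecting the Flag 1 / Flag 2 artefacts."""
    out = {"server": None, "nicks": [], "channels": [], "identify_hash": None,
           "private_initiator": None, "dcc": []}

    def seen(nick):                      # nicknames in order of first appearance (1.2)
        if nick and nick not in out["nicks"]:
            out["nicks"].append(nick)

    for raw in irc_text.splitlines():
        if not raw.strip():
            continue
        prefix, cmd, params = parse_line(raw)
        sender = nick_of(prefix)
        if prefix and sender is None and out["server"] is None:
            out["server"] = prefix       # first server prefix seen (1.1)
        seen(sender)
        if cmd == "NICK":
            seen(params[0])
        elif cmd == "353":               # RPL_NAMREPLY: everyone present in the channel
            for n in params[-1].split():
                seen(n.lstrip("@%+"))
        elif cmd == "JOIN":
            chan = params[0].split(",")[0]
            if chan not in out["channels"]:
                out["channels"].append(chan)                      # (1.3)
        elif cmd == "PRIVMSG":
            target, text = params[0], params[-1]
            if target.lower() == "nickserv" and text.upper().startswith("IDENTIFY"):
                out["identify_hash"] = text.split()[-1]           # (1.4)
            elif not target.startswith(("#", "&")):              # to a nick, not a channel
                if out["private_initiator"] is None:
                    out["private_initiator"] = sender             # (2.1)
                dcc = parse_dcc_send(text)
                if dcc:
                    out["dcc"].append((sender, target) + dcc)     # (2.2)
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_IRC).items():
        print(f"{key:18}: {value}")
```

The summary deliberately treats a PRIVMSG to NickServ as a service login rather than a private chat, and records the channel from the client's own JOIN as well as the echoed one, so it works whether the capture contains one or both directions of the stream.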

 Flag 3 (21 points)


The Attorney General lets you know that they think there is a web server in here that is phishy and is spitting out long numbers and letters. The Necrocryptors hacking group is known to play tricks with these values. The Attorney General needs the following information to track the folks operating the website:

 Task 3.1

  • The site domain name (record just the site’s domain name and the top-level domain (TLD), with the period, e.g. something.hostname.tld)
    • Example: something.something.something
    • Points: 2

 Task 3.2

  • What is the public IP address?
    • Example: 192.168.1.10
    • Points: 2

 Task 3.3

  • The primary nameserver for this domain (You may need to look outside the pcap for this information. Think about tools that will give you the nameserver data for a specific domain)
    • Example: ns-something-something.something.something
    • Points: 6

 Task 3.4

  • The hash provided by entering your Georgia Tech ID in the field (i.e. 9021042) (NOTE: The website is real and safe to access)
    • Example: abcdef1234567890953453434
    • Points: 11

 Flag 4 (27 points)


The Attorney General is impressed by you but says they believe the group is also using another server to host a malicious file. It appears that one of the hackers recently accessed this server and downloaded a file from it. As a last minute request, the Attorney General is asking you to investigate what this file is, and where it is hosted.

 Task 4.1

  • What is the IP address for the server in question?
    • Example: 192.168.8.7
    • Points: 2

 Task 4.2

  • What is the username used to log in the server?
    • Example: something
    • Points: 4

 Task 4.3

  • What is the password used to log in the server?
    • Example: something
    • Points: 4

 Task 4.4

  • One file is downloaded from the server, what is the file name?
    • Example: something
    • Points: 3

 Task 4.5

  • What is the programming language used to create this file?
    • Example: something
    • Points: 5

 Task 4.6

  • If you run this file you’ll get a Combined hash. What is the unique hash for your GTID (i.e 902042)?
    • Example: 12123123129413249121249aa
    • Points: 9

 Flag 5 (5 points)


Exhausted from the prior exercises, the Attorney General has two more exercises for you to prove you belong here and that he shouldn’t fire you, despite your doing a good job. He mentions that the hackers are getting smart and have a website, http://www.didbastionbreak.com:5000, that has absolutely nothing to do with Azure Firewalls but everything to do with web application firewalls. Apparently there are some weaknesses built into the website which let you reach other parts of the site through something called a path traversal attack.

 Task 5.1

  • There is a flag labeled 5.1 that outputs a hash when you input your GTID. Try to find the page and recover the flag.
    • Example: tr95843fkdspugr8euyre0gfd
    • Points: 2

 Task 5.2

  • From the main page on the website, click the blue box that says “Download the Zip”. When you do, it downloads a file that is zipped and encrypted with a password. You have to use the tool “John the Ripper” to crack the encryption to find the password. What is the password for your file?
    • Hint: The password is seven numbers long
    • Points: 1

 Task 5.3

  • When you use the password to unlock the file and unzip it, it contains a program. After you run the program, what is the hash provided?
    • Example: 58437594ejgfdiohr8e054309
    • Points: 2
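The Flag 5 description names path traversal without showing the mechanism. The following added example (not code from the assignment and nothing to do with the actual didbastionbreak.com site) puts a vulnerable file handler beside a hardened one and exercises both with a plain and a URL-encoded `../` request against a constructed directory tree: the webroot `www/public` and an out-of-root `www/secret/flag51.txt`, both invented for the demonstration.

```python
"""Path traversal: a vulnerable file handler beside a hardened one.

Added example, not code from the assignment or from the didbastionbreak.com
site. The directory layout (webroot www/public, out-of-root www/secret) and
the request strings are constructed for the demonstration.
"""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_read(webroot, requested):
    """URL-decode and join with no containment check: '..' climbs out of webroot."""
    path = os.path.join(webroot, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def hardened_read(webroot, requested):
    """Serve only paths whose resolved real location stays under webroot.

    Decode once, drop a leading slash so join() cannot be overridden by an
    absolute path, resolve '..' and symlinks with realpath, then require the
    webroot to be the common prefix. Anything else is refused.
    """
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, unquote(requested).lstrip("/\\")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"traversal blocked: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed tree: <tmp>/www/public is the webroot, <tmp>/www/secret is not."""
    base = tempfile.mkdtemp()
    public = os.path.join(base, "www", "public")
    secret = os.path.join(base, "www", "secret")
    os.makedirs(public)
    os.makedirs(secret)
    with open(os.path.join(public, "index.html"), "w") as fh:
        fh.write("<h1>welcome</h1>")
    with open(os.path.join(secret, "flag51.txt"), "w") as fh:
        fh.write("hidden page contents")
    return public


def demo():
    """Run a legitimate request and two traversal attempts against both handlers."""
    webroot = build_demo_tree()
    results = {"legit_vuln": vulnerable_read(webroot, "index.html"),
               "legit_hard": hardened_read(webroot, "index.html")}
    attempts = {"plain": "../secret/flag51.txt",
                "encoded": "%2e%2e%2fsecret%2fflag51.txt"}   # %2e%2e%2f decodes to ../
    for label, req in attempts.items():
        results[f"{label}_vuln"] = vulnerable_read(webroot, req)
        try:
            hardened_read(webroot, req)
            results[f"{label}_hard"] = "ALLOWED"
        except PermissionError:
            results[f"{label}_hard"] = "BLOCKED"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value}")
```

Note that the hardened version decodes exactly once and then trusts the filesystem, not a pattern match: a double-encoded request such as `%252e%252e%252f` stays the literal name `%2e%2e%2f...` under the webroot and simply fails as a missing file, whereas a handler that merely rejects the substring `../` is bypassed by the single-encoded form shown above.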

Suddenly, your phone rings. You see that the call is coming from Bill’s extension. You were ready to head back home and watch Netflix. Here we go again…

“Mark, great job so far! I was thinking here. This will not be the last time you will be doing this analysis on pcaps, so why don’t we start building a Python class with several methods to automate some of the work for next time?” “When you say we, you are saying, why don’t I build this class, right?” you say.

“Of course not! I already created some skeleton code to help you out. You just need to build 3 functions now” Bill says.

“Oh, ok. Thank you Boss..”

As you hang up the call, Bill sends you via IM a zip file containing the Python class and an attack pcap from a past incident, so you can create the functions and test them.

 Flag 6 (15 points)


For this task, you need to use the provided pcapanalysis.py and Flag6.pcap files to create three functions. The snippet below shows where you need to code the functions and the expected output in each variable. You can create as many functions and variables as you need; however, the provided functions need to return the expected output.

 Function Skeleton

    # TODO: 
    #   Task 1: Return n being:
    #       n = Number of ICMP Packets
    def icmp_count(self):
        n = 0
        # TODO: Implement me 

        return n

    # TODO: 
    #   Task 2: Return r,a, being:
    #       r = Number of ICMP Echo Requests
    #       a = ICMP Echo Reply
    def icmp_request_reply(self):
        r = 0
        a = 0
        # TODO: Implement me 

        return r,a 

    # TODO: 
    #   Task 3: Return m,n, being:
    #       m = Most Common Destination MAC Address
    #       n = Number of Occurrences
    def dest_mac(self):
        m,n = 0,0 
        # TODO: Implement me 

        return m,n


if __name__ == '__main__':
    pcap_analysis = MITMProject()
    icmp_count = pcap_analysis.icmp_count()
    request,reply = pcap_analysis.icmp_request_reply()
    dest_mac,occurrences = pcap_analysis.dest_mac()
    print("Number of ICMP Packets  : ", icmp_count)
    print("Number of ICMP Requests and Replies : ",request,reply)
    print("Most Common MAC Address and Number of Occurrences: ", dest_mac,occurrences)

To start, make sure the pyshark package is installed on your system. Review the pyshark GitHub page to install the package and its dependency (tshark): https://github.com/KimiNewt/pyshark/ and https://tshark.dev/setup/install/

When you open pcapanalysis.py, make sure student_id is updated with your 9-digit Georgia Tech ID:

# TODO: Change this to YOUR Georgia Tech ID!!!
# This is your 9-digit Georgia Tech ID
self.student_id = '900000000'

Do not modify the import statements. All you need to complete this assignment is there. New imports may be ignored by the autograder and your code will fail.

 Deliverables:

 Task 6.1

  • Modify the def icmp_count(self): function so that it returns an integer, n, which represents the number of ICMP packets in the flag6.pcap file.
  • Points: 3

 Task 6.2

  • Modify the def icmp_request_reply(self): function to return r (the number of ICMP Echo Requests as an integer) and a (the number of ICMP Echo Replies as an integer).
  • Points: 5

 Task 6.3

  • Modify the def dest_mac(self): function to return m (the most common destination MAC address as a string) and n (its number of occurrences as an integer).
  • Points: 7
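As an added example, independent of pcapanalysis.py and of the pyshark-based answer the autograder expects (which must keep the handout's imports), the following standard-library Python computes the same three values over a classic libpcap file so the counting logic can be checked offline. It builds a small capture in memory (constructed MAC addresses, three echo requests, two echo replies, one ARP frame and one TCP segment that must not be counted as ICMP) and exposes `icmp_count`, `icmp_request_reply` and `dest_mac` as plain functions taking the pcap bytes rather than as methods. The Wireshark display filters that correspond are `icmp`, `icmp.type == 8`, `icmp.type == 0` and the `eth.dst` field.

```python
"""Flag 6 computations over a classic libpcap file, standard library only.

Added example: not pcapanalysis.py and not a pyshark solution (the autograder
expects pyshark and the handout's imports). The capture below is constructed
in memory so the counting logic can be checked offline.
"""
import struct
from collections import Counter

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IP_PROTO_ICMP, IP_PROTO_TCP = 1, 6
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def iter_frames(pcap):
    """Yield raw Ethernet frames from libpcap bytes (either byte order, linktype 1)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":          # 0xa1b2c3d4 written little-endian
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def icmp_type(frame):
    """ICMP type byte if the frame is Ethernet/IPv4/ICMP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    if frame[14 + 9] != IP_PROTO_ICMP or len(frame) < 14 + ihl + 1:
        return None
    return frame[14 + ihl]


def icmp_count(pcap):
    """Task 6.1 -- Wireshark filter: icmp"""
    return sum(1 for f in iter_frames(pcap) if icmp_type(f) is not None)


def icmp_request_reply(pcap):
    """Task 6.2 -- icmp.type == 8 (request), icmp.type == 0 (reply)"""
    types = [icmp_type(f) for f in iter_frames(pcap)]
    return types.count(ICMP_ECHO_REQUEST), types.count(ICMP_ECHO_REPLY)


def dest_mac(pcap):
    """Task 6.3 -- most common eth.dst over every frame, with its count"""
    macs = Counter(f[:6].hex(":") for f in iter_frames(pcap) if len(f) >= 14)
    return macs.most_common(1)[0]


# --- constructed capture -------------------------------------------------------
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ipv4_frame(dst_mac, src_mac, proto, payload):
    """Ethernet + minimal IPv4 header (checksum left 0; enough for this parser)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip + payload


def icmp_frame(dst_mac, src_mac, icmp_t):
    return ipv4_frame(dst_mac, src_mac, IP_PROTO_ICMP, struct.pack("!BBHHH", icmp_t, 0, 0, 1, 1))


def build_pcap(frames):
    """Little-endian libpcap container, linktype 1, one record per frame."""
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    recs = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + b"".join(recs)


VICTIM, ATTACKER, GATEWAY = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:ff"
SAMPLE_PCAP = build_pcap([
    _mac("ff:ff:ff:ff:ff:ff") + _mac(ATTACKER) + struct.pack("!H", ETH_ARP) + b"\0" * 28,
    icmp_frame(VICTIM, ATTACKER, ICMP_ECHO_REQUEST),
    icmp_frame(ATTACKER, VICTIM, ICMP_ECHO_REPLY),
    icmp_frame(VICTIM, ATTACKER, ICMP_ECHO_REQUEST),
    icmp_frame(ATTACKER, VICTIM, ICMP_ECHO_REPLY),
    icmp_frame(VICTIM, ATTACKER, ICMP_ECHO_REQUEST),
    ipv4_frame(GATEWAY, VICTIM, IP_PROTO_TCP, b"\0" * 20),     # not ICMP: must not count
])

if __name__ == "__main__":
    print("Number of ICMP Packets  : ", icmp_count(SAMPLE_PCAP))
    print("Number of ICMP Requests and Replies : ", *icmp_request_reply(SAMPLE_PCAP))
    print("Most Common MAC Address and Number of Occurrences: ", *dest_mac(SAMPLE_PCAP))
```

Two details carry over to a pyshark version of the same logic: the destination MAC is counted over every frame (the ARP broadcast included), not only over ICMP, since Task 6.3 does not restrict the layer; and echo requests and replies are distinguished by the ICMP type byte, so a capture full of unanswered requests will show r much larger than a. With pyshark the per-packet checks are of the form `'ICMP' in pkt`, `pkt.icmp.type` and `pkt.eth.dst` on packets read from `pyshark.FileCapture(path)`.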
