Lab 1.1 – tcpdump Traffic Analysis
Analyzed PCAP traffic with tcpdump: identified /.env probing, WordPress brute-force with Hydra, and cleartext login parameters visible in the HTTP payload.
Commands
1. Initial packet overview
Read the first 20 packets from investigate.pcap to get a high-level view of traffic types (DNS, TCP, HTTP). -n disables name resolution so reading the capture does not trigger DNS lookups of its own, and -# numbers each packet for later reference.
tcpdump -n -r investigate.pcap -c 20 -#
2. Filtering session 1: GET /.env
Filtered TCP traffic between 135.125.217.54 and 10.130.8.94 (ports 44366 and 80). Revealed an HTTP GET request for /.env; server responded 404 Not Found.
tcpdump -n -r investigate.pcap 'tcp and (host 135.125.217.54 and host 10.130.8.94) and (port 44366 and port 80)'
3. Read session.pcap
Read session.pcap to view the filtered wp-login session packets.
tcpdump -n -r session.pcap -#
4. HTTP payload extraction: visible login parameters
Dumped packet contents. Revealed cleartext HTTP POST to /wp-login.php with Hydra user-agent and visible login parameters (redacted).
tcpdump -n -r session.pcap -X -v -c 4
5. Correlate with dig
Used dig to query NS records for alphainc.ca, correlating with the captured DNS traffic.
dig alphainc.ca NS
6. Live DNS capture and read
Captured live UDP traffic on port 53 (DNS) with sudo tcpdump, wrote it to created_capture.pcap (the capture runs until stopped with Ctrl-C, or add -c N to stop after N packets), then read the capture back to view DNS queries and responses.
sudo tcpdump -n -i eth0 -w created_capture.pcap 'udp port 53'
tcpdump -n -r created_capture.pcap
7. DNS payload extraction
Dumped DNS packet contents in hex and ASCII, revealing domain names in the payload.
tcpdump -n -r created_capture.pcap -X
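The seven steps above are a manual review with tcpdump -X. The following is an added example, not part of the original lab, that automates the same triage over a capture constructed in memory: it parses a classic pcap file with the standard library only, flags the GET /.env probe, the POST /wp-login.php with a Hydra User-Agent, the cleartext login parameters (password redacted before reporting), and decodes the DNS query name. The addresses 135.125.217.54 and 10.130.8.94 are taken from the write-up; the second source port, the resolver address, the DNS client address and the credentials are made up for the example.

```python
"""Added example (not from the original lab): stdlib-only pcap triage that
mirrors the tcpdump steps above. The capture is constructed below; IPs other
than the two quoted in the write-up, ports and credentials are made up."""
import struct
from urllib.parse import parse_qs


def ipv4(src, dst, proto, payload):
    """IPv4 header without options; checksum left at zero (enough for parsing)."""
    a = lambda ip: bytes(map(int, ip.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, a(src), a(dst)) + payload

def tcp(sport, dport, payload):
    # 20-byte header: data offset 5, flags PSH|ACK, checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def frame(src, dst, proto, l4):
    """Ethernet II frame (zero MACs, ethertype 0x0800) carrying IPv4."""
    return b"\x00" * 12 + b"\x08\x00" + ipv4(src, dst, proto, l4)

def dns_query(name, qtype):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def write_pcap(packets):
    """Classic pcap: little-endian global header, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

# Constructed sample traffic modelled on the lab's findings.
ENV_PROBE = b"GET /.env HTTP/1.1\r\nHost: 10.130.8.94\r\nUser-Agent: python-requests/2.31\r\n\r\n"
LOGIN_BODY = b"log=admin&pwd=Winter2024%21&wp-submit=Log+In"   # placeholder credential, not real
LOGIN_POST = (b"POST /wp-login.php HTTP/1.1\r\nHost: 10.130.8.94\r\nUser-Agent: Mozilla/5.0 (Hydra)\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n" % len(LOGIN_BODY)
              + LOGIN_BODY)
SAMPLE_PCAP = write_pcap([
    frame("135.125.217.54", "10.130.8.94", 6, tcp(44366, 80, ENV_PROBE)),
    frame("10.130.8.94", "135.125.217.54", 6, tcp(80, 44366, b"HTTP/1.1 404 Not Found\r\n\r\n")),
    frame("135.125.217.54", "10.130.8.94", 6, tcp(50122, 80, LOGIN_POST)),
    frame("10.130.8.10", "8.8.8.8", 17, udp(51111, 53, dns_query("alphainc.ca", 2))),  # NS query
])

def read_pcap(data):
    """Yield (src, dst, proto, sport, dport, l4_payload) for each IPv4 TCP/UDP packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pkt, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if pkt[12:14] != b"\x08\x00":           # not IPv4, skip
            continue
        ip = pkt[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6:
            yield src, dst, "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]
        elif proto == 17:
            yield src, dst, "udp", sport, dport, l4[8:]

def dns_qname(payload):
    """Decode the first question name (queries carry no compression pointers)."""
    labels, pos = [], 12
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def triage(pcap):
    """Return the findings a manual tcpdump -X review would produce."""
    findings = []
    for src, dst, proto, sport, dport, payload in read_pcap(pcap):
        if proto == "udp" and dport == 53 and len(payload) > 12:
            findings.append({"type": "dns-query", "src": src, "qname": dns_qname(payload)})
        elif proto == "tcp" and dport == 80 and payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            head, _, body = payload.partition(b"\r\n\r\n")
            lines = head.decode("latin-1").split("\r\n")
            method, path = lines[0].split(" ")[:2]
            headers = {k.lower(): v for k, v in (h.split(": ", 1) for h in lines[1:] if ": " in h)}
            f = {"type": "http", "src": src, "dst": dst, "sport": sport, "method": method,
                 "path": path, "ua": headers.get("user-agent", ""), "tags": []}
            if path == "/.env":
                f["tags"].append("env-probe")
            if "hydra" in f["ua"].lower():
                f["tags"].append("hydra-ua")
            if method == "POST" and path.startswith("/wp-login.php"):
                params = parse_qs(body.decode("latin-1"))
                if "log" in params and "pwd" in params:
                    f["tags"].append("cleartext-credentials")
                    f["user"], f["pwd"] = params["log"][0], "<redacted>"  # never write captured passwords to a report
            findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PCAP):
        print(finding)
```

To run it against a real file, replace SAMPLE_PCAP with open("session.pcap", "rb").read(); the reader handles both byte orders of the classic pcap magic but not pcapng, which tcpdump does not write by default. The 404 response in the sample is deliberately not reported: it is the server's packet, so it never matches the client-side dport == 80 check, which is the same split the lab's port filters in step 2 rely on.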
Key Findings
- HTTP GET /.env from 135.125.217.54 to 10.130.8.94; server returned 404
- HTTP POST /wp-login.php with Hydra user-agent
- DNS NS lookup mapped alphainc.ca to AWS nameservers
Security Controls
- Enforce HTTPS with HSTS so wp-login credentials are never sent in cleartext
- Rate-limit /wp-login.php and lock out after repeated failed logins
- WAF rules blocking requests for /.env and other dotfiles
- Centralized logging and alerting (SIEM) on dotfile 404 bursts and failed-login spikes