Forum Discussion

clermagic225
Bronze II
22 days ago

Help needed for Threat Hunting: Mining Behaviour

Hey everyone! I need some help with this last question of a lab. I already identified the JSON authentication token and the packet that holds it. But within that packet, I just can't find the authentication key that identifies the miner. Anyone was able to solve and help? Thanks!


  • MaxCucchi
    21 days ago

    Hi clermagic225 

    I just wanted to chime in on this to provide additional help, if possible. Kieran is correct that you should ensure that you are entering the first six characters, not only the first five.

    That said, from the second screenshot you shared, it seems you are pulling this value from Packet 2540, which does not appear correct. For this, you will want to be sure you are reviewing the same packet that provided your answer to Task 6 in the lab. 

    For the value, you should not need to dig much deeper than the results page in Wireshark, as the answer can be found within the Info tab and identified as "Key=".

    I hope that this helps out 😊
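    To show what the two packets discussed above look like when hunted for programmatically, here is an added example that is not part of the lab or of anyone's post in this thread. It scans TCP payloads for Stratum-style JSON-RPC authorization messages (the "mining.authorize" method of Stratum v1 and the "login" method used by XMRig-style miners) and for HTTP request lines carrying a key= query parameter, which is where a "Key=" value would surface in the Wireshark Info column. The payloads are constructed samples; the wallet strings, key value and host names are invented, and the assumption that the lab's key travels as an HTTP query parameter is drawn only from the "Key=" hint above.

```python
"""Hunt raw TCP payloads for two cryptomining indicators:
1. Stratum JSON-RPC authorization messages, returning the worker/wallet login.
2. HTTP requests whose query string carries a key= parameter.
All payloads below are constructed samples, not data from the lab capture."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Method names used by Stratum v1 miners, XMRig-style miners and Ethereum
# Stratum variants to authenticate a worker. Extend as needed.
STRATUM_AUTH_METHODS = {"mining.authorize", "login", "eth_submitLogin"}

# Constructed sample payloads (one reassembled TCP segment each).
SAMPLE_PAYLOADS = [
    b'{"id":2,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n',
    b'{"id":3,"method":"mining.authorize","params":["4ABCwallet.rig01","x"]}\n',
    b'{"id":1,"method":"login","params":{"login":"44AAwallet","pass":"x","agent":"XMRig/6.0"}}\n',
    b'GET /miner/config?key=9f3a1c77e0&v=2 HTTP/1.1\r\nHost: pool.example\r\n\r\n',
    b'GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n',
]


def stratum_auth(payload):
    """Return the login/worker string if payload is a Stratum auth message, else None."""
    try:
        msg = json.loads(payload.decode("utf-8", "replace").strip())
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_AUTH_METHODS:
        return None
    params = msg.get("params")
    if isinstance(params, dict):            # XMRig style: {"login": ..., "pass": ...}
        return params.get("login")
    if isinstance(params, list) and params:  # Stratum v1 style: [worker, password]
        return str(params[0])
    return None


def http_key_param(payload):
    """Return the value of a key= query parameter from an HTTP request line, else None."""
    m = re.match(rb"(?:GET|POST)\s+(\S+)\s+HTTP/1\.[01]\r?\n", payload)
    if not m:
        return None
    target = m.group(1).decode("ascii", "replace")
    vals = parse_qs(urlsplit(target).query).get("key")
    return vals[0] if vals else None


def hunt(payloads):
    """Return (index, indicator, value) tuples for every payload that matches."""
    findings = []
    for idx, payload in enumerate(payloads):
        login = stratum_auth(payload)
        if login:
            findings.append((idx, "stratum_auth", login))
        key = http_key_param(payload)
        if key:
            findings.append((idx, "http_key", key))
    return findings


if __name__ == "__main__":
    for idx, kind, value in hunt(SAMPLE_PAYLOADS):
        # Lab answers of this kind are often requested as a prefix, e.g. the first six characters.
        print(f"payload {idx}: {kind} -> {value!r} (first six: {value[:6]})")
```

    Feed it payloads exported from Wireshark (Follow TCP Stream, or tshark with -T fields -e tcp.payload decoded from hex) and the two indicators fall out of separate packets: the JSON authorization message identifies the worker, while the key= request is a different packet, which matches the mix-up described in this thread.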

  • KieranRowley MaxCucchi Thank you for the help! Yep, I managed to solve it now. I was looking at the wrong packet the whole time (i.e. the authentication token rather than the one with the embedded miner). Appreciate the help.

  • TillyCorless
    Community Manager

    Hi clermagic225 

    Please can you provide some detail of the steps you have already taken so that your fellow community members are able to assist you? In the meantime, I'll speak with the lab author and come back to you, unless any community member beats me to it!

    • clermagic225
      Bronze II

      Thanks TillyCorless! I've identified the JSON authentication token and I read through every line of the packet to make sure I didn't miss any block of strings that looks like a key. Did a Ctrl+F to search for keywords like "key", "auth", "token" and tried to input those into the answer field.
