Tags: forensics 

# 3_Forensics

We're asked for a list of usernames that were compromised in the attack, and the username:password combo that the attackers most likely got a hold of.

To find the list of usernames compromised in the attack, we'll open the packet capture in Wireshark and filter for packets sent from our victim (10.0.80.17) to our attacker (10.187.195.95), paying attention to any authentication pages the server may have sent. We also restrict the filter to HTTP 200 responses, since these are the "OK" responses; this removes a lot of background noise and the 404s from the scan the attacker ran earlier.

```
$ wireshark capture.pcap
```

```
( ip.dst == 10.187.195.95 ) and ( ip.src == 10.0.80.17 ) and ( http.response.code == 200 )
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/3_Forensics-1.png)

We find the usernames surrounded by a bunch of noise (that I admittedly don't understand). Going through these packets, we find about 5 usernames, all of which are surrounded by noise (that I, again, don't understand).

```
admin
alice
bob
devtest
suzy
```

If you know why they're encapsulated in noise, please let me know.

Anyways, we're next asked for the username:password combo that the attackers were most likely able to get a hold of. To find this, we'll go through the logs we were given and look for any logins on any of these accounts.

```
$ grep "admin\|alice\|bob\|devtest\|suzy" auth.log
```

In doing so, we're able to find a password change for the user `devtest` to `driveby` in the logs.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/3_Forensics-2.png)
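The same correlation step done structurally rather than with a bare grep: take the usernames recovered from the capture as a watchlist, parse auth.log for login and password-change events on those accounts, and flag the account that was logged into and then had its password changed. This is an added example, not part of the original writeup; the log lines are constructed in the standard syslog/sshd/pam_unix format and are not the challenge's actual auth.log.

```python
import re

# Usernames recovered from the packet capture (from the writeup above).
COMPROMISED = {"admin", "alice", "bob", "devtest", "suzy"}

# Constructed auth.log sample lines (not from the challenge's own log).
SAMPLE_AUTH_LOG = """\
Mar  3 14:01:12 drivebyinc sshd[2201]: Failed password for alice from 10.187.195.95 port 50112 ssh2
Mar  3 14:01:20 drivebyinc sshd[2201]: Failed password for root from 10.187.195.95 port 50112 ssh2
Mar  3 14:02:05 drivebyinc sshd[2210]: Accepted password for devtest from 10.187.195.95 port 50140 ssh2
Mar  3 14:02:41 drivebyinc passwd[2230]: pam_unix(passwd:chauthtok): password changed for devtest
Mar  3 14:05:00 drivebyinc CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Message patterns for the auth.log events we care about; each yields an
# event kind plus the account in the "user" group (and the source IP if present).
PATTERNS = [
    ("accepted", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("failed", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("passwd_change", re.compile(r"password changed for (?P<user>\S+)")),
]

# Syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
TIMESTAMP = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")

def parse_auth_log(text, watchlist):
    """Return (timestamp, kind, user, src) tuples for events touching watchlisted accounts."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS:
            hit = pat.search(m.group("msg"))
            if hit and hit.group("user") in watchlist:
                src = hit.groupdict().get("src", "-")
                events.append((m.group("ts"), kind, hit.group("user"), src))
                break
    return events

def likely_compromised_account(events):
    """An account with a successful login followed by a password change is the best candidate."""
    logged_in = set()
    for _, kind, user, _ in events:
        if kind == "accepted":
            logged_in.add(user)
        elif kind == "passwd_change" and user in logged_in:
            return user
    return None
```

On the constructed sample this yields three watchlist events and flags `devtest`, matching the conclusion of the writeup; the "root" failure and the cron session are dropped because they do not touch a watchlisted account.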

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-TAMU/DriveByInc/3_Forensics.md).