Tags: forensics network 

Rating:

# 1_Discovery

We're asked for the IP address of the host exfiltrating data, how long this exfiltration happened, and finally, what protocols were used to exfiltrate.

First of all, let's look for the IP address of the host exfiltrating data.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/1_Discovery-1.png)

The first thing that stands out is that 192.168.11.7 is the only host that sends ICMP packets. ICMP is a classic covert channel (echo request payloads are arbitrary bytes that are rarely inspected), so a single host pinging away while nobody else does is a strong signal that 192.168.11.7 is the host exfiltrating data.

If 192.168.11.7 is the exfiltrating host, the display filter needs to be flipped: instead of 192.168.11.4 as the destination, filter on 192.168.11.4 as the source and 192.168.11.7 as the destination, i.e. `ip.src == 192.168.11.4 && ip.dst == 192.168.11.7`.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/1_Discovery-2.png)

With that done, we need to find out how long the exfiltration lasted. Subtract the relative time of the first matching packet from that of the last: the last is at 818.453 s and the first at 149.693 s, so the difference, rounded to the nearest second, is 669 seconds, or 11:09.

To find the protocols used, we simply look at the types of packets in the filtered traffic (the Protocol column, or Statistics > Protocol Hierarchy in Wireshark): DNS, HTTP, and ICMP.
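The three questions above can be answered without clicking through Wireshark by dumping the capture to fields with tshark and scripting the triage. The script below is an added example, not part of the original writeup; it expects the tab-separated output of `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e icmp.type` (real tshark field names), and since the challenge pcap is not available here the `SAMPLE` lines are constructed to mirror the timestamps and protocols reported in the writeup. It goes one step further than the writeup by counting only ICMP echo requests (type 8) when looking for the pinging host, so that the victim's echo replies do not make it look like a second ICMP sender.

```python
"""Answer the Discovery questions (who, how long, which protocols) from a tshark field dump.

Added example, not code from the original writeup. Expected input is the output of:
  tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst \
         -e _ws.col.Protocol -e icmp.type
"""
from collections import Counter

# Constructed sample (the real capture is not available here): one row per packet,
# columns are frame.time_relative, ip.src, ip.dst, protocol, icmp.type
# (icmp.type is 8 for echo request, 0 for echo reply, empty for non-ICMP packets).
SAMPLE = """\
12.001\t192.168.11.4\t192.168.11.1\tDNS\t
100.500\t192.168.11.7\t192.168.11.4\tICMP\t8
149.693\t192.168.11.4\t192.168.11.7\tDNS\t
301.500\t192.168.11.4\t192.168.11.7\tHTTP\t
512.000\t192.168.11.7\t192.168.11.4\tICMP\t8
512.250\t192.168.11.4\t192.168.11.7\tICMP\t0
818.453\t192.168.11.4\t192.168.11.7\tHTTP\t
900.010\t192.168.11.9\t192.168.11.1\tDNS\t
"""


def parse(dump):
    """Return a list of (time, src, dst, proto, icmp_type); icmp_type is None for non-ICMP."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, itype = line.split("\t")
        rows.append((float(t), src, dst, proto, int(itype) if itype else None))
    return rows


def icmp_request_sources(rows):
    """Hosts that originate ICMP echo requests, with packet counts.

    Echo replies (type 0) are excluded on purpose: the pinged host answers every
    request, so counting all ICMP would wrongly show two ICMP senders.
    """
    return Counter(src for _, src, _, proto, itype in rows
                   if proto == "ICMP" and itype == 8)


def between(rows, src, dst):
    """Equivalent of the Wireshark display filter ip.src==src && ip.dst==dst."""
    return [r for r in rows if r[1] == src and r[2] == dst]


def duration(rows):
    """Seconds between the first and last packet (rounded) and the same as m:ss."""
    if not rows:
        raise ValueError("no packets matched the filter")
    times = [r[0] for r in rows]
    secs = round(max(times) - min(times))
    return secs, f"{secs // 60}:{secs % 60:02d}"


def protocols(rows):
    """Sorted set of protocols seen in the given packets."""
    return sorted({r[3] for r in rows})


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("ICMP echo request sources:", dict(icmp_request_sources(rows)))
    flow = between(rows, "192.168.11.4", "192.168.11.7")
    print("exfiltration window:", duration(flow))
    print("protocols in flow:", protocols(flow))
```

On the constructed sample this reports 192.168.11.7 as the sole echo request source, a 669 s (11:09) window for the 192.168.11.4 to 192.168.11.7 flow, and DNS, HTTP and ICMP as the protocols in it. To run it on the real capture, replace `SAMPLE` with the tshark output (for example `open("dump.tsv").read()`).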

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-TAMU/ReadingRainbow/1_Discovery.md).