TryHackMe Certs

A kind fellow bought me a 30-day membership to Premium TryHackMe, so I decided to get some of their certificates whilst I was able to. 

I also got this one last Christmas, although whilst I'm sticking them all here, I might as well include this one too.

Wireshark - Filtering for a Port Knocking sequence

In a recent CTF, I was required to analyze a .pcapng file to find a Port Knocking sequence. I didn't know an easy way to do this, and Google only gave up some half useful answers, so after a bit of research, I decided to write this post in the hopes that someone may stumble upon it in the future :)

Filter: (tcp.flags.reset eq 1) && (tcp.flags.ack eq 1)

Before

After

Make sure that the order number is correct (The "No." column goes from lowest to highest), and read the Port number on the left in the "Info" column.

In this case, the sequence is 7864, 8273, 9241, 12007, 60753, so a:

> knock 10.10.35.61 7864 8273 9241 12007 60753 -t 500

Would get you what you need. 

I found that sometimes you might need to knock 2 or 3 times before the filtered port opens for some reason, but there you go!

Photogenic Cheetah

 :D