LAB 4.9-B Tier 2: Worker-Backed Obj 4.9 · intermediate · ~20min

Packet Capture Forensics

This lab is planned but not yet built. Check back soon.

Mission

Analyze a packet capture from a suspected data breach. Identify the protocol breakdown, filter for suspicious traffic, extract forensic artifacts, and write your findings.

Scenario

A Cloudflare Worker generates a simulated packet capture viewer with traffic from a compromised network segment. The capture contains normal business traffic mixed with:

  • C2 (command and control) beaconing hidden in HTTPS traffic (identifiable via a JA3 TLS fingerprint mismatch)
  • DNS tunneling with unusually long subdomain queries
  • Data exfiltration via high-entropy payloads on non-standard ports

What You’ll Do

  1. Filter the capture to isolate suspicious traffic from normal business operations
  2. Identify protocol anomalies: magic bytes that don’t match the declared protocol, length fields inconsistent with payload size, timing patterns suggesting automated C2
  3. Extract IOCs: file hashes, C2 domains, exfiltrated data signatures
  4. Report your findings in a structured format and validate against the ground truth
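As an added example (not the lab’s own code; the Worker-generated capture is not yet available), the Python below applies the checks from steps 1 and 2 to constructed packet records: oversized DNS labels, non-TLS bytes on a TLS port, high-entropy payloads on non-standard ports, and near-constant beacon intervals. The record layout, thresholds, and sample values are assumptions; JA3 hashing itself is not reproduced here.

```python
"""Detection checks over constructed packet records (added example, not lab code)."""
import math
import statistics
from collections import defaultdict

# Constructed sample records: (timestamp, src, dst, dport, dns_qname, payload).
# Addresses are documentation ranges; nothing here is a real indicator.
TLS_HELLO = b"\x16\x03\x01\x00\x10" + b"\x00" * 16          # TLS record header + filler
PACKETS = [
    (0.0,   "10.0.0.5", "203.0.113.9",  443,  None, TLS_HELLO),
    (60.0,  "10.0.0.5", "203.0.113.9",  443,  None, TLS_HELLO),
    (120.1, "10.0.0.5", "203.0.113.9",  443,  None, TLS_HELLO),  # ~60s beacon
    (5.0,   "10.0.0.7", "10.0.0.53",    53,   "www.example.com", b""),
    (6.0,   "10.0.0.7", "10.0.0.53",    53,
     "a3f9c2e1b7d4e6f0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel.example", b""),
    (7.0,   "10.0.0.8", "198.51.100.4", 8443, None, b"GET / HTTP/1.1\r\n"),  # not TLS
    (8.0,   "10.0.0.8", "198.51.100.4", 4444, None, bytes(range(256))),     # max entropy
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_label(qname: str) -> int:
    return max(len(label) for label in qname.split("."))

def looks_like_tls(payload: bytes) -> bool:
    # Magic-byte check: TLS record content type 0x14-0x17, version major byte 0x03.
    return len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03

def beacon_flows(packets, max_cv=0.1, min_count=3):
    """Flows whose inter-arrival times vary little (assumed threshold: CV <= 0.1)."""
    times = defaultdict(list)
    for ts, src, dst, dport, _, _ in packets:
        times[(src, dst, dport)].append(ts)
    flagged = []
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            flagged.append(key)
    return flagged

def find_anomalies(packets):
    findings = []
    for ts, src, dst, dport, qname, payload in packets:
        if qname and longest_label(qname) > 40:            # assumed DNS label threshold
            findings.append(("dns_long_label", src, dst, qname))
        if dport in (443, 8443) and payload and not looks_like_tls(payload):
            findings.append(("tls_port_non_tls", src, dst, dport))
        if dport not in (53, 80, 443) and len(payload) >= 32 and shannon_entropy(payload) > 7.0:
            findings.append(("high_entropy_payload", src, dst, dport))
    for key in beacon_flows(packets):
        findings.append(("beacon_regular_interval",) + key)
    return findings
```

Running `find_anomalies(PACKETS)` yields four findings, one per planted anomaly; real captures need the thresholds tuned against the segment’s baseline traffic.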

Offensive Context

This is the defensive mirror of how a protocol-level attacker operates. The same packet analysis skills — identifying magic bytes, static vs. dynamic fields, length field anomalies — apply on both sides of the table. An attacker manipulating these fields to trigger parser bugs on the server? You’re learning to spot exactly that. The JA3 fingerprint mismatch detection works because malware uses its own TLS stack — and now you know what to look for.