# Covert Channels - Suspicious

## **Scenario**:

We found some suspicious traffic on our network and think there could be some malware using covert channels to convey messages. We isolated the suspicious traffic for you to take a look.

## **Process**:

To start off, we look at the Protocol Hierarchy page for this pcap.

![](/files/AfZmOsrQUAY24uuIjXFh)

We see there are only ICMP messages in this pcap, so the answer is somewhere in these 76 packets. The Requests and Replies appear to echo each other, so we should start by looking at one side of the conversation. At first glance the packets do not look very different from each other in the ASCII section of the hexdump.

![](/files/7rUlPFS9ByMqzx571d4M)

Looking closer, however, the Data section contains something that looks "suspicious". When we add the Data field as a column, a pattern emerges: each packet's data field looks like a single hex value.

![](/files/GxweYUKOEH7f1xDyq8oV)

When we pull the hex out of the data fields above (dropping the leading 0 from each one-byte value, so that each packet contributes one nibble) we get this: 66 6c 61 67 7b 50 69 6e 67 48 61 73 44 61 74 61 3f 7d 0a

![](/files/6iSJSR9S6OLGdNGs9USS)

Put that into a hex decoder (or CyberChef) and we have decoded our flag.

### **Powershell Solution:**

```powershell
-join ([string]::join("",(.\tshark.exe -r 'suspicious.pcapng' -Y "ip.src==192.168.17.7" -Tfields -e data | %{$_[1]})) -split '(..)'|? {$_}|%{[char][convert]::touint32($_,16)})
```

#### What is this doing?

tshark reads the pcap with a display filter on one of the two IP addresses, so only one side of the conversation is processed.

It then extracts the single ping data field (`-e data`) from each matching packet.

Next it drops the leading 0 from each result (`$_[1]` keeps only the second hex character) so that we are left with the true hex nibbles.

The nibbles are joined together into a single line.

That line is then split from one long string of characters into two-character hex pairs (`-split '(..)'`, with the empty strings filtered out).

Finally each hex pair is converted to its ASCII character and the characters are joined into the flag.
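The same reassembly in Python, as an added example that is not part of the original write-up: the input records are constructed inline to mirror what `tshark -T fields -e ip.src -e icmp.type -e data` would print for this capture (one byte per echo request, high nibble always zero, each request echoed back by the peer). The source 192.168.17.7 comes from the write-up; the peer address 192.168.17.1 is an assumption. A small heuristic check is included so the decoder refuses payloads that do not fit the one-nibble-per-packet pattern.

```python
# Added example (not from the original write-up): reassemble a message that was
# spread across ICMP echo payloads one nibble per packet, as in this pcap.
# Records are constructed here to mimic tshark field output; they are not real.
FLAG_TEXT = "flag{PingHasData?}\n"  # the message the write-up recovers

def build_sample_records(src="192.168.17.7", dst="192.168.17.1"):
    """Constructed sample: each byte of the message becomes two echo requests,
    each carrying a single payload byte whose high nibble is 0, plus a reply
    from the peer (assumed address) echoing the same byte back."""
    records = []
    for byte in FLAG_TEXT.encode():
        for nibble in (byte >> 4, byte & 0x0F):
            payload = "0%x" % nibble          # tshark prints the data field as hex
            records.append((src, 8, payload))  # ICMP type 8 = echo request
            records.append((dst, 0, payload))  # ICMP type 0 = echo reply
    return records

def echo_requests_from(records, src):
    """Keep one side of the conversation only, as the write-up's ip.src filter does."""
    return [data for s, icmp_type, data in records if s == src and icmp_type == 8]

def looks_like_nibble_channel(payloads):
    """Heuristic: every echo request carries exactly one byte whose high nibble
    is zero. Normal ping payloads are tens of bytes long, so this stands out."""
    return bool(payloads) and all(len(p) == 2 and p[0] == "0" for p in payloads)

def reassemble_nibbles(payloads):
    """Drop the leading 0 of each one-byte payload, pair the nibbles and decode."""
    nibbles = "".join(p[1] for p in payloads)
    if len(nibbles) % 2:
        raise ValueError("odd nibble count: a packet is missing from the capture")
    return bytes.fromhex(nibbles).decode("ascii", errors="replace")

def decode_capture(records, src="192.168.17.7"):
    """Full pipeline: filter one source, sanity-check the pattern, reassemble."""
    payloads = echo_requests_from(records, src)
    if not looks_like_nibble_channel(payloads):
        raise ValueError("payloads do not match the one-nibble-per-packet pattern")
    return reassemble_nibbles(payloads)

if __name__ == "__main__":
    print(decode_capture(build_sample_records()))
```

The constructed capture contains 76 records, matching the packet count in the write-up (19 bytes, two nibbles each, each request echoed once).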
