TryHackMe Phishing Emails 4

Learn how to defend against phishing emails.

This is a walkthrough for the room Phishing Emails 4 on TryHackMe; it is part of the Phishing module.

TryHackMe Phishing Emails 4
  1. Task 1 Introduction
  2. Task 2 SPF (Sender Policy Framework)
  3. Task 3 DKIM (DomainKeys Identified Mail)
  4. Task 4 DMARC (Domain-Based Message Authentication, Reporting, and Conformance)
  5. Task 5 S/MIME (Secure/Multipurpose Internet Mail Extensions)
  6. Task 6 SMTP Status Codes
  7. Task 7 SMTP Traffic Analysis
  8. Task 8 SMTP and C&C Communication
  9. Task 9 Conclusion

Task 1 Introduction

What is the MITRE ID for Software Configuration?

Answer: M1054 

Task 2 SPF (Sender Policy Framework)

2.1 What is the best SPF rule if you wish to ensure the domain sends no mail at all?

Answer: v=spf1 ~all

2.2 What is the meaning of the -all tag?

Answer: fail

Task 3 DKIM (DomainKeys Identified Mail)

Which email header shows the status of whether DKIM passed or failed?

Answer: Authentication-Results

Task 4 DMARC (Domain-Based Message Authentication, Reporting, and Conformance)

Which DMARC policy would you use not to accept an email if the message fails the DMARC check?

Answer: p=reject

Task 5 S/MIME (Secure/Multipurpose Internet Mail Extensions)

What is nonrepudiation? (The answer is a full sentence, including the “.”)

Answer: The uniqueness of a signature prevents the owner of the signature from disowning the signature.

Task 6 SMTP Status Codes

6.1 What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

Answer: smtp.response.code

6.2 What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

Open traffic.pcap on the desktop

Answer: <domain> Service ready

6.3 One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

Answer: 156,553

6.4 Based on the packet from the previous question, what was the message regarding the mailbox?

Answer: mailbox name not allowed

6.5 What is the status code that will typically precede an SMTP DATA command?

Answer: 354

Task 7 SMTP Traffic Analysis

7.1 What port is the SMTP traffic using?

Answer: 25

7.2 How many packets are specifically SMTP?

Answer: 512

7.3 What is the source IP address for all the SMTP traffic?

Answer: 10.12.19.101

7.4 What is the filename of the third file attachment?

Answer: attachment.scr

7.5 How about the last file attachment?

Answer: .zip

Task 8 SMTP and C&C Communication

Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Answer: Zebrocy

Task 9 Conclusion

Per the playbook, what framework was used for the IR process?

Answer: NIST