Packet Maze: Solving a CyberDefenders PCAP Puzzle with R, Zeek, and tshark
2021-07-20
Chapter 1 Prerequisites
You should download the ZIP file associated with CyberDefenders Lab #68 (free account required). To avoid long file and directory names in the examples, the directory has been renamed to maze and the PCAP file from the ZIP file has been renamed to maze.pcapng.
This book also assumes a basic working knowledge of command line tools, and (to a degree) R/RStudio, zeek, and tshark. As such, you'll need a local installation of each of them.
If you’re new to modern data wrangling in R, you might want to have R for Data Science (R4DS) up in a browser tab for reference. We won’t be doing many (if any) fancy things but if some idioms leave you scratching your head, a quick search through R4DS will likely help.
The examples use various R packages that you can install via install.packages():

- {glue} (for string interpolation)
- {jsonlite} (for reading JSON data)
- {stringi} (for string manipulation)
- {tidyverse} (for general data operations)
- {exif} (for retrieving image metadata)
- {magick} (for reading images in general)
There is one package, {MACtools}, which can be installed from GitHub via:

```r
install.packages("remotes")
remotes::install_github("hrbrmstr/MACtools")
```
The {exif} package has some library dependencies which may be a bit daunting if you've not worked with building R packages from source, so you may just want to install ExifTool, since using that as an alternative to solve one of the puzzle questions is also provided.
The {MACtools} package is only used to retrieve metadata about MAC addresses, and there is no shame in typing one MAC address into the DeepMAC search field versus dealing with installing another source-only, non-CRAN package.
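Before starting on the puzzle it is worth confirming that everything above is actually in place. The following script is an added example, not part of the original book: it checks that zeek, tshark and (optionally) exiftool are on the PATH, installs only the CRAN packages that are missing, pulls {MACtools} from GitHub if needed, and verifies that the renamed capture exists and really is a pcapng file by inspecting its magic bytes. The relative path maze/maze.pcapng is an assumption that follows from the renaming described above; adjust it if your layout differs.

```r
# Added prerequisite check for the Packet Maze walk-through (not from the
# original book). Assumes the lab ZIP was unpacked into ./maze and the capture
# renamed to maze/maze.pcapng as described in this chapter.

pcap      <- "maze/maze.pcapng"                      # assumed location
cli_tools <- c("zeek", "tshark", "exiftool")         # exiftool is optional ({exif} alternative)
cran_pkgs <- c("glue", "jsonlite", "stringi", "tidyverse", "exif", "magick")

# 1. Command-line tools: Sys.which() returns "" for anything not on PATH
found <- Sys.which(cli_tools)
for (tool in cli_tools) {
  if (nzchar(found[[tool]])) {
    message(sprintf("found   %-9s -> %s", tool, found[[tool]]))
  } else {
    message(sprintf("MISSING %-9s (exiftool is optional, the others are not)", tool))
  }
}

# 2. CRAN packages: install only those whose namespace cannot be loaded
have_pkg     <- vapply(cran_pkgs, requireNamespace, logical(1), quietly = TRUE)
missing_cran <- cran_pkgs[!have_pkg]
if (length(missing_cran) > 0) install.packages(missing_cran)

# 3. {MACtools} lives on GitHub only, so {remotes} is needed to fetch it
if (!requireNamespace("MACtools", quietly = TRUE)) {
  if (!requireNamespace("remotes", quietly = TRUE)) install.packages("remotes")
  remotes::install_github("hrbrmstr/MACtools")
}

# 4. The capture: must exist and must start with the pcapng Section Header
#    Block type (0x0A0D0D0A). A classic libpcap file would start with
#    0xA1B2C3D4 / 0xD4C3B2A1 instead, which tshark/zeek also accept but which
#    would mean the file was not what this book expects.
if (!file.exists(pcap)) {
  stop("capture not found at ", pcap, "; unzip the lab and rename the file first")
}
magic <- readBin(pcap, what = "raw", n = 4)
if (identical(magic, as.raw(c(0x0a, 0x0d, 0x0d, 0x0a)))) {
  message(sprintf("%s looks like pcapng (%.1f MiB)", pcap, file.size(pcap) / 2^20))
} else {
  warning(pcap, " does not start with the pcapng magic; got ", paste(magic, collapse = " "))
}
```

Run it once from the directory that contains maze/ before working through the chapters; the magic-byte check is cheap insurance against having renamed the wrong file from the ZIP.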
All examples were made using the following R environment:

```r
sessioninfo::session_info(c("glue", "jsonlite", "stringi", "tidyverse", "exif", "sf", "magick", "MACtools"))
```
## ─ Session info ───────────────────────────────────────────────────────────────
## setting value
## version R version 4.1.0 (2021-05-18)
## os Ubuntu 21.04
## system x86_64, linux-gnu
## ui X11
## language (EN)
## collate en_US.UTF-8
## ctype en_US.UTF-8
## tz America/New_York
## date 2021-07-20
##
## ─ Packages ───────────────────────────────────────────────────────────────────
## package * version date lib source
## askpass 1.1 2019-01-13 [3] CRAN (R 4.0.2)
## assertthat 0.2.1 2019-03-21 [2] CRAN (R 4.1.0)
## backports 1.2.1 2020-12-09 [2] CRAN (R 4.1.0)
## base64enc 0.1-3 2015-07-28 [2] CRAN (R 4.1.0)
## BH 1.75.0-0 2021-01-11 [2] CRAN (R 4.1.0)
## blob 1.2.1 2020-01-20 [3] CRAN (R 4.0.1)
## brio 1.1.1 2021-01-20 [3] CRAN (R 4.0.3)
## broom 0.7.8 2021-06-24 [2] CRAN (R 4.1.0)
## callr 3.7.0 2021-04-20 [2] CRAN (R 4.1.0)
## cellranger 1.1.0 2016-07-27 [2] CRAN (R 4.1.0)
## class 7.3-19 2021-05-03 [4] CRAN (R 4.1.0)
## classInt 0.4-3 2020-04-07 [2] CRAN (R 4.1.0)
## cli 2.5.0 2021-04-26 [2] CRAN (R 4.1.0)
## clipr 0.7.1 2020-10-08 [2] CRAN (R 4.1.0)
## colorspace 2.0-2 2021-06-24 [2] CRAN (R 4.1.0)
## cpp11 0.3.1 2021-06-25 [2] CRAN (R 4.1.0)
## crayon 1.4.1 2021-02-08 [2] CRAN (R 4.1.0)
## curl 4.3 2019-12-02 [3] CRAN (R 4.0.1)
## data.table 1.13.6 2020-12-30 [3] CRAN (R 4.0.3)
## DBI 1.1.1 2021-01-15 [2] CRAN (R 4.1.0)
## dbplyr 2.1.1 2021-04-06 [2] CRAN (R 4.1.0)
## desc 1.3.0 2021-03-05 [2] CRAN (R 4.1.0)
## diffobj 0.3.2 2020-10-05 [3] CRAN (R 4.0.2)
## digest 0.6.27 2020-10-24 [3] CRAN (R 4.0.3)
## dplyr * 1.0.7 2021-06-18 [2] CRAN (R 4.1.0)
## dtplyr 1.1.0 2021-02-20 [2] CRAN (R 4.1.0)
## e1071 1.7-7 2021-05-23 [2] CRAN (R 4.1.0)
## ellipsis 0.3.2 2021-04-29 [2] CRAN (R 4.1.0)
## evaluate 0.14 2019-05-28 [2] CRAN (R 4.1.0)
## exif * 0.1.0 2015-12-14 [1] CRAN (R 4.1.0)
## fansi 0.4.2 2021-01-15 [3] CRAN (R 4.0.3)
## farver 2.1.0 2021-02-28 [2] CRAN (R 4.1.0)
## forcats * 0.5.1 2021-01-27 [2] CRAN (R 4.1.0)
## fs 1.5.0 2020-07-31 [3] CRAN (R 4.0.2)
## gargle 1.1.0 2021-04-02 [2] CRAN (R 4.1.0)
## generics 0.1.0 2020-10-31 [2] CRAN (R 4.1.0)
## ggplot2 * 3.3.3 2020-12-30 [3] CRAN (R 4.0.3)
## glue * 1.4.2 2020-08-27 [3] CRAN (R 4.0.2)
## googledrive 1.0.1 2020-05-05 [2] CRAN (R 4.1.0)
## googlesheets4 0.3.0 2021-03-04 [2] CRAN (R 4.1.0)
## gtable 0.3.0 2019-03-25 [2] CRAN (R 4.1.0)
## haven 2.4.1 2021-04-23 [2] CRAN (R 4.1.0)
## highr 0.8 2019-03-20 [3] CRAN (R 4.0.1)
## hms 1.0.0 2021-01-13 [3] CRAN (R 4.0.3)
## htmltools 0.5.1.1 2021-01-22 [3] CRAN (R 4.0.3)
## httr 1.4.2 2020-07-20 [3] CRAN (R 4.0.3)
## ids 1.0.1 2017-05-31 [2] CRAN (R 4.1.0)
## isoband 0.2.3 2020-12-01 [3] CRAN (R 4.0.3)
## jsonlite * 1.7.2 2020-12-09 [3] CRAN (R 4.0.3)
## KernSmooth 2.23-20 2021-05-03 [4] CRAN (R 4.1.0)
## knitr 1.31 2021-01-27 [3] CRAN (R 4.0.3)
## labeling 0.4.2 2020-10-20 [2] CRAN (R 4.1.0)
## lattice 0.20-44 2021-05-02 [4] CRAN (R 4.1.0)
## lifecycle 1.0.0 2021-02-15 [2] CRAN (R 4.1.0)
## lubridate 1.7.10 2021-02-26 [2] CRAN (R 4.1.0)
## MACtools * 0.1.0 2021-07-18 [1] Github (hrbrmstr/MACtools@4750d83)
## magick 2.7.2 2021-05-02 [1] CRAN (R 4.1.0)
## magrittr 2.0.1 2020-11-17 [3] CRAN (R 4.0.3)
## markdown 1.1 2019-08-07 [3] CRAN (R 4.0.1)
## MASS 7.3-54 2021-05-03 [4] CRAN (R 4.1.0)
## Matrix 1.3-4 2021-06-01 [4] CRAN (R 4.1.0)
## mgcv 1.8-36 2021-06-01 [4] CRAN (R 4.1.0)
## mime 0.9 2020-02-04 [3] CRAN (R 4.0.1)
## modelr 0.1.8 2020-05-19 [2] CRAN (R 4.1.0)
## munsell 0.5.0 2018-06-12 [2] CRAN (R 4.1.0)
## nlme 3.1-152 2021-02-04 [4] CRAN (R 4.1.0)
## openssl 1.4.3 2020-09-18 [3] CRAN (R 4.0.3)
## pillar 1.6.1 2021-05-16 [2] CRAN (R 4.1.0)
## pkgbuild 1.2.0 2020-12-15 [3] CRAN (R 4.0.3)
## pkgconfig 2.0.3 2019-09-22 [2] CRAN (R 4.1.0)
## pkgload 1.2.1 2021-04-06 [2] CRAN (R 4.1.0)
## praise 1.0.0 2015-08-11 [3] CRAN (R 4.0.1)
## prettyunits 1.1.1 2020-01-24 [2] CRAN (R 4.1.0)
## processx 3.5.2 2021-04-30 [2] CRAN (R 4.1.0)
## progress 1.2.2 2019-05-16 [3] CRAN (R 4.0.1)
## proxy 0.4-26 2021-06-07 [2] CRAN (R 4.1.0)
## ps 1.6.0 2021-02-28 [2] CRAN (R 4.1.0)
## purrr * 0.3.4 2020-04-17 [3] CRAN (R 4.0.1)
## R6 2.5.0 2020-10-28 [2] CRAN (R 4.1.0)
## rappdirs 0.3.3 2021-01-31 [2] CRAN (R 4.1.0)
## RColorBrewer 1.1-2 2014-12-07 [2] CRAN (R 4.1.0)
## Rcpp 1.0.6 2021-01-15 [3] CRAN (R 4.0.3)
## readr * 1.4.0 2020-10-05 [2] CRAN (R 4.1.0)
## readxl 1.3.1 2019-03-13 [2] CRAN (R 4.1.0)
## rematch 1.0.1 2016-04-21 [2] CRAN (R 4.1.0)
## rematch2 2.1.2 2020-05-01 [3] CRAN (R 4.0.1)
## reprex 2.0.0 2021-04-02 [2] CRAN (R 4.1.0)
## rlang 0.4.10 2020-12-30 [3] CRAN (R 4.0.4)
## rmarkdown 2.6 2020-12-14 [3] CRAN (R 4.0.3)
## rprojroot 2.0.2 2020-11-15 [3] CRAN (R 4.0.3)
## rstudioapi 0.13 2020-11-12 [2] CRAN (R 4.1.0)
## rvest 1.0.0 2021-03-09 [2] CRAN (R 4.1.0)
## s2 1.0.6 2021-06-17 [2] CRAN (R 4.1.0)
## scales 1.1.1 2020-05-11 [3] CRAN (R 4.0.1)
## selectr 0.4-2 2019-11-20 [3] CRAN (R 4.0.1)
## sf * 1.0-0 2021-06-09 [2] CRAN (R 4.1.0)
## stringi * 1.5.3 2020-09-09 [3] CRAN (R 4.0.2)
## stringr * 1.4.0 2019-02-10 [3] CRAN (R 4.0.1)
## sys 3.4 2020-07-23 [2] CRAN (R 4.1.0)
## testthat 3.0.3 2021-06-16 [2] CRAN (R 4.1.0)
## tibble * 3.1.2 2021-05-16 [2] CRAN (R 4.1.0)
## tidyr * 1.1.3 2021-03-03 [2] CRAN (R 4.1.0)
## tidyselect 1.1.0 2020-05-11 [3] CRAN (R 4.0.1)
## tidyverse * 1.3.1 2021-04-15 [2] CRAN (R 4.1.0)
## tinytex 0.29 2021-01-21 [3] CRAN (R 4.0.3)
## triebeard 0.3.0 2016-08-04 [2] CRAN (R 4.1.0)
## units 0.7-2 2021-06-08 [2] CRAN (R 4.1.0)
## utf8 1.1.4 2018-05-24 [3] CRAN (R 4.0.2)
## uuid 0.1-4 2020-02-26 [2] CRAN (R 4.1.0)
## vctrs 0.3.8 2021-04-29 [2] CRAN (R 4.1.0)
## viridisLite 0.4.0 2021-04-13 [2] CRAN (R 4.1.0)
## waldo 0.2.5 2021-03-08 [2] CRAN (R 4.1.0)
## withr 2.4.2 2021-04-18 [2] CRAN (R 4.1.0)
## wk 0.4.1 2021-03-16 [2] CRAN (R 4.1.0)
## xfun 0.24 2021-06-15 [1] CRAN (R 4.1.0)
## xml2 1.3.2 2020-04-23 [3] CRAN (R 4.0.1)
## yaml 2.2.1 2020-02-01 [3] CRAN (R 4.0.1)
##
## [1] /home/bob/R/x86_64-pc-linux-gnu-library/4.1
## [2] /usr/local/lib/R/site-library
## [3] /usr/lib/R/site-library
## [4] /usr/lib/R/library