Learning Goals
In this project, youβll take on the role of a cybersecurity analyst to investigate aΒ Man-in-the-Middle (MITM) attackΒ using real-world network forensics techniques.
You will:
- Analyze packet capture (PCAP) files using tools like Wireshark and pyShark.
- Identify MITM techniques and behaviors across the OSI layers.
- Gain familiarity with application-layer protocols such asΒ HTTP,Β IRCΒ and others.
- Interpret protocol behavior through RFC documents to understand standards and anomalies.
Tools Youβll Use
- WiresharkΒ βΒ https://www.wireshark.org
Industry-standard tool for analyzing network traffic visually and in detail. - pySharkΒ βΒ https://kiminewt.github.io/pyshark/
A Python wrapper for tshark that allows programmatic packet inspection. - John the RipperΒ βΒ https://www.openwall.com/john/
A powerful password cracker used to analyze intercepted hashes or credentials. β
Protocols Youβll Explore
- HTTP (Hypertext Transfer Protocol)
- IRC (Internet Relay Chat)
RFCs You Should Review
As this is a graduate-level course, youβre expected to explore protocol specifications via official RFCs:
- RFC1459Β β Internet Relay Chat Protocol:Β https://datatracker.ietf.org/doc/html/rfc1459
- RFC2616Β β HTTP 1.1 Specification:Β https://datatracker.ietf.org/doc/html/rfc2616
Recommended Reading
To deepen your understanding of MITM techniques, consider reviewing:
- MITM Attacks in Wireless and Computer Networks β A Review
- Detection of MITM Using Physical Layer Techniques
- Large-Scale Infections of iOS Devices (iWorm)
β Final Deliverables
There areΒ twoΒ deliverables for this project, each submitted via Gradescope:
- Man in the Middle β PCAP Analysis
- A single JSON file namedΒ
project_mitm.json. - A template will be provided in the next section.
- A single JSON file namedΒ
- Man in the Middle β Programming Assignment
- Write a small program that automates part of your analysis using pyShark/tshark.
- This encourages scripting for repeatable and scalable workflows.
Ready to dive in? Head to the background and setup to begin your investigation.
Table of contents
- FAQ
- Background+Setup
- Quick Intro to Wireshark
- Flag 1
- Flag 2
- Flag 3
- Flag 4
- Flag 5
- Flag 6
- Extra Credit Background
- Submission
- Extra Credit Flag 7
π§ Background and Setup
The Situation
TheΒ Necrocryptors (TNC)Β are no ordinary hacker crew. Known across underground forums for selling stolen PII and credit card data, theyβve also made headlines with multiple high-profile data leaks. Most recently, they launched a wave ofΒ DDoS attacksΒ on U.S. infrastructureβtriggering an aggressive federal response.
Enter theΒ National Cyber Investigative Joint Task Force (NCIJTF), working hand-in-hand with the FBIβs Cyber Crime Division. Months of undercover work and silent tracking led to a breakthrough:Β captured, unencrypted communications between core TNC members.
The source of this intel? Classified. But rumor has it an insider may have flippedβor the Feds pulled off an extremely quiet man-in-the-middle operation.
π§βπΌ Your Role
You areΒ Mark, an FBI agent just back from a much-needed vacation in the Bahamas. Tan lines still fresh, you pour yourself a cup of stale office coffee when your boss,Β Bill, shouts from across the floor:
βMark! Glad youβre back. Weβve got something big. The Attorney General needs airtight evidence on the Necrocryptors. Youβve got one week. The packetβs on your desk.β
No easing back inβitβs game time.
π§° Your Mission
Youβre tasked with analyzing real network traffic associated with the TNC case. Your goals:
- Extract clear evidence of criminal activity.
- Identify the methods used by the attackers.
- Understand the protocols and patterns of communication.
- Bonus: Crack any intercepted credentials if possible.
π» Environment Setup
Youβll be using yourΒ own local setupΒ for this project. Hereβs what youβll need:
Required Tools:
- WiresharkΒ β Network protocol analyzer to inspect the PCAP files
https://www.wireshark.org - Python 3.xΒ β For automation/scripting
- pyShark or tsharkΒ β For programmatic packet analysis
https://kiminewt.github.io/pyshark/ - John the RipperΒ β Password cracker for analyzing any captured credentials
https://www.openwall.com/john/ - CyberChefΒ β A web-based βSwiss Army Knifeβ for encryption, encoding, compression, data analysis, and decoding operations
https://gchq.github.io/CyberChef/
π§ Tool Installation Instructions
To install Wireshark on Windows, please go to theΒ Wireshark WebsiteΒ Once there, you will see a page like this:

Click the correct Windows Installer (64-bit or 32-bit), depending on your OS.
Here is an example of what the 64 bit option looks like while itβs downloading in the Chrome browser. (It may look different in your browser.)

After the file finishes downloading, execute it and you will see the following screen:

Just click βNext >β on each page to install with default settings. Then you will see:

A new installation window, for Npcap, will then come up. Please continue through this Npcap installation as well to proceed with the Wireshark installation.

Once the Npcap installation is finished, the Wireshark installation should continue automatically. Once that installation is done, you will see the following:

Click βNextβ then βFinish.β Congratulations! Wireshark is now installed on your computer!
π Installing Python and pyShark
For this project, you will also need the Python interpreter which can be found here:Β Python download page
For a guided walkthrough using VScode, please refer to the following document:Β Python tutorial
Good luck!
π§ Installing Wireshark (Linux)
Inside your Linux box, Open Terminal Emulator and run the command below.Once done you may be prompted to type in the root password which you would know and βyβ to download and install all required packages. See the below image for information on this:

During the installation, if prompted, answer βYesβ for the question: βShould non-superusers be able to capture packets?β

Once the installation is complete, close the Terminal Emulator and locate Wireshark in Applications > Internet > Wireshark:

π Installing John the Ripper
John the Ripper (JtR) is a powerful, open-source password-cracking tool primarily used for security auditing and password recovery. John the Ripper is designed to detect weak passwords and poor password policies, making it a valuable tool for penetration testers, ethical hackers, and IT security auditors. It helps identify vulnerabilities in password storage mechanisms by attempting to crack hashed passwords.
Link to Download:Β Download John The Ripper
Navigate to the website. For this write up, we will be using Windows 64 bit. Click the Jumbo 64-Bit Windows Binary Zip to begin the downloadΒ 
Once the zip is downloaded and extracted, open up command prompt and cd (change directory) to the directory the extracted file is in. Once we are in the right directory, type βjohnβ. Now, you are off to the races! Take a look through the documnetation to learn through the switches.Β 
Documentation:Β Documentation for John The Ripper
Install Tips
- Windows Users: John The Ripper can easily be installed on Windows by selecting the appropriate Windows Binary (most likely 64 bit) from the site above
- Mac Users: John The Ripper can be installed on OS X or Mac OS by using the followingΒ Link Here
- If you have a Kali Linux instance, John The Ripper comes pre-built into it and you can also use it there
- You do not need the pro version for this project. The free version should be used
- Like all tools, take time reading the documentation and learning the switches and keywords
π Flag 1 β Surveillance Sweep (5 points)
βMark, letβs start simple. The AG wants to know where these clowns hang out and whoβs in the room. Itβs time to follow the chatter.β β Bill
Your first mission is reconnaissance.
According to preliminary analysis,Β The NecrocryptorsΒ have been using an old-school protocol to coordinate operations. Your job is toΒ tap into their virtual hangout, identify whoβs talking, and collect metadata to help build the case.
Use the packet capture file provided. This is a great opportunity to brush up on Wireshark filters and IRC structure.
Objectives
Task 1.1 β Find Their Hideout
- Identify theΒ IRC server addressΒ used by the hackers to communicate.
- Example:Β irc.someplace.net
- π Points: 1
Task 1.2 β Name the Actors
- Extract theΒ nicknamesΒ used by the malicious actors from the chat log.
- Format your answer in order of appearance:Β firstactor,secondactor,thirdactor
- π Points: 1
Task 1.3 β Whatβs the Channel?
- WhatΒ IRC channelΒ are the Necrocryptors using? (Channel names start withΒ
#) - Example:Β #WOW
- π Points: 1
Task 1.4 β Identity Check
- One of the actors drops aΒ hashΒ in the chatβlikely a form of identity verification. Provide the hash value.
- Example:Β a12342342bcde393202013434
- π Points: 1
Task 1.5 β Trace the Signal
- Determine theΒ country of originΒ for the last actor you identified in Flag 1.2. Use IP geolocation and traffic analysis to figure it out.
- Example:Β Egypt
- π Points: 1
π΅οΈ Tip: Donβt forget to check both directions of communication.
Once youβve completed this sweep, youβll be ready to start digging deeper into the behavior behind the chatter in Flag 2.
π Flag 2 β Digital Contraband (19 points)
βMark, weβve got something. Looks like one of them tried to pass a file under the radar. The AG wants it analyzed β yesterday.β β Bill
The Necrocryptors arenβt just chatting β theyβreΒ moving digital assets. During your last sweep, one of the actors initiated aΒ private file transfer. That payload could contain code, plans, or worse.
Your job now is to recover the file, identify how itβs protected, and extract aΒ digital fingerprintΒ that ties it back to the group β and to you.
You can useΒ Wireshark,Β pyShark, or any tooling of your choice. Use your skills and forensic intuition to piece this together.
Objectives
Task 2.1 β Who Whispered First?
- Identify theΒ malicious actorΒ who initiated the private chat (DCC) during the conversation.
- Format:Β maliciousactor
- π Points: 2
Task 2.2 β Name the File
- What is theΒ name (and extension)Β of the file transferred via IRC DCC?
- Format:Β somefile.extension
- π Points: 2
Task 2.3 β Whatβs the Cipher?
- Determine theΒ encryption algorithmΒ used to protect the file.
- Just the 3-letter name (e.g.,Β
AES,ΒDES, etc.) - π Points: 2
Task 2.4 β Executing the Payload
- After decrypting and executing the transferred file, it generates aΒ unique hash tied to your GTID. Whatβs the hash?
- Format:Β a123242342342342342934234
- π Points: 13
Tips:
- Look closely at DCC messages in the IRC stream.
Once you extract the payloadβs fingerprint, youβll have the strongest evidence yet against the group. Bill will want this on his desk ASAP.
π Flag 3 β Domain of Deceit (16 points)
βMark, we traced something weird. Thereβs a site tied to the chatter β looks harmless, but itβs spitting out cryptic hashes and numbers. Feels like a front. Go dig.β β Bill
TheΒ Bad guysΒ may be hiding in plain sight.
Buried within the network traffic is a lead: aΒ web serverΒ tied to their operation. Itβs emitting odd sequences β likely encoded data β and it might be where theyβre validating identities, issuing tokens, or even hiding command-and-control instructions.
The Attorney General wants a full breakdown β domain, infrastructure, and whatever that site spits back when given your credentials.
Objectives
Task 3.1 β Identify the Domain
- What is theΒ siteβs domain name? Include subdomains and the full TLD.
- Format:Β something.hostname.tld
- π Points: 2
Task 3.2 β Whatβs the IP?
- What is theΒ public IP addressΒ tied to the server hosting this domain?
- Format:Β 192.168.1.10
- π Points: 2
Task 3.3 β Follow the Nameserver
- Identify theΒ primary nameserverΒ associated with the domain.
- Format:Β ns-something.domain.tld
- π Points: 3
Task 3.4 β GTID Fingerprint
- Visit the site and enter yourΒ Georgia Tech IDΒ to receive aΒ unique hash. This hash will be used to track and correlate user interactions.
- Format:Β abcdef1234567890953453434
- π Points: 9
Tips:
- Use Wireshark filters likeΒ
http,Βdns, or look for base64-like patterns. - Look up DNS records using online tools or terminal commands.
- The website is safe to access β treat it like an intel drop from an undercover informant.
This server may be a key part of the Necrocryptorsβ infrastructure. Confirming its ownership and function is critical to building the case.
π Flag 4 β Final Link (27 points)
βMark, one more thing β the AG just called. Sheβs convinced thereβs another server. Said one of the actors downloaded something from it. We need to know what that was β now.β β Bill
Just when you thought you could grab another cup of coffee,Β a last-minute lead drops. Another server. Another file. One of the hackers accessed it β and the contents might just be the final nail in the case.
Your job:Β trace the server, identify how access was gained, recover the downloaded file, and analyze it for a unique fingerprint.
This is your last technical hurdle before wrapping up your investigation.
Objectives
Task 4.1 β Locate the Server
- What is theΒ IP addressΒ of the server in question?
- Format:Β 192.168.8.7
- π Points: 2
Task 4.2 β Username
- WhatΒ usernameΒ was used to access the server?
- π Points: 4
Task 4.3 β Password
- WhatΒ passwordΒ was used to log in?
- π Points: 4
Task 4.4 β What Was Downloaded?
- Identify theΒ name of the fileΒ that was pulled from the server.
- π Points: 3
Task 4.5 β Language of the Beast
- WhatΒ programming languageΒ was the file written in?
- π Points: 5
Task 4.6 β Hash of Justice
- If you run the file, youβll generate aΒ unique hash tied to your GTID.
- Format:Β 12123123129413249121249aa
- π Points: 9
π΅οΈββοΈΒ Tips:
- Watch for FTP, SCP, or HTTP file transfers.
- Look closely at authentication exchanges.
- Donβt forget your reverse engineering instincts β the code may speak for itself.
This may be the final digital trace connecting the Necrocryptors to something bigger. The AG is counting on you.
π Flag 5 β Final Stretch & Automation (18 points)
βMark, youβre not done yet. They launched a new site. Totally unrelated to Azureβ¦ but everything to do with breaking things.β β The Attorney General
Exhausted but relentless, youβre handed one last assignment β and itβs weird. The AG wants you to investigate a suspicious site:
http://www.didbastionbreak.com:5000
Apparently, itβs some hacker-themed trap disguised as a joke about firewalls. But itβs not funny β itβs hiding encrypted content, and the AG wants you to crack it.
Once thatβs done, your phone buzzesβ¦
βMark, great job so far! But letβs make sure you never have to do all of this by hand againβ¦β
Here we go.
Objectives
Task 5.1 β GTID Hash (Web App)
- Visit the website and find the page that outputs a hash when you input your GTID. Find theΒ flag labeled 5.1.
- Format:Β tr95843fkdspugr8euyre0gfd
- π Points: 2
Task 5.2 β Crack the Zip
- On the homepage, click the blue βDownload the Zipβ button. Youβll get a password-protected zip file. UseΒ John the RipperΒ to crack it. Provide the password once you retrieve it.
- Hint: The password isΒ up to seven digits long.
- π Points: 10
Task 5.3 β Run and Reveal
- After unzipping the file with the cracked password, youβll find a program inside. Run the program. It will return a hash. What is the hash?
- Format:Β 58437594ejgfdiohr8e054309
- π Points: 6
Epilogue: Automate or Die Trying
Just as you close your laptop, your phone rings.
ItβsΒ Bill. Of course it is.
βMark, great job so far! I was thinking β weβre gonna do this kind of work a lot more. Why donβt we start building a Python class to automate some of these analysis tasks?β
You squint. ββ¦When you sayΒ we, you meanΒ me, right?β
βOf course not! I already started a skeleton class for you. You just need to build three small functions.β
Before you can reply, he sends over a zip file: it contains a base Python class and a past attack PCAP.
Your mission (yes, still going):Β write the code, build the functions, and prepare for the next breach.
β No rest for the cyber-defenders.
π Flag 6 β Automation Begins (15 points)
βMark, itβs time to level up. No more clicking around Wireshark forever. Start building tools β future-you will thank you.β β Bill
Your investigation is complete β almost.
The AG was impressed. Billβs already bragging about your work to other divisions. But before you ride off into digital sunset, thereβs one last task:Β automate what youβve learned.
Youβve been sent two files:
pcapanalysis.py: the starter Python classflag6.pcap: a capture from a past operation
Your job is to complete three methods in the class usingΒ pyShark, creating a mini-forensics toolkit.
Function Skeleton
Below is the structure of the Python class youβre working with. Youβll fill in the logic for each function.
# Task 1: Return number of ICMP packets
def icmp_count(self):
n = 0
# TODO: Implement me
return n
# Task 2: Return number of Echo Requests (r) and Echo Replies (a)
def icmp_request_reply(self):
r = 0
a = 0
# TODO: Implement me
return r, a
# Task 3: Return most common destination MAC (m) and its count (n)
def dest_mac(self):
m, n = 0, 0
# TODO: Implement me
return m, n
Make sure you run the class like this:
if __name__ == '__main__':
pcap_analysis = MITMProject()
icmp_count = pcap_analysis.icmp_count()
request, reply = pcap_analysis.icmp_request_reply()
dest_mac, occurences = pcap_analysis.dest_mac()
print("Number of ICMP Packets : ", icmp_count)
print("Number of ICMP Requests and Replies : ", request, reply)
print("Most Common MAC Address and Number of Occurrences: ", dest_mac, occurences)
Setup Notes
Make sure youβve installed theΒ pysharkΒ package and its dependency,Β tshark.
Update your GTID at the top ofΒ pcapanalysis.py:
# TODO: Change this to YOUR Georgia Tech ID!!!
self.student_id = '900000000'
π«Β Do not add or change import statementsΒ β the autograder will ignore unapproved libraries.
Deliverables
Task 6.1 β Count ICMP Packets
- CompleteΒ
icmp_count()Β so it returns the total number of ICMP packets. - π Points: 3
Task 6.2 β Requests & Replies
- CompleteΒ
icmp_request_reply()Β so it returns:r: number of Echo Requestsa: number of Echo Replies
- π Points: 5
Task 6.3 β MAC Attack
- CompleteΒ
dest_mac()Β to return:m: most common destination MAC addressn: number of times it appeared
- π Points: 7
π When you finish this, your toolkit will be ready for future cases β and future agents.
Billβs already calling this theΒ Mark Protocol.
print("Automation engaged. Mission complete.")







