Wireshark Capture the Flag (CTF)

Wireshark Capture the Flag (CTF) – Teacher Guide & Student Handout

This post contains a complete Wireshark-based Capture the Flag (CTF) activity suitable for high school students who are new to cybersecurity. It includes:

• Teacher Guide – detailed, step-by-step instructions to generate the PCAP and run the activity.
• Student Handout – ready to print or share digitally.

---

🧑‍🏫 TEACHER GUIDE – Wireshark CTF in One PCAP

1. Purpose and Overview

This activity is a guided Capture The Flag (CTF) using a single Wireshark capture file that contains:

• Realistic background network traffic (“noise”)
• Seven embedded challenges, each hiding a FLAG{...} string

Students will:

• Learn basic Wireshark navigation and filters
• Inspect ICMP, DNS, HTTP, FTP, ARP/DHCP
• Extract files from network captures
• Understand why cleartext protocols (FTP, HTTP, basic auth) are insecure

This guide explains:

1. How to prepare the environment
2. Step-by-step commands to generate the PCAP
3. How to verify each challenge is present
4. How to run the activity with students
5. Full answer key

2. Technical Prerequisites

You’ll need:

1. One Linux machine or VM to generate the PCAP:
   • Ubuntu / Debian works great
   • Needs internet access (optional but helpful for realistic DNS/web noise)
2. Installed software on that machine:
   • tcpdump (for capturing)
   • python3 & pip
   • Wireshark (for verification)
   • Optional but recommended: curl, dig (DNS client), ftp, hostnamectl
3. For the classroom:
   • Each student or team has Wireshark installed
   • A copy of the final final_ctf.pcapng
   • Projector/whiteboard to explain protocol concepts

Note: All traffic you generate is synthetic and local. You’re not hacking anything; you’re simulating traffic to be analyzed offline later.

3. High-Level Build Plan

You will:

1. Start a single long-running capture: final_ctf.pcapng
2. Generate:
   • Background noise (pings, normal HTTP/HTTPS, DNS)
   • Seven challenge sequences:
     • ICMP flag
     • HTTP POST with flag in password
     • ARP/DHCP network mapping
     • DNS exfil-style queries
     • HTTP image download
     • FTP private key transfer
     • HTTP Basic Auth credential leak
   • More background noise interspersed
3. Stop the capture
4. Verify each challenge in Wireshark
5. Distribute the final_ctf.pcapng plus the Student Handout
6. Use the answer key (at the end of this guide) for grading and hints

4. Environment Setup (Once)

On your Linux CTF-builder machine, run:

sudo apt update
sudo apt install -y tcpdump curl dnsutils ftp python3 python3-pip

Install Python libraries:

pip install flask pyftpdlib

Confirm Wireshark is installed (or install via GUI / package manager).

5. Start the Master Capture

1. Identify your main network interface:

   ip addr
   

   Look for something like eth0, ens33, or wlan0.
   In this guide, we’ll use eth0. Replace it as needed.

2. Start the capture:

   sudo tcpdump -i eth0 -w final_ctf.pcapng
   

   Leave this terminal open and running. Everything you do now will be recorded.

6. Generate Realistic Background Noise

You can sprinkle these before, between, and after challenges.

6.1 ICMP Noise (Pings)

ping -c 10 8.8.8.8 &
ping -c 10 1.1.1.1 &

6.2 HTTP & HTTPS Noise

curl http://example.com > /dev/null 2>&1
curl http://neverssl.com > /dev/null 2>&1
curl https://www.debian.org > /dev/null 2>&1
curl https://www.python.org > /dev/null 2>&1

6.3 DNS Noise

dig google.com
dig wikipedia.org
dig schooldistrict.local

You can repeat noise periodically between challenges.

7. Generate Each Challenge (Step-by-Step)

You can do these in any order, but following this sequence makes your answer key easier to manage.

Challenge 1 – ICMP “Curious Ping”

Goal for students: Find a flag hidden in the payload of an ICMP echo request.

Flag: FLAG{CURIOUS_PING}

Command:

ping -c 1 -p 464C41477B435552494F55535F50494E477D 8.8.8.8

The hex payload decodes to ASCII FLAG{CURIOUS_PING}.

Verify later:

1. Open final_ctf.pcapng in Wireshark.
2. Filter: icmp.
3. Click the ICMP Echo Request to 8.8.8.8.
4. Expand ICMP → Data and confirm the hex matches the flag.

Challenge 2 – HTTP POST “Forgotten Login”

Goal: Use “Follow TCP Stream” to find a flag hidden in HTTP POST parameters.

Flag: FLAG{FOLLOW_THE_STREAM}

7.2.1 Run a Simple HTTP Server

mkdir -p /tmp/ctf_http && cd /tmp/ctf_http
python3 -m http.server 8080 &

7.2.2 Generate the POST Request

curl -X POST \
  -d "username=student&password=FLAG{FOLLOW_THE_STREAM}" \
  http://localhost:8080/login

Verify later:

1. Filter: http && tcp.port == 8080.
2. Find the HTTP POST /login packet.
3. Right-click → Follow → TCP Stream.
4. Look for: username=student&password=FLAG{FOLLOW_THE_STREAM}.

Challenge 3 – ARP/DHCP “Who’s in the Network?”

Goal: Observe ARP and DHCP to see devices and recognize a suspicious hostname.

Flag (conceptual, from hostname/clue): FLAG{EVIL_HAXOR}

7.3.1 Create ARP/DHCP Traffic

sudo dhclient -r
sudo dhclient

This generates DHCP/BOOTP and ARP traffic as it requests an IP.
If you have multiple machines, repeat similar operations on them to create a richer ARP table.

7.3.2 (Optional) Set Suspicious Hostname

sudo hostnamectl set-hostname EVIL-HAXOR-666

Then generate a bit more traffic (pings, web requests).

Verify later:

1. Filter: bootp || dhcp to see DHCP traffic.
2. Filter: arp to see IP/MAC mapping.
3. If your DHCP implementation reveals hostname, look for EVIL-HAXOR-666 in DHCP options.
   Otherwise, treat it as a narrative clue: the rogue host is named EVIL-HAXOR-666, so the flag is FLAG{EVIL_HAXOR}.

Challenge 4 – DNS “Conspiracy Queries”

Goal: Spot suspicious DNS queries and reconstruct a fragmented flag.

Flag: FLAG{THIS_DNS_CONSPIRACY}

Split into three queries:

dig FLAG{THIS_.example.com
dig DNS_CONS.example.com
dig PIRACY}.example.com

Verify later:

1. Filter: dns.
2. Look at the Query Name column.
3. You should see:
   • FLAG{THIS_.example.com
   • DNS_CONS.example.com
   • PIRACY}.example.com
4. Students reconstruct the full flag: FLAG{THIS_DNS_CONSPIRACY}.

Challenge 5 – HTTP File “Lost Photo”

Goal: Export HTTP objects and recover a file (image) that contains the flag.

Flag inside the image: FLAG{HTTP_OBJECT_EXTRACT}

7.5.1 Prepare an Image

1. Pick any JPEG (e.g., school logo).
2. Add visible text: FLAG{HTTP_OBJECT_EXTRACT}.
3. Save it as mascot.jpg.

Serve it:

mkdir -p /tmp/ctf_http2
cp mascot.jpg /tmp/ctf_http2/
cd /tmp/ctf_http2
python3 -m http.server 8081 &

7.5.2 Generate the Download

curl http://localhost:8081/mascot.jpg > /dev/null

Verify later:

1. Filter: http && tcp.port == 8081.
2. Go to File → Export Objects → HTTP.
3. Find and save mascot.jpg.
4. Open it and confirm the flag text is visible.

Challenge 6 – FTP “Leaky Key”

Goal: See how FTP transfers a private key in cleartext and extract the flag from that file.

Flag in file: FLAG{FTP_LEAKED_PRIVATE_KEY}

7.6.1 Set Up FTP Server

mkdir -p /tmp/ftp_home
cat > /tmp/ftp_home/id_rsa << 'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA...
... (any dummy key-like text is fine) ...
-----END OPENSSH PRIVATE KEY-----
# FLAG{FTP_LEAKED_PRIVATE_KEY}
EOF

Create ftp_server.py:

from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer

authorizer = DummyAuthorizer()
authorizer.add_user("testuser", "p@ssw0rd", "/tmp/ftp_home", perm="elradfmw")

handler = FTPHandler
handler.authorizer = authorizer

server = FTPServer(("0.0.0.0", 2121), handler)
server.serve_forever()

Run it:

python3 ftp_server.py &

7.6.2 Perform FTP Transfer

ftp localhost 2121 <<EOF
user testuser p@ssw0rd
binary
get id_rsa
bye
EOF

Verify later:

1. Filter: ftp || ftp-data.
2. Go to File → Export Objects → FTP.
3. Save id_rsa.
4. Open it and confirm the last line contains the flag.

Challenge 7 – HTTP Basic Auth “Secret Password”

Goal: Recognize HTTP Basic Auth, decode credentials, and see the flag in the password.

Flag (as password): FLAG{PASSWORD_IN_BASIC_AUTH}

7.7.1 Create Basic Auth Web Server

Create basic_auth_server.py:

from flask import Flask, Response, request

app = Flask(__name__)

@app.route("/secret")
def secret():
    auth = request.authorization
    if not auth:
        return Response("Auth required", status=401)
    return f"Welcome {auth.username}"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5001)

Run it:

python3 basic_auth_server.py &

7.7.2 Send Request with Flag as Password

curl -u admin:FLAG{PASSWORD_IN_BASIC_AUTH} http://localhost:5001/secret

Verify later:

1. Filter: http && tcp.port == 5001.
2. Find the HTTP GET /secret.
3. Inspect the HTTP headers for Authorization: Basic ....
4. Wireshark may show the decoded credentials directly (or students can base64-decode). The password will be FLAG{PASSWORD_IN_BASIC_AUTH}.

8. Stop Capture and Save

When all challenges and noise are done, return to the tcpdump terminal and press:

Ctrl + C

You should now have final_ctf.pcapng in your working directory. Make a backup copy somewhere safe.

9. Distribution to Students

• Copy final_ctf.pcapng to each lab machine (USB, shared drive, LMS, etc.).
• Provide them with the Student Handout (below).
• Optionally, tell them: “There are 7 flags hidden in this file. Each flag looks like FLAG{SOME_TEXT_HERE}.”

10. Running the Activity

Suggested structure for a 50–90 minute session:

1. Intro (10–15 minutes)
   • What is Wireshark?
   • What is a “flag”?
   • Show basic Wireshark navigation:
     • Open a PCAP
     • Use the filter bar (e.g., icmp, http)
     • Understand packet list, details, and bytes panes
2. Guided first challenge (10 minutes) – Solve the ICMP challenge together as a class.
3. Independent/Team work (30–50 minutes) – Let students hunt for the remaining 6 flags. Offer hints over time.
4. Debrief (10–15 minutes) – Discuss why unencrypted protocols are dangerous and what secure alternatives exist.

11. Suggested Hints (Optional)

• Hint 1: Some flags are in ICMP and DNS. Look for unusual values.
• Hint 2: Some flags hide in web traffic. Watch for HTTP POST/GET requests.
• Hint 3: One file contains a private key.
• Hint 4: One password itself is the flag. Look for “Authorization: Basic”.

12. Scoring (Suggested)

• Challenge 1 (ICMP): 10 points
• Challenge 2 (HTTP POST): 15 points
• Challenge 3 (ARP/DHCP): 15 points
• Challenge 4 (DNS): 20 points
• Challenge 5 (HTTP image): 15 points
• Challenge 6 (FTP key): 15 points
• Challenge 7 (Basic Auth): 10 points

Total: 100 points

13. Answer Key (For Teacher Only)

1. ICMP Curious Ping
   Filter: icmp
   Location: ICMP Echo Request data
   Flag: FLAG{CURIOUS_PING}
2. HTTP POST – Forgotten Login
   Filter: http && tcp.port == 8080
   Action: Follow TCP Stream of POST /login
   Flag: FLAG{FOLLOW_THE_STREAM}
3. ARP/DHCP – Who’s in the Network?
   Filters: arp, bootp || dhcp
   Concept: suspicious hostname EVIL-HAXOR-666
   Flag: FLAG{EVIL_HAXOR}
4. DNS – Conspiracy
   Filter: dns
   Reassemble from query names:
   FLAG{THIS_ + DNS_CONS + PIRACY}
   Flag: FLAG{THIS_DNS_CONSPIRACY}
5. HTTP Image – Lost Photo
   Filter: http && tcp.port == 8081
   Export Objects → HTTP → mascot.jpg
   Flag text in image: FLAG{HTTP_OBJECT_EXTRACT}
6. FTP – Leaky Key
   Filter: ftp || ftp-data
   Export Objects → FTP → id_rsa
   Flag in last line: FLAG{FTP_LEAKED_PRIVATE_KEY}
7. HTTP Basic Auth – Secret Password
   Filter: http && tcp.port == 5001
   Check Authorization header / decoded creds:
   admin:FLAG{PASSWORD_IN_BASIC_AUTH}
   Flag: FLAG{PASSWORD_IN_BASIC_AUTH}

---

🧑‍🎓 STUDENT HANDOUT – Wireshark Capture The Flag

Title: “Mystery on the Network: A Wireshark CTF”

1. Scenario

Your school’s network has captured a mysterious packet trace. Inside this captured traffic are seven hidden flags.

Each flag looks like this:

FLAG{SOME_TEXT_HERE}

Your mission is to find as many flags as you can using Wireshark.

2. What You Need

• Wireshark installed on your computer
• The capture file: final_ctf.pcapng
• A teammate or two (optional but encouraged)
• This handout

3. Getting Started

1. Open Wireshark.
2. Go to File → Open… and select final_ctf.pcapng.
3. Notice the three main parts:
   • Top pane: list of packets
   • Middle pane: details of the selected packet
   • Bottom pane: raw bytes (hex and ASCII)

4. Helpful Wireshark Tips

4.1 Display Filter Bar

At the top of Wireshark is a filter bar. You can type conditions there to show only certain types of traffic. Examples:

• icmp – only pings
• dns – only DNS traffic
• http – only HTTP traffic
• ftp || ftp-data – both FTP control and data
• arp – ARP traffic
• bootp || dhcp – DHCP traffic

After typing a filter, press Enter to apply it.

4.2 Following Streams

Sometimes a flag is hidden in a conversation, not just one packet.

1. Right-click a packet (e.g., an HTTP or FTP packet).
2. Choose “Follow → TCP Stream”.
3. A new window will show the reconstructed conversation.
4. Look for usernames, passwords, or FLAG{...} strings.

4.3 Exporting Objects (Files)

Some flags are hidden in files transmitted over the network.

1. In Wireshark, go to File → Export Objects.
2. Choose the appropriate protocol:
   • HTTP for web files (like images)
   • FTP for files transferred over FTP
3. Select a file from the list (e.g., mascot.jpg or id_rsa).
4. Click “Save”, then open the file on your computer.
5. Look inside it for a FLAG{...}.

5. Your Objectives

There are seven flags total. They are hidden across different protocols and methods, including:

• ICMP (ping) traffic
• HTTP web traffic (including forms and images)
• FTP file transfer
• DNS queries
• ARP/DHCP network discovery traffic
• HTTP Basic Authentication headers

You do not need to guess or brute force anything; every flag is plainly visible somewhere in the data if you look in the right place.

6. Suggested Hunt Order (Optional)

If you’re new to Wireshark, try this sequence:

1. ICMP Flag
   Filter: icmp
   Look at the contents/payload of the ping packets.
2. HTTP Login Flag
   Filter: http
   Look for POST requests with form data (e.g., username=...&password=...).
3. DNS Flag
   Filter: dns
   Look for suspicious or unusual domain names that look like parts of a message.
4. HTTP File (Image) Flag
   Filter: http
   Use File → Export Objects → HTTP and open any saved files (especially images).
5. FTP Key Flag
   Filter: ftp || ftp-data
   Use File → Export Objects → FTP to save files and inspect them.
6. HTTP Basic Auth Flag
   Filter: http
   Look at headers for Authorization: Basic ... and see whether Wireshark shows decoded usernames/passwords.
7. Network Mapping / ARP/DHCP Flag
   Filters: arp and bootp || dhcp
   Think about how many devices are on the network and whether any hostnames look suspicious.

7. Recording Your Answers

Use a table like this to track your discoveries:

#	Protocol / Clue	Filter Used	Where You Found It (packet / stream / file)	Flag
1
2
3
4
5
6
7

Make sure to write the flags exactly as they appear (capitalization, braces, underscores).

8. Rules & Expectations

• Do not modify, attack, or scan any real systems. This is a closed, offline exercise.
• Work individually or in small teams as allowed by your teacher.
• Ask for hints if you get stuck, but try exploring filters and menus first.
• Be prepared to share which protocol the flag was in and how you discovered it.

9. Reflection Questions

After the activity, be ready to discuss:

1. Which protocol made it easiest to find sensitive information?
2. What surprised you most about how much you can see in plain text?
3. How do encryption and secure protocols (like HTTPS instead of HTTP, SFTP instead of FTP) change this picture?
4. If you were defending a network, what would you do differently after seeing this capture?

Good luck, and happy hunting!