Solving Sherlock: Vantage
📰 Medium · Cybersecurity
Learn to solve network forensics challenges using tools like Wireshark by analyzing packet capture files and identifying attacker tools and actions.
Action Steps
- Use Wireshark to analyze packet capture files from a web server and a controller node.
- Filter HTTP requests using the http.user_agent filter to identify the tool used by the attacker.
- Look for unusual User-Agent headers to determine the attacker's tool and version.
- Analyze DNS requests to identify subdomains discovered by the attacker.
- Use the findings to trace the attacker's actions, up to the creation of a persistence account.
Who Needs to Know This
Network security professionals and incident responders can benefit from this tutorial to improve their skills in analyzing network traffic and identifying potential security threats.
Key Insight
💡 Analyzing packet capture files with Wireshark can help identify attacker tools and actions, such as web fuzzing and subdomain discovery.
Full Article
Title: Solving Sherlock: Vantage
URL Source: https://0xseeker.medium.com/solving-sherlock-vantage-12eeb5cc1e1c?source=rss------cybersecurity-5
Published Time: 2026-04-28T22:38:48Z
# Solving Sherlock: Vantage
[OxSEEKER](https://0xseeker.medium.com/?source=post_page---byline--12eeb5cc1e1c---------------------------------------)
**Category:** Network Forensics | **Tools:** Wireshark | **Files:** Two `.pcap` files
## Overview
This challenge involved two packet capture files, one from a web server and one from a controller node, covering an attack on an OpenStack cloud environment. The goal was to trace exactly what the attacker did, from their first probe all the way to creating a persistence account.
## Task 1 — What tool did the attacker use to fuzz the web server?
When web fuzzing tools send HTTP requests, they usually include their name and version in the **User-Agent** header. That’s the first place to look.
**Filter used:**
`http.user_agent`
Screenshot of the filtered packets
Looking through the results, one User-Agent immediately stood out:
> `Fuzz Faster U Fool v2.1.0-dev`
That’s **ffuf**, a popular web fuzzing tool, and the version is right there in the string.
**Answer:** `ffuf@2.1.0-dev`
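
As an added example (not part of the original write-up), the Python below applies the same User-Agent check to request heads already extracted from a capture and normalises the ffuf banner to the `tool@version` form used in the answer. The sample requests, IP addresses and host name are constructed; because the header is client-controlled, the summary also counts distinct paths per source as corroboration.

```python
import re
from collections import Counter, defaultdict

# ffuf's default User-Agent banner, as seen in the capture on this page.
FFUF_UA = re.compile(r"^Fuzz Faster U Fool v(?P<version>\S+)$")

def user_agent(raw: bytes):
    """Return the User-Agent value from a raw request head, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            return value.strip()
    return None

def request_path(raw: bytes) -> str:  # request target, '' if the line is malformed
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return parts[1] if len(parts) > 1 else ""

def identify_tool(ua):
    """Normalise the ffuf banner to 'ffuf@<version>'; None for anything else."""
    m = FFUF_UA.match(ua or "")
    return f"ffuf@{m['version']}" if m else None

def summarize(requests):
    """Per source IP: User-Agent counts, distinct paths, identified tools."""
    out = defaultdict(lambda: {"agents": Counter(), "paths": set(), "tools": set()})
    for src, raw in requests:
        ua = user_agent(raw)
        out[src]["agents"][ua or "<none>"] += 1
        out[src]["paths"].add(request_path(raw))
        out[src]["tools"].update(filter(None, [identify_tool(ua)]))
    return dict(out)

def _req(path, ua=None, header="User-Agent"):  # builds a constructed request head
    ua_line = f"{header}: {ua}\r\n" if ua else ""
    return f"GET {path} HTTP/1.1\r\nHost: web.example\r\n{ua_line}\r\n".encode()

# Constructed sample (documentation IPs, made-up host and paths).
SAMPLE = (
    [("198.51.100.7", _req(f"/{w}", "Fuzz Faster U Fool v2.1.0-dev", "user-agent"))
     for w in ("admin", "backup", "login", "api")]
    + [("203.0.113.20", _req("/", "Mozilla/5.0 (X11; Linux x86_64)"))] * 2
    + [("203.0.113.21", _req("/health"))]
)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, dict(info["agents"]), len(info["paths"]), sorted(info["tools"]))
```
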
## Task 2 — What subdomain did the attacker discover?
When ffuf fuzzes subdomains, it sends