Solving Sherlock: Vantage

📰 Medium · Cybersecurity

Learn to solve network forensics challenges using tools like Wireshark by analyzing packet capture files and identifying attacker tools and actions.

intermediate Published 28 Apr 2026
Action Steps
  1. Use Wireshark to analyze packet capture files from a web server and a controller node.
  2. Filter HTTP requests using the http.user_agent filter to identify the tool used by the attacker.
  3. Look for unusual User-Agent headers to determine the attacker's tool and version.
  4. Analyze DNS requests to identify subdomains discovered by the attacker.
  5. Use the findings to trace the attacker's actions, up to the point where they create a persistence account.
Who Needs to Know This

Network security professionals and incident responders can benefit from this tutorial to improve their skills in analyzing network traffic and identifying potential security threats.

Key Insight

💡 Analyzing packet capture files with Wireshark can help identify attacker tools and actions, such as web fuzzing and subdomain discovery.

Full Article

Title: Solving Sherlock: Vantage

URL Source: https://0xseeker.medium.com/solving-sherlock-vantage-12eeb5cc1e1c?source=rss------cybersecurity-5

Published Time: 2026-04-28T22:38:48Z

# Solving Sherlock: Vantage

[OxSEEKER](https://0xseeker.medium.com/?source=post_page---byline--12eeb5cc1e1c---------------------------------------)

**Category:** Network Forensics | **Tools:** Wireshark | **Files:** Two `.pcap` files

## Overview

This challenge involved two packet capture files, one from a web server and one from a controller node, covering an attack on an OpenStack cloud environment. The goal was to trace exactly what the attacker did, from their first probe all the way to creating a persistence account.

## Task 1 — What tool did the attacker use to fuzz the web server?

When web fuzzing tools send HTTP requests, they usually include their name and version in the **User-Agent** header. That’s the first place to look.

**Filter used:**

```
http.user_agent
```

![Image 3](https://miro.medium.com/v2/resize:fit:700/1*7yv8TE-yzfar4iYZAXeB1A.png)

Screenshot of packet filtered

Looking through the results, one User-Agent immediately stood out:

> `Fuzz Faster U Fool v2.1.0-dev`

That’s **ffuf**, a popular web fuzzing tool, and the version is right there in the string.

**Answer:** `ffuf@2.1.0-dev`
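On a large capture, the same check can be scripted instead of scrolled through. The following is an added example, not code from the original write-up: it ranks (source IP, User-Agent) pairs from tshark field output and, because the header is client-controlled, also flags clients by how many distinct URIs they request. The function names, the threshold, the sample rows and the signature entries other than the ffuf string are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Default User-Agent markers. "Fuzz Faster U Fool" is the string from this
# page; the other entries are an illustrative, non-exhaustive addition.
TOOL_SIGNATURES = {
    "ffuf": re.compile(r"Fuzz Faster U Fool v(?P<ver>\S+)"),
    "gobuster": re.compile(r"gobuster/(?P<ver>\S+)"),
    "sqlmap": re.compile(r"sqlmap/(?P<ver>[^\s#]+)"),
}

def identify_tool(user_agent):
    """Return 'name@version' if the User-Agent matches a known tool, else None."""
    for name, pattern in TOOL_SIGNATURES.items():
        match = pattern.search(user_agent)
        if match:
            return f"{name}@{match.group('ver')}"
    return None

# Input rows come from (one HTTP request per line, tab-separated):
#   tshark -r <capture> -Y http.request -T fields -e ip.src -e http.user_agent -e http.request.uri
def summarize(tsv_lines, distinct_uri_threshold=100):
    """Rank (source IP, User-Agent) pairs by request count, busiest first."""
    stats = defaultdict(lambda: {"requests": 0, "uris": set()})
    for line in tsv_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue  # skip malformed rows
        src, user_agent, uri = fields
        stats[(src, user_agent)]["requests"] += 1
        stats[(src, user_agent)]["uris"].add(uri)
    report = [
        {"src": src, "user_agent": ua, "requests": s["requests"],
         "tool": identify_tool(ua),
         # A fuzzer can send a browser User-Agent, so also flag by behaviour.
         "many_uris": len(s["uris"]) >= distinct_uri_threshold}
        for (src, ua), s in stats.items()
    ]
    return sorted(report, key=lambda r: r["requests"], reverse=True)

# Constructed sample rows (documentation addresses, not from the challenge pcap).
SAMPLE = (
    [f"198.51.100.7\tFuzz Faster U Fool v2.1.0-dev\t/{w}" for w in range(150)]
    + [f"198.51.100.9\tMozilla/5.0 (X11; Linux x86_64)\t/probe{w}" for w in range(120)]
    + ["192.0.2.10\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t/index.html"] * 4
)

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

The second constructed client sends a browser User-Agent but still requests 120 distinct paths, so it is flagged by `many_uris` even though `tool` is `None`.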

## Task 2 — What subdomain did the attacker discover?

When ffuf fuzzes subdomains, it sends