TryHackMe Protocols and Servers - 2 Walkthrough | Telnet, TCPDump, MITM, TLS, SSH & Hydra

Published: 7 Jan 2026

5-min read







Task 1: Introduction

We suggest that you start the AttackBox and the virtual machine as you proceed to tackle the following tasks. You can connect to the different services over Telnet or Netcat for better practice and learning experience.
Simply click Check.



Task 2: Sniffing Attack

Q1. What do you need to add to the command sudo tcpdump to capture only Telnet traffic?
A1. port 23

Q2. What is the simplest display filter you can use with Wireshark to show only IMAP traffic?
A2. imap

Explanation

This filter displays only packets related to the IMAP (Internet Message Access Protocol) protocol.

tcpdump is a command-line tool used to capture and analyze network traffic. 👉 It shows what data (packets) are coming in and going out of your computer.

📌 What it is used for
  • Troubleshooting network problems
  • Monitoring traffic
  • Analyzing suspicious activity
  • Capturing packets for cybersecurity investigations
Syntax

tcpdump -i eth0          # Capture traffic on interface eth0
tcpdump -i any           # Capture on all interfaces
tcpdump -nn              # Do not resolve names (faster)
tcpdump -r file.pcap     # Read from saved capture file
tcpdump -w file.pcap     # Save capture to file
tcpdump port 80          # Capture HTTP traffic
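To make the two filter answers concrete, here is an added example (not code from the room or from the tcpdump/Wireshark projects) that builds a handful of Ethernet/IPv4/TCP frames in memory and runs a BPF-style `port` filter over them. It shows why `port 23` keeps both directions of a Telnet session, and why the payload of an unencrypted protocol is readable as-is by anyone holding the capture. The `imap` display filter is approximated as port 143, which is the port Wireshark's IMAP dissector is registered on by default; all addresses, ports and payloads are constructed for the example.

```python
"""Added example (not part of the TryHackMe room): what tcpdump's capture
filter `port 23` and Wireshark's `imap` display filter actually select.
A few Ethernet/IPv4/TCP frames are built in memory and run through a
BPF-style port filter; addresses and payloads are constructed, not captured."""
import struct

TELNET_PORT, IMAP_PORT, HTTP_PORT = 23, 143, 80


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II + IPv4 + TCP frame (checksums left zero; enough to parse)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)              # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0,                                   # TTL 64, protocol 6 = TCP
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for IPv4/TCP, else None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[9] != 6:                                               # not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
            sport, dport, tcp[data_off:])


def matches_port(frame, port):
    """tcpdump `port N` semantics: N may be the source OR the destination port,
    so both directions of a Telnet session are kept."""
    parsed = parse_frame(frame)
    return parsed is not None and port in (parsed[2], parsed[3])


def filter_port(frames, port):
    return [f for f in frames if matches_port(f, port)]


def cleartext_payloads(frames, port):
    """What a sniffer sees on an unencrypted protocol: the application data as sent."""
    return [parse_frame(f)[4] for f in filter_port(frames, port)]


# Constructed sample traffic: a Telnet login, an IMAP login and an HTTP request.
FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, TELNET_PORT, b"alice\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", TELNET_PORT, 40001, b"Password: "),
    build_frame("10.0.0.5", "10.0.0.9", 40001, TELNET_PORT, b"hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, IMAP_PORT, b"a1 LOGIN alice hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40003, HTTP_PORT, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for data in cleartext_payloads(FRAMES, TELNET_PORT):
        print("telnet:", data)
    print("imap frames:", len(filter_port(FRAMES, IMAP_PORT)))
```

Running it prints the three Telnet payloads, including the password, exactly as they crossed the wire, which is the whole point of the sniffing task: the fix is not a better filter but moving the service to SSH, IMAPS or another TLS-protected protocol.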


Task 3: Man-in-the-Middle (MITM) Attack

Q1. How many different interfaces does Ettercap offer?
A1. 3

Q2. In how many ways can you invoke Bettercap?
A2. 3

  1. Interactive mode
  2. Command mode (-eval)
  3. Using a caplet (script file)
Ettercap

Ettercap is a tool used to analyze and manipulate network traffic, mainly in local networks (LAN). It is commonly used in cybersecurity testing.

📌 What Ettercap can do
  • Perform Man-in-the-Middle (MITM) attacks
  • Capture usernames and passwords (if not encrypted)
  • Monitor network traffic
  • Perform ARP poisoning

Ettercap offers 3 different interfaces:

  1. Graphical User Interface (GUI)
  2. Text-based Interface (TUI / ncurses)
  3. Command-Line Interface (CLI)
General Syntax

ettercap [options] [targets]
•  -T → Text interface
•  -G → Graphical interface
•  -i → Select network interface
•  -M → Choose MITM attack type
•  -w file.pcap → Save captured data


Bettercap

Bettercap is a powerful network attack and monitoring tool used in cybersecurity testing. It is a modern replacement for older tools like Ettercap.

What Bettercap Can Do
  • Perform Man-in-the-Middle (MITM) attacks
  • ARP spoofing
  • DNS spoofing
  • Sniff network traffic
  • Capture credentials
  • WiFi network attacks
  • Bluetooth attacks


Task 4: Transport Layer Security (TLS)

Q. DNS can also be secured using TLS. What is the three-letter acronym of the DNS protocol that uses TLS?
A. DoT

Explanation:

This is the handshake phase, where the secure connection is created.

Step-by-step:

  1. Client Hello
    • Browser sends supported TLS versions
    • Browser sends supported encryption methods
  2. Server Hello
    • Server replies with chosen encryption method
    • Server sends its SSL/TLS certificate
  3. Certificate Verification
    • Browser checks if certificate is valid
    • Browser verifies if it is signed by a trusted authority
  4. Key Exchange
    • Client and server create a shared secret key
    • This key is used for encryption

Now the secure channel is established 🔐
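The four steps above are easier to follow with the two sides written out, so here is an added simulation of steps 1, 2 and 4; it is illustration code, not a TLS implementation and not from the room. Step 3 is left out because certificate verification needs signature checking, which the Python standard library does not provide. The key exchange uses finite-field Diffie-Hellman over the 2048-bit MODP group 14 prime from RFC 3526 (TLS 1.3 uses its own ffdhe groups and, more often, elliptic curves, but the mechanism is the same), and the shared secret is expanded with an HMAC-SHA256 HKDF, as TLS 1.3 does. The version and cipher-suite lists are constructed inputs; the cipher-suite names are real TLS 1.3 names.

```python
"""Added simulation of the TLS negotiation (Client Hello / Server Hello) and
key exchange steps; not a TLS implementation and not code from the room.
Certificate verification (step 3) is omitted: it needs signature checks the
standard library does not offer."""
import hashlib
import hmac
import secrets

# RFC 3526 section 3: 2048-bit MODP group (group 14), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

# Constructed preference lists (real TLS 1.3 suite names). Versions as (major, minor).
CLIENT_SUITES = ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]
SERVER_PREFS = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256"]


class HandshakeFailure(Exception):
    """Equivalent of the handshake_failure alert: abort, never silently downgrade."""


def client_hello(versions, suites):
    """Step 1: the client offers what it supports plus a fresh random."""
    return {"versions": versions, "cipher_suites": suites, "random": secrets.token_bytes(32)}


def server_hello(hello, server_versions, server_prefs):
    """Step 2: the server picks the highest common version and its own most
    preferred suite that the client also offered."""
    common = [v for v in server_versions if v in hello["versions"]]
    suite = next((s for s in server_prefs if s in hello["cipher_suites"]), None)
    if not common or suite is None:
        raise HandshakeFailure("no common version or cipher suite")
    return {"version": max(common), "cipher_suite": suite, "random": secrets.token_bytes(32)}


def dh_keypair():
    """Step 4, each side: a private exponent and the public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Reject 0, 1 and p-1 (the trivial small-subgroup values) before use."""
    if not 2 <= peer_pub <= P - 2:
        raise HandshakeFailure("invalid peer public value")
    return pow(peer_pub, priv, P)


def hkdf_sha256(secret, salt, info, length=32):
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_traffic_key(shared, client_random, server_random, suite):
    """Both sides feed the same inputs in, so both get the same symmetric key."""
    secret = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hkdf_sha256(secret, client_random + server_random, suite.encode())


def handshake(client_suites=CLIENT_SUITES, server_prefs=SERVER_PREFS):
    """Run both sides; return (chosen suite, client's key, server's key)."""
    ch = client_hello([(1, 2), (1, 3)], client_suites)
    sh = server_hello(ch, [(1, 2), (1, 3)], server_prefs)
    c_priv, c_pub = dh_keypair()                 # client key share
    s_priv, s_pub = dh_keypair()                 # server key share
    args = (ch["random"], sh["random"], sh["cipher_suite"])
    return (sh["cipher_suite"],
            derive_traffic_key(dh_shared(c_priv, s_pub), *args),
            derive_traffic_key(dh_shared(s_priv, c_pub), *args))


if __name__ == "__main__":
    suite, c_key, s_key = handshake()
    print(suite, "keys match:", c_key == s_key)
```

An observer on the path sees both Hello messages and both public values but neither private exponent, which is what makes the derived key unavailable to a sniffer; this is exactly the property the Telnet and IMAP traffic in Task 2 lacked. The failure case matters too: with no overlap in cipher suites the server raises instead of picking something weaker, which is what a real server signals with a handshake_failure alert.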

Data Transfer Phase
  • All data is encrypted using the shared key
  • Even if someone intercepts it, the

Certificate Authority

TLS certificates are issued by a Certificate Authority (CA). A Certificate Authority is a trusted organization that verifies the identity of a website or company before giving them a certificate.

Examples of Certificate Authorities:
  • DigiCert
  • Let's Encrypt
  • GlobalSign
  • Sectigo
What They Do:
  1. Verify the website owner
  2. Issue a digital certificate
  3. Sign it with their trusted private key

Browsers trust these CAs, so when they sign a certificate, the website becomes trusted.



Task 5: Secure Shell (SSH)

Q1. Use SSH to connect to MACHINE_IP as mark with the password XBtc49AB. Using uname -r, find the Kernel release?
A1. 5.15.0-119-generic

Q2. Use SSH to download the file book.txt from the remote system. How many KBs did scp display as download size?
A2. 415



Explanation-1

SSH in using the command below. Replace the IP with your target IP.


ssh mark@10.48.167.225

Enter the password when prompted.
After a successful login, run uname -r, which prints the kernel release.



Explanation-2

SSH in using the command below. Replace the IP with your target IP.


ssh mark@10.48.167.225

Enter the password when prompted.
After a successful login, run ls to view the files; you will find book.txt there.
The scp command below downloads the file and also reports the transfer size.


scp mark@10.48.167.225:/home/mark/book.txt .


Task 6: Password Attack

Q. We learned that one of the email accounts is lazie. What is the password used to access the IMAP service on 10.48.171.68?
A. butterfly

Process

hydra -l lazie -P /usr/share/wordlists/rockyou.txt 10.48.171.68 imap

This command tells Hydra to try to guess a password for an email account using brute force.

  • Hydra connects to the server at 10.48.171.68
  • It targets the IMAP service (email login service)
  • It keeps trying passwords from rockyou.txt
  • It checks if any password works for username lazie
  • If the correct password is found → Hydra displays it
Hydra

Hydra (also called THC Hydra) is a popular password brute-force tool used in cybersecurity. It is mainly used in:

  • 🔎 Penetration testing
  • 🛡️ Security auditing
  • 🎓 Ethical hacking labs (TryHackMe, Hack The Box)

Hydra tries many username + password combinations against a login service until it finds the correct one. It supports many protocols like:

  • SSH
  • FTP
  • HTTP / HTTPS
  • RDP
  • SMB
  • Telnet
  • MySQL
  • And many more
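The Hydra run above is loud from the server's side: one source IP, one username, many authentication failures in a few seconds, then a success. The following added example (not from the room or from the Hydra project) is the detection logic a mail-server owner would run over their logs: a sliding-window counter that flags a source once it exceeds N failures in W seconds and notes whether a login from that source followed the burst, which is the sign that one of the guesses worked. The log lines are constructed for the example in Dovecot's imap-login format; the user, IPs and timestamps are not from a real system.

```python
"""Added example (not code from the room or from Hydra): flag IMAP password
guessing from mail-server auth logs. Constructed Dovecot-style lines; the
user, IPs and times are invented for the example."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")

SAMPLE_LOG = """\
Jan 07 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:00:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:00:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:00:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.9, TLS
Jan 07 10:04:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=198.51.100.4, lip=10.0.0.9, TLS
Jan 07 10:04:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.4, lip=10.0.0.9, TLS
Jan 07 10:05:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.4, lip=10.0.0.9, TLS
Jan 07 10:06:00 mail dovecot: lmtp(1234): Connect from local
"""


def parse_line(line):
    """Return (timestamp, source ip, user, success?) for imap-login lines, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year; fine for deltas
    return ts, m["ip"], m["user"], m["event"] == "Login"


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: {"failures": n, "users": set, "success_after": bool}} for every
    source that reached `threshold` failed logins inside any `window_s` span."""
    recent = defaultdict(deque)          # ip -> failure timestamps inside the window
    fails = Counter()                    # ip -> all failures seen
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, success = parsed
        if success:
            if ip in flagged:            # a login after a burst of failures: a guess worked
                flagged[ip]["success_after"] = True
            continue
        fails[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, {"users": set(), "success_after": False})["users"].add(user)
    for ip, entry in flagged.items():
        entry["failures"] = fails[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Two legitimate typos from 198.51.100.4 stay below the threshold, while 203.0.113.7 is flagged with a success after the burst, which is the case that needs a password reset rather than just a block. In production the same logic is what fail2ban's dovecot jail implements; rate limiting and per-source lockout raise the cost of a wordlist run far above what Hydra can afford.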


Task 7: Summary

Click Check; there is no answer to submit.