clubhaa.blogg.se

How to identify compromised computer wireshark pcap
How to identify compromised computer wireshark pcap






A DCE/RPC server’s endpoint mapper (EPMAP) will listen for incoming calls. Before moving ahead lets understand what this meansĭistributed Computing Environment/Remote Procedure Call (DCE/RPC)ĭCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.

how to identify compromised computer wireshark pcap

Attacker uses DCERPC protocol to send a Bind call to the victim.

how to identify compromised computer wireshark pcap

Lets take a closer look at the communication in TCP stream 1įrom above snippet we can make below observations : SMB: packet 16 Q7:Provide the CVE number of the exploited vulnerabilityīy now you must have realized that attacker is trying to establish a SMB connection and then will exploit some vulnerability/weakness as attack vector. To get the answer, filter by smb protocol and then move to the packet where you can see NTLM_CHALLENGE and you will get the answer under Session Setup and Response. Also, you can add Stream Index column and then sort it in descending order as shown below Q5:How long did it take to perform the attack (in seconds)?Īgain refer to the Conversations window and you will get the answer under IPv4 tab->Duration Q6: What is the operating system of the target host? The easiest way to answer this question is to refer to the TCP tab in conversations window.

how to identify compromised computer wireshark pcap

Q4:How many TCP sessions are present in the captured traffic? Since we have the public IP of the attacker we can easily track the geo location by any Geo-IP tracker tool available online. Q2: What is the target’s IP address?įrom above we can conclude easily conclude that the target ip is 192.150.11.111 Q3: Provide the country code for the attacker’s IP address (a.k.a geo-location). Now 2 things stand out here 98.114.205.102, a public IP is making a SMB connection with 192.150.11.111, a internal server and from this we can conclude the attacker ip. In the above snippet we can see that 98.114.205.102 is initiating a TCP handshake with 192.150.11.111. Now, lets jump into the questions Q1 : What is the attacker’s IP address?

how to identify compromised computer wireshark pcap

This was probably used for downloading dataįrom the above point we can make a reasonable guess that attacker used SMB protocol to make a connection and then used RPC to execute code remotely. PacketMaze Challenge: Part 2 Wireshark Pcap analysis








How to identify compromised computer wireshark pcap