A DCE/RPC server’s endpoint mapper (EPMAP) will listen for incoming calls. Before moving ahead lets understand what this meansĭistributed Computing Environment/Remote Procedure Call (DCE/RPC)ĭCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.
Attacker uses DCERPC protocol to send a Bind call to the victim.
Lets take a closer look at the communication in TCP stream 1įrom above snippet we can make below observations : SMB: packet 16 Q7:Provide the CVE number of the exploited vulnerabilityīy now you must have realized that attacker is trying to establish a SMB connection and then will exploit some vulnerability/weakness as attack vector. To get the answer, filter by smb protocol and then move to the packet where you can see NTLM_CHALLENGE and you will get the answer under Session Setup and Response. Also, you can add Stream Index column and then sort it in descending order as shown below Q5:How long did it take to perform the attack (in seconds)?Īgain refer to the Conversations window and you will get the answer under IPv4 tab->Duration Q6: What is the operating system of the target host? The easiest way to answer this question is to refer to the TCP tab in conversations window.
Q4:How many TCP sessions are present in the captured traffic? Since we have the public IP of the attacker we can easily track the geo location by any Geo-IP tracker tool available online. Q2: What is the target’s IP address?įrom above we can conclude easily conclude that the target ip is 192.150.11.111 Q3: Provide the country code for the attacker’s IP address (a.k.a geo-location). Now 2 things stand out here 98.114.205.102, a public IP is making a SMB connection with 192.150.11.111, a internal server and from this we can conclude the attacker ip. In the above snippet we can see that 98.114.205.102 is initiating a TCP handshake with 192.150.11.111. Now, lets jump into the questions Q1 : What is the attacker’s IP address?
This was probably used for downloading dataįrom the above point we can make a reasonable guess that attacker used SMB protocol to make a connection and then used RPC to execute code remotely. PacketMaze Challenge: Part 2 Wireshark Pcap analysis
0 kommentar(er)
