Skip to main content

Haking On Demand_WireShark - Part 6

Discover How The Attack Happened By WireShark

 In this article you will learn how to use wireshark effectively to identify how the attack
happened and what the attacker do on the compromised machine

 Discover How The Attack Happened By WireShark:

 In this scenario a pcap file generated by cyberlympics <ref-here> in the 2013 competition will be used to answer the following questions to identify how the attacker get in and how he extract the data from the compromised machine.

The questions are:

• What files were transferred to/from the victim?
• What malware/unauthorized programs were installed?
• What directory were files transferred to or from?
• What is the router password?
• What were user passwords changed to?

•     We will start by loading the pcap file into wireshark















After while navigating throw the packet we identify interesting packets. Those packets are using FTP
protocol. We will follow the stream to figure out what have been done.



















We found really interesting data in the stream


























Here we go, a username Administrator with password GMODEOWNZYOU has been logged in to the victim. To identify the victim ip which is the ftp server we will select stream as follow
























We will identify that the stream is represent a response command from the ftp server. Therefore the victim IP is 192.168.245.12 and the attacker IP 192.168.245.3























So we need now to identify the attacker stream by select as follow














































From the stream we could identify that the attacker use the following ftp commands to retrieve some data from the ftp server

• CWD ftproot: this command used to change the working directory to ftproot

• CWD GMTMP: this command used to change the working directory to GMTMP

• LIST: this command used to list files inside the GMTMP directory

• RETR favicon.ico: this command used to download favicon.ico to the attacker machine

• RETR challenges.zip: this command used to download challenges.zip to the attacker machine

• RETR RPWD.RTF: this command used to download RPWD.RTF to the attacker machine

Currently we know that the attacker IP is 192.168.245.3. We will make a filter on the source IP of the
attacker as follow






We found interesting stream in Figure 9














We will use the same instructions as shown before in Figure 2 and Figure 6 to get the attacker stream














From this stream we could identify that the attacker use the following ftp commands to store file on the ftp server

TYPE I: this command used to set the type of file to be transferred to binary data or image

STOR PwDump7.exe: this command used upload pwdump7.exe to the ftp server

TYPE A: this command used to set the type of file to be transferred to ASCII text

Also here is another stream























From this stream we could identify that the attacker use the following ftp commands to store file on the ftp server

TYPE I: this command used to set the type of file to be transferred to binary data or image

STOR sbd.exe,BFK.exe, MSINET.OCX, convert.dll, inetlog.txt, keylog.txt, needtosend.log and sclog.txt: this command used upload files to the ftp server

TYPE A: this command used to set the type of file to be transferred to ASCII text

LIST: this command used to list files inside the GMTMP directory

So by the previous techniques you can figure out and answer the previous questions as follow:

What files were transferred to/from the victim?

Using wireshark filter “ftp.request.command==STOR” you find the following applications transferred to the victim 192.168.245.12

• PwDump7.exe

• sbd.exe

• BFK.exe

• MSINET.OCX

• converter.dll

• inetlog.txt

• keylog.txt

• needtosend.log

Using wireshark filter “ftp.request.command==RETR” you find the following applications transferred from the victim 192.168.245.12

• favicon.ico

• challenges.zip

• RPWD.RTF

What malware/unauthorized programs were installed?

 According to The Logs and the file transfered to the vivtim The programs are:

• PwDump7.exe

• sbd.exe

• BFK.exe

What directory were files transferred to or from?

 • All Files Transferred to a new Directory in C:\Inetpub\ftproot\ with name GMTMP

• Full path C:\Inetpub\ftproot\GMTMP

What is the router password?

 • Router Password Found in RPWD.RTF file

• Router Password Encryption Type 7 0139562C753F2E5C067E16

• Router Clear Text Password J0HNTH3GR8

What were user passwords changed to?

 Password changed for John, Administrator and nonadmin accounts to be GMODEOWNZYOU

Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was
Read more