
Haking On Demand_WireShark - Part 6

Discover How The Attack Happened By WireShark

In this article you will learn how to use Wireshark effectively to identify how the attack
happened and what the attacker did on the compromised machine.

Discover How The Attack Happened By WireShark:

In this scenario a pcap file generated by cyberlympics <ref-here> in the 2013 competition will be used to answer the following questions, in order to identify how the attacker got in and how he extracted data from the compromised machine.

The questions are:

• What files were transferred to/from the victim?
• What malware/unauthorized programs were installed?
• What directory were files transferred to or from?
• What is the router password?
• What were user passwords changed to?

• We will start by loading the pcap file into Wireshark.

While navigating through the packets we identify some interesting ones: they use the FTP
protocol. We will follow the stream to figure out what has been done.

We find really interesting data in the stream.

Here we go: the username Administrator with password GMODEOWNZYOU has logged in to the victim. To identify the victim IP, which is the FTP server, we select the stream as follows.

We identify that this stream represents the response side of the conversation, i.e. the replies sent by the FTP server. Therefore the victim IP is 192.168.245.12 and the attacker IP is 192.168.245.3.

So now we need to identify the attacker's side of the stream by selecting it as follows.

From the stream we can identify that the attacker used the following FTP commands to retrieve data from the FTP server:

• CWD ftproot: changes the working directory to ftproot

• CWD GMTMP: changes the working directory to GMTMP

• LIST: lists the files inside the GMTMP directory

• RETR favicon.ico: downloads favicon.ico to the attacker's machine

• RETR challenges.zip: downloads challenges.zip to the attacker's machine

• RETR RPWD.RTF: downloads RPWD.RTF to the attacker's machine

We now know that the attacker IP is 192.168.245.3. We will filter on the attacker's IP as the
source address, as follows.

We find an interesting stream in Figure 9.

We use the same steps as shown before in Figure 2 and Figure 6 to get the attacker's side of the stream.

From this stream we can identify that the attacker used the following FTP commands to store a file on the FTP server:

• TYPE I: sets the transfer type to binary (image) data

• STOR PwDump7.exe: uploads PwDump7.exe to the FTP server

• TYPE A: sets the transfer type back to ASCII text

There is also another stream:

From this stream we can identify that the attacker used the following FTP commands to store further files on the FTP server:

• TYPE I: sets the transfer type to binary (image) data

• STOR sbd.exe, BFK.exe, MSINET.OCX, convert.dll, inetlog.txt, keylog.txt, needtosend.log and sclog.txt: one STOR per file, each uploading that file to the FTP server

• TYPE A: sets the transfer type back to ASCII text

• LIST: lists the files inside the GMTMP directory
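As an added example (not code from the article or from the CyberLympics material), the following Python script automates the reasoning applied to the three streams above: the side that sends 3-digit reply codes is the FTP server, so its address is the victim; USER/PASS give the credentials; and each STOR (to the victim) or RETR (from the victim) is recorded together with the working directory in effect, with a CWD only committed once the server accepts it, so a rejected CWD does not mislead the analyst. The stream is a constructed sample modelled on the commands listed above, not the real capture.

```python
import re

# Constructed sample FTP control stream modelled on the commands the article
# recovers (not the CyberLympics capture): (source_ip, destination_ip, payload).
SAMPLE_STREAM = [
    ("192.168.245.3", "192.168.245.12", "USER Administrator"),
    ("192.168.245.12", "192.168.245.3", "331 Password required."),
    ("192.168.245.3", "192.168.245.12", "PASS GMODEOWNZYOU"),
    ("192.168.245.12", "192.168.245.3", "230 User logged in."),
    ("192.168.245.3", "192.168.245.12", "CWD ftproot"),
    ("192.168.245.12", "192.168.245.3", "250 CWD command successful."),
    ("192.168.245.3", "192.168.245.12", "CWD secret"),
    ("192.168.245.12", "192.168.245.3", "550 secret: Access is denied."),
    ("192.168.245.3", "192.168.245.12", "CWD GMTMP"),
    ("192.168.245.12", "192.168.245.3", "250 CWD command successful."),
    ("192.168.245.3", "192.168.245.12", "TYPE I"),
    ("192.168.245.3", "192.168.245.12", "STOR PwDump7.exe"),
    ("192.168.245.12", "192.168.245.3", "226 Transfer complete."),
    ("192.168.245.3", "192.168.245.12", "RETR RPWD.RTF"),
    ("192.168.245.12", "192.168.245.3", "226 Transfer complete."),
]

REPLY_RE = re.compile(r"^(\d)\d{2}[ -]")  # FTP replies open with a 3-digit code


def analyse_ftp_stream(stream):
    """Return server/client roles, credentials, and every STOR/RETR with the
    server-side working directory in effect when the transfer happened."""
    info = {"server": None, "client": None, "user": None, "pass": None, "transfers": []}
    cwd, pending_cwd = [], None
    for src, dst, line in stream:
        m = REPLY_RE.match(line)
        if m:  # only the server answers with reply codes, so src is the victim
            info["server"], info["client"] = src, dst
            if pending_cwd is not None:  # settle the last CWD the client sent
                if m.group(1) == "2":    # 2xx accepted it; 4xx/5xx keep old cwd
                    cwd = pending_cwd
                pending_cwd = None
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("USER", "PASS"):
            info[cmd.lower()] = arg
        elif cmd == "CWD":  # absolute path replaces cwd, relative path extends it
            parts = [p for p in arg.replace("\\", "/").split("/") if p]
            pending_cwd = parts if arg.startswith(("/", "\\")) else cwd + parts
        elif cmd in ("STOR", "RETR"):  # same split as ftp.request.command==STOR/RETR
            info["transfers"].append({"direction": "to victim" if cmd == "STOR" else "from victim",
                                      "file": arg, "directory": "/" + "/".join(cwd)})
    return info
```

On a real capture the same tuples can be exported with tshark, e.g. `tshark -r file.pcap -Y ftp -T fields -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg -e ftp.response.code -e ftp.response.arg`, joining the command/response fields back into one payload line. The FTP-visible directory /ftproot/GMTMP maps onto the server's physical root, which on this victim is C:\Inetpub.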

So with the previous techniques you can work out the answers to the questions above, as follows:

What files were transferred to/from the victim?

Using the Wireshark filter “ftp.request.command==STOR” you find the following files transferred to the victim 192.168.245.12:

• PwDump7.exe

• sbd.exe

• BFK.exe

• MSINET.OCX

• converter.dll

• inetlog.txt

• keylog.txt

• needtosend.log

Using the Wireshark filter “ftp.request.command==RETR” you find the following files transferred from the victim 192.168.245.12:

• favicon.ico

• challenges.zip

• RPWD.RTF

What malware/unauthorized programs were installed?

According to the logs and the files transferred to the victim, the programs are:

• PwDump7.exe

• sbd.exe

• BFK.exe

What directory were files transferred to or from?

• All files were transferred to a new directory named GMTMP inside C:\Inetpub\ftproot\

• Full path: C:\Inetpub\ftproot\GMTMP

What is the router password?

• The router password was found in the RPWD.RTF file

• Router password, encryption type 7: 0139562C753F2E5C067E16

• Router clear-text password: J0HNTH3GR8

What were user passwords changed to?

The passwords for the John, Administrator and nonadmin accounts were changed to GMODEOWNZYOU.
