2/13/2023 0 Comments .pcap wireshark![]() SMB: packet 16 Q7:Provide the CVE number of the exploited vulnerabilityīy now you must have realized that attacker is trying to establish a SMB connection and then will exploit some vulnerability/weakness as attack vector. To get the answer, filter by smb protocol and then move to the packet where you can see NTLM_CHALLENGE and you will get the answer under Session Setup and Response. Also, you can add Stream Index column and then sort it in descending order as shown below Q5:How long did it take to perform the attack (in seconds)?Īgain refer to the Conversations window and you will get the answer under IPv4 tab->Duration Q6: What is the operating system of the target host? The easiest way to answer this question is to refer to the TCP tab in conversations window. Q4:How many TCP sessions are present in the captured traffic? Since we have the public IP of the attacker we can easily track the geo location by any Geo-IP tracker tool available online. ![]() Q2: What is the target’s IP address?įrom above we can conclude easily conclude that the target ip is 192.150.11.111 Q3: Provide the country code for the attacker’s IP address (a.k.a geo-location). Now 2 things stand out here 98.114.205.102, a public IP is making a SMB connection with 192.150.11.111, a internal server and from this we can conclude the attacker ip. In the above snippet we can see that 98.114.205.102 is initiating a TCP handshake with 192.150.11.111. ![]() Now, lets jump into the questions Q1 : What is the attacker’s IP address? This was probably used for downloading dataįrom the above point we can make a reasonable guess that attacker used SMB protocol to make a connection and then used RPC to execute code remotely. ![]() PacketMaze Challenge: Part 2 Wireshark Pcap analysis ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
June 2023
Categories |