Jump to content

Can someone help with this PCAP file?

ImbecileBand

By ImbecileBand
in Questions

 Share

Recommended Posts

ImbecileBand Newbie

ImbecileBand

Posted
Posted

Here is the file - 

https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=dns-remoteshell.pcap

And a screenshot - 

http://i64.tinypic.com/6gwu2v.jpg

 

I have to analyse this file and answer several questions about it, like, small description of the events and weather this shows an attack,  but I'm new to Wireshark so I'm a bit lost.

If anyone could have a look and get back to me that would be great!

 

 

 

 

Link to comment
Share on other sites
digip Newbie

digip

Posted
Posted

If you inspect the packets and ports, you'll see there is a command prompt of plain text data going across the line, over the normal port for DNS. I would believe this to be compromised in some manner, as you shouldn't see the following being SENT and Received from port 53 (which is domain name service) in a normal situation. DNS should only be being used to resolve names, but in the pcap you link to, it looks to be using it as a covert channel to connect to a remote machine to this port, possibly to bypass IDS or filters on the network that don't block port 53 as in and out. 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is FF47-80EB

 Directory of C:\

01/12/2005  11:59 AM                 0 aierrorlog.txt
01/19/2004  09:45 PM                 0 AUTOEXEC.BAT
01/19/2004  09:45 PM                 0 CONFIG.SYS
06/26/2004  12:12 PM    <DIR>          Documents and Settings
02/03/2005  11:40 PM    <DIR>          EasyBoot
02/29/2004  02:51 PM            11,531 installer-debug.txt
12/19/2004  12:50 AM    <DIR>          mga
12/19/2004  12:51 AM    <DIR>          mgafold
11/24/2004  07:47 PM    <DIR>          mnt
10/07/2004  10:01 AM    <DIR>          movie
06/26/2004  01:03 PM    <DIR>          My Downloads
01/13/2005  10:52 PM    <DIR>          Program Files
01/04/2005  10:27 AM    <DIR>          quarantine
04/19/2004  09:57 PM             7,241 s37g
10/31/2004  08:36 PM                 0 s3fs
06/02/2004  08:54 PM               123 systemscandata.txt
08/08/2004  10:48 AM    <DIR>          Temp
12/12/2004  02:24 PM        94,135,944 temp.mpg
01/13/2005  06:10 PM    <DIR>          WINDOWS
11/20/2004  09:27 AM    <DIR>          WUTemp
               8 File(s)     94,154,839 bytes
              12 Dir(s)   7,145,897,984 bytes free

C:\>

192.168.1.3 looks like it may be the attacking machine while 192.168.1.2 is the victim, and also listening on port 53 for the remote connection from 192.168.1.3

I also see 192.168.1.2 trying to connect back to that same machine on port 21, which is FTP, but it's getting a RST for failed connection which may have been an old connection used for remote access no longer in use.

If you sort by source IP, you can see the conversations a bit easier as well, but understand where the conversation starts(not numerically by IP). The conversation starts off using port 53(dns) and then switches to port 21(ftp) from 192.168.1.3 as the attacker IP to 192.168.1.2 as the listener, but seems that the receiver doesn't like access from port 21 to the listener, and does a RST or was a failed/old connection.

Eventually we see the attacker reconnect to the victim, only this time, the receiving port is 23(telnet) to the victim from port 1403 which is just an uncommon port above 1024.The fact it is listening on this port and taking command line commands, would also make me think this machine 192.168.1.2 is compromised. Look at the new data we see now, which is almost as if the attacker is looking for data on their own machine locally, accidentally typing it into the remote victims console: 

C:\>ls -la
ls -la
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\>exit
exit

 

At some point, the attacker has a new connection to the victim, over port 80, which is http. We again see the common windows command line data sent over in plain text. Attacker 192.168.1.3 and victim, 192.168.1.2 on port 80: 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is FF47-80EB

 Directory of C:\

01/12/2005  11:59 AM                 0 aierrorlog.txt
01/19/2004  09:45 PM                 0 AUTOEXEC.BAT
01/19/2004  09:45 PM                 0 CONFIG.SYS
06/26/2004  12:12 PM    <DIR>          Documents and Settings
02/03/2005  11:40 PM    <DIR>          EasyBoot
02/29/2004  02:51 PM            11,531 installer-debug.txt
12/19/2004  12:50 AM    <DIR>          mga
12/19/2004  12:51 AM    <DIR>          mgafold
11/24/2004  07:47 PM    <DIR>          mnt
10/07/2004  10:01 AM    <DIR>          movie
06/26/2004  01:03 PM    <DIR>          My Downloads
01/13/2005  10:52 PM    <DIR>          Program Files
01/04/2005  10:27 AM    <DIR>          quarantine
04/19/2004  09:57 PM             7,241 s37g
10/31/2004  08:36 PM                 0 s3fs
06/02/2004  08:54 PM               123 systemscandata.txt
08/08/2004  10:48 AM    <DIR>          Temp
12/12/2004  02:24 PM        94,135,944 temp.mpg
01/13/2005  06:10 PM    <DIR>          WINDOWS
11/20/2004  09:27 AM    <DIR>          WUTemp
               8 File(s)     94,154,839 bytes
              12 Dir(s)   7,145,889,792 bytes free

C:\>exit

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...