crunchymom, Posted February 2, 2017

Okay, so first, I'm a student. I'm completing a project that requires analyzing a pcap file in Wireshark. One part of it is finding the series of packets that indicate a buffer overflow, followed by an SQL injection. I have no idea whatsoever how to filter for this, or even what to look for if I do see it. It's the only part that I haven't been able to solve yet. Everything else, Google was pretty helpful. Hints? Ideas? Filter recommendations? Thank you!
Teabot 5000, Posted February 2, 2017

I'd imagine the SQLi is going to be visible in data in a web request, so filtering for http should help you find that. You might be able to filter the data somehow to check for common strings associated with SQLi. For the buffer overflow it'll probably be visible as a long string containing some hex at the end. Maybe it would be easier to filter out the other traffic first using "!". So you could get rid of ARP with "!arp" and so on. Do the same with DNS and any other noise that might be in the capture and take a look through what's left afterward.
digip, Posted February 2, 2017 (edited)

SQLi should be easy to spot over HTTP. Anything encrypted over SSL/TLS is not going to be easy to see what is happening, other than watching the IP/domain requests and ports. If any of the shellcode used for the overflow contains NOPs, you will be able to see rows of consecutive hexadecimal, like 90 90 90 90 90 repeating for example, but this will be much harder to find since it doesn't have to be NOPs used so much as it can be small bits of code to create an escape and overflow. Depends on what is vulnerable, so monitoring specific web apps and open ports/services in use, and inspecting those specifically, would be more where to look. Much of it might be obfuscated too, since evading IDS/IPS systems is also a common practice with malware attacks; only straightforward, plain-text attacks are going to be easily spotted. You may also have to decode incoming streams to read them, since it could be wrapped in gzip-compressed data or such as well, making it harder to spot.

Came across this post on Twitter today and thought of your question. Not exactly buffer overflow sniffing in Wireshark, but it might help put you on a path to test on a virtual home lab with some tools: https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder?dysig_tid=9ef06cf0a7d346f7bff7ec87baab566a&POSITION=DynamicSignal&REFERRING_SITE=Twitter&CREATIVE=112037&COUNTRY=&POSTID=eb4e3989-0b7c-4d8e-b154-f1ee5a967238

Reversing malware is not something I've ever looked at so much as pulling strings from files and looking at Windows PE data for stuff while using tools like Anubis for some more analysis.

Edited February 2, 2017 by digip
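The two replies above boil down to the same triage routine: narrow the capture to web traffic, decode the request, then look for common SQLi fragments in the query/body and for abnormally long parameter values or runs of 0x90 (NOP sled). Here is that routine as a small Python script. This is an added example, not code from either poster; it assumes you have already used Follow TCP Stream in Wireshark and saved the request text, and the three sample requests are constructed, not taken from any real capture.

```python
import re
from urllib.parse import unquote_plus

# Wireshark display filters from the thread, plus one that pushes the SQLi
# string check into Wireshark itself (the "matches" operator takes a PCRE).
DISPLAY_FILTERS = {
    "web_only": "http",
    "drop_noise": "!arp && !dns",
    "suspicious_uri": 'http.request.uri matches "(?i)(union.*select|or.*=)"',
}

# Constructed sample: a normal request, one with a URL-encoded SQLi payload,
# and one POST whose form field is padded far beyond any sane length and
# carries a run of 0x90 bytes (what a NOP sled looks like after decoding).
SAMPLE_REQUESTS = [
    "GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 1012\r\n\r\n"
    "user=" + "A" * 600 + "\x90" * 400 + "&pass=x",
]

# Common SQLi fragments: quote + boolean logic, UNION SELECT, quote + comment, stacked query.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\"\w]+\s*=\s*['\"\w]+", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"'\s*(--|/\*|#)"),
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
]


def _split_request(raw):
    """Return (request line, body) from a raw HTTP request string."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n", 1)[0], body


def _form_params(encoded):
    """Decode a query string or form body into (name, value) pairs."""
    params = []
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((name, unquote_plus(value)))
    return params


def _all_params(raw):
    request_line, body = _split_request(raw)
    target = request_line.split(" ")[1] if " " in request_line else ""
    query = target.partition("?")[2]
    return _form_params(query) + _form_params(body)


def sqli_hits(raw):
    """Patterns that match anywhere in the decoded request line or body."""
    request_line, body = _split_request(raw)
    decoded = unquote_plus(request_line) + "\n" + unquote_plus(body)
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]


def overflow_indicators(raw, min_param_len=512, min_nop_run=16):
    """Parameters that are suspiciously long, and the longest run of 0x90 seen."""
    long_params, nop_run = [], 0
    for name, value in _all_params(raw):
        if len(value) >= min_param_len:
            long_params.append(name)
        runs = [len(m.group()) for m in re.finditer(r"\x90+", value)]
        nop_run = max([nop_run] + runs)
    return {"long_params": long_params, "nop_run": nop_run if nop_run >= min_nop_run else 0}


def triage(requests):
    """Index each request with the attack classes it resembles."""
    findings = []
    for i, raw in enumerate(requests):
        flags = []
        if sqli_hits(raw):
            flags.append("sqli")
        ind = overflow_indicators(raw)
        if ind["long_params"] or ind["nop_run"]:
            flags.append("overflow")
        if flags:
            findings.append((i, flags))
    return findings


if __name__ == "__main__":
    for idx, flags in triage(SAMPLE_REQUESTS):
        print(f"request {idx}: {flags}  {overflow_indicators(SAMPLE_REQUESTS[idx])}")
```

The decode step matters: the SQLi payload in the second sample is invisible until the `%27` and `%20` are unquoted, which is the same reason digip says gzip-wrapped or obfuscated streams need decoding before anything is visible. Tune `min_param_len` to the application; 512 is just a threshold chosen for this sample.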
crunchymom (Author), Posted February 2, 2017

Okay, apparently I'm more newbie than a normal newbie, because most of that went over my head. Can we upload screenshots here? I'm going to try. I think I found both attacks, but in the same breath, I have no idea. Please tell me if this looks like either SQL or buffer overflow to you. Actually, I don't think I can. I see the tab for insert other media, and it brings me to "existing attachments"... How does this work?
digip, Posted February 3, 2017

10 hours ago, crunchymom said: "Okay, apparently I'm more newbie than a normal newbie, because most of that went over my head. Can we upload screenshots here? I'm going to try. I think I found both attacks, but in the same breath, I have no idea. Please tell me if this looks like either SQL or buffer overflow to you. Actually, I don't think I can. I see the tab for insert other media, and it brings me to "existing attachments"... How does this work?"

Well, let's make sure you have the basics.. http://www.dummies.com/education/internet-basics/the-internet-for-dummies-cheat-sheet/ /sarcasm

Insert other media, like UPLOAD an image, but your account is under a certain number of posts, so you probably can't upload attachments yet anyway. Uploads are also limited in size for everyone's account, so they fill up quickly. Personally, I would suggest uploading images/screenshots to imgur, and non-image files to something like a Dropbox account for safe storage without tampering. Free file sharing sites should be avoided (although Dropbox is free) as many contain nefarious things going on with them. If you own your own website domain, using your own hosting would be better.