ImbecileBand, Posted March 3, 2017

Here is the file - https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=dns-remoteshell.pcap
And a screenshot - http://i64.tinypic.com/6gwu2v.jpg

I have to analyse this file and answer several questions about it, like a small description of the events and whether this shows an attack, but I'm new to Wireshark so I'm a bit lost. If anyone could have a look and get back to me that would be great!
Lost In Cyberia, Posted March 5, 2017

Cipher downgrade during negotiation?
digip, Posted March 5, 2017

If you inspect the packets and ports, you'll see there is a command prompt of plain text data going across the line, over the normal port for DNS. I would believe this to be compromised in some manner, as you shouldn't see the following being SENT and received from port 53 (which is domain name service) in a normal situation. DNS should only be used to resolve names, but in the pcap you link to, it looks to be using it as a covert channel to connect to a remote machine on this port, possibly to bypass IDS or filters on the network that don't block port 53 in and out.

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>dir
     Volume in drive C has no label.
     Volume Serial Number is FF47-80EB

     Directory of C:\

    01/12/2005  11:59 AM                 0 aierrorlog.txt
    01/19/2004  09:45 PM                 0 AUTOEXEC.BAT
    01/19/2004  09:45 PM                 0 CONFIG.SYS
    06/26/2004  12:12 PM    <DIR>          Documents and Settings
    02/03/2005  11:40 PM    <DIR>          EasyBoot
    02/29/2004  02:51 PM            11,531 installer-debug.txt
    12/19/2004  12:50 AM    <DIR>          mga
    12/19/2004  12:51 AM    <DIR>          mgafold
    11/24/2004  07:47 PM    <DIR>          mnt
    10/07/2004  10:01 AM    <DIR>          movie
    06/26/2004  01:03 PM    <DIR>          My Downloads
    01/13/2005  10:52 PM    <DIR>          Program Files
    01/04/2005  10:27 AM    <DIR>          quarantine
    04/19/2004  09:57 PM             7,241 s37g
    10/31/2004  08:36 PM                 0 s3fs
    06/02/2004  08:54 PM               123 systemscandata.txt
    08/08/2004  10:48 AM    <DIR>          Temp
    12/12/2004  02:24 PM        94,135,944 temp.mpg
    01/13/2005  06:10 PM    <DIR>          WINDOWS
    11/20/2004  09:27 AM    <DIR>          WUTemp
                   8 File(s)     94,154,839 bytes
                  12 Dir(s)   7,145,897,984 bytes free

    C:\>

192.168.1.3 looks like it may be the attacking machine while 192.168.1.2 is the victim, and also listening on port 53 for the remote connection from 192.168.1.3. I also see 192.168.1.2 trying to connect back to that same machine on port 21, which is FTP, but it's getting a RST for failed connection, which may have been an old connection used for remote access no longer in use.

If you sort by source IP, you can see the conversations a bit easier as well, but understand where the conversation starts (not numerically by IP). The conversation starts off using port 53 (DNS) and then switches to port 21 (FTP) from 192.168.1.3 as the attacker IP to 192.168.1.2 as the listener, but it seems that the receiver doesn't like access from port 21 to the listener, and does a RST, or it was a failed/old connection. Eventually we see the attacker reconnect to the victim, only this time the receiving port is 23 (telnet) to the victim from port 1403, which is just an uncommon port above 1024. The fact it is listening on this port and taking command line commands would also make me think this machine 192.168.1.2 is compromised. Look at the new data we see now, which is almost as if the attacker is looking for data on their own machine locally, accidentally typing it into the remote victim's console:

    C:\>ls -la
    ls -la
    'ls' is not recognized as an internal or external command,
    operable program or batch file.

    C:\>exit
    exit

At some point, the attacker has a new connection to the victim, over port 80, which is HTTP. We again see the common Windows command line data sent over in plain text. Attacker 192.168.1.3 and victim 192.168.1.2 on port 80:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is FF47-80EB

     Directory of C:\

    01/12/2005  11:59 AM                 0 aierrorlog.txt
    01/19/2004  09:45 PM                 0 AUTOEXEC.BAT
    01/19/2004  09:45 PM                 0 CONFIG.SYS
    06/26/2004  12:12 PM    <DIR>          Documents and Settings
    02/03/2005  11:40 PM    <DIR>          EasyBoot
    02/29/2004  02:51 PM            11,531 installer-debug.txt
    12/19/2004  12:50 AM    <DIR>          mga
    12/19/2004  12:51 AM    <DIR>          mgafold
    11/24/2004  07:47 PM    <DIR>          mnt
    10/07/2004  10:01 AM    <DIR>          movie
    06/26/2004  01:03 PM    <DIR>          My Downloads
    01/13/2005  10:52 PM    <DIR>          Program Files
    01/04/2005  10:27 AM    <DIR>          quarantine
    04/19/2004  09:57 PM             7,241 s37g
    10/31/2004  08:36 PM                 0 s3fs
    06/02/2004  08:54 PM               123 systemscandata.txt
    08/08/2004  10:48 AM    <DIR>          Temp
    12/12/2004  02:24 PM        94,135,944 temp.mpg
    01/13/2005  06:10 PM    <DIR>          WINDOWS
    11/20/2004  09:27 AM    <DIR>          WUTemp
                   8 File(s)     94,154,839 bytes
                  12 Dir(s)   7,145,889,792 bytes free

    C:\>exit
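A defender-side check in the spirit of digip's analysis, added here as an example and not code from the thread or from the pcap's authors: it tests whether bytes carried on the DNS port actually parse as DNS-over-TCP framing, and goes one step beyond the port 53 case by flagging cmd.exe banner text on any port, since the same shell later appears on 23 and 80. The sample flows, the IP roles and the example.com query are constructed; the SHELL_MARKERS strings come from the output quoted above.

```python
import struct
# Clear-text cmd.exe strings seen in the pcap; a real DNS message never carries these.
SHELL_MARKERS = (b"Microsoft Windows", b"C:\\>", b"Volume in drive", b"Directory of ")

def is_dns_over_tcp(payload: bytes) -> bool:
    """RFC 1035 TCP framing (2-byte length), 12-byte header, well-formed first QNAME."""
    if len(payload) < 19:  # length + header + shortest question (root name + type/class)
        return False
    if struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[2:14])
    if (flags >> 11) & 0xF > 2 or not 1 <= qd <= 8 or an + ns + ar > 64:
        return False  # unknown opcode or implausible section counts
    pos = 14  # walk the first QNAME: labels of 1..63 bytes ending in a 0 byte
    while pos < len(payload):
        label_len = payload[pos]
        if label_len == 0:
            return pos + 5 <= len(payload)  # room left for QTYPE and QCLASS
        if label_len > 63:  # also rejects compression pointers, invalid in a first QNAME
            return False
        pos += 1 + label_len
    return False

def classify_payload(payload: bytes) -> str:
    """'dns' if it parses as DNS, 'shell' if it carries cmd.exe text, else 'unknown'."""
    if is_dns_over_tcp(payload):
        return "dns"
    return "shell" if any(m in payload for m in SHELL_MARKERS) else "unknown"

def find_covert_shells(flows):
    """flows: (client, server, server_port, payload). Flags non-DNS on 53, shell text anywhere."""
    hits = []
    for client, server, port, payload in flows:
        verdict = classify_payload(payload)
        if (port == 53 and verdict != "dns") or verdict == "shell":
            hits.append((client, server, port, verdict))
    return hits

def build_dns_query(name: str) -> bytes:
    """Constructed benign A query, used only as sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg

# Constructed sample flows modelled on the thread: attacker 192.168.1.3 -> victim 192.168.1.2.
SAMPLE_FLOWS = [
    ("192.168.1.3", "192.168.1.2", 53, build_dns_query("example.com")),
    ("192.168.1.3", "192.168.1.2", 53, b"Microsoft Windows XP [Version 5.1.2600]\r\n\r\nC:\\>"),
    ("192.168.1.3", "192.168.1.2", 80, b" Volume in drive C has no label.\r\n Directory of C:\\\r\n"),
]
```

To run it against the real capture, feed each reassembled TCP stream's first bytes (Wireshark's "Follow TCP Stream" or tshark -z follow) into find_covert_shells as one flow tuple.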
Lost In Cyberia, Posted March 5, 2017

Wow, Digip, fantastic and hopefully not time consuming for you, explanation! I wasn't the one who requested it, but this is a benefit to us all...
ImbecileBand (Author), Posted March 5, 2017

Great explanation - really helped!