Ommadawn Posted November 18
Hi everyone, I'm working on a final project and I'm having trouble analyzing a pcap file using Wireshark. I'm new to this tool and I'm running out of time, as my deadline is in a month. Basically there's an attack; I know it's associated with SQL injection (inside Session2), and that's all I know at this moment. I've tried to use the filters and tools, but I'm still quite lost. Any help, no matter how small, would be very helpful. I'm open to any suggestions or advice. Please let me know if you can assist me. I'm having some IRL-related issues, so unfortunately I'm out of options and I need any help that I can get. Thanks in advance for your time and help! Here are the files; there are two pcap files there: https://www.sendspace.com/file/l1fsbo
Ommadawn (Author) Posted November 19
19 hours ago, DramaKing said:
I only see Session1.
You are right, my bad! Here is the correct link: https://www.sendspace.com/filegroup/AF2nyGKs6EgXyGjP50DfQg All I know at this point is that Session1 includes some sort of port scanning and Session2 should include something related to SQL injection. Please, whoever reads this, I'll accept any help that I can get! I don't have much time, and this final project is the final straw for me to finish my studies; unfortunately our teacher did not teach us anything relevant and does not accept any complaints. In the meantime I will try to watch some videos on how to work with Wireshark, but I'm also moving out, which means I will not be able to do it properly, and I'm afraid I'll fail this final task.
dark_pyrro Posted November 19
You mention filters and tools; what filters and tools have you already tried? What are your "findings" so far? I mean, if this is the final project of some course/education, then there should have been some build-up phase which gives you the tools, or at least hints on how to work. I also don't want to provide the answers, but perhaps instead provide hints on how to move forward. However, before doing any such thing, it's good to know what you have already tried (in detail).
Ommadawn (Author) Posted November 19
7 minutes ago, dark_pyrro said:
You mention filters and tools; what filters and tools have you already tried? What are your "findings" so far? I mean, if this is the final project of some course/education, then there should have been some build-up phase which gives you the tools, or at least hints on how to work. I also don't want to provide the answers, but perhaps instead provide hints on how to move forward. However, before doing any such thing, it's good to know what you have already tried (in detail).
Thank you for replying. I was trying to use some online tools that automatically analyze pcaps, but that didn't help me much, and by filters I meant some basic filters, nothing too fancy. I'm pretty new to this, which is why it may look like I'm not giving enough details. This is what I've got so far: attacker's IP = 192.168.0.106, victim's IP = 192.168.0.107. Most likely used the NMAP tool (or something similar?) for 15 minutes, starting around packet number 358 (happened between 20:02:07 and 20:17:00). Then I saw that at 20:19:22 he tried to establish a connection with port 5901, which is commonly used for a second VNC server. A friend told me that he's pretty sure the attacker also used Nikto around 20:21:00, but I couldn't find it, so this is only an assumption at this point. To be 100% honest with you, I do wish to get answers, only because I'm supposed to get a grade on it and it's a personal project, so it's not like I have a partner; hence I'm asking here for help and guidance. If you're willing to provide some hints, I would totally love that, and of course if anyone is willing to teach then I'm a very good student, but I also have a deadline for this project, hence I'm kind of nervous. I hope you don't take it the wrong way; I'm being fully transparent about it.
dark_pyrro Posted November 19
If you look at the user agent, you can see traces of Nikto being used.
Ommadawn (Author) Posted November 19
1 minute ago, dark_pyrro said:
If you look at the user agent, you can see traces of Nikto being used.
Yeah, I've read about it on Google; this is what I saw: https://imgur.com/a/BvKKIaE Eventually I need to build a story on what exactly happened; well, the objective is to write a report on this attack.
DramaKing Posted November 20
9 hours ago, Ommadawn said:
Thank you for replying. I was trying to use some online tools that automatically analyze pcaps, but that didn't help me much, and by filters I meant some basic filters, nothing too fancy. I'm pretty new to this, which is why it may look like I'm not giving enough details. This is what I've got so far: attacker's IP = 192.168.0.106, victim's IP = 192.168.0.107. Most likely used the NMAP tool (or something similar?) for 15 minutes, starting around packet number 358 (happened between 20:02:07 and 20:17:00). Then I saw that at 20:19:22 he tried to establish a connection with port 5901, which is commonly used for a second VNC server. A friend told me that he's pretty sure the attacker also used Nikto around 20:21:00, but I couldn't find it, so this is only an assumption at this point. To be 100% honest with you, I do wish to get answers, only because I'm supposed to get a grade on it and it's a personal project, so it's not like I have a partner; hence I'm asking here for help and guidance. If you're willing to provide some hints, I would totally love that, and of course if anyone is willing to teach then I'm a very good student, but I also have a deadline for this project, hence I'm kind of nervous. I hope you don't take it the wrong way; I'm being fully transparent about it.
I easily identified Nikto from the user agent in packets from Session1. I do cybersecurity tutoring, so if I'm allowed to advertise, maybe we could meet for a short session. I can tell you now that I see URLs with encoded JavaScript. That isn't good and could be XSS. Never mind. I found it. You just have to do a string search for SQL operators in login attempts. It's pretty easy.
Ommadawn (Author) Posted November 20
5 hours ago, DramaKing said:
I easily identified Nikto from the user agent in packets from Session1. I do cybersecurity tutoring, so if I'm allowed to advertise, maybe we could meet for a short session. I can tell you now that I see URLs with encoded JavaScript. That isn't good and could be XSS. Never mind. I found it. You just have to do a string search for SQL operators in login attempts. It's pretty easy.
Thank you for that. I would consider tutoring in general, but since I have a deadline for this project, I'd rather focus on analyzing the pcaps and get any help that I can get. This is very important for me; otherwise I wouldn't have created this post to begin with.
DramaKing Posted November 22
7 hours ago, Ommadawn said:
So... anyone?
I did help. Like dark_pyrro stated, you're not getting the answer, only tips.
Ommadawn (Author) Posted November 22
20 minutes ago, DramaKing said:
I did help. Like dark_pyrro stated, you're not getting the answer, only tips.
I appreciate the help, but I'm looking for more than just tips. I need specific answers to complete my project on time. I don't have a lot of background knowledge on this topic, so I'm hoping for more detailed explanations and examples. I understand that giving direct answers might not be the best approach, but I'm really struggling with this project and could use some extra support. I'm just a student who is trying to do my best in this project, and I agree that ideally the best approach would be learning, but I'm afraid I don't have enough time for this.
DramaKing Posted November 22
53 minutes ago, Ommadawn said:
I appreciate the help, but I'm looking for more than just tips. I need specific answers to complete my project on time. I don't have a lot of background knowledge on this topic, so I'm hoping for more detailed explanations and examples. I understand that giving direct answers might not be the best approach, but I'm really struggling with this project and could use some extra support. I'm just a student who is trying to do my best in this project, and I agree that ideally the best approach would be learning, but I'm afraid I don't have enough time for this.
A Google search on Wireshark string search will give you the answer in seconds. Then you just need to be able to recognize SQL injection.
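The two-step workflow the replies from dark_pyrro and DramaKing sketch (check the User-Agent header for scanner fingerprints, then string-search login submissions for SQL operators) as an added Python example. This is not code from the thread or from Wireshark; it runs over constructed request records shaped like a per-request export from Wireshark or tshark, with the placeholder source address 10.0.0.5 and made-up form bodies. The scanner marker list, the `login`/`signin`/`auth` URI heuristic and the SQL-injection regexes are assumptions chosen for illustration.

```python
"""Triage HTTP requests pulled from a capture: flag scanner user agents and
SQL-injection-looking values in login form submissions.

Added example; the request records below are constructed, not from any real
pcap, and the source address 10.0.0.5 is a placeholder.
"""
import re
from urllib.parse import parse_qs

# User-Agent substrings left by common scanners (assumed marker list).
SCANNER_UA_MARKERS = ("Nikto", "sqlmap", "Nmap Scripting Engine")

# Heuristics applied to each decoded form value; the key doubles as the report label.
SQLI_PATTERNS = {
    "quote_then_boolean": re.compile(r"'\s*(or|and)\b", re.I),               # ' OR ...
    "tautology": re.compile(r"\b(or|and)\s+'?(\w+)'?\s*=\s*'?\2'?", re.I),   # OR '1'='1
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "quote_then_terminator": re.compile(r"'\s*(--|#|/\*|;)"),                # ';--
    "stacked_query": re.compile(r";\s*(drop|delete|update|insert|exec)\b", re.I),
}

# Constructed sample shaped like a per-request export (Wireshark/tshark fields).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "uri": "/",
     "user_agent": "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)", "body": ""},
    {"src": "10.0.0.5", "method": "GET", "uri": "/index.php",
     "user_agent": "Mozilla/5.0", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "uri": "/login.php",
     "user_agent": "Mozilla/5.0", "body": "username=admin%27+OR+%271%27%3D%271&password=x"},
    {"src": "10.0.0.5", "method": "POST", "uri": "/login.php",
     "user_agent": "Mozilla/5.0", "body": "username=alice&password=S3cret%21"},
    {"src": "10.0.0.5", "method": "POST", "uri": "/login.php",
     "user_agent": "Mozilla/5.0", "body": "username=admin%27%3B--&password=x"},
]


def is_login_uri(uri):
    """Assumed heuristic: treat these path fragments as authentication endpoints."""
    return any(token in uri.lower() for token in ("login", "signin", "auth"))


def suspicious_form_fields(body):
    """Decode a URL-encoded form body and return (field, decoded value, matched
    pattern names) for every value that trips at least one SQLI_PATTERNS entry."""
    hits = []
    # parse_qs turns '+' into spaces and %27 into a literal quote before matching,
    # so an encoded payload is judged on what the web application actually sees.
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
            if matched:
                hits.append((field, value, matched))
    return hits


def triage(requests):
    """Walk the request records and return one finding dict per indicator."""
    findings = []
    for index, req in enumerate(requests):
        ua = req.get("user_agent", "")
        for marker in SCANNER_UA_MARKERS:
            if marker.lower() in ua.lower():
                findings.append({"index": index, "kind": "scanner_ua",
                                 "src": req["src"], "detail": marker})
        if req.get("method") == "POST" and is_login_uri(req.get("uri", "")):
            for field, value, patterns in suspicious_form_fields(req.get("body", "")):
                findings.append({"index": index, "kind": "sqli", "src": req["src"],
                                 "field": field, "value": value, "patterns": patterns})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        if f["kind"] == "scanner_ua":
            print(f"request #{f['index']} from {f['src']}: scanner user agent ({f['detail']})")
        else:
            print(f"request #{f['index']} from {f['src']}: {f['field']}={f['value']!r} "
                  f"looks like SQL injection [{', '.join(f['patterns'])}]")
```

In Wireshark the equivalent first pass is the display filter `http.user_agent contains "Nikto"`, and for the login traffic `http.request.method == "POST"` followed by Edit > Find Packet with the String option. A raw byte search looks at the form body as it travelled on the wire, where a single quote is sent as `%27`, which is why the script above decodes each value before running the patterns and why a search for a literal `'` can come up empty on captures that do contain injection attempts.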