Wireshark output file - any uber wireshark users?
Hey,
Anyone want to take a look at a Wireshark output file for me?
I am doing a distance course and we have to detail the method of using Wireshark (done) and the results of an output file provided to us (almost done!)
Are there any ninja Wireshark users who could look over the file to see what I have missed?
It is an introduction to Wireshark, so nothing too taxing or advanced, but this is the first time I have used it and don't want to feck up my grades!!!
Re: Wireshark output file - any uber wireshark users?
I might be able to help, but I'm not certain what you actually mean.
Please post a bit more on what you are actually trying/needing to do.
Re: Wireshark output file - any uber wireshark users?
The course is on ethical hacking and we have been given a Wireshark output file with data activity and we are to analyse and report on the findings. There is only about 200 words available for this part of the paper, so it won't be too much depth, and there are approx 20k packets. It is using Wireshark as a computer/network security tool as opposed to using it for analysing errors in the system, traffic analysis etc.
I have found some clear text usernames and passwords and some images, but I would really appreciate someone casting an eye over and seeing if they see the same things and also what I have missed!
Does that help?
PM me your email and I will send you the file (4 MB). Any help would be appreciated!
Re: Wireshark output file - any uber wireshark users?
You seem to have hit the relevant point - I'm more experienced using it to find problems than to hack, but I'll send you a PM anyway and I'll tell you what I find.
Re: Wireshark output file - any uber wireshark users?
File sent - much appreciated!
Re: Wireshark output file - any uber wireshark users?
I can take a look too, but generally I use Wireshark for debugging SIP problems.
Re: Wireshark output file - any uber wireshark users?
Thanks for the offer - file sent!
There is stuff hidden in the file. I've found a little bit, but to be honest, I have no idea what I am looking at! lol!!
Re: Wireshark output file - any uber wireshark users?
That's a big trace for a 200 word summary, but you have a scripted attack or penetration test on a web server from 192.168.1.200, amongst other things, telnet sessions, SSH. Not sure what I'm looking for TBH.
Re: Wireshark output file - any uber wireshark users?
A scripted attack or Pen Test? lol! Can you explain where you saw that please?
That sounds like the stuff we should be looking for.
Re: Wireshark output file - any uber wireshark users?
Just going out for a meal with the wife, will get back to you later.
Re: Wireshark output file - any uber wireshark users?
Look for all the 404 not founds and look at the pattern of traffic
Re: Wireshark output file - any uber wireshark users?
Quote: Originally posted by Tim.Lad:
That's a big trace for a 200 word summary, but you have a scripted attack or penetration test on a web server from 192.168.1.200, amongst other things, telnet sessions, SSH. Not sure what I'm looking for TBH.
Just had a quick peek and that's pretty much what I noticed. For the attack, look at frame 1039 onwards and view times (View > Time Display Format > Time of Day) to show it's looking for possible valid URLs, and the speed of the requests makes it very unlikely to be anything except a script/program.
Will post back a bit later, but I'm also thinking they've sent you a lot of packets for a 200 word essay, and they've given us no direction at all - should I be poking around trying to find logins, what the person was trying to do, try to get info on the internal network structure, etc - not sure which direction to put effort into.
Edit: from 1039 you can see it checks if various URLs are valid - some of them appear to be normal files you would expect on a website. Then you see it trying to look for a few variants of a weird string that has no significance to me. Then if you look from 2033 onwards, it gets interesting, checking for various hacks. Not sure of the first, but 2096 seems to be trying to attack a TiVo or similar device, then 2101, 2103 & 2105 probe for a ColdFusion vulnerability, then next WordPress and loads more.
Also, as well as a web server, we can tell 192.168.1.200 is a DNS server.
Also the script/program pretends to be an old version of IE, the user agent string is:
mozilla/4.0 (compatible: MSIE 6.0; Windows NT 5.1)
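The post above identifies the scan from three things: the run of requests from frame 1039 onwards, their speed once Time of Day is shown, and the legacy user agent. The following is an added example, not code from the thread, that scores constructed packet-list rows the same way so a reviewer can separate a probing script from a person browsing; the thresholds and the sample rows are assumptions.

```python
from datetime import datetime
from statistics import median

LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0"

# Constructed sample, not from the course capture: (frame, time of day, source IP,
# request URI, HTTP status, User-Agent) as read off the packet list after
# View > Time Display Format > Time of Day. One source walks paths 35 ms apart
# and mostly gets 404; the other browses at human pace.
RECORDS = [
    (1039, "09:14:02.010", "192.168.1.200", "/", 200, LEGACY_UA),
    (1041, "09:14:02.045", "192.168.1.200", "/old/", 404, LEGACY_UA),
    (1044, "09:14:02.081", "192.168.1.200", "/admin/", 404, LEGACY_UA),
    (1047, "09:14:02.117", "192.168.1.200", "/test/", 404, LEGACY_UA),
    (1050, "09:14:02.152", "192.168.1.200", "/wp-login.php", 404, LEGACY_UA),
    (1053, "09:14:02.188", "192.168.1.200", "/cgi-bin/", 404, LEGACY_UA),
    (1290, "09:14:40.500", "192.168.1.37", "/", 200, BROWSER_UA),
    (1402, "09:15:03.200", "192.168.1.37", "/index.html", 200, BROWSER_UA),
]

def _seconds(time_of_day):
    """Convert a Wireshark time-of-day string to seconds since midnight."""
    t = datetime.strptime(time_of_day, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def source_stats(records):
    """Per source IP: request count, share of 404s, median gap between requests."""
    by_src = {}
    for frame, tod, src, uri, status, ua in sorted(records, key=lambda r: r[0]):
        s = by_src.setdefault(src, {"times": [], "requests": 0, "not_found": 0, "agents": set()})
        s["times"].append(_seconds(tod))
        s["requests"] += 1
        s["not_found"] += status == 404
        s["agents"].add(ua)
    stats = {}
    for src, s in by_src.items():
        gaps = [b - a for a, b in zip(s["times"], s["times"][1:])]
        stats[src] = {"requests": s["requests"], "agents": s["agents"],
                      "not_found_ratio": s["not_found"] / s["requests"],
                      "median_gap": median(gaps) if gaps else None}
    return stats

def scripted_sources(records, min_requests=5, max_gap=0.5, min_404_ratio=0.5):
    """Sources whose request rhythm and 404 rate look like a probing script rather
    than a person clicking links; thresholds are assumptions chosen for the sample."""
    return [src for src, s in source_stats(records).items()
            if s["requests"] >= min_requests and s["median_gap"] is not None
            and s["median_gap"] <= max_gap and s["not_found_ratio"] >= min_404_ratio]
```

On a real capture, export the columns with File > Export Packet Dissections > As CSV and feed the rows in; the user agent set per source is kept so the MSIE 6.0 string can be checked alongside the timing.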
Re: Wireshark output file - any uber wireshark users?
The actual essay is much bigger; it delves into methods, comparisons etc., but the actual analysis of the data file is only 200 words and only worth 5 out of 25 points. So, it will just be saying, for instance,
"at packet xx DoS attack because x, y and z" - without going into much further detail.
Hope that makes sense!
Re: Wireshark output file - any uber wireshark users?
Interesting stuff!
I have found some clear text passwords and some images containing hidden texts, but the other stuff you mentioned is black magic to me :(
Re: Wireshark output file - any uber wireshark users?
Morning all,
Quote:
Packet 4294:
(login: VlpXxbD2gfhxPzG, p/w 1 and 2: VlpXxbD2gfhxPzG, firstName: VlpXxbD2gfhxPzG, last Name: VlpXxbD2gfhxPzG, email: VlpXxbD2gfhxPzG%40VlpXxbD2gfhxPzG)
Packet 14769:
(login in94waL p/w in94waL, p/w2 in94waL, firstName in94waL, lastName in94waL, email in94waL%40in94waL)
A lot of the other grabbed logins and passwords are clear to read. Does anyone know what the above packets mean when they all say the same thing? Is it encrypted or something?
Re: Wireshark output file - any uber wireshark users?
Any thoughts on this? Only a few days to deadline so want to make sure I'm not talking bollocks!!
Re: Wireshark output file - any uber wireshark users?
I'm guessing it's a login attempt by that script. I will look at this a little later and come back to you.
Re: Wireshark output file - any uber wireshark users?
Look closely at 4294 and you can see &doEditUser=Add+User+Data at the end. That username/password is probably testing a backdoor/vulnerability found in some particular system that lets you mess with user data.
Interestingly 14769 has the same at the end.
Now I might be chatting crap, but I'm doubting they are looking for you to analyse every single vulnerability tested in 200 words. I'm guessing you may be better off looking at various tools available to perform these kinds of attacks in order to think of how to mitigate them.
Backtrack with Metasploit would probably be a good start, but I only messed around with it for a few days a couple of years ago.
Re: Wireshark output file - any uber wireshark users?
Quote: Originally posted by Over carl:
Look closely at 4294 and you can see &doEditUser=Add+User+Data at the end. That username/password is probably testing a backdoor/vulnerability found in some particular system that lets you mess with user data.
Interestingly 14769 has the same at the end.
I have mentioned both those packets in the paper, but I do not understand what it is actually showing. I 'thought' it might mean it's encrypted data, but obviously not now reading your post. Can you expand on why you think it is a hack/backdoor?
Re: Wireshark output file - any uber wireshark users?
Firstly it's an HTTP POST, a method normally used by browsers on clients to send info to servers.
Secondly it contains login details so we can see it's probably pretending to be a user logging on from a genuine webpage.
Finally, the &doEditUser=Add+User+Data appears to be using a server-side script to add user data.
It's possible for example an application had a back door put in (for development purposes?) that lets you change anything when you are logged on using that particular username, and the script checks to see if it gets a response.
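Packets 4294 and 14769 as quoted earlier are URL-encoded form bodies, not encrypted data: %40 is an encoded '@' and '+' an encoded space, which is why the same token reads the same in every field. The following added example (not from the thread; every parameter name other than doEditUser is an assumption, as are the bodies themselves) decodes such a POST and flags the one-token-in-every-field pattern that marks an automated probe rather than a genuine signup.

```python
from urllib.parse import parse_qs

# Constructed bodies shaped like the two packets quoted in the thread. Only
# doEditUser is taken from the capture; the other parameter names are assumptions.
BODY_4294 = ("login=VlpXxbD2gfhxPzG&password=VlpXxbD2gfhxPzG&password2=VlpXxbD2gfhxPzG"
             "&firstName=VlpXxbD2gfhxPzG&lastName=VlpXxbD2gfhxPzG"
             "&email=VlpXxbD2gfhxPzG%40VlpXxbD2gfhxPzG&doEditUser=Add+User+Data")
BODY_14769 = ("login=in94waL&password=in94waL&password2=in94waL&firstName=in94waL"
              "&lastName=in94waL&email=in94waL%40in94waL&doEditUser=Add+User+Data")

def decode_form(body):
    """Decode an application/x-www-form-urlencoded body: %40 becomes '@' and
    '+' becomes a space. This is transport encoding, not encryption."""
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}

def describe_post(body, action_param="doEditUser"):
    """Summarise a form POST the way a reviewer of the capture would: the decoded
    fields, the requested action, and whether one token fills every field."""
    fields = decode_form(body)
    action = fields.pop(action_param, None)
    # Keep only the local part of the email so it compares with the other fields.
    tokens = {value.split("@")[0] for value in fields.values()}
    token = next(iter(tokens)) if len(tokens) == 1 else None
    return {"fields": fields, "action": action,
            "single_token": token is not None, "token": token}
```

In Wireshark the same body is visible under "HTML Form URL Encoded" in the packet details, already decoded field by field; a signup where login, both passwords, name and email all carry one random-looking string is a fingerprint worth citing in the write-up.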