  #1 ivrytwr3 (DF PlaYa)

    Wireshark output file - any uber wireshark users?

    Hey,

    Anyone want to take a look at a Wireshark output file for me?

    I am doing a distance course and we have to detail the method of using Wireshark (done) and the results of an output file provided to us (almost done!).

    Are there any ninja Wireshark users who could look over the file to see what I have missed?

    It is an introduction to Wireshark, so nothing too taxing or advanced, but this is the first time I have used it and I don't want to feck up my grades!!!

  #2 Over Carl (DF Super Moderator)

    I might be able to help, but I'm not certain what you actually mean.

    Please post a bit more on what you are actually trying/needing to do.

  #3 ivrytwr3 (DF PlaYa)

    The course is on Ethical Hacking and we have been given a Wireshark output file with data activity, and we are to analyse and report on the findings. There are only about 200 words available for this part of the paper, so it won't be in much depth, and there are approx 20k packets. It is using Wireshark as a computer/network security tool as opposed to using it for analysing errors in the system, traffic analysis etc.

    I have found some clear text usernames and passwords and some images, but I would really appreciate someone casting an eye over it and seeing if they see the same things, and also what I have missed!

    Does that help?

    PM me your email and I will send you the file (4 MB); any help would be appreciated!

  #4 Over Carl (DF Super Moderator)

    You seem to have hit the relevant point - I'm more experienced using it to find problems than to hack, but I'll send you a PM anyway and I'll tell you what I find.

  #5 ivrytwr3 (DF PlaYa)

    File sent - much appreciated!

  #6 Tim.Lad (DF Jedi)

    I can take a look too, but generally I use Wireshark for debugging SIP problems.

  #7 ivrytwr3 (DF PlaYa)

    Thanks for the offer - file sent!

    There is stuff hidden in the file. I've found a little bit, but to be honest, I have no idea what I am looking at! lol!!

  #8 Tim.Lad (DF Jedi)

    That's a big trace for a 200 word summary, but you have a scripted attack or penetration test on a web server from 192.168.1.200, amongst other things: telnet sessions, SSH. Not sure what I'm looking for TBH.

  #9 ivrytwr3 (DF PlaYa)

    A scripted attack or Pen Test? lol! Can you explain where you saw that please?

    That sounds like the stuff we should be looking for.

  #10 Tim.Lad (DF Jedi)

    Just going out for a meal with the wife, will get back to you later.

  #11 Tim.Lad (DF Jedi)

    Look for all the 404 Not Founds and look at the pattern of traffic.

  #12 Over Carl (DF Super Moderator)

    Quote Originally Posted by Tim.Lad:
        That's a big trace for a 200 word summary, but you have a scripted attack or penetration test on a web server from 192.168.1.200, amongst other things: telnet sessions, SSH. Not sure what I'm looking for TBH.

    Just had a quick peek and that's pretty much what I noticed. For the attack, look at frame 1039 onwards and view times (View > Time Display Format > Time of Day) to show it's looking for possible valid URLs; the speed of the requests makes it very unlikely to be anything except a script/program.

    Will post back a bit later, but I'm also thinking they've sent you a lot of packets for a 200 word essay, and they've given us no direction at all: should I be poking around trying to find logins, what the person was trying to do, trying to get info on the internal network structure, etc.? Not sure which direction to put effort into.

    Edit: from 1039 you can see it checks if various URLs are valid - some of them appear to be normal files you would expect on a website. Then you see it trying to look for a few variants of a weird string that has no significance to me. Then if you look from 2033 onwards, it gets interesting, checking for various hacks. Not sure of the first, but 2096 seems to be trying to attack a Tivo or similar device, then 2101, 2103 & 2105 probe for a ColdFusion vulnerability, then next WordPress and loads more.

    Also as well as a webserver, we can tell 192.168.1.200 is a DNS server.

    Also, the script/program pretends to be an old version of IE; the user agent string is:
    mozilla/4.0 (compatible: MSIE 6.0; Windows NT 5.1)
    Last edited by Over Carl; 25th March 2014 at 08:51 PM.

  #13 ivrytwr3 (DF PlaYa)

    The actual essay is much bigger, it delves into methods, comparisons etc., but the actual analysis of the data file is only 200 words and only worth 5 out of 25 points. So it will just be saying, for instance,

    "at packet xx DoS attack because x, y and z" - without going into much further detail.

    Hope that makes sense!

  #14 ivrytwr3 (DF PlaYa)

    Interesting stuff!

    I have found some clear text passwords and some images containing hidden text, but the other stuff you mentioned is black magic to me.

  #15 ivrytwr3 (DF PlaYa)

    Morning all,

    Packet 4294:

    (login: VlpXxbD2gfhxPzG, p/w 1 and 2: VlpXxbD2gfhxPzG, firstName: VlpXxbD2gfhxPzG, last Name: VlpXxbD2gfhxPzG, email: VlpXxbD2gfhxPzG%40VlpXxbD2gfhxPzG)

    Packet 14769:

    (login: in94waL, p/w: in94waL, p/w2: in94waL, firstName: in94waL, lastName: in94waL, email: in94waL%40in94waL)

    A lot of the other grabbed logins and passwords are clear to read; does anyone know what the above packets mean when they all say the same thing? Is it encrypted or something?

  #16 ivrytwr3 (DF PlaYa)

    Any thoughts on this? Only a few days to deadline, so I want to make sure I'm not talking bollocks!!

  #17 Over Carl (DF Super Moderator)

    I'm guessing it's a login attempt by that script. I will look at this a little later and come back to you.

  #18 Over Carl (DF Super Moderator)

    Look closely at 4294 and you can see &doEditUser=Add+User+Data at the end. That username/password is probably testing a backdoor/vulnerability found in some particular system that lets you mess with user data.

    Interestingly 14769 has the same at the end.

    Now I might be chatting crap, but I doubt they are looking for you to analyse every single vulnerability tested in 200 words. I'm guessing you may be better off looking at the various tools available to perform these kinds of attacks in order to think of how to mitigate them.

    Backtrack with Metasploit would probably be a good start, but I only messed around with it for a few days a couple of years ago.
    Last edited by Over Carl; 27th March 2014 at 04:17 PM.

  #19 ivrytwr3 (DF PlaYa)

    Quote Originally Posted by Over Carl:
        Look closely at 4294 and you can see &doEditUser=Add+User+Data at the end. That username/password is probably testing a backdoor/vulnerability found in some particular system that lets you mess with user data.

        Interestingly 14769 has the same at the end.

    I have mentioned both those packets in the paper, but I do not understand what it is actually showing. I 'thought' it might mean it's encrypted data, but obviously not, now reading your post. Can you expand on why you think it is a hack/backdoor?

  #20 Over Carl (DF Super Moderator)

    Firstly it's an HTTP POST, a method normally used by browsers on clients to send info to servers.

    Secondly it contains login details so we can see it's probably pretending to be a user logging on from a genuine webpage.

    Finally, the &doEditUser=Add+User+Data appears to be using a server side script to add user data.
    It's possible, for example, that an application had a back door put in (for development purposes?) that lets you change anything when you are logged on using that particular username, and the script checks to see if it gets a response.

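Pulling together what Over Carl describes in #12 (rapid requests for guessable URLs answered with 404s, a user agent posing as old IE) and #20 (a POST whose every field carries the same token and ends in doEditUser), here is an added Python example that is not from the thread: it triages a per-transaction HTTP export for that scanner pattern from a defender's side. The tab-separated input shape, the sample rows, the client 10.0.0.5, the paths and the form field names are constructed for illustration; only 192.168.1.200, frame 4294, the VlpXxbD2gfhxPzG token, doEditUser and the user agent string are taken from the thread.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qs

UA = "mozilla/4.0 (compatible: MSIE 6.0; Windows NT 5.1)"  # user agent string quoted in the thread
SAMPLE = "\n".join([  # constructed export: frame, seconds since capture start, client, method, URI, status, UA, body
    f"1039\t0.00\t192.168.1.200\tGET\t/robots.txt\t404\t{UA}\t",
    f"1041\t0.04\t192.168.1.200\tGET\t/admin/\t404\t{UA}\t",
    f"1043\t0.08\t192.168.1.200\tGET\t/backup/\t404\t{UA}\t",
    f"4294\t3.50\t192.168.1.200\tPOST\t/users.php\t200\t{UA}\tlogin=VlpXxbD2gfhxPzG&password=VlpXxbD2gfhxPzG"
    "&password2=VlpXxbD2gfhxPzG&firstName=VlpXxbD2gfhxPzG&lastName=VlpXxbD2gfhxPzG"
    "&email=VlpXxbD2gfhxPzG%40VlpXxbD2gfhxPzG&doEditUser=Add+User+Data",
    "2001\t1.00\t10.0.0.5\tGET\t/\t200\tMozilla/5.0 (X11; Linux) Firefox/27.0\t",  # hypothetical normal user
    "2030\t2.50\t10.0.0.5\tGET\t/about.html\t200\tMozilla/5.0 (X11; Linux) Firefox/27.0\t",
    "4400\t12.20\t10.0.0.5\tPOST\t/login.php\t200\tMozilla/5.0 (X11; Linux) Firefox/27.0\tusername=alice&password=s3cret&remember=on",
])

def parse_export(text):
    """One dict per row; GET rows have an empty body column."""
    keys = ("frame", "t", "src", "method", "uri", "status", "ua", "body")
    rows = [dict(zip(keys, line.split("\t"))) for line in text.splitlines()]
    for r in rows:
        r["frame"], r["t"], r["status"] = int(r["frame"]), float(r["t"]), int(r["status"])
    return rows

def uniform_fields(body, share=0.8):
    """True when one token fills >= share of the form fields (login=X&email=X%40X...): a probe, not typed input."""
    values = [v[0] for v in parse_qs(body).values()]  # parse_qs decodes %40 and '+' as a server would
    if len(values) < 3:
        return False
    token = max(values, key=values.count)
    return sum(token in v for v in values) / len(values) >= share

def triage(rows, max_gap=0.5, min_404_ratio=0.5):
    """Per client: 404 share, median gap between requests, user agents seen, probe-shaped POSTs; UA is context only."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    report = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r["t"])
        gaps = [b["t"] - a["t"] for a, b in zip(reqs, reqs[1:])]
        ratio = sum(r["status"] == 404 for r in reqs) / len(reqs)
        gap = round(median(gaps), 3) if gaps else None  # sub-second spacing is the tell the thread points at
        report[src] = {"requests": len(reqs), "not_found_ratio": round(ratio, 2), "median_gap_s": gap,
                       "user_agents": sorted({r["ua"] for r in reqs}),
                       "uniform_posts": [r["frame"] for r in reqs if r["method"] == "POST" and uniform_fields(r["body"])],
                       "scripted": gap is not None and gap <= max_gap and ratio >= min_404_ratio}
    return report
```

Running `triage(parse_export(SAMPLE))` flags 192.168.1.200 (0.75 share of 404s, 0.04 s median gap, frame 4294 as a probe-shaped POST) and leaves 10.0.0.5 as ordinary browsing.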

