Wire Shark Analysis


Net Ninjas LLC, 1

Wireshark
Penetration Testing Document Title
September 18, 2015

This Report Was Prepared By:


Net Ninjas LLC
Darren Blakely Security Analyst
Marie Whiting Security Analyst
David Savlowitz Security Analyst

Wireshark Basics
Using Wireshark it is possible to capture traffic on the network and analyze it at a later
time. Wireshark can also exclude traffic such as ARP and DNS by means of capture filters; matching
traffic that appears on the network is simply not recorded.

In this case (shown below) a TCP packet was captured on the network and an attempt was made
to follow its TCP stream.

Shown above, an HTTP connection was made to www.frozenbox.org. Following the TCP
stream revealed information such as timestamps, browser information and domain information.

If a user captures all traffic, a filter can be applied afterwards to exclude certain traffic. As shown
below, a filter was created to exclude TCP traffic on port 80. This is helpful when all traffic on a
network needs to be captured but only certain traffic needs to be viewed.

Pcapr
Pcapr.net is an online database of pcaps for anyone looking to analyze network traffic. In
this case a malware capture called Regin was selected. This malware is essentially a Trojan that
does not store files on the system; its major components communicate using ICMP and send
commands using various protocols.
As shown here, multiple HTTP GET requests are made to various web pages. The malware can log
HTTP requests and even has the capability to remotely control a system. Its main purpose is simply
data collection.


Anne's Exploit
Anne has created and used an exploit against a company. The following information was
gathered using Wireshark.
1. What was the full URI of Vick Timmes' original web request? (Please include the port in your URI.)
a. http://10.10.10.10:8080/index.php

b.
2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this
code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their
data element with a string. What was the value of this string?
a. vEI
b.
3. Vick's computer made a second HTTP request for an object.
a. What was the filename of the object that was requested?

/index/phpmfKSxSANkeTeNrah.gif

b. What is the MD5sum of the object that was returned?

Using md5deep, the MD5 hash was revealed to be df3e567d6f16d040326c7a0ea29a4f41

4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
a. It opened 1.3 seconds into the capture
b.

5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
a. It stayed open for 87.6 seconds
b.
6. In packet 17, the malicious server sent a file to the client.
a. What type of file was it? Choose one: Windows executable / GIF image / PHP script / Zip file / Encrypted data
b. What was the MD5sum of the file?

7. Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after
the original connection on port 4444 was closed. With respect to these repeated failed connection
attempts:
a. How often does the TCP initial sequence number (ISN) change? (Choose one.) Every packet / Every third packet / Every 10-15 seconds / Every 30-35 seconds / Every 60 seconds
b. How often does the IP ID change? (Choose one.) Every packet / Every third packet / Every 10-15 seconds / Every 30-35 seconds / Every 60 seconds
c. How often does the source port change? (Choose one.) Every packet / Every third packet / Every 10-15 seconds / Every 30-35 seconds / Every 60 seconds
8. Eventually, the malicious server responded and opened a new connection. When was the TCP
connection on port 4445 first successfully completed? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
a. 124 seconds since the first packet
b.
9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was
the MD5 sum of this executable file?
a. Exact same as before

b.

10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the
beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
a. 198.4 seconds since the first packet
b.
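The three operations this report performs in the Wireshark GUI (excluding TCP port 80 with a filter in the basics section, timing when the port 4444 and 4445 sessions opened and closed relative to the first packet in questions 4, 5, 8 and 10, and hashing the object the server sent in question 3b) can also be reproduced from the raw pcap. The script below is an added example and is not code from the report or from the challenge; the capture it reads is constructed in memory, and the addresses 10.10.10.10 and 10.10.10.20, the ports and the timestamps are assumptions chosen to mirror the worksheet, not values from the real capture.

```python
"""Minimal libpcap reader: filter by TCP port, time a TCP session, hash served bytes.

Added example, not the report's own code. The pcap is constructed below; the
addresses, ports and timestamps are assumptions, not the challenge capture.
"""
import hashlib
import struct
from typing import List, NamedTuple, Optional, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class Packet(NamedTuple):
    ts: float        # capture timestamp in seconds (pcap ts_sec + ts_usec / 1e6)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int       # raw TCP flag byte
    payload: bytes   # bytes after the TCP header


def build_tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap (timestamp, frame) pairs in the classic little-endian libpcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> List[Packet]:
    """Decode Ethernet/IPv4/TCP records; anything else is skipped."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                        # protocol field: 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        packets.append(Packet(sec + usec / 1e6, ".".join(map(str, ip[12:16])),
                              ".".join(map(str, ip[16:20])), sport, dport, tcp[13], tcp[doff:]))
    return packets


def exclude_tcp_port(packets: List[Packet], port: int) -> List[Packet]:
    """Same effect as the display filter '!(tcp.port == 80)' when port is 80."""
    return [p for p in packets if port not in (p.sport, p.dport)]


def session_times(packets: List[Packet], port: int) -> Tuple[Optional[float], Optional[float]]:
    """Seconds since the first packet when a session on `port` opened (bare SYN) and
    closed (first FIN or RST after it), rounded to tenths as the questions ask."""
    t0 = packets[0].ts
    opened = closed = None
    for p in packets:
        if port not in (p.sport, p.dport):
            continue
        if opened is None and p.flags & SYN and not p.flags & ACK:
            opened = round(p.ts - t0, 1)
        elif opened is not None and p.flags & (FIN | RST):
            closed = round(p.ts - t0, 1)
            break
    return opened, closed


def served_object_md5(packets: List[Packet], server_port: int) -> str:
    """MD5 of everything the server sent from `server_port`, like md5deep on the carved file."""
    return hashlib.md5(b"".join(p.payload for p in packets if p.sport == server_port)).hexdigest()


CLIENT, SERVER = "10.10.10.10", "10.10.10.20"   # assumed addresses (constructed sample)
SAMPLE_PCAP = build_pcap([
    (0.0,  build_tcp_frame(CLIENT, SERVER, 49152, 80, SYN)),
    (0.5,  build_tcp_frame(SERVER, CLIENT, 80, 49152, SYN | ACK)),
    (1.3,  build_tcp_frame(CLIENT, SERVER, 49153, 4444, SYN)),
    (1.4,  build_tcp_frame(SERVER, CLIENT, 4444, 49153, SYN | ACK)),
    (2.0,  build_tcp_frame(SERVER, CLIENT, 4444, 49153, PSH | ACK, b"MZ\x90\x00constructed")),
    (88.9, build_tcp_frame(SERVER, CLIENT, 4444, 49153, FIN | ACK)),
])

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    print(len(pkts), "packets;", len(exclude_tcp_port(pkts, 80)), "after excluding tcp port 80")
    print("port 4444 opened/closed at", session_times(pkts, 4444), "seconds")
    print("served object md5:", served_object_md5(pkts, 4444))
```

Replacing `SAMPLE_PCAP` with the bytes of a file on disk works for any classic little-endian pcap; the rounding to tenths in `session_times` is what the challenge questions require, and the open/close rule (bare SYN, then first FIN or RST) matches what Wireshark's "Follow TCP Stream" shows at either end of the session.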
