Hello, I am busy with a challenge and I am trying to learn to work with Wireshark. I have a capture file from which I isolated this piece: http://www.cloudshark.org/captures/11462ea19f2b Here I found an address to the Command and Control interface of the botnet. Question: is this the client-controller or is this the botnet master (server)? How do I recognize a client-controller? Greetings, kweerd. asked 03 Jan '14, 00:24 kweerd63 closed 09 Jan '14, 04:26 grahamb ♦
The question has been closed for the following reason “The question isn’t clearly defined and has become a chat thread.” by grahamb 09 Jan ‘14, 04:26
12 Answers:
You can search in the pcap on: tcp.port==443 -->> botnet uses SSL connections; http.request.uri contains "login" Greetz, Smile007 ;-))) answered 08 Jan '14, 11:07 Smile007
Thanks, but I tried that already. Nothing that looks like a logon or login. I think I give up. I did a lot of searching and decrypting and found a lot of clues, but I don't know how to finish this part. I see a lot of suspicious data (JavaScripts, Perl programs, ....) but I don't see the clue to give the right answer to this contest. Best Regards, kweerd63 (08 Jan '14, 13:30) kweerd63
Can you post the capture file somewhere? (08 Jan '14, 13:41) Kurt Knochner ♦
(08 Jan '14, 13:53) kweerd63
O.K. the content of the capture file leads to this web site. Apparently there are 'hacking' challenges you need to pass to get some sort of certification and the guys here probably thought it might be easier to ask other people than to use their own brain, which is kind of lame ;-) (09 Jan '14, 16:04) Kurt Knochner ♦
And how does this work with that searching etc.??? I've searched and searched.. typed several IPs but either it's a normal site or it doesn't show anything? How do I recognize if I'm on the right botnet site??? answered 08 Jan '14, 15:12 MarkV
Searching only works if you know exactly what to look for, which isn't the case for an unknown botnet protocol. So, all you can do: browse through the frames and try to find something 'suspicious'. (08 Jan '14, 15:38) Kurt Knochner ♦
Hi, I am also searching for the client controller. I have the same questions. Let's help each other. kweerd, how did you search and what did you find? answered 09 Jan '14, 00:04 zyar
Can you please post the exact assignment text of the challenge, so we know what to look for.... (09 Jan '14, 00:24) Kurt Knochner ♦
Client controller found. Now only the password. answered 09 Jan '14, 01:14 zyar
How did you find it???? answered 09 Jan '14, 01:48 MarkV
@kurt May I mail you some "stream content"? Maybe you can help me with it. answered 09 Jan '14, 01:49 zyar
Statistics >>> Conversations >>> TCP. Then I started checking the data, longest duration first. answered 09 Jan '14, 01:52 zyar
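The triage step zyar describes (Statistics > Conversations > TCP, sorted by longest duration) can be reproduced outside the GUI. The script below is an added example, not code from the thread: it parses a classic little-endian pcap with Ethernet framing and ranks TCP conversations by duration, so a session that stays open for an hour stands out next to ordinary short web fetches. The sample capture is constructed inline from documentation-range addresses.

```python
import struct

def tcp_conversations(pcap_bytes):
    """Walk a classic little-endian pcap (Ethernet link type) and return TCP
    conversations as (endpoint_a, endpoint_b, duration_s, packets, bytes),
    longest duration first, mirroring Statistics > Conversations > TCP."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    assert magic == 0xA1B2C3D4, "only classic little-endian pcap is handled here"
    conv, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip non-IPv4 and non-TCP frames
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic key
        ts = ts_sec + ts_usec / 1e6
        first, last, pkts, nbytes = conv.get(key, (ts, ts, 0, 0))
        conv[key] = (min(first, ts), max(last, ts), pkts + 1, nbytes + len(frame))
    rows = [("%s:%d" % a, "%s:%d" % b, round(last - first, 6), p, n)
            for (a, b), (first, last, p, n) in conv.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def _packet(ts, src, sport, dst, dport, payload=b""):
    """Constructed pcap record: Ethernet + IPv4 + TCP with a dummy TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame

# Constructed sample capture: one short web fetch and one session kept open for an hour
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _packet(100.0, "10.0.0.5", 51000, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n"),
    _packet(100.2, "192.0.2.10", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n"),
    _packet(100.0, "10.0.0.5", 51001, "203.0.113.9", 443),
    _packet(1900.0, "203.0.113.9", 443, "10.0.0.5", 51001),
    _packet(3700.0, "10.0.0.5", 51001, "203.0.113.9", 443),
])

if __name__ == "__main__":
    for row in tcp_conversations(SAMPLE_PCAP):
        print("%-20s %-20s %10.3fs %3d pkts %6d bytes" % row)
```

For a real capture, replace SAMPLE_PCAP with the bytes of the file; pcapng files and non-Ethernet link types are not handled by this parser.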
Did you find the "command and control client interface"? Or did you find something else? answered 09 Jan '14, 01:54 Niels999
Name of the challenge - client controller answered 09 Jan '14, 02:11 zyar
Hi Zyar, I found this one also, but what to do next..? The system is still telling me that I have to finish/do level 4 (09 Jan '14, 02:17) kweerd63
O.K. guys, would you please post some information about this 'challenge'! (09 Jan '14, 02:36) Kurt Knochner ♦
This is not a forum for chats, this is a Q&A site. Please read the FAQ for more info. The nature of the posting on this question, i.e. comments as answers and the distinct lack of actual answers and the minimal Wireshark-relevant content, is making me want to close this question. answered 09 Jan '14, 02:25 grahamb ♦
Kurt: agreed and +1 (09 Jan '14, 02:33) Kurt Knochner ♦
Sorry grahamb. Please don't close this question yet. We found certain data with Wireshark but we don't know what to do with it and need some help. @kurt May I ask for your help and mail you some of the data stream? Maybe you can tell me something about it. (09 Jan '14, 02:45) zyar
Please post some information about this 'challenge'. Apparently you are all talking about the same thing and if you want further help, we need more information. And no, I'm not going to answer questions via e-mail or on the phone! (09 Jan '14, 03:12) Kurt Knochner ♦
Hello,
I am trying to reach an IP address and I got this message:
ZeroNet - Client Controller
Password:
Incorrect password
Incorrect password
Incorrect password
Incorrect password
Incorrect password
Incorrect password
Incorrect password
Incorrect password
Question: How can I find this password in the capture file...?
Hi,
I am not sure I understand your question - it seems that it's client-server communication. What exactly are you looking for?
My question is: How can I connect to that client controller and stop it?
kweerd63, I am also working on this challenge. How did you get that IP address?
challenge? What kind of challenge?
Hm, maybe the Homework guys are getting sneakier... ;-)
dammit :-)
Hi Kurt,
It's a challenge from my office.
I have to find a client controller in a pcap file. I have been searching a while now and I think I know the IP number that has something to do with it, but I don't know how to go further now.
The pcap file is about 80 Mb.
Best regards.
And you two work in the same office !?!
Unless you know the botnet and how the protocol works, all you can do is browse through the frames until you find something 'suspicious'.
Hello Kurt,
I found different suspicious things, but I don't know what to do with them. I think I'll go to some course to learn more about network traffic.
Best regards,
kweerd63
Can you send me a mail on how you found the client controller??? I also found the command & control interface but not the client itself??