This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[closed] How to recognize a botnet client controller?

0

Hello,

I am busy with a challenge and I am trying to learn to work with Wireshark. I have a capture file from which I isolated this piece: http://www.cloudshark.org/captures/11462ea19f2b

Here I found an address to the Command and Control interface of the botnet. Question: is this the client controller or is this the botnet master (server)?

How do I recognize a client controller?

Greetings,

kweerd.

asked 03 Jan '14, 00:24

kweerd63
accept rate: 0%

closed 09 Jan '14, 04:26

grahamb ♦

Hello,

I am trying to reach an IP address and I got this message:

ZeroNet - Client Controller

Password:

Incorrect password

Incorrect password

Incorrect password

Incorrect password

Incorrect password

Incorrect password

Incorrect password

Incorrect password

Question: How can I find this password in the capture file...?

(03 Jan '14, 14:13) kweerd63

Hi,

I am not sure I understand your question - it seems that it's client-server communication. What exactly are you looking for?

(03 Jan '14, 15:45) Boaz Galil

My question is: How can I connect to that client controller and stop it?

(03 Jan '14, 22:16) kweerd63

kweerd63, I am also working on this challenge. How did you get that IP address?

(07 Jan '14, 13:30) Hooiberg

Challenge? What kind of challenge?

(07 Jan '14, 13:38) Kurt Knochner ♦

Hm, maybe the Homework guys are getting sneakier... ;-)

(07 Jan '14, 16:57) Jasper ♦♦

dammit :-)

(07 Jan '14, 17:13) Kurt Knochner ♦

Hi Kurt,

It's a challenge from my office.

I have to find a client controller in a pcap file. I have been searching for a while now and I think I know the IP number that has something to do with it, but I don't know how to go further now.

The pcap file is about 80 MB.

Best regards.

(08 Jan '14, 02:13) kweerd63

It's a challenge from my office.

And you two work in the same office!?!

I have to find an client controller in a pcap file.

Unless you know the botnet and how the protocol works, all you can do is browse through the frames until you find something 'suspicious'.

(08 Jan '14, 07:37) Kurt Knochner ♦

Hello Kurt,

I found different suspicious things, but I don't know what to do with them. I think I will go to some course to learn more about network traffic.

Best regards,

kweerd63

(08 Jan '14, 13:50) kweerd63

Can you send me a mail about how you found the client controller??? I also found the command & control interface but not the client itself??

(09 Jan '14, 07:16) MarkV

The question has been closed for the following reason “The question isn’t clearly defined and has become a chat thread.” by grahamb 09 Jan ‘14, 04:26


12 Answers:


1

You can search in the pcap on:

tcp.port==443 (the botnet uses SSL connections)

http.request.uri contains "login"

Greetz, Smile007 ;-)))

answered 08 Jan '14, 11:07

Smile007
accept rate: 0%

Thanks,

But I tried that already. Nothing that looks like a logon or login.

I think I give up.

I did a lot of searching and decrypting and found a lot of clues, but I don't know how to finish this part. I see a lot of suspicious data (JavaScripts, Perl programs, ....) but I don't see the clue to give the right answer to this contest.

Best Regards,

kweerd63

(08 Jan '14, 13:30) kweerd63

Can you post the capture file somewhere?

(08 Jan '14, 13:41) Kurt Knochner ♦
(08 Jan '14, 13:53) kweerd63

O.K., the content of the capture file leads to this web site:

https://www.certifiedsecure.com/

Apparently there are 'hacking' challenges you need to pass to get some sort of certification and the guys here probably thought it might be easier to ask other people than to use their own brain, which is kind of lame ;-)

(09 Jan '14, 16:04) Kurt Knochner ♦

0

And how does this work with that searching etc.???

I've searched and searched... typed several IPs, but either it's a normal site or it doesn't show anything?

How do I recognize if I'm on the right botnet site???

answered 08 Jan '14, 15:12

MarkV
accept rate: 0%

Searching only works if you know exactly what to look for, which isn't the case for an unknown botnet protocol. So, all you can do is browse through the frames and try to find something 'suspicious'.

(08 Jan '14, 15:38) Kurt Knochner ♦

0

Hi,

I am also searching for the client controller. I have the same questions. Let's help each other.

kweerd, how did you search and what did you find?

answered 09 Jan '14, 00:04

zyar
accept rate: 0%

Can you please post the exact assignment text of the challenge, so we know what to look for....

(09 Jan '14, 00:24) Kurt Knochner ♦

0

Client controller found.

know only the password.

answered 09 Jan '14, 01:14

zyar
accept rate: 0%

0

How did you find it????

answered 09 Jan '14, 01:48

MarkV
accept rate: 0%

0

@kurt

May I mail you some "stream content"? Maybe you can help me with it.

answered 09 Jan '14, 01:49

zyar
accept rate: 0%

0

Statistics >>> Conversations >>> TCP

Then started checking the data, longest duration first.

answered 09 Jan '14, 01:52

zyar
accept rate: 0%
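As an added example (not code from this thread, nor Wireshark's own code), the following Python script rebuilds the table that zyar's Statistics >>> Conversations >>> TCP step produces, ranks it longest duration first, and marks which of the two display filters from Smile007's answer (tcp.port==443, http.request.uri contains "login") each conversation would match. The Packet records are constructed sample data, not the challenge capture; the record layout and function names are my own assumptions.

```python
"""Rebuild a TCP conversation table from packet records, rank it longest
duration first, and annotate each row with two display-filter checks.
All packet data below is constructed sample input, not a real capture."""

from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int      # frame length in bytes
    uri: str = ""    # HTTP request URI if the frame carried one, else ""


@dataclass
class Conversation:
    a: tuple         # (ip, port) of the lower-sorting endpoint
    b: tuple         # (ip, port) of the higher-sorting endpoint
    first: float     # timestamp of the first frame seen
    last: float      # timestamp of the last frame seen
    packets: int = 0
    total_bytes: int = 0
    uris: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        return self.last - self.first


def conversation_key(p: Packet) -> tuple:
    """Direction-independent key, so both halves of a flow land in one row
    (this is what makes it a 'conversation' rather than a one-way flow)."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def build_conversations(packets) -> list:
    """Aggregate packets into conversations, sorted longest duration first."""
    convs = {}
    for p in packets:
        key = conversation_key(p)
        c = convs.get(key)
        if c is None:
            c = Conversation(key[0], key[1], p.ts, p.ts)
            convs[key] = c
        c.first = min(c.first, p.ts)
        c.last = max(c.last, p.ts)
        c.packets += 1
        c.total_bytes += p.length
        if p.uri:
            c.uris.append(p.uri)
    return sorted(convs.values(), key=lambda c: c.duration, reverse=True)


def filter_hits(c: Conversation) -> list:
    """Which of the two display filters from the thread this row would match."""
    hits = []
    if 443 in (c.a[1], c.b[1]):
        hits.append("tcp.port==443")
    if any("login" in u for u in c.uris):
        hits.append('http.request.uri contains "login"')
    return hits


def report(packets) -> list:
    """One dict per conversation, in triage order (longest duration first)."""
    rows = []
    for c in build_conversations(packets):
        rows.append({
            "endpoint_a": "%s:%d" % c.a,
            "endpoint_b": "%s:%d" % c.b,
            "packets": c.packets,
            "bytes": c.total_bytes,
            "duration": round(c.duration, 3),
            "filter_hits": filter_hits(c),
        })
    return rows


# Constructed sample records using RFC 5737 documentation addresses:
# a long-lived TLS session, a short HTTP exchange with a login URI,
# and an ordinary short HTTP fetch.
SAMPLE = [
    Packet(0.0, "10.0.0.5", 51234, "203.0.113.7", 443, 74),
    Packet(0.1, "203.0.113.7", 443, "10.0.0.5", 51234, 74),
    Packet(1800.0, "10.0.0.5", 51234, "203.0.113.7", 443, 120),
    Packet(3600.0, "203.0.113.7", 443, "10.0.0.5", 51234, 120),
    Packet(5.0, "10.0.0.5", 51240, "198.51.100.2", 80, 310, uri="/admin/login.php"),
    Packet(5.2, "198.51.100.2", 80, "10.0.0.5", 51240, 1514),
    Packet(6.2, "10.0.0.5", 51240, "198.51.100.2", 80, 66),
    Packet(10.0, "10.0.0.5", 51250, "192.0.2.9", 80, 200, uri="/index.html"),
    Packet(10.5, "192.0.2.9", 80, "10.0.0.5", 51250, 900),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The duration-first ordering is only a triage heuristic: a long-lived session on 443 is worth opening first, but the filter hits are there to show why a short conversation with a login URI can still deserve a look before the rest of the table.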

0

Did you find the "command and control client interface"?

Or did you find something else?

answered 09 Jan '14, 01:54

Niels999
accept rate: 0%

0

Name of the challenge: client controller

answered 09 Jan '14, 02:11

zyar
accept rate: 0%

Hi Zyar,

I found this one also, but what to do next..?

The system is still telling me that I have to finish/do level 4.

(09 Jan '14, 02:17) kweerd63a

O.K. guys, would you please post some information about this 'challenge'!

(09 Jan '14, 02:36) Kurt Knochner ♦

0

This is not a forum for chats, this is a Q&A site. Please read the FAQ for more info.

The nature of the posting on this question, i.e. comments as answers, the distinct lack of actual answers and the minimal Wireshark-relevant content, is making me want to close this question.

answered 09 Jan '14, 02:25

grahamb ♦
accept rate: 22%

Kurt: agreed and +1

(09 Jan '14, 02:33) Kurt Knochner ♦

Sorry grahamb. Please don't close this question yet.

We found certain data with Wireshark but we don't know what to do with it and need some help.

@kurt May I ask for your help and mail you some of the data stream? Maybe you can tell me something about it.

(09 Jan '14, 02:45) zyar

Please post some information about this 'challenge'. Apparently you are all talking about the same thing, and if you want further help, we need more information. And no, I'm not going to answer questions via e-mail or on the phone!

(09 Jan '14, 03:12) Kurt Knochner ♦