

Recently we discovered some failed authentication requests in the Exchange Transport Logs:

In the attached screenshot you can see that the user name is editor and we receive lots of entries for different "users". The environment is:

Websense --> external firewall -->1 load balancer --> encryption server --> internal firewall -->2 load balancer --> Exchange

I believe that the connections originate from the internet because I can see failed authentication errors being reported on the encryption server, because it reports that the packets are coming from the 1 load balancer's internal facing IP, and because the encryption server works as an SMTP proxy it passes the SMTP connection towards Exchange.

What would be the best place or places to run a Wireshark capture to be sure where the requests are coming from?

It looks to me as if someone is trying to hack our Exchange, perhaps an SMTP auth attack?

Thank you

asked 12 Jan '16, 12:48 by adasko

edited 12 Jan '16, 13:25 by sindy


If I get your drawing right, the SMTP session, if coming from the internet, is encrypted all the way from the internet through to the encryption server, and the encryption server decrypts the incoming messages into plaintext SMTP?

If so, Wireshark alone may not be enough, because only the logs of the encryption server can unambiguously disclose to you the correlation between the individual encrypted SMTP sessions coming from the internet and their plaintext counterparts you can see at the "inner" side of the encryption server. Only if the traffic is not too heavy might you be able to find this correlation based on packets' times of occurrence (or rather TCP session establishment times).

And only after you verify that you can find the mapping at the encryption server, one way or the other, does it make sense to run a Wireshark capture at both the "inner" and "outer" interfaces of the 1st load balancer simultaneously with logging or capturing at the encryption server, and use the SSL/TLS payload of the packets "after" and "before" the load balancer to find the correlation between the TCP session from the load balancer to the encryption server and its "source" TCP session from the attacker to the load balancer.

answered 12 Jan '16, 13:24 by sindy
