Can someone tell me if there is anything malicious in this pcap? https://drive.google.com/open?id=0B1VcVVkZTYTJYTZ0Ny1rZmNwam8 Thank you so much! asked 23 Oct '17, 08:07 subb148
One Answer:
To me it looks as if 192.168.56.105 is trying to determine what operating system 192.168.56.107 is running by sending it various weird packets (like a TCP packet with no flags at all) and analysing its reaction to them, and maybe it also checks for the presence of known protocol stack vulnerabilities the same way. The mention of nmap in the HTTP OPTIONS request supports this theory, but it may as well be that 192.168.56.105 has already become a botnet zombie and is trying to find an exploitable vulnerability on its network neighbour (possibly using nmap). answered 23 Oct '17, 09:01 sindy
Thank you so much :)
If it's okay, can you quickly have a look at this as well: https://drive.google.com/file/d/0B1VcVVkZTYTJdGJnSXVZdm9qaWM/view?usp=sharing. I would love your feedback on whether this is normal traffic or not :)
Are you sure I'm not doing your homework for you?
The only thing suspicious here is that when 192.168.56.106 as TCP client connects to 192.168.56.105 as server and then issues bash commands in plaintext and gets responses to them, all without any previous authentication, it connects to port 4440, which IANA lists as unassigned. So it seems that the rsh service on 192.168.56.105 is listening on a non-standard port.
The reason why I think it is homework is that 192.168.56.105 acts as a potential attacker in this scenario while it acted as a potential victim in the previous one.
If it is not homework, the explanation could be that 192.168.56.106 had become a zombie (via a previously "zombified" 192.168.56.105) before this capture was started, and has been instructed to test rsh communication with 192.168.56.105, thus e.g. verifying that the lists of authorized clients for rsh have been successfully modified there.
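The two indicators sindy points out in this thread (a host sending TCP segments with no control flags set, and an unauthenticated plaintext shell answering on a port that IANA lists as unassigned) are easy to check for mechanically once a capture has been decoded. The script below is an added example, not code from the thread or from Wireshark: it parses raw IPv4/TCP headers with the standard library only, counts flag-less segments per source, lists servers that complete a handshake on a port outside a constructed allow-list, and flags newline-terminated payloads that start with a common shell command name. The allow-list, the command-prefix heuristic and the sample packets are all constructed for the example; in practice you would feed it the frames of the capture (for instance exported from Wireshark) instead of the fabricated ones.

```python
import socket
import struct
from collections import Counter

# TCP control bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed allow-list of ports we expect servers on in this lab network.
# 514 is the IANA-registered rsh port; 4440 (seen in the thread) is not listed.
EXPECTED_SERVER_PORTS = {22, 80, 443, 514}

# Constructed heuristic: first tokens of common interactive shell commands.
SHELL_COMMAND_PREFIXES = ("id", "whoami", "ls", "cat ", "uname", "ps ", "pwd")


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Fabricate a minimal IPv4+TCP packet (no options, checksums left zero).
    Used only to construct sample traffic for this example; a real capture
    would be read from a pcap file instead."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers of one raw packet; None if not IPv4/TCP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "flags": flags,
        "payload": tcp[(off >> 4) * 4:],  # data offset is in 32-bit words
    }


def looks_like_shell_command(payload):
    """Constructed heuristic for an unencrypted interactive shell: printable
    ASCII, newline-terminated, starting with a common command name."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.endswith("\n") and text.strip().startswith(SHELL_COMMAND_PREFIXES)


def analyse(packets):
    """Return the three indicators discussed in the thread."""
    findings = {
        "null_scan_sources": Counter(),  # hosts sending TCP segments with no flags set
        "unexpected_services": set(),    # (server, port) answering SYN/ACK off the allow-list
        "plaintext_shell": set(),        # (client, server, port) carrying shell commands
    }
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p is None:
            continue
        if p["flags"] == 0:
            findings["null_scan_sources"][p["src"]] += 1
        if p["flags"] & (SYN | ACK) == SYN | ACK and p["sport"] not in EXPECTED_SERVER_PORTS:
            findings["unexpected_services"].add((p["src"], p["sport"]))
        if p["dport"] not in EXPECTED_SERVER_PORTS and looks_like_shell_command(p["payload"]):
            findings["plaintext_shell"].add((p["src"], p["dst"], p["dport"]))
    return findings


# Constructed sample traffic modelled on the two captures described in the thread.
SAMPLE_TRAFFIC = [
    # Capture 1: .105 probes .107 with flag-less TCP segments.
    build_ipv4_tcp("192.168.56.105", "192.168.56.107", 40001, 22, 0),
    build_ipv4_tcp("192.168.56.105", "192.168.56.107", 40001, 80, 0),
    build_ipv4_tcp("192.168.56.105", "192.168.56.107", 40001, 135, 0),
    # Ordinary HTTP handshake to an expected port: must not be flagged.
    build_ipv4_tcp("192.168.56.105", "192.168.56.107", 40002, 80, SYN),
    build_ipv4_tcp("192.168.56.107", "192.168.56.105", 80, 40002, SYN | ACK),
    # Capture 2: .106 talks to an unauthenticated shell on .105:4440 in plaintext.
    build_ipv4_tcp("192.168.56.106", "192.168.56.105", 51000, 4440, SYN),
    build_ipv4_tcp("192.168.56.105", "192.168.56.106", 4440, 51000, SYN | ACK),
    build_ipv4_tcp("192.168.56.106", "192.168.56.105", 51000, 4440, PSH | ACK, b"id\n"),
    build_ipv4_tcp("192.168.56.105", "192.168.56.106", 4440, 51000, PSH | ACK,
                   b"uid=0(root) gid=0(root)\n"),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TRAFFIC).items():
        print(f"{key}: {value}")
```

On the sample traffic the script reports 192.168.56.105 as the source of three flag-less segments, 192.168.56.105:4440 as a server completing handshakes on an unlisted port, and the 192.168.56.106 to 192.168.56.105:4440 conversation as carrying plaintext commands, while the normal HTTP handshake produces nothing. The command-prefix check is deliberately crude; the point it makes is that an interactive shell without a prior authentication exchange, on a port not tied to a known service, should stand out even with a simple rule.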
Omg.. you're an absolute legend. Yes, it makes complete sense. I'm at uni and we were asked to find whether there was malicious activity in around 100 pcaps. Out of the 100, I have 20 for which I was not able to figure out if there was anything malicious at all.
But thank you so, so much! Is there any way you can help me out with the other pcaps? I'm willing to pay you for your time :)
But thank you again!
To hire someone is a proper homework solution if you study MBA :-) For IT studies, the proper solution is to look through the captures which seem not to be that big and watch for things like
Thank you so, so much!