This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Pcap analysis


Can someone tell me if there is anything malicious in this pcap?

https://drive.google.com/open?id=0B1VcVVkZTYTJYTZ0Ny1rZmNwam8

Thank you so much!

asked 23 Oct '17, 08:07


subb148


One Answer:


To me it looks as if 192.168.56.105 is trying to determine what operating system 192.168.56.107 is running by sending it various weird packets (like a TCP packet with no flags at all) and analysing its reaction to them, and maybe it also checks for the presence of known protocol stack vulnerabilities the same way.

The mention of nmap in the HTTP OPTIONS request supports this theory, but it may as well be that 192.168.56.105 has already become a botnet zombie and is trying to find an exploitable vulnerability on its network neighbour (possibly using nmap).

answered 23 Oct '17, 09:01


sindy

Thank you so much :)

(23 Oct '17, 09:57) subb148

If it's okay, can you quickly have a look at this as well? https://drive.google.com/file/d/0B1VcVVkZTYTJdGJnSXVZdm9qaWM/view?usp=sharing I would love your feedback on whether this is normal traffic or not :)

(23 Oct '17, 10:01) subb148

Are you sure I'm not doing your homework for you?

The only thing suspicious here is that when 192.168.56.106 as TCP client connects to 192.168.56.105 as server and then issues bash commands in plaintext and gets responses to them, all that without any previous authentication, it connects to port 4440, which IANA lists as unassigned. So it seems that the rsh service on 192.168.56.105 is listening on a non-standard port.

The reason why I think it is homework is that 192.168.56.105 acts as a potential attacker in this scenario while it acts as a potential victim in the previous one.

If it is not homework, the explanation could be that 192.168.56.106 had become a zombie (by a previously "zombieized" 192.168.56.105) already before this capture was started, and has been instructed to test rsh communication with 192.168.56.105, thus e.g. verifying that the lists of authorized clients for rsh have been successfully modified there.

(23 Oct '17, 11:02) sindy

Omg.. you're an absolute legend. Yes, it makes complete sense. I'm at Uni and we were asked to find if there was malicious activity in around 100 pcaps. Out of 100, I have 20 for which I was not able to figure out if there was anything malicious at all.

But thank you so so much! Is there any way you can help me out with the other pcaps? I'm willing to pay you for your time :)

But thank you again!

(23 Oct '17, 14:53) subb148

To hire someone is a proper homework solution if you study for an MBA :-) For IT studies, the proper solution is to look through the captures, which seem not to be that big, and watch for things like

  • opening TCP sessions to many different ports, possibly closing them with FIN or RESET without transferring a single byte of payload,
  • sending packets with weird contents (where Wireshark is very helpful, as it highlights in yellow and red the packets which it cannot decode properly),
  • repeated attempts to log in using telnet and/or ssh (because with each attempt the attacker tries a new username/password combination),
  • repeated attempts to register using SIP (same case as above),
  • TCP session establishment attempts coming from many different IPs (tens of thousands and above) at the same time - these are not conquest attempts but a DDoS in progress,
  • others which I don't know, as I am not a cybersecurity expert, so I have no idea about all those exploits like the Heartbleed bug where the password was retrieved from the victim's storage at the first login attempt rather than tried from a vocabulary list.

(24 Oct '17, 09:34) sindy
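
The checklist in the comment above, together with the no-flags TCP probe mentioned in the answer, can be turned into a small screening script that runs over the kind of per-packet field export `tshark -T fields` produces. The following is an added example, not code from the thread or from the Wireshark project; the packet records it screens are constructed inline to mirror the two scenarios discussed (a port sweep from 192.168.56.105 against 192.168.56.107, repeated sessions from 192.168.56.106 to 192.168.56.105) plus a synthetic SYN flood, and the thresholds (`min_ports`, `min_attempts`, `min_sources`) are assumptions that a real capture would need tuning for. SIP registrations run over UDP and are not covered by this TCP-only screen.

```python
"""Screen TCP packet records for the patterns discussed in this thread:
null-flag probes, port sweeps without payload, repeated login sessions and
SYN floods from many sources.

Added example. Records are constructed in the shape that
  tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst \
        -e tcp.dstport -e tcp.flags -e tcp.len
prints (tab-separated), so a real export can be fed to the same functions."""
from collections import defaultdict

FIN, SYN, RST, ACK = 0x001, 0x002, 0x004, 0x010


def parse_records(lines):
    """Turn tab-separated field lines into (t, src, dst, dport, flags, plen) tuples."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        t, src, dst, dport, flags, plen = line.rstrip("\n").split("\t")
        out.append((float(t), src, dst, int(dport), int(flags, 16), int(plen)))
    return out


def is_pure_syn(flags):
    """SYN without ACK: a client opening a new session (not the SYN-ACK reply)."""
    return bool(flags & SYN) and not flags & ACK


def null_flag_packets(records):
    """TCP segments carrying no flags at all, the 'weird packet' an OS
    fingerprinter sends to see how the target's stack reacts."""
    return [(src, dst, dport) for _, src, dst, dport, flags, _ in records if flags == 0]


def port_sweeps(records, min_ports=10):
    """Sources opening sessions to many distinct ports on one host while never
    sending a byte of payload to that host (scan, not real use of the services)."""
    ports = defaultdict(set)     # (src, dst) -> ports that received a pure SYN
    payload = defaultdict(int)   # (src, dst) -> total payload bytes sent
    for _, src, dst, dport, flags, plen in records:
        if is_pure_syn(flags):
            ports[(src, dst)].add(dport)
        payload[(src, dst)] += plen
    return {k: sorted(v) for k, v in ports.items()
            if len(v) >= min_ports and payload[k] == 0}


def repeated_logins(records, ports=(22, 23), min_attempts=5):
    """Many separate sessions from one source to a login service on one host:
    each fresh SYN is typically another username/password guess."""
    counts = defaultdict(int)
    for _, src, dst, dport, flags, _ in records:
        if dport in ports and is_pure_syn(flags):
            counts[(src, dst, dport)] += 1
    return {k: n for k, n in counts.items() if n >= min_attempts}


def syn_floods(records, window=1.0, min_sources=1000):
    """Distinct sources sending SYNs to the same destination inside one time
    window: session-establishment attempts from many IPs at once."""
    buckets = defaultdict(set)   # (dst, window index) -> set of sources
    for t, src, dst, _, flags, _ in records:
        if is_pure_syn(flags):
            buckets[(dst, int(t // window))].add(src)
    hits = {}
    for (dst, _), srcs in buckets.items():
        if len(srcs) >= min_sources:
            hits[dst] = max(hits.get(dst, 0), len(srcs))
    return hits


def constructed_sample():
    """Constructed field lines (not from the pcaps in the thread)."""
    lines = ["0.000\t192.168.56.105\t192.168.56.107\t80\t0x000\t0"]   # null-flag probe
    for i, port in enumerate(range(20, 35)):                            # 15-port sweep, RST-ACK replies
        lines.append(f"{0.1 + 0.01 * i:.3f}\t192.168.56.105\t192.168.56.107\t{port}\t0x002\t0")
        lines.append(f"{0.105 + 0.01 * i:.3f}\t192.168.56.107\t192.168.56.105\t40000\t0x014\t0")
    for i in range(6):                                                  # six fresh SSH sessions
        lines.append(f"{1.0 + 0.2 * i:.3f}\t192.168.56.106\t192.168.56.105\t22\t0x002\t0")
        lines.append(f"{1.05 + 0.2 * i:.3f}\t192.168.56.106\t192.168.56.105\t22\t0x018\t48")
    lines.append("3.000\t192.168.56.108\t192.168.56.105\t80\t0x002\t0")  # one benign HTTP session
    lines.append("3.010\t192.168.56.108\t192.168.56.105\t80\t0x018\t120")
    for i in range(1200):                                               # 1200 sources in one second
        lines.append(f"{5.0 + i / 2000:.4f}\t10.{(i >> 8) & 255}.{i & 255}.7\t10.0.0.9\t443\t0x002\t0")
    return lines


def report(lines):
    """Run every screen and return the findings keyed by check name."""
    recs = parse_records(lines)
    return {"null_flag": null_flag_packets(recs), "port_sweeps": port_sweeps(recs),
            "repeated_logins": repeated_logins(recs), "syn_floods": syn_floods(recs)}


if __name__ == "__main__":
    for name, finding in report(constructed_sample()).items():
        print(name, finding)
```

Pointing it at a real capture is a matter of replacing `constructed_sample()` with the lines of the tshark export; packets that carry no TCP layer print empty fields and should be filtered out with `-Y tcp` on the tshark side before parsing.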

Thank you so so much!

(24 Oct '17, 11:46) subb148